{"version":"https://jsonfeed.org/version/1.1","title":"Charles' Ends and Odds","home_page_url":"https://blog.charlesrod.com","feed_url":"https://blog.charlesrod.com/json/","description":"","icon":"https://blog.charlesrod.com/assets/default/channel-image.png","favicon":"https://blog.charlesrod.com/assets/default/favicon.png","authors":[{"name":"charles rodriguez"}],"language":"en-us","items":[{"id":"rMe4_PiVmnh","title":"OIDC Rancher Desktop","url":"https://blog.charlesrod.com/i/oidc-rancher-desktop-and-rke2-rMe4_PiVmnh/","content_html":"<p>Rancher Desktop provides \"provisioning scripts\" to customize Rancher Desktop installations on Windows. ( <a href=\"https://docs.rancherdesktop.io/how-to-guides/provisioning-scripts/#windows\" rel=\"noopener noreferrer\" target=\"_blank\">source</a> ) A script with the .start extension in the provisioning directory runs inside the Rancher Desktop WSL distribution each time it starts, which is what lets it write a k3s config drop-in before the API server reads its configuration.</p><p><br></p><p>The following examples use GitLab as the identity provider.</p><p><br></p><h2>Prerequisite:</h2><p><br></p><ul><li>Create a GitLab application: <a href=\"https://docs.gitlab.com/integration/oauth_provider/\" rel=\"noopener noreferrer\" target=\"_blank\">https://docs.gitlab.com/integration/oauth_provider/</a>. Give it the openid scope (GitLab only issues an ID token for that scope) and note its Application ID; that value becomes oidc-client-id below.</li></ul><p><br></p><h2>To add OIDC to Rancher Desktop on Windows</h2><p><br></p><ul><li>Create a file under the provisioning directory:</li></ul><pre class=\"ql-syntax\" spellcheck=\"false\">C:\\Users\\your-user-folder-here\\AppData\\Local\\rancher-desktop\\provisioning\\00-OIDC-Setup.start\n</pre><p><br></p><ul><li>File contents should be similar to the following (replace xxxxxxxxxxxx with the GitLab Application ID):</li></ul><pre class=\"ql-syntax\" spellcheck=\"false\">#!/bin/sh\nmkdir -p /etc/rancher/k3s/config.yaml.d/\ncat &gt; /etc/rancher/k3s/config.yaml.d/OIDC.yaml &lt;&lt;EOF\nkube-apiserver-arg:\n- \"oidc-client-id=xxxxxxxxxxxx\"\n- \"oidc-groups-claim=groups_direct\"\n- \"oidc-issuer-url=https://gitlab.com\"\n- \"oidc-username-claim=preferred_username\"\n- \"oidc-groups-prefix=customvalue:\"\n- \"oidc-username-prefix=customvalue:\"
\nEOF\n</pre><p><br></p><p><strong>groups_direct</strong> is a claim in GitLab's ID token: an array of the full paths of the groups the user is a direct member of. The oidc-groups-claim flag tells the kube-apiserver which claim to read group membership from, so the groups_direct values become the user's Kubernetes groups. If you're using a different provider, use the equivalent claim from that provider's token. <strong>preferred_username</strong> is another claim from GitLab's token and supplies the Kubernetes username. For a self-hosted GitLab instance, oidc-issuer-url is that instance's base URL.</p><p><br></p><p><strong>customvalue</strong> can be any string. The API server prepends it to every username and group taken from the token before authorization runs, so the subject names in your ClusterRoleBindings must include it. The prefix also keeps identities from the provider from colliding with built-in names such as system:masters, which is why it should stay non-empty.</p><p><br></p><ul><li>Set up a ClusterRoleBinding and ClusterRole ( A custom ClusterRole is optional: you could bind a built-in role such as view or edit, but a least-privilege custom role is the better practice. )</li><li>Documentation on ClusterRoles and ClusterRoleBindings: <a href=\"https://kubernetes.io/docs/reference/access-authn-authz/rbac/\" rel=\"noopener noreferrer\" target=\"_blank\">Using RBAC Authorization</a></li></ul><p><br></p><p>Example: the customvalue was set to <strong>no1llc,</strong> and the user is a direct member of the subgroup <strong>founder</strong> under the group <strong>partners</strong>, so groups_direct contains the path <strong>partners/founder</strong>. The values after the username and group prefixes <strong>MUST</strong> match the token's claim values exactly. ( note: use kind Group for a group path and kind User for a username. ) </p><pre class=\"ql-syntax\" spellcheck=\"false\">subjects:\n- kind: Group\n  name: \"no1llc:partners/founder\"\n  apiGroup: rbac.authorization.k8s.io\n# or where the user's username is gnoejuan and customvalue was \"me\"\nsubjects:\n- kind: User\n  name: \"me:gnoejuan\"\n  apiGroup: rbac.authorization.k8s.io\n</pre><p><br></p><p>If there is no subgroup, the value will simply be the group path.</p><p><br></p><p>Example \"no1llc:partners\"</p>","content_text":"Rancher Desktop provides \"provisioning scripts\" to customize Rancher Desktop\ninstallations on Windows. 
( source ) A script with the .start extension in the provisioning directory\nruns inside the Rancher Desktop WSL distribution each time it starts, which is\nwhat lets it write a k3s config drop-in before the API server reads its\nconfiguration.\n\n\n\n\nThe following examples use GitLab as the identity provider.\n\n\n\n\n\nPREREQUISITE:\n\n\n\n\n * Create a GitLab application:\n   https://docs.gitlab.com/integration/oauth_provider/\n   Give it the openid scope (GitLab only issues an ID token for that scope)\n   and note its Application ID; that value becomes oidc-client-id below.\n\n\n\n\n\nTO ADD OIDC TO RANCHER DESKTOP ON WINDOWS\n\n\n\n\n * Create a file under the provisioning directory:\n\nC:\\Users\\your-user-folder-here\\AppData\\Local\\rancher-desktop\\provisioning\\00-OIDC-Setup.start\n\n\n\n\n\n * File contents should be similar to the following (replace xxxxxxxxxxxx\n   with the GitLab Application ID):\n\n#!/bin/sh\nmkdir -p /etc/rancher/k3s/config.yaml.d/\ncat > /etc/rancher/k3s/config.yaml.d/OIDC.yaml <<EOF\nkube-apiserver-arg:\n- \"oidc-client-id=xxxxxxxxxxxx\"\n- \"oidc-groups-claim=groups_direct\"\n- \"oidc-issuer-url=https://gitlab.com\"\n- \"oidc-username-claim=preferred_username\"\n- \"oidc-groups-prefix=customvalue:\"\n- \"oidc-username-prefix=customvalue:\"\nEOF\n\n\n\n\n\ngroups_direct is a claim in GitLab's ID token: an array of the full paths of\nthe groups the user is a direct member of. The oidc-groups-claim flag tells\nthe kube-apiserver which claim to read group membership from, so the\ngroups_direct values become the user's Kubernetes groups. If you're using a\ndifferent provider, use the equivalent claim from that provider's token.\npreferred_username is another claim from GitLab's token and supplies the\nKubernetes username. For a self-hosted GitLab instance, oidc-issuer-url is\nthat instance's base URL.\n\n\n\n\ncustomvalue can be any string. The API server prepends it to every username\nand group taken from the token before authorization runs, so the subject names\nin your ClusterRoleBindings must include it. The prefix also keeps identities\nfrom the provider from colliding with built-in names such as system:masters,\nwhich is why it should stay non-empty.\n\n\n\n\n * Set up a ClusterRoleBinding and ClusterRole ( A custom ClusterRole is\n   optional: you could bind a built-in role such as view or edit, but a\n   least-privilege custom role is the better practice. )\n * Documentation on ClusterRoles and ClusterRoleBindings: Using RBAC\n   Authorization\n\n\n\n\nExample: the customvalue was set to no1llc, and the user is a direct member of\nthe subgroup founder under the group partners, so groups_direct contains the\npath partners/founder. The values after the username and group prefixes MUST\nmatch the token's claim values exactly. ( note: use kind Group for a group\npath and kind User for a username. 
)\n\nsubjects:\n- kind: Group\n  name: \"no1llc:partners/founder\"\n  apiGroup: rbac.authorization.k8s.io\n# or where the user's username is gnoejuan and customvalue was \"me\"\nsubjects:\n- kind: User\n  name: \"me:gnoejuan\"\n  apiGroup: rbac.authorization.k8s.io\n\n\n\n\n\nIf there is no subgroup, the value will simply be the group path.\n\n\n\n\nExample \"no1llc:partners\"","date_published":"2025-07-17T06:55:25.562Z","_microfeed":{"web_url":"https://blog.charlesrod.com/i/oidc-rancher-desktop-rMe4_PiVmnh/","json_url":"https://blog.charlesrod.com/i/rMe4_PiVmnh/json/","rss_url":"https://blog.charlesrod.com/i/rMe4_PiVmnh/rss/","guid":"rMe4_PiVmnh","status":"published","itunes:episodeType":"full","date_published_short":"Thu Jul 17 2025","date_published_ms":1752735325562}}],"_microfeed":{"microfeed_version":"0.1.5","base_url":"https://blog.charlesrod.com","categories":[{"name":"Technology"},{"name":"Business"},{"name":"Business","categories":[{"name":"Non-Profit"}]}],"subscribe_methods":[{"name":"RSS","type":"rss","url":"https://blog.charlesrod.com/rss/","image":"https://blog.charlesrod.com/assets/brands/subscribe/rss.png","enabled":true,"editable":false,"id":"krdpI0qPHqI"},{"name":"JSON","type":"json","url":"https://blog.charlesrod.com/json/","image":"https://blog.charlesrod.com/assets/brands/subscribe/json.png","enabled":true,"editable":false,"id":"fy7rNUib-cM"}],"description_text":"","copyright":"©2023","itunes:type":"episodic","itunes:block":true,"items_sort_order":"newest_first"}}
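The claim-and-prefix mapping the post describes (oidc-username-claim, oidc-groups-claim and the customvalue prefixes turning into the names a ClusterRoleBinding subject must carry), as an added example that is not part of the original post and is not Kubernetes' own code: a small Python model of what the kube-apiserver does with a GitLab ID token under the drop-in's flags. It assumes customvalue is "me" (the post's second subjects example), uses a constructed, unsigned token with claims shaped like GitLab's ID token, and deliberately skips signature verification and JWKS fetching; it models only the iss/aud/exp checks and the prefix rules, so it is a tool for checking subject names, not an authenticator.

```python
"""Simulate the kube-apiserver OIDC claim-to-subject mapping for the flags in
the OIDC.yaml drop-in above, so RBAC subject names can be checked offline.
Added example, not code from the original post or from Kubernetes. The JWT
signature is NOT verified and no JWKS is fetched (a deliberate simplification);
only the iss/aud/exp checks and the prefix rules are modelled. customvalue is
assumed to be "me", as in the post's second subjects example."""
import base64
import json
import time

# The kube-apiserver-arg entries from the drop-in, as a dict.
APISERVER_ARGS = {
    "oidc-issuer-url": "https://gitlab.com",
    "oidc-client-id": "xxxxxxxxxxxx",  # GitLab Application ID placeholder
    "oidc-username-claim": "preferred_username",
    "oidc-username-prefix": "me:",
    "oidc-groups-claim": "groups_direct",
    "oidc-groups-prefix": "me:",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED test token: header.payload. with an empty signature."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def map_token_to_subject(token: str, args: dict, now=None) -> dict:
    """Return {"user", "groups"} as the apiserver would derive them, or raise
    ValueError where the apiserver would reject the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))

    # Issuer, audience and expiry checks (signature verification omitted here).
    if claims.get("iss") != args["oidc-issuer-url"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if args["oidc-client-id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client id")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")

    # Username: the claim named by --oidc-username-claim, then the prefix rule.
    username_claim = args.get("oidc-username-claim", "sub")
    if username_claim not in claims:
        raise ValueError(f"missing username claim {username_claim!r}")
    prefix = args.get("oidc-username-prefix")
    if prefix is None:  # Kubernetes default: none for "email", else "<issuer>#"
        prefix = "" if username_claim == "email" else args["oidc-issuer-url"] + "#"
    elif prefix == "-":  # "-" disables username prefixing entirely
        prefix = ""
    user = prefix + str(claims[username_claim])

    # Groups: optional claim, a string or list of strings, each one prefixed.
    groups = []
    raw = claims.get(args.get("oidc-groups-claim", ""))
    if raw is not None:
        gprefix = args.get("oidc-groups-prefix", "")
        groups = [gprefix + g for g in ([raw] if isinstance(raw, str) else raw)]
    return {"user": user, "groups": groups}

def subject_matches(subjects: list, identity: dict) -> bool:
    """True if any RBAC subject of kind User or Group names this identity."""
    return any((s["kind"] == "User" and s["name"] == identity["user"])
               or (s["kind"] == "Group" and s["name"] in identity["groups"])
               for s in subjects)

def rejection_reason(claims: dict, args: dict):
    """None if the token would be accepted, otherwise the rejection message."""
    try:
        map_token_to_subject(make_unsigned_token(claims), args)
        return None
    except ValueError as exc:
        return str(exc)

# CONSTRUCTED claims shaped like GitLab's ID token for user gnoejuan, a direct
# member of the group "partners" and of its subgroup "partners/founder".
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "xxxxxxxxxxxx",
    "sub": "1234567",
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample never expires
    "preferred_username": "gnoejuan",
    "groups_direct": ["partners", "partners/founder"],
}

def demo() -> dict:
    identity = map_token_to_subject(make_unsigned_token(SAMPLE_CLAIMS), APISERVER_ARGS)
    rbac = "rbac.authorization.k8s.io"
    subject = lambda kind, name: [{"kind": kind, "name": name, "apiGroup": rbac}]
    return {
        "identity": identity,
        "group_binding_matches": subject_matches(subject("Group", "me:partners/founder"), identity),
        "wrong_kind_matches": subject_matches(subject("User", "me:partners/founder"), identity),
        "unprefixed_matches": subject_matches(subject("User", "gnoejuan"), identity),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints the derived identity (user me:gnoejuan, groups me:partners and me:partners/founder) and shows the two mistakes that most often break an OIDC binding: a group path bound with kind User, and a username bound without the prefix. Both are silent on the cluster side (the request is simply forbidden), which is why checking the mapping offline first is worthwhile. Deleting oidc-username-prefix from the args shows the Kubernetes default of "https://gitlab.com#" being applied instead.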