From b2e92664c8841ad9d531e1c8a4d2b37140d169c4 Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Fri, 7 Mar 2025 11:31:51 -0500
Subject: [PATCH 1/5] Initialize cert

---
 docs/source/config/oidc.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/source/config/oidc.md b/docs/source/config/oidc.md
index 61ef27450..f632b6948 100644
--- a/docs/source/config/oidc.md
+++ b/docs/source/config/oidc.md
@@ -60,6 +60,24 @@ jmp exporter login <exporter alias> --endpoint <jumpstarter controller endpoint>
 # --username, --password and --token are also accepted by jmp exporter login
 ```
 
+### Dex (for authenticating with kubernetes Service Accounts)
+
+Initialize a self-signed CA and sign certificate for dex
+
+```shell
+easyrsa init-pki
+easyrsa --no-pass build-ca
+easyrsa --no-pass build-server-full dex.dex.svc.cluster.local
+
+# import certificate into secret
+kubectl create namespace dex
+kubectl -n dex create secret tls dex-tls \
+  --cert=pki/issued/dex.dex.svc.cluster.local.crt \
+  --key=pki/private/dex.dex.svc.cluster.local.key
+```
+
+
+
 ## Reference
 ```yaml
 #

From a45998f1d4885de636a36a3aaa2abba925ada29a Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Fri, 7 Mar 2025 11:42:10 -0500
Subject: [PATCH 2/5] Install dex

---
 docs/source/config/oidc.md | 55 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/docs/source/config/oidc.md b/docs/source/config/oidc.md
index f632b6948..15a35c5bd 100644
--- a/docs/source/config/oidc.md
+++ b/docs/source/config/oidc.md
@@ -76,7 +76,62 @@ kubectl -n dex create secret tls dex-tls \
   --key=pki/private/dex.dex.svc.cluster.local.key
 ```
 
+Install dex with helm
 
+```yaml
+# dex.values.yaml
+https:
+  enabled: true
+config:
+  issuer: https://dex.dex.svc.cluster.local:5556
+  web:
+    tlsCert: /etc/dex/tls/tls.crt
+    tlsKey: /etc/dex/tls/tls.key
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+  staticClients:
+    - id: jumpstarter-cli
+      name: Jumpstarter CLI
+      public: true
+  connectors:
+    - name: kubernetes
+      type: oidc
+      id: kubernetes
+      config:
+        # kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
+        issuer: "https://kubernetes.default.svc.cluster.local"
+        rootCAs:
+          - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        userNameKey: sub
+        scopes:
+          - profile
+volumes:
+  - name: tls
+    secret:
+      secretName: dex-tls
+volumeMounts:
+  - name: tls
+    mountPath: /etc/dex/tls
+service:
+  type: ClusterIP
+  ports:
+    http:
+      port: 5554
+    https:
+      port: 5556
+```
+
+```shell
+# Ensure OIDC discovery URLs do not require authentication
+kubectl create clusterrolebinding oidc-reviewer  \
+ --clusterrole=system:service-account-issuer-discovery \
+ --group=system:unauthenticated
+
+helm repo add dex https://charts.dexidp.io
+helm install --namespace dex --wait -f dex.values.yaml dex dex/dex
+```
 
 ## Reference
 ```yaml

From cd643e84fff1d83d5bc8b9453d7585624884fe20 Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Fri, 7 Mar 2025 11:44:58 -0500
Subject: [PATCH 3/5] Configure jumpstarter

---
 docs/source/config/oidc.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docs/source/config/oidc.md b/docs/source/config/oidc.md
index 15a35c5bd..fd7a1c741 100644
--- a/docs/source/config/oidc.md
+++ b/docs/source/config/oidc.md
@@ -133,6 +133,26 @@ helm repo add dex https://charts.dexidp.io
 helm install --namespace dex --wait -f dex.values.yaml dex dex/dex
 ```
 
+Configure Jumpstarter to trust dex by using the following snippet as `jumpstarter-controller.authenticationConfiguration` during Jumpstarter installation.
+
+```yaml
+apiVersion: jumpstarter.dev/v1alpha1
+kind: AuthenticationConfiguration
+jwt:
+  - issuer:
+      url: https://dex.dex.svc.cluster.local:5556
+      audiences:
+      - jumpstarter-cli
+      audienceMatchPolicy: MatchAny
+      certificateAuthority: |
+        <content of pki/ca.crt>
+    claimMappings:
+      username:
+        claim: "name"
+        prefix: "dex:"
+```
+
+
 ## Reference
 ```yaml
 #

From 4b6085d7f67ff12f574d5044ee28531987425cfe Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Fri, 7 Mar 2025 11:47:38 -0500
Subject: [PATCH 4/5] Update oidc client/exporter creation doc

---
 docs/source/config/oidc.md | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/docs/source/config/oidc.md b/docs/source/config/oidc.md
index fd7a1c741..61007470c 100644
--- a/docs/source/config/oidc.md
+++ b/docs/source/config/oidc.md
@@ -27,18 +27,7 @@ jwt:
       prefix: "keycloak:"
 ```
 
-Then proceed to create clients and exporters with the `jmp admin create` commands, newly created clients and exporters would still use the internal authenticator, after which kubectl can be used to modify them to accept OIDC authentication.
-
-```shell
-# for clients
-kubectl -n <namespace> patch clients.jumpstarter.dev <client name> \
-  --type=merge --patch '{"spec":{"username":"keycloak:developer-1"}}'
-# for exporters
-kubectl -n <namespace> patch exporters.jumpstarter.dev <exporter name> \
-  --type=merge --patch '{"spec":{"username":"keycloak:lab-admin-1"}}'
-```
-
-Be sure to prefix usernames with "keycloak:", as previously configured.
+Then proceed to create clients and exporters with the `jmp admin create` commands, set their corresponding OIDC username with the `--oidc-username` flag, e.g. `jmp admin create client test-client --oidc-username keycloak:developer-1`. Be sure to prefix usernames with "keycloak:", as previously configured.
 
 Finally, instruct the users to login with the following commands
 

From 124cc15233c6272f1f7aab6c99f6c014309c8cea Mon Sep 17 00:00:00 2001
From: Nick Cao <nickcao@nichi.co>
Date: Fri, 7 Mar 2025 12:03:07 -0500
Subject: [PATCH 5/5] Document how to login

---
 docs/source/config/oidc.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/docs/source/config/oidc.md b/docs/source/config/oidc.md
index 61007470c..e1a4250b3 100644
--- a/docs/source/config/oidc.md
+++ b/docs/source/config/oidc.md
@@ -141,6 +141,25 @@ jwt:
         prefix: "dex:"
 ```
 
+Then proceed to create clients and exporters with the `jmp admin create` commands, set their corresponding OIDC username with the `--oidc-username` flag, e.g. `jmp admin create exporter test-exporter --oidc-username dex:system:serviceaccount:default:test-service-account`. Just prefix the full service account name with "dex:", as previously configured.
+
+Finally, instruct the users to login with the following commands in pods configured with proper service accounts.
+
+```
+# for clients
+jmp client login <client alias> --endpoint <jumpstarter controller endpoint> \
+  --namespace <namespace> --name <client name> \
+  --issuer https://dex.dex.svc.cluster.local:5556 \
+  --connector-id kubernetes \
+  --token $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+
+# for exporters
+jmp exporter login <exporter alias> --endpoint <jumpstarter controller endpoint> \
+  --namespace <namespace> --name <exporter name> \
+  --issuer https://dex.dex.svc.cluster.local:5556 \
+  --connector-id kubernetes \
+  --token $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+```
 
 ## Reference
 ```yaml