UNCLASSIFIED - NO CUI

Add support for multiple OIDC identity providers (sso.additional_oidc)

Problem

The current elasticsearch-kibana chart only supports a single OIDC identity provider via the sso block. Organizations often need to authenticate users from multiple identity providers (e.g., Platform One Keycloak + DAF ICAM Okta).

Without native chart support, users would need to manually configure additional OIDC realms via deeply nested elasticsearch.master.config, elasticsearch.data.config, etc., using verbose dot-notation keys (e.g., xpack.security.authc.realms.oidc.MyRealm.rp.client_id) repeated across every node type, which is error-prone and difficult to maintain.

Solution

Add sso.additional_oidc MAP to configure additional OIDC realms beyond the primary SSO provider.

Values Structure

sso:
  enabled: true
  client_id: "primary-client"
  login_label: "Platform One SSO"  # Button text on login screen
  oidc:
    host: login.dso.mil
    realm: baby-yoda
  # ... existing SSO config ...

  additional_oidc:
    OktaRealm:  # Key = realm name
      client_id: "okta-client-id"
      client_secret: "okta-secret"  # Can be in SOPS, merges with plain values
      issuer: "https://example.okta.mil/oauth2/default"
      auth_url: "https://example.okta.mil/oauth2/default/v1/authorize"
      token_url: "https://example.okta.mil/oauth2/default/v1/token"
      userinfo_url: "https://example.okta.mil/oauth2/default/v1/userinfo"
      jwkset_url: "https://example.okta.mil/oauth2/default/v1/keys"
      endsession_url: "https://example.okta.mil/oauth2/default/v1/logout"
      claims_principal: "preferred_username"
      claims_group: "groups"
      claims_mail: "email"
      signature_algorithm: RS256
      login_label: "Okta Login"  # Button text on login screen
      # requested_scopes defaults to ["openid", "profile", "email", "groups"]

Key Design Decisions

  • MAP structure (not array) - Keyed by realm name for proper Helm values merge. Allows non-secret config in plain values and client_secret in SOPS that merge automatically.
  • login_label - Field for configuring login button text
  • Default scopes include groups - Enables role mapping out of the box
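The two design points above (a map keyed by realm name so a plain values file and a SOPS file coalesce into one realm, and expansion into Elasticsearch's dot-notation realm keys) as an added Python sketch; this is not the chart's _helpers.tpl code. It assumes Helm's coalescing rule (nested maps merge key by key, lists and scalars are replaced by the later file), assumes the realm `order` values (Elasticsearch requires a unique order per realm; the MR text does not say how the chart assigns it), and the sample values are constructed from the Values Structure section.

```python
"""Added example (not chart code): why sso.additional_oidc is a map, and how one
merged realm expands into xpack.security.authc.realms.oidc.<name>.* settings."""
from copy import deepcopy

DEFAULT_SCOPES = ["openid", "profile", "email", "groups"]  # chart default per MR text

# Constructed sample: non-secret realm config kept in plain values.
PLAIN_VALUES = {
    "sso": {
        "additional_oidc": {
            "OktaRealm": {
                "client_id": "okta-client-id",
                "issuer": "https://example.okta.mil/oauth2/default",
                "auth_url": "https://example.okta.mil/oauth2/default/v1/authorize",
                "token_url": "https://example.okta.mil/oauth2/default/v1/token",
                "userinfo_url": "https://example.okta.mil/oauth2/default/v1/userinfo",
                "jwkset_url": "https://example.okta.mil/oauth2/default/v1/keys",
                "endsession_url": "https://example.okta.mil/oauth2/default/v1/logout",
                "claims_principal": "preferred_username",
                "claims_group": "groups",
                "claims_mail": "email",
                "signature_algorithm": "RS256",
                "login_label": "Okta Login",
            }
        }
    }
}

# Constructed sample: only the secret, as it would sit in a SOPS-encrypted values file.
SOPS_VALUES = {"sso": {"additional_oidc": {"OktaRealm": {"client_secret": "okta-secret"}}}}


def deep_merge(base, override):
    """Helm-style coalesce (assumed model): recurse into maps, replace anything else."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)  # lists and scalars are not merged
    return merged


def realm_settings(name, realm, order):
    """Expand one realm map into Elasticsearch OIDC realm keys (elasticsearch.yml side).

    client_secret is deliberately absent: it is a secure setting that belongs in the
    keystore / Kubernetes Secret, never in the plain node config.
    """
    prefix = f"xpack.security.authc.realms.oidc.{name}"
    return {
        f"{prefix}.order": order,  # assumed: MR text does not specify ordering
        f"{prefix}.rp.client_id": realm["client_id"],
        f"{prefix}.rp.response_type": "code",
        f"{prefix}.rp.requested_scopes": realm.get("requested_scopes", DEFAULT_SCOPES),
        f"{prefix}.rp.signature_algorithm": realm.get("signature_algorithm", "RS256"),
        f"{prefix}.op.issuer": realm["issuer"],
        f"{prefix}.op.authorization_endpoint": realm["auth_url"],
        f"{prefix}.op.token_endpoint": realm["token_url"],
        f"{prefix}.op.userinfo_endpoint": realm["userinfo_url"],
        f"{prefix}.op.jwkset_path": realm["jwkset_url"],
        f"{prefix}.op.endsession_endpoint": realm["endsession_url"],
        f"{prefix}.claims.principal": realm["claims_principal"],
        f"{prefix}.claims.groups": realm["claims_group"],
        f"{prefix}.claims.mail": realm["claims_mail"],
    }


def render(plain, sops):
    """Merge the two values files, then split each realm into config vs. secret keys."""
    values = deep_merge(plain, sops)
    realms = values["sso"]["additional_oidc"]
    config, secrets = {}, {}
    # order starts at 2 on the assumption that the primary sso realm holds order 1.
    for order, (name, realm) in enumerate(sorted(realms.items()), start=2):
        config.update(realm_settings(name, realm, order))
        secrets[f"xpack.security.authc.realms.oidc.{name}.rp.client_secret"] = realm["client_secret"]
    return config, secrets


def list_layout_loses_plain_values():
    """Contrast: had additional_oidc been a list, the SOPS file would replace the whole list."""
    plain = {"additional_oidc": [{"client_id": "okta-client-id"}]}
    sops = {"additional_oidc": [{"client_secret": "okta-secret"}]}
    return deep_merge(plain, sops)["additional_oidc"]


if __name__ == "__main__":
    cfg, sec = render(PLAIN_VALUES, SOPS_VALUES)
    for k, v in cfg.items():
        print(f"{k}: {v}")
    print("secure settings:", list(sec))
    print("list layout after merge:", list_layout_loses_plain_values())
```

The map layout is what makes the split between plain and SOPS values safe: the secret file only needs the realm key and `client_secret`, and nothing non-secret has to be duplicated into the encrypted file. The contrast function shows the failure mode an array layout would have had, where the later file silently drops the plain-values entry.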

Changes

  • _helpers.tpl: Extended oidc template to iterate over additional OIDC providers
  • _kibana-config.tpl: Added logic to create additional Kibana OIDC providers (oidc2, oidc3, etc.)
  • bigbang/sso-secret.yaml: Added client_secret entries for additional OIDC realms
  • values.yaml: Added sso.login_label and sso.additional_oidc with documentation
  • tests/sso_test.yaml: Added helm-unittest tests