add structured auth config example to dex guide

Signed-off-by: Karol Szwaj <[email protected]>

On-behalf-of: @SAP [email protected]

contrib/kcp-dex/README.md

@@ -25,7 +25,9 @@ GOBIN=$(pwd)/bin go install github.com/mjudeikis/genkey
 
 ### KCP
 
-Start kcp with oidc enabled:
+Start kcp with oidc enabled, you can either use the OIDC flags or structured authentication configuration from a file. Example configuration is shown in `auth-config.yaml`.
+
+## OIDC Flags
 
 ```bash
 go run ./cmd/kcp start \
@@ -35,6 +37,41 @@ go run ./cmd/kcp start \
 --oidc-ca-file=127.0.0.1.pem
 ```
 
+## Structured Authentication Config
+
+```bash
+CA_CERT=$(openssl x509 -in 127.0.0.1.pem | sed 's/^/      /')
+```
+```bash
+cat << EOF_AuthConfig > auth-config.yaml
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://127.0.0.1:5556/dex
+    certificateAuthority: |
+$CA_CERT
+    audiences:
+      - kcp-dev
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    username:
+      claim: "email"
+      prefix: ""
+    groups:
+      claim: "groups"
+      prefix: ""
+  claimValidationRules: []
+  userValidationRules: []
+EOF_AuthConfig
+```
+
+Start a kcp server:
+
+```bash
+./bin/kcp start --authentication-config auth-config.yaml
+```
+
 ### Login
 
 Use oidc plugin:

contrib/kcp-dex/auth-config.yaml

@@ -0,0 +1,21 @@
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://127.0.0.1:5556/dex
+    certificateAuthority: |
+      -----BEGIN CERTIFICATE-----
+      enter your certificate here
+      -----END CERTIFICATE-----
+    audiences:
+      - kcp-dev
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    username:
+      claim: "email"
+      prefix: ""
+    groups:
+      claim: "groups"
+      prefix: ""
+  claimValidationRules: []
+  userValidationRules: []