From 0d18f0a6ea974574582da3f36ffa3c92684aa825 Mon Sep 17 00:00:00 2001
From: Matt Morrison
Date: Wed, 13 Dec 2023 19:16:29 +1300
Subject: [PATCH] Update instructions to use the kubelogin plugin

The kubelogin plugin allows an auto-refresh workflow if the token has expired.
---
 .github/workflows/artifacts.yaml | 2 +-
 Justfile | 50 +++++++++
 charts/dex-k8s-authenticator/values.yaml | 2 +-
 templates/linux-mac-common.html | 124 +++++++++------------
 templates/mac-tab.html | 6 +-
 tests/e2e/helm/dex-k8s-auth-overrides.yaml | 33 +++++-
 6 files changed, 142 insertions(+), 75 deletions(-)
 create mode 100644 Justfile

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 2c9027e..84e59d1 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -101,7 +101,7 @@ jobs:
 uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
 with:
 context: .
- platforms: linux/amd64,linux/arm/v7,linux/arm64
+ platforms: linux/amd64,linux/arm64
 tags: ${{ steps.meta.outputs.tags }}
 build-args: |
 BASE_IMAGE=${{ matrix.variant }}
diff --git a/Justfile b/Justfile
new file mode 100644
index 0000000..cd046b4
--- /dev/null
+++ b/Justfile
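Review bot: The new `platforms:` value drops `linux/arm/v7` from the published image set, and neither the subject nor the description mentions it, so users pulling that tag on 32-bit ARM will only discover the removal when the pull fails. Either restore the platform or state the reason in the commit message, and at minimum leave a comment on the line such as `# linux/arm/v7 dropped: <reason>` so the omission reads as deliberate rather than accidental.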
@@ -0,0 +1,50 @@
+GONAME := "dex-k8s-authenticator"
+TAG := "latest"
+E2E_GITHUB_SHA := `openssl rand -hex 4`
+KIND_NODE_IP := `kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}"`
+
+all: build
+
+build:
+ @echo "Building go binary ./bin/{{GONAME}}"
+ go build -o bin/{{GONAME}} *.go
+
+alias docker := container
+container:
+ @echo "Building container image"
+ docker build -t getditto/{{GONAME}}:{{TAG}} .
+
+clean:
+ @echo "Cleaning"
+ go clean
+ rm -rf ./bin
+
+lint:
+ golangci-lint run
+
+lint-fix: lint
+ golangci-lint run --fix
+
+up:
+ docker build -t getditto/dex-k8s-authenticator:{{E2E_GITHUB_SHA}} .
+ kind load docker-image getditto/dex-k8s-authenticator:{{E2E_GITHUB_SHA}}
+
+ echo {{KIND_NODE_IP}}
+ NODE_IP={{KIND_NODE_IP}} CI_TAG={{E2E_GITHUB_SHA}} envsubst < ./tests/e2e/helm/dex-overrides.yaml > /tmp/dex-overrides.yaml
+ NODE_IP={{KIND_NODE_IP}} CI_TAG={{E2E_GITHUB_SHA}} envsubst < ./tests/e2e/helm/dex-k8s-auth-overrides.yaml > /tmp/dex-k8s-auth-overrides.yaml
+
+ helm repo add dexidp https://charts.dexidp.io || true
+ helm template -f /tmp/dex-overrides.yaml dex dexidp/dex | kubectl apply -f -
+ kubectl describe deployment dex
+ kubectl rollout status deploy dex -w
+
+ helm template -f /tmp/dex-k8s-auth-overrides.yaml dex-k8s-authenticator ./charts/dex-k8s-authenticator | kubectl apply -f -
+ kubectl describe deployment dex-k8s-authenticator
+ kubectl rollout status deploy dex-k8s-authenticator -w
+
+alias pf := portforward
+alias port-forward := portforward
+
+portforward:
+ kubectl port-forward deployment/dex-k8s-authenticator 5555 5555
+
\ No newline at end of file
diff --git a/charts/dex-k8s-authenticator/values.yaml b/charts/dex-k8s-authenticator/values.yaml
index 0f73fce..28aa39c 100644
--- a/charts/dex-k8s-authenticator/values.yaml
+++ b/charts/dex-k8s-authenticator/values.yaml
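Review bot: The `up` recipe deploys whatever `dexidp/dex` chart version happens to be current when it runs, because `helm template -f /tmp/dex-overrides.yaml dex dexidp/dex` carries no `--version`, and a failed `helm repo add` is swallowed by `|| true`; pin the chart (`helm template --version <x.y.z> -f /tmp/dex-overrides.yaml dex dexidp/dex | kubectl apply -f -`) and drop the `|| true` so a broken or substituted repo fails the e2e run instead of rendering something unexpected. The top-level `KIND_NODE_IP := \`kubectl get nodes ...\`` is a backtick assignment, which `just` evaluates when it loads the file, so `just build` or `just lint` on a machine with no reachable cluster appears to fail with an unrelated kubectl error; move that lookup into the `up` recipe body (`NODE_IP=$(kubectl get nodes -o jsonpath=...)`) where it is actually needed. `helm template ... | kubectl apply -f -` also sidesteps Helm release tracking, which is acceptable for a throwaway kind cluster but deserves a one-line comment saying so.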
@@ -7,7 +7,7 @@ global:
 replicaCount: 1
 image:
- repository: ghcr.io/sl1pm4t/dex-k8s-authenticator
+ repository: ghcr.io/getditto/dex-k8s-authenticator
 tag: 2.0.0
 pullPolicy: Always
diff --git a/templates/linux-mac-common.html b/templates/linux-mac-common.html
index e4bd825..ac3d8fe 100644
--- a/templates/linux-mac-common.html
+++ b/templates/linux-mac-common.html
@@ -1,94 +1,76 @@
 {{ define "linux-mac-common" }}
- {{ if .IDPCaURI }}
-

Copy IDP CA Certificate From URL

-

Copy this CA Certificate and download it to your .kube directory

-
+
+

Install kubelogin plugin

+ https://github.com/int128/kubelogin - -
curl --create-dirs -s {{ .IDPCaURI }} -o ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
-
- {{ end }} +

The kubelogin plugin streamlines OIDC authentication from the command line.

+

+ When you run kubectl, kubelogin opens the browser and you can log in to the provider. + Then kubelogin gets a token from the provider and kubectl can access Kubernetes APIs with the token. +

- {{ if .IDPCaPem }} -

Copy IDP CA Certificate From PEM

- -

Put the CA Certificate into your .kube directory

- -
- - -
mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ && cat << EOF > ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
-{{ .IDPCaPem }}
-EOF
-
- {{ end }} - - - {{ if .K8sCaURI }} -

Copy Kubernetes CA Certificate From URL

- -

Copy this CA Certificate and download it to your .kube directory

-
- - -
curl --create-dirs -s {{ .K8sCaURI }} -o ${HOME}/.kube/certs/{{ .ClusterName }}/k8s-ca.crt
-
- {{ end }} - - {{ if .K8sCaPem }} -

Copy Kubernetes CA Certificate From PEM

- -

Put the CA Certificate into your .kube directory

+

+ * Install with brew: +

+
+ +
 brew install int128/kubelogin/kubelogin 
+
-
+

+ * Install with krew: +

+

krew is a plugin manager for kubectl

+
+ +
kubectl krew install oidc-login
+
- -
mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ && cat << EOF > ${HOME}/.kube/certs/{{ .ClusterName }}/k8s-ca.crt
-{{ .K8sCaPem }}
-EOF
-
- {{ end }} +
-

Run configuration commands

+

Add / Update kubeconfig context

-

These commands will update ~/.kube/config

+

These commands will update ~/.kube/config. Use --kubeconfig=xyz to update a different config file.

+

Create / Update cluster settings in kubeconfig:

- -
kubectl config set-cluster {{ .ClusterName }} \
-  {{- if or .K8sCaPem .K8sCaURI }}
-    --certificate-authority=${HOME}/.kube/certs/{{ .ClusterName}}/k8s-ca.crt \
+    
{{- if or .K8sCaPem -}}
+  # API Server CA Certificate
+  K8S_CA_CERT="{{.K8sCaPem}}"
+
+{{ end }} kubectl config set-cluster {{ .ClusterName }} \
+  {{- if .K8sCaPem }}
+  --certificate-authority <(echo -n $K8S_CA_CERT) \
+  --embed-certs=true \
   {{- end }}
-    --server={{ .K8sMasterURI }}
+ --server={{ .K8sMasterURI }}
- -
kubectl config set-credentials {{ .Username }}-{{ .ClusterName }} \
-    --auth-provider=oidc \
-    --auth-provider-arg="idp-issuer-url={{ .Issuer }}" \
-    --auth-provider-arg="client-id={{ .ClientID }}" \
-    --auth-provider-arg="client-secret={{ .ClientSecret }}" \
-    --auth-provider-arg="refresh-token={{ .RefreshToken }}" \
-    --auth-provider-arg="id-token={{ .IDToken }}"
-  {{- if or (.IDPCaURI) (.IDPCaPem) }} \
-    --auth-provider-arg=idp-certificate-authority=${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
-  {{- end }}
+
kubectl config set-credentials {{ .Username }}-{{ .ClusterName }} \
+      --exec-api-version=client.authentication.k8s.io/v1beta1 \
+      --exec-command=kubectl \
+      --exec-arg=oidc-login \
+      --exec-arg=get-token \
+      --exec-arg=--listen-address=127.0.0.1:18000 \
+      --exec-arg=--oidc-issuer-url={{ .Issuer }} \
+      --exec-arg=--oidc-client-id={{ .ClientID }} \
+  {{- if .ClientSecret }}
+      --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+  {{- end }}
+      --exec-arg=--oidc-extra-scope=email \
+      --exec-arg=--oidc-extra-scope=groups
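Review bot: The new `set-credentials` block no longer passes an IdP CA to the exec plugin: the removed `{{ if .IDPCaURI }}` / `{{ if .IDPCaPem }}` download steps and the `idp-certificate-authority` argument have no counterpart on the new side, so a cluster whose OIDC issuer is signed by a private CA now gets a kubeconfig whose kubelogin calls fail TLS verification, and users will reach for `--insecure-skip-tls-verify`; keep the `idp-ca.crt` download and add `{{- if or .IDPCaURI .IDPCaPem }}` / `--exec-arg=--certificate-authority=${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt \` / `{{- end }}` to the exec args. The same regression applies to `.K8sCaURI`, which the rewritten `set-cluster` block no longer references at all, so a deployment configured with `k8s_ca_uri` silently produces a cluster entry with no CA. In `--certificate-authority <(echo -n $K8S_CA_CERT)` the variable is unquoted, so the shell word-splits the PEM and `echo` rejoins it with spaces, flattening the `-----BEGIN CERTIFICATE-----` header line onto the base64 body; write `<(echo -n "$K8S_CA_CERT")` and note in the surrounding text that process substitution is bash/zsh-only. `YOUR_CLIENT_SECRET` is a placeholder where the old template filled in the real value, so the page should say so, e.g. a line above the command reading `# replace YOUR_CLIENT_SECRET with the client secret for {{ .ClientID }}`. Since the stated goal is refresh on expiry, it is worth confirming whether the issuer hands out a refresh token without `--exec-arg=--oidc-extra-scope=offline_access`, which this block does not request.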
diff --git a/templates/mac-tab.html b/templates/mac-tab.html
index 2935cf1..bd1a730 100644
--- a/templates/mac-tab.html
+++ b/templates/mac-tab.html
@@ -8,7 +8,11 @@

Install and Set Up kubectl

{{ if .KubectlVersion }}

Download kubectl: - + + https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/arm64/kubectl + + + https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/amd64/kubectl
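Review bot: Both new download links hand the user a bare binary with no integrity check; every kubectl release publishes a `.sha256` beside the binary at the same path, so the instructions should pair each link with a verification step such as `curl -LO "<url>.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | shasum -a 256 --check`. The `storage.googleapis.com/kubernetes-release` bucket is the legacy location; the documented endpoint is `https://dl.k8s.io/release/{{.KubectlVersion}}/bin/darwin/arm64/kubectl` (and `.../amd64/kubectl`), so consider switching both links while touching them. The enclosing `{{ if .KubectlVersion }}` block closes outside this hunk.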

diff --git a/tests/e2e/helm/dex-k8s-auth-overrides.yaml b/tests/e2e/helm/dex-k8s-auth-overrides.yaml
index da4e383..a637093 100644
--- a/tests/e2e/helm/dex-k8s-auth-overrides.yaml
+++ b/tests/e2e/helm/dex-k8s-auth-overrides.yaml
@@ -19,7 +19,38 @@ dexK8sAuthenticator:
 k8s_master_uri: https://my-cluster.example.com
 client_id: my-cluster
 redirect_uri: http://${NODE_IP}:30000/callback/my-cluster
- k8s_ca_uri: https://url-to-your-ca.crt
+ k8s_ca_pem: |-
+ -----BEGIN CERTIFICATE-----
+ MIIFTjCCBDagAwIBAgIQBHr3lUfAfQ/vgKWyH1HjYzANBgkqhkiG9w0BAQsFADCB
+ kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+ A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
+ BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
+ QTAeFw0xODAzMTIwMDAwMDBaFw0yMDAzMTEyMzU5NTlaMFIxITAfBgNVBAsTGERv
+ bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFzAV
+ BgNVBAMTDmFjcy5xYWNhZmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+ CgKCAQEA6/61GhYNST8VGJlE62Pv5H7e95EqLzydQ1diUpIXpkgL3oZDa3dcd50F
+ bGTrlvqXyPmTPnI8xITz4phgnBeSvwESoyBpGRY5HEgL4NvivNBIV02mDRqhOlEl
+ tdkcYbo0t3ZWFXJ+aesHDyA++UFWixtR61XNnGGhyKFCH26HXqEbaBHlTmY2fEos
+ I+SYcTH3DCjuHWWZHR9AHtq1pN5bbY3DNTsGtF2CpmEnKSWrcRJxnAz2aMFUWDod
+ oc7qEKYt4Er19EW0LSU39Q6ywwMfNXNZRjZqc6IsP3DI5CZJoyCPOHxV0C71iiQA
+ e842jWBae8VLZs1J0OZRbbWeqGgGeQIDAQABo4IB3zCCAdswHwYDVR0jBBgwFoAU
+ kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFMwxDzaFkpGoDWFGnpz+niNC
+ udaSMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+ AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI
+ KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC
+ ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P
+ RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF
+ BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP
+ TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB
+ BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAtBgNVHREEJjAkgg5hY3Mu
+ cWFjYWZlLmNvbYISd3d3LmFjcy5xYWNhZmUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
+ AQBE/SmWs8rJthBedEAUaqDEQSFbFgviE+uKJRlfMHMPK55oe2c7cdujcpFS2wKM
+ E7P9cS5KTNECbn4fDgrPuylxkUKK6GiPorTWUuT0k98TmKRY5nfkeIaurXO3bUMl
+ 3R+SwDaXBCqHQIcWFsN5ExCiLqDLJw/uxloaW1Vbt50gEnyLDSAyPozBWlYxJw77
+ TNd6rcUiWK2Xx711FLvnWPXI9kn4Q2gTLtQ6ZwIT6DVQBd/ZMpDhxruwqlL7Tx+S
+ 3dNVeihnkb7AXLd7dDcO2Gk29XS5o2F8KTE+i1Gi3/z03EiTRsmyNTBsSGYqbvVv
+ F9crB7TEuWdlZxrYdoCP//3v
+ -----END CERTIFICATE-----
 ingress:
 enabled: true
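Review bot: The inline `k8s_ca_pem` fixture appears to be a publicly issued domain-validated leaf certificate rather than a CA (the issuer and subject strings are readable in the base64, and the basicConstraints extension decodes to CA:FALSE), so it is a misleading stand-in for a cluster CA and a reader could take it for real trust material. Generate a throwaway self-signed CA for the e2e run instead (`openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=e2e-ca`) and mark it with a comment above the key: `# self-signed throwaway CA for the e2e run only; not trusted anywhere`. Replacing `k8s_ca_uri` with `k8s_ca_pem` also removes the only e2e coverage of the URI path, so the suite will not notice that the rewritten template in this same commit stopped handling `k8s_ca_uri`; keep a second override file or a second `dexK8sAuthenticator` entry that still sets `k8s_ca_uri` if that option remains supported.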