[Central API] kubectl authentication #373

Open
9 tasks
joshmue opened this issue Jul 27, 2023 · 1 comment

joshmue commented Jul 27, 2023

As a CSP customer, I want to get a kubeconfig in order to access the central API (securely) so that I can use it.

Most likely implemented by using a kubectl exec auth plugin that does OAuth2 Device Auth Flow.

Definition of Ready:

  • User Story is small enough to be finished within one sprint
  • User Story is clear and understood by the whole team
  • Acceptance criteria are defined
  • Acceptance criteria are clear and understood by the whole team

Definition of Done:

  • All acceptance criteria are met
  • Changes have been reviewed
  • CI tests have run successfully
  • Documentation has been updated
  • Release Notes have been updated
@fkr fkr mentioned this issue Jul 27, 2023
@joshmue joshmue added the Ops Issues or pull requests relevant for Team 3: Ops Tooling label Jul 27, 2023

joshmue commented Aug 7, 2023

Used https://github.com/int128/kubelogin (with some inspiration from a post) to login to testbed in gx-scs.

Rough steps:

  • Created joshmue-kubectl client in keycloak (enable default scopes microprofile-jwt and email, set redirect URL)
  • Created k8s-viewer group and role in keycloak, associating with user
  • Created kind cluster; Config:
    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    kubeadmConfigPatches:
    - |-
      kind: ClusterConfiguration
      apiServer:
        extraArgs:
          oidc-client-id: joshmue-kubectl
          oidc-issuer-url: https://keycloak.testbed.osism.xyz/auth/realms/master
          oidc-username-claim: email
          oidc-groups-claim: groups
          oidc-ca-file: /usr/local/share/ca-certificates/osism.crt
    nodes:
    - role: control-plane
      extraMounts:
      - hostPath: /usr/local/share/ca-certificates
        containerPath: /usr/local/share/ca-certificates
        readOnly: true
    - role: worker
  • Put ClusterRoleBinding in place. For example:
    kubectl create clusterrolebinding keycloak --clusterrole view --user keycloak-admin@keycloak.testbed.osism.xyz
    # OR
    kubectl create clusterrolebinding keycloak --clusterrole view --group k8s-viewer
    
  • Copy admin kubeconfig of kind cluster (see ~/.kube/config)
  • Change users section in copied kubeconfig
    users:
    - name: kind-kind
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          command: kubectl
          args:
          - oidc-login
          - get-token
          - --oidc-issuer-url=https://keycloak.testbed.osism.xyz/auth/realms/master
          - --oidc-client-id=joshmue-kubectl
  • Change KUBECONFIG to new non-admin kubeconfig location
  • kubectl get pods and follow on-screen directions
  • Verify that viewing works, but anything else doesn't
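A quick way to see why the last step fails (or unexpectedly succeeds) is to look at the claims in the ID token that `kubectl oidc-login get-token` hands back and compare them with the `--oidc-*` flags given to the apiserver above. The checker below is an added example, not code from this issue, from kubelogin or from osism; the two tokens it builds are constructed sample data with dummy signatures, so the claim values (issuer, client id, user, group) are taken from the steps above and are assumptions for the test only.

```python
import base64
import json
import time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def check_oidc_claims(token, issuer, client_id, username_claim="email",
                      groups_claim="groups", now=None):
    """Return a list of problems (empty = claims match the --oidc-* flags).
    Signature is NOT verified here; kube-apiserver does that via the issuer's JWKS."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return ["token is not a three-part JWT"]
    problems = []
    if header.get("alg") in (None, "none"):
        problems.append("alg=none: unsigned tokens are rejected by the apiserver")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks --oidc-client-id {client_id!r}")
    if not claims.get(username_claim):
        problems.append(f"--oidc-username-claim {username_claim!r} missing")
    if not isinstance(claims.get(groups_claim), list):
        problems.append(f"--oidc-groups-claim {groups_claim!r} missing/not a list")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims, alg="RS256"):
    """Constructed sample token with a dummy signature (test data only)."""
    return f"{_b64url_encode({'alg': alg, 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"

ISSUER = "https://keycloak.testbed.osism.xyz/auth/realms/master"
CLIENT_ID = "joshmue-kubectl"
GOOD_TOKEN = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": 4102444800,
                                "email": "keycloak-admin@keycloak.testbed.osism.xyz",
                                "groups": ["k8s-viewer"]})
# Typical misconfiguration: microprofile-jwt scope not enabled (no groups claim)
# and the audience is Keycloak's default "account" client, not joshmue-kubectl.
BAD_TOKEN = make_sample_token({"iss": ISSUER, "aud": "account", "exp": 4102444800,
                               "email": "keycloak-admin@keycloak.testbed.osism.xyz"})
```

To use it on a real login, pass the `token` field from the ExecCredential JSON that `get-token` prints to `check_oidc_claims` with the same issuer URL and client id as in the kind config.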
