
Auth fails with okta SSO auth provider #15

Closed
bougyman opened this issue Sep 25, 2020 · 3 comments

@bougyman

When using .kube/config which describes okta auth, K8s::Client fails with

Errno::ENOENT: No such file or directory -
from /Users/<redacted>/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/gems/k8s-ruby-0.10.5/lib/k8s/transport.rb:98:in ``'

When I tracked this down, transport.rb:76 is dispatching this to the self.token_from_auth_provider(auth_provider) method, which expects a 'cmd-path' key to exist; however, in my configuration, that does not exist:

[2] pry(K8s::Transport)> auth_provider
=> {"client-id"=>"<snipped>",
 "client-secret"=>"<snipped>",
 "id-token"=> "<snip>",
 "idp-issuer-url"=>"https://<snip>.okta.com/oauth2/<snipped>",
 "refresh-token"=>"<snipped>"}

^ This is from introspecting with a binding.pry on line 79 of transport.rb. I suppose this means there's no default support for idp / saml auth yet in k8s-client. I've done some cursory research into ruby-saml and ruby-saml-idp but not yet figured out how to get the information necessary to auth with them. Will continue researching as I can, and track in this issue.

@bougyman
Author

Added cmd-path: kubectl and cmd-args: get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service-account.name']=='default')].data.token}" to derive a token using the standard token_from_auth_provider method, but it is getting 404 auth failed after that.

@bougyman
Author

However, this does work with curl:

tv574p@ALT03105 ~ % APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
tv574p@ALT03105 ~ % TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)
tv574p@ALT03105 ~ % curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "<snip>.232.63.21:6443"
    }
  ]
}%

@bougyman
Author

I had left out the base64 decoding! This is now working with cmd-path: ~/bin/get_kube_token.sh, with this file being:

#!/bin/bash
kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode
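As an added example (not k8s-ruby's own code and not from the poster), a small Ruby resolver for an auth-provider config hash that covers both shapes seen in this thread: an OIDC entry like the okta one, where kubectl sends the existing id-token as the bearer token, and a cmd-path entry whose command must print a decoded JWT. It turns the bare Errno::ENOENT from an empty cmd-path into a readable error and catches the still-base64-encoded output that caused the "auth failed" response above. The module name, the JWT shape check and the `~` expansion are assumptions of this example.

```ruby
require 'open3'
require 'shellwords'
require 'base64'

# Added example, not k8s-ruby's own code: resolve a bearer token from the
# 'config' hash of a kubeconfig auth-provider entry.
module KubeAuthToken
  class Error < StandardError; end

  # A Kubernetes bearer token (OIDC id-token or service-account token) is a
  # JWT: three base64url segments separated by dots (assumed shape check).
  JWT_RE = /\A[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\z/.freeze

  def self.jwt?(str)
    !!(str =~ JWT_RE)
  end

  def self.resolve(config)
    cmd = config['cmd-path'].to_s
    if !cmd.empty?
      from_command(cmd, config['cmd-args'].to_s)
    elsif !config['id-token'].to_s.empty?
      # OIDC-style provider (okta): the id-token itself is the bearer token.
      config['id-token']
    else
      raise Error, 'auth-provider has neither cmd-path nor id-token'
    end
  end

  def self.from_command(cmd_path, cmd_args)
    cmd_path = File.expand_path(cmd_path) if cmd_path.start_with?('~')
    argv = [cmd_path, *Shellwords.split(cmd_args)] # argv array: no shell involved
    out, status = Open3.capture2(*argv)
    raise Error, "#{cmd_path} exited #{status.exitstatus}" unless status.success?
    token = out.strip
    return token if jwt?(token)
    # data.token in a secret is base64; output that is not yet a JWT is the
    # missing "base64 --decode" symptom from this thread.
    decoded = Base64.decode64(token).strip
    return decoded if jwt?(decoded)
    raise Error, "#{cmd_path} did not produce a bearer token"
  rescue Errno::ENOENT
    raise Error, "cmd-path not found: #{cmd_path.inspect}"
  end
end
```

Note that the get_kube_token.sh workaround hands the client the default service account's secret token rather than the okta user's identity, so the API server audit log attributes those requests to that service account, not to the person running the client.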
