
add support for auth providers #4

Merged
merged 2 commits into from
Nov 20, 2019

Conversation

rajatjindal
Owner

No description provided.

@rajatjindal rajatjindal mentioned this pull request Nov 20, 2019
@rajatjindal
Owner Author

requesting review from @ahmetb

@ahmetb

ahmetb commented Nov 20, 2019

I'm confident this is not how it's supposed to work.
You should be just doing `import _ "k8s.io/client-go/plugin/pkg/client/auth"`.

There's no guarantee that

  1. access-token will exist on gcp auth section (i.e. first-time use)
  2. access-token will be valid (i.e. long-time no use)

I highly discourage this approach.

@rajatjindal
Owner Author

Hi Ahmet

thanks for your feedback. I've already imported auth as you suggested, but it's still an issue (with the current implementation)

The problem is that we need the 'token' being used in the request to use the TokenReviewRequest API. I am trying to get it by injecting a custom http.RoundTripper now.

Is there a way to retrieve the effective token used in the request using client-go?

@rajatjindal
Owner Author

Hi Ahmet,

thanks for your valuable feedback. I've tried a different approach to make it work. Please let me know what you think about it.

Also following are results of some tests I did with this new approach:

with valid gcp token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
rajatjindal83@gmail.com
```

with invalid gcp token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context gke_kubectl-whoami-259606_asia-south1-a_kubectl-whoami
Error: Unauthorized
exit status 1
```

with minikube basic auth:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context default
kubecfg:basicauth:admin
```

with cert auth:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --context minikube
kubecfg:certauth:admin
```

with valid service account token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.[…].DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A --context minikube
system:serviceaccount:kube-system:replicaset-controller
```

with token of wrong cluster:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJyZXBsaWNhc2V0LWNvbnRyb2xsZXItdG9rZW4tcDVjc3oiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicmVwbGljYXNldC1jb250cm9sbGVyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDk4NmViZmUtOGFlMi00ZDc5LTkyNjYtYWNkZGRiMDIwOGNhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOnJlcGxpY2FzZXQtY29udHJvbGxlciJ9.DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMWGA6A
Unauthorized
Error: Unauthorized
exit status 1
```

with invalid token:

```
➜ kubectl-whoami git:(auth-providers) go run main.go --token eyJhbGciOiJSUzI1NiIsImtpZCI6IjNUdkxMTi1ESmt0SGRzY2JzY2dVZS1CY2E4UHhERFVlM1FXcE9WNjZ2YlUifQ.[…].DbUP2JNfHDA9mpv5FxMqknKR69zmfOslYN3-ORVenTuUMQezfMvmlzNQrBBwNOxMC12cr2LmN0OZKZWCb4yBVa3nxTKsRXrqzUYgHNYWMN6rpq68ZhMnT_3xcF_WQHCal1zhUSxIvMC167bBz1FCK01AzCU4UthGtXoeGe-Ufaec3KHqN1dbO0UBhZx5k0sQMrxj5kjeKukWCfqyUC5Fw75LvvfOPyRyxp-IOaamYo-6--VcoGTn5ECYlNbEowe8eVPHo4jyB81YK1F86qxhwrJT03gdQrrirqJXzw6rgXFZeWh9RgmKCEb2f00uUsSaH4SMyRAE8T8JIicaMW --context minikube
Error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
exit status 1
```

@ahmetb

ahmetb commented Nov 20, 2019

Please don’t put tokens on the internet like this :)

I think you should take the roundtripper approach and get the token from the header after a successful request. Don’t try to read token from kubeconfig; it won’t work easily.
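The round-tripper approach suggested in the comment above, as an added example that is not code from the kubectl-whoami project: a wrapping `http.RoundTripper` records the bearer token it sees on the `Authorization` header, but only after the server has answered 2xx, so an expired, stale or wrong-cluster token (the 401 cases in the test output above) is never reported as the caller's identity. The `fakeAuthPlugin` and the `httptest` server are constructed stand-ins for client-go's auth provider and for the API server; in real client-go the capturing transport would be installed through `rest.Config.WrapTransport`, which is applied inside the library's auth wrappers and therefore sees the header after the provider has set it.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// ErrNoToken is returned before any request has succeeded with a bearer token.
var ErrNoToken = errors.New("no bearer token observed on a successful request")

// tokenCapturingTransport wraps a RoundTripper and remembers the bearer token
// that the outer auth layer placed on the request, but only once the server
// accepted it (2xx). Reading the token from kubeconfig instead would miss
// provider-issued or refreshed tokens and would not tell us whether it works.
type tokenCapturingTransport struct {
	inner http.RoundTripper
	mu    sync.Mutex
	token string
}

func (t *tokenCapturingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.inner.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	// A 401 means the token the plugin produced is not valid for this
	// cluster; do not record it, so Token() keeps returning ErrNoToken.
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		if tok, ok := bearerFromHeader(req.Header.Get("Authorization")); ok {
			t.mu.Lock()
			t.token = tok
			t.mu.Unlock()
		}
	}
	return resp, nil
}

// Token returns the last bearer token seen on a successful request.
func (t *tokenCapturingTransport) Token() (string, error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.token == "" {
		return "", ErrNoToken
	}
	return t.token, nil
}

// bearerFromHeader extracts the token from an "Authorization: Bearer <tok>"
// value; the scheme comparison is case-insensitive as HTTP allows.
func bearerFromHeader(v string) (string, bool) {
	const prefix = "bearer "
	if len(v) <= len(prefix) || !strings.EqualFold(v[:len(prefix)], prefix) {
		return "", false
	}
	tok := strings.TrimSpace(v[len(prefix):])
	return tok, tok != ""
}

// fakeAuthPlugin is a constructed stand-in for a client-go auth provider: it
// stamps a bearer token on a clone of every outgoing request (RoundTrippers
// must not mutate the request they are handed).
type fakeAuthPlugin struct {
	inner http.RoundTripper
	token string
}

func (p fakeAuthPlugin) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+p.token)
	return p.inner.RoundTrip(r)
}

// newFakeAPIServer is a constructed stand-in for the API server: it accepts
// exactly one bearer token and answers 401 Unauthorized to anything else.
func newFakeAPIServer(accepted string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok, ok := bearerFromHeader(r.Header.Get("Authorization")); !ok || tok != accepted {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

// probe wires the capturer *inside* the auth plugin (the same ordering
// client-go uses for WrapTransport), sends one request and reports the
// captured token, the HTTP status and any capture error.
func probe(serverURL, pluginToken string) (string, int, error) {
	capture := &tokenCapturingTransport{inner: http.DefaultTransport}
	client := &http.Client{Transport: fakeAuthPlugin{inner: capture, token: pluginToken}}
	resp, err := client.Get(serverURL + "/api")
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()
	tok, err := capture.Token()
	return tok, resp.StatusCode, err
}

func main() {
	srv := newFakeAPIServer("constructed-sa-token")
	defer srv.Close()
	for _, t := range []string{"constructed-sa-token", "stale-token"} {
		tok, status, err := probe(srv.URL, t)
		fmt.Printf("plugin token=%q status=%d captured=%q err=%v\n", t, status, tok, err)
	}
}
```

The captured token is then what a TokenReview request would carry; because it is only recorded after a 2xx, the plugin reports "Unauthorized" for an invalid credential instead of passing an unusable token on to the review API.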

@rajatjindal
Owner Author

rajatjindal commented Nov 20, 2019

:) thanks for the tip, I am usually extra paranoid with credentials.

Also those tokens are from my minikube cluster which I already deleted so should be fine.

(but given how easy it is to make that mistake, thank you again for the reminder to not put tokens on the public internet)

I've updated the PR to use the round-tripper approach. Seems to work fine. If there are no other concerns, I will merge the code and cut a new release.

Thanks again

@rajatjindal rajatjindal merged commit 00668a5 into master Nov 20, 2019