kubectl-login's People

Contributors

bsctl, maxgio92, prometherion

kubectl-login's Issues

Missing profile scope in OIDC token request

Missing profile scope in OIDC token request. Currently only these scopes are sent: `qs.Set("scope", "openid+groups+offline_access")`. The profile scope is used to return claims that represent basic profile information, including name, family_name, given_name, middle_name, nickname, picture, and updated_at.

The name of the server in the `kubeconfig` file gets overwritten after login

After merging #17 there is an issue: the name of the server in the kubeconfig file gets overwritten after login.

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://cmp.clastix.io:9443
  name: kubernetes         # <<< here
contexts:
- context:
    cluster: kubernetes
    user: oidc
  name: oidc
current-context: oidc
kind: Config
preferences: {}
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - login
      - get-token
      command: kubectl
      env: null
      provideClusterInfo: false

The server is always named kubernetes in the merged kubeconfig file. If there is another server in the current kubeconfig file already called kubernetes, it will be overwritten. What about taking the name from the --k8s-api-server option value? Or better, from the kubeconfig cluster-info API?
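The naming proposal above, sketched as an added example (not kubectl-login's code): the cluster name is derived from the API server URL, and an existing entry that points at a different server is never replaced. The `cluster` type and the `nameFor` and `merge` helpers are hypothetical, and the existing kubeconfig state is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// cluster mirrors the two kubeconfig cluster fields that matter here.
type cluster struct {
	Server   string
	Insecure bool
}

// nameFor (hypothetical) derives a cluster name from the API server URL.
func nameFor(apiServer string) (string, error) {
	u, err := url.Parse(apiServer)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("invalid API server URL %q", apiServer)
	}
	return strings.NewReplacer(":", "-", ".", "-").Replace(u.Host), nil
}

// merge adds c under a URL-derived name and never replaces an entry pointing elsewhere.
func merge(clusters map[string]cluster, c cluster) (string, error) {
	base, err := nameFor(c.Server)
	if err != nil {
		return "", err
	}
	name := base
	for i := 2; ; i++ {
		cur, taken := clusters[name]
		if !taken || cur.Server == c.Server {
			clusters[name] = c
			return name, nil
		}
		name = fmt.Sprintf("%s-%d", base, i) // name taken by another server: add a suffix
	}
}

func main() {
	// Constructed kubeconfig state: an unrelated cluster already named "kubernetes".
	clusters := map[string]cluster{"kubernetes": {Server: "https://10.0.0.1:6443"}}
	name, _ := merge(clusters, cluster{Server: "https://cmp.clastix.io:9443", Insecure: true})
	fmt.Println(name, clusters["kubernetes"].Server)
}
```

Keeping the old entry intact matters beyond convenience: a silently replaced cluster entry repoints every context that references it, here at a server configured with `insecure-skip-tls-verify: true`.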

The kubeconfig file is not created

In some conditions the output kubeconfig file is not created. After a successful login, the .kubectl-login.yaml is created but the kubeconfig is missing. When this happens, the login process seems to terminate abruptly.

kubectl-login --k8s-api-server=https://REDACTED \
--oidc-server=https://REDACTED \
--oidc-insecure-skip-tls-verify \
--oidc-client-id=REDACTED

Proceed to login to the following link using your browser:

REDACTED

Type the verification code: REDACTED
User input code is REDACTED

I noticed that this always happens when running the command from a remote SSH session on a CentOS 7 machine. It does not happen when running the command from a remote SSH session on an Ubuntu machine.

Which debug option should we enable in order to understand the issue?

Kubectl-login error in case of wrong --oidc-server parameter

Hi!
I just found this little problem with the --oidc-server parameter.

If I submit the --oidc-server parameter with the URL of a non-existent IDP

E.g.: --oidc-server=https://"Wrong Url Oidc Server"/auth/realms/domain/

Or, in the case of a Keycloak IDP, I submit the --oidc-server parameter without specifying the complete URL path to the OIDC domain:

E.g.: --oidc-server=https://"Right Url Oidc Server"

I get the error below and kubectl-login exits:

```
2021-01-29T12:06:51.567+0100 INFO cmd/root.go:105 Starting the login procedure
2021-01-29T12:06:51.568+0100 INFO actions/oidc_config.go:63 Starting OIDC login with PKCE
2021-01-29T12:06:51.568+0100 INFO actions/oidc_config.go:74 Getting OIDC configuration from the server {"OIDCServer": "https://XXX.XXX.XXX.XXXX"}
2021-01-29T12:06:51.613+0100 ERROR actions/oidc_config.go:87 Cannot unmarshal OIDC configuration {"OIDCServer": "https://XXX.XXX.XXX.XXXX", "error": "invalid character '<' looking for beginning of value"}
github.com/clastix/kubectl-login/internal/actions.PKCELogin.GetOpenIDConfig
/home/runner/work/kubectl-login/kubectl-login/internal/actions/oidc_config.go:87
github.com/clastix/kubectl-login/internal/actions.PKCELogin.Handle
/home/runner/work/kubectl-login/kubectl-login/internal/actions/oidc_config.go:65
github.com/clastix/kubectl-login/cmd.glob..func3
/home/runner/work/kubectl-login/kubectl-login/cmd/root.go:116
github.com/spf13/cobra.(*Command).execute
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:850
github.com/spf13/cobra.(*Command).ExecuteC
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:958
github.com/spf13/cobra.(*Command).Execute
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
github.com/clastix/kubectl-login/cmd.Execute
/home/runner/work/kubectl-login/kubectl-login/cmd/root.go:237
main.main
/home/runner/work/kubectl-login/kubectl-login/main.go:21
runtime.main
/opt/hostedtoolcache/go/1.14.14/x64/src/runtime/proc.go:203
Error: invalid character '<' looking for beginning of value
invalid character '<' looking for beginning of value
```
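The `invalid character '<'` message in the report above is what Go's JSON decoder returns when the body it is given starts with HTML. The following added example (not kubectl-login's code) shows a discovery fetch that checks the HTTP status, the content type and the `issuer` value before trusting the document. `fetchDiscovery` and `newFakeIDP` are hypothetical names, and the fake identity provider and its realm path are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// fetchDiscovery (hypothetical) accepts only a JSON document issued for exactly this issuer.
func fetchDiscovery(c *http.Client, issuer string) (map[string]interface{}, error) {
	issuer = strings.TrimSuffix(issuer, "/")
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return nil, fmt.Errorf("OIDC server %q unreachable: %w", issuer, err)
	}
	defer resp.Body.Close()
	mt, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if resp.StatusCode != http.StatusOK || mt != "application/json" {
		return nil, fmt.Errorf("%q is not an OIDC issuer URL (HTTP %d, %q); is the realm path missing?", issuer, resp.StatusCode, mt)
	}
	var doc map[string]interface{}
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil || doc["issuer"] != issuer {
		// OIDC Discovery requires the document's issuer to match the requested one.
		return nil, fmt.Errorf("invalid discovery document for %q (decode error: %v)", issuer, err)
	}
	return doc, nil
}

// newFakeIDP is a constructed stand-in IDP: HTML everywhere except under one realm path.
func newFakeIDP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/auth/realms/domain/.well-known/openid-configuration" {
			fmt.Fprint(w, "<html>Welcome</html>") // net/http sniffs this as text/html
			return
		}
		iss := "http://" + r.Host + "/auth/realms/domain"
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"issuer": iss, "token_endpoint": iss + "/token"})
	}))
}

func main() {
	srv := newFakeIDP()
	defer srv.Close()
	fmt.Println(fetchDiscovery(srv.Client(), srv.URL)) // base URL without realm: rejected
}
```

The issuer comparison is the part with security weight: a document that names a different issuer than the one requested should not be used to locate the authorization and token endpoints.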

Logout feature

Describe the feature

Hi @prometherion
It would be nice for a user already logged in with kubectl-login integrated with an OIDC provider to have an option to log out and invalidate the OIDC session.

What would the new user story look like?

As a normal user, I complete a login process with kubectl-login on an OIDC provider on a temporary workstation.
After completing my tasks, I do a kubectl-login -r (?) or something else and invalidate the session on the OIDC cluster.

Upgrade to Go 1.16

As reported in the goreleaser output:

      • building binaries
         • DEPRECATED: skipped darwin/arm64 build on Go < 1.16 for compatibility, check https://goreleaser.com/deprecations/#builds-for-darwinarm64 for more info.

Automatically export KUBECONFIG environment

Describe the feature

Hi all.
I would very much like a feature that automatically exports the KUBECONFIG for the user after completing the login process.

What would the new user story look like?

Once a user has completed the login process, kubectl-login automatically exports the KUBECONFIG for the user, instead of asking the user to export it with the command "export KUBECONFIG=oidc.kubeconfig".
