clastix / kubectl-login
kubectl login manager
License: Apache License 2.0
The Go HTTP client has no timeout by default.
Specify a reasonable value, as well as making it configurable via a CLI flag.
Also, set up a Make
to ensure everything is working fine without the need to raise a PR.
Would be nice having that kind of check at PR time.
Missing `profile` scope in OIDC token request. Currently only these scopes are sent: `qs.Set("scope", "openid+groups+offline_access")`. The `profile` scope is used to return claims that represent basic profile information, including `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `picture`, and `updated_at`.
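An added example, not taken from the kubectl-login code base: an authorization request that carries the `profile` scope together with a PKCE S256 challenge. The helper names, endpoint, client ID and redirect URI are constructed; with Go's `url.Values`, scopes joined by spaces are written as `+` by `Encode()`, whereas a literal `+` inside the value would be sent as `%2B`.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// NewVerifier returns a random PKCE code_verifier (43 base64url characters).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthURL is a hypothetical helper: it builds an authorization-code request
// with PKCE. Scopes are space-delimited; Encode() emits the spaces as "+".
func AuthURL(endpoint, clientID, redirect, verifier string, scopes []string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(verifier)) // S256: BASE64URL(SHA256(verifier))
	qs := url.Values{}
	qs.Set("response_type", "code")
	qs.Set("client_id", clientID)
	qs.Set("redirect_uri", redirect)
	qs.Set("scope", strings.Join(scopes, " "))
	qs.Set("code_challenge_method", "S256")
	qs.Set("code_challenge", base64.RawURLEncoding.EncodeToString(sum[:]))
	u.RawQuery = qs.Encode()
	return u.String(), nil
}

func main() {
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	// Constructed endpoint, client ID and redirect URI.
	u, _ := AuthURL("https://idp.example/auth", "kubectl", "https://idp.example/cb", v,
		[]string{"openid", "groups", "offline_access", "profile"})
	fmt.Println(u)
}
```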
After merging #17 there is an issue: the name of the server in the `kubeconfig` file gets overwritten after login.
```yaml
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://cmp.clastix.io:9443
  name: kubernetes # <<< here
contexts:
- context:
    cluster: kubernetes
    user: oidc
  name: oidc
current-context: oidc
kind: Config
preferences: {}
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - login
      - get-token
      command: kubectl
      env: null
      provideClusterInfo: false
```
The server is always named `kubernetes` in the merged `kubeconfig` file. If there is another server in the current `kubeconfig` file already called `kubernetes`, it will be overwritten. What about taking the name from the `--k8s-api-server` option value? Or better, from the kubeconfig `cluster-info` API?
In some conditions the output `kubeconfig` file is not created. After a successful login, the `.kubectl-login.yaml` is created but the `kubeconfig` is missing. When this happens, the login process seems to terminate abruptly.
```
kubectl-login --k8s-api-server=https://REDACTED \
  --oidc-server=https://REDACTED \
  --oidc-insecure-skip-tls-verify \
  --oidc-client-id=REDACTED
Proceed to login to the following link using your browser:
REDACTED
Type the verification code: REDACTED
User input code is REDACTED
```
I noted that this always happens when running the command from a remote ssh session on a CentOS 7 machine. It does not happen when running the command from a remote ssh session on an Ubuntu machine.
Which debug option should we enable in order to understand the issue?
Hi!
I just found this little problem with the parameter `--oidc-server`.
If I submit the parameter `--oidc-server` with the URL of a non-existent IDP,
e.g.: `--oidc-server=https://"Wrong Url Oidc Server"/auth/realms/domain/`
or, in the case of a Keycloak IDP, I submit the parameter `--oidc-server` without specifying the complete URL path to the OIDC domain,
e.g.: `--oidc-server=https://"Right Url Oidc Server"`
I get the error below and kubectl-login exits:
```
2021-01-29T12:06:51.567+0100 INFO cmd/root.go:105 Starting the login procedure
2021-01-29T12:06:51.568+0100 INFO actions/oidc_config.go:63 Starting OIDC login with PKCE
2021-01-29T12:06:51.568+0100 INFO actions/oidc_config.go:74 Getting OIDC configuration from the server {"OIDCServer": "https://XXX.XXX.XXX.XXXX"}
2021-01-29T12:06:51.613+0100 ERROR actions/oidc_config.go:87 Cannot unmarshal OIDC configuration {"OIDCServer": "https://XXX.XXX.XXX.XXXX", "error": "invalid character '<' looking for beginning of value"}
github.com/clastix/kubectl-login/internal/actions.PKCELogin.GetOpenIDConfig
    /home/runner/work/kubectl-login/kubectl-login/internal/actions/oidc_config.go:87
github.com/clastix/kubectl-login/internal/actions.PKCELogin.Handle
    /home/runner/work/kubectl-login/kubectl-login/internal/actions/oidc_config.go:65
github.com/clastix/kubectl-login/cmd.glob..func3
    /home/runner/work/kubectl-login/kubectl-login/cmd/root.go:116
github.com/spf13/cobra.(*Command).execute
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:850
github.com/spf13/cobra.(*Command).ExecuteC
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:958
github.com/spf13/cobra.(*Command).Execute
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
github.com/clastix/kubectl-login/cmd.Execute
    /home/runner/work/kubectl-login/kubectl-login/cmd/root.go:237
main.main
    /home/runner/work/kubectl-login/kubectl-login/main.go:21
runtime.main
    /opt/hostedtoolcache/go/1.14.14/x64/src/runtime/proc.go:203
Error: invalid character '<' looking for beginning of value
invalid character '<' looking for beginning of value
```
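An added example (not the project's code) covering the failure in the log above and the earlier note that Go's HTTP client has no default timeout: the discovery fetch checks the status and `Content-Type` before decoding, so an HTML reply produces an actionable error instead of `invalid character '<'`, and the client carries an explicit `Timeout`. `FetchIssuer`, `fakeIdP`, `ErrNotDiscovery` and the `idp.example` / `slow.example` hosts are hypothetical; the transport is a constructed stand-in so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// fakeIdP is a constructed stand-in for the network so this runs offline.
type fakeIdP struct{}

func (fakeIdP) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.URL.Host == "slow.example" { // never answers; released by Client.Timeout
		<-r.Context().Done()
		return nil, r.Context().Err()
	}
	body, ctype := "<html>login page</html>", "text/html" // any non-issuer path
	if strings.HasPrefix(r.URL.Path, "/auth/realms/domain/") {
		body, ctype = `{"issuer":"https://idp.example/auth/realms/domain"}`, "application/json"
	}
	return &http.Response{StatusCode: 200, Header: http.Header{"Content-Type": {ctype}},
		Body: io.NopCloser(strings.NewReader(body)), Request: r}, nil
}

var ErrNotDiscovery = fmt.Errorf("not an OIDC discovery document")

// FetchIssuer is a hypothetical helper, not the project's GetOpenIDConfig.
func FetchIssuer(c *http.Client, server string) (string, error) {
	resp, err := c.Get(strings.TrimSuffix(server, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return "", err // includes expiry of Client.Timeout
	}
	defer resp.Body.Close()
	if ct := resp.Header.Get("Content-Type"); resp.StatusCode != 200 || !strings.HasPrefix(ct, "application/json") {
		return "", fmt.Errorf("%w: %s answered HTTP %d, %q", ErrNotDiscovery, server, resp.StatusCode, ct)
	}
	var doc struct{ Issuer string `json:"issuer"` }
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&doc); err != nil {
		return "", fmt.Errorf("%w: %v", ErrNotDiscovery, err)
	}
	return doc.Issuer, nil
}

func main() {
	c := &http.Client{Timeout: 200 * time.Millisecond, Transport: fakeIdP{}}
	for _, s := range []string{"https://idp.example/auth/realms/domain/", "https://idp.example", "https://slow.example"} {
		fmt.Println(FetchIssuer(c, s))
	}
}
```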
Describe the feature
Hi @prometherion
It would be nice for an already logged-in user, with kubectl-login integrated with an OIDC provider, to have an option to log out and invalidate the OIDC session.
What would the new user story look like?
As a normal user, I complete a login process with kubectl-login on an OIDC provider on a temporary workstation.
After completing my tasks, I do a `kubectl-login -r` (?) or something else and invalidate the session on the OIDC cluster.
As reported in the `goreleaser` output:
• building binaries
• DEPRECATED: skipped darwin/arm64 build on Go < 1.16 for compatibility, check https://goreleaser.com/deprecations/#builds-for-darwinarm64 for more info.
Describe the feature
Hi all.
I would really like a feature that automatically exports the KUBECONFIG for the user after completing the login process.
What would the new user story look like?
Once a user has completed the login process, kubectl-login automatically exports the KUBECONFIG for the user, instead of asking the user to export it with the command "export KUBECONFIG=oidc.kubeconfig".