Update instructions to use the kubelogin plugin

The kubelogin plugin allows an auto-refresh workflow if the token has expired.
getditto · Dec 13, 2023 · 0d18f0a · 0d18f0a
1 parent ab2e72d
commit 0d18f0a
Show file tree

Hide file tree

Showing 6 changed files with 142 additions and 75 deletions.
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
@@ -101,7 +101,7 @@ jobs:
         uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
         with:
           context: .
-          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           build-args: |
             BASE_IMAGE=${{ matrix.variant }}

diff --git a/Justfile b/Justfile
@@ -0,0 +1,50 @@
+GONAME         := "dex-k8s-authenticator"
+TAG            := "latest"
+E2E_GITHUB_SHA := `openssl rand -hex 4`
+KIND_NODE_IP   := `kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}"`
+
+all: build 
+
+build:
+	@echo "Building go binary ./bin/{{GONAME}}"
+	go build -o bin/{{GONAME}} *.go
+
+alias docker := container
+container:
+	@echo "Building container image"
+	docker build -t getditto/{{GONAME}}:{{TAG}} .
+
+clean:
+	@echo "Cleaning"
+	go clean
+	rm -rf ./bin
+
+lint:
+	golangci-lint run
+
+lint-fix: lint
+	golangci-lint run --fix
+
+up:
+	docker build -t getditto/dex-k8s-authenticator:{{E2E_GITHUB_SHA}} .
+	kind load docker-image getditto/dex-k8s-authenticator:{{E2E_GITHUB_SHA}}
+
+	echo {{KIND_NODE_IP}}
+	NODE_IP={{KIND_NODE_IP}} CI_TAG={{E2E_GITHUB_SHA}} envsubst < ./tests/e2e/helm/dex-overrides.yaml > /tmp/dex-overrides.yaml
+	NODE_IP={{KIND_NODE_IP}} CI_TAG={{E2E_GITHUB_SHA}} envsubst < ./tests/e2e/helm/dex-k8s-auth-overrides.yaml > /tmp/dex-k8s-auth-overrides.yaml
+
+	helm repo add dexidp https://charts.dexidp.io || true
+	helm template -f /tmp/dex-overrides.yaml dex dexidp/dex | kubectl apply -f -
+	kubectl describe deployment dex
+	kubectl rollout status deploy dex -w
+
+	helm template -f /tmp/dex-k8s-auth-overrides.yaml dex-k8s-authenticator ./charts/dex-k8s-authenticator | kubectl apply -f -
+	kubectl describe deployment dex-k8s-authenticator
+	kubectl rollout status deploy dex-k8s-authenticator -w
+
+alias pf := portforward
+alias port-forward := portforward
+
+portforward:
+	kubectl port-forward deployment/dex-k8s-authenticator 5555 5555
+
diff --git a/charts/dex-k8s-authenticator/values.yaml b/charts/dex-k8s-authenticator/values.yaml
@@ -7,7 +7,7 @@ global:
 replicaCount: 1
 
 image:
-  repository: ghcr.io/sl1pm4t/dex-k8s-authenticator
+  repository: ghcr.io/getditto/dex-k8s-authenticator
   tag: 2.0.0
   pullPolicy: Always
 

diff --git a/templates/linux-mac-common.html b/templates/linux-mac-common.html
@@ -1,94 +1,76 @@
 {{ define "linux-mac-common" }}
-  {{ if .IDPCaURI }}
-    <h3>Copy IDP CA Certificate From URL</h3>
 
-    <p>Copy this CA Certificate and download it to your .kube directory</p>
-    <div class="command">
+  <div>
+  <h2>Install kubelogin plugin</h2>
+  <a title="kubelogin" href="https://github.com/int128/kubelogin">https://github.com/int128/kubelogin</a>
 
-      <button class="btn" style="float:right" data-clipboard-snippet="">
-        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
-      </button>
-      <pre><code>curl --create-dirs -s {{ .IDPCaURI }} -o ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt</code></pre>
-    </div>
-  {{ end }}
+  <p>The kubelogin plugin streamlines OIDC authentication from the command line.</p>
+  <p>
+  When you run kubectl, kubelogin opens the browser and you can log in to the provider. 
+  Then kubelogin gets a token from the provider and kubectl can access Kubernetes APIs with the token.
+  </p>
 
-  {{ if .IDPCaPem }}
-    <h3>Copy IDP CA Certificate From PEM</h3>
-
-    <p>Put the CA Certificate into your .kube directory</p>
-
-    <div class="command">
-
-      <button class="btn" style="float:right" data-clipboard-snippet="">
-        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
-      </button>
-      <pre><code>mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ &amp;&amp; cat &lt;&lt; EOF &gt; ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
-{{ .IDPCaPem }}
-EOF</code></pre>
-    </div>
-  {{ end }}
-
-
-  {{ if .K8sCaURI }}
-    <h3>Copy Kubernetes CA Certificate From URL</h3>
-
-    <p>Copy this CA Certificate and download it to your .kube directory</p>
-    <div class="command">
-
-      <button class="btn" style="float: right" data-clipboard-snippet="">
-        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
-      </button>
-      <pre><code>curl --create-dirs -s {{ .K8sCaURI }} -o ${HOME}/.kube/certs/{{ .ClusterName }}/k8s-ca.crt</code></pre>
-    </div>
-  {{ end }}
-
-  {{ if .K8sCaPem }}
-    <h3>Copy Kubernetes CA Certificate From PEM</h3>
-
-    <p>Put the CA Certificate into your .kube directory</p>
+  <p>
+    <b> * Install with brew:</b>
+  </p>
+  <div class="command">
+    <button class="btn" style="float:right" data-clipboard-snippet="">
+      <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
+    </button>
+    <pre><code> brew install int128/kubelogin/kubelogin </pre></code>
+  </div>
 
-    <div class="command">
+  <p>
+    <b> * Install with krew:</b>
+  </p>
+  <p><i>krew</i> is a plugin manager for <tt>kubectl</tt></p>
+  <div class="command">
+    <button class="btn" style="float:right" data-clipboard-snippet="">
+      <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
+    </button>
+    <pre><code>kubectl krew install oidc-login</pre></code>
+  </div>
 
-      <button class="btn" style="float:right" data-clipboard-snippet="">
-        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
-      </button>
-      <pre><code>mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ &amp;&amp; cat &lt;&lt; EOF &gt; ${HOME}/.kube/certs/{{ .ClusterName }}/k8s-ca.crt
-{{ .K8sCaPem }}
-EOF</code></pre>
-    </div>
-  {{ end }}
+  </div>
 
-  <h3>Run configuration commands</h3>
+  <h2>Add / Update kubeconfig context</h2>
 
-  <p>These commands will update <tt>~/.kube/config</tt></p>
+  <p>These commands will update <tt>~/.kube/config</tt>. Use <tt>--kubeconfig=xyz</tt> to update a different config file.</p>
 
+  <p><b>Create / Update cluster settings in kubeconfig:</b></p>
   <div class="command">
-
     <button class="btn" style="float:right" data-clipboard-snippet="">
       <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt="">
     </button>
-  <pre><code>kubectl config set-cluster {{ .ClusterName }} \
-  {{- if or .K8sCaPem .K8sCaURI }}
-    --certificate-authority=${HOME}/.kube/certs/{{ .ClusterName}}/k8s-ca.crt \
+    <pre><code>{{- if or .K8sCaPem -}}
+  # API Server CA Certificate
+  K8S_CA_CERT="{{.K8sCaPem}}"
+
+{{ end }} kubectl config set-cluster {{ .ClusterName }} \
+  {{- if .K8sCaPem }}
+  --certificate-authority <(echo -n $K8S_CA_CERT) \
+  --embed-certs=true \
   {{- end }}
-    --server={{ .K8sMasterURI }}</code></pre>
+  --server={{ .K8sMasterURI }}</code></pre>
   </div>
 
   <div class="command">
-
     <button class="btn" style="float:right" data-clipboard-snippet="">
       <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
     </button>
-  <pre><code>kubectl config set-credentials {{ .Username }}-{{ .ClusterName }} \
-    --auth-provider=oidc \
-    --auth-provider-arg="idp-issuer-url={{ .Issuer }}" \
-    --auth-provider-arg="client-id={{ .ClientID }}" \
-    --auth-provider-arg="client-secret={{ .ClientSecret }}" \
-    --auth-provider-arg="refresh-token={{ .RefreshToken }}" \
-    --auth-provider-arg="id-token={{ .IDToken }}"
-  {{- if or (.IDPCaURI) (.IDPCaPem) }} \
-    --auth-provider-arg=idp-certificate-authority=${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
-  {{- end }}</code></pre>
+    <pre><code>kubectl config set-credentials {{ .Username }}-{{ .ClusterName }} \
+      --exec-api-version=client.authentication.k8s.io/v1beta1 \
+      --exec-command=kubectl \
+      --exec-arg=oidc-login \
+      --exec-arg=get-token \
+      --exec-arg=--listen-address=127.0.0.1:18000 \
+      --exec-arg=--oidc-issuer-url={{ .Issuer }} \
+      --exec-arg=--oidc-client-id={{ .ClientID }} \
+  {{- if .ClientSecret }}
+      --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
+  {{- end }}
+      --exec-arg=--oidc-extra-scope=email \
+      --exec-arg=--oidc-extra-scope=groups</code></pre>
   </div>
 
   <div class="command">

diff --git a/templates/mac-tab.html b/templates/mac-tab.html
@@ -8,7 +8,11 @@ <h3>Install and Set Up kubectl</h3>
   {{ if .KubectlVersion }}
   <p>
   Download kubectl:
-  <a title="Download kubectl" href="https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/amd64/kubectl">
+  <a title="Apple Silicon" href="https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/amd64/kubectl">
+    https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/arm64/kubectl
+  </a>
+
+  <a title="Intel" href="https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/amd64/kubectl">
     https://storage.googleapis.com/kubernetes-release/release/{{.KubectlVersion}}/bin/darwin/amd64/kubectl
   </a>
   </p>

diff --git a/tests/e2e/helm/dex-k8s-auth-overrides.yaml b/tests/e2e/helm/dex-k8s-auth-overrides.yaml
@@ -19,7 +19,38 @@ dexK8sAuthenticator:
     k8s_master_uri: https://my-cluster.example.com
     client_id: my-cluster
     redirect_uri: http://${NODE_IP}:30000/callback/my-cluster
-    k8s_ca_uri: https://url-to-your-ca.crt
+    k8s_ca_pem: |-
+      -----BEGIN CERTIFICATE-----
+      MIIFTjCCBDagAwIBAgIQBHr3lUfAfQ/vgKWyH1HjYzANBgkqhkiG9w0BAQsFADCB
+      kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+      A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
+      BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
+      QTAeFw0xODAzMTIwMDAwMDBaFw0yMDAzMTEyMzU5NTlaMFIxITAfBgNVBAsTGERv
+      bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxFzAV
+      BgNVBAMTDmFjcy5xYWNhZmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+      CgKCAQEA6/61GhYNST8VGJlE62Pv5H7e95EqLzydQ1diUpIXpkgL3oZDa3dcd50F
+      bGTrlvqXyPmTPnI8xITz4phgnBeSvwESoyBpGRY5HEgL4NvivNBIV02mDRqhOlEl
+      tdkcYbo0t3ZWFXJ+aesHDyA++UFWixtR61XNnGGhyKFCH26HXqEbaBHlTmY2fEos
+      I+SYcTH3DCjuHWWZHR9AHtq1pN5bbY3DNTsGtF2CpmEnKSWrcRJxnAz2aMFUWDod
+      oc7qEKYt4Er19EW0LSU39Q6ywwMfNXNZRjZqc6IsP3DI5CZJoyCPOHxV0C71iiQA
+      e842jWBae8VLZs1J0OZRbbWeqGgGeQIDAQABo4IB3zCCAdswHwYDVR0jBBgwFoAU
+      kK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFMwxDzaFkpGoDWFGnpz+niNC
+      udaSMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
+      AQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYI
+      KwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAEC
+      ATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01P
+      RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEF
+      BQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NP
+      TU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYB
+      BQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAtBgNVHREEJjAkgg5hY3Mu
+      cWFjYWZlLmNvbYISd3d3LmFjcy5xYWNhZmUuY29tMA0GCSqGSIb3DQEBCwUAA4IB
+      AQBE/SmWs8rJthBedEAUaqDEQSFbFgviE+uKJRlfMHMPK55oe2c7cdujcpFS2wKM
+      E7P9cS5KTNECbn4fDgrPuylxkUKK6GiPorTWUuT0k98TmKRY5nfkeIaurXO3bUMl
+      3R+SwDaXBCqHQIcWFsN5ExCiLqDLJw/uxloaW1Vbt50gEnyLDSAyPozBWlYxJw77
+      TNd6rcUiWK2Xx711FLvnWPXI9kn4Q2gTLtQ6ZwIT6DVQBd/ZMpDhxruwqlL7Tx+S
+      3dNVeihnkb7AXLd7dDcO2Gk29XS5o2F8KTE+i1Gi3/z03EiTRsmyNTBsSGYqbvVv
+      F9crB7TEuWdlZxrYdoCP//3v
+      -----END CERTIFICATE-----
 
 ingress:
   enabled: true