kind: ClientConfig, stored in .kube/config as YAML, looks like:
kind: ClientConfig
apiVersion: authentication.gke.io/v2alpha1
spec:
  name: dev-corp
  server: https://10.x.x.x:443
  certificateAuthorityData: ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
  authentication:
  - name: oidc
    oidc:
      clientID: aaaaad3-9aa1-33c8-dd0-ddddd6b5bf5
      clientSecret: ccccccccccccccccc-
      issuerURI: https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0
      kubectlRedirectURI: http://localhost:12345/callback
      cloudConsoleRedirectURI: http://console.cloud.google.com/kubernetes/oidc
      scopes: offline_access,profile
      userClaim: upn
      userPrefix: '-'
      groupsClaim: groups
  preferredAuthentication: oidc
With kubectl, the above config is used as:
$ gcloud components install kubectl
All components are up to date.
$
$ kubectl oidc login --login-config ~/.kube/config --cluster dev-corp
to authenticate, and then to talk to the cluster (as shown below):
kubectl get ns
kubectl is also a Go-based tool, which is able to load the config from --login-config and then authenticate.
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.12-dispatcher-dirty", GitCommit:"fde00375407ad0afadd681a3505054ec83f935ec", GitTreeState:"dirty", BuildDate:"2022-07-19T19:06:19Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5-gke.1200", GitCommit:"90a16981ade07f163a0233adb631b42ac1fc53ff", GitTreeState:"clean", BuildDate:"2021-10-04T09:25:23Z", GoVersion:"go1.16.7b7", Compiler:"gc", Platform:"linux/amd64"}
In our scenario, the above configuration is actually stored in a database (a MongoDB collection):
[
  {
    "apiVersion": "authentication.gke.io/v2alpha1",
    "name": "dev-corp",
    "server": "https://10.x.x.23:443",
    "certificateAuthorityData": "ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
    "clientID": "aaaaad3-9aa1-33c8-dd0-ddddd6b5bf5",
    "clientSecret": "ccccccccccccccccc-",
    "issuerURI": "https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0",
    "kubectlRedirectURI": "http://localhost:12345/callback",
    "cloudConsoleRedirectURI": "http://console.cloud.google.com/kubernetes/oidc",
    "scopes": "offline_access,profile",
    "userClaim": "upn",
    "userPrefix": "-",
    "groupsClaim": "groups",
    "preferredAuthentication": "oidc"
  },
  {
    "apiVersion": "authentication.gke.io/v2alpha1",
    "name": "test-corp",
    "server": "https://10.x.x.24:443",
    "certificateAuthorityData": "dddddddddddddddddddddddddfeeeeeeeeeeeeeeeeeeeeeeeeeeeccccccccccccccc",
    "clientID": "bbbbb3-9aa1-33c8-dd0-ddddd6b5bf5",
    "clientSecret": "eeeeecccccccccc-",
    "issuerURI": "https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0",
    "kubectlRedirectURI": "http://localhost:12345/callback",
    "cloudConsoleRedirectURI": "http://console.cloud.google.com/kubernetes/oidc",
    "scopes": "offline_access,profile",
    "userClaim": "upn",
    "userPrefix": "-",
    "groupsClaim": "groups",
    "preferredAuthentication": "oidc"
  }
]
After loading the above data (from MongoDB) into a cache (the user-defined struct shown below):
package main

// Assumption: Endpoint is golang.org/x/oauth2's Endpoint type (the field comments
// below are taken from oauth2.Config), imported so the struct compiles as shown.
import "golang.org/x/oauth2"

type ClientConfig struct {
	// ClientID is the application's ID.
	ClientID string
	// ClientSecret is the application's secret.
	ClientSecret string
	// Endpoint contains the resource server's token endpoint
	// URLs. These are constants specific to each server and are
	// often available via site-specific packages, such as
	// google.Endpoint or github.Endpoint.
	Endpoint oauth2.Endpoint
	// RedirectURL is the URL to redirect users going through
	// the OAuth flow, after the resource owner's URLs.
	RedirectURL string
	// Scope specifies optional requested permissions.
	Scopes []string

	ApiVersion               string
	ServerName               string // "dev-corp" in above case
	ServerURL                string // "https://10.x.x.24:443"
	CertificateAuthorityData string
	CloudConsoleRedirectURI  string
	UserClaim                string
	UserPrefix               string
	GroupsClaim              string
	PreferredAuthentication  string
}
kubectl is able to load this config with the --login-config option.
How can I load the config from the cache and authenticate with a Kubernetes cluster (in Google Cloud)? The goal is to manage the cluster using the Kubernetes API. oidc-auth-plugin has no support for loading this config.
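One way to do the first step the question asks for, turning a cached MongoDB document into a validated client configuration, as an added example that is neither the asker's code nor the Anthos plugin's own logic. The sampleDoc values, the cacheDoc helper type and the FromCacheDoc function are assumptions of this example; the document shape and field names follow the collection shown above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// sampleDoc is a constructed document in the shape of the MongoDB collection above;
// every value is a placeholder (the CA data is the base64 of a dummy string).
const sampleDoc = `{"name": "dev-corp", "server": "https://10.0.0.23:443",
  "certificateAuthorityData": "UExBQ0VIT0xERVItQ0EtUEVN", "clientID": "client-id-placeholder",
  "clientSecret": "client-secret-placeholder", "scopes": "offline_access,profile",
  "issuerURI": "https://login.microsoftonline.com/tenant-id-placeholder/v2.0",
  "kubectlRedirectURI": "http://localhost:12345/callback", "preferredAuthentication": "oidc"}`
// cacheDoc mirrors one flat document; encoding/json maps the camelCase keys
// ("clientID", "issuerURI", ...) onto these fields case-insensitively.
type cacheDoc struct {
	Name, Server, CertificateAuthorityData, ClientID, ClientSecret string
	IssuerURI, KubectlRedirectURI, Scopes                          string
}
// ClientConfig keeps the login-relevant fields of the cache struct from the question;
// Endpoint has the shape of oauth2.Endpoint and is filled later from OIDC discovery.
type ClientConfig struct {
	ClientID, ClientSecret, RedirectURL, ServerName, ServerURL, IssuerURI string
	Scopes                                                                []string
	Endpoint                                                              struct{ AuthURL, TokenURL string }
	CAData                                                                []byte // decoded PEM bundle
}
// FromCacheDoc validates and converts a cached document: non-https API servers are
// rejected (a bearer token must never travel in the clear), the base64 CA bundle is
// decoded, and "openid" is prepended to the scope list so the issuer returns an ID token.
func FromCacheDoc(raw []byte) (*ClientConfig, error) {
	var d cacheDoc
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	if u, err := url.Parse(d.Server); err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("server %q is not an https URL", d.Server)
	}
	ca, err := base64.StdEncoding.DecodeString(d.CertificateAuthorityData)
	if err != nil {
		return nil, fmt.Errorf("certificateAuthorityData: %w", err)
	}
	return &ClientConfig{ClientID: d.ClientID, ClientSecret: d.ClientSecret,
		RedirectURL: d.KubectlRedirectURI, ServerName: d.Name, ServerURL: d.Server,
		IssuerURI: d.IssuerURI, CAData: ca,
		Scopes: append([]string{"openid"}, strings.Split(d.Scopes, ",")...)}, nil
}
```

ServerURL, CAData and the ID token obtained from the issuer map onto client-go's rest.Config fields Host, TLSClientConfig.CAData and BearerToken; Endpoint is filled from the issuer's /.well-known/openid-configuration document before the authorization-code flow starts.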