Add support for login with kubelogin #188

Bart Jeukendrup requested to merge feat/188-login-with-kubelogin into master

This MR adds support for the kubelogin helper. The helper handles the OIDC flow through a local webserver and makes refreshing the OIDC token easier.

Change already rolled out to our existing clusters.

Setup

# Homebrew (macOS and Linux)
brew install int128/kubelogin/kubelogin

# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login

Then configure kubectl with:

curl --create-dirs -s https://ca.nlx.reviews/k8s-ca.crt -o ${HOME}/.kube/certs/dv-core-review/k8s-ca.crt

kubectl config set-cluster dv-core-review \
    --certificate-authority=${HOME}/.kube/certs/dv-core-review/k8s-ca.crt \
    --server=https://141.105.122.92

kubectl config set-credentials bart-dv-core-review \
    --exec-api-version=client.authentication.k8s.io/v1beta1 \
    --exec-command=kubectl \
    --exec-arg=oidc-login \
    --exec-arg=get-token \
    --exec-arg=--listen-address=localhost:18000 \
    --exec-arg=--oidc-issuer-url=https://dex.nlx.reviews \
    --exec-arg=--oidc-client-id=kubernetes \
    --exec-arg=--oidc-client-secret={secret} \
    --exec-arg=--oidc-extra-scope=openid \
    --exec-arg=--oidc-extra-scope=email \
    --exec-arg=--oidc-extra-scope=groups

kubectl config set-context bart-dv-core-review \
    --cluster=dv-core-review \
    --user=bart-dv-core-review

kubectl config use-context bart-dv-core-review
Edited by Bart Jeukendrup
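
`kubectl config set-credentials` stores every `--exec-arg` verbatim in the kubeconfig, so the file produced by the commands above holds the OIDC client secret in clear text. The following check is an added example, not part of this merge request; the function names, finding labels and the sample user entry are assumptions made for illustration.

```shell
# Added example, not from the MR. Function names and finding labels are assumptions.
audit_kubeconfig() {
    cfg=$1; findings=0
    finding() { echo "$1"; findings=$((findings + 1)); }
    [ -f "$cfg" ] || { echo "ERROR no such file: $cfg"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
        finding "LOOSE_PERMS: chmod 600 $cfg"
    fi
    # kubectl writes every --exec-arg verbatim into the user entry.
    if grep -Eq -e '--oidc-client-secret=.+' "$cfg"; then
        finding "CLEARTEXT_SECRET: OIDC client secret is readable in $cfg"
    fi
    # The listener that receives the OIDC redirect should stay on loopback.
    if grep -E -e '--listen-address=' "$cfg" |
        grep -Evq -e '--listen-address=(localhost|127\.0\.0\.1|\[::1\]):'; then
        finding "NON_LOOPBACK_LISTENER: bind kubelogin to localhost"
    fi
    if grep -Eq -e '--oidc-issuer-url=http://' "$cfg"; then
        finding "PLAINTEXT_ISSUER: issuer URL must be https"
    fi
    if grep -Eq 'insecure-skip-tls-verify:[[:space:]]*true' "$cfg"; then
        finding "TLS_VERIFY_DISABLED: use certificate-authority instead"
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was reported
}

# Constructed sample of the user entry the commands above produce (secret is a placeholder).
sample_kubeconfig() {
    cat <<'EOF'
users:
- name: bart-dv-core-review
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --listen-address=localhost:18000
      - --oidc-issuer-url=https://dex.nlx.reviews
      - --oidc-client-id=kubernetes
      - --oidc-client-secret=PLACEHOLDER
EOF
}

tmp=$(mktemp); sample_kubeconfig > "$tmp"; chmod 644 "$tmp"
audit_kubeconfig "$tmp" || true
rm -f "$tmp"
```

Run `audit_kubeconfig "$HOME/.kube/config"` after the setup to check the real file.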