kubeconfig-service

module

v0.0.0-...-1c44903 Latest Latest Go to latest Published: Jul 3, 2020 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyma-incubator/compass

Links

Open Source Insights

README ¶

OIDC Kubeconfig Service

Overview

The OIDC Kubeconfig Service is a single purpose REST-based API. It is designed to retrieve a kubeconfig file from an SKR cluster and change the default authentication mechanism (token) to kubelogin.

Prerequisites

To run locally, the OIDC Kubeconfig Service requires the following tools:

Go (version specified in the go.mod file)
Make
Docker

Configuration

The application uses the following environment variables for configuration:

Parameter	Required	Description	Default value
PORT_SERVICE	No	Port used by the application.	`8000`
PORT_HEALTH	No	Port used by the application for health check.	`9000`
GRAPHQL_URL	Yes	Full URL of the chosen GraphQL service.	`http://127.0.0.1:3000/graphql`
OIDC_KUBECONFIG_ISSUER_URL	Yes	Full URL of the chosen OIDC Issuer instance used for the `kubeconfig` generation.	None
OIDC_KUBECONFIG_CLIENT_ID	Yes	ClientID for the chosen OIDC Issuer used for the `kubeconfig` generation.	None
OIDC_KUBECONFIG_CLIENT_SECRET	Yes	Client Secret for the chosen OIDC Issuer used for the `kubeconfig` generation.	None
OIDC_ISSUER_URL	Yes	Full URL of the chosen OIDC Issuer instance.	None
OIDC_CLIENT_ID	Yes	ClientID for the chosen OIDC Issuer.	`""`
OIDC_CA	No	CA certificate file path.	None
OIDC_CLAIM_USERNAME	No	Identifier of the user in JWT claims.	`email`
OIDC_CLAIM_GROUPS	No	Identifier of groups in JWT claims.	`groups`
OIDC_USERNAME_PREFIX	No	If provided, all users are prefixed with this value to prevent conflicts with other authentication strategies.	None
OIDC_GROUPS_PREFIX	No	If provided, all groups are prefixed with this value to prevent conflicts with other authentication strategies.	None
OIDC_SUPPORTED_SIGNING_ALGS	No	List of supported signing algorithms.	`RS256`

Usage

You can run the OIDC Kubeconfig Service locally using either a Docker image or the binary.

Run locally using a Docker image

Use the provided makefile to build a local image:

make build-image

Set the required parameters and run the Docker image:

docker run --rm -e OIDC_KUBECONFIG_ISSUER_URL=https://foo -e OIDC_KUBECONFIG_CLIENT_ID=foobar -e OIDC_KUBECONFIG_CLIENT_SECRET=1234 -e OIDC_ISSUER_URL=https://dex.kyma.local -e OIDC_CLIENT_ID=compass-ui -e OIDC_CA=~/.minikube/ca.crt kubeconfig-service

Run locally using the binary

Set the required parameters and run the binary:

OIDC_KUBECONFIG_ISSUER_URL=https://foo OIDC_KUBECONFIG_CLIENT_ID=foobar OIDC_KUBECONFIG_CLIENT_SECRET=1234 OIDC_ISSUER_URL=https://dex.kyma.local OIDC_CLIENT_ID=compass-ui OIDC_CA=~/.minikube/ca.crt go run cmd/generator/main.go

Call the API

# Get a valid Token from your issuer
export TOKEN="Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
# Get valid IDs from Provisioner
export TENANT="3e64ebae-38b5-46a0-b1ed-9ccee153a0ae"
export RUNTIME="ec8b348f-d8c8-49cd-956d-a0c783bfe329"

# Call the service
curl -H "Authorization: ${TOKEN}" "http://127.0.0.1:8000/kubeconfig/${TENANT}/${RUNTIME}" > kubeconfig.yaml

# Use the new config file
KUBECONFIG=kubeconfig.yaml kubectl cluster-inf

Directories ¶

Path	Synopsis
cmd
generator
pkg
authn
caller
endpoints
env
reload
transformer

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL