add support for Azure oidc auth

Open clux opened this issue 4 years ago • 5 comments

~~Azure auth provider was working before we refactored it (as we fixed #238), but it was always shoehorned into the load_gcp fn at the time. Now it's done better, but~~ looks like people are having issues now: https://github.com/Dentrax/kubesql/issues/1 Edit: This probably never worked.

The source for the azure auth can be found in https://github.com/kubernetes/client-go/tree/master/plugin/pkg/client/auth/azure in client-go.

Support for this should probably exist elsewhere than in kube, like in tame-oauth (which we use for the gcp flow), which is open to supporting other flows.

~~We need a handler in token_from_provider. It's even possible that the token_from_gcp_provider one even works, but we had quite a bit of changes to simplify our oauth stuff by using tame_oauth, so not sure if that's true anymore.~~

~~Similar PR: https://github.com/clux/kube-rs/pull/419/files~~

clux, Apr 22 '21 09:04

> Azure auth provider was working before we refactored it

I don't think so? #238 fixed the panic when kubeconfig had Azure auth, but kube didn't have Azure auth provider support. There was no code to make requests to Azure.

I don't think we should implement OAuth for Azure in kube. We should use an optional dependency. I believe https://github.com/EmbarkStudios/tame-oauth is open to adding Azure support.

kazk, Apr 22 '21 19:04

Ah right! I thought we had unintentional support, but I guess not. Yeah, tame-oauth is probably the better place for it based on their description:

> The only auth flow that is currently implemented is the service account flow for GCP. Other flows can be added, but right now that is the only one we need.

I'll reword the issue.

clux, Apr 22 '21 19:04

Sorry for asking here, but do you have any updates on this one? I'd like to authenticate with Azure, but I have no leads currently.

bocc, Dec 16 '21 07:12

Similar to GCP OAuth, it's now deprecated:

	// deprecated in v1.22, remove in v1.25
	// this should be updated to use klog.Warningf in v1.24 to more actively warn consumers
	warnOnce.Do(func() {
		klog.V(1).Infof(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`)
	})

Replaced by Azure/kubelogin, which is an exec plugin, so that should be supported. Please open an issue if that doesn't work.

If you really need OAuth support, I'd recommend working with tame-oauth to add Azure support first.

kazk, Dec 16 '21 07:12

Thank you for pointing this out! kubelogin convert-kubeconfig did the trick.

bocc, Dec 16 '21 09:12
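
An added example, not code from this thread or from kube-rs: a small Python check that reads a kubeconfig exported as JSON (for instance with `kubectl config view --raw -o json`) and reports which users still rely on the deprecated `auth-provider` stanza discussed above and which already use an exec plugin such as kubelogin. The sample kubeconfig, the user names and the `audit_users` helper are constructed for illustration.

```python
import json

# Auth-provider plugins the thread describes as deprecated in client-go
# (azure: deprecated in v1.22, unavailable in v1.25+; gcp likewise deprecated).
DEPRECATED_PROVIDERS = {"azure", "gcp"}

# Constructed sample: one user on the old azure auth-provider, one converted
# to the kubelogin exec plugin, one using a static token.
SAMPLE = """
{"users": [
  {"name": "aks-legacy", "user": {"auth-provider": {"name": "azure",
      "config": {"environment": "AzurePublicCloud"}}}},
  {"name": "aks-converted", "user": {"exec": {
      "apiVersion": "client.authentication.k8s.io/v1beta1",
      "command": "kubelogin",
      "args": ["get-token", "--login", "azurecli",
               "--server-id", "SERVER-ID-PLACEHOLDER"]}}},
  {"name": "ci-bot", "user": {"token": "REDACTED-PLACEHOLDER"}}
]}
"""

def audit_users(kubeconfig: dict) -> dict:
    """Return {user name: finding} describing how each user authenticates."""
    findings = {}
    for entry in kubeconfig.get("users") or []:
        user = entry.get("user") or {}
        provider = (user.get("auth-provider") or {}).get("name")
        command = (user.get("exec") or {}).get("command")
        if provider in DEPRECATED_PROVIDERS:
            # Clients without this plugin (kube, client-go v1.25+) cannot use it.
            findings[entry["name"]] = f"deprecated auth-provider: {provider}"
        elif provider:
            findings[entry["name"]] = f"auth-provider: {provider}"
        elif command:
            # Exec plugins run a local binary; report it so it can be reviewed.
            findings[entry["name"]] = f"exec plugin: {command}"
        else:
            findings[entry["name"]] = "static credentials or none"
    return findings

def needs_conversion(kubeconfig: dict) -> list:
    """Names of users that still depend on a deprecated auth-provider."""
    return sorted(name for name, finding in audit_users(kubeconfig).items()
                  if finding.startswith("deprecated"))

if __name__ == "__main__":
    for name, finding in audit_users(json.loads(SAMPLE)).items():
        print(f"{name}: {finding}")
```
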