gini / dexter

dexter is a Kubernetes OIDC helper with as much automation as possible
https://blog.gini.net/frictionless-kubernetes-openid-connect-integration-f1c356140937
MIT License

Support multiple providers #30

Closed dkerwin closed 4 years ago

dkerwin commented 5 years ago

This PR reworks the way providers are created. It is now possible to add arbitrary providers with very little overhead. Azure needs verification - I cannot test that.

This PR affects

Closes https://github.com/gini/dexter/issues/23

dkerwin commented 5 years ago

Hey @cblims! Would it be possible for you to verify that the new azure provider works as expected? Your help would be highly appreciated.

cblims commented 5 years ago

Hi, just tested and it works. However "auto-configuration" mode does not. Normally I run dexter without any parameters to read the current configuration from ~/.kube/config. Is this one removed?

dkerwin commented 5 years ago

@cblims Thanks for giving it a try. It should work. Could you share the logs and maybe even an anonymized snippet from your kube config so I could verify locally?

cblims commented 5 years ago

Running dexter auth azure starts authentication, but seems like it doesn't pick up the tenant id from idp-issuer-url. Here is a .kube/config dump. UUIDs in client-id and idp-issuer-url are fake. The UUID in idp-issuer-url is a tenant id.

```yaml
# kubeconfig "users" entry for the kubectl OIDC auth-provider (UUIDs are fake)
- name: your.azure.registred.email.address@yourdomain.tld
  user:
    auth-provider:
      config:
        client-id: a1209219-e181-41f3-9671-17bac336b8ae
        client-secret: redacted
        id-token: redacted
        # the UUID path segment is the Azure AD tenant id
        idp-issuer-url: https://login.microsoftonline.com/096bd15c-4e79-47f8-b3d6-15519ec857c2/v2.0
      name: oidc
```

dkerwin commented 5 years ago

Hey @cblims.

azure issue should be fixed now. Would you mind giving it another spin?

cblims commented 5 years ago

In func AzureCommand, azureProvider.tenant is always common when running without --tenant. Auto pilot mode kicks in after microsoft.AzureADEndpoint is set. I can look into that sometime during this weekend.

Btw, before autopilot mode was initiated by only running dexter without any options. My initial thought introducing autopilot was to autodetect provider and its configuration based on kubectl context. Are you planning to remove this?

dkerwin commented 5 years ago

I really like the autopilot functionality. I think I will refactor it into a dedicated provider (something like `dexter auth auto`). Need to think about this a little more... Thanks

dkerwin commented 4 years ago

Autopilot is back to normal operation. OAuth2 endpoints for azure are constructed as expected. @cblims: You could still use it as before. You just have to use the new azure subcommand
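The bug cblims hit (the tenant always resolving to `common` unless `--tenant` was passed, even though `idp-issuer-url` in the kubeconfig carries the tenant id) and the fix dkerwin describes (OAuth2 endpoints constructed from that tenant) come down to one parsing step. The following is an added, self-contained Go example, not dexter's own code: `TenantFromIssuer`, `ResolveTenant` and `EndpointsFor` are hypothetical names, the issuer URL is the fake one from the thread, and the endpoint URLs are built by hand rather than via `golang.org/x/oauth2`'s `microsoft.AzureADEndpoint` so the example has no dependencies (the URL layout is assumed to match).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample input: the (fake) issuer URL from the kubeconfig in the thread.
const sampleIssuer = "https://login.microsoftonline.com/096bd15c-4e79-47f8-b3d6-15519ec857c2/v2.0"

// AzureEndpoints is the authorize/token URL pair for one tenant (same shape as
// oauth2.Endpoint, reproduced here to avoid the external dependency).
type AzureEndpoints struct {
	Tenant   string
	AuthURL  string
	TokenURL string
}

// TenantFromIssuer extracts the tenant from an Azure AD v2.0 issuer URL of the
// form https://login.microsoftonline.com/<tenant>/v2.0. Any other scheme, host
// or path shape is an error, so a misconfigured kubeconfig fails loudly instead
// of silently degrading to the multi-tenant "common" endpoint.
func TenantFromIssuer(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host != "login.microsoftonline.com" {
		return "", fmt.Errorf("not an Azure AD issuer: %q", issuer)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] != "v2.0" {
		return "", fmt.Errorf("unexpected issuer path %q, want /<tenant>/v2.0", u.Path)
	}
	return parts[0], nil
}

// ResolveTenant applies the precedence the thread converges on: an explicit
// --tenant flag wins, otherwise the tenant comes from idp-issuer-url, and only
// when neither is available does it fall back to "common".
func ResolveTenant(flagTenant, issuer string) (string, error) {
	if flagTenant != "" {
		return flagTenant, nil
	}
	if issuer == "" {
		return "common", nil
	}
	return TenantFromIssuer(issuer)
}

// EndpointsFor builds the tenant-specific v2.0 OAuth2 endpoints. Tokens issued
// by Azure AD carry the real tenant in their iss claim, so requesting them from
// the tenant-specific endpoints keeps the flow consistent with idp-issuer-url.
func EndpointsFor(tenant string) AzureEndpoints {
	base := "https://login.microsoftonline.com/" + tenant
	return AzureEndpoints{
		Tenant:   tenant,
		AuthURL:  base + "/oauth2/v2.0/authorize",
		TokenURL: base + "/oauth2/v2.0/token",
	}
}

func main() {
	// Autopilot-style run: no --tenant flag, tenant read from the kubeconfig issuer.
	tenant, err := ResolveTenant("", sampleIssuer)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ep := EndpointsFor(tenant)
	fmt.Println("tenant:   ", ep.Tenant)
	fmt.Println("authorize:", ep.AuthURL)
	fmt.Println("token:    ", ep.TokenURL)
}
```

The strict host and path check is the part worth keeping: an issuer URL in a kubeconfig is attacker-influenced if the kubeconfig was generated by someone else, so the helper refuses anything that is not the expected Azure AD layout rather than guessing.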