MFA Login with plugin without Browser

[dhorstmann]

Describe the question

When setting --username in kubeconfig, there is no Browser opening keycloak for asking username and password, just asking in terminale directly. Thats very nice. When the user has mfa configured in keycloak, he has to login with otp. But then the login with the username option in kubeconfig does not work anymore (error see next line). Is there an option, so that the otp will be asked on bash?
error: {"error":"invalid_grant","error_description":"Invalid user credentials"}

To reproduce

• first kubectl command of the day e.g. kubectl get pods
• kubeconfig has configured `--username´
• Browser is not opening, you just type password in bash console

Your environment

• OS: fedora 37
• kubelogin version: kubelogin version v1.27.0
• kubectl version: e.g. v1.27
• OpenID Connect provider: keycloak 21

[igurleen911]

@dhorstmann were you able to resolve this issue?

[dhorstmann]

@dhorstmann were you able to resolve this issue?

Nope.

[jsalatiel]

I have forked this and added support to asking for OTP.

Just add this to your .kube/config

users:
    - name: kubernetes-admin
      user:
        exec:
            apiVersion: client.authentication.k8s.io/v1beta1
            args:
                - oidc-login
                - get-token
                - --oidc-issuer-url=https://keycloak/auth/realms/master
                - --oidc-client-id=yourclientid
                - --grant-type=password
            command: kubectl
            env: null
            interactiveMode: IfAvailable
            provideClusterInfo: false

and you will get something like this:

Just clone from my fork and build it if you want.