k0sproject / k0s

k0s - The Zero Friction Kubernetes
https://docs.k0sproject.io

`k0s kubeconfig` should support OIDC #4481

Open jnummelin opened 5 months ago

jnummelin commented 5 months ago

Is your feature request related to a problem? Please describe.

When I configure OIDC for a cluster, I need to manually craft the user kubeconfigs.

Describe the solution you would like

It would be nice if the `k0s kubeconfig` command were able to detect the OIDC config and spit out a working kubeconfig for the user. For example, if I have in the cluster config:

```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
spec:
  api:
    extraArgs:
      oidc-issuer-url: <issuer-url>
      oidc-client-id: <client-id>
      oidc-username-claim: email # we use email token claim field as a username
```

k0s should detect that and generate the corresponding client config:

```yaml
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=ISSUER_URL
      - --oidc-client-id=YOUR_CLIENT_ID
      - --oidc-client-secret=YOUR_CLIENT_SECRET
```

We cannot support all OIDC login tools, of course, but kubelogin seems to be generic enough to work with most providers.

Describe alternatives you've considered

No response

Additional context

No response
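The mapping requested above, sketched as an added example (not k0s code and not part of the original issue): a hypothetical `oidcUserStanza` helper turns the API server's `extraArgs` into the kubelogin `exec` user entry. The client secret does not appear in the cluster config shown, so it is passed in separately and omitted when empty; the sample values in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// oidcUserStanza (hypothetical helper) builds the kubeconfig "users" entry from
// spec.api.extraArgs. The client secret is not in the cluster config, so the
// caller supplies it; pass "" to leave the flag out of the generated file.
func oidcUserStanza(extraArgs map[string]string, clientSecret string) (string, error) {
	issuer, clientID := extraArgs["oidc-issuer-url"], extraArgs["oidc-client-id"]
	if issuer == "" || clientID == "" {
		return "", fmt.Errorf("OIDC not configured: need oidc-issuer-url and oidc-client-id")
	}
	// kube-apiserver only accepts https issuer URLs, so reject anything else early.
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("invalid oidc-issuer-url %q: must be an https URL", issuer)
	}
	args := []string{
		"oidc-login", "get-token",
		"--oidc-issuer-url=" + issuer,
		"--oidc-client-id=" + clientID,
	}
	if clientSecret != "" {
		args = append(args, "--oidc-client-secret="+clientSecret)
	}
	var b strings.Builder
	b.WriteString("users:\n- name: oidc\n  user:\n    exec:\n")
	b.WriteString("      apiVersion: client.authentication.k8s.io/v1beta1\n      command: kubectl\n      args:\n")
	for _, a := range args {
		fmt.Fprintf(&b, "      - %q\n", a) // double-quoted so the value stays one literal YAML string
	}
	return b.String(), nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	out, err := oidcUserStanza(map[string]string{
		"oidc-issuer-url": "https://issuer.example.com",
		"oidc-client-id":  "k0s-cluster",
	}, "")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Leaving the secret out by default keeps a credential the server never held from being written into every generated kubeconfig.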

twz123 commented 5 months ago

I'm not in favor of adding support for third-party stuff that needs to be installed on the client side when generating stuff on the server side.