kube-hetzner / terraform-hcloud-kube-hetzner

Optimized and Maintenance-free Kubernetes on Hetzner Cloud in one command!
MIT License

Add support for structured authentication configuration. #1458

Closed patope closed 2 weeks ago

patope commented 3 months ago

Structured authentication configuration allows Kubernetes to support multiple identity providers. To use this feature you'll need Kubernetes version 1.30 at least.

Details: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration

Example of how to use a GitHub Actions pipeline token to access the cluster:

```yaml
name: 'test kubectl'
on:
  workflow_dispatch:
  workflow_call:
permissions:
  id-token: write
  contents: read

jobs:
  restart-services:
    name: 'Test kubectl'
    runs-on: ubuntu-latest
    environment: development
    steps:
    - name: Install OIDC Client from Core Package
      run: npm install @actions/core@1.10.1 @actions/http-client

    - name: Get Id Token
      uses: actions/github-script@v6
      id: idtoken
      with:
        script: |
            const coredemo = require('@actions/core')
            // On the automatically created `github.token` the "aud" claim is a string.
            // Kubernetes requires "aud" to be an array of strings instead.
            let id_token = await coredemo.getIDToken(['https://github.com/kube-hetzner'])
            coredemo.setOutput('id_token', id_token)

    - name: Install kubectl
      uses: azure/setup-kubectl@v4

    - run: |
        # Write the cluster CA (stored base64-encoded in a secret) to disk.
        mkdir -p "$HOME/.kube/"
        echo "$KUBE_CERTIFICATE" | base64 -d > "$HOME/.kube/certificate"
        # Build a kubeconfig that authenticates with the short-lived OIDC token.
        kubectl config set-cluster default --server="${KUBE_HOST}" --certificate-authority="$HOME/.kube/certificate" > /dev/null
        kubectl config set-credentials cluster-admin --token="${KUBE_TOKEN}"
        kubectl config set-context default --cluster=default --namespace=default --user=cluster-admin > /dev/null
        kubectl config use-context default > /dev/null
        kubectl get nodes
      env:
        KUBE_TOKEN: ${{ steps.idtoken.outputs.id_token }}
        KUBE_HOST: ${{ secrets.KUBE_HOST }}
        KUBE_CERTIFICATE: ${{ secrets.KUBE_CERTIFICATE }}
```
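The server-side counterpart to the workflow above, added here as an illustration and not part of this PR or the project's own code: an AuthenticationConfiguration that trusts the GitHub Actions OIDC issuer for the audience the workflow requests, maps the token's `sub` claim to a Kubernetes username, and only accepts tokens minted for one repository and environment. The repository name `EXAMPLE-OWNER/EXAMPLE-REPO`, the `development` environment, the `gha:` username prefix and the k3s wiring mentioned below are assumptions.

```yaml
# Added example (not the PR's code): structured authentication configuration
# for the GitHub Actions OIDC issuer. Field names follow the upstream
# Kubernetes 1.30 schema; repository, environment and prefix are placeholders.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
  - issuer:
      url: https://token.actions.githubusercontent.com
      # Must match the audience the workflow passes to getIDToken().
      audiences:
        - https://github.com/kube-hetzner
      audienceMatchPolicy: MatchAny
    claimMappings:
      username:
        # "sub" from GitHub looks like repo:OWNER/REPO:environment:development;
        # the prefix keeps it from colliding with other identity providers.
        expression: "'gha:' + claims.sub"
      groups:
        expression: "['github-actions']"
    claimValidationRules:
      # Reject tokens from any other repository, even with the right audience.
      - expression: "claims.repository == 'EXAMPLE-OWNER/EXAMPLE-REPO'"
        message: "token was not issued for the expected repository"
      # "environment" is only present when the job declares one, so guard with has().
      - expression: "has(claims.environment) && claims.environment == 'development'"
        message: "token was not issued from the development environment"
```

As the discussion below notes, this file has to exist on every control plane node and its path is handed to the API server; on k3s that would be an argument such as `--kube-apiserver-arg=authentication-config=/path/to/authn.yaml` (the path and wiring are an assumption here). The mapped username `gha:repo:...` has no permissions until an RBAC RoleBinding or ClusterRoleBinding grants them: the `cluster-admin` name in the workflow's `kubectl config set-credentials` is only a kubeconfig label and does not by itself confer cluster-admin rights.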
mysticaltech commented 2 months ago

@patope Very interesting 🙏

aleksasiriski commented 1 month ago

Could this be done outside of this project? To me it looks too specific to be included with the project.

patope commented 1 month ago

> Could this be done outside of this project? To me it looks too specific to be included with the project.

Specific? This is one of the most anticipated upcoming features in Kubernetes. https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/

This is really hard to do outside, because the configuration file needs to be copied to all control plane nodes and its location is passed as a command line argument to the server.

patope commented 1 month ago

If there were a way to deliver custom config files to control planes, and updates to k3s_exec_server_args did not require recreation of the cluster, then this could be implemented outside.

aleksasiriski commented 1 month ago

Oh, I completely misread the PR. My mistake, thought it was only for GH Actions and not the K8s feature itself. Will take a detailed look when I get some free time.

mysticaltech commented 2 weeks ago

It's a good one, important. Thanks folks 🚀