sky-uk / osprey

Kubernetes OIDC CLI login
BSD 3-Clause "New" or "Revised" License

Fetch API server URL from GKE OIDC ClientConfig #73

Closed howardburgess closed 2 years ago

howardburgess commented 2 years ago

This allows the osprey client to fetch the API server URL from the kube-public/ClientConfig resource. This is created when the OIDC Identity Service is enabled in GKE. This is an Envoy proxy that passes requests through the OIDC service. The API server CA cert is also fetched from the ClientConfig resource.

It seems like a chicken-and-egg situation that the API server URL is retrieved from the API server, but typically the public URL would be used in order to fetch the internal OIDC proxy URL.

Osprey client config

Note: when use-gke-clientconfig: true is specified, api-server is also required, to know from where to retrieve the ClientConfig.

providers:
  azure:
  ...
    targets:
      sandbox2.gcp:
        api-server: https://34.79.49.27
        use-gke-clientconfig: true
        aliases: [gcp-sandbox2-europe-west1]
        groups: [sandbox,sandbox-gcp]

The ClientConfig resource

❯ kubectl -n kube-public get clientconfig default -o json | jq -r '.spec | .server, .certificateAuthorityData'
https://10.118.238.235:443

Anonymous access to ClientConfig

RBAC access needs to be granted for system:anonymous users to fetch the ClientConfig from kube-public for this to work without authentication. The API server must allow anonymous access, which is the default for GKE.

❯ curl -ksS https://34.79.49.27/apis/authentication.gke.io/v2alpha1/namespaces/kube-public/clientconfigs/default | jq -r '.spec | .server, .certificateAuthorityData'
https://10.118.238.235:443