From 6192c17699a8ca4e271f965682063e230d853b37 Mon Sep 17 00:00:00 2001
From: Stavros Moiras <stavros.moiras@cern.ch>
Date: Mon, 11 Jan 2021 18:47:33 +0100
Subject: [PATCH 1/2] OIDC support for python-magnumclient
---
 magnumclient/common/utils.py | 56 ++++++++++++++++++++++++++++++---
 magnumclient/osc/v1/clusters.py | 16 +++++++++-
 2 files changed, 67 insertions(+), 5 deletions(-)
diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py
index 3af5b67..2481e8d 100644
--- a/magnumclient/common/utils.py
+++ b/magnumclient/common/utils.py
@@ -160,11 +160,11 @@ def handle_json_from_file(json_arg):
 def config_cluster(cluster, cluster_template, cfg_dir, force=False,
- certs=None, use_keystone=False):
+ certs=None, use_keystone=False, use_oidc=False, oidc_browser=False):
 """Return and write configuration for the given cluster."""
 if cluster_template.coe == 'kubernetes':
 return _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
- force, certs, use_keystone)
+ force, certs, use_keystone, use_oidc, oidc_browser)
 elif (cluster_template.coe == 'swarm' or cluster_template.coe == 'swarm-mode'):
 return _config_cluster_swarm(cluster, cluster_template, cfg_dir,
@@ -172,7 +172,7 @@ def config_cluster(cluster, cluster_template, cfg_dir, force=False,
 def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
- force=False, certs=None, use_keystone=False):
+ force=False, certs=None, use_keystone=False, use_oidc=False, oidc_browser=False):
 """Return and write configuration for the given kubernetes cluster."""
 cfg_file = "%s/config" % cfg_dir
 if cluster_template.tls_disabled or certs is None:
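Review bot: The docstring of `config_cluster` is not updated for the two new keyword arguments, and nothing states what happens when both `use_keystone` and `use_oidc` are passed (the body added later in this patch checks `use_oidc` first and only falls through to the Keystone branch otherwise); the same applies to `_config_cluster_kubernetes` in the next hunk, whose body continues outside it. A short docstring addition such as `use_oidc takes precedence over use_keystone; oidc_browser only has an effect when use_oidc is set.` would make that contract visible to callers. At the original alignment the new `_config_cluster_kubernetes` continuation line is well over 79 columns, which the project's pep8 job will presumably reject (E501); wrapping it as `force=False, certs=None, use_keystone=False,` / `use_oidc=False, oidc_browser=False):` avoids that.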
@@ -193,7 +193,55 @@ def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
 "- name: %(name)s'\n"
 % {'name': cluster.name, 'api_address': cluster.api_address})
 else:
- if not use_keystone:
+ if use_oidc:
+
+ # If cluster has the 'oidc_client_id' set then there is a custom client id
+ clientid = cluster.labels.get('oidc_client_id')
+
+ if not clientid:
+ # If not, then everything is managed by magnum, thus we add "oidc" and the cluster uuid (convention)
+ clientid = "openstack-magnum-" + cluster.uuid
+
+ if oidc_browser:
+ # Browser will pop up automatically during authentication
+ granttype = "auto"
+ else:
+ # Users will have to follow a link and paste a token from their local browser
+ granttype = "authcode-keyboard"
+
+ cfg = ("apiVersion: v1\n"
+ "clusters:\n"
+ "- cluster:\n"
+ " certificate-authority-data: %(ca)s\n"
+ " server: %(api_address)s\n"
+ " name: %(name)s\n"
+ "contexts:\n"
+ "- context:\n"
+ " cluster: %(name)s\n"
+ " user: admin\n"
+ " name: default\n"
+ "current-context: default\n"
+ "kind: Config\n"
+ "preferences: {}\n"
+ "users:\n"
+ "- name: admin\n"
+ " user:\n"
+ " exec:\n"
+ " apiVersion: client.authentication.k8s.io/v1beta1\n"
+ " args:\n"
+ " - get-token\n"
+ " - --oidc-issuer-url=https://auth.cern.ch/auth/realms/cern\n"
+ " - --oidc-client-id=%(client)s\n"
+ " - --oidc-extra-scope=offline_access\n"
+ " - --grant-type=%(granttype)s\n"
+ " command: kubectl-oidc_login\n"
+ " env: null\n"
+ % {'name': cluster.name,
+ 'client' : clientid,
+ 'granttype' : granttype,
+ 'api_address': cluster.api_address,
+ 'ca': base64.encode_as_text(certs['ca'])})
+ elif not use_keystone:
 cfg = ("apiVersion: v1\n"
 "clusters:\n"
 "- cluster:\n"
diff --git a/magnumclient/osc/v1/clusters.py b/magnumclient/osc/v1/clusters.py
index ad05b60..f7398d9 100644
--- a/magnumclient/osc/v1/clusters.py
+++ b/magnumclient/osc/v1/clusters.py
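Review bot: The issuer `https://auth.cern.ch/auth/realms/cern` is hard-coded into every generated kubeconfig, so this client shipped to any other deployment would send users to a foreign identity provider, and the trust anchor deciding who can obtain cluster credentials lives in client code instead of being set by the operator. Since the client id is already read from `cluster.labels` with a convention-based fallback, the issuer should be resolved the same way, e.g. `issuer = cluster.labels.get('oidc_issuer_url')` with the deployment's value as fallback and `'issuer': issuer` added to the `%` map; the label name here is only an example. `cluster.labels.get(...)` presumably assumes `labels` is always a dict, which is worth confirming for clusters created without any labels. `--oidc-extra-scope=offline_access` requests a refresh token that the exec plugin presumably caches on the user's machine between kubectl runs, so a one-line comment stating that this long-lived credential is intentional (and that access is withdrawn by revoking the offline session at the provider) would help the next reader. Minor style: `'client' : clientid` and `'granttype' : granttype` carry a space before the colon (E203).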
@@ -411,6 +411,18 @@ class ConfigCluster(command.Command):
 dest='use_keystone',
 default=False,
 help=_('Use Keystone token in config files.'))
+ parser.add_argument(
+ '--use-oidc',
+ action='store_true',
+ dest='use_oidc',
+ default=False,
+ help=_('Use oidc cluster config.'))
+ parser.add_argument(
+ '--oidc-browser',
+ action='store_true',
+ dest='oidc_browser',
+ default=False,
+ help=_('Changes the default oidc authentication method from keyboard to browser'))
 return parser
@@ -460,7 +472,9 @@ class ConfigCluster(command.Command):
 print(magnum_utils.config_cluster(
 cluster, cluster_template, parsed_args.dir,
 force=parsed_args.force, certs=tls,
- use_keystone=parsed_args.use_keystone))
+ use_keystone=parsed_args.use_keystone,
+ use_oidc=parsed_args.use_oidc,
+ oidc_browser=parsed_args.oidc_browser))
 class ResizeCluster(command.Command):
-- GitLab
From 2419e20e2efacc6fc8cc4afe9fea4ab29b21de90 Mon Sep 17 00:00:00 2001
From: Stavros Moiras <stavros.moiras@cern.ch>
Date: Tue, 18 May 2021 09:54:21 +0000
Subject: [PATCH 2/2] Changed misleading user "admin" to "oidc-user"
---
 magnumclient/common/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py
index 2481e8d..3c37452 100644
--- a/magnumclient/common/utils.py
+++ b/magnumclient/common/utils.py
@@ -218,13 +218,13 @@ def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
 "contexts:\n"
 "- context:\n"
 " cluster: %(name)s\n"
- " user: admin\n"
+ " user: oidc-user\n"
 " name: default\n"
 "current-context: default\n"
 "kind: Config\n"
 "preferences: {}\n"
 "users:\n"
- "- name: admin\n"
+ "- name: oidc-user\n"
 " user:\n"
 " exec:\n"
 " apiVersion: client.authentication.k8s.io/v1beta1\n"
-- GitLab
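Review bot: `--use-oidc` and `--use-keystone` are not declared mutually exclusive, so passing both flags is accepted and one of them is silently ignored by the precedence in `config_cluster`. Registering them on `group = parser.add_mutually_exclusive_group()` via `group.add_argument(...)` rejects the combination at parse time with a clear error instead. `--oidc-browser` has no effect unless `--use-oidc` is given; its help string should say so, e.g. `help=_('Use the browser-based OIDC grant instead of the keyboard flow (requires --use-oidc).')`, and both new help strings should end with a period and spell `OIDC` in capitals like the existing `Keystone` text. The earlier lines of the `--use-keystone` argument and the rest of `get_parser` are outside this hunk.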