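// setupOIDCAuth fills in the credential fields of config from, in order of
// precedence:
//
//  1. the KUBE_TOKEN environment variable,
//  2. the "oidc" auth provider of the kubeconfig's current context
//     (a stored id-token, otherwise a refresh-token based provider config),
//  3. the user's static token,
//  4. the user's token file.
//
// It returns an error when the current context or its user entry is missing,
// when the auth provider is not "oidc", when the token file cannot be read or
// is empty, or when none of the sources yields a credential.
func (f *KubeClientFactory) setupOIDCAuth(config *rest.Config, kubeconfig *clientcmdapi.Config) error {
	if config == nil {
		return fmt.Errorf("rest config is nil")
	}

	// KUBE_TOKEN overrides every credential in the kubeconfig, regardless of
	// which cluster config points at. Anything that can set this process's
	// environment therefore chooses the identity used, and the token is sent
	// to whatever host the config names.
	if token := os.Getenv("KUBE_TOKEN"); token != "" {
		config.BearerToken = token
		return nil
	}

	if kubeconfig == nil {
		return fmt.Errorf("kubeconfig is nil")
	}

	// Resolve the user entry referenced by the current context.
	currentContext := kubeconfig.CurrentContext
	ctxEntry := kubeconfig.Contexts[currentContext]
	if ctxEntry == nil {
		return fmt.Errorf("current context not found: %s", currentContext)
	}
	authInfo := kubeconfig.AuthInfos[ctxEntry.AuthInfo]
	if authInfo == nil {
		return fmt.Errorf("auth info not found for user: %s", ctxEntry.AuthInfo)
	}

	if provider := authInfo.AuthProvider; provider != nil {
		if provider.Name != "oidc" {
			return fmt.Errorf("unsupported auth provider: %s", provider.Name)
		}
		if provider.Config == nil {
			return fmt.Errorf("oidc auth provider config is nil")
		}

		// A stored id-token is used as a plain bearer token.
		// NOTE(review): nothing here checks the token's expiry, so a stale
		// id-token is preferred over a usable refresh-token; confirm that
		// this ordering is intended.
		if idToken := provider.Config["id-token"]; idToken != "" {
			config.BearerToken = idToken
			return nil
		}

		if refreshToken := provider.Config["refresh-token"]; refreshToken != "" {
			clientID := provider.Config["client-id"]
			issuerURL := provider.Config["idp-issuer-url"]
			// Empty values are treated like missing ones so that a
			// half-filled provider entry falls through to the static
			// token sources instead of producing an unusable config.
			if clientID != "" && issuerURL != "" {
				// The refresh token goes under "refresh-token". Placing
				// it under "id-token" would present a long-lived refresh
				// credential to the API server as if it were an ID token.
				oidcConfig := map[string]string{
					"client-id":      clientID,
					"idp-issuer-url": issuerURL,
					"refresh-token":  refreshToken,
				}
				// Carry over the optional settings the refresh exchange
				// may need (client secret, issuer CA).
				for _, key := range []string{
					"client-secret",
					"idp-certificate-authority",
					"idp-certificate-authority-data",
				} {
					if value := provider.Config[key]; value != "" {
						oidcConfig[key] = value
					}
				}
				// NOTE(review): presumably the client-go oidc auth plugin
				// is registered elsewhere in the program; verify.
				config.AuthProvider = &clientcmdapi.AuthProviderConfig{
					Name:   "oidc",
					Config: oidcConfig,
				}
				return nil
			}
		}
	}

	// Fall back to a static token, then to a token file.
	if authInfo.Token != "" {
		config.BearerToken = authInfo.Token
		return nil
	}
	if authInfo.TokenFile != "" {
		tokenBytes, err := os.ReadFile(authInfo.TokenFile)
		if err != nil {
			return fmt.Errorf("failed to read token file: %w", err)
		}
		// Token files commonly end in a newline; left in place it would
		// end up inside the Authorization header value.
		isSpace := func(b byte) bool {
			return b == ' ' || b == '\t' || b == '\r' || b == '\n'
		}
		start, end := 0, len(tokenBytes)
		for start < end && isSpace(tokenBytes[start]) {
			start++
		}
		for end > start && isSpace(tokenBytes[end-1]) {
			end--
		}
		if start == end {
			// An empty file must not be accepted as a credential: the
			// caller would otherwise proceed with no bearer token set.
			return fmt.Errorf("token file is empty: %s", authInfo.TokenFile)
		}
		config.BearerToken = string(tokenBytes[start:end])
		return nil
	}

	return fmt.Errorf("no valid authentication method found")
}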