The ability to authenticate against a cloud with WebSSO seems to be a missing feature in juju. We have a k8s cloud with Keystone for account mgmt with SAML for WebSSO. We can authenticate to the k8s api server using kubectl and the client-go credential plugins.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
This feature uses the Keystone app credentials to retrieve a limited-lifetime token for use with the K8s api server. It relies on an external app that uses the keystone app credentials to retrieve the token and present it to kubectl. This is necessary since our Keystone doesn't store user credentials. It only issues app credentials. Furthermore, k8s doesn't work with the application credentials directly, rather it validates a token issued by keystone (and derived from the app creds).
For juju:
$ juju --version
3.0.3-genericlinux-amd64
Kubectl against our cluster works just fine:
$ kubectl get pods
NAME                           READY   STATUS    RESTARTS   AGE
hello-world-699cdf74dc-fnjzk   1/1     Running   0          17d
...
The kubectl config directs kubectl to get its token via an external app. From the user section of the kube config:
users:
- name: username
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args: null
      command: ./app_cred_auth.sh
      env: null
      interactiveMode: Never
      provideClusterInfo: false
The app_cred_auth.sh script uses the Keystone app credentials to retrieve a token:
curl -s -i -H "Content-Type: application/json" -d "${data}" "${OS_AUTH_URL}/auth/tokens"
The token is then presented to the k8s api server to interact with k8s.
Juju needs to do something similar to get a token by way of the app credentials, rather than trying to use the app credentials directly.
My app credentials are loaded in my environment.
$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_INTERFACE=public
OS_AUTH_URL=https://keystone:5000/v3
OS_APPLICATION_CREDENTIAL_SECRET=<secret>
OS_APPLICATION_CREDENTIAL_ID=<id>
OS_AUTH_TYPE=v3applicationcredential
OS_IDENTITY_API_VERSION=3
When juju attempts to detect and load these credentials it complains that it can't understand the user stanza in the kubectl config file:
$ juju autoload-credentials
This operation can be applied to both a copy on this client and to the one on a controller.
No current controller was detected and there are no registered controllers on this client: either bootstrap one or register one.
Looking for cloud and credential information on local client...
ERROR could not detect credentials for provider "kubernetes": failed to read credentials from kubernetes config: configuration for "username" not supported
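As an added example (mine, not the reporter's app_cred_auth.sh and not juju code), here is a minimal POSIX sh exec credential plugin that does the exchange described in the report: build the Keystone v3 "application_credential" auth request from the OS_APPLICATION_CREDENTIAL_* variables, POST it to ${OS_AUTH_URL}/auth/tokens, read the issued token from the X-Subject-Token response header and the expiry from the body, and print the ExecCredential document that kubectl expects from a client.authentication.k8s.io/v1 plugin. The request body shape, the X-Subject-Token header and the ExecCredential format are the documented Keystone and Kubernetes interfaces; the function names, the RUN_PLUGIN guard and the sample response are assumptions constructed for this example so the parsing can be exercised offline.

```sh
#!/bin/sh
# Added example: exec credential plugin exchanging Keystone application
# credentials for a scoped token. Not the reporter's app_cred_auth.sh.

# Escape a string for embedding in a JSON string literal (backslash, quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Keystone v3 auth request using the application_credential method.
# Only the app credential id and secret are sent; no user password exists.
keystone_appcred_body() {
  printf '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"%s","secret":"%s"}}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Keystone returns the token in the X-Subject-Token header, not the body,
# which is why the request must be made with `curl -i`. CRs are stripped
# so CRLF header lines parse the same as LF ones.
token_from_response() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken: *//p' | head -n 1
}

# The expiry lives in the JSON body as "expires_at"; kubectl uses it to
# decide when to re-run the plugin instead of reusing a cached token.
expiry_from_response() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/.*"expires_at": *"\([^"]*\)".*/\1/p' | head -n 1
}

# ExecCredential document printed to stdout for kubectl (client-go plugin API).
exec_credential() {
  printf '{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","status":{"token":"%s","expirationTimestamp":"%s"}}\n' \
    "$1" "$2"
}

# Constructed sample of what `curl -s -i` returns from POST /auth/tokens
# (assumption; a real response carries a much longer Fernet token).
SAMPLE_RESPONSE='HTTP/1.1 201 CREATED
Content-Type: application/json
X-Subject-Token: gAAAAABexampletoken
Vary: X-Auth-Token

{"token": {"methods": ["application_credential"], "expires_at": "2024-01-01T12:00:00.000000Z", "application_credential": {"id": "abc", "name": "k8s"}}}'

# Full flow as kubectl would run it. Fails closed: no token header means
# no ExecCredential is printed and a non-zero exit is returned.
main() {
  : "${OS_APPLICATION_CREDENTIAL_ID:?}" "${OS_APPLICATION_CREDENTIAL_SECRET:?}" "${OS_AUTH_URL:?}"
  body=$(keystone_appcred_body "$OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_SECRET")
  resp=$(curl -sS -i -H "Content-Type: application/json" -d "$body" "${OS_AUTH_URL}/auth/tokens")
  tok=$(token_from_response "$resp")
  if [ -z "$tok" ]; then
    echo "keystone did not return an X-Subject-Token header" >&2
    return 1
  fi
  exec_credential "$tok" "$(expiry_from_response "$resp")"
}

# Assumed convention: set RUN_PLUGIN=1 in the exec stanza's `env:` list so the
# network call only happens when kubectl invokes the script.
if [ "${RUN_PLUGIN:-}" = 1 ]; then
  main
fi
```

The point this makes for the bug report: the credentials juju finds in the environment (OS_APPLICATION_CREDENTIAL_ID/SECRET) are never valid against the k8s api server on their own; something has to perform the /auth/tokens exchange and hand the resulting token over, which is exactly what the exec stanza delegates to the script and what juju would need to do itself (or learn to run the configured exec plugin) instead of rejecting the user entry.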