Comment 9 for bug 1834433

John-Paul Robinson (uabjpr) wrote :

The ability to authenticate against a cloud with WebSSO seems to be a missing feature in juju. We have a k8s cloud with Keystone for account mgmt with SAML for WebSSO. We can authenticate to the k8s api server using kubectl and the client-go credential plugins.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

This feature uses the Keystone app credentials to retrieve a limited-lifetime token for use with the K8s api server. It relies on an external app that uses the keystone app credentials to retrieve the token and present it to kubectl. This is necessary since our Keystone doesn't store user credentials. It only issues app credentials. Furthermore, k8s doesn't work with the application credentials directly, rather it validates a token issued by keystone (and derived from the app creds).

For juju:

$ juju --version
3.0.3-genericlinux-amd64

Kubectl against our cluster works just fine:

$ kubectl get pods
NAME READY STATUS RESTARTS AGE
hello-world-699cdf74dc-fnjzk 1/1 Running 0 17d
...

The kubectl config directs kubectl to get its token via an external app. From the user section of the kube config:

users:
- name: username
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args: null
      command: ./app_cred_auth.sh
      env: null
      interactiveMode: Never
      provideClusterInfo: false

The app_cred_auth.sh script uses the Keystone app credentials to retrieve a token:

curl -s -i -H "Content-Type: application/json" -d "${data}" "${OS_AUTH_URL}/auth/tokens"

The token is then presented to the k8s api server to interact with k8s.

Juju needs to do something similar to get a token by way of the app credentials, rather than trying to use the app credentials directly.

My app credentials are loaded in my environment.

$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_INTERFACE=public
OS_AUTH_URL=https://keystone:5000/v3
OS_APPLICATION_CREDENTIAL_SECRET=<secret>
OS_APPLICATION_CREDENTIAL_ID=<id>
OS_AUTH_TYPE=v3applicationcredential
OS_IDENTITY_API_VERSION=3

When juju attempts to detect and load these credentials it complains that it can't understand the user stanza in the kubectl config file:

$ juju autoload-credentials
This operation can be applied to both a copy on this client and to the one on a controller.
No current controller was detected and there are no registered controllers on this client: either bootstrap one or register one.

Looking for cloud and credential information on local client...
ERROR could not detect credentials for provider "kubernetes": failed to read credentials from kubernetes config: configuration for "username" not supported
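The exec-plugin flow the reporter describes (Keystone application credentials in, short-lived token out, secret never handed to kubectl or the api server), written out as an added example. This is not the reporter's app_cred_auth.sh and not juju code; it assumes the same OS_AUTH_URL / OS_APPLICATION_CREDENTIAL_ID / OS_APPLICATION_CREDENTIAL_SECRET variables shown above, the Keystone v3 `application_credential` auth method, and the `client.authentication.k8s.io/v1` ExecCredential format that the kubeconfig stanza above selects. The helper names are hypothetical.

```bash
#!/bin/sh
# Hypothetical client-go exec credential plugin for Keystone application credentials.
# Added example, not the reporter's script. Keystone answers POST /auth/tokens with
# the token in the X-Subject-Token header and the expiry in the JSON body.
set -eu

# Build the Keystone v3 auth request body for the "application_credential" method.
# $1 = credential id, $2 = credential secret. Assumes neither contains JSON-special
# characters (quotes or backslashes); a real plugin would escape them.
build_auth_body() {
  printf '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"%s","secret":"%s"}}}}' "$1" "$2"
}

# Extract the token from a raw `curl -i` response: it lives in the X-Subject-Token
# header, not in the body. $1 = full response text (headers + body).
extract_subject_token() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="x-subject-token:" {print $2; exit}'
}

# Extract token.expires_at from the JSON body so kubectl knows when to re-run us.
# Plain sed, no jq dependency. $1 = full response text.
extract_expiry() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/.*"expires_at": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Emit the ExecCredential document kubectl reads from the plugin's stdout.
# $1 = bearer token, $2 = RFC 3339 expiry timestamp.
format_exec_credential() {
  printf '{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","status":{"token":"%s","expirationTimestamp":"%s"}}\n' "$1" "$2"
}

main() {
  body=$(build_auth_body "$OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_SECRET")
  # -i keeps the headers so the subject token can be read; -sS stays quiet but reports errors.
  response=$(curl -sS -i -H "Content-Type: application/json" -d "$body" "${OS_AUTH_URL}/auth/tokens")
  token=$(extract_subject_token "$response")
  if [ -z "$token" ]; then
    echo "app_cred_auth: no X-Subject-Token in Keystone response" >&2
    exit 1
  fi
  # Only the derived, limited-lifetime token leaves this process; the secret does not.
  format_exec_credential "$token" "$(extract_expiry "$response")"
}

# Talk to Keystone only when an auth URL is configured, so the helpers above can be
# sourced and exercised offline without a live Keystone.
if [ -n "${OS_AUTH_URL:-}" ]; then
  main
fi
```

Pointed at by the `exec:` stanza in the kubeconfig, kubectl runs this on every request until `expirationTimestamp` passes, then runs it again; the application credential itself never appears in the kubeconfig or in the api server's request, which is the property the reporter wants juju to preserve.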