A Kubernetes credential (exec) plugin implementing openshift authentication

SRGSSR/openshift-login

OpenShift Login

openshift-login is a CLI tool designed to simplify authentication with OpenShift clusters. It integrates seamlessly with Kubernetes' kubeconfig to provide a streamlined login experience.

Features

  • Supports multiple OpenShift clusters.
  • Provides an interactive login experience.

Installation

Download the Binary

You can download the latest release of openshift-login from the GitHub Releases page.

For example, to download version v0.0.8 for Linux (amd64):

curl -L -o openshift-login https://github.com/SRGSSR/openshift-login/releases/download/v0.0.8/openshift-login-linux-amd64
chmod +x openshift-login
sudo mv openshift-login /usr/local/bin/

Verify Installation

Run the following command to verify the installation:

openshift-login

It should output "KUBERNETES_EXEC_INFO is not set", because the plugin is meant to be executed by kubectl rather than run directly.

Configuring kubeconfig

To use openshift-login with your Kubernetes configuration, you need to add the appropriate cluster, context, and user entries to your kubeconfig.yaml file.

Here is an example configuration:

apiVersion: v1
clusters:
- cluster:
    server: https://api.example-cluster.openshiftapps.com:443
  name: example-cluster
contexts:
- context:
    cluster: example-cluster
    namespace: example-namespace
    user: openshift-login
  name: example-cluster
current-context: example-cluster
kind: Config
users:
- name: openshift-login
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args: null
      command: openshift-login
      env:
      - name: OPENSHIFT_LOGIN_LOGLEVEL
        value: warn
      interactiveMode: Always
      provideClusterInfo: true

Steps to Configure

  1. Replace example-cluster and example-namespace with your cluster name and namespace.
  2. Ensure the oauth_address and server fields match your OpenShift cluster's API and OAuth endpoints.
  3. Save the configuration to your ~/.kube/config file or another file specified by the KUBECONFIG environment variable.

Usage

Once configured, you can authenticate with your OpenShift cluster by running:

kubectl get pods

The openshift-login tool will handle the authentication process automatically.

How It Works

The openshift-login tool simplifies authentication with OpenShift clusters. For every request kubectl executes, it calls openshift-login, which performs the following steps:

  1. Setting Log Level:
    • Configures logging based on the OPENSHIFT_LOGIN_LOGLEVEL environment variable.

  2. Using Kubernetes Exec Info:
    • Reads cluster context from the KUBERNETES_EXEC_INFO environment variable given by kubectl.

  3. Caching Credentials:
    • Checks for valid cached credentials to avoid redundant logins.

  4. Performing OAuth2 Authentication:
    • Uses OpenID Connect (OIDC) to fetch authentication and token endpoints from OpenShift API Server.
    • Opens a browser for user login and retrieves an access token from OpenShift OAuth Server.

  5. Returning Credentials:
    • Outputs the access token and expiration time in Kubernetes' ExecCredential format.
    • Caches the credentials for future use.

This ensures secure and efficient authentication while integrating seamlessly with Kubernetes.
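The exec-plugin exchange described above, as an added Python example that is not taken from the openshift-login source: it parses the KUBERNETES_EXEC_INFO object kubectl passes in, checks a cached credential's expiry, and builds the ExecCredential reply. The function names, the 30-second expiry margin and the placeholder token are assumptions.

```python
import json
import os
import sys
from datetime import datetime, timedelta, timezone

API_VERSION = "client.authentication.k8s.io/v1"
EXPIRY_MARGIN = timedelta(seconds=30)  # assumption: treat near-expiry tokens as expired


def cluster_server(exec_info):
    """Return the API server URL from the KUBERNETES_EXEC_INFO JSON kubectl passes in."""
    if not exec_info:
        raise ValueError("KUBERNETES_EXEC_INFO is not set")
    info = json.loads(exec_info)  # JSONDecodeError is a ValueError subclass
    server = ((info.get("spec") or {}).get("cluster") or {}).get("server")
    if info.get("apiVersion") != API_VERSION or not server:
        raise ValueError("no cluster info; is provideClusterInfo set to true?")
    return server


def cache_valid(cached, now):
    """True if a cached status dict holds a token that is not about to expire."""
    if not cached or not cached.get("token"):
        return False
    expires = datetime.fromisoformat(cached["expirationTimestamp"].replace("Z", "+00:00"))
    return now + EXPIRY_MARGIN < expires


def exec_credential(token, expires):
    """Build the ExecCredential object kubectl reads from the plugin's stdout."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {"token": token, "expirationTimestamp": stamp},
    }


if __name__ == "__main__":
    try:
        server = cluster_server(os.environ.get("KUBERNETES_EXEC_INFO"))
    except ValueError as err:
        sys.exit(str(err))  # message goes to stderr, exit status 1
    print("cluster:", server, file=sys.stderr)  # stdout is reserved for the credential
    expires = datetime.now(timezone.utc) + timedelta(hours=1)
    print(json.dumps(exec_credential("EXAMPLE-TOKEN", expires)))  # constructed placeholder
```

Only the ExecCredential JSON goes to stdout, since kubectl parses that stream; diagnostics go to stderr so the token never ends up mixed into log output.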

Contributing

Contributions are welcome! Please open an issue or submit a pull request on the GitHub repository.

License

This project is licensed under the MIT License. See the LICENSE file for details.
