Support authentication with certificate in exec-credentials #5608

Closed
qingboooo opened this issue Nov 24, 2023 · 1 comment · Fixed by #5612

@qingboooo
Contributor

Is your task related to a problem? Please describe

In class io.fabric8.kubernetes.client.Config, only authentication with a token is supported; authentication with a certificate is unsupported and marked as TODO.

Because no token is generated by ExecConfig and certificates are not supported yet, all requests are treated as anonymous requests.

WARN No token returned

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://[server]:6443/api/v1/namespaces/sandbox/secrets. Message: secrets is forbidden: User "system:anonymous" cannot list resource "secrets" in API group "" in the namespace "sandbox". Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=secrets, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=secrets is forbidden: User "system:anonymous" cannot list resource "secrets" in API group "" in the namespace "sandbox", metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).

Describe the solution you'd like

Implement the TODO item: add support for authenticating with a certificate.

Describe alternatives you've considered

No response

Additional context

Fabric8 Kubernetes Client version: 6.8.1

qingboooo added a commit to qingboooo/kubernetes-client that referenced this issue Nov 24, 2023
qingboooo added a commit to qingboooo/kubernetes-client that referenced this issue Nov 27, 2023
@rohanKanojia rohanKanojia changed the title TODO support authentication with certificate Support authentication with certificate in exec-credentials Nov 27, 2023
qingboooo added a commit to qingboooo/kubernetes-client that referenced this issue Nov 27, 2023
@manusa
Member

manusa commented Nov 29, 2023

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#input-and-output-formats

To use bearer token credentials, the plugin returns a token in the status of the ExecCredential

{
  "apiVersion": "client.authentication.k8s.io/v1",
  "kind": "ExecCredential",
  "status": {
    "token": "my-bearer-token"
  }
}

Alternatively, a PEM-encoded client certificate and key can be returned to use TLS client auth. If the plugin returns a different certificate and key on a subsequent call, k8s.io/client-go will close existing connections with the server to force a new TLS handshake.

If specified, clientKeyData and clientCertificateData must both be present.

{
  "apiVersion": "client.authentication.k8s.io/v1",
  "kind": "ExecCredential",
  "status": {
    "clientCertificateData": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    "clientKeyData": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
  }
}

@manusa manusa added this to the 6.10.0 milestone Nov 29, 2023
manusa pushed a commit that referenced this issue Nov 29, 2023
…#5612)

* fix #5608 support authentication with certificate

* fix #5608 support authentication with certificate

* review
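
The two ExecCredential output shapes quoted in the comment above, handled by one parser, as an added example that is not part of the issue or of the Fabric8 code base. It accepts a token, a certificate/key pair, or both, and rejects an empty or half-filled status instead of letting the request go out unauthenticated. `ExecAuth`, `parse_exec_credential` and `sample` are hypothetical names, and the PEM bodies are placeholders.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecAuth:
    token: Optional[str] = None
    client_cert_pem: Optional[str] = None
    client_key_pem: Optional[str] = None


def parse_exec_credential(plugin_stdout: str) -> ExecAuth:
    """Turn exec plugin stdout into credentials; raise ValueError if unusable."""
    doc = json.loads(plugin_stdout)  # json.JSONDecodeError is a ValueError
    if not isinstance(doc, dict) or doc.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential object")
    if not str(doc.get("apiVersion", "")).startswith("client.authentication.k8s.io/"):
        raise ValueError("unexpected apiVersion")
    status = doc.get("status")
    if not isinstance(status, dict):
        raise ValueError("ExecCredential has no status")
    token = status.get("token") or None
    cert = status.get("clientCertificateData") or None
    key = status.get("clientKeyData") or None
    # The certificate and key are only valid as a pair.
    if (cert is None) != (key is None):
        raise ValueError("clientCertificateData and clientKeyData must both be present")
    if cert is not None:
        if "-----BEGIN CERTIFICATE-----" not in cert:
            raise ValueError("clientCertificateData is not PEM")
        if "PRIVATE KEY-----" not in key:
            raise ValueError("clientKeyData is not a PEM private key")
    # A client that reads only `token` gets nothing from a certificate-only
    # plugin and sends unauthenticated requests; reject empty results instead.
    if token is None and cert is None:
        raise ValueError("plugin returned no usable credential")
    return ExecAuth(token, cert, key)


def sample(status: dict) -> str:
    """Build a constructed ExecCredential document for the demo below."""
    return json.dumps({"apiVersion": "client.authentication.k8s.io/v1",
                       "kind": "ExecCredential", "status": status})


# Constructed inputs; the PEM bodies are placeholders, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
KEY = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    print(parse_exec_credential(sample({"token": "my-bearer-token"})))
    print(parse_exec_credential(sample({"clientCertificateData": CERT, "clientKeyData": KEY})))
```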