Integrate kubelogin for Azure AD Authentication to AKS Clusters #105

Closed
marianheinsen opened this issue Feb 28, 2023 · 7 comments · Fixed by #170
Labels
enhancement New feature or request

Comments

@marianheinsen

What problem are you facing?

We are provisioning Azure AKS Kubernetes clusters using the Azure Provider by Upbound. After provisioning, we install software inside the clusters using this Kubernetes Provider as well as the related Helm Provider. When using Local Accounts for authentication with the clusters' API servers, this works out of the box. However, we would like to switch to authentication based on Azure AD Service Principals and Managed Identities, as this is the best practice and recommended by Azure. The Kubernetes Go Client, which is used by this provider, does not support this authentication method by default, so currently we can't use this provider with AKS clusters configured with Azure AD Authentication. As the same problem arises with standard kubectl usage and Terraform providers as well (see e.g. Azure/kubelogin#114), Azure provides the kubelogin client-go credential plugin, which can be used to retrieve the user credentials and pass them to the Kubernetes Go Client.

How could Crossplane help solve your problem?

I propose to integrate the official kubelogin Go package into this provider (as well as the Helm Provider), so that it's possible to use it with AKS clusters configured with Azure AD Authentication. I'm open to providing an implementation for this and opening a PR. Also, I would be happy to hear the maintainers' thoughts about this. Are you open to such a contribution? @turkenh @morningspace

@marianheinsen marianheinsen added the enhancement New feature or request label Feb 28, 2023
@marianheinsen
Author

Related issue in Helm Provider repo: crossplane-contrib/provider-helm#180

@turkenh
Collaborator

turkenh commented Oct 25, 2023

This makes sense to me. It sounds similar to #10, so, I would prefer a similar implementation/API, if possible.

> Are you open to such a contribution? @turkenh @morningspace

Yes, we are always open and welcome contributions!

@waterfoul

FYI, I added the kubelogin binary to the image (we build the image internally) and it works just fine. If you have need of this in the short term, you can try that; just make sure it's in the path somewhere.

@haarchri
Member

@waterfoul can you add a bit more information? Only kubelogin, or do you need to add AzureCLI as well? Is the Provider then running with Workload Identity?

@dprts

dprts commented Dec 15, 2023

@waterfoul can you share more details of what you added to your image?

@haarchri
Member

We can then implement the same in provider-kubernetes: crossplane-contrib/provider-helm#205

@waterfoul

I only added the one binary
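
The setup discussed in this thread, as an added example that is not from the issue or from provider-kubernetes: a kubeconfig user entry that makes client-go invoke kubelogin as an exec credential plugin with a service principal. The cluster and user names and all `<...>` values are placeholders, and the entry only works where the `kubelogin` binary is on the PATH of the process reading the kubeconfig, which is what the image workaround above provides.

```yaml
# Added illustration; names and <...> values are placeholders, not from the issue.
apiVersion: v1
kind: Config
clusters:
- name: example-aks
  cluster:
    server: https://<aks-api-server-fqdn>:443
    certificate-authority-data: <base64-ca-bundle>
contexts:
- name: example-aks
  context:
    cluster: example-aks
    user: example-aks-spn
current-context: example-aks
users:
- name: example-aks-spn
  user:
    exec:
      # client-go runs this command and uses the ExecCredential it prints
      # (a bearer token) to authenticate against the API server.
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin          # resolved via PATH of the calling process
      args:
      - get-token
      - --login
      - spn                       # service principal login mode
      - --environment
      - AzurePublicCloud
      - --server-id
      - <aks-aad-server-application-id>
      - --client-id
      - <service-principal-client-id>
      - --tenant-id
      - <tenant-id>
      # No client secret in args or in this file: kubelogin reads it from
      # AAD_SERVICE_PRINCIPAL_CLIENT_SECRET in the process environment, so
      # inject that variable from a Secret into the provider pod instead.
      interactiveMode: Never      # the provider runs headless; never prompt
      provideClusterInfo: false
```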
