Hey Team,

I tried out Dexter on an Ubuntu 18 host and looks to be id & secret id are still required to get a successful login.

Built the binary with following parameters:
CLIENT_ID=529839178945-toh9cj642someid7hvu7id9n5.apps.googleusercontent.com CLIENT_SECRET=VzK7vrksome_secret3ts6AfZa6Diz OS=linux make

When a login attempt being made via dexter as follows getting a http 400.
$dexter auth
However when all the parameters are specified as follows can log in just fine.
dexter auth -i xxxxxx -s ffdfdff

Appreciate your feedback guys, could be something that I might have missed.

We need to find a reliable way to open the URL similar to MacOS & Linux. chrome.exe works but this may not be the best approach.

Building from freshly cloned repository failed, because of missing tmpl/kube-config.yaml.

How to reproduce:

git clone https://github.com/gini/dexter.git
cd dexter
docker run --rm --privileged \
  -v $PWD:/go/src/github.com/user/repo \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -w /go/src/github.com/user/repo \
  --env-file ../env-file \
  goreleaser/goreleaser release --snapshot --rm-dist

In the .gitignore, there are lines:

# This is required to allow goreleaser to release with different templates.
# The actual config has to be copied to the location in a prep step.
tmpl/kube-config.yaml

Maybe, there should be a step, during the build, where the default kube-config.yaml is provided, if I don't provide custom one.

Hi,
I have downloaded the pre built darwin package and tried to run "./dexter_darwin_amd64 --client-id=XXX --client-secret=XXX auth" command.
I am getting the below error.
ERRO[2018-05-15T15:17:11+05:30] oauth2 configuration failed: failed to create new dexterOIDC provider: Get https://accounts.google.com/.well-known/openid-configuration: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

My internet connectivity is fine. Please help me with this.

Here is my steps for creating auth.

Go to Google Console:

• create new credentials
• OAuth Client ID
• Web Application
• Authorized redirect URIs: http://127.0.0.1:64464/callback

Save Google ID and SECRET.

Change APIServer:

kops edit cluster --name=${NAME} --state=s3://${NAME}
...
spec:
  kubeAPIServer:
    authorizationMode: RBAC
    authorizationRbacSuperUser: admin
    oidcCAFile: /srv/kubernetes/ca.crt
    oidcClientID: ${ID}
    oidcIssuerURL: https://accounts.google.com
    oidcUsernameClaim: email
    runtimeConfig:
      rbac.authorization.k8s.io/v1alpha1: "true"

kops update cluster --name=${NAME} --yes
kops rolling-update cluster --name=${NAME} --state=s3://${NAME} --yes
kops validate cluster

Create RoleBinding:

cat <<EOF | kubectl create -f -
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: namespace-admin
  namespace: infra
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: [email protected]
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
EOF

Compile and run dexter:

go get -u github.com/gini/dexter
cd ~/go/src/github.com/gini/dexter
make dep
CLIENT_ID=${ID} CLIENT_SECRET=${SECRET} OS=darwin make -j 8
cp ~/.kube/config ~/.kube/config.bak
./build/dexter_darwin_amd64 auth

Here is generated kubectl config:

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://api.k8s-dev.site.org
  name: k8s-dev.site.org
contexts:
- context:
    cluster: k8s-dev.site.org
    namespace: infra
    user: k8s-dev.site.org
  name: k8s-dev.site.org
current-context: k8s-dev.site.org
kind: Config
preferences: {}
users:
- name: [email protected]
  user:
    auth-provider:
      config:
        client-id: 1123441.apps.googleusercontent.com
        client-secret: googlesecret
        id-token: some-token
        idp-issuer-url: https://accounts.google.com
        refresh-token: 1/12345566
      name: oidc
- name: k8s-dev.site.org
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: 123456
    username: admin
- name: k8s-dev.site.org-basic-auth
  user:
    password: 123456
    username: admin

Switch to new user:

kubectl config set-context k8s-dev.site.org [email protected] --namespace=infra

Trying to check resources:

$ kubectl get nodes,svc,ing,pods
No resources found.
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)
error: You must be logged in to the server (Unauthorized)

What I'm doing wrong?

Sometimes, after authenticating with the browser, http server is wound down too quickly, which results in a error page from the browser:

When this happens, the processing (including writing kubeconfig) finishes correctly, this is a just a minor visual issue, but looks quite user unfriendly when happens.

Maybe we need to add the feature, that enables one google user with different credentials generate a two different users in ~/.kube/config?

I've created a service account in the Google cloud console and am struggling to find out how to authenticate as that service account via kubectl. The idea is that our deployment server should be able to execute kubectl set image deployment ... against the cluster but to do that, it needs to authenticate. It makes more sense to use a service account as opposed to a normal IAM user account in this situation.

Is this possible using dexter? If not, does anyone know of an example I can look at for how to achieve this?

Travis based releases stopped working: https://travis-ci.org/gini/dexter/jobs/461688517

Is this application affected by the OOB deprecation announced here https://developers.google.com/identity/protocols/oauth2/resources/oob-migration ?

Right now, google is the default provider set in the code unless told otherwise with a cli flag. Just like we can embed credentials at compile time, it would be great to be able to set the default provider as well.

I've ran into timeout issues, which I could fix by changing this timeout here: https://github.com/gini/dexter/blob/master/cmd/google.go#L23

I attempted to authenticate using Google like this:

dexter auth google \
  --client-id=${id} \
  --client-secret=${secret}

The error looked like this:

ERRO[2023-03-03T13:47:56+01:00] Failed to exchange auth code: Post "https://oauth2.googleapis.com/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Would you accept a pull request either raising the timeout or make it configurable?

There are already command-line flags that only apply to a single OIDC provider. This will only get worse with new providers. I think it will be best to refactor the code in a way to make the majority reusable and only handle the individual bits differently.

Proposed command structure:

dexter auth google
dexter auth azure
dexter auth generic

Correct me if i'm wrong but isn't this kind of the same as using SSL certificates for client auth ?
I mean , the user will get a valid id-token and a refresh token (with google oidc at least). He/she can use the refresh token to get a new id-token once it expired indefinitely , so there's no actual way to revoke access to a token beside removing the user from the (Cluster|Role)Binding same as with SSL certificates.

This might be a silly question, but I can't find a reference in the docs. Is dexter able to be used with dex?

We are currently using dexter to authenticate directly to Google. However, we looking at setting up dex to be able to provide groups which Google Oidc doesn't handle by default.

Thanks.

Hello,

It would be interesting to choose the path of his kubeconfig.

dexter --file /path/to/kube/config
The file to write to. If not specified, ~/.kube/config is used

Thanks

This is how kubectl get's the home folder to build config path: https://github.com/kubernetes/client-go/blob/master/util/homedir/homedir.go

This is how you do it:

In most cases result will be the same, but we hit an issue here when the result was different and the setup failed.

It would be nice if this could be fixed.

It looks like we might need a maintenance release. Currently goreleaser gives

• DEPRECATED: --rm-dist was deprecated in favor of --clean, check https://goreleaser.com/deprecations#-rm-dist for more details

and

• DEPRECATED: `archives.replacements` should not be used anymore, check https://goreleaser.com/deprecations#archivesreplacements for more info

would be good to make these in line with the supported version