T4K UI Native Authentication
T4K UI supports authentication through kubeconfig files which contains token, certificate, auth-provider, etc. But for some Kubernetes cluster distributions, kubeconfig may contain cloud-specific
exec action or auth-provider configuration to fetch the authentication token with the help of credentials file which is not supported by default.When we use kubeconfig on the local system, cloud-specific action/config in the
user section of kubeconfig will look for credentials file at the specific location which will help kubectl/client-go library generate an authentication token used for authentication. But T4K Backend being deployed in the Cluster Pod, this credentials file won't be available in the Pod to generate authentication token. T4K will provide a cloud distribution specific support to handle and generate token from these credentials file.apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMRENDQXBTZ0F3SUJBZ0lRU3B5cVp4QzU4NFFEbVFYdz
server: https://34.138.168.200
name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
contexts:
- context:
cluster: gke_amazing-chalice-243510_us-east1-b_dev-cluster
user: gke_amazing-chalice-243510_us-east1-b_dev-cluster
name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
current-context: gke_amazing-chalice-243510_us-east1-b_dev-cluster
kind: Config
preferences: {}
users:
- name: gke_amazing-chalice-243510_us-east1-b_dev-cluster
user:
auth-provider:
config:
cmd-args: config config-helper --format=json
cmd-path: /home/trilio/google-cloud-sdk/bin/gcloud
expiry-key: '{.credential.token_expiry}'
token-key: '{.credential.access_token}'
name: gcp
For GKE cluster, there exists local binary
gcloud which reads sqlite credentials file with a name credentials.db under location $HOME/.config/gcloud to generate an authentication token. All the parameters required to generate the token exists in the same credentials.db file. While logging into T4K UI deployed in the GKE cluster, a user is expected to provide credentials.db file under location $HOME/.config/gcloud to pass the authentication.\apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFR
server: https://6C74ACD3CA40CFCB719CF3464423ADA9.gr7.us-east-1.eks.amazonaws.com
name: vinod-eks.us-east-1.eksctl.io
contexts:
- context:
cluster: vinod-eks.us-east-1.eksctl.io
user: [email protected]@vinod-eks.us-east-1.eksctl.io
name: [email protected]@vinod-eks.us-east-1.eksctl.io
current-context: [email protected]@vinod-eks.us-east-1.eksctl.io
kind: Config
preferences: {}
users:
- name: [email protected]@vinod-eks.us-east-1.eksctl.io
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- eks
- get-token
- --cluster-name
- vinod-eks
- --region
- us-east-1
command: aws
env:
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
For EKS cluster, there exists local binary
aws (aws-cli) which reads credentials file with a name credentials under location $HOME/.aws to generate an authentication token. There is one more extra parameter eks cluster-name needed to generate a token which will be asked only once to login. While logging into T4K UI deployed in the EKS cluster, a user is expected to provide credentials file under location ~/.aws to pass the authentication.\