POC: Kube-bind skeleton

.gitignore

@@ -37,3 +37,13 @@ docs/generators/cli-doc/cli-doc
 # Ignore UNIX sockets and delve binaries
 *.sock
 __debug_*
+
+dex/
+*.crt
+*.key
+*.pem
+contrib/kube-bind/bin/backend
+contrib/kube-bind/bin/bootstrap
+dex/
+contrib/kube-bind/kubectl-bind
+contrib/kube-bind/bin/backend

Makefile

@@ -72,7 +72,7 @@ LOGCHECK_BIN := logcheck
 LOGCHECK := $(TOOLS_GOBIN_DIR)/$(LOGCHECK_BIN)-$(LOGCHECK_VER)
 export LOGCHECK # so hack scripts can use it
 
-CODE_GENERATOR_VER := v2.3.0
+CODE_GENERATOR_VER := v2.3.1
 CODE_GENERATOR_BIN := code-generator
 CODE_GENERATOR := $(TOOLS_GOBIN_DIR)/$(CODE_GENERATOR_BIN)-$(CODE_GENERATOR_VER)
 export CODE_GENERATOR # so hack scripts can use it

cli/go.mod

@@ -4,7 +4,7 @@ go 1.22.0
 
 require (
 	github.com/google/go-cmp v0.6.0
-	github.com/kcp-dev/client-go v0.0.0-20240903163341-318c14d7636e
+	github.com/kcp-dev/client-go v0.0.0-20240912145314-f5949d81732a
 	github.com/kcp-dev/kcp/sdk v0.0.0-00010101000000-000000000000
 	github.com/kcp-dev/logicalcluster/v3 v3.0.5
 	github.com/spf13/cobra v1.8.1

cli/go.sum

@@ -98,8 +98,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20240817110845-a9eb9752bfeb h1:W11F/dp6NdUnHeB0SrpyWLiifRosu1qaMJvdFGGLXc0=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20240817110845-a9eb9752bfeb/go.mod h1:mEDD1K5BVUXJ4CP6wcJ0vZUf+7tbFMjkCFzBKsUNj18=
-github.com/kcp-dev/client-go v0.0.0-20240903163341-318c14d7636e h1:9wOMy1qKXpefpW28vccGEX3o/IaoDu3PZSqDeaz1p8k=
-github.com/kcp-dev/client-go v0.0.0-20240903163341-318c14d7636e/go.mod h1:GZTo7YtdO7PJ6VwWjKUiby5WjNh7YQZieDqNvbSHd0U=
+github.com/kcp-dev/client-go v0.0.0-20240912145314-f5949d81732a h1:O9SNM3MqMlwoEAPSWxk/yw4JU211KpVsAFjTXWQcMEk=
+github.com/kcp-dev/client-go v0.0.0-20240912145314-f5949d81732a/go.mod h1:h5jC8rEbkyGUgV86+sgtMMcl950ooGzk+iLrQnbCR6o=
 github.com/kcp-dev/logicalcluster/v3 v3.0.5 h1:JbYakokb+5Uinz09oTXomSUJVQsqfxEvU4RyHUYxHOU=
 github.com/kcp-dev/logicalcluster/v3 v3.0.5/go.mod h1:EWBUBxdr49fUB1cLMO4nOdBWmYifLbP1LfoL20KkXYY=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=

contrib/kcp-dex/README.md

@@ -0,0 +1,75 @@
+# KCP Dex
+
+How to run local kcp with dex.
+
+## Step by step guide
+
+### Dex
+
+Run dex outside of kcp
+We use dex to manage OIDC, following the steps below you can run a local OIDC issuer using dex:
+
+* First, clone the dex repo: `git clone https://github.com/mjudeikis/dex.git -b mjudeikis/groups.support`
+  * Important: We use fork to allow local group support k8s relies on: https://github.com/dexidp/dex/issues/1080
+* `cd dex` and then build the dex binary `make build`
+* The binary will be created in `bin/dex`
+* Adjust the config file(`examples/config-dev.yaml`) for dex by specifying the server callback method:
+* Generate certificates for dex:
+```bash
+GOBIN=$(pwd)/bin go install github.com/mjudeikis/genkey
+./bin/genkey 127.0.0.1
+```
+
+* Run dex: `./bin/dex serve ../contrib/kcp-dex/kcp-config.yaml `
+
+
+### KCP
+
+Start kcp with oidc enabled:
+
+```bash
+go run ./cmd/kcp start \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-client-id=kcp-dev \
+--oidc-groups-claim=groups \
+--oidc-ca-file=127.0.0.1.pem
+```
+
+### Login
+
+Use oidc plugin:
+
+```bash
+kubectl krew install oidc-login
+
+# to test
+kubectl oidc-login get-token \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-client-id=kcp-dev \
+--oidc-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+--insecure-skip-tls-verify \
+--oidc-extra-scope=groups,email
+
+# to configure kubectl to use this plugin
+export KUBECONFIG=.kcp/admin.kubeconfig
+
+# create a new user with oidc
+kubectl config set-credentials oidc \
+  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=https://127.0.0.1:5556/dex  \
+  --exec-arg=--oidc-client-id=kcp-dev \
+  --exec-arg=--oidc-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+  --exec-arg=--oidc-extra-scope=groups \
+  --exec-arg=--oidc-extra-scope=email \
+  --exec-arg=--insecure-skip-tls-verify
+
+# set current context to use oidc
+kubectl config set-context --current --user=oidc
+
+# test
+# password is admin:password
+kubectl get ws
+kubectl create workspace bob

contrib/kcp-dex/kcp-config.yaml

@@ -0,0 +1,34 @@
+
+issuer: https://127.0.0.1:5556/dex
+web:
+  https: 127.0.0.1:5556
+  tlsCert: ../127.0.0.1.pem
+  tlsKey: ../127.0.0.1.pem
+storage:
+  type: sqlite3
+  config:
+    file: examples/dex.db
+staticClients:
+  - id: kcp-dev
+    public: true
+    redirectURIs:
+    - http://localhost:8000 # oidc-login callback url
+    - https://127.0.0.1:8080/callback # kube-bind callback url
+    - https://127.0.0.1:6443/callback # kube-bind callback url
+    name: 'KCP App'
+    secret: Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg==
+
+# Let dex keep a list of passwords which can be used to login to dex.
+enablePasswordDB: true
+
+# A static list of passwords to login the end user. By identifying here, dex
+# won't look in its underlying storage for passwords.
+#
+# If this option isn't chosen users may be added through the gRPC API.
+staticPasswords:
+- email: "admin"
+  # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
+  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+  username: "admin"
+  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+  groups: ["system:kcp:admin", "system:admin"]

contrib/kube-bind/.gitignore

@@ -0,0 +1,2 @@
+/kube-bind
+/bin

contrib/kube-bind/Makefile

@@ -0,0 +1,113 @@
+TOOLS_DIR=hack/tools
+TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR))/bin
+export TOOLS_BIN_DIR # so hack scripts can use it
+
+GO_INSTALL = ./hack/go-install.sh
+
+KCP_VERSION ?= 0.23.0
+CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
+export CONTROLLER_GEN # so hack scripts can use it
+
+KUBE_BIND_VERSION ?= v0.4.1
+KUBE_BIND_DIR := kube-bind
+KUBE_BIND_REPO := https://github.com/kube-bind/kube-bind
+export KUBE_BIND_DIR # so hack scripts can use it
+export KUBE_BIND_REPO # so hack scripts can use it
+export KUBE_BIND_VERSION # so hack scripts can use it
+
+CODE_GENERATOR_VER := v2.1.0
+CODE_GENERATOR_BIN := code-generator
+CODE_GENERATOR := $(TOOLS_BIN_DIR)/$(CODE_GENERATOR_BIN)-$(CODE_GENERATOR_VER)
+export CODE_GENERATOR # so hack scripts can use it
+
+KCP_APIGEN_VER := v0.26.0
+KCP_APIGEN_BIN := apigen
+KCP_APIGEN_GEN := $(TOOLS_BIN_DIR)/$(KCP_APIGEN_BIN)-$(KCP_APIGEN_VER)
+export KCP_APIGEN_GEN # so hack scripts can use it
+
+OPENSHIFT_GOIMPORTS_VER := c72f1dc2e3aacfa00aece3391d938c9bc734e791
+OPENSHIFT_GOIMPORTS_BIN := openshift-goimports
+OPENSHIFT_GOIMPORTS := $(TOOLS_BIN_DIR)/$(OPENSHIFT_GOIMPORTS_BIN)-$(OPENSHIFT_GOIMPORTS_VER)
+export OPENSHIFT_GOIMPORTS # so hack scripts can use it
+
+$(KCP_APIGEN_GEN):
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/kcp-dev/kcp/sdk/cmd/apigen $(KCP_APIGEN_BIN) $(KCP_APIGEN_VER)
+
+$(CONTROLLER_GEN):  # Build controller-gen from tools folder.
+	cd $(TOOLS_BIN_DIR) && go build -tags=tools -o bin/controller-gen sigs.k8s.io/controller-tools/cmd/controller-gen
+
+$(CODE_GENERATOR):
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/kcp-dev/code-generator/v2 $(CODE_GENERATOR_BIN) $(CODE_GENERATOR_VER)
+
+$(OPENSHIFT_GOIMPORTS):
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/openshift-eng/openshift-goimports $(OPENSHIFT_GOIMPORTS_BIN) $(OPENSHIFT_GOIMPORTS_VER)
+
+
+tools: $(CONTROLLER_GEN) $(KCP_APIGEN_GEN) $ $(CODE_GENERATOR $(OPENSHIFT_GOIMPORTS)) ## Install tools
+.PHONY: tools
+
+
+KUBE_MAJOR_VERSION := 1
+KUBE_MINOR_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed "s/v[0-9]*\.\([0-9]*\).*/\1/")
+GIT_COMMIT := $(shell git rev-parse --short HEAD || echo 'local')
+GIT_DIRTY := $(shell git diff --quiet && echo 'clean' || echo 'dirty')
+#GIT_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed 's/v0/v1/')+kube-bind-$(shell git describe --tags --match='v*' --abbrev=14 "$(GIT_COMMIT)^{commit}" 2>/dev/null || echo v0.0.0-$(GIT_COMMIT))
+GIT_VERSION := "v1.32.0+kube-bind-v0.4.6"
+BUILD_DATE := $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
+LDFLAGS := \
+	-X k8s.io/client-go/pkg/version.gitCommit=${GIT_COMMIT} \
+	-X k8s.io/client-go/pkg/version.gitTreeState=${GIT_DIRTY} \
+	-X k8s.io/client-go/pkg/version.gitVersion=${GIT_VERSION} \
+	-X k8s.io/client-go/pkg/version.gitMajor=${KUBE_MAJOR_VERSION} \
+	-X k8s.io/client-go/pkg/version.gitMinor=${KUBE_MINOR_VERSION} \
+	-X k8s.io/client-go/pkg/version.buildDate=${BUILD_DATE} \
+	\
+	-X k8s.io/component-base/version.gitCommit=${GIT_COMMIT} \
+	-X k8s.io/component-base/version.gitTreeState=${GIT_DIRTY} \
+	-X k8s.io/component-base/version.gitVersion=${GIT_VERSION} \
+	-X k8s.io/component-base/version.gitMajor=${KUBE_MAJOR_VERSION} \
+	-X k8s.io/component-base/version.gitMinor=${KUBE_MINOR_VERSION} \
+	-X k8s.io/component-base/version.buildDate=${BUILD_DATE}
+build: WHAT ?= ./cmd/...
+build: clean
+	GOOS=$(OS) GOARCH=$(ARCH) go build $(BUILDFLAGS) -ldflags="$(LDFLAGS)" -o bin/ $(WHAT)
+.PHONY: build
+
+clean:
+	rm -rf bin/*
+
+run-dev-init: build
+	bin/bootstrap init --kcp-kubeconfig=../../.kcp/admin.kubeconfig
+
+run-dev: build
+	bin/backend start \
+	-v 4 \
+	--tls-cert-file=../../127.0.0.1.pem \
+	--tls-key-file=../../127.0.0.1.pem \
+	--listen-address=127.0.0.1:6443 \
+	--oidc-issuer-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+	--oidc-issuer-client-id=kcp-dev \
+	--oidc-issuer-url=https://127.0.0.1:5556/dex \
+	--oidc-callback-url=https://127.0.0.1:6443/callback \
+	--oidc-authorize-url=https://127.0.0.1:6443/authorize \
+	--oidc-ca-file=../../127.0.0.1.pem \
+	--pretty-name="CorpAAA.com" \
+	--namespace-prefix="kube-bind-" \
+	--cookie-signing-key=bGMHz7SR9XcI9JdDB68VmjQErrjbrAR9JdVqjAOKHzE= \
+	--cookie-encryption-key=wadqi4u+w0bqnSrVFtM38Pz2ykYVIeeadhzT34XlC1Y= \
+	--workspace-path="root:kube-bind" \
+	--apiexport-name="kube-bind.io" \
+	--kubeconfig=../../.kcp/admin.kubeconfig \
+	--dev-mode=true
+
+crds: $(CONTROLLER_GEN) ## Generate crds
+	./hack/update-codegen-crds.sh
+.PHONY: crds
+
+codegen: crds
+	$(MAKE) imports
+.PHONY: codegen
+
+.PHONY: imports
+imports: $(OPENSHIFT_GOIMPORTS)
+	$(OPENSHIFT_GOIMPORTS) -m github.com/kcp-dev/kcp/contrib/kube-bind

contrib/kube-bind/README.md

@@ -0,0 +1,37 @@
+# Kube-Bind for KCP
+
+This is example backend for KCP that uses [kube-bind](https://github.com/kube-bind/kube-bind) to bind api-exports.
+
+Values here should match the values used to start kcp with so that the oidc tokens are valid.
+We use kcp from `contrib/kcp-dex` as an example.
+
+
+1. Create a kube-bind provider backend.
+
+```bash
+
+```
+
+
+```bash
+make build
+
+bin/backend \
+  --oidc-issuer-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+  --oidc-issuer-client-id=kcp-dev \
+  --oidc-issuer-url=https://127.0.0.1:5556/dex \
+  --oidc-callback-url=https://127.0.0.1:6443/callback \
+  --pretty-name="CorpAAA.com" \
+  --namespace-prefix="kube-bind-" \
+  --cookie-signing-key=bGMHz7SR9XcI9JdDB68VmjQErrjbrAR9JdVqjAOKHzE= \
+  --cookie-encryption-key=wadqi4u+w0bqnSrVFtM38Pz2ykYVIeeadhzT34XlC1Y=
+```
+
+
+# Architecture
+
+Challenges:
+1. backend needs to be aware of every workspace where APIExports are enabled to be
+exported.
+   This is achieved by binding kube-bind api into workspace where APIExport is present. 
+