Comments (8)
I agree this will be a must have for most companies.
from headlamp.
From #1716 I've been able to get this working like so
Can confirm what @kdeyko says. I have a similar issue with a custom OIDC binary we invoke from exec. If we open the app through point-and-click (macOS), we just get bad gateway and lots of errors in the dev console connecting to localhost. If I open up in a terminal via /Applications/Headlamp.app/Contents/MacOS/Headlamp, everything works perfectly.
Could be a work-around until the underlying connectivity issue is resolved?
from headlamp.
On macOS, I've used the following work-around to make this work via native Finder/Dock/Spotlight launch:
$ sudo launchctl config user path /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/homebrew/bin
This ensures that the paths where my exec plugins are located are in the environment of every application I launch via Finder et al. Unfortunately, the change requires root and a reboot, but successfully unblocks Headlamp in local GUI mode to work properly with exec configuration.
Incorporating something similar to shell-path in the Electron startup should allow Headlamp to inherit the user-configured PATH environment so that Headlamp works as expected: https://github.com/sindresorhus/shell-path (hopefully there is a newer, maintained dependency). Headlamp appears to implement kubeconfig handling in a way that already supports exec so long as any executable referenced by exec is either an absolute path or IN the search PATH. TL;DR, enabling this feature seems to only require fixing the way Headlamp launches with respect to incorporating/honoring user-configured PATH that tools like kubectl already depend on.
from headlamp.
Would also like for this to work. I'm guessing there are a lot of people using some form of client-side addon (e.g. I am using passman to store the credentials in keychain):
- name: rancher
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - keychain
      - user@cluster
      command: kubectl-passman
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
from headlamp.
Hi.
Thanks for writing.
Yeah, we use the k8s APIs rather than kubectl and haven't implemented support for the "client-go credential plugins".
As a not-great workaround, authentication for both AKS and EKS can be done with OIDC. I realize this is probably not suitable, however, because the point of the aws-iam-authenticator is to avoid having to manage separate services. (Please correct me if I'm wrong?)
Supporting external auth commands isn't currently on the short term roadmap. But I personally think it's something we should support.
External auth related docs
exec:
  apiVersion: ...
  command: ...
  args: ...
Other related issues:
A number of others have reported here and elsewhere wanting support for external auth commands.
Here are some of the GitHub issues:
Yep, I'd love that. OpenLens picks up my AWS EKS context and connects to the clusters out of the box. Headlamp recognizes the contexts, but just shows "Bad Gateway" status for the clusters. I guess I'll stay with OpenLens for now :(
edit2:
Oh wait, yes, looks like it's exactly the problem:
16:18:10.725 › server process stderr: 2024/05/08 16:18:10 http: proxy error: getting credentials: exec: executable aws not found
It looks like you are trying to use a client-go credential plugin that is not installed.
To learn more about this feature, consult the documentation available at:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
That's what my kube config looks like:
- name: arn:aws:eks:us-west-2:011111111111:cluster/mycluster1
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - mycluster1
      - --output
      - json
      command: aws
from headlamp.
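An added example, not part of the thread and not Headlamp's code: a small audit of how each `exec` credential plugin in a kubeconfig resolves under a given search PATH, which reproduces the "executable aws not found" case above and the PATH dependence described in the macOS work-around comment. It assumes the kubeconfig is supplied as JSON (the form `kubectl config view -o json` prints); `GUI_DEFAULT_PATH`, `audit_exec_plugins` and the sample entries are constructed for illustration.

```python
import json
import os
import shutil

# Assumed default PATH that launchd hands to Finder/Dock-launched apps on macOS.
GUI_DEFAULT_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"

# Constructed sample: the two exec users quoted in this thread (args shortened),
# in the JSON form that `kubectl config view -o json` prints.
SAMPLE_KUBECONFIG = json.dumps({"users": [
    {"name": "rancher", "user": {"exec": {
        "command": "kubectl-passman", "args": ["keychain", "user@cluster"]}}},
    {"name": "arn:aws:eks:us-west-2:011111111111:cluster/mycluster1",
     "user": {"exec": {"command": "aws", "args": ["eks", "get-token"]}}},
    {"name": "token-user", "user": {"token": "REDACTED"}},  # no exec: skipped
]})


def audit_exec_plugins(kubeconfig_json, search_path):
    """Report how each exec credential plugin resolves under search_path."""
    findings = []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg:
            continue
        command = exec_cfg.get("command") or ""
        if os.path.isabs(command):
            # Absolute paths do not depend on the launcher's PATH at all.
            found = os.path.isfile(command) and os.access(command, os.X_OK)
            status = "absolute" if found else "missing"
            resolved = command if found else None
        else:
            # Bare names run whatever PATH yields first, so record the winner.
            resolved = shutil.which(command, path=search_path)
            status = "path-dependent" if resolved else "not-found"
        findings.append({"user": entry["name"], "command": command,
                         "status": status, "resolved": resolved})
    return findings


if __name__ == "__main__":
    for label, path in (("GUI launch", GUI_DEFAULT_PATH),
                        ("this shell", os.environ.get("PATH", ""))):
        for f in audit_exec_plugins(SAMPLE_KUBECONFIG, path):
            print(f"{label:10} {f['command']:16} {f['status']:14} {f['resolved']}")
```

A `path-dependent` row shows exactly which binary would receive the credential request under that PATH; an `absolute` row behaves the same whether the app is started from a terminal or from Finder.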
Thanks @lindblombr
from headlamp.
FWIW, octant also implements client-go authentication.
from headlamp.