github.com/kubeshop/testkube@v1.17.23/docs/docs/articles/oauth-cli.md

github.com/kubeshop/testkube@v1.17.23/docs/docs/articles/oauth-cli.md (about)

     1  # OAuth for CLI
     2  
     3  By default, Testkube CLI uses the "proxy" client which leverages the [kube apiserver proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies/) to reach the Testkube API server. This implies granting users access to Iestkube internals in order to reach the Testkube APIREST endpoint (when using commands such as `testkube get artifact` ).
     4  
     5  This section describes how to protect the Testkube api-server REST API endpoint with [oauth2 authentication authorization grant](https://oauth.net/2/grant-types/authorization-code/), for use by the Testkube CLI as an oauth 2 client. In this mode, Testkube users do not need to be granted "Testkube administrator roles".
     6  
     7  Testkube doesn't provide a separate user/role management system to protect access to its CLI.
     8  
     9  Users can configure OAuth-based authentication modules using Testkube Helm chart parameters and the CLI config command.
    10  
    11  Testkube can automatically configure the Kubernetes NGINX Ingress Controller and create the required ingresses.
    12  
    13  ## Provide Parameters for API Ingress
    14  
    15  Pass values to Testkube Helm chart during installation or upgrade (they are empty by default).
    16  Pay attention to the usage of the scheme (http or https) in URIs.
    17  
    18  ```sh
    19  --set testkube-api.cliIngress.enabled=true \
    20  --set testkube-api.cliIngress.oauth.provider="github"
    21  --set testkube-api.cliIngress.oauth.clientID="XXXXXXXXXX" \
    22  --set testkube-api.cliIngress.oauth.clientSecret="XXXXXXXXXX" \
    23  --set testkube-api.cliIngress.oauth.scopes=""
    24  ```
    25  
    26  ## Create Github OAuth Application
    27  
    28  Currently, only GitHub OAuth authentication is supported. It is not yet possible to configure kube api-server to authenticate Testkube CLI OAuth2 against other OAuth2 IDPs. 
    29  
    30  In [OAuth terminology](https://www.rfc-editor.org/rfc/rfc6749#section-1.1): 
    31  - GitHub is the *authorization server*.
    32  - Testkube CLI is the *client* receiving HTTP redirects from the authorization server on a local HTTP endpoint (http://127.0.0.1:13254) served by the CLI. A local web browser invoked by [xdg-open](https://linux.die.net/man/1/xdg-open) is required to access GitHub web UI, and then follow HTTP redirect to the local HTTP authorization callback endpoint.
    33  - Testkube api-server is the *resource server*.
    34  
    35  
    36  Register a new Github OAuth application for your personal or organization account.
    37  
    38  ![Register new App](../img/github_app_request_cli.png)
    39  
    40  Pay attention to the usage of the scheme (http or https) in URIs.
    41  The homepage URL should be the Testkube Dashboard home page http://127.0.0.1:13254.
    42  
    43  The authorization callback URL should be a prebuilt page at the Testkube Dashboard website http://127.0.0.1:13254/oauth/callback.
    44  
    45  ![View created App](../img/github_app_response_cli.png)
    46  
    47  Make note of the generated Client ID and Client Secret.
    48  
    49  ## Provide Parameters for CLI
    50  
    51  Run the command below to configure oauth parameters (we support GitHub OAuth provider):
    52  
    53  ```sh
    54  kubectl testkube config oauth https://demo.testkube.io/api --client-id XXXXXXXXXX --client-secret XXXXXXXXXX
    55  ```
    56  
    57  Output:
    58  
    59  ```sh
    60  You will be redirected to your browser for authentication or you can open the url below manually
    61  https://github.com/login/oauth/authorize?access_type=offline&client_id=XXXXXXXXXX&redirect_uri=http%3A%2F%2F127.0.0.1%3A13254%2Foauth%2Fcallback&response_type=code&state=iRQkcwXV
    62  Authentication will be cancelled in 60 seconds
    63  ```
    64  
    65  Authorization for the GitHub application will be requested and access will need to be confirmed.
    66  ![Confirm App authorization](../img/github_app_authorize_cli.png)
    67  
    68  If authorization is successful, you will see the success page.
    69  ![Success Page](../img/github_app_success_cli.png)
    70  
    71  Output:
    72  
    73  ```sh
    74  Shutting down server...
    75  Server gracefully stopped 🥇
    76  New api uri set to https://demo.testkube.io/api 🥇
    77  New oauth token gho_XXXXXXXXXX 🥇
    78  ```
    79  
    80  ## Run CLI Commands with OAuth
    81  
    82  Now all of your requests with direct client will submit an OAuth token, for example:
    83  
    84  ```sh
    85  kubectl testkube get executors -c direct
    86  ```
    87  
    88  Output:
    89  
    90  ```sh
    91    NAME               | URI | LABELS
    92  +--------------------+-----+--------+
    93    artillery-executor |     |
    94    curl-executor      |     |
    95    cypress-executor   |     |
    96    k6-executor        |     |
    97    postman-executor   |     |
    98    soapui-executor    |     |
    99  ```
   100  
   101  ## Environment Variables
   102  
   103  You can use 2 environment variables to override CLI config values:
   104  
   105  `TESTKUBE_API_URI` - For the API uri.
   106  
   107  `TESTKUBE_OAUTH_ACCESS_TOKEN` - For the OAuth access token.