Metadata-Version: 2.1
Name: ocp-sso-token
Version: 0.1.0
Summary: Obtain an OCP OAuth token for an SSO IdP with Kerberos support
Home-page: https://gitlab.com/cki-project/ocp-sso-token
Author: CKI Team
Author-email: cki-project@redhat.com
License: GPLv3
Description-Content-Type: text/markdown
Provides-Extra: dev
Provides-Extra: release
License-File: LICENSE

# Automation to create OpenShift CLI tokens for an OpenID Connect IdP with Kerberos support

This package can be found on PyPI as [ocp-sso-token](https://test.pypi.org/project/ocp-sso-token/0.1.0/).

## Problem: several manual steps to log into an OpenShift cluster via OIDC without ROPC

To log into an OpenShift cluster on the command line, [oc login] supports
user/password authentication for various [identity providers] like [LDAP] or [OIDC
with ROPC grant flow] (the OAuth 2.0 Resource Owner Password Credentials grant,
in which the cluster forwards the user's password to the IdP).

If no provider with password support is configured, `oc login` instead refers the
user to the cluster's OAuth login page to obtain a temporary token interactively.
After selecting the right provider, the user is forwarded to authenticate with the
SSO provider and redirected back to the cluster afterwards. Another click reveals
the temporary token that can then be used with the CLI tools.

For an OpenID provider that accepts Kerberos tickets, the authentication with
the SSO provider happens transparently: the browser answers the provider's
`Negotiate` challenge with the user's ticket, so no password is typed. For such
setups, logging into a cluster via the CLI roughly requires the following steps:

- run `oc login` and open the link it prints, or visit a bookmark for the
  cluster login page
- click on the button for the OpenID provider
- wait while the pages redirect to each other
- click on the link to reveal the temporary token
- use the shown temporary token/`oc login` command to log into the cluster

Because the token is short-lived, these steps must be repeated daily, and for
each cluster separately.

## Approach: automate all the steps above

The Python script in this repository automates all the steps to obtain the
temporary token so that the following is possible:

```bash
kinit $user@$domain
oc login --server $server --token $(ocp-sso-token $server)
```

Note that the `$(...)` substitution puts the token on the `oc` command line,
where other users of the same host can read it from the process list for as
long as `oc login` runs; `oc login` then stores the token in your kubeconfig,
which should be protected like any other credential file.

[oc login]: https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html#cli-logging-in_cli-developer-commands
[identity providers]: https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html
[LDAP]: https://docs.openshift.com/container-platform/latest/authentication/identity_providers/configuring-ldap-identity-provider.html
[OIDC with ROPC grant flow]: https://docs.openshift.com/container-platform/latest/authentication/identity_providers/configuring-oidc-identity-provider.html#add-identity-provider_configuring-oidc-identity-provider

## Installing the script

```bash
# from PyPI
pip install ocp-sso-token

# from source
pip install --user git+https://gitlab.com/cki-project/ocp-sso-token
```

## Using the script to log into an OpenShift cluster via OIDC

```text
usage: ocp-sso-token [-h] [--identity-providers IDENTITY_PROVIDERS] api_url

Log into an OCP cluster via Kerberos tickets

positional arguments:
  api_url               Cluster API URL like https://api.cluster:6443

optional arguments:
  -h, --help            show this help message and exit
  --identity-providers IDENTITY_PROVIDERS
                        Identity provider names (default: SSO,OpenID)
```

Running a smoke test:

```bash
kinit user@DOMAIN.COM
server=https://api.cluster:6443
oc --server $server --token $(ocp-sso-token $server) get project
```

If your identity provider name is not included in the defaults shown above, pass
it via `--identity-providers`, which takes a comma-separated list of names. The
first name that matches an identity provider offered by the cluster's login page
is used.
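The token flow described in the problem and approach sections above, together with the identity-provider selection just described, as an added example in Python. This is not the ocp-sso-token project's code. It assumes an OpenShift 4 cluster that publishes its OAuth metadata at `/.well-known/oauth-authorization-server`, a provider selection page at `/oauth/token/request` whose buttons link to `/oauth/authorize?idp=<name>`, a token display page at `/oauth/token/display` that shows an OCP 4 `sha256~` token after a form POST with assumed `code` and `csrf` fields, and the third-party `requests` and `requests-gssapi` packages for the Kerberos (SPNEGO) exchange. The pure helpers are separated from the network step so they can be checked against saved HTML without a ticket; any sample metadata or pages used with them are constructed.

```python
"""Added example, not code from the ocp-sso-token project: the browser token
flow for an OpenShift cluster, with the pure steps split from the network step.

Assumptions (also marked in comments): OAuth metadata is served at
/.well-known/oauth-authorization-server; the selection page at
/oauth/token/request links to /oauth/authorize?idp=<name>; the token appears on
/oauth/token/display with the OCP 4 `sha256~` prefix; Kerberos/SPNEGO is done
with the third-party requests-gssapi package, imported lazily in fetch_token().
"""
import html
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

BROWSER_CLIENT = "openshift-browser-client"   # OAuth client behind /oauth/token/request
DEFAULT_IDPS = ("SSO", "OpenID")              # same defaults as the script's --identity-providers
# OCP 4 access tokens look like sha256~<43 base64url chars>; the lookahead keeps
# the match from swallowing trailing identifier characters.
TOKEN_RE = re.compile(r"sha256~[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])")

def parse_oauth_metadata(body: str) -> dict:
    """Pick the fields this flow needs out of the well-known OAuth metadata document."""
    meta = json.loads(body)
    return {k: meta[k] for k in ("issuer", "authorization_endpoint", "token_endpoint")}

def build_authorize_url(authorization_endpoint: str, idp: str) -> str:
    """The link the provider button points to (query layout is an assumption)."""
    oauth_base = authorization_endpoint.rsplit("/oauth/authorize", 1)[0]
    query = urlencode({
        "client_id": BROWSER_CLIENT,
        "idp": idp,
        "redirect_uri": f"{oauth_base}/oauth/token/display",
        "response_type": "code",
    })
    return f"{authorization_endpoint}?{query}"

def list_identity_providers(login_page: str) -> list:
    """Collect the idp= names from the authorize links on the selection page."""
    names = []
    for href in re.findall(r'href="([^"]*oauth/authorize[^"]*)"', login_page):
        query = parse_qs(urlparse(html.unescape(href)).query)
        for name in query.get("idp", []):
            if name not in names:
                names.append(name)
    return names

def pick_identity_provider(offered, wanted=DEFAULT_IDPS) -> str:
    """First requested name the cluster offers (this example's reading of
    'the first matching identity provider will be used')."""
    for name in wanted:
        if name in offered:
            return name
    raise LookupError(f"none of {list(wanted)} offered; cluster has {list(offered)}")

def extract_token(display_page: str) -> str:
    """Pull the token out of the display page, whether it sits in a <code> tag
    or inside the suggested `oc login --token=` command."""
    match = TOKEN_RE.search(html.unescape(display_page))
    if match is None:
        raise ValueError("no sha256~ token found on the display page")
    return match.group(0)

def fetch_token(api_url: str, wanted=DEFAULT_IDPS, timeout: float = 30) -> str:
    """Network part of the flow; needs a valid ticket (kinit) and requests-gssapi."""
    import requests                                   # lazy: only this path needs them
    from requests_gssapi import DISABLED, HTTPSPNEGOAuth

    # TLS verification stays at the default (on): a token fetched over an
    # unverified connection is a token handed to whoever sits on the path.
    meta = parse_oauth_metadata(
        requests.get(f"{api_url}/.well-known/oauth-authorization-server", timeout=timeout).text
    )
    session = requests.Session()
    # Answer the IdP's 401 "WWW-Authenticate: Negotiate" with the Kerberos ticket.
    # Nothing is sent pre-emptively, so the cluster hosts never see the ticket;
    # mutual authentication is left to TLS, which already verifies the IdP host.
    session.auth = HTTPSPNEGOAuth(mutual_authentication=DISABLED)

    oauth_base = meta["issuer"]
    selection = session.get(f"{oauth_base}/oauth/token/request", timeout=timeout)
    selection.raise_for_status()
    idp = pick_identity_provider(list_identity_providers(selection.text), wanted)

    # Follows the redirect chain cluster -> IdP (SPNEGO) -> /oauth/token/display.
    display = session.get(build_authorize_url(meta["authorization_endpoint"], idp), timeout=timeout)
    display.raise_for_status()
    # The "Display Token" click is a form POST carrying code and csrf fields
    # (assumed field names); submit it to reach the page that shows the token.
    form = dict(re.findall(r'name="(code|csrf)"\s+value="([^"]*)"', display.text))
    shown = session.post(f"{oauth_base}/oauth/token/display", data=form, timeout=timeout)
    shown.raise_for_status()
    return extract_token(shown.text)

if __name__ == "__main__":
    import sys
    idps = tuple(sys.argv[2].split(",")) if len(sys.argv) > 2 else DEFAULT_IDPS
    print(fetch_token(sys.argv[1], idps))
```

Run it as `python ocp_token_flow.py https://api.cluster:6443 SSO,OpenID` after `kinit`. The network step fails loudly on any non-2xx response instead of scraping an error page, and it deliberately does not relax certificate verification: if the cluster's CA is not trusted on the client, fix the trust store rather than passing `verify=False`, since the whole point of the exchange is to hand a bearer token only to the real cluster.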

## Creating a development setup and running the tests

Installing development dependencies:

```bash
pip install -e .[dev]
```

Running linting/tests:

```bash
tox
```

## Creating a release

1. Create a release MR with an update of the version number in
   `ocp_sso_token/__init__.py`, e.g. to `3.1.4`
1. After merging, push a new tag with the same version prefixed with `v`, e.g.

   ```shell
   git tag v3.1.4
   git push origin v3.1.4
   ```

1. Wait for the pipeline to finish
1. Check the resulting GitLab and PyPI releases
