Revert "Remove gcp and azure auth plugins"

This reverts commit 916cf16cf14928702f3f90b655ddddab2c85fcec.

Kubernetes-commit: 651b4f5b647a205d12fad4d0edc489d97109cccc

go.mod

@@ -5,6 +5,8 @@ module k8s.io/client-go
 go 1.19
 
 require (
+ github.com/Azure/go-autorest/autorest v0.11.27
+ github.com/Azure/go-autorest/autorest/adal v0.9.20
  github.com/davecgh/go-spew v1.1.1
  github.com/evanphx/json-patch v4.12.0+incompatible
  github.com/gogo/protobuf v1.3.2
@@ -24,8 +26,8 @@ require (
  golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
  golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
  google.golang.org/protobuf v1.28.0
- k8s.io/api v0.0.0-20220807235320-860821164923
- k8s.io/apimachinery v0.0.0-20220805001719-117bd9b56ec3
+ k8s.io/api v0.0.0
+ k8s.io/apimachinery v0.0.0
  k8s.io/klog/v2 v2.70.1
  k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1
  k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
@@ -34,13 +36,19 @@ require (
 )
 
 require (
+ cloud.google.com/go v0.97.0 // indirect
+ github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+ github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+ github.com/Azure/go-autorest/logger v0.2.1 // indirect
+ github.com/Azure/go-autorest/tracing v0.6.0 // indirect
  github.com/PuerkitoBio/purell v1.1.1 // indirect
  github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
  github.com/emicklei/go-restful/v3 v3.8.0 // indirect
  github.com/go-logr/logr v1.2.3 // indirect
  github.com/go-openapi/jsonpointer v0.19.5 // indirect
  github.com/go-openapi/jsonreference v0.19.5 // indirect
  github.com/go-openapi/swag v0.19.14 // indirect
+ github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
  github.com/google/btree v1.0.1 // indirect
  github.com/josharian/intern v1.0.0 // indirect
  github.com/json-iterator/go v1.1.12 // indirect
@@ -51,6 +59,7 @@ require (
  github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
  github.com/pkg/errors v0.9.1 // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
+ golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
  golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
  golang.org/x/text v0.3.7 // indirect
  google.golang.org/appengine v1.6.7 // indirect
@@ -61,6 +70,7 @@ require (
 )
 
 replace (
- k8s.io/api => k8s.io/api v0.0.0-20220807235320-860821164923
- k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20220805001719-117bd9b56ec3
+ k8s.io/api => ../api
+ k8s.io/apimachinery => ../apimachinery
+ k8s.io/client-go => ../client-go
 )

plugin/pkg/client/auth/azure/README.md

@@ -0,0 +1,56 @@
+# Azure Active Directory plugin for client authentication
+
+This plugin provides an integration with Azure Active Directory device flow. If no tokens are present in the kubectl configuration, it will prompt a device code which can be used to login in a browser. After login it will automatically fetch the tokens and store them in the kubectl configuration. In addition it will refresh and update the tokens in the configuration when expired.
+
+## Usage
+
+1. Create an Azure Active Directory *Web App / API* application for `apiserver` following these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-app-registration). The callback URL does not matter (just cannot be empty).
+
+2. Create a second Azure Active Directory native application for `kubectl`. The callback URL does not matter (just cannot be empty).
+
+3. On `kubectl` application's configuration page in Azure portal grant permissions to `apiserver` application by clicking on *Required Permissions*, click the *Add* button and search for the apiserver application created in step 1. Select "Access apiserver" under the *DELEGATED PERMISSIONS*. Once added click the *Grant Permissions* button to apply the changes.
+
+4. Configure the `apiserver` to use the Azure Active Directory as an OIDC provider with following options
+
+ ```
+ --oidc-client-id="spn:APISERVER_APPLICATION_ID" \
+ --oidc-issuer-url="https://sts.windows.net/TENANT_ID/"
+ --oidc-username-claim="sub"
+ ```
+
+ * Replace the `APISERVER_APPLICATION_ID` with the application ID of `apiserver` application
+ * Replace `TENANT_ID` with your tenant ID.
+   * For a list of alternative username claims that are supported by the OIDC issuer check the JSON response at `https://sts.windows.net/TENANT_ID/.well-known/openid-configuration`.
+
+5. Configure `kubectl` to use the `azure` authentication provider
+
+ ```
+ kubectl config set-credentials "USER_NAME" --auth-provider=azure \
+ --auth-provider-arg=environment=AzurePublicCloud \
+ --auth-provider-arg=client-id=APPLICATION_ID \
+ --auth-provider-arg=tenant-id=TENANT_ID \
+ --auth-provider-arg=apiserver-id=APISERVER_APPLICATION_ID
+ ```
+
+ * Supported environments: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`, `AzureGermanCloud`
+ * Replace `USER_NAME` and `TENANT_ID` with your user name and tenant ID
+ * Replace `APPLICATION_ID` with the application ID of your`kubectl` application ID
+ * Replace `APISERVER_APPLICATION_ID` with the application ID of your `apiserver` application ID
+ * Be sure to also (create and) select a context that uses above user
+
+6. (Optionally) the AAD token has `aud` claim with `spn:` prefix. To omit that, add following auth configuration:
+
+ ```
+ --auth-provider-arg=config-mode="1"
+ ```
+
+ 7. The access token is acquired when first `kubectl` command is executed
+
+ ```
+ kubectl get pods
+
+ To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code DEC7D48GA to authenticate.
+ ```
+
+ * After signing in a web browser, the token is stored in the configuration, and it will be reused when executing further commands.
+ * The resulting username in Kubernetes depends on your [configuration of the `--oidc-username-claim` and `--oidc-username-prefix` flags on the API server](https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server). If you are using any authorization method you need to give permissions to that user, e.g. by binding the user to a role in the case of RBAC.