feat: support aws and other OIDC authentication methods kubeconfig (#521

) (#564)

## What type of PR is this?
/kind feature

## What this PR does / why we need it:
This PR allows users to upload kubeconfig with an AWS EKS cluster (GCP
GKE is also supported). Now, we can see the AWS cluster on the Cluster
Management Page.

**However**, AWS requires `aws-cli`, `ACCESS_KEY`, and
`SECRET_ACCESS_KEY` to verify user information. This means that the
Dockerfile should include `RUN apk add --no-cache aws-cli `and configure
AWS settings. I am not sure how to handle this problem. Should we change
the Helm Chart or let the user input ACCESS_KEY and SECRET_ACCESS_KEY?
Therefore, I did not change the Dockerfile and other files.

I have read the CLA Document and I hereby sign the CLA

## Which issue(s) this PR fixes:

Fixes #521

Dockerfile

@@ -22,4 +22,6 @@ COPY cert-generator .
 COPY config/relationship.yaml .
 COPY pkg/version/VERSION .
 
+RUN apk update && apk add --no-cache aws-cli
+
 ENTRYPOINT ["/karpor"]

pkg/infra/multicluster/multicluster.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	metrics "k8s.io/metrics/pkg/client/clientset/versioned"
 	metricsv1beta1 "k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1"
 )
@@ -164,15 +165,36 @@ func NewConfigFromCluster(c *clusterv1beta1.Cluster) (*restclient.Config, error)
 	case clusterv1beta1.CredentialTypeX509Certificate:
 		cfg.CertData = c.Spec.Access.Credential.X509.Certificate
 		cfg.KeyData = c.Spec.Access.Credential.X509.PrivateKey
+	case clusterv1beta1.CredentialTypeOIDC:
+		var env []clientcmdapi.ExecEnvVar
+		for _, envValue := range c.Spec.Access.Credential.ExecConfig.Env {
+			tempEnv := clientcmdapi.ExecEnvVar{
+				Name:  envValue.Name,
+				Value: envValue.Value,
+			}
+			env = append(env, tempEnv)
+		}
+		cfg.ExecProvider = &clientcmdapi.ExecConfig{
+			Command:            c.Spec.Access.Credential.ExecConfig.Command,
+			Args:               c.Spec.Access.Credential.ExecConfig.Args,
+			Env:                env,
+			APIVersion:         c.Spec.Access.Credential.ExecConfig.APIVersion,
+			InstallHint:        c.Spec.Access.Credential.ExecConfig.InstallHint,
+			ProvideClusterInfo: c.Spec.Access.Credential.ExecConfig.ProvideClusterInfo,
+			InteractiveMode:    clientcmdapi.ExecInteractiveMode(c.Spec.Access.Credential.ExecConfig.InteractiveMode),
+		}
+	}
+	// ServerName should be set to an empty string when using ExecConfig
+	if c.Spec.Access.Credential.Type != clusterv1beta1.CredentialTypeOIDC {
+		u, err := url.Parse(c.Spec.Access.Endpoint)
+		if err != nil {
+			return nil, err
+		}
+		host, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return nil, err
+		}
+		cfg.ServerName = host // apiserver may listen on SNI cert
 	}
-	u, err := url.Parse(c.Spec.Access.Endpoint)
-	if err != nil {
-		return nil, err
-	}
-	host, _, err := net.SplitHostPort(u.Host)
-	if err != nil {
-		return nil, err
-	}
-	cfg.ServerName = host // apiserver may listen on SNI cert
 	return cfg, nil
 }

pkg/kubernetes/apis/cluster/types.go

@@ -25,6 +25,7 @@ type CredentialType string
 const (
 	CredentialTypeServiceAccountToken CredentialType = "ServiceAccountToken"
 	CredentialTypeX509Certificate     CredentialType = "X509Certificate"
+	CredentialTypeOIDC                CredentialType = "OIDC"
 )
 
 // +genclient
@@ -74,15 +75,31 @@ type ClusterAccess struct {
 type ClusterAccessCredential struct {
 	Type CredentialType `json:"type"`
 	// +optional
-	ServiceAccountToken string `json:"serviceAccountToken,omitempty"`
-	X509                *X509  `json:"x509,omitempty"`
+	ServiceAccountToken string      `json:"serviceAccountToken,omitempty"`
+	X509                *X509       `json:"x509,omitempty"`
+	ExecConfig          *ExecConfig `json:"execConfig,omitempty"`
 }
 
 type X509 struct {
 	Certificate []byte `json:"certificate"`
 	PrivateKey  []byte `json:"privateKey"`
 }
 
+type ExecEnvVar struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}
+
+type ExecConfig struct {
+	Command            string       `json:"command"`
+	Args               []string     `json:"args"`
+	Env                []ExecEnvVar `json:"env"`
+	APIVersion         string       `json:"apiVersion,omitempty"`
+	InstallHint        string       `json:"installHint,omitempty"`
+	ProvideClusterInfo bool         `json:"provideClusterInfo"`
+	InteractiveMode    string       `json:"interactiveMode,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type ClusterProxyOptions struct {

pkg/kubernetes/apis/cluster/v1beta1/types.go

@@ -25,6 +25,7 @@ type CredentialType string
 const (
 	CredentialTypeServiceAccountToken CredentialType = "ServiceAccountToken"
 	CredentialTypeX509Certificate     CredentialType = "X509Certificate"
+	CredentialTypeOIDC                CredentialType = "OIDC"
 )
 
 // +genclient
@@ -81,13 +82,30 @@ type ClusterAccessCredential struct {
 	ServiceAccountToken string `json:"serviceAccountToken,omitempty"`
 	// +optional
 	X509 *X509 `json:"x509,omitempty"`
+	// +optional
+	ExecConfig *ExecConfig `json:"execConfig,omitempty"`
 }
 
 type X509 struct {
 	Certificate []byte `json:"certificate"`
 	PrivateKey  []byte `json:"privateKey"`
 }
 
+type ExecEnvVar struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}
+
+type ExecConfig struct {
+	Command            string       `json:"command"`
+	Args               []string     `json:"args"`
+	Env                []ExecEnvVar `json:"env"`
+	APIVersion         string       `json:"apiVersion,omitempty"`
+	InstallHint        string       `json:"installHint,omitempty"`
+	ProvideClusterInfo bool         `json:"provideClusterInfo"`
+	InteractiveMode    string       `json:"interactiveMode,omitempty"`
+}
+
 // +k8s:conversion-gen:explicit-from=net/url.Values
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object