initial implementation (#1)

.github/workflows/build.yml

@@ -0,0 +1,20 @@
+name: Build on Push
+on: [push]
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on 
+    steps:
+    - name: Set up Go 1.13
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.13
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build
+      run: make

.github/workflows/release.yml

@@ -0,0 +1,51 @@
+name: Release
+on:
+#  push   
+  release:
+    types: [created]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on 
+    steps:
+    - name: Set up Go 1.13
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.13
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build (linux)
+      env:
+        GOOS: linux
+        GOARCH: amd64
+      run: make
+
+    - name: Build (darwin)
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: make
+
+    - name: Build (windows)
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: make
+
+    - name: Zip
+      uses: montudor/[email protected]
+      with:
+        args: zip -qq -r kubelogin.zip bin
+
+    - name: Publish
+      uses: skx/github-action-publish-binaries@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        args: kubelogin.zip

.gitignore

@@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+bin
 
 # Test binary, built with `go test -c`
 *.test
@@ -13,3 +14,4 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+

Makefile

@@ -0,0 +1,33 @@
+TARGET     := kubelogin
+OS         := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
+ARCH       := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
+BIN         = bin/$(OS)_$(ARCH)/$(TARGET)
+ifeq ($(OS),windows)
+  BIN = bin/$(OS)_$(ARCH)/$(TARGET).exe
+endif
+
+GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
+GIT_HASH   := $(shell git rev-parse --verify HEAD)
+GIT_TAG    := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "")
+BUILD_TIME ?= $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+ifdef GIT_TAG
+	VERSION := $(GIT_TAG)/$(GIT_HASH)
+else
+	VERSION := $(GIT_BRANCH)/$(GIT_HASH)
+endif
+
+LDFLAGS    := -X main.version=$(VERSION) \
+    -X main.goVersion=$(shell go version | cut -d " " -f 3) \
+	-X main.buildTime=$(BUILD_TIME)
+
+all: $(TARGET)
+
+version:
+	@echo VERSION: $(VERSION)
+
+$(TARGET): clean
+	go build -o $(BIN) -ldflags "$(LDFLAGS)"
+
+clean:
+	-rm -f $(BIN)

README.md

@@ -1,5 +1,77 @@
+# kubelogin
 
-# Contributing
+This is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl.
+
+## Features
+
+* convert command to convert kubeconfig with existing azure auth provider to exec credential plugin
+* device code login
+* non-interactive service principal login
+* non-interactive user principal login using [Resource owner login flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) 
+* AAD token will be cached locally for renewal. By default, it is saved in `~/.kube/cache/kubelogin/azure.json`
+* addresses https://github.com/kubernetes/kubernetes/issues/86410 to remove `spn:` prefix in `audience` claim, if necessary. (based on kubeconfig or commandline argument `--legacy`)
+
+## Getting Started
+
+### Setup
+
+Copy the latest [Releases](https://github.com/Azure/kubelogin/releases) to shell's search path.
+
+### Run
+
+#### Device code flow (interactive)
+
+```sh
+export KUBECONFIG=/path/to/kubeconfig
+
+kubelogin convert-kubeconfig
+
+kubectl get no
+```
+
+If you are using kubeconfig from AKS AADv1 clusters, `convert-kubeconfig` command will automatically add `--legacy` flag so that `audience` claim will have `spn:` prefix.
+
+#### Service principal login flow (non interactive)
+
+> On AKS, it will only work with AADv2
+
+```sh
+export KUBECONFIG=/path/to/kubeconfig
+
+kubelogin convert-kubeconfig -l spn
+
+export AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn client id>
+export AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn secret>
+
+kubectl get no
+```
+
+#### User Principal login flow (non interactive)
+
+> Note: ROPC is not supported in hybrid identity federation scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity providers, Azure AD is not able to test the username and password against that identity provider. Pass-through authentication is supported with ROPC, however.
+> It also does not work when MFA policy is enabled
+> Personal accounts that are invited to an Azure AD tenant can't use ROPC
+
+```sh
+export KUBECONFIG=/path/to/kubeconfig
+
+kubelogin convert-kubeconfig -l ropc
+
+export [email protected]
+export AAD_USER_PRINCIPAL_PASSWORD=<password>
+
+kubectl get no
+```
+
+### Clean up
+
+Whenever you want to remove the cached token, to change login method, or to change tenant, you should remove the cached token
+
+```sh
+kubelogin remove-token
+```
+
+## Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a
 Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us

go.mod

@@ -0,0 +1,14 @@
+module github.com/Azure/kubelogin
+
+go 1.13
+
+require (
+	github.com/Azure/go-autorest/autorest v0.9.0
+	github.com/Azure/go-autorest/autorest/adal v0.5.0
+	github.com/spf13/cobra v0.0.6
+	github.com/spf13/pflag v1.0.5
+	k8s.io/apimachinery v0.17.4
+	k8s.io/cli-runtime v0.17.4
+	k8s.io/client-go v0.17.4
+	k8s.io/klog v1.0.0
+)