Investigate alternative for Kuberos for user authentication

[digitalronin]

We use Kuberos to enable users to authenticate to the cluster. But, it's now unmaintained, so we should switch to something else instead.

Initially we were considering kubehook, however that hasn't been updated for 8 months.

This is a spike to look at alternatives (which might also include Kubehook).

Approach:

• See what is aviailable
• does it meet our needs?
• how well supported is it?

Definition of Done:

• identify alternatives
• comparison and recommendation on a replacement
• create new issue for replacement

[AntonyBishop]

Stale story. Revisit if need arises.

[AntonyBishop]

Revisiting

[poornima-krishnasamy]

Can Gangway help here? https://github.com/heptiolabs/gangway

[davidread]

Also conversation here: https://mojdt.slack.com/archives/C514ETYJX/p1617800090002300?thread_ts=1617790175.492600&cid=C514ETYJX which suggests kubelogin

[davidread]

See also further details: https://github.com/ministryofjustice/cloud-platform-sensitive/issues/3

[pwyborn]

Think Gangway has issues re multi-clusters?
vmware-archive/gangway#62

[poornima-krishnasamy]

Other solution is kube-login. https://github.com/int128/kubelogin
But, If we use kube-login, we need to share the Auth0 credentials to all users for authenticating to the cluster.
int128/kubelogin#414.

[poornima-krishnasamy]

Below are the options explored:

Kubelogin:
https://github.com/int128/kubelogin
client-go plugin. Kubectl plugin when run, opens the browser and you can log in to the provider. Then kubelogin gets a token from the provider and kubectl access Kubernetes APIs with the token.
Pros:

• easy usage
• works with Auth0 and hence can be mapped with github groups

Cons:

• Sharing single Auth0 credentials to users

kubehook:
Kubehook is a webhook token authentication service for Kubernetes. It provides one API endpoint to generate JSON Web Tokens, and another to validate tokens on behalf of Kubernetes.
Pros:

• JWT token to which you can set expiration

Cons:

• Not maintained
• No integration path with Auth0

Gangway:
Pros:

• the app work fine

Cons:

• it hasn’t had a release since Sep 2019 though there are commits until Oct 2020

Based on investigating the above plugins, we have decided to patch kuberos and take ownership of the repository including helm chart.

Another project to lookout is discussed in the channel here: https://mojdt.slack.com/archives/C514ETYJX/p1621421963072900