Implement token exchange based login (machine to machine)

action.yml

@@ -27,19 +27,44 @@ runs:
         repository: jumpstarter-dev/jumpstarter
         ref: ${{ inputs.jumpstarter-ref }}
         path: jumpstarter
-    - name: Deploy jumpstarter controller
-      shell: bash
-      run: |
-        cp "$GITHUB_ACTION_PATH"/values.kind.yaml ./controller/deploy/helm/jumpstarter/values.kind.yaml
-        cp "$GITHUB_ACTION_PATH"/kind_cluster.yaml ./controller/hack/kind_cluster.yaml
-        make -C controller deploy
     - name: Deploy dex
       shell: bash
       run: |
+        go run github.com/cloudflare/cfssl/cmd/cfssl@latest gencert -initca "$GITHUB_ACTION_PATH"/ca-csr.json | \
+          go run github.com/cloudflare/cfssl/cmd/cfssljson@latest -bare ca -
+        go run github.com/cloudflare/cfssl/cmd/cfssl@latest gencert -ca=ca.pem -ca-key=ca-key.pem \
+          -config="$GITHUB_ACTION_PATH"/ca-config.json -profile=www "$GITHUB_ACTION_PATH"/dex-csr.json | \
+          go run github.com/cloudflare/cfssl/cmd/cfssljson@latest -bare server
+
+        cp "$GITHUB_ACTION_PATH"/kind_cluster.yaml ./controller/hack/kind_cluster.yaml
+        make -C controller cluster
+
         kubectl create namespace dex
-        kubectl apply -f "$GITHUB_ACTION_PATH"/dex.yaml
+        kubectl -n dex create secret tls dex-tls \
+          --cert=server.pem \
+          --key=server-key.pem
+
+        go run github.com/mikefarah/yq/v4@latest -i \
+          '.jumpstarter-controller.authenticationConfig = (.jumpstarter-controller.authenticationConfig | from_yaml | .jwt[0].issuer.certificateAuthority = load_str("ca.pem") | to_yaml)' \
+          "$GITHUB_ACTION_PATH"/values.kind.yaml
+
+        # important!
+        kubectl create clusterrolebinding oidc-reviewer  \
+         --clusterrole=system:service-account-issuer-discovery \
+         --group=system:unauthenticated
+
         helm repo add dex https://charts.dexidp.io
         helm install --namespace dex --wait -f "$GITHUB_ACTION_PATH"/dex.values.yaml dex dex/dex
+
+        sudo cp ca.pem /usr/local/share/ca-certificates/dex.crt
+        sudo update-ca-certificates
+
+        echo "127.0.0.1 dex.dex.svc.cluster.local" | sudo tee -a /etc/hosts
+    - name: Deploy jumpstarter controller
+      shell: bash
+      run: |
+        cp "$GITHUB_ACTION_PATH"/values.kind.yaml ./controller/deploy/helm/jumpstarter/values.kind.yaml
+        make -C controller deploy
     - name: Install jumpstarter
       shell: bash
       run: |
@@ -52,11 +77,6 @@ runs:
     - name: Run jumpstarter
       shell: bash
       run: |
-        sudo cp "$GITHUB_ACTION_PATH"/minica.pem /usr/local/share/ca-certificates/minica.crt
-        sudo update-ca-certificates
-
-        echo "127.0.0.1 dex.dex.svc.cluster.local" | sudo tee -a /etc/hosts
-
         ENDPOINT=$(helm get values jumpstarter --output json | jq -r '."jumpstarter-controller".grpc.endpoint')
 
         sudo mkdir -p /etc/jumpstarter/exporters
@@ -66,10 +86,21 @@ runs:
 
         export JUMPSTARTER_GRPC_INSECURE=1
 
-        jmp admin create client   test-client-oidc     --unsafe --out /dev/null --oidc-username dex:test-client-oidc
+        kubectl create -n default sa test-client-sa
+        kubectl create -n default sa test-exporter-sa
+
+        jmp admin create client   test-client-oidc     --unsafe --out /dev/null \
+          --oidc-username dex:test-client-oidc
+        jmp admin create client   test-client-sa       --unsafe --out /dev/null \
+          --oidc-username dex:system:serviceaccount:default:test-client-sa
         jmp admin create client   test-client-legacy   --unsafe --save
-        jmp admin create exporter test-exporter-oidc   --out /dev/null --oidc-username dex:test-exporter-oidc \
+
+        jmp admin create exporter test-exporter-oidc   --out /dev/null \
+          --oidc-username dex:test-exporter-oidc \
           --label example.com/board oidc
+        jmp admin create exporter test-exporter-sa     --out /dev/null \
+          --oidc-username dex:system:serviceaccount:default:test-exporter-sa \
+          --label example.com/board sa
         jmp admin create exporter test-exporter-legacy --save \
           --label example.com/board legacy
 
@@ -80,29 +111,50 @@ runs:
           --endpoint "$ENDPOINT" --namespace default --name test-client-oidc \
           --issuer https://dex.dex.svc.cluster.local:5556 \
           --username test-client-oidc@example.com --password password --unsafe
+
+        jmp client   login test-client-sa \
+          --endpoint "$ENDPOINT" --namespace default --name test-client-sa \
+          --issuer https://dex.dex.svc.cluster.local:5556 \
+          --connector-id kubernetes \
+          --token $(kubectl create -n default token test-client-sa) --unsafe
+
         jmp exporter login test-exporter-oidc \
           --endpoint "$ENDPOINT" --namespace default --name test-exporter-oidc \
           --issuer https://dex.dex.svc.cluster.local:5556 \
           --username test-exporter-oidc@example.com --password password
 
+        jmp exporter login test-exporter-sa \
+          --endpoint "$ENDPOINT" --namespace default --name test-exporter-sa \
+          --issuer https://dex.dex.svc.cluster.local:5556 \
+          --connector-id kubernetes \
+          --token $(kubectl create -n default token test-exporter-sa)
+
         go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
           /etc/jumpstarter/exporters/test-exporter-oidc.yaml
+        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
+          /etc/jumpstarter/exporters/test-exporter-sa.yaml
         go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
           /etc/jumpstarter/exporters/test-exporter-legacy.yaml
 
         jmp client   list-configs
         jmp exporter list-configs
 
         jmp exporter run test-exporter-oidc &
+        jmp exporter run test-exporter-sa &
         jmp exporter run test-exporter-legacy &
 
         kubectl -n default wait --for=condition=Registered exporters.jumpstarter.dev/test-exporter-oidc
+        kubectl -n default wait --for=condition=Registered exporters.jumpstarter.dev/test-exporter-sa
         kubectl -n default wait --for=condition=Registered exporters.jumpstarter.dev/test-exporter-legacy
 
         jmp client shell test-client-oidc --label example.com/board oidc <<EOF
         j power on
         EOF
 
+        jmp client shell test-client-sa --label example.com/board sa <<EOF
+        j power on
+        EOF
+
         jmp client shell test-client-legacy --label example.com/board legacy <<EOF
         j power on
         EOF

ca-config.json

@@ -0,0 +1,26 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "168h"
+        },
+        "profiles": {
+            "www": {
+                "expiry": "8760h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            },
+            "client": {
+                "expiry": "8760h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}
+

ca-csr.json

@@ -0,0 +1,19 @@
+{
+    "CN": "example.net",
+    "hosts": [
+        "example.net",
+        "www.example.net"
+    ],
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "San Francisco"
+        }
+    ]
+}
+

dex-csr.json

@@ -0,0 +1,18 @@
+{
+    "CN": "dex.dex.svc.cluster.local",
+    "hosts": [
+        "dex.dex.svc.cluster.local"
+    ],
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "US",
+            "ST": "CA",
+            "L": "San Francisco"
+        }
+    ]
+}
+

dex.values.yaml

@@ -26,6 +26,18 @@ config:
       hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # password
       username: "test-exporter-oidc"
       userID: "a4cb4de2-4467-4e5c-a42a-33be8783649d"
+  connectors:
+    - name: kubernetes
+      type: oidc
+      id: kubernetes
+      config:
+        # kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
+        issuer: "https://kubernetes.default.svc.cluster.local"
+        rootCAs:
+          - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        userNameKey: sub
+        scopes:
+          - profile
 volumes:
   - name: tls
     secret:

values.kind.yaml

@@ -15,20 +15,7 @@ jumpstarter-controller:
         audiences:
         - jumpstarter-cli
         audienceMatchPolicy: MatchAny
-        certificateAuthority: |
-          -----BEGIN CERTIFICATE-----
-          MIIB/DCCAYKgAwIBAgIIcpC2uS+SjEIwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
-          bWluaWNhIHJvb3QgY2EgNzI5MGI2MCAXDTI1MDIwMzE5MzMyNVoYDzIxMjUwMjAz
-          MTkzMzI1WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3MjkwYjYwdjAQBgcq
-          hkjOPQIBBgUrgQQAIgNiAAQzezKJ4My35HPeoJvvzTjhS2uJMBYrYfrs5csxZjiy
-          q8ORrHM539XhWlA6sVZODhzcF2KL4mC9xKz/yIrsws+LKsIWNHGGmIPEKFYnHBGw
-          VBGeARvhpzZP/9frJXAN/8ejgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW
-          MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
-          DgQWBBSZRBCUuP3ta2xsfjnWIjvgvz4fojAfBgNVHSMEGDAWgBSZRBCUuP3ta2xs
-          fjnWIjvgvz4fojAKBggqhkjOPQQDAwNoADBlAjADql5Ks5wh181iUa1ZBnx4XOVe
-          l0l7I+mwlwJSPmkZHxruWZTx7gQU4tfDCr+UuzUCMQC2aDXRb17cphipK4gzbExv
-          EDLExjhHAqMPrKDmT0jHIi7Bbos38/1tyZ/IoKjLnv0=
-          -----END CERTIFICATE-----
+        certificateAuthority: placeholder
       claimMappings:
         username:
           claim: "name"