Add GCP OAuth authentication support for GKE clusters

This implementation adds GCP OAuth 2.0 authentication to Headlamp, replacing
the deprecated Identity Service for GKE. Users can authenticate with their
Google Cloud account, and the authentication tokens are used to access
Kubernetes resources with proper RBAC.

Backend changes:
- New GCP authenticator package with RFC 7636-compliant PKCE support
- OAuth HTTP handlers for login, callback, and token refresh
- Configuration via environment variables
- Token caching and automatic refresh mechanisms
- Input validation to prevent injection attacks

Frontend changes:
- GCPLoginButton component for Google sign-in
- GKE cluster detection based on server URL patterns
- Integration into existing authentication chooser UI
- Comprehensive test coverage

Documentation:
- Complete setup guide for GKE deployments
- RBAC configuration examples
- Troubleshooting guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: itpick

.gitignore

@@ -14,3 +14,4 @@ node_modules
 plugins/headlamp-plugin/headlamp-myfancy/
 plugins/examples/*/dist/
 .DS_Store
+scripts/backend/headlamp

backend/cmd/headlamp.go

@@ -47,6 +47,7 @@ import (
 	auth "github.com/kubernetes-sigs/headlamp/backend/pkg/auth"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/cache"
 	cfg "github.com/kubernetes-sigs/headlamp/backend/pkg/config"
+	"github.com/kubernetes-sigs/headlamp/backend/pkg/gcp"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/serviceproxy"
 
 	headlampcfg "github.com/kubernetes-sigs/headlamp/backend/pkg/headlampconfig"
@@ -95,6 +96,11 @@ type HeadlampConfig struct {
 	meGroupsPaths string
 	// meUserInfoURL is the URL to fetch additional user info for the /me endpoint. /oauth2/userinfo
 	meUserInfoURL string
+	// GCP OAuth fields for GKE authentication
+	gcpOAuthEnabled bool
+	gcpClientID     string
+	gcpClientSecret string
+	gcpRedirectURL  string
 }
 
 const DrainNodeCacheTTL = 20 // seconds
@@ -391,6 +397,36 @@ func addPluginListRoute(config *HeadlampConfig, r *mux.Router) {
 	}).Methods("GET")
 }
 
+// setupInClusterContext configures the in-cluster Kubernetes context.
+func setupInClusterContext(config *HeadlampConfig) {
+	context, err := kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL,
+		config.oidcClientID, config.oidcClientSecret,
+		strings.Join(config.oidcScopes, ","),
+		config.oidcSkipTLSVerify,
+		config.oidcCACert)
+	if err != nil {
+		logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
+		return
+	}
+
+	context.Source = kubeconfig.InCluster
+
+	// When GCP OAuth is enabled, clear the auth info so users must authenticate via GCP OAuth
+	if config.gcpOAuthEnabled {
+		context.AuthInfo = &api.AuthInfo{}
+
+		logger.Log(logger.LevelInfo, nil, nil, "Added in-cluster context without service account auth (GCP OAuth enabled)")
+	}
+
+	if err := context.SetupProxy(); err != nil {
+		logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
+	}
+
+	if err := config.KubeConfigStore.AddContext(context); err != nil {
+		logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+	}
+}
+
 //nolint:gocognit,funlen,gocyclo
 func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	kubeConfigPath := config.KubeConfigPath
@@ -450,26 +486,7 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 
 	// In-cluster
 	if config.UseInCluster {
-		context, err := kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL,
-			config.oidcClientID, config.oidcClientSecret,
-			strings.Join(config.oidcScopes, ","),
-			config.oidcSkipTLSVerify,
-			config.oidcCACert)
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
-		}
-
-		context.Source = kubeconfig.InCluster
-
-		err = context.SetupProxy()
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
-		}
-
-		err = config.KubeConfigStore.AddContext(context)
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
-		}
+		setupInClusterContext(config)
 	}
 
 	if config.StaticDir != "" {
@@ -884,6 +901,36 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	})
 
+	// GCP OAuth routes for GKE authentication
+	if config.gcpOAuthEnabled {
+		gcpAuth := gcp.NewGCPAuthenticator(
+			config.gcpClientID,
+			config.gcpClientSecret,
+			config.gcpRedirectURL,
+			config.cache,
+		)
+
+		r.HandleFunc("/gcp-auth/login", auth.HandleGCPAuthLogin(gcpAuth, config.BaseURL)).Methods("GET")
+		r.HandleFunc("/gcp-auth/callback", auth.HandleGCPAuthCallback(gcpAuth, config.BaseURL)).Methods("GET")
+		r.HandleFunc("/gcp-auth/refresh", auth.HandleGCPTokenRefresh(gcpAuth, config.BaseURL)).Methods("POST")
+
+		logger.Log(logger.LevelInfo, nil, nil, "GCP OAuth authentication enabled for GKE clusters")
+	}
+
+	// Endpoint to check if GCP OAuth is enabled.
+	// This is intentionally outside the gcpOAuthEnabled conditional block so the frontend
+	// can always query this endpoint to determine whether to show the GCP OAuth login button.
+	r.HandleFunc("/gcp-auth/enabled", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if config.gcpOAuthEnabled {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`{"enabled": true}`))
+		} else {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`{"enabled": false}`))
+		}
+	}).Methods("GET")
+
 	// Serve the frontend if needed
 	if spa.UseEmbeddedFiles {
 		r.PathPrefix("/").Handler(spa.NewEmbeddedHandler(spa.StaticFilesEmbed, "index.html", config.BaseURL))

backend/cmd/server.go

@@ -139,6 +139,11 @@ func createHeadlampConfig(conf *config.Config) *HeadlampConfig {
 		cache:                     cache,
 		multiplexer:               multiplexer,
 		telemetryConfig:           buildTelemetryConfig(conf),
+		// GCP OAuth fields
+		gcpOAuthEnabled: conf.GCPOAuthEnabled,
+		gcpClientID:     conf.GCPClientID,
+		gcpClientSecret: conf.GCPClientSecret,
+		gcpRedirectURL:  conf.GCPRedirectURL,
 	}
 
 	if conf.OidcCAFile != "" {

backend/go.mod

@@ -50,6 +50,7 @@ require (
 )
 
 require (
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240716105424-66b64c4bb379 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect

backend/go.sum

@@ -1,5 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=