Add support for service account auth for incluster deployments

backend/cmd/headlamp.go

@@ -450,14 +450,20 @@
 
 	// In-cluster
 	if config.UseInCluster {
+		if config.UseServiceAccountToken {
+			logger.Log(logger.LevelWarn, nil, nil, "Using service account token for in-cluster authentication could pose security risks if Headlamp is exposed externally.")
+		}
 		context, err := kubeconfig.GetInClusterContext(
 			config.InClusterContextName,
 			config.oidcIdpIssuerURL,
 			config.oidcClientID, config.oidcClientSecret,
 			strings.Join(config.oidcScopes, ","),
 			config.oidcSkipTLSVerify,
-			config.oidcCACert)
+			config.oidcCACert,
+			config.UseServiceAccountToken,
+			config.ServiceAccountTokenPath,
+		)
 		if err != nil {
 			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
 		}
 

backend/cmd/server.go

@@ -80,26 +80,28 @@ func main() {
 // buildHeadlampCFG maps the parsed config into the struct the backend uses.
 func buildHeadlampCFG(conf *config.Config, kubeConfigStore kubeconfig.ContextStore) *headlampconfig.HeadlampCFG {
 	return &headlampconfig.HeadlampCFG{
-		UseInCluster:          conf.InCluster,
-		InClusterContextName:  conf.InClusterContextName,
-		KubeConfigPath:        conf.KubeConfigPath,
-		SkippedKubeContexts:   conf.SkippedKubeContexts,
-		ListenAddr:            conf.ListenAddr,
-		CacheEnabled:          conf.CacheEnabled,
-		Port:                  conf.Port,
-		DevMode:               conf.DevMode,
-		StaticDir:             conf.StaticDir,
-		Insecure:              conf.InsecureSsl,
-		PluginDir:             conf.PluginsDir,
-		UserPluginDir:         conf.UserPluginsDir,
-		EnableHelm:            conf.EnableHelm,
-		EnableDynamicClusters: conf.EnableDynamicClusters,
-		WatchPluginsChanges:   conf.WatchPluginsChanges,
-		KubeConfigStore:       kubeConfigStore,
-		BaseURL:               conf.BaseURL,
-		ProxyURLs:             strings.Split(conf.ProxyURLs, ","),
-		TLSCertPath:           conf.TLSCertPath,
-		TLSKeyPath:            conf.TLSKeyPath,
+		UseInCluster:            conf.InCluster,
+		InClusterContextName:    conf.InClusterContextName,
+		KubeConfigPath:          conf.KubeConfigPath,
+		SkippedKubeContexts:     conf.SkippedKubeContexts,
+		ListenAddr:              conf.ListenAddr,
+		CacheEnabled:            conf.CacheEnabled,
+		Port:                    conf.Port,
+		DevMode:                 conf.DevMode,
+		StaticDir:               conf.StaticDir,
+		Insecure:                conf.InsecureSsl,
+		PluginDir:               conf.PluginsDir,
+		UserPluginDir:           conf.UserPluginsDir,
+		EnableHelm:              conf.EnableHelm,
+		EnableDynamicClusters:   conf.EnableDynamicClusters,
+		WatchPluginsChanges:     conf.WatchPluginsChanges,
+		KubeConfigStore:         kubeConfigStore,
+		BaseURL:                 conf.BaseURL,
+		ProxyURLs:               strings.Split(conf.ProxyURLs, ","),
+		TLSCertPath:             conf.TLSCertPath,
+		TLSKeyPath:              conf.TLSKeyPath,
+		UseServiceAccountToken:  conf.UseServiceAccountToken,
+		ServiceAccountTokenPath: conf.ServiceAccountTokenPath,
 	}
 }
 

backend/pkg/config/config.go

@@ -25,10 +25,11 @@ const (
 )
 
 const (
-	DefaultMeUsernamePath = "preferred_username,upn,username,name"
-	DefaultMeEmailPath    = "email"
-	DefaultMeGroupsPath   = "groups,realm_access.roles"
-	DefaultMeUserInfoURL  = ""
+	DefaultMeUsernamePath          = "preferred_username,upn,username,name"
+	DefaultMeEmailPath             = "email"
+	DefaultMeGroupsPath            = "groups,realm_access.roles"
+	DefaultMeUserInfoURL           = ""
+	DefaultServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" // #nosec G101
 )
 
 type Config struct {
@@ -70,6 +71,8 @@ type Config struct {
 	MeGroupsPath              string `koanf:"me-groups-path"`
 	MeUserInfoURL             string `koanf:"me-user-info-url"`
 	OidcUsePKCE               bool   `koanf:"oidc-use-pkce"`
+	UseServiceAccountToken    bool   `koanf:"use-service-account-token"`
+	ServiceAccountTokenPath   string `koanf:"service-account-token-path"`
 	// telemetry configs
 	ServiceName        string   `koanf:"service-name"`
 	ServiceVersion     *string  `koanf:"service-version"`
@@ -87,9 +90,10 @@ type Config struct {
 
 func (c *Config) Validate() error {
 	if !c.InCluster && (c.OidcClientID != "" || c.OidcClientSecret != "" || c.OidcIdpIssuerURL != "" ||
-		c.OidcValidatorClientID != "" || c.OidcValidatorIdpIssuerURL != "") {
+		c.OidcValidatorClientID != "" || c.OidcValidatorIdpIssuerURL != "" || c.UseServiceAccountToken) {
 		return errors.New(`oidc-client-id, oidc-client-secret, oidc-idp-issuer-url, oidc-validator-client-id,
-		oidc-validator-idp-issuer-url, flags are only meant to be used in inCluster mode`)
+		oidc-validator-idp-issuer-url, use-service-account-token
+		flags are only meant to be used in inCluster mode`)
 	}
 
 	// OIDC TLS verification warning.
@@ -434,6 +438,8 @@ func addGeneralFlags(f *flag.FlagSet) {
 	f.Uint("port", defaultPort, "Port to listen from")
 	f.String("proxy-urls", "", "Allow proxy requests to specified URLs")
 	f.Bool("enable-helm", false, "Enable Helm operations")
+	f.Bool("use-service-account-token", false, "Use the service account token for in-cluster authentication")
+	f.String("service-account-token-path", DefaultServiceAccountTokenPath, "Path to the service account token")
 }
 
 func addOIDCFlags(f *flag.FlagSet) {

backend/pkg/config/config_test.go

@@ -202,7 +202,7 @@
 	}
 }
 
 func TestParseFlags(t *testing.T) {
 	tests := []struct {
 		name   string
 		args   []string
@@ -250,6 +250,14 @@
 				assert.Equal(t, "warn", conf.LogLevel)
 			},
 		},
+		{
+			name: "use_service_account_token_flag",
+			args: []string{"go run ./cmd", "--use-service-account-token", "--service-account-token-path=/custom/token/path"},
+			verify: func(t *testing.T, conf *config.Config) {
+				assert.Equal(t, true, conf.UseServiceAccountToken)
+				assert.Equal(t, "/custom/token/path", conf.ServiceAccountTokenPath)
+			},
+		},
 	}
 
 	for _, tt := range tests {

backend/pkg/headlampconfig/headlampConfig.go

@@ -6,27 +6,29 @@ import (
 )
 
 type HeadlampCFG struct {
-	UseInCluster          bool
-	InClusterContextName  string
-	ListenAddr            string
-	CacheEnabled          bool
-	DevMode               bool
-	Insecure              bool
-	EnableHelm            bool
-	EnableDynamicClusters bool
-	WatchPluginsChanges   bool
-	Port                  uint
-	KubeConfigPath        string
-	SkippedKubeContexts   string
-	StaticDir             string
-	PluginDir             string
-	UserPluginDir         string
-	StaticPluginDir       string
-	KubeConfigStore       kubeconfig.ContextStore
-	Telemetry             *telemetry.Telemetry
-	Metrics               *telemetry.Metrics
-	BaseURL               string
-	ProxyURLs             []string
-	TLSCertPath           string
-	TLSKeyPath            string
+	UseInCluster            bool
+	InClusterContextName    string
+	ListenAddr              string
+	CacheEnabled            bool
+	DevMode                 bool
+	Insecure                bool
+	EnableHelm              bool
+	EnableDynamicClusters   bool
+	WatchPluginsChanges     bool
+	Port                    uint
+	KubeConfigPath          string
+	SkippedKubeContexts     string
+	StaticDir               string
+	PluginDir               string
+	UserPluginDir           string
+	StaticPluginDir         string
+	KubeConfigStore         kubeconfig.ContextStore
+	Telemetry               *telemetry.Telemetry
+	Metrics                 *telemetry.Metrics
+	BaseURL                 string
+	ProxyURLs               []string
+	TLSCertPath             string
+	TLSKeyPath              string
+	UseServiceAccountToken  bool
+	ServiceAccountTokenPath string
 }

backend/pkg/kubeconfig/kubeconfig.go

@@ -1009,6 +1009,8 @@
 	oidcScopes string,
 	oidcSkipTLSVerify bool,
 	oidcCACert string,
+	useServiceAccountToken bool,
+	serviceAccountTokenPath string,
 ) (*Context, error) {
 	clusterConfig, err := rest.InClusterConfig()
 	if err != nil {
@@ -1032,6 +1034,12 @@
 	contextName = makeDNSFriendly(contextName)
 
 	inClusterAuthInfo := &api.AuthInfo{}
+	if useServiceAccountToken {
+		if serviceAccountTokenPath == "" {
+			serviceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+		}
+		inClusterAuthInfo.TokenFile = serviceAccountTokenPath
+	}
 
 	var oidcConf *OidcConfig
 

charts/headlamp/templates/deployment.yaml

@@ -245,6 +245,12 @@ spec:
             {{- with .Values.config.pluginsDir}}
             - "-plugins-dir={{ . }}"
             {{- end }}
+            {{- if .Values.config.useServiceAccountToken }}
+            - "-use-service-account-token"
+            {{- end }}
+            {{- if and .Values.config.useServiceAccountToken .Values.config.serviceAccountTokenPath }}
+            - "-service-account-token-path={{ .Values.config.serviceAccountTokenPath }}"
+            {{- end }}
             {{- if not $oidc.externalSecret.enabled}}
             # Check if externalSecret is disabled
             {{- if or (ne $oidc.clientID "") (ne $clientID "") }}

charts/headlamp/tests/expected_templates/service-account-token-custom-token.yaml

@@ -0,0 +1,124 @@
+---
+# Source: headlamp/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.39.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.39.0"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: headlamp/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oidc
+type: Opaque
+data:
+---
+# Source: headlamp/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-admin
+  labels:
+    helm.sh/chart: headlamp-0.39.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.39.0"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: headlamp
+  namespace: default
+---
+# Source: headlamp/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.39.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.39.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+---
+# Source: headlamp/templates/deployment.yaml
+# This block of code is used to extract the values from the env.
+# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headlamp
+  labels:
+    helm.sh/chart: headlamp-0.39.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.39.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: headlamp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: headlamp
+    spec:
+      serviceAccountName: headlamp
+      securityContext:
+        {}
+      containers:
+        - name: headlamp
+          securityContext:
+            privileged: false
+            runAsGroup: 101
+            runAsNonRoot: true
+            runAsUser: 100
+          image: "ghcr.io/headlamp-k8s/headlamp:v0.39.0"
+          imagePullPolicy: IfNotPresent
+
+          env:
+          args:
+            - "-in-cluster"
+            - "-plugins-dir=/headlamp/plugins"
+            - "-use-service-account-token"
+            - "-service-account-token-path=/custom/token"
+            # Check if externalSecret is disabled
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          resources:
+            {}