Access to identity provider behind SOCKS proxy

[ktarplee]

Describe the question

Is it possible to configure kubectl-oidc_login to use a SOCKS5 proxy when connecting to the --oidc-issuer-url?

Rationale

I have a Kubernetes cluster that is running Gitlab. Gitlab is the OIDC identity provider for the cluster's kube-apiserver. All access to the cluster is through SOCKS5 (via ssh -D 9999 cluster-login-node). When I have credentials set in the kubeconfig file I can easily set the proxy-url: socks5://localhost:9999 in the cluster section of my kubeconfig and kubectl works as expected.

The issue comes when I want to use kubectl-oidc_login. It does not seem to support SOCKS5 proxies for access to the identity provider.

To implement this in kubectl-oidc_login it looks like some code similar to this is necessary.

[toVersus]

Go's ProxyFromEnvironment also supports SOCKS5 (see golang/go#18508), so when setting the client-go credential plugin in the kubeconfig, you can specify HTTP_PROXY or HTTPS_PROXY (depending on the OIDC provider's endpoint) in env section, and it will work.

kubectl config set-credentials oidc \
 --exec-api-version=client.authentication.k8s.io/v1beta1 \
 --exec-command=kubectl \
 --exec-arg=oidc-login \
 --exec-arg=get-token \
 --exec-arg=--oidc-issuer-url=<your_oidc_issuer_url> \
 --exec-arg=--oidc-client-id=<your_client_id> \
 --exec-arg=--oidc-client-secret=<your_client_secret> \
 --exec-arg=--oidc-extra-scope=profile \
 --exec-arg=--oidc-extra-scope=email \
 --exec-env=HTTPS_PROXY=socks5://localhost:9999