Embedded OIDC for quickstart & add bind dev cli preview command (#368)

* Add embedded oidc provider for quick start

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

* Add bind dev command and updage golang to fix linter

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

* add oidc docs

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: @SAP mangirdas.judeikis@sap.com

* address reviews

---------

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>

Author: mjudeikis

.github/workflows/ci.yaml

@@ -30,7 +30,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - uses: actions/setup-node@v4
       with:
         node-version: '20'
@@ -45,7 +45,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - uses: actions/setup-node@v4
       with:
         node-version: '20'
@@ -60,7 +60,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - run: make test
 
   lint:
@@ -70,7 +70,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - run: make lint
 
   verify:
@@ -80,5 +80,5 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - run: make verify

.github/workflows/docs-gen-and-push.yaml

@@ -34,7 +34,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: v1.24.0
+          go-version: v1.25.4
           cache: true
 
       - uses: actions/setup-python@v5

.github/workflows/goreleaser.yml

@@ -22,7 +22,7 @@ jobs:
         fetch-depth: 0
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
     - name: Delete non-semver tags
       run: 'git tag -d $(git tag -l | grep -v "^v")'
     - name: Run GoReleaser on tag

.github/workflows/image.yaml

@@ -19,7 +19,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.24.0
+        go-version: v1.25.4
         check-latest: true
 
     # We need this to remove local tags that are not semver so goreleaser doesn't get confused.

.gitignore

@@ -20,4 +20,6 @@ apiserviceexport.yaml
 # Frontend dependencies and build
 web/node_modules/
 web/.vite/
-web/*.tsbuildinfo
+web/*.tsbuildinfo
+go.work
+go.work.sum

.ko.yaml

@@ -1,5 +1,5 @@
 baseImageOverrides:
-  github.com/google/ko: golang:1.24.0
+  github.com/google/ko: golang:1.25.4
 
 builds:
 - id: konnector

Dockerfile

@@ -39,7 +39,7 @@ ENV VITE_BUILD_TARGET=docker
 RUN npm run build
 
 # Build Go binary with embedded UI assets
-FROM golang:1.24.0 AS go-build-env
+FROM golang:1.25.4 AS go-build-env
 WORKDIR /app
 
 # Accept build arguments for multi-arch support

Dockerfile.konnector

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.24.0 AS builder
+FROM golang:1.25.4 AS builder
 WORKDIR /app
 
 # Accept build arguments for multi-arch support

Makefile

@@ -171,11 +171,6 @@ fix-lint: $(GOLANGCI_LINT) ## Run golangci-lint with --fix
 	GOLANGCI_LINT_FLAGS="--fix" $(MAKE) lint
 .PHONY: fix-lint
 
-vendor: ## Vendor the dependencies
-	go mod tidy
-	go mod vendor
-.PHONY: vendor
-
 tools: $(GOLANGCI_LINT) $(CONTROLLER_GEN) $(YAML_PATCH) $(GOTESTSUM) $(CODE_GENERATOR) ## Install tools
 .PHONY: tools
 
@@ -364,7 +359,7 @@ verify-modules: modules  # Verify go modules are up to date
 	done
 
 .PHONY: verify
-verify: verify-modules verify-go-versions verify-imports verify-codegen verify-boilerplate ## verify formal properties of the code
+verify: verify-go-versions verify-imports verify-codegen verify-boilerplate ## verify formal properties of the code
 
 .PHONY: help
 help: ## Show this help

backend/auth/handler.go

@@ -17,6 +17,7 @@ limitations under the License.
 package auth
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -34,14 +35,23 @@ import (
 	"github.com/kube-bind/kube-bind/backend/session"
 )
 
+type OIDCProvider interface {
+	GetOIDCProvider(ctx context.Context) (*OIDCServiceProvider, error)
+}
+
+type AuthHandlerInterface interface {
+	HandleAuthorize(w http.ResponseWriter, r *http.Request)
+	HandleCallback(w http.ResponseWriter, r *http.Request)
+}
+
 type AuthHandler struct {
-	oidc                *OIDCServiceProvider
+	oidc                OIDCProvider
 	jwtService          *JWTService
 	cookieSigningKey    []byte
 	cookieEncryptionKey []byte
 }
 
-func NewAuthHandler(oidc *OIDCServiceProvider, jwtService *JWTService, cookieSigningKey, cookieEncryptionKey []byte) *AuthHandler {
+func NewAuthHandler(oidc OIDCProvider, jwtService *JWTService, cookieSigningKey, cookieEncryptionKey []byte) *AuthHandler {
 	return &AuthHandler{
 		oidc:                oidc,
 		jwtService:          jwtService,
@@ -85,8 +95,15 @@ func (ah *AuthHandler) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	provider, err := ah.oidc.GetOIDCProvider(r.Context())
+	if err != nil {
+		logger.Info("failed to get OIDC provider", "error", err)
+		ah.respondWithError(w, authReq.ClientType, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
 	encoded := base64.URLEncoding.EncodeToString(dataCode)
-	authURL := ah.oidc.OIDCProviderConfig(scopes).AuthCodeURL(encoded)
+	authURL := provider.OIDCProviderConfig(scopes).AuthCodeURL(encoded)
 
 	http.Redirect(w, r, authURL, http.StatusFound)
 }
@@ -133,7 +150,25 @@ func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := ah.oidc.OIDCProviderConfig(nil).Exchange(r.Context(), code)
+	provider, err := ah.oidc.GetOIDCProvider(r.Context())
+	if err != nil {
+		logger.Info("failed to get OIDC provider", "error", err)
+		ah.respondWithError(w, authCode.ClientType, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Create context with custom HTTP client if TLS config is available
+	ctx := r.Context()
+	if tlsConfig := provider.GetTLSConfig(); tlsConfig != nil {
+		client := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		}
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
+	}
+
+	token, err := provider.OIDCProviderConfig(nil).Exchange(ctx, code)
 	if err != nil {
 		logger.Error(err, "failed to exchange token")
 		http.Error(w, "internal error", http.StatusInternalServerError)