Skip to content

Add Optional Token-Based Authentication with TLS Support#293

Draft
jblang wants to merge 1 commit into
replicatedhq:mainfrom
jblang:kubectl-auth
Draft

Add Optional Token-Based Authentication with TLS Support#293
jblang wants to merge 1 commit into
replicatedhq:mainfrom
jblang:kubectl-auth

Conversation

@jblang

@jblang jblang commented Mar 10, 2026

Copy link
Copy Markdown

Overview

This PR adds optional token-based authentication to the sbctl API server, providing secure access control for kubectl commands when examining support bundles. Authentication can be enabled at runtime with the --enable-auth flag or enforced at compile-time with the auth_required build tag.

Motivation

  • Even though sbctl only binds to localhost, this is insufficiently secure for multiuser systems with strict access control requirements.
  • Running an unauthenticated HTTP server on a multi-user server could grant an unauthorized user access to the data being served via sbctl's API server

Features

Authentication

  • Bearer token authentication following OAuth 2.0 conventions
  • 256-bit cryptographically secure tokens generated using crypto/rand
  • Constant-time token comparison to prevent timing attacks
  • Runtime opt-in via --enable-auth flag on serve and shell commands
  • Compile-time enforcement via -tags auth_required build flag

TLS Support

  • Auto-generated self-signed certificates (24-hour validity)
  • ECDSA P-256 for modern, efficient cryptography
  • HTTPS automatically enabled when authentication is enabled
  • Localhost-only (127.0.0.1) for additional security

User Experience

  • Token automatically embedded in generated kubeconfig
  • No manual token copying required - kubectl works seamlessly
  • Clear user feedback - "Authentication is enabled" message
  • Backward compatible - existing workflows unchanged when auth is disabled

Implementation Details

New Files

  • pkg/api/token.go - Cryptographically secure token generation
  • pkg/api/tls.go - Self-signed TLS certificate generation
  • pkg/api/auth_required.go - Build tag for compile-time enforcement
  • pkg/api/auth_optional.go - Build tag for optional authentication (default)

Modified Files

  • pkg/api/server.go - Added authentication middleware with Bearer token validation
  • pkg/api/client.go - Updated kubeconfig generation to include token and TLS cert
  • cli/serve.go - Added --enable-auth flag and token/TLS generation
  • cli/shell.go - Added --enable-auth flag and token/TLS generation
  • README.md - Added authentication documentation and usage examples
  • tests/suite_test.go - Fixed API signature to match updated function

Testing

Test Coverage

  • 43 comprehensive tests added (28 unit + 11 integration + 4 existing)
  • 100% test success rate
  • All tests passing in CI/CD

Test Categories

  1. Token Generation Tests (5) - Verify cryptographic security, uniqueness, encoding
  2. TLS Certificate Tests (7) - Verify validity period, localhost names, PEM encoding
  3. Authentication Middleware Tests (9) - Verify token validation, error handling, edge cases
  4. Kubeconfig Generation Tests (7) - Verify token/cert embedding, YAML validity
  5. Integration Tests (11) - Verify end-to-end authentication flows, both enabled and disabled

Test Files

  • pkg/api/token_test.go (82 lines)
  • pkg/api/tls_test.go (218 lines)
  • pkg/api/auth_test.go (283 lines)
  • pkg/api/client_test.go (308 lines)
  • tests/auth_test.go (283 lines)

Usage Examples

Runtime Authentication (Serve Mode)

sbctl serve --enable-auth ~/Downloads/support-bundle-2024-XX-XX

Server is running

Authentication is enabled

export KUBECONFIG=/var/folders/.../T/local-kubeconfig-XXXXX

Runtime Authentication (Shell Mode)

sbctl shell --enable-auth ~/Downloads/support-bundle-2024-XX-XX

Authentication is enabled
Starting new shell with KUBECONFIG. Press Ctl-D when done to exit from the shell and stop sbctl server

Compile-Time Enforcement

go build -tags auth_required -o sbctl sbctl.go
./sbctl serve ~/Downloads/support-bundle-2024-XX-XX
# Authentication is always enabled, --enable-auth flag not needed

Add optional authentication to sbctl API server with both runtime
(--enable-auth flag) and compile-time (-tags auth_required) enforcement.

Features:
- Bearer token authentication following OAuth 2.0 conventions
- Auto-generated self-signed TLS certificates (24-hour validity)
- 256-bit cryptographically secure tokens using crypto/rand
- Constant-time token comparison to prevent timing attacks
- Token and TLS cert automatically embedded in kubeconfig
- HTTPS enforced when authentication is enabled
- All API endpoints protected when auth is enabled
- Backward compatible (auth disabled by default)

Implementation:
- Added token generation utility (pkg/api/token.go)
- Added TLS certificate generation (pkg/api/tls.go)
- Added authentication middleware with Bearer token validation
- Added build tags for compile-time auth enforcement
- Updated kubeconfig generation to include token and TLS cert
- Added --enable-auth flag to serve and shell commands

Security:
- Uses crypto/rand for cryptographically secure token generation
- Implements subtle.ConstantTimeCompare to prevent timing attacks
- ECDSA P-256 for TLS certificates (modern, efficient)
- Localhost-only binding (127.0.0.1) for additional security
- Token not displayed in console output (embedded in kubeconfig)

Testing:
- Added 43 comprehensive tests (28 unit + 11 integration + 4 existing)
- 100% test success rate
- Tests cover token generation, TLS certs, auth middleware, and end-to-end flows
- Verified all security features and edge cases

Documentation:
- Updated README with authentication usage examples
- Added security features documentation
- Fixed typo: "interractive" → "interactive"

Breaking Changes: None (authentication is opt-in)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant