Add GCP OAuth authentication support for GKE clusters

This implementation adds GCP OAuth 2.0 authentication to Headlamp for
Google Kubernetes Engine (GKE) deployments, replacing the deprecated
Identity Service for GKE.

Features:
- OAuth 2.0 authentication flow with Google
- PKCE (Proof Key for Code Exchange) support for enhanced security
- Automatic token refresh mechanism
- GKE cluster detection and automatic OAuth enablement
- "Sign in with Google" button in authentication chooser
- Comprehensive GKE deployment documentation with RBAC examples

Backend Changes:
- New GCP authenticator package (backend/pkg/gcp/auth.go)
- OAuth route handlers (/gcp-auth/login, /gcp-auth/callback, /gcp-auth/refresh)
- Configuration support via environment variables
- Token caching and refresh logic

Frontend Changes:
- GCPLoginButton component for Google sign-in
- Modified auth chooser to show OAuth option
- GKE cluster detection utilities

Documentation:
- Complete GKE setup guide with step-by-step instructions
- Architecture overview and authentication flow documentation
- RBAC configuration examples
- Troubleshooting guide

Author: drduker

backend/cmd/headlamp.go

@@ -47,6 +47,7 @@ import (
 	auth "github.com/kubernetes-sigs/headlamp/backend/pkg/auth"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/cache"
 	cfg "github.com/kubernetes-sigs/headlamp/backend/pkg/config"
+	"github.com/kubernetes-sigs/headlamp/backend/pkg/gcp"
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/serviceproxy"
 
 	headlampcfg "github.com/kubernetes-sigs/headlamp/backend/pkg/headlampconfig"
@@ -95,6 +96,11 @@ type HeadlampConfig struct {
 	meGroupsPaths string
 	// meUserInfoURL is the URL to fetch additional user info for the /me endpoint. /oauth2/userinfo
 	meUserInfoURL string
+	// GCP OAuth fields for GKE authentication
+	gcpOAuthEnabled bool
+	gcpClientID     string
+	gcpClientSecret string
+	gcpRedirectURL  string
 }
 
 const DrainNodeCacheTTL = 20 // seconds
@@ -457,18 +463,27 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 			config.oidcCACert)
 		if err != nil {
 			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
-		}
-
-		context.Source = kubeconfig.InCluster
+		} else {
+			context.Source = kubeconfig.InCluster
+
+			// When GCP OAuth is enabled, we add the cluster context but clear the auth info
+			// so that users are required to authenticate via GCP OAuth instead of using
+			// the service account token automatically
+			if config.gcpOAuthEnabled {
+				// Clear the auth info so no automatic service account authentication happens
+				context.AuthInfo = &api.AuthInfo{}
+				logger.Log(logger.LevelInfo, nil, nil, "Added in-cluster context without service account auth (GCP OAuth enabled)")
+			}
 
-		err = context.SetupProxy()
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
-		}
+			err = context.SetupProxy()
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
+			}
 
-		err = config.KubeConfigStore.AddContext(context)
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			err = config.KubeConfigStore.AddContext(context)
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			}
 		}
 	}
 
@@ -884,6 +899,34 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	})
 
+	// GCP OAuth routes for GKE authentication
+	if config.gcpOAuthEnabled {
+		gcpAuth := gcp.NewGCPAuthenticator(
+			config.gcpClientID,
+			config.gcpClientSecret,
+			config.gcpRedirectURL,
+			config.cache,
+		)
+
+		r.HandleFunc("/gcp-auth/login", auth.HandleGCPAuthLogin(gcpAuth, config.BaseURL)).Methods("GET")
+		r.HandleFunc("/gcp-auth/callback", auth.HandleGCPAuthCallback(gcpAuth, config.BaseURL)).Methods("GET")
+		r.HandleFunc("/gcp-auth/refresh", auth.HandleGCPTokenRefresh(gcpAuth, config.BaseURL)).Methods("POST")
+
+		logger.Log(logger.LevelInfo, nil, nil, "GCP OAuth authentication enabled for GKE clusters")
+	}
+
+	// Endpoint to check if GCP OAuth is enabled (frontend needs this)
+	r.HandleFunc("/gcp-auth/enabled", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if config.gcpOAuthEnabled {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"enabled": true}`))
+		} else {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"enabled": false}`))
+		}
+	}).Methods("GET")
+
 	// Serve the frontend if needed
 	if spa.UseEmbeddedFiles {
 		r.PathPrefix("/").Handler(spa.NewEmbeddedHandler(spa.StaticFilesEmbed, "index.html", config.BaseURL))

backend/cmd/server.go

@@ -125,6 +125,11 @@ func createHeadlampConfig(conf *config.Config) *HeadlampConfig {
 		cache:                     cache,
 		multiplexer:               multiplexer,
 		telemetryConfig:           buildTelemetryConfig(conf),
+		// GCP OAuth fields
+		gcpOAuthEnabled:           conf.GCPOAuthEnabled,
+		gcpClientID:               conf.GCPClientID,
+		gcpClientSecret:           conf.GCPClientSecret,
+		gcpRedirectURL:            conf.GCPRedirectURL,
 	}
 
 	if conf.OidcCAFile != "" {

backend/go.mod

@@ -49,6 +49,7 @@ require (
 )
 
 require (
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240716105424-66b64c4bb379 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
@@ -148,7 +149,7 @@ require (
 	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect

backend/go.sum

@@ -1,5 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
@@ -661,8 +663,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
 golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=