How to use the kubelogin command to log in to Vault on the Web UI to get a token? (instead of the CLI)

Hey there,

I enabled LDAP auth method on Vault and I was issuing the following command to get a token from Vault:
vault read identity/oidc/token/kubernetes

Have followed this article: Authenticate to Kubernetes using Hashicorp Vault – /var/log/tmaurice

This method requires mutating kubeconfig to add a custom script such as:

tokenData=$(vault read -format json identity/oidc/token/k8s-token | jq -c .)

which also requires authentication to Vault:

So we have to issue:

$ vault login -method=ldap username=user01
(Get token)
$ export VAULT_ADDR=http://localhost:8200
$ export VAULT_TOKEN=REDACTED

The major prerequisites in this UX are having a Vault client installed locally, a manual vault login, and each user exporting the VAULT_ variables. Instead, what I want to achieve is to use kubelogin to authenticate to the Kubernetes cluster. It should open the Vault login page, the user should type their username and password, and then authentication should be completed. Eventually, kubelogin should return a token to authenticate to the API server.

Any thoughts on this?
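An added example, not code from the original post or from the article it links, of what the "custom script" wired into kubeconfig amounts to: it reads the output of the vault read command above on stdin and prints the ExecCredential JSON that kubectl expects from an exec credential plugin, with an expiry derived from the token's TTL so kubectl knows when to call the plugin again. The Vault response shape (data.token, data.ttl) and the ExecCredential v1beta1 layout are assumptions of this example; the role name k8s-token is the one from the post, and the sample response is constructed.

```python
"""Kubeconfig exec-plugin helper: convert the JSON printed by
`vault read -format json identity/oidc/token/k8s-token` into the
ExecCredential document kubectl expects from an `exec` credential plugin."""
import json
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample of the Vault response. The shape (data.client_id,
# data.token, data.ttl) is an assumption about the identity token endpoint,
# and the token value is a placeholder, not a real signed JWT.
SAMPLE_VAULT_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "client_id": "example-client-id",
        "token": "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER-PAYLOAD.PLACEHOLDER-SIG",
        "ttl": 3600,
    },
})

EXEC_API_VERSION = "client.authentication.k8s.io/v1beta1"


def build_exec_credential(vault_json: str, now_epoch: Optional[float] = None) -> dict:
    """Return the ExecCredential dict for one Vault identity-token response.

    now_epoch lets callers pin "now" (seconds since the Unix epoch) so the
    expiry is reproducible; by default the current UTC time is used.
    """
    doc = json.loads(vault_json)
    data = doc.get("data") or {}
    token = data.get("token")
    ttl = data.get("ttl")

    # Refuse to hand kubectl anything that is not shaped like a JWT. The API
    # server still verifies the signature; this only catches broken plumbing.
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("Vault response has no JWT in data.token")
    if not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("Vault response has no positive data.ttl")

    now = (datetime.fromtimestamp(now_epoch, tz=timezone.utc)
           if now_epoch is not None else datetime.now(timezone.utc))
    # expirationTimestamp tells kubectl when to call the plugin again instead
    # of reusing a cached, expired token.
    expires = now + timedelta(seconds=ttl)

    return {
        "apiVersion": EXEC_API_VERSION,
        "kind": "ExecCredential",
        "spec": {},
        "status": {
            "token": token,
            "expirationTimestamp": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }


def main() -> int:
    # Intended pipeline from a kubeconfig exec entry (vault CLI assumed present
    # and already logged in, exactly the prerequisite the post describes):
    #   vault read -format json identity/oidc/token/k8s-token | python3 this_script.py
    raw = sys.stdin.read()
    try:
        cred = build_exec_credential(raw)
    except (ValueError, json.JSONDecodeError) as err:
        print(f"vault exec plugin: {err}", file=sys.stderr)
        return 1
    # Only the ExecCredential may go to stdout; kubectl parses nothing else.
    print(json.dumps(cred))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Note that this script carries the same prerequisites the post objects to: a local vault binary, a prior vault login, and VAULT_ADDR / VAULT_TOKEN in the environment of whoever runs kubectl. That is the part a kubelogin-based flow against Vault's OIDC provider would replace, since kubelogin performs the browser login itself and caches the resulting ID token.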

I use Kubernetes, and Vault, and OIDC, but I’ve never used Vault’s OIDC Identity Provider support, myself.

I took a look at the kubelogin docs out of curiosity, and it does look like it should be possible to set this up using Vault’s OIDC IdP - it would just take a solid understanding of OIDC concepts, to figure out the proper configuration of the Vault OIDC system.

Sorry, that’s not an immediately helpful reply, but it’s as much as I can offer with my current knowledge.