backend: headlamp: Add pkce support #3692

Open
wants to merge 2 commits into
base: main

Conversation

@k-airos k-airos commented Jul 26, 2025

Summary

Add PKCE support for OIDC authentication flow

Related Issue

Fixes #3137

Changes

  • Added PKCE configuration: New flag (default: true) to enable/disable PKCE
  • Updated Config struct: Added OidcUsePKCE field to support PKCE configuration
  • Implemented PKCE cryptographic functions
  • Enhanced OauthConfig struct: Added field to store PKCE verifier
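As an added example (not code from this PR or from Headlamp), the PKCE pieces the description refers to, written against the Go standard library only: code_verifier generation, the S256 code_challenge derivation, and the check the token endpoint performs on the verifier. With golang.org/x/oauth2 these values are attached via oauth2.SetAuthURLParam, code_challenge and code_challenge_method on AuthCodeURL and code_verifier on Exchange, as the quoted Exchange call in this PR does.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier returns a fresh PKCE code_verifier: 32 random bytes, base64url
// without padding (43 chars from RFC 7636's unreserved set; the RFC allows 43..128).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the token endpoint's check when code_verifier arrives with the code:
// recompute the challenge stored for that code and compare in constant time.
func VerifyS256(storedChallenge, presentedVerifier string) error {
	if storedChallenge == "" || presentedVerifier == "" {
		return fmt.Errorf("pkce: missing code_challenge or code_verifier")
	}
	if n := len(presentedVerifier); n < 43 || n > 128 {
		return fmt.Errorf("pkce: code_verifier length %d outside 43..128", n)
	}
	got := []byte(S256Challenge(presentedVerifier))
	if subtle.ConstantTimeCompare(got, []byte(storedChallenge)) != 1 {
		return fmt.Errorf("pkce: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := S256Challenge(verifier) // goes in the authorization request with code_challenge_method=S256
	fmt.Println("code_challenge:", challenge, "verifier accepted:", VerifyS256(challenge, verifier) == nil)
}
```

The verifier is generated once per login and must be kept server-side until the token exchange, which is what the PR's new field on OauthConfig is for.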


linux-foundation-easycla bot commented Jul 26, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jul 26, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: k-airos
Once this PR has been reviewed and has the lgtm label, please assign sniok for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from ashu8912 and skoeva July 26, 2025 10:03
@k8s-ci-robot
Contributor

Welcome @k-airos!

It looks like this is your first PR to kubernetes-sigs/headlamp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/headlamp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 26, 2025
@k-airos k-airos force-pushed the pkce_extention_support branch from 76a41bf to eb171ed Compare July 26, 2025 10:12
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 26, 2025
@illume
Contributor

illume commented Jul 27, 2025

Thanks @k-airos !

I asked in the issue for feedback, and ran the CI checks.

We'd need to add documentation to the headlamp helm chart at some point (README.md, values.yaml and values.schema). Let me know if you'd like to add it in this PR, or we can do it after this is merged.

@k-airos
Author

k-airos commented Jul 27, 2025

Thanks! I've added the documentation to README.md, updated values.yaml and values.schema.json accordingly.
Let me know if anything else should be adjusted!

@illume
Contributor

illume commented Jul 28, 2025

@k-airos much appreciated.

I see Erik from the issue gave a thumbs up. Let's wait a little bit to see if anyone else from that issue has feedback.

I see there's an error in CI:

Testing Helm chart templates against expected output...
Error: parse error at (headlamp/templates/deployment.yaml:227): undefined variable "$usePKCE"

Use --debug flag to render out invalid YAML

To test this locally you can run:
make helm-template-test

@illume illume requested review from yolossn and Copilot and removed request for skoeva July 28, 2025 07:03

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds PKCE (Proof Key for Code Exchange) support to the OIDC authentication flow in Headlamp, enhancing security for OAuth 2.0 authorization code flows. PKCE is particularly important for public clients and helps mitigate authorization code interception attacks.

  • Added PKCE configuration option with default value of false
  • Implemented cryptographic functions for PKCE code verifier and challenge generation
  • Updated OIDC flow to conditionally use PKCE parameters during authorization and token exchange

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Summary per file:

  • charts/headlamp/values.yaml: Added usePKCE configuration option with default false
  • charts/headlamp/values.schema.json: Added schema definition for usePKCE boolean field
  • charts/headlamp/templates/secret.yaml: Added usePKCE to secret template
  • charts/headlamp/templates/deployment.yaml: Added OIDC_USE_PKCE environment variable handling
  • charts/headlamp/README.md: Updated documentation to include usePKCE configuration
  • backend/pkg/config/config.go: Added OidcUsePKCE field and flag definition
  • backend/cmd/server.go: Added oidcUsePKCE to server configuration
  • backend/cmd/headlamp.go: Implemented PKCE cryptographic functions and updated OAuth flow
Comments suppressed due to low confidence (1)

backend/cmd/headlamp.go:264

  • [nitpick] The default value for PKCE should be true rather than false. PKCE is a security enhancement recommended by RFC 7636 and OAuth 2.1, and there's no significant downside to enabling it by default. Consider changing the default to improve security posture.
		case strings.HasPrefix(r.Host, "localhost:") || r.TLS == nil:

@@ -213,6 +224,10 @@ spec:
# Check if useAccessToken is non false either from env or oidc.config
- "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
{{- end }}
{{- if or (ne ($oidc.usePKCE | toString) "false") (ne $usePKCE "") }}
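Review bot: the added condition `{{- if or (ne ($oidc.usePKCE | toString) "false") (ne $usePKCE "") }}` references `$usePKCE`, but nothing in this hunk assigns that variable, so the template fails to render; the CI output quoted earlier in this thread (`undefined variable "$usePKCE"` at deployment.yaml:227) lands on exactly this line of the new block starting at +224. Either assign `$usePKCE` before this block the same way the useAccessToken condition above takes its value "either from env or oidc.config", or drop the second operand and gate on `$oidc.usePKCE` alone. The comment `# Check if useAccessToken is non false either from env or oidc.config` above the access-token block also deserves a matching comment for usePKCE so the two conditions are documented alike.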

Copilot AI Jul 28, 2025


The variable $usePKCE is referenced but not defined in this context. This appears to be a copy-paste error from the useAccessToken logic above. It should likely be ($oidc.usePKCE | toString) or the environment variable check should be removed.

Suggested change
{{- if or (ne ($oidc.usePKCE | toString) "false") (ne $usePKCE "") }}
{{- if or (ne ($oidc.usePKCE | toString) "false") (ne $usePKCE "false") }}


oauth2Token, err = oauthConfig.Config.Exchange(
oauthConfig.Ctx,
r.URL.Query().Get("code"),
oauth2.SetAuthURLParam("code_verifier", oauthConfig.CodeVerifier),

Copilot AI Jul 28, 2025


The oauth2.SetAuthURLParam function is being used incorrectly for token exchange. For PKCE token exchange, you should use oauth2.SetAuthURLParam with the Exchange method, but the parameter should be passed as an option to Exchange, not as an auth URL parameter. Use oauth2.SetAuthURLParam("code_verifier", oauthConfig.CodeVerifier) as an option to the Exchange call.


@illume
Contributor

illume commented Jul 28, 2025

@yolossn @ashu8912 When you get a chance, can you please review?

@illume illume added kind/feature Categorizes issue or PR as related to a new feature. oidc Issue related to OIDC labels Jul 28, 2025
Contributor

@yolossn yolossn left a comment


I tried testing this in-cluster and the app doesn't work without the client-secret because of this client-secret check. We have to make client-secret optional in the kubconfig.OidcConfig for the user to make headlamp work without client-secret.

if oidcClientID != "" && oidcClientSecret != "" && oidcIssuerURL != "" && oidcScopes != "" {

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2025
@k8s-ci-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Successfully merging this pull request may close these issues.

Enable Headlamp to use Public OIDC Client
4 participants