tls ca distribution to OIDC login users + easier login

controller/cmd/main.go

@@ -27,10 +27,13 @@ import (
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	apiserverinstall "k8s.io/apiserver/pkg/apis/apiserver/install"
+	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/yaml"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
@@ -47,6 +50,7 @@ import (
 	"github.com/jumpstarter-dev/jumpstarter-controller/internal/controller"
 	"github.com/jumpstarter-dev/jumpstarter-controller/internal/oidc"
 	"github.com/jumpstarter-dev/jumpstarter-controller/internal/service"
+	"github.com/jumpstarter-dev/jumpstarter-controller/internal/service/login"
 
 	// +kubebuilder:scaffold:imports
 
@@ -298,6 +302,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Setup Login Service for simplified CLI login
+	loginService := login.NewServiceFromEnv()
+	// Extract OIDC configuration from the loaded config for the login service
+	oidcConfigs := extractOIDCConfigs(mgr.GetAPIReader(), watchNamespace)
+	loginService.SetOIDCConfig(oidcConfigs)
+	if err = loginService.SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create service", "service", "Login")
+		os.Exit(1)
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)
@@ -313,3 +327,52 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// extractOIDCConfigs reads the OIDC configuration from the ConfigMap
+func extractOIDCConfigs(reader client.Reader, namespace string) []login.OIDCConfig {
+	var configmap corev1.ConfigMap
+	if err := reader.Get(context.Background(), client.ObjectKey{
+		Namespace: namespace,
+		Name:      "jumpstarter-controller",
+	}, &configmap); err != nil {
+		setupLog.Error(err, "unable to read configmap for OIDC config")
+		return nil
+	}
+
+	// Try new config format first
+	rawConfig, ok := configmap.Data["config"]
+	if ok {
+		var cfg config.Config
+		if err := yaml.UnmarshalStrict([]byte(rawConfig), &cfg); err == nil {
+			return jwtAuthenticatorsToOIDCConfigs(cfg.Authentication.JWT)
+		}
+	}
+
+	// Fall back to legacy authentication format
+	rawAuth, ok := configmap.Data["authentication"]
+	if ok {
+		var auth config.Authentication
+		if err := yaml.Unmarshal([]byte(rawAuth), &auth); err == nil {
+			return jwtAuthenticatorsToOIDCConfigs(auth.JWT)
+		}
+	}
+
+	return nil
+}
+
+// jwtAuthenticatorsToOIDCConfigs converts JWT authenticators to login OIDC configs
+func jwtAuthenticatorsToOIDCConfigs(authenticators []apiserverv1beta1.JWTAuthenticator) []login.OIDCConfig {
+	var configs []login.OIDCConfig
+	for _, auth := range authenticators {
+		// Skip internal OIDC provider (localhost)
+		if auth.Issuer.URL == "https://localhost:8085" {
+			continue
+		}
+		configs = append(configs, login.OIDCConfig{
+			Issuer:    auth.Issuer.URL,
+			ClientID:  "jumpstarter-cli", // Default client ID for CLI
+			Audiences: auth.Issuer.Audiences,
+		})
+	}
+	return configs
+}

controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/model.py

@@ -91,6 +91,87 @@ class Route(BaseModel):
     )
 
 
+class LoginRoute(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: Optional[bool] = Field(
+        None, description="Whether to enable OpenShift Route for the login endpoint"
+    )
+    annotations: Optional[dict[str, str]] = Field(
+        None, description="Annotations for the login route"
+    )
+    labels: Optional[dict[str, str]] = Field(
+        None, description="Labels for the login route"
+    )
+
+
+class LoginIngressTls(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    secretName: Optional[str] = Field(
+        None, description="Secret name for the TLS certificate"
+    )
+
+
+class LoginIngress(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: Optional[bool] = Field(
+        None, description="Whether to enable Ingress for the login endpoint"
+    )
+    class_: Optional[str] = Field(
+        None, alias="class", description="IngressClass to use for the login endpoint"
+    )
+    annotations: Optional[dict[str, str]] = Field(
+        None, description="Annotations for the login ingress"
+    )
+    labels: Optional[dict[str, str]] = Field(
+        None, description="Labels for the login ingress"
+    )
+    tls: Optional[LoginIngressTls] = None
+
+
+class LoginNodeport(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: Optional[bool] = Field(
+        None, description="Whether to enable NodePort for the login endpoint"
+    )
+    port: Optional[Port] = Field(
+        None, description="NodePort port number for the login service"
+    )
+
+
+class LoginTls(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    secretName: Optional[str] = Field(
+        None,
+        description="Name of the Kubernetes secret containing tls.crt and tls.key for edge TLS termination",
+    )
+
+
+class Login(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: Optional[bool] = Field(
+        None, description="Whether to enable the login endpoint for simplified CLI login"
+    )
+    hostname: Optional[str] = Field(
+        None, description="Hostname for the login endpoint"
+    )
+    endpoint: Optional[str] = Field(
+        None, description="The endpoint URL to display in the login landing page"
+    )
+    tls: Optional[LoginTls] = Field(
+        None,
+        description="TLS configuration for edge termination (used by both route and ingress)",
+    )
+    route: Optional[LoginRoute] = None
+    ingress: Optional[LoginIngress] = None
+    nodeport: Optional[LoginNodeport] = None
+
+
 class PrefixedClaimOrExpression1(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
@@ -262,6 +343,15 @@ class Router(BaseModel):
     nodeSelector: dict[str, str] | None = None
 
 
+class CertManager(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: Optional[bool] = Field(
+        None,
+        description="Enable cert-manager integration. When enabled, jumpstarter-service-ca-cert configmap is required.",
+    )
+
+
 class Model(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
@@ -282,7 +372,14 @@ class Model(BaseModel):
     global_: Optional[Global] = Field(
         None, alias="global", description="Global parameters"
     )
+    certManager: Optional[CertManager] = Field(
+        None,
+        description="cert-manager integration for automatic TLS certificate management",
+    )
     grpc: Optional[Grpc1] = None
+    login: Optional[Login] = Field(
+        None, description="Login endpoint configuration for simplified CLI login"
+    )
 
 
 print(json.dumps(Model.model_json_schema(), indent=2))

controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/controller-deployment.yaml

@@ -65,6 +65,12 @@ spec:
           {{ else }}
           value: grpc.{{ .Values.global.baseDomain }}:{{ .Values.grpc.tls.port }}
           {{ end }}
+        - name: LOGIN_ENDPOINT
+          {{ if .Values.login.endpoint }}
+          value: {{ .Values.login.endpoint }}
+          {{ else }}
+          value: login.{{ .Values.global.baseDomain }}
+          {{ end }}
         - name: CONTROLLER_KEY
           valueFrom:
             secretKeyRef:
@@ -85,6 +91,16 @@ spec:
         - name: EXTERNAL_KEY_PEM
           value: /secrets/tls.key
         {{- end }}
+        - name: CA_BUNDLE_PEM
+          valueFrom:
+            configMapKeyRef:
+              name: jumpstarter-service-ca-cert
+              key: ca.crt
+              # When cert-manager is enabled, require the configmap (fail fast on missing cert)
+              # When disabled, make it optional (users may not have TLS configured)
+              optional: {{ not .Values.certManager.enabled }}
+        - name: GIN_MODE
+          value: release
         image: {{ .Values.image }}:{{ default .Chart.AppVersion .Values.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: manager

controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/login-ingress.yaml

@@ -0,0 +1,36 @@
+{{ if and .Values.login.enabled .Values.login.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    component: login
+    {{- if .Values.login.ingress.labels }}
+    {{- toYaml .Values.login.ingress.labels | nindent 4 }}
+    {{- end }}
+  {{- if .Values.login.ingress.annotations }}
+  annotations:
+    {{- toYaml .Values.login.ingress.annotations | nindent 4 }}
+  {{- end }}
+  name: jumpstarter-login-ing
+  namespace: {{ default .Release.Namespace .Values.namespace }}
+spec:
+  {{- if .Values.login.ingress.class }}
+  ingressClassName: {{ .Values.login.ingress.class }}
+  {{- end }}
+  rules:
+  - host: {{ .Values.login.hostname | default (printf "login.%s" .Values.global.baseDomain) | required "a global.baseDomain or a login.hostname must be provided" }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jumpstarter-login
+            port:
+              number: 8086
+  tls:
+  - hosts:
+    - {{ .Values.login.hostname | default (printf "login.%s" .Values.global.baseDomain) }}
+    {{- /* Use login.tls.secretName (new), fallback to login.ingress.tls.secretName (legacy), then default */}}
+    secretName: {{ .Values.login.tls.secretName | default .Values.login.ingress.tls.secretName | default "jumpstarter-login-tls" }}
+{{ end }}

controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/login-route.yaml

@@ -0,0 +1,38 @@
+{{ if and .Values.login.enabled .Values.login.route.enabled }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    component: login
+    {{- if .Values.login.route.labels }}
+    {{- toYaml .Values.login.route.labels | nindent 4 }}
+    {{- end }}
+  {{- if .Values.login.route.annotations }}
+  annotations:
+    {{- toYaml .Values.login.route.annotations | nindent 4 }}
+  {{- end }}
+  name: jumpstarter-login-route
+  namespace: {{ default .Release.Namespace .Values.namespace }}
+spec:
+  {{ if .Values.login.hostname }}
+  host: {{ .Values.login.hostname }}
+  {{ else }}
+  host: login.{{ .Values.global.baseDomain | required "a global.baseDomain or a login.hostname must be provided"}}
+  {{ end }}
+  port:
+    targetPort: 8086
+  tls:
+    # Edge termination - TLS terminated at the router, plain HTTP to backend
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+    {{- if .Values.login.tls.secretName }}
+    # Reference TLS certificate from secret (OpenShift 4.14+)
+    externalCertificate:
+      name: {{ .Values.login.tls.secretName }}
+    {{- end }}
+  to:
+    kind: Service
+    name: jumpstarter-login
+    weight: 100
+  wildcardPolicy: None
+{{ end }}

controller/deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/login-service.yaml

@@ -0,0 +1,26 @@
+{{ if .Values.login.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: jumpstarter-controller
+    component: login
+  name: jumpstarter-login
+  namespace: {{ default .Release.Namespace .Values.namespace }}
+spec:
+  {{ if .Values.login.nodeport.enabled }}
+  type: NodePort
+  {{ end }}
+
+  ports:
+  - name: login
+    port: 8086
+    protocol: TCP
+    targetPort: 8086
+    {{ if .Values.login.nodeport.enabled }}
+    nodePort: {{ .Values.login.nodeport.port }}
+    {{ end }}
+  selector:
+    control-plane: controller-manager
+{{ end }}