From 620e98d6d78e9996a7971d2e65cff3b9f7179a4a Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Sat, 27 May 2023 17:48:37 +0200
Subject: [PATCH] feat: kb article for kubelogin
---
 knowledge base/azure/kubelogin.md | 84 +++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 knowledge base/azure/kubelogin.md
diff --git a/knowledge base/azure/kubelogin.md b/knowledge base/azure/kubelogin.md
new file mode 100644
index 0000000..f6cca6b
--- /dev/null
+++ b/knowledge base/azure/kubelogin.md
@@ -0,0 +1,84 @@
+# Azure Kubelogin
+
+Client-go credential (exec) plugin for `kubectl` 1.11+ implementing Azure authentication.
+
+## Table of contents
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+
+## TL;DR
+
+```sh
+# Installation.
+brew install 'Azure/kubelogin/kubelogin'
+
+
+# Leverage the already logged-in context used by Azure CLI.
+# The token will be issued in the same Azure AD tenant as in `az login` and be
+# managed by the Azure CLI.
+kubelogin convert-kubeconfig -l 'azurecli'
+
+
+# Use service principals to login.
+# The token will **not** be cached on the filesystem.
+# Only works with managed AAD.
+# The service principal can be member of up to 200 AAD groups.
+
+# Provide password-based credentials via command flags.
+kubelogin convert-kubeconfig -l 'spn' \
+ --client-id 'spn_client_id' --client-secret 'spn_client_secret'
+
+# Provide password-based credentials via environment variables.
+kubelogin convert-kubeconfig -l 'spn' && export \
+ AAD_SERVICE_PRINCIPAL_CLIENT_ID='spn_client_id' \
+ AAD_SERVICE_PRINCIPAL_CLIENT_SECRET='spn secret'
+kubelogin convert-kubeconfig -l 'spn' && export \
+ AZURE_CLIENT_ID='spn_client_id' AZURE_CLIENT_SECRET='spn secret'
+
+# Provide pfx client certificate-based credentials via environment variables.
+kubelogin convert-kubeconfig -l 'spn' && export \
+ AAD_SERVICE_PRINCIPAL_CLIENT_ID='spn_client_id' \
+ AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE='path/to/cert.pfx' \
+ AAD_SERVICE_PRINCIPAL_CLIENT_CERTIFICATE_PASSWORD='pfx_password'
+kubelogin convert-kubeconfig -l 'spn' && export \
+ AZURE_CLIENT_ID='spn_client_id' \
+ AZURE_CLIENT_CERTIFICATE_PATH='path/to/cert.pfx' \
+ AZURE_CLIENT_CERTIFICATE_PASSWORD='pfx_password'
+
+
+# Use managed identities to login.
+# The token will **not** be cached on the filesystem.
+kubelogin convert-kubeconfig -l 'msi'
+kubelogin convert-kubeconfig -l 'msi' --client-id 'msi_client_id'
+
+
+# Use workload identities to login.
+# The token will **not** be cached on the filesystem.
+export \
+ AZURE_CLIENT_ID='applicationId_federated_with_workload_identity' \
+ AZURE_TENANT_ID='tenantId' \
+ AZURE_FEDERATED_TOKEN_FILE='file_containing_the_signed_assertion_of_workload_identity' \
+ AZURE_AUTHORITY_HOST='base_url_of_an_azure_active_directory_authority' \
+&& kubelogin convert-kubeconfig -l 'workloadidentity'
+
+
+# Remove cached tokens.
+kubelogin remove-tokens
+```
+
+## Further readings
+
+- [Website]
+- [Azure CLI]
+- [`kubectl`][kubectl]
+
+
+[website]: https://azure.github.io/kubelogin/
+
+
+
+[azure cli]: cli.md
+[kubectl]: ../kubernetes/kubectl.md
+
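Review bot: The flag form `kubelogin convert-kubeconfig -l 'spn' --client-id 'spn_client_id' --client-secret 'spn_client_secret'` under "Provide password-based credentials via command flags" puts the service-principal secret on argv, where it lands in shell history and is readable by other local users via `ps` while the command runs; since `convert-kubeconfig` rewrites the kubeconfig's exec stanza, the secret is presumably also persisted there in plaintext — confirm against the kubelogin docs. The article should say so next to that example, e.g. `# Caveat: the secret ends up in shell history and (presumably) in plaintext in the rewritten kubeconfig; prefer the env-var or certificate forms below.` The closing `kubelogin remove-tokens` is described only as removing cached tokens, so readers should not assume it scrubs a secret written into the kubeconfig. The placeholder `'spn secret'` in the env-var examples also differs from `'spn_client_secret'` above; aligning them avoids the reader wondering whether these are different values.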