Add initial local auth implementation

[saswatamcode]

This PR adds the initial local authentication implementation for obsctl,

• Adds context api add and context api rm functionality, which saves an Observatorium API instance with a given name or hostname, locally in .config/obs/config.json`
• Adds login functionality, which saves configuration for a tenant, including OIDC config and token, also in .config/obs/config.json
• Adds logout command which removes locally saved tenant config
• Adds context switch <api name>/<tenant name> and context current functionality for viewing and changing context
• Adds context list to display all locally saved contexts
• Adds get operations whose output is pretty printed
• Add set operation to set Rule files (obsctl metrics set --rule.file=)

TODOs (which will be handled in subsequent PRs),

• Add way to hook in with oapi fetcher
• Add flags for URL query params for API
• Add query functionality
• Add docs and intergration tests w/ api

[bill3tt]

@saswatamcode FYI there's a bug in the way that we are constructing URLs. I think we're missing a leading slash.

❯ obsctl metrics get rules.raw
Error: fetching: Get "https://observatorium.api.stage.openshift.comapi/metrics/v1/rhobs/api/v1/rules/raw": dial tcp: lookup observatorium.api.stage.openshift.comapi: no such host

This was the login command I used

obsctl login --api observatorium.api.stage.openshift.com --oidc.audience observatorium --oidc.client-id <client-id> --oidc.client-secret <client-secret> --oidc.issuer-url https://sso.redhat.com/auth/realms/redhat-external --tenant rhobs

[bill3tt]

❯ obsctl metrics get labelvalues
Error: indent JSON invalid character 'p' after top-level value

[bill3tt]

My other suggestion here would be to add an explicit log line, possibly at error level, indicating to the user when a command is not yet implemented.

❯ obsctl metrics query ALERTS
info: query called

[bill3tt]

Struggling to login with certain URLs 🤔

❯ obsctl login --api observatorium.api.stage.openshift.com --oidc.audience observatorium --oidc.client-id <client-id> --oidc.client-secret <client-secret> --oidc.issuer-url https://sso.redhat.com/auth/realms/redhat-external --tenant rhobs
Error: adding new api: observatorium.api.stage.openshift.com is not a valid URL

Which is weird because if I then try and run

❯ obsctl login --api http://observatorium.api.stage.openshift.com ... 
Error: api with name http://observatorium.api.stage.openshift.com doesn't exist

But then when I re-run the original command it passes successfully 🤷

[bill3tt]

@saswatamcode I think this is a fantastic start and already I can see how this is going to make our lives much easier when interacting with observatorium 🎉 however, there are a couple of rough edges that are reducing my enjoyment of this CLI that we should get ironed out :)

[saswatamcode]

@ianbillett thanks for testing this out! I'll try and tackle those rough edges!

obsctl metrics get labelvalues
Error: indent JSON invalid character 'p' after top-level value

Labelvalues requires a name flag as per API, will mark that flag as required.

❯ obsctl login --api observatorium.api.stage.openshift.com --oidc.audience observatorium --oidc.client-id --oidc.client-secret --oidc.issuer-url https://sso.redhat.com/auth/realms/redhat-external --tenant rhobs
Error: adding new api: observatorium.api.stage.openshift.com is not a valid URL

For the login api flag, one can pass an already saved API name or just the URL which it will save as a new API. There's a bug in that step so let me fix. 🙂

Edit: Fixed and added a context list command as well.
Also, I noticed that each operation is generating a new access token, so changed that to reuse tokens as well!

[matej-g]

Great work @saswatamcode 👏 I have added some comments, I'd be happy to give it a test spin soon as well!

[matej-g]

Just tested obsctl = 🤩

I left few suggestions, perhaps they do not need addressing now but in future PRs.

I'd only request changing the auth.go filename, otherwise good to go 🚢

[matej-g]

If we have API's specified, but no tenants, is that a valid context? It was a bit confusing since only APIs were listed when I had no tenants added - but that means those contexts are not valid / usable, right?

[saswatamcode]

Context means an API name and a tenant name using which we can do an operation (will add docs soon to clarify this well 🙂). An API can exist in the config without a tenant (although you can't make requests like that), but a tenant cannot exist without an API.

So in this case, it means they aren't usable. You need to add a tenant under your already added API.

[matej-g]

I think I understand that, but then we're listing 'unusable' contexts, which is not useful for the user.

[saswatamcode]

Hmm, that's correct. Let's add an issue once this is merged and figure out a nice way to display contexts in an easily understandable way in future PRs. Maybe adding a " no tenant, cannot use yet" text beside the API name which has no tenants would be reasonable? 🙂

[matej-g]

I was also wondering whether it would make sense to add list command for APIs as well?

[saswatamcode]

The list command lists out all possible context in the form of,

API1:
    - tenant1
    - tenant2
API2:
   - tenant1
   - tenant2

So might not need a separate list command for only API.
But one thing that I would want to add is a verbose mode by which we can print out all details or all tenant and APIs.

[matej-g]

I think it still might be useful, especially if you have no context defined so far or if you want a higher-level view of which APIs you currently have in your config. If we can add and remove an entity, then it makes to me to list as well. But yes, it's achievable through context command to a degree, so it's not a blocker.

[saswatamcode]

Let's iterate on a future PR! 🙂

[matej-g]

🏅

[onprem]

LGTM!