Warning about multiples kubeconfig with the same user #737

Merged 5 commits on Mar 16, 2020

@jvanz (Member) commented Mar 10, 2020

Recently we had a customer trying to use multiple kubeconfig files with
the same user. This causes issues because after one of the machines with
the files refreshes the OIDC token, the rest cannot refresh the token
anymore. This commit adds a warning about this situation.

Issue #735

jvanz and others added 2 commits March 10, 2020 14:58
Recently we had a customer trying to use multiple kubeconfig files with
the same user. This causes issues because after one of the machines with
the files refreshes the OIDC token, the rest cannot refresh the token
anymore. This commit adds a warning about this situation.

Issue SUSE#735

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
@nkoranova (Contributor)

Great! Many thanks for the PR!
I thought that it would be an overly long warning and that it deserved its own section. ;)
Other than that I have two main points I want to ask about:

  1. How do you know when the tokens need to be refreshed? Do you get some sort of notification or where can you check the "expiration date"? Does the user even need to do it, or is it done automatically?
  2. What is the solution to this problem? Are you supposed to use multiple users? How do you then keep track of them?

@nkoranova nkoranova self-requested a review March 11, 2020 10:08
@r0ckarong r0ckarong linked an issue Mar 11, 2020 that may be closed by this pull request
@r0ckarong r0ckarong added 4.2.0 AdminGuide Fix will change the Admin Guide v4 CaaSP v4 labels Mar 12, 2020
@r0ckarong r0ckarong added this to the Sprint 25 milestone Mar 12, 2020
@jvanz (Member Author) commented Mar 13, 2020

> Great! Many thanks for the PR!
> I thought that it would be an overly long warning and that it deserved its own section. ;)
> Other than that I have two main points I want to ask about:
>
> 1. How do you know when the tokens need to be refreshed? Do you get some sort of notification or where can you check the "expiration date"? Does the user even need to do it, or is it done automatically?

It is done automatically. It is transparent for the user. There is no notification.

> 2. What is the solution to this problem? Are you supposed to use multiple users? How do you then keep track of them?

Using multiple users is a possible solution. But I'm not sure if it is the best one and I'm not aware of other options.

Adds a little doc about a simple workaround to the problem regarding
the use of the same user in multiple kubeconfig files. The user can have
multiple users, each one in use in one kubeconfig

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
@nkoranova (Contributor)

> Using multiple users is a possible solution. But I'm not sure if it is the best one and I'm not aware of other options.

@innobead could we please get some input from you for this solution? :)

@nkoranova nkoranova requested a review from innobead March 13, 2020 12:57
@innobead (Contributor) left a comment

LGTM, thanks for the contribution

@nkoranova (Contributor)

@jvanz and @innobead Thanks, this looks pretty good and almost ready to merge. I just have one more question. (Sorry if this is getting slightly annoying, I just want to make sure the user gets all the needed info. :))
We have told the user they should create multiple users for different kubeconfig files. They know how to add a new user and how to create a new kubeconfig file. How do they make sure that the kubeconfig file is added under that user?

@jvanz (Member Author) commented Mar 16, 2020

> We have told the user they should create multiple users for different kubeconfig files. They know how to add a new user and how to create a new kubeconfig file.

I believe so. @innobead suggested that for the customer. Furthermore, our support should help on that process.

> How do they make sure that the kubeconfig file is added under that user?

To download the file the users need to access the gangway web page or use the cli to download the file. Thus, they need to insert the user credentials. But they can check the user in the kubeconfig file as well:

```yaml
# [...]
users:
- name: myuser
  user:
    auth-provider:
      config:
        client-id: oidc
        client-secret: <secret>
        id-token: <something>
        idp-issuer-url: https://<ip>:<port>
        refresh-token: <token>
      name: oidc
# [...]
```
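
An added example, not part of the original thread or of the project's code: a stdlib-only Python check that reads the `id-token` from several kubeconfig files and reports any OIDC identity (`iss` and `sub` claims) that appears in more than one file, which is the situation this pull request warns about. The file names, issuer URL and sample tokens are constructed, and the line-based `id-token` match assumes the kubeconfig layout shown above.

```python
import base64
import json
import re
from collections import defaultdict

ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*(\S+)\s*$", re.MULTILINE)

def jwt_claims(token):
    """Decode the payload of a JWT without verifying it (inventory use only)."""
    payload = token.strip("'\"").split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def shared_oidc_users(kubeconfigs):
    """Return {(issuer, subject): [files]} for identities present in >1 file."""
    seen = defaultdict(set)
    for filename, text in kubeconfigs.items():
        for token in ID_TOKEN_RE.findall(text):
            try:
                claims = jwt_claims(token)
            except (IndexError, ValueError):
                continue  # placeholder such as <something>, or malformed token
            seen[(claims.get("iss"), claims.get("sub"))].add(filename)
    return {ident: sorted(files) for ident, files in seen.items() if len(files) > 1}

# --- constructed sample data: unsigned tokens, placeholder issuer ---
ISSUER = "https://dex.example.invalid:32000"

def sample_token(sub):
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iss": ISSUER, "sub": sub}), "sig"])

def sample_kubeconfig(name, sub):
    return (f"users:\n- name: {name}\n  user:\n    auth-provider:\n      config:\n"
            f"        client-id: oidc\n        id-token: {sample_token(sub)}\n"
            f"        idp-issuer-url: {ISSUER}\n      name: oidc\n")

SAMPLES = {
    "laptop.kubeconfig": sample_kubeconfig("myuser", "alice"),
    "ci.kubeconfig": sample_kubeconfig("myuser", "alice"),
    "ops.kubeconfig": sample_kubeconfig("otheruser", "bob"),
}

if __name__ == "__main__":
    for (iss, sub), files in shared_oidc_users(SAMPLES).items():
        print(f"WARNING: {sub} at {iss} is used by {', '.join(files)}")
```
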

@nkoranova (Contributor) commented Mar 16, 2020

Awesome, thanks. This is now ready to be merged. @r0ckarong Is there a reason not to merge it and publish this in 4.1.2?

@r0ckarong (Contributor)

> Awesome, thanks. This is now ready to be merged. @r0ckarong Is there a reason not to merge it and publish this in 4.1.2?

If this is not tied to any particular version of dex or gangway I don't see why not.

@jordimassaguerpla Do you have any objections to merging this?

@jordimassaguerpla (Member)

> > Awesome, thanks. This is now ready to be merged. @r0ckarong Is there a reason not to merge it and publish this in 4.1.2?
>
> If this is not tied to any particular version of dex or gangway I don't see why not.
>
> @jordimassaguerpla Do you have any objections to merging this?

no objection.

@nkoranova nkoranova merged commit 582964a into SUSE:master Mar 16, 2020
Labels
AdminGuide Fix will change the Admin Guide v4 CaaSP v4
Successfully merging this pull request may close these issues.

Add documentation about user sessions in kubeconfig files
5 participants