Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

OAuth for CLI

By default, Testkube CLI uses the "proxy" client which leverages the kube apiserver proxy to reach the Testkube API server. This implies granting users access to Iestkube internals in order to reach the Testkube APIREST endpoint (when using commands such as testkube get artifact ).

This section describes how to protect the Testkube api-server REST API endpoint with oauth2 authentication authorization grant, for use by the Testkube CLI as an oauth 2 client. In this mode, Testkube users do not need to be granted "Testkube administrator roles".

Testkube doesn't provide a separate user/role management system to protect access to its CLI.

Users can configure OAuth-based authentication modules using Testkube Helm chart parameters and the CLI config command.

Testkube can automatically configure the Kubernetes NGINX Ingress Controller and create the required ingresses.

Provide Parameters for API Ingress

Pass values to Testkube Helm chart during installation or upgrade (they are empty by default). Pay attention to the usage of the scheme (http or https) in URIs.

--set testkube-api.cliIngress.enabled=true \
--set testkube-api.cliIngress.oauth.provider="github"
--set testkube-api.cliIngress.oauth.clientID="XXXXXXXXXX" \
--set testkube-api.cliIngress.oauth.clientSecret="XXXXXXXXXX" \
--set testkube-api.cliIngress.oauth.scopes=""

Create Github OAuth Application

Currently, only GitHub OAuth authentication is supported. It is not yet possible to configure kube api-server to authenticate Testkube CLI OAuth2 against other OAuth2 IDPs.

In OAuth terminology:

  • GitHub is the authorization server.
  • Testkube CLI is the client receiving HTTP redirects from the authorization server on a local HTTP endpoint ( served by the CLI. A local web browser invoked by xdg-open is required to access GitHub web UI, and then follow HTTP redirect to the local HTTP authorization callback endpoint.
  • Testkube api-server is the resource server.

Register a new Github OAuth application for your personal or organization account.

Register new App

Pay attention to the usage of the scheme (http or https) in URIs. The homepage URL should be the Testkube Dashboard home page

The authorization callback URL should be a prebuilt page at the Testkube Dashboard website

View created App

Make note of the generated Client ID and Client Secret.

Provide Parameters for CLI

Run the command below to configure oauth parameters (we support GitHub OAuth provider):

kubectl testkube config oauth --client-id XXXXXXXXXX --client-secret XXXXXXXXXX


You will be redirected to your browser for authentication or you can open the url below manually
Authentication will be cancelled in 60 seconds

Authorization for the GitHub application will be requested and access will need to be confirmed. Confirm App authorization

If authorization is successful, you will see the success page. Success Page


Shutting down server...
Server gracefully stopped 🥇
New api uri set to 🥇
New oauth token gho_XXXXXXXXXX 🥇

Run CLI Commands with OAuth

Now all of your requests with direct client will submit an OAuth token, for example:

kubectl testkube get executors -c direct


  NAME               | URI | LABELS
artillery-executor | |
curl-executor | |
cypress-executor | |
k6-executor | |
postman-executor | |
soapui-executor | |

Environment Variables

You can use 2 environment variables to override CLI config values:


TESTKUBE_OAUTH_ACCESS_TOKEN - For the OAuth access token.