
kubectl works with token from oidc-login get-token but does not work when this is automated #917

Open
maaft opened this issue Apr 4, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@maaft

maaft commented Apr 4, 2023

Describe the issue

When I use the "standard" oidc-login flow:

users:
- name: oidc
  user:
    client-certificate-data: <redacted>
    client-key-data: <redacted>
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://sts.windows.net/<redacted>/
      - --oidc-client-id=<redacted>
      - --oidc-client-secret=<redacted>
      - --oidc-extra-scope=email roles
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

I get: error: You must be logged in to the server (Unauthorized)

When I retrieve the token manually with:

kubectl oidc-login get-token --oidc-issuer-url=https://sts.windows.net/<redacted>/ --oidc-client-id=<redacted> --oidc-client-secret=<redacted> --oidc-extra-scope="email roles"

and put the token manually in .kube/config:

users:
- name: tokenuser
  user:
    token: <redacted>

my kubectl commands work as expected.

Additional Info:

  • I have multiple clusters in my config where I use the same auth flow (different client-id) and there I experience no issues
  • I triple checked oidc-data for "auto-login" and "manual token retrieval" and they are exactly the same

How can I debug this further?

@maaft maaft added the bug Something isn't working label Apr 4, 2023
@QueerCodingGirl

I have the same problem and just debugged it a while. It seems that:

Example output missing the 2 fields:
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2023-10-14T15:03:45Z","token":"REDACTED"}}

Maybe I am totally on the wrong trail here and don't know what I am talking about. I just used the get-token command together with --force-refresh -v9 --log_backtrace_at and read some code.

I hope it helps and somebody can find & fix this issue.

@QueerCodingGirl

@int128 Could you have a look at this, please?

@hobti01

hobti01 commented Jul 2, 2024

@QueerCodingGirl, it looks like a doc problem. The API indicates that the properties are optional. https://pkg.go.dev/k8s.io/client-go/pkg/apis/[email protected]#ExecCredentialStatus

@maaft when you set the scopes manually it's not the same since you use quotes.

Perhaps the issue is the parsing of the scopes?
Commas are one option:

- --oidc-extra-scope=email,roles

Or setting multiple scopes with separate args:

- --oidc-extra-scope=email
- --oidc-extra-scope=roles
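One way to answer "How can I debug this further?" without guessing: feed the ExecCredential JSON that `kubectl oidc-login get-token` prints (the same document kubectl reads from the exec plugin) and the manually retrieved token into a small diagnostic that checks the credential has a token, decodes both JWT payloads without verifying signatures, and reports which claims (issuer, audience, scopes, roles, subject) differ. This is an added example, not code from the issue or from the kubelogin project; the ExecCredential output, tokens and claim values below are constructed so the two tokens differ in the `roles` claim, and the `TENANT`/`CLIENT_ID` values are placeholders.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_exec_credential(raw: str) -> tuple[str, datetime]:
    """Extract token and expiry from the ExecCredential JSON kubectl gets from the plugin."""
    cred = json.loads(raw)
    if cred.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential: %r" % cred.get("kind"))
    status = cred.get("status") or {}
    token = status.get("token")
    if not token:
        raise ValueError("status.token is empty: kubectl would send no credential at all")
    # expirationTimestamp is RFC 3339 in UTC ("...Z")
    exp = datetime.strptime(status["expirationTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return token, exp.replace(tzinfo=timezone.utc)


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification: diagnostic only, never for authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diff_claims(a: dict, b: dict, keys=("iss", "aud", "scp", "roles", "sub")) -> dict:
    """Return {claim: (value_in_a, value_in_b)} for the claims that differ between two tokens."""
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def _fake_jwt(claims: dict) -> str:
    # Constructed token: real header + payload, placeholder signature (payload is all we inspect).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"


EXEC_OUTPUT = json.dumps({"kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {"interactive": False}, "status": {"expirationTimestamp": "2023-10-14T15:03:45Z",
    "token": _fake_jwt({"iss": "https://sts.windows.net/TENANT/", "aud": "CLIENT_ID", "scp": "email", "sub": "u1"})}})
MANUAL_TOKEN = _fake_jwt({"iss": "https://sts.windows.net/TENANT/", "aud": "CLIENT_ID",
                          "scp": "email", "roles": ["cluster-admin"], "sub": "u1"})


def compare_exec_vs_manual(exec_output: str, manual_token: str) -> dict:
    token, _ = parse_exec_credential(exec_output)
    return diff_claims(decode_jwt_claims(token), decode_jwt_claims(manual_token))


if __name__ == "__main__":
    print(compare_exec_vs_manual(EXEC_OUTPUT, MANUAL_TOKEN))  # {'roles': (None, ['cluster-admin'])}
```

On a real cluster, pipe the plugin's stdout into `parse_exec_credential` and the token from the working kubeconfig into the second argument; a non-empty diff (typically `aud` or `roles`) points at the scope or client-id difference between the two flows, while an empty diff means the tokens are equivalent and the problem lies elsewhere (for example in the RBAC binding or the API server's OIDC claim mapping).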
