kubectl works with token from `oidc-login get-token` but does not work when this is automated
maaft opened this issue · 3 comments
Describe the issue
When I use the "standard" oidc-login flow:
```yaml
users:
- name: oidc
  user:
    client-certificate-data: <redacted>
    client-key-data: <redacted>
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://sts.windows.net/<redacted>/
      - --oidc-client-id=<redacted>
      - --oidc-client-secret=<redacted>
      - --oidc-extra-scope=email roles
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

I get: `error: You must be logged in to the server (Unauthorized)`
When I retrieve the token manually with:
```sh
kubectl oidc-login get-token --oidc-issuer-url=https://sts.windows.net/<redacted>/ --oidc-client-id=<redacted> --oidc-client-secret=<redacted> --oidc-extra-scope="email roles"
```

and put the token manually in `.kube/config`:

```yaml
users:
- name: tokenuser
  user:
    token: <redacted>
```

my kubectl commands work as expected.
Additional Info:
- I have multiple clusters in my config where I use the same auth flow (different client-id) and there I experience no issues
- I triple checked the oidc-data for "auto-login" and "manual token retrieval" and they are exactly the same
How can I debug this further?
I have the same problem and just debugged it for a while. It seems that:
- getting and caching the token happens and works just fine
- the token appears in the output that is written out for kubectl ( happens here: https://github.com/int128/kubelogin/blob/master/pkg/credentialplugin/writer/credential_plugin.go#L35 )
- but the k8s spec has 2 required fields that I can't find in my output (clientCertificateData & clientKeyData)
spec: https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-ExecCredentialStatus
Example output missing the 2 fields:

```json
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2023-10-14T15:03:45Z","token":"REDACTED"}}
```

Maybe I am totally on the wrong trail here and don't know what I am talking about. I just used the get-token command together with `--force-refresh -v9 --log_backtrace_at` and read some code.
I hope it helps and somebody can find & fix this issue.
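An added debugging aid for the two questions above (the "How can I debug this further?" in the issue and the ExecCredential output check in the previous comment). This is example code written for this page, not kubelogin's or kubectl's own. It applies the rules kubectl actually enforces on an exec plugin's output: the status must carry either `token` or both `clientCertificateData` and `clientKeyData`, so those two are not required fields and a token-only status like the one shown is accepted. It also flags a kubeconfig user entry that carries `client-certificate-data`/`client-key-data` next to `exec`, as the issue's config does: client-go skips the exec plugin when the user entry already provides certificate, token or basic auth, so kubectl then sends only the client certificate and never fetches the OIDC token. The unverified JWT decoder is there to compare `iss` and `aud` of the cached token against the API server's `--oidc-issuer-url` and `--oidc-client-id`. The kubeconfig user entry and the ExecCredential document are assumed to be already-parsed dicts, and the token, tenant id and client id in the sample data are constructed placeholders.

```python
# Added example: offline checks for a kubectl exec credential plugin setup.
# Inputs are already-parsed dicts (load a kubeconfig with PyYAML); the sample
# data below is constructed and every id in it is a placeholder.
import base64
import json
from datetime import datetime, timezone


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Payload of a JWT WITHOUT signature verification: fine for comparing
    iss/aud/exp of two tokens while debugging, never for an authz decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def parse_rfc3339(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_exec_credential(doc, expected_api_version="client.authentication.k8s.io/v1beta1", now=None):
    """Apply kubectl's acceptance rules to a plugin's ExecCredential output.
    Returns problems (empty = accepted). The status needs `token` OR a
    clientCertificateData/clientKeyData pair, so a token-only status is valid."""
    problems = []
    now = now or datetime.now(timezone.utc)
    if doc.get("kind") != "ExecCredential":
        problems.append("kind must be ExecCredential, got %r" % doc.get("kind"))
    if doc.get("apiVersion") != expected_api_version:
        problems.append("apiVersion %r does not match the exec stanza" % doc.get("apiVersion"))
    status = doc.get("status")
    if status is None:
        return problems + ["plugin returned no status field"]
    has_token = bool(status.get("token"))
    has_cert = bool(status.get("clientCertificateData"))
    has_key = bool(status.get("clientKeyData"))
    if not (has_token or has_cert or has_key):
        problems.append("status carries neither a token nor a cert/key pair")
    if has_cert != has_key:
        problems.append("clientCertificateData and clientKeyData must be returned together")
    exp = status.get("expirationTimestamp")
    if exp:
        try:
            if parse_rfc3339(exp) <= now:
                problems.append("credential expired at %s" % exp)
        except ValueError:
            problems.append("expirationTimestamp %r is not RFC 3339" % exp)
    return problems


def check_user_entry(user: dict) -> list:
    """Flag kubeconfig `user:` fields that keep client-go from running `exec`:
    its exec authenticator is skipped when the entry already has certificate
    or token auth, so the request carries only the client certificate."""
    warnings = []
    if "exec" not in user:
        return warnings
    has_cert = bool(user.get("client-certificate-data") or user.get("client-certificate"))
    has_key = bool(user.get("client-key-data") or user.get("client-key"))
    if has_cert and has_key:
        warnings.append("client certificate/key present next to exec: the plugin will not run")
    if user.get("token") or user.get("tokenFile"):
        warnings.append("static token present next to exec: the plugin will not run")
    return warnings


# Constructed sample data shaped like an sts.windows.net access token.
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "aud": "11111111-1111-1111-1111-111111111111",  # must equal the API server's --oidc-client-id
    "exp": 1697295825,  # 2023-10-14T15:03:45Z, matches expirationTimestamp below
    "email": "user@example.com", "roles": ["cluster-admin"],
}
SAMPLE_TOKEN = ".".join((_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                         "placeholder-signature"))  # ignored by decode_jwt_claims
SAMPLE_CREDENTIAL = {
    "kind": "ExecCredential", "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {"interactive": False},
    "status": {"expirationTimestamp": "2023-10-14T15:03:45Z", "token": SAMPLE_TOKEN},
}
EXEC_STANZA = {"apiVersion": "client.authentication.k8s.io/v1beta1", "command": "kubectl",
               "args": ["oidc-login", "get-token", "--oidc-issuer-url=https://sts.windows.net/<redacted>/"]}
# Same layout as the issue's user entry: cert data and exec side by side.
SAMPLE_USER_FROM_ISSUE = {"client-certificate-data": "<redacted>", "client-key-data": "<redacted>",
                          "exec": EXEC_STANZA}
SAMPLE_USER_EXEC_ONLY = {"exec": EXEC_STANZA}

if __name__ == "__main__":
    print("claims:", decode_jwt_claims(SAMPLE_TOKEN))
    print("credential:", check_exec_credential(SAMPLE_CREDENTIAL, now=parse_rfc3339("2023-10-14T14:00:00Z")))
    print("user entry:", check_user_entry(SAMPLE_USER_FROM_ISSUE))
```

To run it against real artifacts, load the kubeconfig with PyYAML and pass one entry of `users[].user` to `check_user_entry`, and pipe the output of the `kubectl oidc-login get-token ...` command from the issue through `json.load` into `check_exec_credential`; `decode_jwt_claims` on `status.token` then shows whether `aud` and `iss` match what the API server is configured to accept.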
@int128 Could you have a look at this, please?