int128/kubelogin

kubectl works with token from `oidc-login get-token` but does not work when this is automated

maaft opened this issue · 3 comments

maaft commented

Describe the issue

When I use the "standard" oidc-login flow:

users:
- name: oidc
  user:
    client-certificate-data: <redacted>
    client-key-data: <redacted>
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://sts.windows.net/<redacted>/
      - --oidc-client-id=<redacted>
      - --oidc-client-secret=<redacted>
      - --oidc-extra-scope=email roles
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

I get: error: You must be logged in to the server (Unauthorized)

When I retrieve the token manually with:

kubectl oidc-login get-token --oidc-issuer-url=https://sts.windows.net/<redacted>/ --oidc-client-id=<redacted> --oidc-client-secret=<redacted> --oidc-extra-scope="email roles"

and put the token manually in .kube/config:

users:
- name: tokenuser
  user:
    token: <redacted>

my kubectl commands work as expected.

Additional Info:

  • I have multiple clusters in my config where I use the same auth flow (different client-id) and there I experience no issues
  • I triple checked oidc-data for "auto-login" and "manual token retrieval" and they are exactly the same

How can I debug this further?

I have the same problem and just debugged it a while. It seems that:

Example output missing the 2 fields:
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"2023-10-14T15:03:45Z","token":"REDACTED"}}

Maybe I am totally on the wrong trail here and don't know what I am talking about. I just used the get-token command together with --force-refresh -v9 --log_backtrace_at and read some code.

I hope it helps and somebody can find & fix this issue.

@int128 Could you have a look at this, please?
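Added example, not code from kubelogin or from anyone in this thread: a small inspector for the ExecCredential JSON that `kubectl oidc-login get-token` prints (the shape quoted above). It reports the points worth comparing between the working manually-pasted token and the failing automated one: issuer, audience, expiry, whether the `email` and `roles` claims requested via `--oidc-extra-scope` are present, and whether `status.expirationTimestamp` agrees with the token's `exp` claim. The sample credential and JWT are constructed placeholders, not values from the issue.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an unsigned JWT with placeholder claims (not a real token).
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://sts.windows.net/TENANT-PLACEHOLDER/",
             "aud": "CLIENT-ID-PLACEHOLDER", "exp": 1697295825,
             "email": "user@example.com", "roles": ["cluster-reader"]}),
    "signature-placeholder",
])
# Constructed sample, modelled on the ExecCredential JSON quoted in the thread.
SAMPLE_EXEC_CREDENTIAL = json.dumps({
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {"interactive": False},
    "status": {"expirationTimestamp": "2023-10-14T15:03:45Z", "token": SAMPLE_TOKEN},
})


def decode_jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_exec_credential(raw):
    """Parse an ExecCredential document and return the fields to compare."""
    cred = json.loads(raw)
    problems = []
    if cred.get("kind") != "ExecCredential":
        problems.append("kind is not ExecCredential")
    if not cred.get("apiVersion", "").startswith("client.authentication.k8s.io/"):
        problems.append("unexpected apiVersion")
    status = cred.get("status") or {}
    token = status.get("token")
    if not token:
        problems.append("status.token missing")
        return {"problems": problems}
    claims = decode_jwt_claims(token)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    stamp = status.get("expirationTimestamp")
    if stamp and datetime.fromisoformat(stamp.replace("Z", "+00:00")) != exp:
        problems.append("expirationTimestamp does not match the token's exp claim")
    return {"issuer": claims.get("iss"), "audience": claims.get("aud"),
            "expires": exp.isoformat(), "has_email": "email" in claims,
            "has_roles": "roles" in claims, "problems": problems}
```

Feed it the real output of the get-token command from both kubeconfig entries and diff the two results; a differing `audience` or `issuer` is what the API server's OIDC settings would reject.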