Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credential Plugins (AKS / AAD) Support #136

Open
jonstelly opened this issue Jun 23, 2021 · 1 comment
Open

Credential Plugins (AKS / AAD) Support #136

jonstelly opened this issue Jun 23, 2021 · 1 comment

Comments

@jonstelly
Copy link
Collaborator

I'm starting to use KubeClient to connect to some AKS instances and I've got some clusters deployed using kubelogin (a credential plugin).

I'm seeing the following exception when loading from a kubernetes config entry using the azure credential provider. The error looks like:

ArgumentException: Argument cannot be null, empty, or entirely composed of whitespace: 'accessTokenCommand'. (Parameter 'accessTokenCommand')
   at KubeClient.MessageHandlers.CommandBearerTokenHandler..ctor(String accessTokenCommand, String accessTokenCommandArguments, String accessTokenSelector, String accessTokenExpirySelector, String initialAccessToken, Nullable`1 initialTokenExpiryUtc, Dictionary`2 environmentVariables)

Which led me to felixfbecker/PSKubectl#54 and #108.

This happens when I retrieve an AKS cluster's info from the Azure Resource Management SDK, using the UserKubeConfigContent property which is a yaml string format kubeconfig file but the user element is not as described in the credential plugin documentation, it looks like:

  user:
    auth-provider:
      config:
        apiserver-id: ...
        client-id: ...
        config-mode: "1"
        environment: AzurePublicCloud
        tenant-id: ...
      name: azure

I'm going to start looking into this and created this new issue to gather thoughts anyone might have on design/implementation here. It looks like some of the plumbing might already exist, I see KubeAuthStrategy.CredentialPlugin and CommandBearerTokenHandler, I'm guessing I'll need to figure out a reasonable way to build the AccessTokenCommand based on the slightly different user format above.

If this turns out to be a massive amount of work I may have to put it off, but I'll at least capture findings here. If anyone has thoughts or other non-AKS/AAD credential plugins they want me to look into, let me know here.
@tintoy
Copy link
Owner

tintoy commented Jun 23, 2021

Yeah I never got a chance to come back to this issue (authentication changes) but what’s there (the strategy stuff) should be a good starting point, I hope 🙂

tintoy added a commit that referenced this issue Jul 30, 2022
@tintoy
Initial port of authentication strategies from branch "feature/auth-s…
fc12ce6 
…trategies-old"

#108
#136
tintoy added a commit that referenced this issue Aug 10, 2022
@tintoy
Reimplement legacy "exec" credential plugin support as an authenticat…
89f4549 
…ion-strategy

#108 #136
tintoy added a commit that referenced this issue Aug 10, 2022
@tintoy
Use common implementation of KubeClientOptions configuration from K8s…
3c6a94b 
…Config

#108 #136
tintoy added a commit that referenced this issue Aug 10, 2022
@tintoy
Sketch out mechanism for configuring WebSocket authentication from au…
ac0f420 
…th strategy

#108
#136
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jonstelly @tintoy