Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The "Standalone"-mode of oidc-login in the wrapped kubectl library fails, with: no Auth Provider found for name "oidc" #11268

Open
ludost opened this issue Nov 8, 2024 · 0 comments
Open

The "Standalone"-mode of oidc-login in the wrapped kubectl library fails, with: no Auth Provider found for name "oidc" #11268

ludost opened this issue Nov 8, 2024 · 0 comments
Assignees
@brandond @mdrahman-suse
Milestone
2024-11 Release C...

Comments

@ludost
Copy link
Contributor

ludost commented Nov 8, 2024

Environmental Info:
K3s Version:
All Versions, tested in v1.28.5, v1.28.15 & v1.31.2

Node(s) CPU architecture, OS, and Version:

Cluster Configuration:

Any cluster configuration, using OpenID Direct Connect as the primary SSO setup. In our case, we're working with a KeyCloak setup.

Describe the bug:
Currently K3s fails to work with the "standalone mode" of oidc-login, where the kube.config file contains an Auth-provider section for the users. Trying to use any subcommand that requires a valid login will fail with the error:
'error: no Auth Provider found for name "oidc"'

The related PR (#11266) fixes this, and allows the usage of this oidc-login mode for the embedded kubectl library in K3s.
For background info on that oidc-login mode: https://github.com/int128/kubelogin/blob/master/docs/standalone-mode.md
That PR is a simple one-liner bugfix copied from the upstream kubectl-cli implementation.
Source of the fix: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubectl/kubectl.go#L25

Steps To Reproduce:
Use an example kube.config like described in the kubelogin documentation:

- name: keycloak
  user:
    auth-provider:
      config:
        client-id: YOUR_CLIENT_ID
        client-secret: YOUR_CLIENT_SECRET
        idp-issuer-url: https://issuer.example.com
      name: oidc

Expected behavior:
Login through the normal oidc-login works correctly:

ludo@ludo-Nitro-Laptop:~/projects/k3s$ bin/k3s kubectl oidc-login 
Opening in existing browser session.
You got a valid token until 2024-11-07 14:41:30 +0100 CET

Calling any other kubectl command through k3s should now use the succeeded authentication, for example allowing:

ludo@ludo-Nitro-Laptop:~/projects/k3s$ bin/k3s kubectl auth whoami
ATTRIBUTE   VALUE
Username    6b3dbab6-f44c-45af-8b55-418ff6f0115c
Groups      [default-roles-development system:authenticated]

Actual behavior:
The wrapped kubectl fails to use the succeeded authentication, reporting an error:

ludo@ludo-Nitro-Laptop:~/projects/k3s$ bin/k3s kubectl auth whoami
error: no Auth Provider found for name "oidc"

However, in comparison, the upstream kubectl cli command works correctly:

ludo@ludo-Nitro-Laptop:~/projects/k3s$ kubectl auth whoami
ATTRIBUTE   VALUE
Username    6b3dbab6-f44c-45af-8b55-418ff6f0115c
Groups      [default-roles-development system:authenticated]

Additional context / logs:

Related PR with a proposed fix: #11266
@ludost ludost mentioned this issue Nov 8, 2024
Merged
@brandond brandond moved this from New to Peer Review in K3s Development Nov 8, 2024
@brandond brandond added this to the 2024-11 Release Cycle milestone Nov 8, 2024
@brandond brandond self-assigned this Nov 8, 2024
@brandond brandond moved this from Peer Review to To Test in K3s Development Nov 8, 2024
This was referenced Nov 8, 2024
Closed
Open
Open
Open
@mdrahman-suse mdrahman-suse self-assigned this Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandond brandond

@mdrahman-suse mdrahman-suse

Labels
None yet
Projects
K3s Development
Status: To Test
Milestone
2024-11 Release Cycle
Development

No branches or pull requests
3 participants
@brandond @ludost @mdrahman-suse