Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Empty client secret when defining it from environment variables #196

Open
alk-adong opened this issue Feb 14, 2023 · 2 comments
Open

Empty client secret when defining it from environment variables #196

alk-adong opened this issue Feb 14, 2023 · 2 comments

Comments

@alk-adong
Copy link

Hello,

We are using a service principal with kubelogin and recently migrated to the following commandline:

# Before
kubelogin convert-kubeconfig --login spn --client-id ${ARM_CLIENT_ID} --client-secret ${ARM_CLIENT_SECRET}

# After
kubelogin convert-kubeconfig --login spn --use-azurerm-env-vars

However, with the new commandline, in the ~/.kube/config file, we are missing the --client-secret argument and its value.

- name: clusterUser_REDACTED
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - spn
      - --server-id
      - REDACTED
      - --client-id
      - REDACTED
      - --tenant-id
      - REDACTED
      - --environment
      - AzurePublicCloud
      command: kubelogin
      env: null
      provideClusterInfo: false

It results in the following error:

Error: both clientSecret and clientcert cannot be empty

I noticed that changing to the following commandline fixes the issue:

kubelogin convert-kubeconfig --login spn --use-azurerm-env-vars --client-secret ""

Most likely, this is the responsible part, as it checks that the flag is defined in the commandline arguments instead of checking if the value in the struct is non-empty.

kubelogin/pkg/converter/convert.go

Lines 251 to 261 in 992e74d

if o.isSet(flagClientSecret) {
exec.Args = append(exec.Args, argClientSecret, o.TokenOptions.ClientSecret)
}
if o.isSet(flagClientCert) {
exec.Args = append(exec.Args, argClientCert, o.TokenOptions.ClientCert)
}
if o.isSet(flagClientCertPassword) {
exec.Args = append(exec.Args, argClientCertPassword, o.TokenOptions.ClientCertPassword)
}

@sam-cogan
Copy link

It seems there is the same issue with Client ID as well, it's not written out unless you supply an empty value as a parameter

@markgould
Copy link

This is still an issue. Thankfully this thread helped me resolve it.

dpersson pushed a commit to dpersson/kubelogin that referenced this issue Jan 14, 2025
Add disable environment override option.
bc51796 
Add flag to convert-kubeconfig for allowing disabling environment override.
Use the flag in "kubelogin get-token" to disregard possible set environment variables.

Provides solution for Azure#196
@dpersson dpersson mentioned this issue Jan 14, 2025
Merged
weinong pushed a commit that referenced this issue Jan 29, 2025
@dpersson
Add disable environment override option. (#594)
b852805 
Add flag to convert-kubeconfig for allowing disabling environment override.
Use the flag in "kubelogin get-token" to disregard possible set environment variables.

Provides solution for #196

Co-authored-by: Daniel Persson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@markgould @sam-cogan @alk-adong