Empty client secret when defining it from environment variables #196

Open
alk-adong opened this issue Feb 14, 2023 · 2 comments

@alk-adong

Hello,

We are using a service principal with kubelogin and recently migrated to the following command line:

# Before
kubelogin convert-kubeconfig --login spn --client-id ${ARM_CLIENT_ID} --client-secret ${ARM_CLIENT_SECRET}

# After
kubelogin convert-kubeconfig --login spn --use-azurerm-env-vars

However, with the new command line, in the ~/.kube/config file, we are missing the --client-secret argument and its value.

- name: clusterUser_REDACTED
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - spn
      - --server-id
      - REDACTED
      - --client-id
      - REDACTED
      - --tenant-id
      - REDACTED
      - --environment
      - AzurePublicCloud
      command: kubelogin
      env: null
      provideClusterInfo: false

It results in the following error:

Error: both clientSecret and clientcert cannot be empty

I noticed that changing to the following command line fixes the issue:

kubelogin convert-kubeconfig --login spn --use-azurerm-env-vars --client-secret ""

Most likely, this is the responsible part, as it checks that the flag is defined in the command-line arguments instead of checking if the value in the struct is non-empty.

	if o.isSet(flagClientSecret) {
		exec.Args = append(exec.Args, argClientSecret, o.TokenOptions.ClientSecret)
	}
	if o.isSet(flagClientCert) {
		exec.Args = append(exec.Args, argClientCert, o.TokenOptions.ClientCert)
	}
	if o.isSet(flagClientCertPassword) {
		exec.Args = append(exec.Args, argClientCertPassword, o.TokenOptions.ClientCertPassword)
	}
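
The difference between the two checks discussed in the post above, as an added example that is not part of the original issue and is not kubelogin's code. It uses Go's standard `flag` package, and the names `options`, `parse` and `execArgs`, the environment map, and the rule that environment values replace flag values are all assumptions made for illustration.

```go
package main

import (
	"flag"
	"fmt"
)

// options is a hypothetical stand-in for the converter's option struct.
type options struct {
	fs           *flag.FlagSet
	clientSecret string
	useEnv       bool
}

// parse reads the flags, then (assumption) fills the secret from the
// environment map when --use-azurerm-env-vars is given.
func parse(args []string, env map[string]string) (*options, error) {
	o := &options{fs: flag.NewFlagSet("convert-kubeconfig", flag.ContinueOnError)}
	o.fs.StringVar(&o.clientSecret, "client-secret", "", "service principal secret")
	o.fs.BoolVar(&o.useEnv, "use-azurerm-env-vars", false, "read ARM_* variables")
	if err := o.fs.Parse(args); err != nil {
		return nil, err
	}
	if o.useEnv {
		o.clientSecret = env["ARM_CLIENT_SECRET"]
	}
	return o, nil
}

// isSet reports whether the flag appeared on the command line at all.
func (o *options) isSet(name string) (found bool) {
	o.fs.Visit(func(f *flag.Flag) { found = found || f.Name == name })
	return
}

// execArgs builds the get-token arguments. byValue=false mirrors the check
// quoted in the issue; byValue=true checks the parsed value instead.
// An emitted --client-secret is stored in the kubeconfig as a plain argument.
func (o *options) execArgs(byValue bool) []string {
	args := []string{"get-token", "--login", "spn"}
	if (byValue && o.clientSecret != "") || (!byValue && o.isSet("client-secret")) {
		args = append(args, "--client-secret", o.clientSecret)
	}
	return args
}

func main() {
	env := map[string]string{"ARM_CLIENT_SECRET": "constructed-secret"} // constructed sample
	o, _ := parse([]string{"--use-azurerm-env-vars"}, env)
	fmt.Println(o.execArgs(false)) // flag-presence check: secret argument omitted
	fmt.Println(o.execArgs(true))  // value check: secret argument emitted
}
```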

@sam-cogan

It seems there is the same issue with Client ID as well; it's not written out unless you supply an empty value as a parameter.

@markgould

This is still an issue. Thankfully this thread helped me resolve it.
