@Aijing2333 Makes sense, let's open a PR to see what it looks like.
This should be easy by leveraging https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/4a4dafcbcbd7d57a69ed3bc59760381232c2be9c/apps/public/public.go#L110 or something around these lines.
@julienstroheker
For Winfield, we need to disable instance discovery in the auth flow, or we will hit the error below. Maybe the previous flow worked because instance discovery was not enabled at that time.
```
PS C:\Users\cloudtest> $env:AZURE_ENVIRONMENT_FILEPATH = "C:\AksArc\env.json"
PS C:\Users\cloudtest> kubectl --kubeconfig C:\Aksarc\config-aksarc-test1-user get ns
Error: failed to get token: failed to create PoP token using interactive login: failed to create PoP token with interactive flow: http call(https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.autonomous.cloud.private%2F98b8267d-e97f-426e-8b3f-7956511fd63f%2Foauth2%2Fv2.0%2Fauthorize)(GET) error: reply status code was 400:
{"error":"invalid_instance","error_description":"AADSTS50049: Unknown or invalid instance. Trace ID: 8475d55f-87de-42e3-a4fb-8bc1e1401100 Correlation ID: 7e9eef1b-bbc1-4d55-b2b6-9c3b1ae15fb7 Timestamp: 2024-11-20 03:14:35Z","error_codes":[50049],"timestamp":"2024-11-20 03:14:35Z","trace_id":"8475d55f-87de-42e3-a4fb-8bc1e1401100","correlation_id":"7e9eef1b-bbc1-4d55-b2b6-9c3b1ae15fb7","error_uri":"https://login.microsoftonline.com/error?code=50049"}
E1120 03:14:35.121603 2420 memcache.go:265] couldn't get current server API group list: Get "https://192.168.1.202:6443/api?timeout=32s": getting credentials: exec: executable kubelogin failed with exit code 1
Error: failed to get token: failed to create PoP token using interactive login: failed to create PoP token with interactive flow: http call(https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Flogin.autonomous.cloud.private%2F98b8267d-e97f-426e-8b3f-7956511fd63f%2Foauth2%2Fv2.0%2Fauthorize)(GET) error: reply status code was 400:
```
env.json:
```json
{
  "name": "AzureEdgeCloud",
  "managementPortalURL": "https://portal.autonomous.cloud.private/",
  "resourceManagerEndpoint": "https://resourcemanagerweb.azs:40007/",
  "activeDirectoryEndpoint": "https://login.autonomous.cloud.private/",
  "graphEndpoint": "https://graph.autonomous.cloud.private/",
  "microsoftGraphEndpoint": "https://graph.autonomous.cloud.private/",
  "storageEndpointSuffix": "autonomous.cloud.private",
  "cosmosDBDNSSuffix": "docdb.autonomous.cloud.private:13443",
  "tokenAudience": "https://resourcemanagerweb.azs:40007/",
  "resourceIdentifiers": {
    "graph": "https://graph.autonomous.cloud.private/",
    "storage": "https://resourcemanagerweb.azs:40007/",
    "cosmosDB": "https://docdb.autonomous.cloud.private:13443/"
  }
}
```
kubelogin info:
```yaml
users:
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - --login
      - interactive
      - --server-id
      - 6256c85f-0aad-4d50-b960-e6e9b21efe35
      - --client-id
      - 3f4439ff-e698-4d6d-84fe-09c9d574f06b
      - --tenant-id
      - 98b8267d-e97f-426e-8b3f-7956511fd63f
      - --environment
      - AzureStackCloud
      - --pop-enabled
      - --pop-claims
      - u=/subscriptions/8673b929-0d2f-a5d9-3003-7b9184a881c4/resourceGroups/onebox-test/providers/Microsoft.Kubernetes/connectedClusters/aksarc-test1
      command: kubelogin
      env: null
```
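Added example, not part of the issue and not kubelogin's code: one way to decide from the environment file whether instance discovery can stay enabled, turning it off only for an explicitly configured HTTPS authority, since MSAL Go documents `public.WithInstanceDiscovery(false)` as disabling authority validation. The helper `discoveryEnabled`, the partial `knownAuthorityHosts` list and the trimmed sample JSON are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: only the activeDirectoryEndpoint from the env.json in the issue.
const sampleEnv = `{"name":"AzureEdgeCloud","activeDirectoryEndpoint":"https://login.autonomous.cloud.private/"}`

// Assumption: a partial list of public-cloud authority hosts that the
// login.microsoftonline.com discovery endpoint recognises; not from the issue.
var knownAuthorityHosts = map[string]bool{
	"login.microsoftonline.com": true,
	"login.microsoftonline.us":  true,
	"login.chinacloudapi.cn":    true,
}

type environment struct {
	ActiveDirectoryEndpoint string `json:"activeDirectoryEndpoint"`
}

// discoveryEnabled (hypothetical helper) returns the authority host and the
// boolean a client would pass to MSAL Go's public.WithInstanceDiscovery.
func discoveryEnabled(envJSON []byte) (string, bool, error) {
	var env environment
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return "", false, fmt.Errorf("parse environment file: %w", err)
	}
	u, err := url.Parse(env.ActiveDirectoryEndpoint)
	if err != nil {
		return "", false, fmt.Errorf("parse activeDirectoryEndpoint: %w", err)
	}
	// With discovery off nothing else validates the authority: insist on HTTPS and a host.
	if u.Scheme != "https" || u.Hostname() == "" {
		return "", false, fmt.Errorf("authority must be an https URL, got %q", env.ActiveDirectoryEndpoint)
	}
	host := strings.ToLower(u.Hostname())
	return host, knownAuthorityHosts[host], nil
}

func main() {
	host, enabled, err := discoveryEnabled([]byte(sampleEnv))
	if err != nil {
		panic(err)
	}
	fmt.Printf("authority host=%s instance discovery enabled=%t\n", host, enabled)
}
```

For the private authority in the issue the result is `false`, which avoids the `discovery/instance` call that returned AADSTS50049; a public-cloud authority keeps discovery, and therefore authority validation, on.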