This repository was archived by the owner on Mar 13, 2022. It is now read-only.

OIDC auth behavior differs from kubectl #142

Closed
mogaika opened this issue Jul 3, 2019 · 12 comments

Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@mogaika

mogaika commented Jul 3, 2019

I'm trying to use a kubeconfig that works with kubectl but causes problems in the python client

auth-provider:
  name: oidc
  config:
    client-id: <CENSORED>
    id-token: <CENSORED>
    idp-certificate-authority-data: <CENSORED>
    idp-issuer-url: <CENSORED>
    refresh-token: <CENSORED>

Code: config.load_kube_config('testkube.yml')
Error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 549, in load_kube_config
    loader.load_and_set(config)
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 430, in load_and_set
    self._load_authentication()
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 194, in _load_authentication
    if self._load_auth_provider_token():
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 213, in _load_auth_provider_token
    return self._load_oid_token(provider)
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 290, in _load_oid_token
    self._refresh_oidc(provider)
  File "/home/mogaika/.local/lib/python3.6/site-packages/kubernetes/config/kube_config.py", line 351, in _refresh_oidc
    verify=config.ssl_ca_cert if config.verify_ssl else None
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests_oauthlib/oauth2_session.py", line 363, in refresh_token
    timeout=timeout, headers=headers, verify=verify, withhold_token=True, proxies=proxies)
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests/sessions.py", line 581, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests_oauthlib/oauth2_session.py", line 425, in request
    headers=headers, data=data, **kwargs)
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/home/mogaika/.local/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='172.16.244.35', port=443): Max retries exceeded with url: /auth/realms/iam/protocol/openid-connect/token (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

I didn't get the origin of this problem, since the temp cert file is created and passed to urllib correctly (code)
The workaround is to remove the idp-certificate-authority-data field and disable cert checks.
But then I found 2 other problems:

  • the code expects that 'client-secret' is always provided, but this is not always the case (code). Workaround: provide any string as client-secret, but afaik this depends on the oauth server side.
  • the code passes a None object as the verify parameter to the refresh_token method instead of a boolean value (code), (method definition) (deeper method definition)
@mogaika
Author

mogaika commented Jul 4, 2019

I debugged kubectl and if 'client-secret' is not provided kubectl treats it as an empty string

@mogaika
Author

mogaika commented Jul 8, 2019

Turned out that we have a problem with our cert. It misses the other certs of the chain. But at the same time kubelet works perfectly with such certs. Either kubelet ignores cert problems and falls back to ignoring them, or kubelet does not require having the CA bundle (which is unlikely). Will prepare a fix for the 2 other problems from the topic list.

@roycaihw
Member

roycaihw commented Jul 9, 2019

could you clarify if it's a problem with the cert or if it's a gap between the python client and kubectl? The first comment doesn't seem concrete enough to reproduce the issue

I debugged kubectl and if 'client-secret' is not provided kubectl treats it as an empty string

sounds like the python client is missing this path. Would you like to open a PR to fix it?

@mogaika
Author

mogaika commented Jul 10, 2019

could you clarify if it's a problem with the cert or if it's a gap between the python client and kubectl?

My cert (cert-1) is issued by self-signed cert-2. In the kubectl case it's enough to provide only cert-1 in the idp-certificate-authority-data field. But in the python-client/urllib3 case it looks like it's required to provide the CA bundle (which logically seems right, because cert-2 is not in the cert store anywhere)
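As an added example (not code from the python client, kubectl, or the issue author), the following pre-flight helper applies the two kubectl behaviours named in this thread (an absent client-secret is treated as an empty string; the TLS verify argument is a CA file path or a bool, never None) and checks whether idp-certificate-authority-data actually carries a self-issued root before any refresh request is attempted, which is the gap that produced the CERTIFICATE_VERIFY_FAILED above. The DER walker reads only the issuer and subject fields and verifies no signatures. The sample certificates are constructed, unsigned X.509 skeletons built inline; the names cert-1/cert-2, provider(), fake_cert_pem() and the idp URL are the example's own assumptions.

```python
"""Added example: pre-flight for an OIDC auth-provider block from a kubeconfig.
Mirrors kubectl (absent client-secret -> "", verify is a CA path or bool, never
None) and checks idp-certificate-authority-data for a self-issued root. The DER
walker reads only issuer/subject and verifies no signatures."""
import base64
import re
import tempfile

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length

def issuer_subject(der):
    """Return raw DER contents of (issuer, subject) from a Certificate."""
    _, tbs, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                            # optional explicit [0] version
        pos = end
    fields = []
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, s, e = _tlv(der, pos)
        fields.append(der[s:e])
        pos = e
    return fields[2], fields[4]

def chain_report(pem_bundle):
    """Count certs, whether a self-issued root is present, and dangling issuers."""
    pairs = [issuer_subject(base64.b64decode(m.group(1))) for m in _PEM_RE.finditer(pem_bundle)]
    subjects = {subj for _, subj in pairs}
    return {
        "count": len(pairs),
        "has_root": any(iss == subj for iss, subj in pairs),
        "missing_issuers": sum(1 for iss, _ in pairs if iss not in subjects),
    }

def oidc_refresh_params(auth_provider, verify_ssl=True):
    """Derive client_id, client_secret and verify the way kubectl would."""
    cfg = auth_provider["config"]
    warnings, verify = [], True                # verify defaults to True, never None
    ca_data = cfg.get("idp-certificate-authority-data")
    if not verify_ssl:
        verify = False
    elif ca_data:
        pem = base64.b64decode(ca_data).decode()
        report = chain_report(pem)
        if not report["has_root"] or report["missing_issuers"]:
            warnings.append("CA data is not a complete chain; urllib3 will fail with CERTIFICATE_VERIFY_FAILED")
        with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
            fh.write(pem)                      # like the client: materialise a CA file for requests
            verify = fh.name
    return {
        "client_id": cfg["client-id"],
        "client_secret": cfg.get("client-secret", ""),   # kubectl: absent -> empty string
        "verify": verify,
        "warnings": warnings,
    }

# Constructed sample input: structurally valid but unsigned X.509 skeletons, not real certs.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):                                 # Name ::= SEQUENCE { SET { CN=<cn> } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + _name(issuer)
               + _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"300101000000Z"))
               + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

LEAF_ONLY = fake_cert_pem("cert-1", "cert-2")                  # what the issue's kubeconfig carried
FULL_CHAIN = LEAF_ONLY + fake_cert_pem("cert-2", "cert-2")     # plus the self-signed cert-2

def provider(pem, **extra):
    """Hypothetical auth-provider block shaped like the one in the issue."""
    cfg = {"client-id": "demo", "idp-issuer-url": "https://idp.example/auth/realms/iam",
           "id-token": "x", "refresh-token": "y",
           "idp-certificate-authority-data": base64.b64encode(pem.encode()).decode()}
    cfg.update(extra)
    return {"name": "oidc", "config": cfg}
```

Run `oidc_refresh_params(provider(LEAF_ONLY))` and the warning fires because cert-1's issuer is absent from the bundle; with FULL_CHAIN the report shows a self-issued root and no warning, and verify is the temp CA file path in both cases. Passing the returned client_secret and verify straight to an OAuth2 refresh call removes the two divergences from kubectl that the thread identifies.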

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 8, 2019
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 7, 2019
@mogaika
Author

mogaika commented Nov 8, 2019

/remove-lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Nov 8, 2019
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 6, 2020
@roycaihw roycaihw removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 18, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 19, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 18, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
