az aks get-credentials should automatically convert generated config with azure kubelogin when AAD integrated cluster
Is your feature request related to a problem? Please describe.
For AzureAD integrated AKS clusters, kubelogin convert-kubeconfig is required to renew credentials. It's easy to forget/overlook this extra step and have credentials expire, making users unable to access the cluster until they do a new az aks get-credentials.
Describe the solution you'd like
It would be a better user experience if az aks get-credentials would automatically detect AAD integration and do the conversion step.
Describe alternatives you've considered
If that is unreliable, having a flag such as --aad would also be acceptable.
Additional context
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.
Issue Details
| Author: | daniel-anova |
|---|---|
| Assignees: | - |
| Labels: | |
| Milestone: | - |
route to service team
@daniel-anova Apologies for the late reply. We are looking into this ask. We will update this thread once we have more details.
@Azure/aks-pm Could you please provide an update on this ask? Awaiting your reply.
This might also be useful in non-interactive scenarios, in which case, the user should be able to tell get-credentials to fetch non-interactive kubelogin command args.
Any update?
I also think this would be a great improvement. Even something like:
az aks get-credentials --name <cluster-name> --resource-group <resource-group-name> --msi
Any update on this? Latest kubectl removed the azure auth plugin (December 2022). So everyone updating will need to do the convert.
Are you looking for the --format "exec" option for az aks get-credentials?
https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials
"exec" creates an entry like
```yaml
user:
  exec:
    apiVersion: client.authentication.k8s.io/v1beta1
    args:
    - get-token
    - --environment
    - AzurePublicCloud
    - --server-id
    - srv123
    - --client-id
    - usr456
    - --tenant-id
    - tnt789
    - --login
    - devicecode
    command: kubelogin
    env: null
    interactiveMode: IfAvailable
    provideClusterInfo: false
```
"azure" creates
```yaml
user:
  auth-provider:
    config:
      access-token: secrettoken
      apiserver-id: aid123
      client-id: cid456
      config-mode: "1"
      environment: AzurePublicCloud
      expires-in: "1234"
      expires-on: "1673275758"
      refresh-token: secretrefreshtoken
      tenant-id: tnt789
    name: azure
```
I now see the documentation states this is automatically done. It didn't happen to me today, but I'll check my versions once more. Have I missed the point of this issue, since it's still open?
OK. If I run with --format exec it works, but I am prompted with devicecode, which is the last option as far as I can see from the config. When I do kubelogin convert-kubeconfig -l azurecli it works fine. Is this the intention?
It would be nice if we would have a flag to retrieve the kubeconfig with the azurecli conversion, so that we don't have to call kubelogin as an extra step.
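An added example (not code from this thread or from azure-cli): a stdlib-only Python check that reads a kubeconfig in JSON form and reports which user entries still use the legacy "azure" auth-provider, which keeps the access and refresh tokens in the file, and which login mode each kubelogin exec entry requests. The sample input is constructed from the two entries quoted in the thread; the user names and the function names `login_mode` and `audit_users` are assumptions of this example.

```python
import json
import os

# Constructed sample: the thread's two user entries as JSON; user names are made up.
SAMPLE_KUBECONFIG = json.dumps({"users": [
    {"name": "legacy-user", "user": {"auth-provider": {"name": "azure", "config": {
        "access-token": "secrettoken", "refresh-token": "secretrefreshtoken",
        "apiserver-id": "aid123", "client-id": "cid456", "tenant-id": "tnt789"}}}},
    {"name": "exec-user", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubelogin",
        "args": ["get-token", "--environment", "AzurePublicCloud",
                 "--server-id", "srv123", "--client-id", "usr456",
                 "--tenant-id", "tnt789", "--login", "devicecode"]}}},
]})

TOKEN_KEYS = ("access-token", "refresh-token")

def login_mode(args):
    """Return the value given to kubelogin's --login / -l flag, or None."""
    for i, arg in enumerate(args):
        if arg.startswith("--login="):
            return arg.split("=", 1)[1]
        if arg in ("--login", "-l") and i + 1 < len(args):
            return args[i + 1]
    return None

def audit_users(kubeconfig_json):
    """Classify each user entry as legacy azure auth-provider or kubelogin exec."""
    findings = []
    for entry in json.loads(kubeconfig_json).get("users") or []:
        user = entry.get("user") or {}
        provider = user.get("auth-provider") or {}
        exec_cfg = user.get("exec") or {}
        if provider.get("name") == "azure":
            config = provider.get("config") or {}
            # Legacy format: the tokens sit in the kubeconfig file itself.
            stored = [k for k in TOKEN_KEYS if config.get(k)]
            findings.append({"user": entry.get("name"), "kind": "legacy-azure",
                             "stored_tokens": stored, "login": None})
        elif "kubelogin" in os.path.basename(exec_cfg.get("command") or ""):
            findings.append({"user": entry.get("name"), "kind": "exec-kubelogin",
                             "stored_tokens": [],
                             "login": login_mode(exec_cfg.get("args") or [])})
    return findings

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_KUBECONFIG):
        print(finding)
```

For a real file, pass in the output of `kubectl config view --raw -o json`; entries reported as `legacy-azure` are the ones that still need `kubelogin convert-kubeconfig`.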