dotnet-kube-client
Credential Plugins (AKS / AAD) Support
I'm starting to use KubeClient to connect to some AKS instances and I've got some clusters deployed using kubelogin (a credential plugin).
I'm seeing the following exception when loading from a kubernetes config entry using the azure credential provider. The error looks like:
```
ArgumentException: Argument cannot be null, empty, or entirely composed of whitespace: 'accessTokenCommand'. (Parameter 'accessTokenCommand')
   at KubeClient.MessageHandlers.CommandBearerTokenHandler..ctor(String accessTokenCommand, String accessTokenCommandArguments, String accessTokenSelector, String accessTokenExpirySelector, String initialAccessToken, Nullable`1 initialTokenExpiryUtc, Dictionary`2 environmentVariables)
```
Which led me to https://github.com/felixfbecker/PSKubectl/issues/54 and https://github.com/tintoy/dotnet-kube-client/issues/108.
This happens when I retrieve an AKS cluster's info from the Azure Resource Management SDK, using the UserKubeConfigContent property, which is a kubeconfig file in YAML string format, but the user element is not as described in the credential plugin documentation; it looks like:
```yaml
user:
  auth-provider:
    config:
      apiserver-id: ...
      client-id: ...
      config-mode: "1"
      environment: AzurePublicCloud
      tenant-id: ...
    name: azure
```
I'm going to start looking into this and created this new issue to gather thoughts anyone might have on design/implementation here. It looks like some of the plumbing might already exist, I see KubeAuthStrategy.CredentialPlugin and CommandBearerTokenHandler, I'm guessing I'll need to figure out a reasonable way to build the AccessTokenCommand based on the slightly different user format above.
If this turns out to be a massive amount of work I may have to put it off, but I'll at least capture findings here. If anyone has thoughts or other non-AKS/AAD credential plugins they want me to look into, let me know here.
Yeah I never got a chance to come back to this issue (authentication changes) but what’s there (the strategy stuff) should be a good starting point, I hope 🙂
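One way to derive the `accessTokenCommand` and `accessTokenCommandArguments` strings named in the stack trace from the `auth-provider` block in the question, as an added example that is not code from this thread or from KubeClient. `AzureAuthProviderMapper` is a hypothetical helper, the default `devicecode` login mode and the `config-mode` handling are assumptions, and the flags are those of `kubelogin get-token`; because kubeconfig values end up on a command line, each one is validated before use.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class AzureAuthProviderMapper // hypothetical helper, not a KubeClient type
{
    // Kubeconfig values are placed on a command line, so accept only characters that
    // cannot split or quote an argument (enough for GUIDs, cloud names and URIs).
    static readonly Regex SafeValue = new Regex(@"^[A-Za-z0-9._:/-]+\z");
    public static (string Command, string Arguments) ToKubeloginCommand(
        IReadOnlyDictionary<string, string> config, string loginMode = "devicecode")
    {
        var args = new List<string> { "get-token", "--login", Checked("loginMode", loginMode) };
        Add(args, config, "environment", "--environment", required: false);
        Add(args, config, "apiserver-id", "--server-id", required: true);
        Add(args, config, "client-id", "--client-id", required: true);
        Add(args, config, "tenant-id", "--tenant-id", required: true);
        // Assumption: a missing config-mode, or "0", selects the older "spn:"-prefixed
        // audience, which kubelogin requests with --legacy. "1" (as above) needs no flag.
        if (!config.TryGetValue("config-mode", out var mode) || mode == "0")
            args.Add("--legacy");
        return ("kubelogin", string.Join(" ", args));
    }
    static void Add(List<string> args, IReadOnlyDictionary<string, string> config,
                    string key, string flag, bool required)
    {
        if (!config.TryGetValue(key, out var value) || string.IsNullOrWhiteSpace(value))
        {
            if (required) throw new ArgumentException($"auth-provider config is missing '{key}'.");
            return;
        }
        args.Add(flag);
        args.Add(Checked(key, value));
    }
    static string Checked(string name, string value) =>
        SafeValue.IsMatch(value) ? value
            : throw new ArgumentException($"Unsafe characters in '{name}'.");
    public static void Main()
    {
        // Constructed sample values, not taken from a real cluster.
        var sample = new Dictionary<string, string> {
            ["apiserver-id"] = "00000000-0000-0000-0000-000000000001",
            ["client-id"] = "00000000-0000-0000-0000-000000000002",
            ["tenant-id"] = "00000000-0000-0000-0000-000000000003",
            ["environment"] = "AzurePublicCloud", ["config-mode"] = "1" };
        var (command, arguments) = ToKubeloginCommand(sample);
        Console.WriteLine($"{command} {arguments}");
    }
}
```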