
kubefwd does not refresh the oidc token

Open alexef opened this issue 4 years ago • 5 comments

We're using a ~/.kube/config file with a configuration similar to this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: (redacted)
    server: https://api.(redacted)
  name: (redacted)
contexts:
- context:
    cluster: (redacted)
    user: (redacted email)
  name: (redacted)
current-context: (redacted)
kind: Config
preferences: {}
users:
- name: (redacted email address)
  user:
    auth-provider:
      config:
        client-id: (redacted)
        client-secret: (redacted)
        id-token: (redacted)
        idp-issuer-url: https://accounts.google.com/
        refresh-token: (redacted)
      name: oidc

While kubectl has no issue using it (and refreshing it every hour or so), with kubefwd we observed that after id_token expires it is not refreshed.

The workaround is calling kubectl manually, but any chance this functionality can be added to kubefwd?

alexef • Mar 02 '20 12:03
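To confirm the symptom described above, the `exp` claim of each `id-token` in a kubeconfig can be read directly. This is an added example, not code from the thread or from kubefwd; it assumes the `auth-provider` layout shown in the issue, the function names are hypothetical, and the sample token is constructed.

```python
import base64
import json
import re
import time

ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*(\S+)\s*$", re.MULTILINE)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_status(kubeconfig_text, now=None):
    """Return one dict per id-token found in the kubeconfig text."""
    # Claims are read without verifying the signature: diagnostic use only.
    now = time.time() if now is None else now
    results = []
    for token in ID_TOKEN_RE.findall(kubeconfig_text):
        parts = token.strip("'\"").split(".")
        if len(parts) != 3:
            results.append({"error": "not a three-part JWT"})
            continue
        try:
            claims = json.loads(_b64url_decode(parts[1]))
            exp = int(claims["exp"])
        except (ValueError, KeyError, TypeError):
            results.append({"error": "payload unreadable or no exp claim"})
            continue
        results.append({"issuer": claims.get("iss"), "exp": exp,
                        "seconds_left": int(exp - now), "expired": now >= exp})
    return results


def make_sample_kubeconfig(exp):
    # Constructed, unsigned sample token; not a real credential.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    payload = {"iss": "https://accounts.google.com/", "exp": exp}
    token = ".".join([enc({"alg": "none"}), enc(payload), "sig"])
    return ("users:\n- name: sample\n  user:\n    auth-provider:\n"
            f"      config:\n        id-token: {token}\n      name: oidc\n")


if __name__ == "__main__":
    sample = make_sample_kubeconfig(exp=1_700_000_000)
    print(id_token_status(sample, now=1_700_000_600))
```

Running it before and after a kubefwd session shows whether the `id-token` written in the file was replaced once its `exp` passed.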

I tried to simulate it, but my OIDC token gets refreshed. Furthermore, I believe the token refresh functionality is implemented in kubernetes/client-go. @alexef Can you please check what kubefwd version you have?

kubahorak • May 18 '20 10:05

I can not reproduce this issue without more information. Seems to be working for others as well.

cjimti • Oct 19 '20 07:10

I know this is closed, but I started using kubefwd and am having the same problem. I'm using 1.18.0 version of kubefwd on Windows. Not sure it matters, but using AKS 1.18.14 with integrated AAD.

davejhahn • Mar 17 '21 00:03

@davejhahn kubefwd uses the official kubernetes/client-go. There is a section in readme client-go#whats-included listing the plugin/pkg/client/auth packages containing optional authentication plugins for obtaining credentials from external sources.

https://github.com/kubernetes/client-go/tree/master/plugin/pkg/client/auth

I don't see specific instructions for enabling these but I can take a deeper look this weekend unless you can point me to a good example. Thanks!

cjimti • Mar 17 '21 06:03

@davejhahn could you try updating to at least 1.18.1?

There's a version bump for the underlying kubernetes go client. It fixed a similar sounding issue I had, since there is a new option that was introduced in a newer version of kubectl, that the kubernetes go client in kubefwd version 1.18.0 doesn't properly support.

I don't remember the details, but my 4 hours of investigating an issue with access tokens not refreshing properly with Azure Kubernetes resulted in me just bumping the kubefwd version to solve the problem.

cuddlecake • Sep 01 '21 14:09