Bug/credentials id token

[davidB]

Our environment use OpenIDConnect (oidc) to setup some access to k8s (bare-metal).
Existing code failed because we have auth-provider but no access-token and certificate use relative inside the .kube/config.

This fix allow:

• use relative path for certificate
• use id-token if present
• not crash if auth-provider is present but access-token is absent

Current, auto-refresh of expired id-token is not supported

[clux]

Thanks a lot. This certainly looks sensible. Will try it out against my normal clusters.

[clux]

All seems fine here. Will add to the next release. Thanks again!

[davidB]

Thanks, I guess supporting refresh of id-token requires a dependency to jsonwebtoken and maybe to be able to update kubeconfig.

[clux]

Ah that's why this stuff is always broken everywhere. Even with main kubectl I've frequently had to delete lines from the auth provider line to trigger a refresh with certain oidc providers.

[clux]

Should be fine to pull that in though, doesn't look like it pulls in too many deps. Especially if we're trying to move to rustls long term #66. Happy to take a PR for it if it's somewhat maintainable. 🙂

[davidB]

maybe because some provider also update the refresh token, when you update the access-token (in fact allowing a refresh-token to be re-use is a security issue, iirc RFC)

[davidB]

I'll be busy during the next 2 or 3 weeks, but I'll take a look after if I don't forgot. If my k8s user use the cli I made with kube-rs, I things they will complain about this randow error message about invalid token ;-).

[clux]

Ok, I've made #72 to track it at least. I'd appreciate the help when you have time!

[davidB]

Do you have an ETA for 0.17.0 ?
I would like to be able to build my crate based on kube-rs and to allow my users to use it (with oidc).

FYI my crate is a kubectl plugin: kubectl-view-allocations and output thing like:

Resource                                                  Requested  %Requested  Limit  %Limit  Allocatable   Free
  cpu                                                              6           3     40      20          200    160
  ├─ node1                                                     0           0      0       0           12     12
  │  ├─ kube-flannel-ds-amd64-hqxgb                                0         NaN      0     NaN            0      0
  │  ├─ node-exporter-gpu-b4w7s                                    0         NaN      0     NaN            0      0
  │  └─ weave-scope-agent-x6hqz                                    0         NaN      0     NaN            0      0
  ├─ node2                                                     0           0      0       0           24     24
  │  ├─ kube-flannel-ds-amd64-p26rr                                0         NaN      0     NaN            0      0
  │  ├─ node-exporter-gpu-xqchb                                    0         NaN      0     NaN            0      0
  │  └─ weave-scope-agent-m9mn6                                    0         NaN      0     NaN            0      0
  ├─ node3                                                     0           0      0       0           32     32
  │  ├─ kube-flannel-ds-amd64-k9kmm

Thanks

[clux]

You can always pin to a git sha in Cargo.toml, but yeah, t's been a little too long. I'll try to make a version now.

[clux]

Released 0.17.0 now.

[davidB]

Thanks, I release my crates: https://crates.io/crates/kubectl-view-allocations