This repository has been archived by the owner on Mar 13, 2022. It is now read-only.

Improve similarity with kubectl in handling of oidc kubeconfigs #144

Closed
wants to merge 1 commit into from

@mogaika mogaika commented Jul 10, 2019

  • allow 'client-secret' to be empty
  • fix 'verify' parameter of refresh_token call

Fixes: #142

@k8s-ci-robot
Contributor

Welcome @mogaika!

It looks like this is your first PR to kubernetes-client/python-base 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-client/python-base has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/XS and cncf-cla: yes labels Jul 10, 2019
@mogaika mogaika changed the title from "Improve similarity with kubelet in handling of oidc kubeconfigs (#142)" to "Improve similarity with kubelet in handling of oidc kubeconfigs" Jul 10, 2019
@codecov-io

codecov-io commented Jul 10, 2019

Codecov Report

Merging #144 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #144      +/-   ##
==========================================
+ Coverage   93.41%   93.42%   +<.01%     
==========================================
  Files          13       13              
  Lines        1398     1399       +1     
==========================================
+ Hits         1306     1307       +1     
  Misses         92       92
Impacted Files Coverage Δ
config/kube_config.py 87.56% <100%> (+0.03%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6b65461...81e84ef. Read the comment docs.

@roycaihw
Member

/cc

@yliaog
Contributor

yliaog commented Jul 16, 2019

I think you mean "Improve similarity with kubectl" instead of "Improve similarity with kubelet".

provider['config']['client-secret']),
verify=config.ssl_ca_cert if config.verify_ssl else None
client_secret),
verify=config.ssl_ca_cert if config.verify_ssl else False
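
Review bot: the `else False` on the new `verify=` line switches certificate verification off for the token refresh whenever `config.verify_ssl` is false, and that same call carries `client_secret`. The old `else None` passed no explicit setting. If skipping verification for the identity provider is intended, make it a deliberate, documented choice with a unit test for a kubeconfig that has no IdP CA; otherwise keep `None` and leave this line out of the change.
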
Member

@roycaihw roycaihw Jul 16, 2019

As you pointed out in the issue, verify can be either a boolean or a string. When verify is None, the requests Session tries to look for requests environment configuration. I wonder what's the implication of changing verify to False here? More importantly, what's the expected behavior when idp-certificate-authority-data is empty in kubeconfig (and verify_ssl being False as a result)?

Member

@yliaog Do you have more context on this as you looked at #69?

Contributor

I don't have more context. Please add a unit test that fails before the PR, and works after the PR.

Author

@mogaika mogaika Sep 26, 2019

My logic was based on the fact that kubectl ignores cert verification problems (like I had in #142). And since the request method description notes that the 'verify' parameter can be either bool or string, I thought that the original code planned to use False instead of None, because it's strange to explicitly point out that the 'verify' parameter must be None since it's None by default. I remove the parameter change from this commit since it's another unclear subject to discuss (if kubectl ignores verification problems, is it a problem of kubectl or not, and does the python client mimic this strange behaviour).
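
The difference between `verify=None` and `verify=False` discussed in this review thread, checked against the requests library itself. This is an added example, not code from the PR or from kubernetes-client; `effective_verify`, `kubeconfig_verify`, the URL and the file paths are constructed for illustration.

```python
import os

import requests

# Constructed placeholder URL; nothing is sent to it.
IDP_URL = "https://idp.example.invalid/token"
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def effective_verify(verify, ca_bundle_env=None):
    """Return the `verify` value a requests Session settles on for a request
    made with `verify`, optionally with REQUESTS_CA_BUNDLE set."""
    saved = {name: os.environ.pop(name, None) for name in CA_ENV_VARS}
    try:
        if ca_bundle_env is not None:
            os.environ["REQUESTS_CA_BUNDLE"] = ca_bundle_env
        settings = requests.Session().merge_environment_settings(
            IDP_URL, {}, None, verify, None)
        return settings["verify"]
    finally:
        # Restore the caller's environment exactly as it was.
        os.environ.pop("REQUESTS_CA_BUNDLE", None)
        for name, value in saved.items():
            if value is not None:
                os.environ[name] = value


def kubeconfig_verify(ssl_ca_cert, verify_ssl, fallback):
    """The expression from the diff, with the `else` value as a parameter."""
    return ssl_ca_cert if verify_ssl else fallback


if __name__ == "__main__":
    ca = "/tmp/constructed-idp-ca.pem"      # constructed path, never opened
    env_ca = "/tmp/constructed-env-ca.pem"  # constructed path, never opened
    cases = [
        ("CA set, verify_ssl on", kubeconfig_verify(ca, True, None), None),
        ("no CA, else None", kubeconfig_verify(None, False, None), None),
        ("no CA, else None, env bundle", kubeconfig_verify(None, False, None), env_ca),
        ("no CA, else False", kubeconfig_verify(None, False, False), None),
        ("no CA, else False, env bundle", kubeconfig_verify(None, False, False), env_ca),
    ]
    for label, verify, env in cases:
        print(f"{label:32} -> verify={effective_verify(verify, env)!r}")
```

A result of `True` means requests verifies against its default CA bundle; only the `else False` variant ends with verification disabled, and an environment CA bundle does not override it.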

@roycaihw roycaihw changed the title from "Improve similarity with kubelet in handling of oidc kubeconfigs" to "Improve similarity with kubectl in handling of oidc kubeconfigs" Jul 16, 2019
@scottilee

@mogaika could you provide an update to the comment above?

@mogaika mogaika force-pushed the issue_142 branch 2 times, most recently from 4b9da57 to 8f41346 Compare September 26, 2019 20:45
@@ -361,13 +361,14 @@ def _refresh_oidc(self, provider):
return

response = json.loads(response.data)
client_secret = provider['config'].safe_get('client-secret') or ''
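
Review bot: on the `client_secret = ... or ''` line, the `or ''` turns both a missing `client-secret` key and an empty value into an empty string, so the refresh call can no longer tell "no secret configured" from "secret is empty". Consider passing the `safe_get('client-secret')` result through unchanged and adding a test with a kubeconfig that omits `client-secret`, so the behaviour for that case is pinned down.
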
Member

Should client_secret be empty string or None? Could you show what kubectl sends?


@pshchelo pshchelo Oct 9, 2019

I've stumbled on the same issue, and while poking around, None is what works, so just delete the 'or' clause

@mogaika
Author

mogaika commented Oct 18, 2019

I currently have no option to test real traffic, but looking at the kubectl client-go code I confirm that @roycaihw and @pshchelo are right.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale label and removed the cncf-cla: yes label Jan 16, 2020
@k8s-ci-robot
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
  • If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
  • Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no label Jan 16, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten label and removed the lifecycle/stale label Feb 15, 2020
@pshchelo

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten label Feb 18, 2020
@roycaihw
Member

/lgtm
/approve

Allowing client-secret to be empty looks good. Please fix the commit missing GitHub user issue.

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 18, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mogaika, roycaihw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved label Feb 18, 2020
@k8s-ci-robot k8s-ci-robot added the lifecycle/stale label May 19, 2020
@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten label and removed the lifecycle/stale label Jun 18, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closed this PR.


@z0r0

z0r0 commented Aug 6, 2020

Can we re-open this one? I'm facing the same issue here.

@yliaog
Contributor

yliaog commented Aug 6, 2020

/reopen

@k8s-ci-robot k8s-ci-robot reopened this Aug 6, 2020
@k8s-ci-robot
Contributor

@yliaog: Reopened this PR.


@k8s-ci-robot
Contributor

@fejta-bot: Closed this PR.


Labels
approved, cncf-cla: no, lgtm, lifecycle/rotten, size/XS
Development

Successfully merging this pull request may close these issues.

OIDC auth behaivor differs from kubectl
9 participants