Merge branch 'main' into renovate/etc-modules

CHANGELOG.md

@@ -7,10 +7,18 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Fixed
+
+- Fixed a bug in `login` command where the `issuer` URL was used instead of the `server` address in login retry attempt.
+
 ### Added
 
 - Added read header timeout to http server
 
+### Changed
+
+- Adjusted `kubectl gs login` command to ensure that it writes to the main kubeconfig file only in case there are actual changes in the content of the file.
+
 ## [2.24.1] - 2022-10-12
 
 ### Fixed

cmd/login/clientcert.go

@@ -392,8 +392,9 @@ func printWCClientCertCredentials(k8sConfigAccess clientcmd.ConfigAccess, fs afe
 	if err != nil {
 		return "", false, microerror.Mask(err)
 	}
-	// Because we are still in the MC context we need to switch back to the origin context after creating the WC kubeconfig file
-	if c.loginOptions.originContext != "" {
+	// Change back to the origin context if needed
+	if c.loginOptions.originContext != "" && config.CurrentContext != "" && c.loginOptions.originContext != config.CurrentContext {
+		// Because we are still in the MC context we need to switch back to the origin context after creating the WC kubeconfig file
 		config.CurrentContext = c.loginOptions.originContext
 		err = clientcmd.ModifyConfig(k8sConfigAccess, *config, false)
 		if err != nil {

cmd/login/login.go

@@ -47,10 +47,9 @@ func (r *runner) loginWithKubeContextName(ctx context.Context, contextName strin
 		authType := kubeconfig.GetAuthType(config, contextName)
 		if authType == kubeconfig.AuthTypeAuthProvider {
 			// If we get here, we are sure that the kubeconfig context exists.
-			authProvider, _ := kubeconfig.GetAuthProvider(config, contextName)
-			issuer := authProvider.Config[Issuer]
+			server, _ := kubeconfig.GetClusterServer(config, contextName)
 
-			err = r.loginWithURL(ctx, issuer, false, "")
+			err = r.loginWithURL(ctx, server, false, "")
 			if err != nil {
 				return microerror.Mask(err)
 			}

pkg/middleware/renewtoken/renewtoken.go

@@ -10,6 +10,13 @@ import (
 	"github.com/giantswarm/kubectl-gs/pkg/oidc"
 )
 
+const (
+	refreshTokenKey = "refresh-token"
+	idTokenKey      = "id-token"
+	idpIssuerUrlKey = "idp-issuer-url"
+	clientIdKey     = "client-id"
+)
+
 // Middleware will attempt to renew the current context's auth info token.
 // If the renewal fails, this middleware will not fail.
 func Middleware(config genericclioptions.RESTClientGetter) middleware.Middleware {
@@ -30,25 +37,26 @@ func Middleware(config genericclioptions.RESTClientGetter) middleware.Middleware
 		var auther *oidc.Authenticator
 		{
 			oidcConfig := oidc.Config{
-				Issuer:   authProvider.Config["idp-issuer-url"],
-				ClientID: authProvider.Config["client-id"],
+				Issuer:   authProvider.Config[idpIssuerUrlKey],
+				ClientID: authProvider.Config[clientIdKey],
 			}
 			auther, err = oidc.New(ctx, oidcConfig)
 			if err != nil {
 				return nil
 			}
 		}
 
-		{
-			idToken, rToken, err := auther.RenewToken(ctx, authProvider.Config["refresh-token"])
-			if err != nil {
-				return nil
-			}
-			authProvider.Config["refresh-token"] = rToken
-			authProvider.Config["id-token"] = idToken
+		idToken, rToken, err := auther.RenewToken(ctx, authProvider.Config[refreshTokenKey])
+		if err != nil {
+			return nil
 		}
 
-		_ = clientcmd.ModifyConfig(k8sConfigAccess, *config, true)
+		// Update the config only in case there are actual changes
+		if authProvider.Config[refreshTokenKey] != rToken || authProvider.Config[idTokenKey] != idToken {
+			authProvider.Config[refreshTokenKey] = rToken
+			authProvider.Config[idTokenKey] = idToken
+			_ = clientcmd.ModifyConfig(k8sConfigAccess, *config, true)
+		}
 
 		return nil
 	}