From d0ffd89ba585e7b2c877b0d165568782a8859a9c Mon Sep 17 00:00:00 2001
From: Antonia <56017655+anvddriesch@users.noreply.github.com>
Date: Thu, 13 Oct 2022 15:20:24 +0900
Subject: [PATCH 1/2] use server address instead of issuer address when retrying login (#915)

---
 CHANGELOG.md | 4 ++++
 cmd/login/login.go | 5 ++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d30cd269..187a35d86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Fixed
+
+- Fixed a bug in `login` command where the `issuer` URL was used instead of the `server` address in login retry attempt.
+
 ### Added
 
 - Added read header timeout to http server
diff --git a/cmd/login/login.go b/cmd/login/login.go
index 4f720efd3..8fa01ef3b 100644
--- a/cmd/login/login.go
+++ b/cmd/login/login.go
@@ -47,10 +47,9 @@ func (r *runner) loginWithKubeContextName(ctx context.Context, contextName strin
 	authType := kubeconfig.GetAuthType(config, contextName)
 	if authType == kubeconfig.AuthTypeAuthProvider {
 		// If we get here, we are sure that the kubeconfig context exists.
-		authProvider, _ := kubeconfig.GetAuthProvider(config, contextName)
-		issuer := authProvider.Config[Issuer]
+		server, _ := kubeconfig.GetClusterServer(config, contextName)
 
-		err = r.loginWithURL(ctx, issuer, false, "")
+		err = r.loginWithURL(ctx, server, false, "")
 		if err != nil {
 			return microerror.Mask(err)
 		}

From 0eb52afe70f5b9fc8aeb23e95fb3fe90fe6082b4 Mon Sep 17 00:00:00 2001
From: vvondruska
Date: Thu, 13 Oct 2022 10:33:03 +0200
Subject: [PATCH 2/2] Prevented unnecessary writes to the main kubeconfig file (#912)

* Prevented unnecessary writes to the main kubeconfig file

* Updated changelog
---
 CHANGELOG.md | 4 ++++
 cmd/login/clientcert.go | 5 +++--
 pkg/middleware/renewtoken/renewtoken.go | 28 ++++++++++++++++---------
 3 files changed, 25 insertions(+), 12 deletions(-)
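Review bot: The error returned by `kubeconfig.GetClusterServer` is discarded on the added line, so a context whose referenced `cluster` entry is absent from the kubeconfig would reach `r.loginWithURL` with an empty server address; the comment above only establishes that the context itself exists, not the cluster it points to. The blank identifier should become `server, err := kubeconfig.GetClusterServer(config, contextName)`, followed by the same `if err != nil { return microerror.Mask(err) }` guard that already follows the `loginWithURL` call. Whether GetClusterServer reports a missing cluster as an error or as an empty string is not visible here, so an explicit `server == ""` check may be needed as well. `loginWithKubeContextName` starts before and continues after the hunk.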
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 187a35d86..d117839d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 - Added read header timeout to http server
 
+### Changed
+
+- Adjusted `kubectl gs login` command to ensure that it writes to the main kubeconfig file only in case there are actual changes in the content of the file.
+
 ## [2.24.1] - 2022-10-12
 
 ### Fixed
diff --git a/cmd/login/clientcert.go b/cmd/login/clientcert.go
index 6677f8e5c..638a0f1f5 100644
--- a/cmd/login/clientcert.go
+++ b/cmd/login/clientcert.go
@@ -392,8 +392,9 @@ func printWCClientCertCredentials(k8sConfigAccess clientcmd.ConfigAccess, fs afe
 	if err != nil {
 		return "", false, microerror.Mask(err)
 	}
-	// Because we are still in the MC context we need to switch back to the origin context after creating the WC kubeconfig file
-	if c.loginOptions.originContext != "" {
+	// Change back to the origin context if needed
+	if c.loginOptions.originContext != "" && config.CurrentContext != "" && c.loginOptions.originContext != config.CurrentContext {
+		// Because we are still in the MC context we need to switch back to the origin context after creating the WC kubeconfig file
 		config.CurrentContext = c.loginOptions.originContext
 		err = clientcmd.ModifyConfig(k8sConfigAccess, *config, false)
 		if err != nil {
diff --git a/pkg/middleware/renewtoken/renewtoken.go b/pkg/middleware/renewtoken/renewtoken.go
index 7707eb74c..bfa6c0477 100644
--- a/pkg/middleware/renewtoken/renewtoken.go
+++ b/pkg/middleware/renewtoken/renewtoken.go
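Review bot: The added `config.CurrentContext != ""` clause in the new condition is redundant with the inequality test that follows it, and it changes behaviour in exactly one case: when the in-memory kubeconfig has no current context but `originContext` is set, the two values already differ, yet the restore is now skipped and the user's original context is not put back. If that is deliberate, the new comment should say so, e.g. `// Restore the origin context only when one was recorded and the current context actually changed; an unset current context is left untouched`; if not, drop the middle clause so the write is skipped only when the value is already the origin context. The comment moved inside the block still describes the MC-to-origin switch correctly. `printWCClientCertCredentials` starts before and continues after the hunk.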
@@ -10,6 +10,13 @@ import (
 	"github.com/giantswarm/kubectl-gs/pkg/oidc"
 )
 
+const (
+	refreshTokenKey = "refresh-token"
+	idTokenKey = "id-token"
+	idpIssuerUrlKey = "idp-issuer-url"
+	clientIdKey = "client-id"
+)
+
 // Middleware will attempt to renew the current context's auth info token.
 // If the renewal fails, this middleware will not fail.
 func Middleware(config genericclioptions.RESTClientGetter) middleware.Middleware {
@@ -30,8 +37,8 @@ func Middleware(config genericclioptions.RESTClientGetter) middleware.Middleware
 		var auther *oidc.Authenticator
 		{
 			oidcConfig := oidc.Config{
-				Issuer: authProvider.Config["idp-issuer-url"],
-				ClientID: authProvider.Config["client-id"],
+				Issuer: authProvider.Config[idpIssuerUrlKey],
+				ClientID: authProvider.Config[clientIdKey],
 			}
 			auther, err = oidc.New(ctx, oidcConfig)
 			if err != nil {
@@ -39,16 +46,17 @@ func Middleware(config genericclioptions.RESTClientGetter) middleware.Middleware
 			}
 		}
 
-		{
-			idToken, rToken, err := auther.RenewToken(ctx, authProvider.Config["refresh-token"])
-			if err != nil {
-				return nil
-			}
-			authProvider.Config["refresh-token"] = rToken
-			authProvider.Config["id-token"] = idToken
+		idToken, rToken, err := auther.RenewToken(ctx, authProvider.Config[refreshTokenKey])
+		if err != nil {
+			return nil
 		}
 
-		_ = clientcmd.ModifyConfig(k8sConfigAccess, *config, true)
+		// Update the config only in case there are actual changes
+		if authProvider.Config[refreshTokenKey] != rToken || authProvider.Config[idTokenKey] != idToken {
+			authProvider.Config[refreshTokenKey] = rToken
+			authProvider.Config[idTokenKey] = idToken
+			_ = clientcmd.ModifyConfig(k8sConfigAccess, *config, true)
+		}
 
 		return nil
 	}
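Review bot: The new constant names `idpIssuerUrlKey` and `clientIdKey` break the Go initialism convention that the same file already follows with the `ClientID` field of `oidc.Config`; they should read `idpIssuerURLKey` and `clientIDKey`, with the two uses in the second hunk renamed to match. The string values are the well-known kubectl auth-provider config keys and must stay exactly as written, so a one-line comment above the block, `// Keys of the auth-provider config map as written by kubectl's OIDC plugin`, would tell the next reader why they are not free to change. The enclosing `import (` block starts before the hunk.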
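Review bot: The re-added `_ = clientcmd.ModifyConfig(k8sConfigAccess, *config, true)` in the last hunk still discards the write error, and after this change that matters more: the in-memory `authProvider.Config` has already been updated with the new tokens, so a failed write leaves the process using a refresh token that was never persisted, and if the identity provider rotates refresh tokens on each renewal (not visible here) the kubeconfig would then hold a token that no longer works on the next invocation. The package comment says renewal must not fail the command, so the discard is deliberate, but it should be explained in place, e.g. `// Best effort: the Middleware contract forbids failing the command here, at the cost of a renewed token being lost if the write fails`; emitting the error through whatever logging the command already has would make such failures diagnosable. The comparison on the new `if` line correctly skips the write when neither token changed. `Middleware` starts before the hunk.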