Kubeconfig user exec not working #777

Closed
4durban opened this issue Aug 29, 2024 · 2 comments

4durban commented Aug 29, 2024

SUMMARY

I have two different kubeconfigs, one using a token and one using an EXEC plugin for the authentication as specified in kubeconfig https://kubernetes.io/docs/reference/config-api/kubeconfig.v1/#ExecConfig.

With this first one the collection works fine:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLAAAAAAA==
    server: https://m.kws.example.com:6443
  name: workspace
contexts:
- context:
    cluster: workspace
    user: sis-kubeconfigs
  name: adurban@workspace
current-context: adurban@workspace
kind: Config
preferences: {}
users:
- name: sis-kubeconfigs
  user:
    token: eyJhXXXXXXXXXXXXXA

But with this one it does not:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0AAAAAK
    server: https://auth-provider.example.com:443
    tls-server-name: kube-auth-provider-proxy-alpn.auth-provider.example.com
  name: auth-provider.example.com
contexts:
- context:
    cluster: auth-provider.example.com
    extensions:
    - extension: null
      name: auth-provider-prev-selec-ctx
    - extension: workspace
      name: auth-provider.kube.name
    user: auth-provider.example.com-workspace
  name: auth-provider-auth-provider-workspace
current-context: auth-provider-auth-provider-workspace
kind: Config
preferences: {}
users:
- name: auth-provider.example.com-workspace
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - kube
      - credentials
      - --kube-cluster=workspace
      - --auth-provider-cluster=auth-provider.example.com
      - --proxy=auth-provider.example.com
      command: /usr/local/bin/auth-provider
      env: null
      provideClusterInfo: false

The thing is that both of them work fine with kubectl (the native binary provided by kubernetes) so I am guessing that the issue is with the collection, or the python module under the hood. But from my understanding the python module indeed supports this, so I guess there is some kind of missing functionality/bug in this?

ISSUE TYPE
  • Bug Report
COMPONENT NAME

I guess the issue is with the way you parse/create the request using the collection into the python plugin.

ANSIBLE VERSION
ansible [core 2.16.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/adurban/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/adurban/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/adurban/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/adurban/.local/bin/ansible
  python version = 3.10.12 (main, Jul 29 2024, 16:56:48) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection      Version
--------------- -------
kubernetes.core 2.4.0  
STEPS TO REPRODUCE

To reproduce, try to execute any task from the collection using a kubeconfig that uses the exec plugin function from the kubeconfig.

EXPECTED RESULTS

I expected the collection to behave the same way with token auth or with exec auth, but it does not.

ACTUAL RESULTS

The issue is that when I try to execute a task using the exec auth in the user it does not work, an error pops up, and I guess that it is because it is not parsing the exec section of the kubeconfig


yurnov commented Sep 1, 2024

Hi @4durban,

Let's clarify this issue. What is the kubernetes.core module that doesn't work with the exec plugin? Does your authentication method require any additional environment variable, like authentication keys or so?

And finally, did you try collections versions 3.2.0 or 5.0.0?

I have used the kubernetes.core collection version 3.2.0 with AWS EKS, where the kubeconfig uses the exec plugin and awscli to authenticate in AWS, and had no issue with the modules kubernetes.core.k8s, kubernetes.core.k8s_info, kubernetes.core.k8s_cp, kubernetes.core.k8s_exec, kubernetes.core.k8s_scale, kubernetes.core.k8s_json_patch, kubernetes.core.helm, kubernetes.core.helm_info, and the connection plugin kubernetes.core.kubectl. The modules work fine without any issue (when I set the remote environment variable for authorization), and the connection plugin kubernetes.core.kubectl requires an extra variable, kubectl_local_env_vars, that was added in version 3.1.0; please check #702 and #698.

So, generally I can't confirm this bug


4durban commented Sep 4, 2024

Hello @yurnov,

You are completely right, the issue was with my config; it took some time to figure it out. Since this module is executed on localhost, I did not realize that I had "become=True" configured in the ansible.cfg, and when I launched the tasks, they were executed as root, and root was not able to find the binary needed for the exec authentication plugin (it was available to my user and on its PATH variable, not root's). I thought that the issue was with the implementation, because the error message was not really clear to me, but I managed to solve it.

So, I think that I will close the issue since the issue was on my side and has nothing to do with the code. If you have a place for Troubleshooting or something like that and want to detail this I think that other people may find it useful.

Thank you for your time and response

@4durban 4durban closed this as completed Sep 4, 2024
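
A preflight check for the failure described in the last comment, as an added example that is not part of the thread or of kubernetes.core: it lists the kubeconfig users that rely on an exec plugin and tests whether the plugin command resolves under the PATH of the account the task actually runs as. The function names are hypothetical, the kubeconfig is assumed to be already parsed into a dict, and the demo data is constructed, with the running Python interpreter standing in for the plugin binary.

```python
import os
import shutil
import sys
import tempfile


def exec_plugin_findings(kubeconfig, path_env):
    """Report, per exec-authenticated user, whether the plugin command resolves.

    kubeconfig: parsed kubeconfig as a dict (for example from yaml.safe_load).
    path_env:   PATH of the account the task really runs as (root under become).
    """
    findings = []
    for entry in kubeconfig.get("users") or []:
        exec_cfg = (entry.get("user") or {}).get("exec")
        if not exec_cfg:
            continue  # token or client-certificate user: no binary to find
        command = exec_cfg.get("command") or ""
        # shutil.which tests a command containing a directory part directly and
        # searches path_env otherwise; both cases require the execute bit.
        resolved = shutil.which(command, path=path_env) if command else None
        findings.append({"user": entry.get("name"), "command": command,
                         "resolved": resolved, "ok": resolved is not None})
    return findings


def demo():
    """Constructed case: the plugin is on the user's PATH but not on root's."""
    # Stand-in for the plugin binary: the running interpreter, so the demo
    # works on any machine without installing anything.
    plugin_dir, plugin_name = os.path.split(sys.executable)
    cfg = {"users": [
        {"name": "sis-kubeconfigs", "user": {"token": "PLACEHOLDER"}},
        {"name": "auth-provider.example.com-workspace",
         "user": {"exec": {"command": plugin_name,
                           "args": ["kube", "credentials"]}}},
    ]}
    with tempfile.TemporaryDirectory() as root_only_dir:  # empty "root" PATH
        as_user = exec_plugin_findings(cfg, plugin_dir)
        as_root = exec_plugin_findings(cfg, root_only_dir)
    return as_user, as_root


if __name__ == "__main__":
    for label, result in zip(("user PATH", "root PATH"), demo()):
        for finding in result:
            print(label, finding["user"], finding["command"],
                  "->", finding["resolved"] or "NOT FOUND")
```

Running the check as the same account and with the same environment as the play (for example under `become`) shows the mismatch before any module reports an authentication error.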