Using $KUBECONFIG with several files, logging into the cluster dumps all contexts into the default config file #966

Open
adietish opened this issue Jan 29, 2025 · 3 comments · May be fixed by #971
Labels: bug, severity/major

adietish commented Jan 29, 2025

Steps:

  1. ASSERT: have several config files, all of them listed on the KUBECONFIG env var
  • $KUBECONFIG
export KUBECONFIG=${HOME}/.kube/config:${HOME}/.kube/minikube.yaml:${HOME}/.kube/sandbox.yaml
  • config
apiVersion: v1
current-context: rh-sandbox
kind: Config
preferences: {}
  • minikube.yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /Users/adietish/.minikube/ca.crt
    extensions:
    - extension:
        provider: minikube.sigs.k8s.io
        version: v1.34.0
      name: cluster_info
    server: https://127.0.0.1:41825
  name: minikube
contexts:
- context:
    cluster: minikube
    extensions:
    - extension:
        last-update: Wed, 08 Jan 2025 15:05:54 CET
        provider: minikube.sigs.k8s.io
        version: v1.34.0
      name: context_info
    namespace: kube-node-lease
    user: minikube
  name: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /Users/adietish/.minikube/profiles/minikube/client.crt
    client-key: /Users/adietish/.minikube/profiles/minikube/client.key
  • sandbox.yaml
apiVersion: v1
clusters:
- cluster:
    server: https://api.XXXX.openshiftapps.com:6443
  name: rh-sandbox
contexts:
- context:
    cluster: rh-sandbox
    namespace: adietish-dev
    user: adietish/rh-sandbox
  name: rh-sandbox
current-context: ""
kind: Config
preferences: {}
users:
- name: adietish/rh-sandbox
  user:
    token: sha256~XXXXXXXXXXXXXXXXXXXEMhxfNi614txI
  2. EXEC: pick ctx menu action "Log in to Cluster"
  3. ASSERT: Login dialog is shown
  4. EXEC: get the token and paste into the Login dialog into the field "Token:"
  5. EXEC: hit "OK"
  6. ASSERT: The plugin is logged into the RH sandbox
  7. EXEC: cat ~/.kube/config

Result:
~/.kube/config was altered. All the above contexts were dumped into it. Interestingly, only the contexts were dumped. Neither the users nor the clusters were. Additionally, a new context was created for the cluster using the URL that was listed in the dialog.

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://api.rm1.0a51.p1.openshiftapps.com:6443
  name: api-rm1-0a51-p1-openshiftapps-com:6443
contexts:
- context:
    cluster: apiXXXXopenshiftapps-com:6443
    namespace: adietish-dev
    user: adietish/apiXXXXXopenshiftapps-com:6443
  name: adietish-dev/apiXXXXXopenshiftapps-com:6443/adietish
- context:
    cluster: minikube
    extensions:
    - extension:
        provider: minikube.sigs.k8s.io
        version: v1.34.0
      name: context_info
    namespace: kube-node-lease
    user: minikube
  name: minikube
- context:
    cluster: rh-sandbox
    namespace: adietish-dev
    user: adietish/rh-sandbox
  name: rh-sandbox
current-context: adietish-dev/api-rm1-0a51-p1-openshiftapps-com:6443/adietish
kind: Config
preferences: {}
users:
- name: adietish/apiXXXXXopenshiftapps-com:6443
  user:
    token: sha256XXXXXXXXXEMhxfNi614txI
adietish commented Jan 29, 2025

This is caused by calling oc login. The new context is created in the first file listed in the $KUBECONFIG:

https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/managing-cli-profiles.html#load-and-merge-rules_managing-cli-profiles

When a value is created, it is created in the first file that exists.

Why all the existing contexts are dumped into this file is beyond me currently

adietish commented Jan 29, 2025

oc login is currently implemented at

public void login(String url, String userName, char[] password, char[] token) throws IOException {
    if (userName != null && !userName.isEmpty()) {
        execute(new File(HOME_FOLDER), command, envVars, "login", url, "-u", userName, "-p", String.valueOf(password), "--insecure-skip-tls-verify");
    } else {
        execute(new File(HOME_FOLDER), command, envVars, "login", url, "--token", String.valueOf(token), "--insecure-skip-tls-verify");
    }
}

As a workaround, we could

  1. check if $KUBECONFIG exists
  2. if it exists (if it doesn't, we don't need to proceed differently):
  3. create a new file and specify --kubeconfig= when logging in, so that a new file is created.
oc login <cluster-url> --kubeconfig=<new file> --token=<token> --insecure-skip-tls-verify

or

oc login <cluster-url> --kubeconfig=<new file> -u=<username> -p=<password> --insecure-skip-tls-verify

I would think that the contexts that exist in $KUBECONFIG are visible and thus not dumped into the new file (not tested).

With a new file, we have the following problem though: the new file is not in the env. We can add it to the running system but there's no way for us to persist it.
Maybe we should simply use the first file in the list of files of the $KUBECONFIG and only that file (--kubeconfig=), hoping that oc would not dump the contexts of the other ones into it.

@sbouchet, @msivasubramaniaan, @vrubezhny: thoughts?

@adietish adietish added this to the 1.11.0 milestone Jan 29, 2025
adietish commented Jan 29, 2025

On GitHub, this issue was filed at openshift/oc#283
Reading the discussion one can see that the behaviour is intentional and that one should use --kubeconfig to avoid it.
A support case was opened though as of August 2024.
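
The workaround discussed in the comments above (log in with --kubeconfig pointing at the first file of $KUBECONFIG), sketched as an added shell example that is not the plugin's code. The function names are hypothetical; after the login it checks, rather than assumes, that no more than the one new context was written to the target file.

```shell
#!/bin/sh
# Added example (not the plugin's code); function names are hypothetical.

# File that receives newly created values: the first file in the
# colon-separated list ($1, default $KUBECONFIG) that exists, else the
# default ~/.kube/config. Runs in a subshell so IFS and noglob stay local.
kubeconfig_login_target() (
    IFS=:
    set -f
    for f in ${1-${KUBECONFIG-}}; do
        if [ -n "$f" ] && [ -f "$f" ]; then
            printf '%s\n' "$f"
            exit 0
        fi
    done
    printf '%s\n' "${HOME}/.kube/config"
)

# Context names present in list $2 (after) but absent from list $1 (before).
added_contexts() {
    printf '%s\n' "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Log in against the target file only, then fail if more than the one new
# context was written to it. --insecure-skip-tls-verify is left out here so
# the server certificate is verified.
oc_login_first_file() {
    url=$1 token=$2
    target=$(kubeconfig_login_target)
    before=$(oc config get-contexts -o name --kubeconfig="$target" 2>/dev/null)
    oc login "$url" --kubeconfig="$target" --token="$token" || return 1
    after=$(oc config get-contexts -o name --kubeconfig="$target") || return 1
    added=$(added_contexts "$before" "$after")
    if [ "$(printf '%s\n' "$added" | grep -c .)" -gt 1 ]; then
        printf 'unexpected contexts written to %s:\n%s\n' "$target" "$added" >&2
        return 1
    fi
}

# Show which file a login would modify with the current environment.
echo "oc login would write to: $(kubeconfig_login_target)"
```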
