I'm trying to set oidc credentials and got stuck, because the client-secret contains a comma:
kubectl config set-credentials user#cluster \
--auth-provider=oidc \
--auth-provider-arg='idp-issuer-url=https://host' \
--auth-provider-arg='client-id=xxx' \
--auth-provider-arg='client-secret=AAAA,BBBB'
This results in the following error:
error: Error: invalid auth-provider-arg format: BBBB
Is there a way to escape the char?
Mentioning the special characters in a single quote is an exact work around for escaping special characters but in this case as comma is present it's considered as extra-scope (Scopes to request to the provider (comma separated)).
Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as following:
$ kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
sed -i ' ' -e s/SCOPES/email,profile/ $KUBECONFIG
kubectl config set-credentials user#cluster \
--auth-provider=oidc \
--auth-provider-arg='idp-issuer-url=https://host' \
--auth-provider-arg='client-id=xxx' \
--auth-provider-arg='"client-secret=AAAA,BBBB"'
Related
My team runs into a recurring issue where if we mis-spell a parameter for our argo workflows, that parameter gets ignored without error. For example, say I run the following submission command, where the true (optional) parameter is validation_data_config:
argo submit --from workflowtemplate/training \
-p output=$( artifacts resolve-url $BUCKET $PROJECT $TAG) \
-p tag=${TAG} \
-p training_config="$( yq . training.yaml )" \
-p training_data_config="$( yq . train-data.yaml )" \
-p validation-data-config="$( yq . validation-data.yaml )" \
-p wandb-project="cyclegan_c48_to_c384" \
-p cpu=4 \
-p memory="15Gi" \
--name "${NAME}" \
--labels "project=${PROJECT},experiment=${EXPERIMENT},trial=${TRIAL}"
The validation configuration is ignored and the job is run without validation metrics because I used hyphens instead of underscores.
I also understand the parameters should use consistent hyphen/underscore naming, but we've also had this happen with e.g. the "memory" parameter.
Is there any way to detect this automatically, to have the submission error if a parameter is unused, or even to get a list of parameters for a given workflow template so I can write such detection myself?
When I use base64 inside Ubuntu to encode admin, I get: YWRtaW4K. But when I see secret in kubernetes I get YWRtaW4=.
enter image description here
You need to remove the trailing newline character from the input; you can use the -n switch to trim the trailing new line from the echo command and get the same behavior as seen with the Kubernetes secrets.
echo -n "admin" |base64
YWRtaW4=
echo -n "YWRtaW4=" |base64 -d
admin
I have a command similar to this
kubectl get secrets \
--selector='my-selector' \
-o jsonpath='{range .items[*] }{"\n"}{.metadata.labels.cluster-name}{"."}{.metadata.namespace {":"}{"5432"}{"postgres" }{":"}{.data.password}{end}'
which outputs a list like this (format required)
cluster-name.namespace:5432:postgres:YbHF....==
cluster-name.namespace:5432:postgres:YbHF....==
cluster-name.namespace:5432:postgres:YbHF....==
I need to decode the base64 for this file and using the kubectl cheat sheet as a reference which gives this example:
# Output decoded secrets without external tools
kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'
I tried the following
kubectl get secrets \
--selector='my-selector' \
-o jsonpath='{range .items[*] }{"\n"}{.metadata.labels.cluster-name}{"."}{.metadata.namespace {":"}{"5432"}{"postgres" }{":"}{.data.password|base64decode}{end}'
The result is that everything appears apart from the password field which is now blank, for example:
cluster-name.namespace:5432:postgres:
Any pointers would be appreciated.
As per #mdaniel suggestion I used the -o go-template
My main syntaxal changes were removing the [ ], ie, {range .items[*] } to {{range .items}}'
And if a key contained a - then {.metadata.labels.cluster-name} became {{index .metadata.labels "cluster-name"}}
My solution below which enabled the base64 decode to work:
kubectl get secrets \
--selector='my-selector' \
-o go-template='{{range .items}}{{"\n"}}{{index .metadata.labels "cluster-name"}}{{"."}}{{.metadata.namespace }}{{":"}}{{"5432"}}{{"postgres"}}{{":"}}{{.data.password|base64decode}}{{end}}'
I'm trying to import this example into postman
curl -s --user 'api:YOUR_API_KEY' \
https://api.mailgun.net/v3/YOUR_DOMAIN_NAME/messages \
-F from='Excited User <mailgun#YOUR_DOMAIN_NAME>' \
-F to=YOU#YOUR_DOMAIN_NAME \
-F to=bar#example.com \
-F subject='Hello' \
-F text='Testing some Mailgun awesomness!'
Please help me understand the -s, --user, -F, what is that? And then when I try to import, I get this error: option-less arguments found. How can I fix this?
If you're trying to execute curl commands in Postman, select Import, then Paste Raw Text and then copy the command, but first remove all backslashes.
I found following option in standalone.xml of our jboss 7 installation:
<module-option name="baseFilter" value="(&(objectClass=User)(sAMAccountName={0}))"/>
The & instead & looks odd to me, but the login process of our service seems to work so far. Do you use & or & in your configurations? Is it a general "masking" that is necessary for special characters that could be shell expanded or so?
Thanks for any thoughts on this.
Chris
It's standard character escaping in XML. The ampersand character in XML files is used as prefix for XML character entities.
If you use JBoss CLI then use the ampersands without escaping.
/subsystem=security/security-domain=testLdapExample3/authentication=classic/login-module=LdapExtended:add( \
code=LdapExtended, \
flag=required, \
module-options=[ \
("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"), \
("java.naming.provider.url"=>"ldap://ldaphost.jboss.org"), \
("java.naming.security.authentication"=>"simple"), \
("bindDN"=>"cn=Root,dc=jboss,dc=org"), \
("bindCredential"=>"secret1"), \
("baseCtxDN"=>"ou=People,o=example3,dc=jboss,dc=org"), \
("baseFilter"=>"(&(objectClass=User)(sAMAccountName={0}))"), \
("rolesCtxDN"=>"ou=Roles,o=example3,dc=jboss,dc=org"), \
("roleFilter"=>"(member={1})"), \
("roleAttributeID"=>"cn") \
])