[BUG] The Kyma kubeconfig is unavailable through kubeconfiggenerator.oidc.orchestrate.cloud.sap. #94

Open
JayChanggithub opened this issue Jan 8, 2025 · 3 comments

JayChanggithub commented Jan 8, 2025

Hi Colleagues,

We use the composition XRD claim to deploy the Kyma runtime via this repository. However, we are currently encountering a strange issue: although the kubeconfiggenerator.oidc.orchestrate.cloud.sap resource is ready and the kubeconfig secret is generated, the issue persists: the kubeconfig is unavailable.

Tested with Provider Version

apiServer:
  type: GardenerDedicated
btpServiceOperator:
  version: 0.6.8
externalSecretsOperator:
  version: 0.10.7
flux:
  version: 2.14.0
crossplane:
  version: 1.18.0
  providers:
    - name: btp
      version: 1.0.2
    - name: kubernetes
      version: 0.15.0
    - name: ias
      version: 0.2.0
    - name: vault
      version: 1.0.0
    - name: btp-account
      version: 0.7.6
    - name: argocd
      version: 0.9.1

To Reproduce

k get CertBasedOIDCLogin.oidc.orchestrate.cloud.sap,KubeConfigGenerator.oidc.orchestrate.cloud.sap 
NAME                                                               READY   SYNCED   EXTERNAL-NAME        AGE
certbasedoidclogin.oidc.orchestrate.cloud.sap/k-sre-slow-us21-co   True    True     k-sre-slow-us21-co   5h35m

NAME                                                                READY   SYNCED   EXTERNAL-NAME        AGE
kubeconfiggenerator.oidc.orchestrate.cloud.sap/k-sre-slow-us21-co   True    True     k-sre-slow-us21-co   5h35m

 k view-secret -a k-sre-slow-us21-co-kyma-kubeconfig 

kubeconfig='apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ1akNDQWs2Z0F3SUJBZ0lRZDBzcjhRbFVsU09tNHdzQk5DcVZIekFOQmdrcWhraUc5dzBCQVFzRkFEQU4KTVFzd0NRWURWUVFERXdKallUQWVGdzB5TlRBeE1EZ3dPRFEyTWpGYUZ3MHpOVEF4TURnd09EUTNNakZhTUEweApDekFKQmdOVkJBTVRBbU5oTUlJQm9qQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FZOEFNSUlCaWdLQ0FZRUF5akkyCm5sRlZzOEVwMWZOV0Qrd3pkRlRkSWpnQWZsUDVTUGZjejRTMGxQeFlpQVB0MGh4S3U1TUJ5SzhsTXphTkJhWEUKNS9ZRzFmdXVIT0VhZTZxYjk5UlhmYVNDMDFXY09MK2ZvRTdrZVRCVDFJdFVRRDRMVER5Q0hxbUV2UmxobGdwQwpmUXdDeFFSL21LZlNwQ0hPekdVSG80M0dZNzM5U3BLNnU1QW5wbDcvUjF3RXdnNjRqNjZrWEJzVUVBVlczei9VCmZpOEZDZ2FTR0U4bDIrOWxLdng2OVk0RTFZd3V3MGRXOEIwYnZjT3ZVb042WjRVWGdCU1huQVl3ekNYRW5UN3EKUUY4UUd0YlU4NHhaRm91MlNDQjVzQm1SVit5eVpJdVZEUlpVdHdWMGZYcHZXVjJxMm9lbU9CQTdLOVkyb3VXVgpWSGtyRDJaVnBxUSs1RlMxNjh5R1VKOTN0Y0pwdGZ0SnA4U0FwSDcrcmlURWdNaFMyYUlWNi9aTnNteWxRaEx6CmNFc2FjaElmQ0hkaC9RZXpubzNVZUIzejUxbUYwRlFURktlN29jNG5VaWZRYzVySUJ3N2xRQmxGZDF1a1FBcGwKeVZzVm9SQ2hoT00ydXBBWUdVTmYrcmZRZDFnUzk0RTlaU0lCVEtsRnpSNThCdkd5dStMTjdkZkRxbDZsQWdNQgpBQUdqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCcGpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCkJCU2I5SE0xY0lCTnZGWEF4YURLSDJJVHYzQXVwREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBWUVBQ1NJandmdSsKUlhUQmxDcVZTUjBiNldzY1ArM0dUenFTK25QaER5dWJwRy9mSjVsN01jTG9oNUdEemhSQXEzVzZnVXFmeGs2NApPSFRzeHIvcC9CVWRsdG1mYy9pczNLM2tsRDV4dWJzaVBaSFBXZzhhYTgzTmRZYTlmSmdPY2oxWWlrekhzVlFECjlNa2ZLRVdkR1ZaVGVjU1N0ZlVOeEtYa0R1a0RPRVBKUW52TUJWVjlMb0s4QzVzUXhIdVF0Z1J4Z2t1dFVqUGkKUkxhaWx1ZXlwYUF3UmhZYWFicmxpU1BlWm9aNUh4UVlONllKNzNLejUvZE52QXlWd3UxaVBYN1lIRHJaY0doUworci9aYVBEVmk4LzNRbG95K0dWSnU2ZnJLclVKS2pJR1hWSm8wOWIveVVsU3JvTzFsODUwdHhCRHJGblFERHZnCmhqa2lrajQwK0xKNlowVWk1b3JjckRqRkRtNmoxZ1hQbVlhN3R3NVM5QitoOTRKZ00zZEo2dTJSWTFQWERRZmYKUFkvd1pWeWFBUkoxTlUyUFpFMG55RFB1UG5PUkw1OWIvL3l3dmNyYlJNY2NEczMzRlR2SVpHZm5zRHZIazErWgpSMmp2djFsVUlMUnFmZUhXeWJaSDBXeTdWTG9QNGZRMjNLVFErMUU1RkxvM3Jvd1N4TnQzTHBrZQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://api.c-81a2d1b.kyma.ondemand.com
  name: garden-kyma--c-81a2d1b-external
contexts:
- context:
    cluster: garden-kyma--c-81a2d1b-external
    user: garden-kyma--c-81a2d1b-external
  name: garden-kyma--c-81a2d1b-external
current-context: garden-kyma--c-81a2d1b-external
kind: Config
users:
- name: garden-kyma--c-81a2d1b-external
  user:
    token: eyJraWQiOiJhbWM5M2VpeThLMFMtM05GRHF6NnA4Q1drOXciLCJhbGciOiJSUzI1NiJ9.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.kOQKD0UZr8LBNsQ6dAOa6NN55Df_QULfNDDUT5675gaX-sHplmEnXk9bcnfn60e_--4W2GHLLiDa4EM3VTlMnrn8kc8MW5HV9DhA9AaZm9RCdJKPX333dcGO0eu3Lrvu1Ne6J6vikk412wuiJLOaCNTE-QhMmz5Xs8fXCrGjL-ZBHHiDyWwjmxPgZ-h4_P_ucGLIJlYUOsY9gwnYrAXiR7MiRoTLQP21R4d2qUfDOYf_YLeloSEWuInOftDX4zpH9gktQG2IBUmE7YpjupJBj9RTNS4GSf_hVbwkrDPqogWnaySPHVYyerWiIYiCCtvw9NyhjfinTd-13NFsupxVSw'

# Using the kubeconfig above to run the following (the kubeconfig seems to be unavailable)

k cluster-info
E0108 22:32:50.136239   92838 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0108 22:32:52.178749   92838 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0108 22:32:54.831339   92838 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0108 22:32:56.777257   92838 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials
E0108 22:32:59.315142   92838 memcache.go:238] couldn't get current server API group list: the server has asked for the client to provide credentials

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
error: You must be logged in to the server (the server has asked for the client to provide credentials)

Expected behavior
The kubeconfig should be available, because OIDC authentication succeeds.

Screenshots

Image

Additional context

project: iccx-sre-us21
workspace: k get workspace -n project-iccx-sre-us21
mcp: k get mcp -n project-iccx-sre-us21--ws-slow
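
Added example, not part of the original issue or the project's code: an offline check of the bearer token in a generated kubeconfig, listing claim-level reasons an API server could reject it with "the server has asked for the client to provide credentials". It does not verify the signature. The sample token, the issuer URL and the `groups` claim name are constructed assumptions; the thread does not name the attributes involved.

```python
import base64, json, re, time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def token_from_kubeconfig(text):
    """Return the first static bearer token (user.token) in the text, or None."""
    m = re.search(r"^\s*token:\s*['\"]?([A-Za-z0-9_\-.]+)", text, re.MULTILINE)
    return m.group(1) if m else None

def diagnose(kubeconfig_text, required_claims=(), now=None):
    """List claim-level problems with the token; the signature is NOT checked."""
    now = time.time() if now is None else now
    token = token_from_kubeconfig(kubeconfig_text)
    if token is None:
        return ["no static bearer token in kubeconfig"]
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not a three-part JWT"]
    try:
        claims = b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    findings = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("no usable exp claim")
    elif exp <= now:
        findings.append(f"expired {int(now - exp)}s ago")
    for name in ("iss", "aud", *required_claims):
        if name not in claims:
            findings.append(f"missing claim: {name}")
    return findings

def _seg(obj):  # helper that builds the constructed sample token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_NOW = 1_736_346_770  # constructed clock value
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256"}), _seg({
    "iss": "https://idp.example.invalid", "aud": "kube-client",
    "exp": SAMPLE_NOW - 3600}), "c2ln"])  # "c2ln" is a dummy signature
SAMPLE_KUBECONFIG = f"users:\n- name: demo\n  user:\n    token: {SAMPLE_TOKEN}\n"

if __name__ == "__main__":
    # "groups" is a hypothetical claim the cluster's authorization might need
    for finding in diagnose(SAMPLE_KUBECONFIG, ("groups",), SAMPLE_NOW):
        print(finding)
```

An empty result only means the claims look plausible; the API server still validates the signature, issuer and audience against its own OIDC configuration.
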
@sdischer-sap
Member

With kubeconfig being unavailable, I guess you mean that you can't really use the generated kubeconfig to get access to the Kyma cluster, right?

Could you please have a look at this issue and see if the mentioned workaround works for you?
https://github.tools.sap/CoLa/support/issues/78

@JayChanggithub
Author

JayChanggithub commented Jan 10, 2025

@sdischer-sap
Thank you for your response. I have confirmed that the kubeconfig was generated using KubeConfigGenerator.oidc.orchestrate.cloud.sap. However, these kubeconfigs are currently unavailable. In the meantime, I can proceed with a workaround which you mentioned above while awaiting further feedback.
Image

@JayChanggithub
Author

JayChanggithub commented Jan 10, 2025

@sdischer-sap

Awesome! It should work. Thank you! However, is it possible to automatically add these attributes via IAS? Currently, we handle this through IAD: Link to Documentation. Is there a way to leverage this functionality? If so, how can we configure the corresponding setup here?
