@@ -265,11 +265,9 @@ def set_active_context(self, context_name=None):
265265
266266 def _load_authentication (self ):
267267 """Read authentication from kube-config user section if exists.
268-
269268 This function goes through various authentication methods in user
270269 section of kube-config and stops if it finds a valid authentication
271270 method. The order of authentication methods is:
272-
273271 1. auth-provider (gcp, azure, oidc)
274272 2. token field (point to a token file)
275273 3. exec provided plugin
@@ -368,31 +366,36 @@ def _load_oid_token(self, provider):
368366 if 'config' not in provider :
369367 return
370368
371- reserved_characters = frozenset ([ "=" , "+" , "/" ])
369+ urlunsafe_revision = { "=" : "" , "+" : "-" , "/" : "_" }
372370 token = provider ['config' ]['id-token' ]
373371
374- if any (char in token for char in reserved_characters ):
375- # Invalid jwt, as it contains url-unsafe chars
376- return
372+ if any (char in token for char in urlunsafe_revision . keys () ):
373+ for key , value in urlunsafe_revision . items ():
374+ token = token . replace ( key , value )
377375
378376 parts = token .split ('.' )
379- if len (parts ) != 3 : # Not a valid JWT
380- return
377+ if len (parts ) != 3 :
378+ # Not a valid JWT
379+ raise ConfigException (
380+ 'Invalid kube-config file. '
381+ 'Not a vaild oidc token' )
381382
382383 padding = (4 - len (parts [1 ]) % 4 ) * '='
383384 if len (padding ) == 3 :
384385 # According to spec, 3 padding characters cannot occur
385386 # in a valid jwt
386387 # https://tools.ietf.org/html/rfc7515#appendix-C
387- return
388+ raise ConfigException (
389+ 'Invalid kube-config file. '
390+ 'Not a vaild oidc token' )
388391
389392 if PY3 :
390393 jwt_attributes = json .loads (
391- base64 .b64decode (parts [1 ] + padding ).decode ('utf-8' )
394+ base64 .urlsafe_b64decode (parts [1 ] + padding ).decode ('utf-8' )
392395 )
393396 else :
394397 jwt_attributes = json .loads (
395- base64 .b64decode (parts [1 ] + padding )
398+ base64 .urlsafe_b64decode (parts [1 ] + padding )
396399 )
397400
398401 expire = jwt_attributes .get ('exp' )
@@ -416,11 +419,11 @@ def _refresh_oidc(self, provider):
416419 ca_cert = tempfile .NamedTemporaryFile (delete = True )
417420
418421 if PY3 :
419- cert = base64 .b64decode (
422+ cert = base64 .urlsafe_b64decode (
420423 provider ['config' ]['idp-certificate-authority-data' ]
421424 ).decode ('utf-8' )
422425 else :
423- cert = base64 .b64decode (
426+ cert = base64 .urlsafe_b64decode (
424427 provider ['config' ]['idp-certificate-authority-data' ] + "=="
425428 )
426429
@@ -655,10 +658,8 @@ class KubeConfigMerger:
655658
656659 """Reads and merges configuration from one or more kube-config's.
657660 The propery `config` can be passed to the KubeConfigLoader as config_dict.
658-
659661 It uses a path attribute from ConfigNode to store the path to kubeconfig.
660662 This path is required to load certs from relative paths.
661-
662663 A method `save_changes` updates changed kubeconfig's (it compares current
663664 state of dicts with).
664665 """
@@ -776,7 +777,6 @@ def load_kube_config(config_file=None, context=None,
776777 persist_config = True ):
777778 """Loads authentication and cluster information from kube-config file
778779 and stores them in kubernetes.client.configuration.
779-
780780 :param config_file: Name of the kube-config file.
781781 :param context: set the active context. If is set to None, current_context
782782 from config file will be used.
@@ -806,7 +806,6 @@ def load_kube_config_from_dict(config_dict, context=None,
806806 persist_config = True ):
807807 """Loads authentication and cluster information from config_dict file
808808 and stores them in kubernetes.client.configuration.
809-
810809 :param config_dict: Takes the config file as a dict.
811810 :param context: set the active context. If is set to None, current_context
812811 from config file will be used.
0 commit comments