provider-helm v0.16.0 (https://github.com/crossplane-contrib/provider-helm/pull/205) introduced support for AzureAD authentication for AKS clusters and lets you specify the principal to authenticate to AKS through identity section in ProviderConfig spec, when kubeconfigs relying on kubelogin are supplied via ProviderConfig. These clusters typically has kubeconfigs with execProvider section, which consists of kubelogin command and arguments.
However, when user supplies both of the following in ProviderConfig:
a "standalone" kubeconfig that does not rely on any external helper tool for authenticating (i.e no execProvider section), in the credentials section
a non-empty identity section
This causes a runtime panic, because of a nil pointer dereference. It is recovered and does not halt the execution.
By design, when such kubeconfigs are supplied, the identity section must not exist. However, such cases should be handled gracefully when users provide such configs, as reported by a community member in the Slack thread
How can we reproduce it?
The following ProviderConfig that references a "standalone" kubeconfig and a non-empty identity section with type AzureServicePrincipalCredentials
What happened?
provider-helm
v0.16.0
(https://github.com/crossplane-contrib/provider-helm/pull/205) introduced support for AzureAD authentication for AKS clusters and lets you specify the principal to authenticate to AKS throughidentity
section inProviderConfig
spec, when kubeconfigs relying onkubelogin
are supplied viaProviderConfig
. These clusters typically has kubeconfigs withexecProvider
section, which consists of kubelogin command and arguments.However, when user supplies both of the following in
ProviderConfig
:execProvider
section), in thecredentials
sectionidentity
sectionThis causes a runtime panic, because of a nil pointer dereference. It is recovered and does not halt the execution.
By design, when such kubeconfigs are supplied, the identity section must not exist. However, such cases should be handled gracefully when users provide such configs, as reported by a community member in the Slack thread
How can we reproduce it?
The following
ProviderConfig
that references a "standalone" kubeconfig and a non-emptyidentity
section with typeAzureServicePrincipalCredentials
the kubeconfig in
helm-aks-config
Secret
. This kubeconfig has client cert key and token for authentication and has noexecProvider
sectionWhat environment did it happen in?
Crossplane version:
v1.13.2
provider-helm: v0.16.0