Context has no client certificate and key

[tombh]

Just trying out this for the first time. kubectl works fine on all my contexts. The full warning is:

Context xxxxxxx has no client certificate and key, nor does it specify any auth method (user/pass, token, auth-provider). You will likely not be able to authenticate to this cluster. Please check your kube config.

I don't know what to do?

[nicklan]

Do you know what kind of authentication your k8s cluster uses? It's possible it's something click doesn't support yet.

If you could post your ~/.kube/config (with anything private redacted of course) that would be helpful.

[tombh]

This is the basic idea:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 
    server: https://xxx.k8s.ondigitalocean.com
  name: do-sfo2-xxx
- cluster:
    ...
contexts:
- context:
    cluster: do-sfo2-xxx
    user: do-sfo2-xxx-admin
  name: do-sfo2-xxx
...
current-context: do-sfo2-xxx
kind: Config
preferences: {}
users:
- name: ci_user
  user:
    token: |-
      Name:         ci-token-2nmqd
      Namespace:    default
      Labels:       <none>
      Annotations:  kubernetes.io/service-account.name: ci
                    kubernetes.io/service-account.uid: xxxx

      Type:  kubernetes.io/service-account-token

      Data
      ====
      ca.crt:     1156 bytes
      namespace:  7 bytes
      token:      xxxxx
- name: do-sfo2-xxx-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - kubernetes
      - cluster
      - kubeconfig
      - exec-credential
      - --version=v1beta1
      - --context=default
      - xxxxx
      command: doctl
      env: null
...

I don't think the ci_user is really relevant though. There are a lot more clusters, contexts and users, but I've just skipped them for clarity.

[nicklan]

Ahh, yes, currently unfortunately click only supports exec style authentication for gke (i.e. run another command to generate my auth token). Supporting other ones in a more generic way is high on my list, so hopefully this will be fixed soon!

[nicklan]

this turns out to not be too hard. i have this working on EKS, but digital ocean is a pain to set up an account on, so I can't test it. If possible could you send me the output when you run:

doctl kubernetes cluster kubeconfig exec-credential --version=v1beta1 --context=default xxxxx (with the xxx replaced of course :))

Should be something like:

{
  "kind": "ExecCredential",
  "apiVersion": "client.authentication.k8s.io/v1alpha1",
  "spec": {},
  "status": {
    "expirationTimestamp": "2020-01-30T21:32:34Z",
    "token": "[snip]"
  }
}

but i want to be sure. thanks!

[nicklan]

Support for this was merged in #129. It would be great if you could test master and make sure it works for you (i tested it as much as I could, but it's always good to get someone else to confirm)

[tombh]

It works! Thank you so much :D