kops breaking auth with kubeconfig changes #11537

Closed
ryan-dyer-sp opened this issue May 19, 2021 · 6 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Contributor

ryan-dyer-sp commented May 19, 2021

1. What kops version are you running? The command kops version, will display
this information.

1.19.2

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.

1.19.x

3. What cloud provider are you using?
AWS

4. What commands did you run? What is the simplest way to reproduce this issue?
cluster.config

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <stuff>
    server: <url>
  name: cluster
contexts:
- context:
    cluster: cluster
    namespace: kube-system
    user: oidc
  name: cluster
current-context: cluster
kind: Config
preferences: {}
users: null
```

oidc.config

```yaml
apiVersion: v1
kind: Config
preferences: {}
users:
- name: oidc
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-options
      - --v=0
      command: kubectl
      env: null
```

```sh
export KUBECONFIG=cluster.config:oidc.config
kops update cluster --yes
```

5. What happened after the commands executed?
Contents of cluster.config are modified in a way which breaks auth to the cluster.

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <stuff>
    server: <url>
  name: cluster
contexts:
- context:
    cluster: cluster
    namespace: kube-system
    user: cluster
  name: cluster
current-context: cluster
kind: Config
preferences: {}
users:
- name: cluster
  user: {}
```

6. What did you expect to happen?
Don't modify kubeconfig files, as per the documentation, which says it won't be done unless --admin or --user are specified.

7. Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.

8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.

9. Anything else do we need to know?
Logs from update. I believe we see it is modifying the kubecfg even though we didn't ask it to.

```
I0519 19:56:30.965550   95317 update_cluster.go:313] Exporting kubecfg for cluster
kops has set your kubectl context to cluster
W0519 19:56:31.179445   95317 update_cluster.go:337] Exported kubecfg with no user authentication; use --admin, --user or --auth-plugin flags with `kops export kubecfg`
```
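
A guard against the failure reported above, as an added example that is not part of the original issue or of kops: it backs up every file named in the colon-separated `KUBECONFIG`, runs the given command, and restores any file the command rewrote. The names `run_with_kubeconfig_guard` and `KUBECONFIG_RESTORED` and the `.rewritten` suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not kops code). Usage, with the command from this report:
#   run_with_kubeconfig_guard kops update cluster --yes
# Afterwards KUBECONFIG_RESTORED holds the number of files that were put back.

run_with_kubeconfig_guard() {
    # mktemp -d creates a 0700 directory, so credential copies stay private.
    guard_dir=$(mktemp -d) || return 1
    count=0

    # Back up each existing file in the colon-separated KUBECONFIG list.
    old_ifs=$IFS
    IFS=:
    for f in $KUBECONFIG; do
        if [ -f "$f" ]; then
            count=$((count + 1))
            cp -p "$f" "$guard_dir/$count"
            printf '%s\n' "$f" > "$guard_dir/$count.path"
        fi
    done
    IFS=$old_ifs

    # Run the wrapped command and remember its exit status.
    "$@"
    status=$?

    # Compare every file with its backup; restore the ones that changed.
    KUBECONFIG_RESTORED=0
    i=1
    while [ "$i" -le "$count" ]; do
        f=$(cat "$guard_dir/$i.path")
        if ! cmp -s "$guard_dir/$i" "$f"; then
            # Keep the rewritten version for inspection before restoring.
            if [ -f "$f" ]; then cp -p "$f" "$f.rewritten"; fi
            cp -p "$guard_dir/$i" "$f"
            KUBECONFIG_RESTORED=$((KUBECONFIG_RESTORED + 1))
            echo "restored $f (rewritten copy kept as $f.rewritten)" >&2
        fi
        i=$((i + 1))
    done

    rm -rf "$guard_dir"
    return "$status"
}
```

A non-zero `KUBECONFIG_RESTORED` means the wrapped command touched a kubeconfig file; comparing the file with its `.rewritten` copy shows what was changed, such as the context's `user` entry in this report.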
@hakman
Member

hakman commented May 20, 2021

Similar to #11021 and #11000.
@ryan-dyer-sp can you check if #11021 (comment) helps?

/cc @justinsb @johngmyers

@ryan-dyer-sp
Contributor Author

> Similar to #11021 and #11000.
> @ryan-dyer-sp can you check if #11021 (comment) helps?
>
> /cc @justinsb @johngmyers

Sorry, which part of this? Doing the hack temp set of KUBECONFIG before doing the update cluster? I don't see the parameter specified as being available in kops update --help

justinsb added a commit to justinsb/kops that referenced this issue May 23, 2021
This preserves existing user configuration.

Issue kubernetes#11537
hakman pushed a commit to hakman/kops that referenced this issue May 24, 2021
This preserves existing user configuration.

Issue kubernetes#11537
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 19, 2021
@k8s-triage-robot
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 18, 2021
@k8s-triage-robot
/close

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue.