"server" must be an instance of URL

[BenSaxon]

Describe the bug
When making a request using a client, I get an error:

TypeError: Failed to fetch resource metadata for <API_ENDPOINT_URI>: "server" must be an instance of URL

This is since upgrading to v1 from v.0.18

It's strange though, because sometimes the code path misses the step and thus the error isn't thrown.

The issue is happening when the idp-issuer-url arg is passed into oidc.discovery method, here: node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/oidc_auth.js line 91:

    async getClient(user) {
        const configuration = await oidc.discovery(user.authProvider.config['idp-issuer-url'], user.authProvider.config['client-id']);
        return new OidcClient(configuration);
    }

The first argument of oidc.discovery expects a URL object but is getting a string. And as a result it throws an error.

My kube config builder function is as follows:

export function createConfig(session: App.Session, rgFullPath?: string) {
  const kc = new k8s.KubeConfig();
  const orgId = getOrgId(session);

  const { clusterApiServerPath, namespace } = buildK8sServerContext(
    orgId,
    rgFullPath
  );

  const cluster: k8s.Cluster = {
    name: "cluster",
    server: clusterApiServerPath,
    skipTLSVerify: true
  };

  const user: k8s.User = {
    name: "user",
    authProvider: {
      name: "oidc",
      config: {
        "client-id": publicEnv.PUBLIC_KEYCLOAK_CLIENT_ID,
        "client-secret": env.KEYCLOAK_CLIENT_SECRET,
        "id-token": session.access_token,
        "idp-issuer-url": publicEnv.PUBLIC_KEYCLOAK_ISSUER_URL,
        "refresh-token": session.refresh_token
      }
    }
  };

  const context: k8s.Context = {
    name: "my-context",
    user: user.name,
    cluster: cluster.name,
    namespace
  };

  kc.loadFromOptions({
    clusters: [cluster],
    users: [user],
    contexts: [context],
    currentContext: context.name
  });

  return kc;
}

I have tried setting idp-issuer-url to be a URL but that doesn't work.

Bear in mind that this worked fine before upgrading to v1.

Client Version
1.0.0

To Reproduce

1. Create a kube config object like above.
2. Use the config object to create a client function and invoke a k8s endpoint using the client function.

Expected behavior

An error should display like:

TypeError: Failed to fetch resource metadata for iam.evroclabs.net/v1alpha3/ResourceGroup: "server" must be an instance of URL
    at CodedTypeError (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/openid-client@6.1.7/node_modules/openid-client/build/index.js:44:17)
    at Module.discovery (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/openid-client@6.1.7/node_modules/openid-client/build/index.js:146:15)
    at OpenIDConnectAuth.getClient (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/oidc_auth.js:92:42)
    at OpenIDConnectAuth.refresh (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/oidc_auth.js:82:73)
    at OpenIDConnectAuth.getToken (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/oidc_auth.js:70:21)
    at OpenIDConnectAuth.applyAuthentication (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/oidc_auth.js:55:34)
    at KubeConfig.applyAuthorizationHeader (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/config.js:444:33)
    at KubeConfig.applyOptions (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/config.js:452:20)
    at KubeConfig.applySecurityAuthentication (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/config.js:146:20)
    at KubernetesObjectApi.requestPromise (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@kubernetes+client-node@1.0.0/node_modules/@kubernetes/client-node/dist/object.js:437:90) {
  code: 'ERR_INVALID_ARG_TYPE',
  [cause]: undefined
}

[brendandburns]

My guess is that somehow user.authProvider.config['idp-issuer-url'] is getting overwritten sometimes because of something racy happening in your code, but that's just a guess.

It's intermittent because you get a token and it works, but then the next time through when it needs to refresh something is different.

But that's just a guess. I'm don't have a server with OIDC enabled that I can test against.

[BenSaxon]

Thanks @brendandburns I'll look into that