Re: [kubernetes/kubernetes] Trailing whitespace in tokenFile causes `net/http: invalid header field value` error (#52919)

[k8s-ci-robot]

@benburry: Reiterating the mentions to trigger a notification:
@kubernetes/sig-cli-bugs

In response to this:

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

@kubernetes/sig-cli-bugs

What happened:
We have webhook auth(n) enabled in our kube-apiserver. I generated myself a token, and used vim to write the token to a file in my ~/.kube/config directory. I added a tokenFile field to my ~/.kube/config user, referencing this token file, and issued a kubectl get po command.

I received the error:
Unable to connect to the server: net/http: invalid header field value "Bearer: <TOKEN_REDACTED>\n" for key Authorization

What you expected to happen:
I expected the token file to work, as it contained only a single line containing the token.

How to reproduce it (as minimally and precisely as possible):
Using a text editor that adds linebreaks automatically, save your token to a file and reference that file in your kubeconfig using the tokenFile entry.

Anything else we need to know?:
It would be reasonable to ask people to not include any leading/trailing
whitespace in their token files. However, some (many? most?) text editors will
add a single linebreak at the end of a line by default. This seems to
originate from the POSIX definition of a Line:

A sequence of zero or more non-<newline> characters plus a terminating <newline> character. (from
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_206)

vim seems to exhibit this behaviour by default, so I'm presuming it's widespread.

Environment:

• Kubernetes version (use kubectl version):
  Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2", GitCommit:"477efc3cbe6a7effca06bd1452fa356e2201e1ee", GitTreeState:"clean", BuildDate:"2017-04-19T20:33:11Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2", GitCommit:"477efc3cbe6a7effca06bd1452fa356e2201e1ee", GitTreeState:"clean", BuildDate:"2017-04-19T20:22:08Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
• Cloud provider or hardware configuration**: onpremises cluster
• OS (e.g. from /etc/os-release): CentOS Linux release 7.0.1406 (Core)
• Kernel (e.g. uname -a): Linux 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
• Install tools: From binaries
• Others: None

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

—
You are receiving this because you are on a team that was mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

[k8s-ci-robot]

Closed #52919.

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[chinglin]

I encountered this issue too, for prometheus kubernetes config

Using string directly, rather than file solve this, it's complicate the config though

Changed from bearer_token_file to bearer_token, solved this issue

Example config:

global:
  scrape_interval: 10s
  scrape_timeout: 10s
  evaluation_interval: 10s
rule_files:
  - "/etc/prometheus-rules/*.rules"
scrape_configs:

  # https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml#L37
  - job_name: 'kubernetes-nodes'
    kubernetes_sd_configs:
      - role: node
        api_server: https://172.28.46.123
        tls_config:
          insecure_skip_verify: true
        bearer_token: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtb25pdG9yaW5nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InByb21ldGhldXMtazhzLXRva2VuLTV6cW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InByb21ldGhldXMtazhzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTJmYThiOWItMzBiYi0xMWU4LWFlZTItZjQwMzQzNDM3NjU0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om1vbml0b3Jpbmc6cHJvbWV0aGV1cy1rOHMifQ.seXXt0PLAlNzclSq28zks7rVlgkhQzn6ZqPLP9CmgAPOAD5XeE19t2MmpMKXWZAe14sBILT4hZTFeG_yiepYB4q8x5frpoKU7ml_z7eKbPgHAPV_sHskyd9WIzUuC3yHaqQa-3E_SDaXTna_FAHCoCkSKZtsVPou5qHHPwhQvez2YNB4hM67OZv2uQCcZAO4kLVL5_0af68cuxkIkrRw7MI9C2WyxMK6NUIoa_YsR7eXsGYuGN2aDy-M_UDY7vNngqPiAQQ4BgwjUHzam0Kx-spBU0XxFbGVk6Na2iew1yFYPnGtC7ebEAfsDL9A_YV2DLzol4YX4QPAqMcbphKmWw"
    relabel_configs:
      - source_labels: [__address__]
        regex: '(.*):10250'
        replacement: '${1}:10255'
        target_label: __address__

[Sean Lyons]

/reopen

I am also encountering this issue. It doesn't seem like the original reporter actually had their issue resolved, they just used an alternative method of declaring their bearer token. I am not in a position to keep my secrets under source control, so the bearer_token declaration will not work for me.

I am confirm that the file I am specifying has no newline in it, yet Prometheus is attempting to insert a trailing newline in the request header when probing Kubernetes.

My scrape config is effectively identical to the one posted by @chinglinwen above.

[k8s-ci-robot]

@lyonssp: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen

I am also encountering this issue. It doesn't seem like the original reporter actually had their issue resolved, they just used an alternative method of declaring their bearer token. I am not in a position to keep my secrets under source control, so the bearer_token declaration will not work for me.

I am confirm that the file I am specifying has no newline in it, yet Prometheus is attempting to insert a trailing newline in the request header when probing Kubernetes.

My scrape config is effectively identical to the one posted by @chinglinwen above.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

—

[fabstu]

echo "" | base64 adds a newline.

Use instead:

echo -n "" | base64

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are on a team that was mentioned.Message ID: <kubernetes/kubernetes/issues/52919/1277568586@github.com>

[fabstu]

echo "" | base64 adds a newline

Use instead:

echo -n "" | base64

—
Reply to this email directly, view it on GitHub, or unsubscribe.

You are receiving this because you are on a team that was mentioned.Message ID: <kubernetes/kubernetes/issues/52919/1277572474@github.com>