He does get the full response back from the Microsoft SSO server:
PS C:\kubectl> kubectl-oidc_login.exe setup --oidc-issuer-url=https://auth.lambdalabs.com/ --oidc-client-id=FkDN3B4toTrDElMTpzBbTpIdqGLiZHKp --oidc-extra-scope=openid,profile,email,offline_access
Authentication in progress...
## Authenticated with the OpenID Connect Provider
You got the token with the following claims:
Here is if I run it manually:
ubuntu@ggc-test-70evcnrohq3mf0y7-4w749-df5ks:~$ sudo /usr/local/bin/rke2 server
WARN[0000] not running in CIS mode
INFO[0000] Applying Pod Security Admission Configuration
INFO[0000] Starting rke2 v1.32.3+rke2r1 (18005e93ee0b015b78be47cf6515ae6d3a9afd55)
INFO[0000] Managed etcd cluster bootstrap already complete and initialized
INFO[0000] Starting temporary etcd to reconcile with datastore
{"level":"info","ts":"2025-10-08T00:36:04.157019Z","caller":"embed/etcd.go:140","msg":"configuring peer listeners","listen-peer-urls":["http://127.0.0.1:2400"]}
{"level":"info","ts":"2025-10-08T00:36:04.157434Z","caller":"embed/etcd.go:148","msg":"configuring client listeners","listen-client-urls":["http://127.0.0.1:2399"]}
➜ github ansible-playbook -i /tmp/oci.ini \
cluster-manager/ansible/deploy/playbooks/rke2/cluster.yml \
--limit head-oci \
--extra-vars '{
"rke2_servers_group_name": "masters",
"rke2_agents_group_name": "workers",
"rke2_version": "v1.32.3+rke2r1",
"rke2_server_options": ["supervisor-metrics: true"],
"rke2_agent_options": [],
gengwg@A02897 github % git clone https://github.com/lambdal/cluster-manager.git
Cloning into 'cluster-manager'...
remote: Enumerating objects: 7518, done.
remote: Counting objects: 100% (2395/2395), done.
remote: Compressing objects: 100% (803/803), done.
remote: Total 7518 (delta 1979), reused 1627 (delta 1581), pack-reused 5123 (from 3)
Receiving objects: 100% (7518/7518), 3.17 MiB | 14.51 MiB/s, done.
Resolving deltas: 100% (4078/4078), done.
➜ /tmp git clone git@github.com:lambdal/cluster-manager.git
gengwg@A02897 group_vars % git push -u origin temp/add-sshkey
remote: Write access to repository not granted.
fatal: unable to access 'https://github.com/lambdal/ops-ansible.git/': The requested URL returned error: 403
gengwg@A02897 group_vars % gh repo fork lambdal/ops-ansible
failed to fork: HTTP 403: You cannot fork this repository to the selected destination due to a policy. (https://api.github.com/repos/lambdal/ops-ansible/forks)
gengwg@A02897 group_vars % git branch
main
* temp/add-sshkey
gengwg@A02897 group_vars % git push origin HEAD
gengwg@A02897 group_vars % gh auth login --scopes repo,write:public_key,admin:public_key,workflow
? Where do you use GitHub? GitHub.com
? What is your preferred protocol for Git operations on this host? HTTPS
? Authenticate Git with your GitHub credentials? Yes
? How would you like to authenticate GitHub CLI? Login with a web browser
! First copy your one-time code: D8CE-DBD0
Press Enter to open https://github.com/login/device in your browser...
✓ Authentication complete.
➜ ~ export KUBECONFIG=/Users/gengwg/.kube/us-west-2-mgmt-stg-us-west-2 <aws:managed-k8s-staging/LambdaPowerUser> <region:us-west-2>
➜ ~ kubectl get pods <aws:managed-k8s-staging/LambdaPowerUser> <region:us-west-2>
NAME READY STATUS RESTARTS AGE
nginx-bf5d5cf98-m4vkj 1/1 Running 0 7d19h
➜ ~ <aws:managed-k8s-staging/LambdaPowerUser> <region:us-west-2>
➜ ~ granted sso populate --sso-region us-west-2 https://d-9267a4eef6.awsapps.com/start
[!] error retrieving IAM Identity Center token from secure storage: The specified item could not be found in the keyring
[i] If the browser does not open automatically, please open this link: https://d-9267a4eef6.awsapps.com/start/#/device?user_code=ZVVN-KHFW
[i] Awaiting AWS authentication in the browser
[i] You will be prompted to authenticate with AWS in the browser, then you will be prompted to 'Allow'
[i] Code: ZVVN-KHFW
[i] listing available profiles from AWS IAM Identity Center...
100% |███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (5/5, 6 it/s)