Improve similarity with kubelet in handling of oidc kubeconfigs

- allow 'client-secret' to be empty

config/kube_config.py

@@ -361,13 +361,14 @@ def _refresh_oidc(self, provider):
             return
 
         response = json.loads(response.data)
+        client_secret = provider['config'].safe_get('client-secret') or ''
 
         request = OAuth2Session(
             client_id=provider['config']['client-id'],
             token=provider['config']['refresh-token'],
             auto_refresh_kwargs={
                 'client_id': provider['config']['client-id'],
-                'client_secret': provider['config']['client-secret']
+                'client_secret': client_secret
             },
             auto_refresh_url=response['token_endpoint']
         )
@@ -377,7 +378,7 @@ def _refresh_oidc(self, provider):
                 token_url=response['token_endpoint'],
                 refresh_token=provider['config']['refresh-token'],
                 auth=(provider['config']['client-id'],
-                      provider['config']['client-secret']),
+                      client_secret),
                 verify=config.ssl_ca_cert if config.verify_ssl else None
             )
         except oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: