Adding support for kubectl ExecCredential output #72
Can you separate vendor into a separate commit to make this more reviewable?
**Why:**

* Allows you to use the `heptio-authenticator-aws` binary in your `~/.kube/config` as an external authProvider

**Usage:**

```yaml
users:
- name: user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "--cluster-id"
        - "cluster-id"
```

**This change addresses the need by:**

* closes #64

Signed-off-by: Christopher Hein <[email protected]>
**Why:**

* Separated this commit to make reviewing easier

Signed-off-by: Christopher Hein <[email protected]>
@nckturner Updated with commits separated, I should have error handling done soon to review that as well. Also rebased
I was mistaken about the flow for the authenticator, I thought it passed a token to the API server that it validated after learning a little more it's passing a signed URL that the server uses to in essence call Any thoughts or suggestions?
@@ -35,7 +35,7 @@ var tokenCmd = &cobra.Command{ | |||
clusterID := viper.GetString("clusterID") | |||
|
|||
if clusterID == "" { | |||
fmt.Fprintf(os.Stderr, "error: cluster ID not specified\n") | |||
fmt.Fprintf(os.Stderr, "Error: cluster ID not specified\n") |
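Review bot: the capitalized "Error: cluster ID not specified" is now inconsistent with the lowercase "could not get token: %v" written to stderr a few lines further down in the same tokenCmd; pick one form for both messages. Keeping both on stderr is the part that matters, because after this PR kubectl parses the plugin's stdout as ExecCredential JSON and any stray text there breaks authentication.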
Updated to be cohesive with the default Cobra error responses. `heptio-authenticator-aws token -i` for example returns:

```
Error: flag needs an argument: 'i' in -i
```
**Why:**

* Documents how to configure your `kubeconfig` to use `ExecCredential` `client-go` mechanisms.
* Changes some of the documented comments to reflect `clientauth` vs 1.10 release

Signed-off-by: Christopher Hein <[email protected]>
pkg/token/token.go
Outdated
@@ -180,6 +184,21 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error) | |||
return v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), nil | |||
} | |||
|
|||
// FormatJSON formats the json to support 1.10 external authProvider |
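Review bot: the doc comment on the exported FormatJSON should say what it returns, an ExecCredential object for apiVersion client.authentication.k8s.io/v1alpha1 (the version the kubeconfig example in this PR uses), rather than only "formats the json"; the comment style on GetWithRole just above is the pattern to follow. Naming the type makes it clear to callers that this output, and not the bare token from GetWithRole, is what goes to stdout for kubectl.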
Updated in a later commit.
I actually think this version is slightly more readable. The docs and implementation use different names in different places, so I'll leave it to you, but something like `1.10 client-go exec-based auth provider` would be explicit enough.
Signed-off-by: Christopher Hein <[email protected]>
Looking pretty good, a few comments. Also, you might need to consume KUBERNETES_EXEC_INFO in order to determine if the caller is interactive, or perhaps we can detect it, and we need to make sure interactive mode works with MFA.
README.md
Outdated
@@ -82,13 +82,26 @@ systemctl restart kubelet.service | |||
``` | |||
|
|||
### 4. Set up kubectl to use Heptio Authenticator for AWS tokens | |||
|
|||
> This requires a 1.10+ `kubectl` binary to work. If you receive `Please enter Username:` when trying to use `kubectl` you need to update to the latest `kubectl` | |||
|
|||
Finally, once the server is set up you'll want to authenticate! | |||
You will still need a `kubeconfig` that has the public data about your cluster (cluster CA certificate, endpoint address). | |||
The `users` section of your configuration, however, can be mostly blank: |
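Review bot: the blockquote names only the symptom (`Please enter Username:`) of an old kubectl; stating the exec apiVersion the plugin emits (client.authentication.k8s.io/v1alpha1, per the kubeconfig in this PR) alongside "1.10+" gives readers a concrete way to verify that their kubectl supports this credential plugin API before they hit the prompt.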
README.md
Outdated
To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig --token "$(heptio-authenticator-aws token -i CLUSTER_ID -r ROLE_ARN)" [...]`. | ||
You can simplify this with an alias or shell wrapper. | ||
To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig" [...]`. | ||
kubectl will handle `exec`'ing the `heptio-authenticator-aws` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver. |
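Review bot: the replacement command has a stray double quote, `kubectl --kubeconfig /path/to/kubeconfig" [...]` will not parse in a shell; it should read `kubectl --kubeconfig /path/to/kubeconfig [...]`. Since the `--token "$(heptio-authenticator-aws token ...)"` form is removed here, a sentence telling existing users of that alias to switch to the `exec` stanza would also help.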
nit: `kubectl will exec the ...`
@@ -58,7 +58,9 @@ var tokenCmd = &cobra.Command{ | |||
fmt.Fprintf(os.Stderr, "could not get token: %v\n", err) | |||
os.Exit(1) | |||
} | |||
fmt.Println(tok) | |||
|
|||
enc := gen.FormatJSON(tok) |
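Review bot: dropping `fmt.Println(tok)` means the bare token is no longer printed at all, so the `--token "$(heptio-authenticator-aws token ...)"` usage removed from the README in this PR stops working for anyone still scripting it; if that break is intended, state it in the commit message, otherwise keep a flag that selects the raw token output. Note also that only the ExecCredential JSON may reach stdout from here on, so any later diagnostics in this path must stay on stderr.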
nit: `fmt.Println(gen.FormatJSON(tok))`
Signed-off-by: Christopher Hein <[email protected]>
@nckturner updated based on your review. For the MFA, assuming we can track that separately through #42 right?
I'd like to merge this after #42, I've proposed how we do that on that PR.
**Why:**

* Allows you to use the `heptio-authenticator-aws` binary in your `~/.kube/config` as an external `ExecCredential`

**Usage:**

**This change addresses the need by:**

**Todos:**

* readme.md

**Questions:**

* `KUBERNETES_EXEC_INFO`?
* `expirationTimestamp` it's optional per the documentation, if so could you provide me a little guidance on where to make or get that from? https://kubernetes.io/docs/admin/authentication/#client-go-credential-plugins

Signed-off-by: Christopher Hein [email protected]
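As an added illustration, not code from this PR or from the heptio-authenticator-aws project, of the ExecCredential contract behind the kubeconfig `exec` usage above and the open questions about `KUBERNETES_EXEC_INFO` and `expirationTimestamp`: the producer side wraps a token in the JSON kubectl reads from stdout, and the consumer side refuses a credential with a foreign apiVersion, no token, or an expiry already in the past. The apiVersion is the one from the kubeconfig in this PR; the kind name and the `spec.interactive` field are assumed from the client-go credential plugin API, and the token value is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"time"
)

// Assumed: apiVersion as in this PR's kubeconfig; kind and spec.interactive per client-go.
const execAPIVersion = "client.authentication.k8s.io/v1alpha1"

type execStatus struct {
	Token               string     `json:"token"`
	ExpirationTimestamp *time.Time `json:"expirationTimestamp,omitempty"`
}

// ExecCredential is the subset of the client-go type this example needs.
type ExecCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Interactive bool `json:"interactive"`
	} `json:"spec"`
	Status *execStatus `json:"status,omitempty"`
}

// FormatExecCredential wraps an already generated token in the JSON kubectl reads
// from the plugin's stdout; diagnostics and prompts must go to stderr instead.
func FormatExecCredential(token string, expires *time.Time) (string, error) {
	cred := ExecCredential{APIVersion: execAPIVersion, Kind: "ExecCredential",
		Status: &execStatus{Token: token, ExpirationTimestamp: expires}}
	b, err := json.Marshal(cred)
	return string(b), err
}

// IsInteractive decodes the ExecCredential kubectl passes in KUBERNETES_EXEC_INFO
// and reports whether the plugin may prompt the user, for example for an MFA code.
func IsInteractive(execInfo string) bool {
	var cred ExecCredential
	return json.Unmarshal([]byte(execInfo), &cred) == nil && cred.Spec.Interactive
}

// TokenUsable is the consumer-side check: wrong apiVersion, missing token or an
// expirationTimestamp already in the past means regenerate, never reuse.
func TokenUsable(cred ExecCredential, now time.Time) bool {
	if cred.APIVersion != execAPIVersion || cred.Status == nil || cred.Status.Token == "" {
		return false
	}
	return cred.Status.ExpirationTimestamp == nil || cred.Status.ExpirationTimestamp.After(now)
}
```

A nil expiry is omitted from the JSON, matching the documentation's note that the field is optional; when it is present, the check treats the expiry instant itself as already expired.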