Switch "get kubeconfig" flags to use --concierge-mode flag instead of boolean flag.
This is the same as the previous change to the login commands. Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer
parent
0cae72b391
commit
1c7c22352f
@ -73,13 +73,13 @@ type getKubeconfigOIDCParams struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type getKubeconfigConciergeParams struct {
|
type getKubeconfigConciergeParams struct {
|
||||||
disabled bool
|
disabled bool
|
||||||
authenticatorName string
|
authenticatorName string
|
||||||
authenticatorType string
|
authenticatorType string
|
||||||
apiGroupSuffix string
|
apiGroupSuffix string
|
||||||
caBundlePath string
|
caBundlePath string
|
||||||
endpoint string
|
endpoint string
|
||||||
useImpersonationProxy bool
|
mode conciergeMode
|
||||||
}
|
}
|
||||||
|
|
||||||
type getKubeconfigParams struct {
|
type getKubeconfigParams struct {
|
||||||
@ -107,15 +107,15 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
|
|||||||
f.StringVar(&flags.staticToken, "static-token", "", "Instead of doing an OIDC-based login, specify a static token")
|
f.StringVar(&flags.staticToken, "static-token", "", "Instead of doing an OIDC-based login, specify a static token")
|
||||||
f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment")
|
f.StringVar(&flags.staticTokenEnvName, "static-token-env", "", "Instead of doing an OIDC-based login, read a static token from the environment")
|
||||||
|
|
||||||
f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the concierge, but sends the credential to the cluster directly")
|
f.BoolVar(&flags.concierge.disabled, "no-concierge", false, "Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly")
|
||||||
f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the concierge was installed")
|
f.StringVar(&namespace, "concierge-namespace", "pinniped-concierge", "Namespace in which the Concierge was installed")
|
||||||
f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
|
f.StringVar(&flags.concierge.authenticatorType, "concierge-authenticator-type", "", "Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)")
|
||||||
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
|
f.StringVar(&flags.concierge.authenticatorName, "concierge-authenticator-name", "", "Concierge authenticator name (default: autodiscover)")
|
||||||
f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
|
f.StringVar(&flags.concierge.apiGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
|
||||||
|
|
||||||
f.StringVar(&flags.concierge.caBundlePath, "concierge-ca-bundle", "", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the concierge")
|
f.StringVar(&flags.concierge.caBundlePath, "concierge-ca-bundle", "", "Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge")
|
||||||
f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Pinniped concierge endpoint")
|
f.StringVar(&flags.concierge.endpoint, "concierge-endpoint", "", "API base for the Concierge endpoint")
|
||||||
f.BoolVar(&flags.concierge.useImpersonationProxy, "concierge-use-impersonation-proxy", false, "Whether the concierge cluster uses an impersonation proxy")
|
f.Var(&flags.concierge.mode, "concierge-mode", "Concierge mode of operation")
|
||||||
|
|
||||||
f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
|
f.StringVar(&flags.oidc.issuer, "oidc-issuer", "", "OpenID Connect issuer URL (default: autodiscover)")
|
||||||
f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
|
f.StringVar(&flags.oidc.clientID, "oidc-client-id", "pinniped-cli", "OpenID Connect client ID (default: autodiscover)")
|
||||||
@ -172,17 +172,6 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
|
return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
|
||||||
}
|
}
|
||||||
if flags.concierge.useImpersonationProxy {
|
|
||||||
// TODO what to do if --use-impersonation-proxy is set but flags.concierge.caBundlePath is not???
|
|
||||||
// TODO dont do this twice
|
|
||||||
conciergeCaBundleData, err := loadCABundlePaths([]string{flags.concierge.caBundlePath})
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("could not read --concierge-ca-bundle: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
cluster.CertificateAuthorityData = []byte(conciergeCaBundleData)
|
|
||||||
cluster.Server = flags.concierge.endpoint
|
|
||||||
}
|
|
||||||
clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
|
clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("could not configure Kubernetes client: %w", err)
|
return fmt.Errorf("could not configure Kubernetes client: %w", err)
|
||||||
@ -249,6 +238,19 @@ func runGetKubeconfig(out io.Writer, deps kubeconfigDeps, flags getKubeconfigPar
|
|||||||
}
|
}
|
||||||
|
|
||||||
func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, oidcCABundle *string, execConfig *clientcmdapi.ExecConfig) error {
|
func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams, v1Cluster *clientcmdapi.Cluster, oidcCABundle *string, execConfig *clientcmdapi.ExecConfig) error {
|
||||||
|
|
||||||
|
if flags.concierge.mode == modeImpersonationProxy {
|
||||||
|
// TODO what to do if --use-impersonation-proxy is set but flags.concierge.caBundlePath is not???
|
||||||
|
// TODO dont do this twice
|
||||||
|
conciergeCaBundleData, err := loadCABundlePaths([]string{flags.concierge.caBundlePath})
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("could not read --concierge-ca-bundle: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
v1Cluster.CertificateAuthorityData = []byte(conciergeCaBundleData)
|
||||||
|
v1Cluster.Server = flags.concierge.endpoint
|
||||||
|
}
|
||||||
|
|
||||||
switch auth := authenticator.(type) {
|
switch auth := authenticator.(type) {
|
||||||
case *conciergev1alpha1.WebhookAuthenticator:
|
case *conciergev1alpha1.WebhookAuthenticator:
|
||||||
// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
|
// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
|
||||||
@ -309,12 +311,8 @@ func configureConcierge(authenticator metav1.Object, flags *getKubeconfigParams,
|
|||||||
"--concierge-authenticator-type="+flags.concierge.authenticatorType,
|
"--concierge-authenticator-type="+flags.concierge.authenticatorType,
|
||||||
"--concierge-endpoint="+flags.concierge.endpoint,
|
"--concierge-endpoint="+flags.concierge.endpoint,
|
||||||
"--concierge-ca-bundle-data="+encodedConciergeCaBundleData,
|
"--concierge-ca-bundle-data="+encodedConciergeCaBundleData,
|
||||||
|
"--concierge-mode="+flags.concierge.mode.String(),
|
||||||
)
|
)
|
||||||
if flags.concierge.useImpersonationProxy {
|
|
||||||
execConfig.Args = append(execConfig.Args,
|
|
||||||
"--concierge-use-impersonation-proxy",
|
|
||||||
)
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -64,13 +64,13 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
|
--concierge-api-group-suffix string Concierge API group suffix (default "pinniped.dev")
|
||||||
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
|
--concierge-authenticator-name string Concierge authenticator name (default: autodiscover)
|
||||||
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
--concierge-authenticator-type string Concierge authenticator type (e.g., 'webhook', 'jwt') (default: autodiscover)
|
||||||
--concierge-ca-bundle string Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the concierge
|
--concierge-ca-bundle string Path to TLS certificate authority bundle (PEM format, optional, can be repeated) to use when connecting to the Concierge
|
||||||
--concierge-endpoint string API base for the Pinniped concierge endpoint
|
--concierge-endpoint string API base for the Concierge endpoint
|
||||||
--concierge-use-impersonation-proxy Whether the concierge cluster uses an impersonation proxy
|
--concierge-mode mode Concierge mode of operation (default TokenCredentialRequestAPI)
|
||||||
-h, --help help for kubeconfig
|
-h, --help help for kubeconfig
|
||||||
--kubeconfig string Path to kubeconfig file
|
--kubeconfig string Path to kubeconfig file
|
||||||
--kubeconfig-context string Kubeconfig context name (default: current active context)
|
--kubeconfig-context string Kubeconfig context name (default: current active context)
|
||||||
--no-concierge Generate a configuration which does not use the concierge, but sends the credential to the cluster directly
|
--no-concierge Generate a configuration which does not use the Concierge, but sends the credential to the cluster directly
|
||||||
--oidc-ca-bundle strings Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
|
--oidc-ca-bundle strings Path to TLS certificate authority bundle (PEM format, optional, can be repeated)
|
||||||
--oidc-client-id string OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")
|
--oidc-client-id string OpenID Connect client ID (default: autodiscover) (default "pinniped-cli")
|
||||||
--oidc-issuer string OpenID Connect issuer URL (default: autodiscover)
|
--oidc-issuer string OpenID Connect issuer URL (default: autodiscover)
|
||||||
@ -273,7 +273,12 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
||||||
"--concierge-ca-bundle", "./does/not/exist",
|
"--concierge-ca-bundle", "./does/not/exist",
|
||||||
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
|
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
|
||||||
"--concierge-use-impersonation-proxy",
|
"--concierge-authenticator-name", "test-authenticator",
|
||||||
|
"--concierge-authenticator-type", "webhook",
|
||||||
|
"--concierge-mode", "ImpersonationProxy",
|
||||||
|
},
|
||||||
|
conciergeObjects: []runtime.Object{
|
||||||
|
&conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: here.Doc(`
|
wantStderr: here.Doc(`
|
||||||
@ -343,6 +348,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
- --concierge-endpoint=https://fake-server-url-value
|
- --concierge-endpoint=https://fake-server-url-value
|
||||||
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
||||||
|
- --concierge-mode=TokenCredentialRequestAPI
|
||||||
- --token=test-token
|
- --token=test-token
|
||||||
command: '.../path/to/pinniped'
|
command: '.../path/to/pinniped'
|
||||||
env: []
|
env: []
|
||||||
@ -387,6 +393,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
- --concierge-endpoint=https://fake-server-url-value
|
- --concierge-endpoint=https://fake-server-url-value
|
||||||
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
||||||
|
- --concierge-mode=TokenCredentialRequestAPI
|
||||||
- --token-env=TEST_TOKEN
|
- --token-env=TEST_TOKEN
|
||||||
command: '.../path/to/pinniped'
|
command: '.../path/to/pinniped'
|
||||||
env: []
|
env: []
|
||||||
@ -439,6 +446,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- --concierge-authenticator-type=jwt
|
- --concierge-authenticator-type=jwt
|
||||||
- --concierge-endpoint=https://fake-server-url-value
|
- --concierge-endpoint=https://fake-server-url-value
|
||||||
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
||||||
|
- --concierge-mode=TokenCredentialRequestAPI
|
||||||
- --issuer=https://example.com/issuer
|
- --issuer=https://example.com/issuer
|
||||||
- --client-id=pinniped-cli
|
- --client-id=pinniped-cli
|
||||||
- --scopes=offline_access,openid,pinniped:request-audience
|
- --scopes=offline_access,openid,pinniped:request-audience
|
||||||
@ -498,6 +506,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- --concierge-authenticator-type=webhook
|
- --concierge-authenticator-type=webhook
|
||||||
- --concierge-endpoint=https://fake-server-url-value
|
- --concierge-endpoint=https://fake-server-url-value
|
||||||
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
|
||||||
|
- --concierge-mode=TokenCredentialRequestAPI
|
||||||
- --issuer=https://example.com/issuer
|
- --issuer=https://example.com/issuer
|
||||||
- --client-id=pinniped-cli
|
- --client-id=pinniped-cli
|
||||||
- --scopes=offline_access,openid,pinniped:request-audience
|
- --scopes=offline_access,openid,pinniped:request-audience
|
||||||
@ -519,7 +528,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
"--kubeconfig", "./testdata/kubeconfig.yaml",
|
||||||
"--concierge-ca-bundle", testConciergeCABundlePath,
|
"--concierge-ca-bundle", testConciergeCABundlePath,
|
||||||
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
|
"--concierge-endpoint", "https://impersonation-proxy-endpoint.test",
|
||||||
"--concierge-use-impersonation-proxy",
|
"--concierge-mode", "ImpersonationProxy",
|
||||||
},
|
},
|
||||||
conciergeObjects: []runtime.Object{
|
conciergeObjects: []runtime.Object{
|
||||||
&conciergev1alpha1.JWTAuthenticator{
|
&conciergev1alpha1.JWTAuthenticator{
|
||||||
@ -562,7 +571,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
- --concierge-authenticator-type=jwt
|
- --concierge-authenticator-type=jwt
|
||||||
- --concierge-endpoint=https://impersonation-proxy-endpoint.test
|
- --concierge-endpoint=https://impersonation-proxy-endpoint.test
|
||||||
- --concierge-ca-bundle-data=dGVzdC1jb25jaWVyZ2UtY2E=
|
- --concierge-ca-bundle-data=dGVzdC1jb25jaWVyZ2UtY2E=
|
||||||
- --concierge-use-impersonation-proxy
|
- --concierge-mode=ImpersonationProxy
|
||||||
- --issuer=https://example.com/issuer
|
- --issuer=https://example.com/issuer
|
||||||
- --client-id=pinniped-cli
|
- --client-id=pinniped-cli
|
||||||
- --scopes=offline_access,openid,pinniped:request-audience
|
- --scopes=offline_access,openid,pinniped:request-audience
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user