This repository was archived by the owner on Apr 27, 2020. It is now read-only.

Commit 160a836

wernerbsuperbrothers
authored andcommitted
Use token with kubeconfig set (#46)
* Use token with kubeconfig set This supports the case where we supply a kubeconfig without secrets to be stored in git, and the token is supplied separately. If token is set, this creates a new user with token and resets the user of the current active context. * Update README.md, AUTHORS
1 parent 31547c7 commit 160a836


4 files changed

+41
-20
lines changed


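--- a/AUTHORS
+++ b/AUTHORS
@@ -7,3 +7,4 @@ Tanner Bruce
 Takuhiro Yoshida
 O. Yuanying
 Anne Schuth
+Werner Buck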

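--- a/README.md
+++ b/README.md
@@ -35,8 +35,8 @@ The version of this resource corresponds to the version of kubectl. We recommend
 
 ### cluster configs
 
-- `server`: *Optional.* The address and port of the API server. Requires `token`.
-- `token`: *Optional.* Bearer token for authentication to the API server. Requires `server`.
+- `server`: *Optional.* The address and port of the API server.
+- `token`: *Optional.* Bearer token for authentication to the API server.
 - `namespace`: *Optional.* The namespace scope. Defaults to `default`. If set along with `kubeconfig`, `namespace` will override the namespace in the current-context
 - `certificate_authority`: *Optional.* A certificate file for the certificate authority.
 ```yaml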

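--- a/assets/common.sh
+++ b/assets/common.sh
@@ -34,9 +34,6 @@ setup_kubectl() {
 # Optional. The address and port of the API server. Requires token.
 local server
 server="$(jq -r '.source.server // ""' < "$payload")"
-# Optional. Bearer token for authentication to the API server. Requires server.
-local token
-token="$(jq -r '.source.token // ""' < "$payload")"
 # Optional. A certificate file for the certificate authority.
 local certificate_authority
 certificate_authority="$(jq -r '.source.certificate_authority // ""' < "$payload")"
@@ -45,23 +42,9 @@ setup_kubectl() {
 local insecure_skip_tls_verify
 insecure_skip_tls_verify="$(jq -r '.source.insecure_skip_tls_verify // ""' < "$payload")"
 
-if [[ -z "$server" || -z "$token" ]]; then
-echoerr 'You must specify "server" and "token", if not specify "kubeconfig".'
-exit 1
-fi
-
-local -r AUTH_NAME=auth
 local -r CLUSTER_NAME=cluster
 local -r CONTEXT_NAME=kubernetes-resource
 
-# Build options for kubectl config set-credentials
-# Avoid to expose the token string by using placeholder
-local set_credentials_opts
-set_credentials_opts=("--token=**********")
-exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
-# placeholder is replaced with actual token string
-sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
-
 # Build options for kubectl config set-cluster
 local set_cluster_opts
 set_cluster_opts=("--server=$server")
@@ -76,7 +59,7 @@ setup_kubectl() {
 fi
 exe kubectl config set-cluster "$CLUSTER_NAME" "${set_cluster_opts[@]}"
 
-exe kubectl config set-context "$CONTEXT_NAME" --user="$AUTH_NAME" --cluster="$CLUSTER_NAME"
+exe kubectl config set-context "$CONTEXT_NAME" --cluster="$CLUSTER_NAME"
 
 exe kubectl config use-context "$CONTEXT_NAME"
 
@@ -111,6 +94,24 @@ setup_kubectl() {
 if [[ -n "$namespace" ]]; then
 exe kubectl config set-context "$(kubectl config current-context)" --namespace="$namespace"
 fi
+
+# if providing a token we set a user and override context to support both kubeconfig and generated config
+local token
+token="$(jq -r '.source.token // ""' < "$payload")"
+if [[ -n "$token" ]]; then
+local -r AUTH_NAME=auth
+
+# Build options for kubectl config set-credentials
+# Avoid to expose the token string by using placeholder
+local set_credentials_opts
+set_credentials_opts=("--token=**********")
+exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
+# placeholder is replaced with actual token string
+sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
+
+# override user of context to one with token
+exe kubectl config set-context "$(kubectl config current-context)" --user="$AUTH_NAME"
+fi
 
 # Optional. The name of the kubeconfig context to use.
 local context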
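Review bot: The `sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"` line in the new `if [[ -n "$token" ]]` block now runs against a user-supplied kubeconfig as well as the generated one, and it splices the raw token into a sed replacement. A token containing `/`, `&` or a backslash breaks or silently corrupts the substitution, and because the pattern is unanchored, any other line of the user's kubeconfig that contains ten asterisks also receives the token. Assuming the placeholder exists only because `exe` logs its arguments, calling kubectl directly avoids both problems: `kubectl config set-credentials "$AUTH_NAME" --token="$token" >/dev/null`. The token is still passed on a command line either way, as it already is with sed. setup_kubectl starts and ends outside these hunks.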

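--- a/test/suite.bats
+++ b/test/suite.bats
@@ -12,6 +12,15 @@ setup() {
 kubectl config view --flatten --minify > "$kubeconfig_file"
 # Change the current-context to $namespace
 kubectl --kubeconfig "$kubeconfig_file" config set-context ${current_context} --namespace "$namespace"
+# Create a kubeconfig json without users (no token)
+kubeconfig_file_no_token="$(mktemp)"
+kubectl config view --flatten --minify -o json | jq -r 'del(.contexts[0].context.user,.users)' > "$kubeconfig_file_no_token"
+# create rolebinding for full namespace access to default service account in namespace to avoid forbidden errors with token
+kubectl create -n $namespace rolebinding --clusterrole=cluster-admin --serviceaccount=$namespace:default testaccount
+# get default service account
+serviceaccount=$(kubectl get -n $namespace serviceaccount default -o json | jq -r '.secrets[0].name')
+# Extract token from service account for testing
+token="$(kubectl get -n $namespace secret "$serviceaccount" -o json | jq -r '.data["token"]' | base64 -d)"
 }
 
 teardown() {
@@ -57,6 +66,16 @@ teardown() {
 assert_failure
 }
 
+@test "with no credentials in outputs.kubeconfig_file and source.token" {
+run assets/out <<< "$(jq -n '{"source": {"token": $token}, "params": {"kubectl": $kubectl, "kubeconfig_file": $kubeconfig_file, "namespace": $namespace}}' \
+--arg token "$token" \
+--arg kubeconfig_file "$kubeconfig_file_no_token" \
+--arg kubectl "get ns $namespace -o name" \
+--arg namespace "$namespace")"
+assert_match "namespace/$namespace" "$output"
+assert_success
+}
+
 @test "command substitution in outputs.kubectl" {
 run kubectl --kubeconfig "$kubeconfig_file" run nginx --image=nginx
 assert_success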
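Review bot: The rolebinding created in setup() grants `cluster-admin` within the namespace to the default service account, which is much broader than the `get ns` call the new test makes; a read-only role should be enough, e.g. `kubectl create -n "$namespace" rolebinding testaccount --clusterrole=view --serviceaccount="$namespace:default"`. `$namespace` is also unquoted on the three added kubectl lines, and `jq -r '.secrets[0].name'` yields the string `null` when the service account has no token secret, so the later failure would be hard to read. teardown() starts at the end of the first hunk and its body is not visible, so confirm that it removes `$kubeconfig_file_no_token` and the rolebinding.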
