Use token with kubeconfig set (#46)

* Use token with kubeconfig set

This supports the case where we supply a kubeconfig without secrets
to be stored in git, and the token is supplied separately.

If token is set, this creates a new user with token and resets the user
of the current active context.

* Update README.md, AUTHORS

Author: wernerb

AUTHORS

@@ -7,3 +7,4 @@ Tanner Bruce
 Takuhiro Yoshida
 O. Yuanying
 Anne Schuth
+Werner Buck

README.md

@@ -35,8 +35,8 @@ The version of this resource corresponds to the version of kubectl. We recommend
 
 ### cluster configs
 
-- `server`: *Optional.* The address and port of the API server. Requires `token`.
-- `token`: *Optional.* Bearer token for authentication to the API server. Requires `server`.
+- `server`: *Optional.* The address and port of the API server.
+- `token`: *Optional.* Bearer token for authentication to the API server.
 - `namespace`: *Optional.* The namespace scope. Defaults to `default`. If set along with `kubeconfig`, `namespace` will override the namespace in the current-context
 - `certificate_authority`: *Optional.* A certificate file for the certificate authority.
     ```yaml

assets/common.sh

@@ -34,9 +34,6 @@ setup_kubectl() {
     # Optional. The address and port of the API server. Requires token.
     local server
     server="$(jq -r '.source.server // ""' < "$payload")"
-    # Optional. Bearer token for authentication to the API server. Requires server.
-    local token
-    token="$(jq -r '.source.token // ""' < "$payload")"
     # Optional. A certificate file for the certificate authority.
     local certificate_authority
     certificate_authority="$(jq -r '.source.certificate_authority // ""' < "$payload")"
@@ -45,23 +42,9 @@ setup_kubectl() {
     local insecure_skip_tls_verify
     insecure_skip_tls_verify="$(jq -r '.source.insecure_skip_tls_verify // ""' < "$payload")"
 
-    if [[ -z "$server" || -z "$token" ]]; then
-      echoerr 'You must specify "server" and "token", if not specify "kubeconfig".'
-      exit 1
-    fi
-
-    local -r AUTH_NAME=auth
     local -r CLUSTER_NAME=cluster
     local -r CONTEXT_NAME=kubernetes-resource
 
-    # Build options for kubectl config set-credentials
-    # Avoid to expose the token string by using placeholder
-    local set_credentials_opts
-    set_credentials_opts=("--token=**********")
-    exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
-    # placeholder is replaced with actual token string
-    sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
-
     # Build options for kubectl config set-cluster
     local set_cluster_opts
     set_cluster_opts=("--server=$server")
@@ -76,7 +59,7 @@ setup_kubectl() {
     fi
     exe kubectl config set-cluster "$CLUSTER_NAME" "${set_cluster_opts[@]}"
 
-    exe kubectl config set-context "$CONTEXT_NAME" --user="$AUTH_NAME" --cluster="$CLUSTER_NAME"
+    exe kubectl config set-context "$CONTEXT_NAME" --cluster="$CLUSTER_NAME"
 
     exe kubectl config use-context "$CONTEXT_NAME"
 
@@ -111,6 +94,24 @@ setup_kubectl() {
   if [[ -n "$namespace" ]]; then
     exe kubectl config set-context "$(kubectl config current-context)" --namespace="$namespace"
   fi
+  
+  # if providing a token we set a user and override context to support both kubeconfig and generated config
+  local token
+  token="$(jq -r '.source.token // ""' < "$payload")"
+  if [[ -n "$token" ]]; then 
+    local -r AUTH_NAME=auth
+
+    # Build options for kubectl config set-credentials
+    # Avoid to expose the token string by using placeholder
+    local set_credentials_opts
+    set_credentials_opts=("--token=**********")
+    exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
+    # placeholder is replaced with actual token string
+    sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
+
+    # override user of context to one with token   
+    exe kubectl config set-context "$(kubectl config current-context)" --user="$AUTH_NAME" 
+  fi
 
   # Optional. The name of the kubeconfig context to use.
   local context

test/suite.bats

@@ -12,6 +12,15 @@ setup() {
   kubectl config view --flatten --minify > "$kubeconfig_file"
   # Change the current-context to $namespace
   kubectl --kubeconfig "$kubeconfig_file" config set-context ${current_context} --namespace "$namespace"
+  # Create a kubeconfig json without users (no token)
+  kubeconfig_file_no_token="$(mktemp)"
+  kubectl config view --flatten --minify -o json | jq -r 'del(.contexts[0].context.user,.users)' > "$kubeconfig_file_no_token"
+  # create rolebinding for full namespace access to default service account in namespace to avoid forbidden errors with token
+  kubectl create -n $namespace rolebinding --clusterrole=cluster-admin --serviceaccount=$namespace:default testaccount
+  # get default service account
+  serviceaccount=$(kubectl get -n $namespace serviceaccount default -o json | jq -r '.secrets[0].name')
+  # Extract token from service account for testing
+  token="$(kubectl get -n $namespace secret "$serviceaccount" -o json | jq -r '.data["token"]' | base64 -d)"
 }
 
 teardown() {
@@ -57,6 +66,16 @@ teardown() {
   assert_failure
 }
 
+@test "with no credentials in outputs.kubeconfig_file and source.token" {
+  run assets/out <<< "$(jq -n '{"source": {"token": $token}, "params": {"kubectl": $kubectl, "kubeconfig_file": $kubeconfig_file, "namespace": $namespace}}' \
+    --arg token "$token" \
+    --arg kubeconfig_file "$kubeconfig_file_no_token" \
+    --arg kubectl "get ns $namespace -o name" \
+    --arg namespace "$namespace")"
+  assert_match "namespace/$namespace" "$output"
+  assert_success
+}
+
 @test "command substitution in outputs.kubectl" {
   run kubectl --kubeconfig "$kubeconfig_file" run nginx --image=nginx
   assert_success