remove auth-path from kubeconfig
This commit is contained in:
deads2k
parent
6498fc1fda
commit
19784dbc4f
@ -721,7 +721,6 @@ _kubectl_config_set-credentials()
|
||||
flags_with_completion=()
|
||||
flags_completion=()
|
||||
|
||||
flags+=("--auth-path=")
|
||||
flags+=("--client-certificate=")
|
||||
flags+=("--client-key=")
|
||||
flags+=("--embed-certs")
|
||||
@ -916,8 +915,6 @@ _kubectl()
|
||||
|
||||
flags+=("--alsologtostderr")
|
||||
flags+=("--api-version=")
|
||||
flags+=("--auth-path=")
|
||||
two_word_flags+=("-a")
|
||||
flags+=("--certificate-authority=")
|
||||
flags+=("--client-certificate=")
|
||||
flags+=("--client-key=")
|
||||
|
||||
@ -31,10 +31,6 @@ Print available API versions.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -31,10 +31,6 @@ Display addresses of the master and services with label kubernetes.io/cluster\-s
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -48,10 +48,6 @@ Specifying a name that already exists will merge new fields on top of existing v
|
||||
\fB\-\-alsologtostderr\fP=false
|
||||
log to standard error as well as files
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-client\-certificate\fP=""
|
||||
Path to a client key file for TLS.
|
||||
|
||||
@ -44,10 +44,6 @@ Specifying a name that already exists will merge new fields on top of existing v
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -33,10 +33,6 @@ Bearer token and basic auth are mutually exclusive.
|
||||
|
||||
|
||||
.SH OPTIONS
|
||||
.PP
|
||||
\fB\-\-auth\-path\fP=""
|
||||
auth\-path for the user entry in kubeconfig
|
||||
|
||||
.PP
|
||||
\fB\-\-client\-certificate\fP=""
|
||||
path to client\-certificate for the user entry in kubeconfig
|
||||
|
||||
@ -33,10 +33,6 @@ PROPERTY\_VALUE is the new value you wish to set.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -32,10 +32,6 @@ PROPERTY\_NAME is a dot delimited name where each token represents either a attr
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -31,10 +31,6 @@ Sets the current\-context in a kubeconfig file
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -67,10 +67,6 @@ You can use \-\-output=template \-\-template=TEMPLATE to extract specific values
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -41,10 +41,6 @@ The loading order follows these rules:
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -38,10 +38,6 @@ JSON and YAML formats are accepted.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -63,10 +63,6 @@ will be lost along with the rest of the resource.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -35,10 +35,6 @@ given resource.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -47,10 +47,6 @@ Execute a command in a container.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -100,10 +100,6 @@ selector for a new Service on the specified port.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -68,10 +68,6 @@ of the \-\-template flag, you can filter the attributes of the fetched resource(
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -68,10 +68,6 @@ If \-\-resource\-version is specified, then updates will use this resource versi
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -39,10 +39,6 @@ Print the logs for a container in a pod. If the pod has only one container, the
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -34,10 +34,6 @@ namespace has been superceded by the context.namespace field of .kubeconfig file
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -35,10 +35,6 @@ Forward one or more local ports to a pod.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -47,10 +47,6 @@ Run a proxy to the Kubernetes API server.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -49,10 +49,6 @@ resize is sent to the server.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -85,10 +85,6 @@ existing controller and overwrite at least one (common) label in its replicaSele
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -81,10 +81,6 @@ Creates a replication controller to manage the created container(s).
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -51,10 +51,6 @@ If the resource is resizable it will be resized to 0 before deletion.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -42,10 +42,6 @@ JSON and YAML formats are accepted.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -35,10 +35,6 @@ Print the client and server version information.
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -29,10 +29,6 @@ Find more information at
|
||||
\fB\-\-api\-version\fP=""
|
||||
The API version to use when talking to the server
|
||||
|
||||
.PP
|
||||
\fB\-a\fP, \fB\-\-auth\-path\fP=""
|
||||
Path to the auth info file. If missing, prompt the user. Only used if using https.
|
||||
|
||||
.PP
|
||||
\fB\-\-certificate\-authority\fP=""
|
||||
Path to a cert. file for the certificate authority.
|
||||
|
||||
@ -96,16 +96,12 @@ func ShortenConfig(config *Config) {
|
||||
}
|
||||
|
||||
// Flatten changes the config object into a self contained config (useful for making secrets)
|
||||
// AuthPath is not handled.
|
||||
func FlattenConfig(config *Config) error {
|
||||
for key, authInfo := range config.AuthInfos {
|
||||
baseDir, err := MakeAbs(path.Dir(authInfo.LocationOfOrigin), "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if len(authInfo.AuthPath) != 0 {
|
||||
return fmt.Errorf("auth path of %v is not empty: %v", key, authInfo.AuthPath)
|
||||
}
|
||||
|
||||
if err := FlattenContent(&authInfo.ClientCertificate, &authInfo.ClientCertificateData, baseDir); err != nil {
|
||||
return err
|
||||
|
||||
@ -69,8 +69,6 @@ type Cluster struct {
|
||||
type AuthInfo struct {
|
||||
// LocationOfOrigin indicates where this object came from. It is used for round tripping config post-merge, but never serialized.
|
||||
LocationOfOrigin string
|
||||
// AuthPath is the path to a kubernetes auth file (~/.kubernetes_auth). If you provide an AuthPath, the other options specified are ignored
|
||||
AuthPath string `json:"auth-path,omitempty"`
|
||||
// ClientCertificate is the path to a client cert file for TLS.
|
||||
ClientCertificate string `json:"client-certificate,omitempty"`
|
||||
// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
|
||||
|
||||
@ -53,9 +53,6 @@ func ExampleOfOptionsConfig() {
|
||||
APIVersion: "v1beta1",
|
||||
InsecureSkipTLSVerify: false,
|
||||
}
|
||||
defaultConfig.AuthInfos["black-mage-via-file"] = AuthInfo{
|
||||
AuthPath: "path/to/my/.kubernetes_auth",
|
||||
}
|
||||
defaultConfig.AuthInfos["white-mage-via-cert"] = AuthInfo{
|
||||
ClientCertificate: "path/to/my/client-cert-filename",
|
||||
ClientKey: "path/to/my/client-key-filename",
|
||||
@ -116,9 +113,6 @@ func ExampleOfOptionsConfig() {
|
||||
// preferences:
|
||||
// colors: true
|
||||
// users:
|
||||
// black-mage-via-file:
|
||||
// LocationOfOrigin: ""
|
||||
// auth-path: path/to/my/.kubernetes_auth
|
||||
// red-mage-via-token:
|
||||
// LocationOfOrigin: ""
|
||||
// token: my-secret-token
|
||||
|
||||
@ -65,8 +65,6 @@ type Cluster struct {
|
||||
|
||||
// AuthInfo contains information that describes identity information. This is use to tell the kubernetes cluster who you are.
|
||||
type AuthInfo struct {
|
||||
// AuthPath is the path to a kubernetes auth file (~/.kubernetes_auth). If you provide an AuthPath, the other options specified are ignored
|
||||
AuthPath string `json:"auth-path,omitempty"`
|
||||
// ClientCertificate is the path to a client cert file for TLS.
|
||||
ClientCertificate string `json:"client-certificate,omitempty"`
|
||||
// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
|
||||
|
||||
@ -117,25 +117,6 @@ func (config DirectClientConfig) ClientConfig() (*client.Config, error) {
|
||||
func getServerIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo, configClusterInfo clientcmdapi.Cluster) (*client.Config, error) {
|
||||
mergedConfig := &client.Config{}
|
||||
|
||||
defaultAuthPathInfo, err := NewDefaultAuthLoader().LoadAuth(os.Getenv("HOME") + "/.kubernetes_auth")
|
||||
// if the error is anything besides a does not exist, then fail. Not existing is ok
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
if defaultAuthPathInfo != nil {
|
||||
defaultAuthPathConfig := makeServerIdentificationConfig(*defaultAuthPathInfo)
|
||||
mergo.Merge(mergedConfig, defaultAuthPathConfig)
|
||||
}
|
||||
|
||||
if len(configAuthInfo.AuthPath) > 0 {
|
||||
authPathInfo, err := NewDefaultAuthLoader().LoadAuth(configAuthInfo.AuthPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
authPathConfig := makeServerIdentificationConfig(*authPathInfo)
|
||||
mergo.Merge(mergedConfig, authPathConfig)
|
||||
}
|
||||
|
||||
// configClusterInfo holds the information identify the server provided by .kubeconfig
|
||||
configClientConfig := &client.Config{}
|
||||
configClientConfig.CAFile = configClusterInfo.CertificateAuthority
|
||||
@ -156,15 +137,6 @@ func getServerIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo,
|
||||
func getUserIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo, fallbackReader io.Reader) (*client.Config, error) {
|
||||
mergedConfig := &client.Config{}
|
||||
|
||||
if len(configAuthInfo.AuthPath) > 0 {
|
||||
authPathInfo, err := NewDefaultAuthLoader().LoadAuth(configAuthInfo.AuthPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
authPathConfig := makeUserIdentificationConfig(*authPathInfo)
|
||||
mergo.Merge(mergedConfig, authPathConfig)
|
||||
}
|
||||
|
||||
// blindly overwrite existing values based on precedence
|
||||
if len(configAuthInfo.Token) > 0 {
|
||||
mergedConfig.BearerToken = configAuthInfo.Token
|
||||
@ -180,22 +152,6 @@ func getUserIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo, fa
|
||||
mergedConfig.Password = configAuthInfo.Password
|
||||
}
|
||||
|
||||
// if there isn't sufficient information to authenticate the user to the server, merge in ~/.kubernetes_auth.
|
||||
if !canIdentifyUser(*mergedConfig) {
|
||||
defaultAuthPathInfo, err := NewDefaultAuthLoader().LoadAuth(os.Getenv("HOME") + "/.kubernetes_auth")
|
||||
// if the error is anything besides a does not exist, then fail. Not existing is ok
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
return nil, err
|
||||
}
|
||||
if defaultAuthPathInfo != nil {
|
||||
defaultAuthPathConfig := makeUserIdentificationConfig(*defaultAuthPathInfo)
|
||||
previouslyMergedConfig := mergedConfig
|
||||
mergedConfig = &client.Config{}
|
||||
mergo.Merge(mergedConfig, defaultAuthPathConfig)
|
||||
mergo.Merge(mergedConfig, previouslyMergedConfig)
|
||||
}
|
||||
}
|
||||
|
||||
// if there still isn't enough information to authenticate the user, try prompting
|
||||
if !canIdentifyUser(*mergedConfig) && (fallbackReader != nil) {
|
||||
prompter := NewPromptingAuthLoader(fallbackReader)
|
||||
|
||||
@ -235,7 +235,6 @@ func ResolveLocalPaths(filename string, config *clientcmdapi.Config) error {
|
||||
|
||||
resolvedAuthInfos := make(map[string]clientcmdapi.AuthInfo)
|
||||
for key, authInfo := range config.AuthInfos {
|
||||
authInfo.AuthPath = resolveLocalPath(configDir, authInfo.AuthPath)
|
||||
authInfo.ClientCertificate = resolveLocalPath(configDir, authInfo.ClientCertificate)
|
||||
authInfo.ClientKey = resolveLocalPath(configDir, authInfo.ClientKey)
|
||||
resolvedAuthInfos[key] = authInfo
|
||||
|
||||
@ -177,8 +177,8 @@ func TestConflictingCurrentContext(t *testing.T) {
|
||||
func TestResolveRelativePaths(t *testing.T) {
|
||||
pathResolutionConfig1 := clientcmdapi.Config{
|
||||
AuthInfos: map[string]clientcmdapi.AuthInfo{
|
||||
"relative-user-1": {ClientCertificate: "relative/client/cert", ClientKey: "../relative/client/key", AuthPath: "../../relative/auth/path"},
|
||||
"absolute-user-1": {ClientCertificate: "/absolute/client/cert", ClientKey: "/absolute/client/key", AuthPath: "/absolute/auth/path"},
|
||||
"relative-user-1": {ClientCertificate: "relative/client/cert", ClientKey: "../relative/client/key"},
|
||||
"absolute-user-1": {ClientCertificate: "/absolute/client/cert", ClientKey: "/absolute/client/key"},
|
||||
},
|
||||
Clusters: map[string]clientcmdapi.Cluster{
|
||||
"relative-server-1": {CertificateAuthority: "../relative/ca"},
|
||||
@ -187,8 +187,8 @@ func TestResolveRelativePaths(t *testing.T) {
|
||||
}
|
||||
pathResolutionConfig2 := clientcmdapi.Config{
|
||||
AuthInfos: map[string]clientcmdapi.AuthInfo{
|
||||
"relative-user-2": {ClientCertificate: "relative/client/cert2", ClientKey: "../relative/client/key2", AuthPath: "../../relative/auth/path2"},
|
||||
"absolute-user-2": {ClientCertificate: "/absolute/client/cert2", ClientKey: "/absolute/client/key2", AuthPath: "/absolute/auth/path2"},
|
||||
"relative-user-2": {ClientCertificate: "relative/client/cert2", ClientKey: "../relative/client/key2"},
|
||||
"absolute-user-2": {ClientCertificate: "/absolute/client/cert2", ClientKey: "/absolute/client/key2"},
|
||||
},
|
||||
Clusters: map[string]clientcmdapi.Cluster{
|
||||
"relative-server-2": {CertificateAuthority: "../relative/ca2"},
|
||||
@ -247,25 +247,21 @@ func TestResolveRelativePaths(t *testing.T) {
|
||||
foundAuthInfoCount++
|
||||
matchStringArg(path.Join(configDir1, pathResolutionConfig1.AuthInfos["relative-user-1"].ClientCertificate), authInfo.ClientCertificate, t)
|
||||
matchStringArg(path.Join(configDir1, pathResolutionConfig1.AuthInfos["relative-user-1"].ClientKey), authInfo.ClientKey, t)
|
||||
matchStringArg(path.Join(configDir1, pathResolutionConfig1.AuthInfos["relative-user-1"].AuthPath), authInfo.AuthPath, t)
|
||||
}
|
||||
if key == "relative-user-2" {
|
||||
foundAuthInfoCount++
|
||||
matchStringArg(path.Join(configDir2, pathResolutionConfig2.AuthInfos["relative-user-2"].ClientCertificate), authInfo.ClientCertificate, t)
|
||||
matchStringArg(path.Join(configDir2, pathResolutionConfig2.AuthInfos["relative-user-2"].ClientKey), authInfo.ClientKey, t)
|
||||
matchStringArg(path.Join(configDir2, pathResolutionConfig2.AuthInfos["relative-user-2"].AuthPath), authInfo.AuthPath, t)
|
||||
}
|
||||
if key == "absolute-user-1" {
|
||||
foundAuthInfoCount++
|
||||
matchStringArg(pathResolutionConfig1.AuthInfos["absolute-user-1"].ClientCertificate, authInfo.ClientCertificate, t)
|
||||
matchStringArg(pathResolutionConfig1.AuthInfos["absolute-user-1"].ClientKey, authInfo.ClientKey, t)
|
||||
matchStringArg(pathResolutionConfig1.AuthInfos["absolute-user-1"].AuthPath, authInfo.AuthPath, t)
|
||||
}
|
||||
if key == "absolute-user-2" {
|
||||
foundAuthInfoCount++
|
||||
matchStringArg(pathResolutionConfig2.AuthInfos["absolute-user-2"].ClientCertificate, authInfo.ClientCertificate, t)
|
||||
matchStringArg(pathResolutionConfig2.AuthInfos["absolute-user-2"].ClientKey, authInfo.ClientKey, t)
|
||||
matchStringArg(pathResolutionConfig2.AuthInfos["absolute-user-2"].AuthPath, authInfo.AuthPath, t)
|
||||
}
|
||||
}
|
||||
if foundAuthInfoCount != 4 {
|
||||
|
||||
@ -1,89 +0,0 @@
|
||||
/*
|
||||
Copyright 2014 The Kubernetes Authors All rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package clientcmd
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
"github.com/GoogleCloudPlatform/kubernetes/pkg/clientauth"
|
||||
)
|
||||
|
||||
// Verifies that referencing an old .kubernetes_auth file respects all fields
|
||||
func TestAuthPathUpdatesBothClusterAndUser(t *testing.T) {
|
||||
authFile, _ := ioutil.TempFile("", "")
|
||||
defer os.Remove(authFile.Name())
|
||||
|
||||
insecure := true
|
||||
auth := &clientauth.Info{
|
||||
User: "user",
|
||||
Password: "password",
|
||||
CAFile: "ca-file",
|
||||
CertFile: "cert-file",
|
||||
KeyFile: "key-file",
|
||||
BearerToken: "bearer-token",
|
||||
Insecure: &insecure,
|
||||
}
|
||||
err := testWriteAuthInfoFile(*auth, authFile.Name())
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error %v", err)
|
||||
}
|
||||
|
||||
cmd := &cobra.Command{
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
},
|
||||
}
|
||||
clientConfig := testBindClientConfig(cmd)
|
||||
cmd.ParseFlags([]string{"--server=https://localhost", "--auth-path=" + authFile.Name()})
|
||||
|
||||
config, err := clientConfig.ClientConfig()
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error %v", err)
|
||||
}
|
||||
|
||||
matchStringArg(auth.User, config.Username, t)
|
||||
matchStringArg(auth.Password, config.Password, t)
|
||||
matchStringArg(auth.CAFile, config.CAFile, t)
|
||||
matchStringArg(auth.CertFile, config.CertFile, t)
|
||||
matchStringArg(auth.KeyFile, config.KeyFile, t)
|
||||
matchStringArg(auth.BearerToken, config.BearerToken, t)
|
||||
matchBoolArg(*auth.Insecure, config.Insecure, t)
|
||||
}
|
||||
|
||||
func testWriteAuthInfoFile(auth clientauth.Info, filename string) error {
|
||||
data, err := json.Marshal(auth)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = ioutil.WriteFile(filename, data, 0600)
|
||||
return err
|
||||
}
|
||||
|
||||
func testBindClientConfig(cmd *cobra.Command) ClientConfig {
|
||||
loadingRules := &ClientConfigLoadingRules{}
|
||||
cmd.PersistentFlags().StringVar(&loadingRules.ExplicitPath, "kubeconfig", "", "Path to the kubeconfig file to use for CLI requests.")
|
||||
|
||||
overrides := &ConfigOverrides{}
|
||||
BindOverrideFlags(overrides, cmd.PersistentFlags(), RecommendedConfigOverrideFlags(""))
|
||||
clientConfig := NewInteractiveDeferredLoadingClientConfig(loadingRules, overrides, os.Stdin)
|
||||
|
||||
return clientConfig
|
||||
}
|
||||
@ -44,7 +44,6 @@ type ConfigOverrideFlags struct {
|
||||
|
||||
// AuthOverrideFlags holds the flag names to be used for binding command line flags for AuthInfo objects
|
||||
type AuthOverrideFlags struct {
|
||||
AuthPath FlagInfo
|
||||
ClientCertificate FlagInfo
|
||||
ClientKey FlagInfo
|
||||
Token FlagInfo
|
||||
@ -81,7 +80,6 @@ const (
|
||||
FlagNamespace = "namespace"
|
||||
FlagAPIServer = "server"
|
||||
FlagAPIVersion = "api-version"
|
||||
FlagAuthPath = "auth-path"
|
||||
FlagInsecure = "insecure-skip-tls-verify"
|
||||
FlagCertFile = "client-certificate"
|
||||
FlagKeyFile = "client-key"
|
||||
@ -95,7 +93,6 @@ const (
|
||||
// RecommendedAuthOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
|
||||
func RecommendedAuthOverrideFlags(prefix string) AuthOverrideFlags {
|
||||
return AuthOverrideFlags{
|
||||
AuthPath: FlagInfo{prefix + FlagAuthPath, "", "", "Path to the auth info file. If missing, prompt the user. Only used if using https."},
|
||||
ClientCertificate: FlagInfo{prefix + FlagCertFile, "", "", "Path to a client key file for TLS."},
|
||||
ClientKey: FlagInfo{prefix + FlagKeyFile, "", "", "Path to a client key file for TLS."},
|
||||
Token: FlagInfo{prefix + FlagBearerToken, "", "", "Bearer token for authentication to the API server."},
|
||||
@ -135,20 +132,11 @@ func RecommendedContextOverrideFlags(prefix string) ContextOverrideFlags {
|
||||
|
||||
// BindAuthInfoFlags is a convenience method to bind the specified flags to their associated variables
|
||||
func BindAuthInfoFlags(authInfo *clientcmdapi.AuthInfo, flags *pflag.FlagSet, flagNames AuthOverrideFlags) {
|
||||
deadString := ""
|
||||
bindStringFlag(flags, &deadString, flagNames.AuthPath)
|
||||
bindStringFlag(flags, &authInfo.ClientCertificate, flagNames.ClientCertificate)
|
||||
bindStringFlag(flags, &authInfo.ClientKey, flagNames.ClientKey)
|
||||
bindStringFlag(flags, &authInfo.Token, flagNames.Token)
|
||||
bindStringFlag(flags, &authInfo.Username, flagNames.Username)
|
||||
bindStringFlag(flags, &authInfo.Password, flagNames.Password)
|
||||
|
||||
if len(flagNames.AuthPath.LongName) > 0 {
|
||||
flags.MarkDeprecated(flagNames.AuthPath.LongName, flagNames.AuthPath.LongName+" has been removed and is no longer respected")
|
||||
}
|
||||
if len(flagNames.AuthPath.ShortName) > 0 {
|
||||
flags.MarkDeprecated(flagNames.AuthPath.ShortName, flagNames.AuthPath.ShortName+" has been removed and is no longer respected")
|
||||
}
|
||||
}
|
||||
|
||||
// BindClusterFlags is a convenience method to bind the specified flags to their associated variables
|
||||
|
||||
@ -177,17 +177,6 @@ func validateAuthInfo(authInfoName string, authInfo clientcmdapi.AuthInfo) []err
|
||||
if len(authInfo.Username) != 0 || len(authInfo.Password) != 0 {
|
||||
methods = append(methods, "basicAuth")
|
||||
}
|
||||
if len(authInfo.AuthPath) != 0 {
|
||||
usingAuthPath = true
|
||||
methods = append(methods, "authFile")
|
||||
|
||||
file, err := os.Open(authInfo.AuthPath)
|
||||
os.IsNotExist(err)
|
||||
defer file.Close()
|
||||
if err != nil {
|
||||
validationErrors = append(validationErrors, fmt.Errorf("unable to read auth-path %v for %v due to %v", authInfo.AuthPath, authInfoName, err))
|
||||
}
|
||||
}
|
||||
|
||||
if len(authInfo.ClientCertificate) != 0 || len(authInfo.ClientCertificateData) != 0 {
|
||||
// Make sure cert data and file aren't both specified
|
||||
|
||||
@ -33,7 +33,7 @@ func TestConfirmUsableBadInfoButOkConfig(t *testing.T) {
|
||||
CertificateAuthority: "missing",
|
||||
}
|
||||
config.AuthInfos["error"] = clientcmdapi.AuthInfo{
|
||||
AuthPath: "anything",
|
||||
Username: "anything",
|
||||
Token: "here",
|
||||
}
|
||||
config.Contexts["dirty"] = clientcmdapi.Context{
|
||||
@ -53,7 +53,7 @@ func TestConfirmUsableBadInfoButOkConfig(t *testing.T) {
|
||||
|
||||
badValidation := configValidationTest{
|
||||
config: config,
|
||||
expectedErrorSubstring: []string{"unable to read auth-path", "unable to read certificate-authority"},
|
||||
expectedErrorSubstring: []string{"unable to read certificate-authority"},
|
||||
}
|
||||
okTest := configValidationTest{
|
||||
config: config,
|
||||
@ -69,7 +69,7 @@ func TestConfirmUsableBadInfoConfig(t *testing.T) {
|
||||
CertificateAuthority: "missing",
|
||||
}
|
||||
config.AuthInfos["error"] = clientcmdapi.AuthInfo{
|
||||
AuthPath: "anything",
|
||||
Username: "anything",
|
||||
Token: "here",
|
||||
}
|
||||
config.Contexts["first"] = clientcmdapi.Context{
|
||||
@ -78,7 +78,7 @@ func TestConfirmUsableBadInfoConfig(t *testing.T) {
|
||||
}
|
||||
test := configValidationTest{
|
||||
config: config,
|
||||
expectedErrorSubstring: []string{"unable to read auth-path", "unable to read certificate-authority"},
|
||||
expectedErrorSubstring: []string{"unable to read certificate-authority"},
|
||||
}
|
||||
|
||||
test.testConfirmUsable("first", t)
|
||||
@ -236,19 +236,6 @@ func TestValidateEmptyAuthInfo(t *testing.T) {
|
||||
test.testAuthInfo("error", t)
|
||||
test.testConfig(t)
|
||||
}
|
||||
func TestValidatePathNotFoundAuthInfo(t *testing.T) {
|
||||
config := clientcmdapi.NewConfig()
|
||||
config.AuthInfos["error"] = clientcmdapi.AuthInfo{
|
||||
AuthPath: "missing",
|
||||
}
|
||||
test := configValidationTest{
|
||||
config: config,
|
||||
expectedErrorSubstring: []string{"unable to read auth-path"},
|
||||
}
|
||||
|
||||
test.testAuthInfo("error", t)
|
||||
test.testConfig(t)
|
||||
}
|
||||
func TestValidateCertFilesNotFoundAuthInfo(t *testing.T) {
|
||||
config := clientcmdapi.NewConfig()
|
||||
config.AuthInfos["error"] = clientcmdapi.AuthInfo{
|
||||
@ -298,21 +285,6 @@ func TestValidateCleanCertFilesAuthInfo(t *testing.T) {
|
||||
test.testAuthInfo("clean", t)
|
||||
test.testConfig(t)
|
||||
}
|
||||
func TestValidateCleanPathAuthInfo(t *testing.T) {
|
||||
tempFile, _ := ioutil.TempFile("", "")
|
||||
defer os.Remove(tempFile.Name())
|
||||
|
||||
config := clientcmdapi.NewConfig()
|
||||
config.AuthInfos["clean"] = clientcmdapi.AuthInfo{
|
||||
AuthPath: tempFile.Name(),
|
||||
}
|
||||
test := configValidationTest{
|
||||
config: config,
|
||||
}
|
||||
|
||||
test.testAuthInfo("clean", t)
|
||||
test.testConfig(t)
|
||||
}
|
||||
func TestValidateCleanTokenAuthInfo(t *testing.T) {
|
||||
config := clientcmdapi.NewConfig()
|
||||
config.AuthInfos["clean"] = clientcmdapi.AuthInfo{
|
||||
|
||||
@ -94,8 +94,6 @@ func NewCmdConfigSetAuthInfo(out io.Writer, configAccess ConfigAccess) *cobra.Co
|
||||
cmd.Flags().Var(&options.password, clientcmd.FlagPassword, clientcmd.FlagPassword+" for the user entry in kubeconfig")
|
||||
cmd.Flags().Var(&options.embedCertData, clientcmd.FlagEmbedCerts, "embed client cert/key for the user entry in kubeconfig")
|
||||
|
||||
cmd.Flags().String(clientcmd.FlagAuthPath, "", clientcmd.FlagAuthPath+" for the user entry in kubeconfig")
|
||||
cmd.Flags().MarkDeprecated(clientcmd.FlagAuthPath, clientcmd.FlagAuthPath+" has been removed and is no longer respected")
|
||||
return cmd
|
||||
}
|
||||
|
||||
@ -126,10 +124,6 @@ func (o *createAuthInfoOptions) modifyAuthInfo(existingAuthInfo clientcmdapi.Aut
|
||||
|
||||
var setToken, setBasic bool
|
||||
|
||||
if o.authPath.Provided() {
|
||||
modifiedAuthInfo.AuthPath = o.authPath.Value()
|
||||
}
|
||||
|
||||
if o.clientCertificate.Provided() {
|
||||
certPath := o.clientCertificate.Value()
|
||||
if o.embedCertData.Value() {
|
||||
|
||||
@ -338,7 +338,6 @@ func DefaultClientConfig(flags *pflag.FlagSet) clientcmd.ClientConfig {
|
||||
overrides := &clientcmd.ConfigOverrides{}
|
||||
flagNames := clientcmd.RecommendedConfigOverrideFlags("")
|
||||
// short flagnames are disabled by default. These are here for compatibility with existing scripts
|
||||
flagNames.AuthOverrideFlags.AuthPath.ShortName = "a"
|
||||
flagNames.ClusterOverrideFlags.APIServer.ShortName = "s"
|
||||
|
||||
clientcmd.BindOverrideFlags(overrides, flags, flagNames)
|
||||
|
||||
@ -306,7 +306,6 @@ func validateController(c *client.Client, containerImage string, replicas int, c
|
||||
Failf("Timed out after %v seconds waiting for %s pods to reach valid state", podStartTimeout.Seconds(), testname)
|
||||
}
|
||||
|
||||
// kubectlCmd runs the kubectl executable.
|
||||
// kubectlCmd runs the kubectl executable.
|
||||
func kubectlCmd(args ...string) *exec.Cmd {
|
||||
defaultArgs := []string{}
|
||||
@ -324,7 +323,6 @@ func kubectlCmd(args ...string) *exec.Cmd {
|
||||
}
|
||||
|
||||
} else {
|
||||
defaultArgs = append(defaultArgs, "--"+clientcmd.FlagAuthPath+"="+testContext.AuthConfig)
|
||||
if testContext.CertDir != "" {
|
||||
defaultArgs = append(defaultArgs,
|
||||
fmt.Sprintf("--certificate-authority=%s", filepath.Join(testContext.CertDir, "ca.crt")),
|
||||
|
||||
Loading…
Reference in New Issue
Block a user