Support authentication helper for kubectl

We create a simple exec plugin command which can create and renew short-lived admin credentials on the fly, essentially leveraging the security of the underlying cloud credentials. Co-authored-by: John Gardiner Myers <[email protected]>
kubernetes · Aug 28, 2020 · 03906b3 · 03906b3
1 parent 3f079cd
commit 03906b3
Show file tree

Hide file tree

Showing 15 changed files with 452 additions and 8 deletions.
diff --git a/cmd/kops/BUILD.bazel b/cmd/kops/BUILD.bazel
@@ -68,6 +68,7 @@ go_library(
         "//pkg/client/simple:go_default_library",
         "//pkg/cloudinstances:go_default_library",
         "//pkg/commands:go_default_library",
+        "//pkg/commands/commandutils:go_default_library",
         "//pkg/dump:go_default_library",
         "//pkg/edit:go_default_library",
         "//pkg/featureflag:go_default_library",

diff --git a/cmd/kops/export_kubecfg.go b/cmd/kops/export_kubecfg.go
@@ -60,6 +60,9 @@ type ExportKubecfgOptions struct {
 	admin          time.Duration
 	user           string
 	internal       bool
+
+	// UseKopsAuthenticationPlugin controls whether we should use the kops auth helper instead of a static credential
+	UseKopsAuthenticationPlugin bool
 }
 
 func NewCmdExportKubecfg(f *util.Factory, out io.Writer) *cobra.Command {
@@ -85,6 +88,7 @@ func NewCmdExportKubecfg(f *util.Factory, out io.Writer) *cobra.Command {
 	cmd.Flags().Lookup("admin").NoOptDefVal = kubeconfig.DefaultKubecfgAdminLifetime.String()
 	cmd.Flags().StringVar(&options.user, "user", options.user, "add an existing user to the cluster context")
 	cmd.Flags().BoolVar(&options.internal, "internal", options.internal, "use the cluster's internal DNS name")
+	cmd.Flags().BoolVar(&options.UseKopsAuthenticationPlugin, "auth-plugin", options.UseKopsAuthenticationPlugin, "install the kops authentication plugin")
 
 	return cmd
 }
@@ -135,7 +139,17 @@ func RunExportKubecfg(ctx context.Context, f *util.Factory, out io.Writer, optio
 			return err
 		}
 
-		conf, err := kubeconfig.BuildKubecfg(cluster, keyStore, secretStore, &commands.CloudDiscoveryStatusStore{}, buildPathOptions(options), options.admin, options.user, options.internal)
+		conf, err := kubeconfig.BuildKubecfg(
+			cluster,
+			keyStore,
+			secretStore,
+			&commands.CloudDiscoveryStatusStore{},
+			buildPathOptions(options),
+			options.admin,
+			options.user,
+			options.internal,
+			f.KopsStateStore(),
+			options.UseKopsAuthenticationPlugin)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/kops/main.go b/cmd/kops/main.go
@@ -17,8 +17,7 @@ limitations under the License.
 package main // import "k8s.io/kops/cmd/kops"
 
 import (
-	"fmt"
-	"os"
+	"k8s.io/kops/pkg/commands/commandutils"
 )
 
 func main() {
@@ -28,6 +27,5 @@ func main() {
 // exitWithError will terminate execution with an error result
 // It prints the error to stderr and exits with a non-zero exit code
 func exitWithError(err error) {
-	fmt.Fprintf(os.Stderr, "\n%v\n", err)
-	os.Exit(1)
+	commandutils.ExitWithError(err)
 }
diff --git a/cmd/kops/root.go b/cmd/kops/root.go
@@ -35,6 +35,7 @@ import (
 	"k8s.io/kops/cmd/kops/util"
 	kopsapi "k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/client/simple"
+	"k8s.io/kops/pkg/commands"
 	"k8s.io/kubectl/pkg/util/i18n"
 	"k8s.io/kubectl/pkg/util/templates"
 )
@@ -143,6 +144,7 @@ func NewCmdRoot(f *util.Factory, out io.Writer) *cobra.Command {
 	cmd.AddCommand(NewCmdEdit(f, out))
 	cmd.AddCommand(NewCmdExport(f, out))
 	cmd.AddCommand(NewCmdGet(f, out))
+	cmd.AddCommand(commands.NewCmdHelpers(f, out))
 	cmd.AddCommand(NewCmdUpdate(f, out))
 	cmd.AddCommand(NewCmdReplace(f, out))
 	cmd.AddCommand(NewCmdRollingUpdate(f, out))

diff --git a/cmd/kops/update_cluster.go b/cmd/kops/update_cluster.go
@@ -306,7 +306,19 @@ func RunUpdateCluster(ctx context.Context, f *util.Factory, clusterName string,
 		firstRun = !hasKubecfg
 
 		klog.Infof("Exporting kubecfg for cluster")
-		conf, err := kubeconfig.BuildKubecfg(cluster, keyStore, secretStore, &commands.CloudDiscoveryStatusStore{}, clientcmd.NewDefaultPathOptions(), c.admin, c.user, c.internal)
+		// TODO: Another flag?
+		useKopsAuthenticationPlugin := false
+		conf, err := kubeconfig.BuildKubecfg(
+			cluster,
+			keyStore,
+			secretStore,
+			&commands.CloudDiscoveryStatusStore{},
+			clientcmd.NewDefaultPathOptions(),
+			c.admin,
+			c.user,
+			c.internal,
+			f.KopsStateStore(),
+			useKopsAuthenticationPlugin)
 		if err != nil {
 			return nil, err
 		}

diff --git a/cmd/kops/util/factory.go b/cmd/kops/util/factory.go
@@ -124,3 +124,8 @@ func (f *Factory) Clientset() (simple.Clientset, error) {
 
 	return f.clientset, nil
 }
+
+// KopsStateStore returns the configured KOPS_STATE_STORE in use
+func (f *Factory) KopsStateStore() string {
+	return f.options.RegistryPath
+}
diff --git a/hack/.packages b/hack/.packages
@@ -83,6 +83,8 @@ k8s.io/kops/pkg/client/simple/api
 k8s.io/kops/pkg/client/simple/vfsclientset
 k8s.io/kops/pkg/cloudinstances
 k8s.io/kops/pkg/commands
+k8s.io/kops/pkg/commands/commandutils
+k8s.io/kops/pkg/commands/helpers
 k8s.io/kops/pkg/configbuilder
 k8s.io/kops/pkg/diff
 k8s.io/kops/pkg/dns

diff --git a/pkg/commands/BUILD.bazel b/pkg/commands/BUILD.bazel
@@ -3,6 +3,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
+        "helpers.go",
         "helpers_readwrite.go",
         "set_cluster.go",
         "status_discovery.go",
@@ -17,6 +18,7 @@ go_library(
         "//pkg/apis/kops/validation:go_default_library",
         "//pkg/assets:go_default_library",
         "//pkg/client/simple:go_default_library",
+        "//pkg/commands/helpers:go_default_library",
         "//pkg/featureflag:go_default_library",
         "//pkg/resources/digitalocean:go_default_library",
         "//upup/pkg/fi:go_default_library",
@@ -30,6 +32,8 @@ go_library(
         "//vendor/github.com/spf13/cobra:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
+        "//vendor/k8s.io/kubectl/pkg/util/i18n:go_default_library",
+        "//vendor/k8s.io/kubectl/pkg/util/templates:go_default_library",
     ],
 )
 

diff --git a/pkg/commands/commandutils/BUILD.bazel b/pkg/commands/commandutils/BUILD.bazel
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["exit.go"],
+    importpath = "k8s.io/kops/pkg/commands/commandutils",
+    visibility = ["//visibility:public"],
+)
diff --git a/pkg/commands/commandutils/exit.go b/pkg/commands/commandutils/exit.go
@@ -0,0 +1,29 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package commandutils
+
+import (
+	"fmt"
+	"os"
+)
+
+// ExitWithError will terminate execution with an error result
+// It prints the error to stderr and exits with a non-zero exit code
+func ExitWithError(err error) {
+	fmt.Fprintf(os.Stderr, "\n%v\n", err)
+	os.Exit(1)
+}
diff --git a/pkg/commands/helpers.go b/pkg/commands/helpers.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package commands
+
+import (
+	"io"
+
+	"github.com/spf13/cobra"
+	"k8s.io/kops/cmd/kops/util"
+	"k8s.io/kops/pkg/commands/helpers"
+	"k8s.io/kubectl/pkg/util/i18n"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+var (
+	helpersLong = templates.LongDesc(i18n.T(`
+	Commands intended for integration with other systems.`))
+
+	helpersShort = i18n.T(`Commands for use with other systems.`)
+)
+
+// NewCmdHelpers builds the cobra command tree for the `helpers` subcommand
+func NewCmdHelpers(f *util.Factory, out io.Writer) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "helpers",
+		Short: helpersShort,
+		Long:  helpersLong,
+
+		// We hide the command, as it is intended for internal usage
+		Hidden: true,
+	}
+
+	cmd.AddCommand(helpers.NewCmdHelperKubectlAuth(f, out))
+
+	return cmd
+}
diff --git a/pkg/commands/helpers/BUILD.bazel b/pkg/commands/helpers/BUILD.bazel
@@ -0,0 +1,19 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["kubectl_auth.go"],
+    importpath = "k8s.io/kops/pkg/commands/helpers",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cmd/kops/util:go_default_library",
+        "//pkg/commands/commandutils:go_default_library",
+        "//pkg/pki:go_default_library",
+        "//pkg/rbac:go_default_library",
+        "//upup/pkg/fi:go_default_library",
+        "//vendor/github.com/spf13/cobra:go_default_library",
+        "//vendor/k8s.io/client-go/util/homedir:go_default_library",
+        "//vendor/k8s.io/klog:go_default_library",
+        "//vendor/k8s.io/kubectl/pkg/util/i18n:go_default_library",
+    ],
+)