Add cluster CA certificate into kubeconfig if one exists

[ripta]

Addresses one of the ideas in #31. Instead of adding YAML templating, this PR takes a different approach:

1. Check each cluster definition (clusters[*].cluster in the kubeconfig) to see if either certificate-authority-data (binary embedded PEM data) or certificate-authority (path to client-side file) are non-empty in the template.
   a. If both certificate fields are empty and /var/run/secrets/kubernetes.io/serviceaccount/ca.crt is accessible by Kuberos (which only happens when Kuberos is run in-cluster, and its pod is given a service account), then the contents of ca.crt is used as the value of certificate-authority-data.
   b. Otherwise, no behavior changes.
2. If the template already has a current-context, it's still used as the default. Otherwise, current-context is set to the first non-empty context.

I'd love feedback overall, but two things jumped out in particular:

3. I'm not sure what the best way to add tests for (1) above, since it needs to test filesystem access.
4. I added DefaultAPITokenMountPath, because there doesn't seem to be an easy way to access the definition of it without pulling in the entirety of k8s.io/kubernetes/plugin/pkg/admission/serviceaccount.

[codecov]

Codecov Report

Merging #36 into master will increase coverage by 4.9%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master      #36     +/-   ##
=========================================
+ Coverage   34.51%   39.42%   +4.9%     
=========================================
  Files           1        1             
  Lines         197      208     +11     
=========================================
+ Hits           68       82     +14     
+ Misses        123      121      -2     
+ Partials        6        5      -1

Impacted Files	Coverage Δ
cmd/kuberos/kuberos.go	39.42% <0%> (+4.9%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e921993...7e2f3c3. Read the comment docs.

[negz]

I like this approach a lot! I've added some comments - switching to afero to make it testable is the only one I feel strongly about.

[negz]

cluster.CertificateAuthority is a string, so it would be more idiomatic to test that it's the empty string (i.e. cluster.CertificateAuthority == "".

[ripta]

Good call! I'll make the change.

[negz]

https://github.com/spf13/afero

I like to use afero to make this kind of thing testable. It's pretty much a drop in replacement for the stdlib's filesystem functions, with an in-memory backend that's great for testing.

[ripta]

I attempted to use a similar library (github.com/blang/vfs) for a work project, and ended up running into a lot of tiny little differences compared to stdlib.

I'll check out afero, though!

[negz]

I'm not sure about this functionality. I personally like to avoid setting a current context, because I typically have many clusters and always want to type kubectl --context=blah to make sure I never accidentally operate on my current context when I actually meant to operate on another one. (i.e. I want to make it hard to set my current context to a production cluster one day, then assume it's set to the staging cluster the next day and delete a whole namespace). That said I don't use Kuberos in production at my current job, and I think I'm a little weird in this regard, so perhaps this behaviour is what most users would prefer?

[ripta]

Yeah, I considered whether or not it's worth it.

We (work) recommend keeping configs for separate clusters in separate configs and setting the KUBECONFIG env-var to switch instead. It's obviously a different workflow, so having a default context is useful.

I'll say that this behavior does seem a little magical, though. So maybe I should just remove it, haha.

[ripta]

@negz - I added a couple of test cases; used afero, and I really like it so far. Please take a look and LMK what you think!

[negz]

Looks great, thank you!