k8s: use ExecCredential for authentication #387

Merged: 1 commit, Dec 21, 2018

@bouk (Contributor) commented Dec 19, 2018

This changes the behavior of saving kubeconfig locally to set up an exec plugin in the kubeconfig, which gets called to talk to our API and retrieve credentials to authenticate against the Kubernetes server.

It caches the credentials under `~/.config/doctl/cache/kubeconfig/<uuid>.json`

@bouk bouk requested a review from aybabtme December 19, 2018 10:46
@bouk bouk force-pushed the k8s-refresh-config branch 5 times, most recently from 37a79a3 to fe3ac9d Compare December 19, 2018 13:45
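
An added example, not doctl's code, of the caching behaviour the description above outlines: an exec plugin reuses a cached ExecCredential until its `expirationTimestamp` passes and keeps the cache file owner-only, since it holds a client key. The function name `cachedCredential`, the `fetch` callback and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"time"
)

// ExecCredential holds the fields kubectl reads from an exec plugin's stdout.
type ExecCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		ExpirationTimestamp   time.Time `json:"expirationTimestamp"`
		ClientCertificateData string    `json:"clientCertificateData"`
		ClientKeyData         string    `json:"clientKeyData"`
	} `json:"status"`
}

// cachedCredential (hypothetical name) reuses an unexpired cache entry, else calls fetch.
func cachedCredential(path string, now time.Time, fetch func() (*ExecCredential, error)) (*ExecCredential, bool, error) {
	if raw, err := os.ReadFile(path); err == nil {
		var c ExecCredential
		if json.Unmarshal(raw, &c) == nil && now.Before(c.Status.ExpirationTimestamp) {
			return &c, true, nil // hit: no API call, same cert and key as last time
		}
	}
	c, err := fetch() // cache missing, corrupt or expired
	if err != nil {
		return nil, false, err
	}
	raw, _ := json.Marshal(c)
	if err = os.MkdirAll(filepath.Dir(path), 0700); err == nil {
		if err = os.WriteFile(path, raw, 0600); err == nil { // file holds a private key
			err = os.Chmod(path, 0600) // WriteFile keeps the mode of a pre-existing file
		}
	}
	return c, false, err
}

func main() { // demo: fetch stands in for the API call and returns constructed data
	fetch := func() (*ExecCredential, error) {
		c := &ExecCredential{APIVersion: "client.authentication.k8s.io/v1beta1", Kind: "ExecCredential"}
		c.Status.ExpirationTimestamp = time.Now().Add(time.Hour)
		return c, nil
	}
	c, _, _ := cachedCredential(filepath.Join(os.TempDir(), "exec-cred-demo", "constructed-uuid.json"), time.Now(), fetch)
	json.NewEncoder(os.Stdout).Encode(c)
}
```
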
@bouk (Contributor, Author) commented Dec 19, 2018

If you want to give it a shot locally, just check out my branch, run `go get github.com/digitalocean/doctl/cmd/doctl` and then `doctl k8s cluster create ...` or `doctl k8s cluster kubeconfig save ...`

Then look at the kubernetes config with `kubectl config view`

@nanzhong (Member) left a comment

Looking through the docs on exec plugins I see:

> Alternatively, a PEM-encoded client certificate and key can be returned to use TLS client auth. If the plugin returns a different certificate and key on a subsequent call, k8s.io/client-go will close existing connections with the server to force a new TLS handshake.

Trying to grok my head around what situations client-go will hold onto multiple connections 🤔 and what the implications are for us, since we do generate a new cert on each api call.

@bouk bouk force-pushed the k8s-refresh-config branch 2 times, most recently from 2eb8d2b to fa59fe1 Compare December 20, 2018 14:30
@bouk (Contributor, Author) commented Dec 20, 2018

@fatih I've improved the errors, please take another look

@fatih (Contributor) commented Dec 21, 2018

lgtm 👍

@bouk bouk merged commit 3db4336 into master Dec 21, 2018
@bouk bouk deleted the k8s-refresh-config branch December 21, 2018 13:24