k8s: use ExecCredential for authentication #387
If you want to give it a shot locally, just check out my branch, run Then look at the kubernetes config with
Looking through the docs on exec plugins I see:
> Alternatively, a PEM-encoded client certificate and key can be returned to use TLS client auth. If the plugin returns a different certificate and key on a subsequent call, k8s.io/client-go will close existing connections with the server to force a new TLS handshake.

Trying to grok my head around what situations client-go will hold onto multiple connections 🤔 and what the implications are for us, since we do generate a new cert on each api call.
@fatih I've improved the errors, please take another look
lgtm 👍
This changes the behavior of saving kubeconfig locally to set up an exec plugin in the kubeconfig, which gets called to talk to our API and retrieve credentials to authenticate against the Kubernetes server.
It caches the credentials under `~/.config/doctl/cache/kubeconfig/<uuid>.json`.
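The caching behaviour described above, sketched as an added example that is not code from this pull request or from doctl: a cached ExecCredential is reused only while its file is owner-private and the credential is not about to expire. The helper name `cachedCredential`, the one-minute expiry margin, the permission check and the demo directory are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// ExecCredential: subset of client.authentication.k8s.io/v1beta1 printed on stdout.
type ExecCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		ExpirationTimestamp   time.Time `json:"expirationTimestamp"`
		ClientCertificateData string    `json:"clientCertificateData,omitempty"`
		ClientKeyData         string    `json:"clientKeyData,omitempty"`
	} `json:"status"`
}

// cachedCredential (hypothetical helper) serves id from the cache or calls fetch; hit reports which.
func cachedCredential(dir, id string, now time.Time, fetch func() (ExecCredential, error)) (c ExecCredential, hit bool, err error) {
	path := filepath.Join(dir, filepath.Base(id)+".json") // Base keeps id inside dir
	// Trust the cache only if owner-private and outside an assumed one-minute expiry margin.
	if fi, err := os.Stat(path); err == nil && fi.Mode().Perm()&0077 == 0 {
		if b, err := os.ReadFile(path); err == nil && json.Unmarshal(b, &c) == nil &&
			now.Add(time.Minute).Before(c.Status.ExpirationTimestamp) {
			return c, true, nil
		}
	}
	if c, err = fetch(); err != nil {
		return c, false, err
	}
	b, _ := json.Marshal(c) // cannot fail for this struct
	if err = os.MkdirAll(dir, 0700); err != nil {
		return c, false, err
	}
	os.Remove(path) // drop any stale file so the new one is created with mode 0600
	return c, false, os.WriteFile(path, b, 0600)
}

func main() { // demo: constructed credential, throwaway cache directory
	fetch := func() (c ExecCredential, err error) {
		c.Status.ExpirationTimestamp = time.Now().Add(time.Hour)
		return c, nil
	}
	_, hit, err := cachedCredential(filepath.Join(os.TempDir(), "cred-demo"), "example", time.Now(), fetch)
	fmt.Println("cache hit:", hit, "err:", err)
}
```

Because the cached file holds a client private key, a file readable by group or others is treated as a miss and rewritten rather than reused.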