-
Notifications
You must be signed in to change notification settings - Fork 38.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
initial config plugin framework for kubectl and mesosphere/acs impl #21553
Conversation
GCE e2e test build/test passed for commit a9ef36c. |
cc @smarterclayton @kubernetes/kubectl |
return err | ||
} | ||
} | ||
pluginEnv := os.Getenv("KUBECTL_PLUGINS") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why wouldn't we activate plugins from config or via presence of an on disk marker? Why environment instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
implementing this outside of config gives a plugin the change to alter the config loading process/rules. specifically w/ respect to flag processing. if config plugin activation was driven by a config file ... it would seem to further complicate the loading rules for config processing. for example, if I wanted to add a --dcos-token
flag override how would I do that? require another pass over the config file(s) after the plugins have been activated?
cc @kubernetes/sig-api-machinery |
use case 1: mesosphere's DCOS uses a proprietary authentication scheme. use case 2: DCOS users don't want to manage kubecfg files directly, we want use case 3: it's possible that DCOS tokens may time out and that upon the code sketch here uses DCOS_TOKEN as a method of consuming a token from I didn't see a way to add arbitrary metadata into a config file (perhaps from the conv on slack it appeared that @cjcullen was also interested in On Mon, Feb 22, 2016 at 2:35 PM, Brian Grant notifications@github.com
|
@bgrant0607 Yeah, I'd like to be able to pass gcloud credentials in my Authorization header (see my comment in the commit). I think this would be much cleaner as a config-driven plugin system. My thoughts were that we'd add a field in the user object of the kubecfg file. E.g.:
The "dcos" plugin could then do whatever it needed to the transport (in the "google" case, we'd use the Google ApplicationDefaultCredentials library to get a valid bearer token). @jdef This would work for your Use Case 1 and Use Case 3. |
Agreed, use case #2 could be solved in other ways. With respect to where you have "auth-plugin" in the above config, why is it On Tue, Feb 23, 2016 at 6:50 PM, CJ Cullen notifications@github.com wrote:
|
I leaned towards user-scoped because it felt like it paralleled the current setup. We don't prescribe that client-cert/token/password-auth is chosen per-cluster; we let a single cluster have multiple users that authenticate in different ways. On the server-side, we provide chained authentication plugins, so allowing different client-plugins for a single cluster would mirror that. That said, it doesn't seem crazy to me to have it cluster-scoped. I think it comes down to whether we want multiple users of a cluster to be able to use different auth modes. Most use-cases would probably be fine with a single client-plugin per cluster for now, but it seems like we might be painting ourselves into a corner. |
// NewFactory creates a factory with the default Kubernetes resources defined | ||
// if optionalClientConfig is nil, then flags will be bound to a new clientcmd.ClientConfig. | ||
// if optionalClientConfig is not nil, then this factory will make use of it. | ||
func NewFactory(optionalClientConfig clientcmd.ClientConfig) *Factory { | ||
func NewFactory(optionalClientConfig clientcmd.ClientConfig, configOptions ...ConfigOption) *Factory { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is how we should be doing this. If this does become a recommended way to change the kubectl factory, I think the code is more coherent if a certain kind of plugin can provide a different factory implementation. This is actually why the factory exists: it is the way to specify behavior that is otherwise global to kubectl commands.
Trying to handle this as an argument that "flavors" the return value for "the one area I want to touch" effectively means passing this list to every bit down the chain of factory creation. This makes it easy for the one you're adding, but structurally harder for everyone following you.
@jdef PR needs rebase |
yep, just finished review. thanks! On Wed, Mar 16, 2016 at 2:38 PM, CJ Cullen notifications@github.com wrote:
|
@cjcullen Can this be closed? |
closing this out, needs a new PR based on #23066 |
there's a need for customizing kubectl config at runtime via plugins. kubectl flag parsing and overrides, config loading rules, etc. are complex and we need to keep the default case as clear as possible:
KUBECTL_PLUGINS
envvar may contain a comma-separated list of plugin names for kubectl to "activate" at runtime.if there's agreement that this approach is OK then I'll write up some unit tests to go along with it
/cc @cjcullen @roberthbailey @jlowdermilk
supersedes #21527