Support persisting config from kubecfg AuthProvider plugins

[cjcullen]

Plumbs through an interface to the plugin that can persist a map[string]string config for just that plugin. Also adds config to the AuthProvider serialization type, and Login() to the AuthProvider plugin interface.
Modified the gcp AuthProvider to cache short-term access tokens in the kubecfg file.

Builds on #23066
@bobbyrullo @deads2k @jlowdermilk @erictune

[cjcullen]

Copied over comments from old commit:

@deads2k: I kind of want methods to give me back persisters of a given shape.

@cjcullen: What do you mean by this?

[bobbyrullo]

@deads2k you mean strongly-typed persisters? How would one do that in Go, given the lack of generics, templating, etc.

[deads2k]

@deads2k you mean strongly-typed persisters? How would one do that in Go, given the lack of generics, templating, etc.

Yeah, that's what I meant, but without generics or templating I can see that the effort would be too great to be worth it.

My main fear is trying to put the burden of building the persistAuthProviderConfigForUser on the caller to a new config. I don't think most callers will pass anything other than nil and that will produce problems later.

[cjcullen]

Any caller that has the ability to persist should be able to handle providing a persister without too much trouble. A caller that doesn't have a notion of persisting the config may not be able to provide a persister, in which case the plugin should handle a nil persister gracefully.

Is that a reasonable assertion for now?

[deads2k]

I think we'll want to provide people the option for two different methods. Something like InteractiveAuthentication(io.Reader, io.Writer, io.Writer) error and NonInteractiveAuthentication() error. I'm pretty sure that @bobbyrullo's flow doesn't require user interaction in refresh cases (no matter where the refresh token actually lives).

[cjcullen]

With that split, how would the caller know which one to call?

I'm guessing that the standard case for Interactive would be Stdin/Stdout. The provider plugin can create its own Reader/Writer if it needs them.

I know that we pass through os.Stdin as the "fallbackReader" in the interactive basic-auth case. Are their expected cases where we think Stdin/Stdout won't be the right place for an interactive login?

[bobbyrullo]

@deads2k: For the refresh case I don't think we need to add anything to the interface: The RoundTripper that is returned by WrapTransport should be able to handle that as necessary (eg, when short term creds are about to expire/have expired), as long as it can get a Persister.

So I think we only need a method for getting the initial credentials, which I would think it's safe to assume, will always require some sort of user interaction.

[cjcullen]

@deads2k: Ping on this question. Do we need to disambiguate the flows at the plugin level? Can't we just defer to letting the plugin modify its config however it likes (either interactively or non-interactively)?

[deads2k]

@deads2k: Ping on this question. Do we need to disambiguate the flows at the plugin level? Can't we just defer to letting the plugin modify its config however it likes (either interactively or non-interactively)?

I feel like I'm missing something. If this requires user interaction, they'll need an io.Reader, right? I could live with a nil reader meaning, "non-interactive", but they'll still need one, right?

[cjcullen]

I see. You're thinking we may want the option to interactively login through the command line (w/ Readers/Writers provided by kubectl)?

Neither @bobbyrullo's use case or mine would need this right now. Can we defer on adding this to the plugin until we have a user?

[deads2k]

Neither @bobbyrullo's use case or mine would need this right now. Can we defer on adding this to the plugin until we have a user?

If you update the comment to say that it "must not require user interaction", then ok.

[cjcullen]

I'm expecting that it might require user interaction, just not through the command line (passing an io.Reader). I'll change the comment to try to reflect this. I'm mostly going to defer its usage (and any necessary changes) to @bobbyrullo, because it isn't currently used anywhere.

[bobbyrullo]

yes that's true - for my case, we'll spawn a browser.

[bobbyrullo]

@cjcullen : This all looks good for my case.

[deads2k]

This doesn't look right. Seems like you should be building the ConfigAccess from the LoadingRules since they're giving (I think) the same information about where you're loading the config from.

It might even be appropriate to have the ClientConfig interface have a method for getting its ConfigAccess.

[cjcullen]

Ok. I've tried to only pass around a ConfigAccess (which contains LoadingRules).

[deads2k]

bad comment?

[cjcullen]

Yup. Fixed.

[deads2k]

Can't ClientConfigLoadingRules implement this interface?

GetLoadingPrecedence -> return Precedence
GetStartingConfig() -> call through to NewNonInteractiveDeferredLoadingClientConfig with no overrides?
GetDefaultFilename -> explicit if you have one, otherwise first existing from precedence, otherwise first from precedence
IsExplicitFilename -> len(explicitpath)
GetExplicitFile -> explicitPath

Seems like that about covers it and would eliminate the duplicate information.

[cjcullen]

Well that makes everything a heck of a lot cleaner. Good catch.

[deads2k]

That fell out pretty well. I think you can actually get the existing struct to conform to the interface to simplify a little more.

[cjcullen]

Cleaned up the redundancy. If it looks good, I'd like to squash that last commit before merge.

[deads2k]

ConfigAccess here and elsewhere in this file?

[cjcullen]

Done.

[deads2k]

lgtm

[cjcullen]

Squashed & pushed.

[bobbyrullo]

Would it make sense for the config to be a map[string]interface so that it could support lists of strings as well? I just ran into this case in the work I am doing; I could just as well have a comma-separated list of strings but it's not ideal.

Sorry for saying this so late in the game but it didn't occur to me until I started working with it.

[cjcullen]

I'd eventually (post 1.3) be interested in making the config use runtime.RawExtension/runtime.Object so that plugins could have strongly typed config. Would you be okay w/ map[string]string until we move to that? If not, I'd be fine with you making the changes in a following PR.

[deads2k]

Would it make sense for the config to be a map[string]interface so that it could support lists of strings as well?

map[string]interface{} won't work well because we're trying to serialize the data out into json.

map[string]string works well, map[string][]string also works fine. I don't have any objection to tweaking the type to map[string][]string in this pull or in a very close followup. The datatype change would be a breaking serialization change for kubeconfig files, so we'd have to change it before anyone gets a chance to use it.

[cjcullen]

Hmmm. I'd rather keep it as map[string]string then.

@bobbyrullo, how bad would it be for your case to just use strings.Split for a comma-separated list of strings?

[bobbyrullo]

strings.Split is just fine.

[cjcullen]

PR didn't actually change, I just rebased and repushed to try to unstick the pr-builder.

[k8s-bot]

GCE e2e build/test passed for commit 13a7d92.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[k8s-github-robot]

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

[k8s-bot]

GCE e2e build/test passed for commit 13a7d92.

• Build Log
• Test Artifacts
• Internal Jenkins Results

[k8s-github-robot]

Automatic merge from submit-queue