feat: kubeconfig token passthrough authentication for WGE commands in CLI #2410
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- The controller-runtime config package supports the --kubeconfig flag via the `flag` stdlib package. - This change is made to avoid a conflict
- Pass config.Options to adapters.NewHTTPClient
jmickey
force-pushed
the
feat/cli-kubeconfig-auth
branch
from
56f4e67
to
ec86b7c
Compare
jmickey
force-pushed
the
feat/cli-kubeconfig-auth
branch
from
ec86b7c
to
ae57988
Compare
ozamosi
reviewed
Jul 8, 2022
RootCmd now accepts *adapters.HTTPClient instead of *resty.Client. The adapters.NewHTTPClient function now returns a barebones HTTPClient. The *HTTPClient.EnableCLIAuth() configures an authFunc that is called when the client is configured via the ConfigureClientWithOptions method from within the PersistentPreRun in the RootCmd. This removes unnecessary code duplication such as having to call adapters.NewHttpClient in every command, and the need to configure DisableAuth in unit tests, either with a CLI flag, or within the config.Options object.
jmickey
force-pushed
the
feat/cli-kubeconfig-auth
branch
from
5d4f17d
to
be4a596
Compare
foot
reviewed
Jul 11, 2022
|
Whoop! Works for me, except w/
|
ozamosi
approved these changes
Jul 14, 2022
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes weaveworks/weave-gitops-enterprise#692
Closes weaveworks/weave-gitops-enterprise#582
What changed?
configpackage out ofinternalas it needs to be accessed by higher level packages.--kubeconfigflag on thegitops get clusterscommand as this now causes a conflict with the root--kubeconfigflag. The root flag is required in order to set the--kubeconfigflag within theflagpackage so thatkubernetes-sigs/controller-runtime/client/configcan find the kubeconfig if a custom location is passed.*rest.Configfrom thekubeconfig, and generate ahttp.RoundTripperfrom theclient-go/restpackage. Thishttp.RoundTripperwill handle the authentication requirements, generating atransport.BearerTokenand apply it to the request header.Authorizationheader exists, we store the header within the current context. The token will then be applied to theKubeHTTPClientwhen requests are made to the management cluster.adapters.HTTPClient. The client is now instantiated with auth in main and passed to root, rather than passing aresty.Client. In theCmdRunEfunction for each command we configure the client with theclient.ConfigureClientWithOptionsmethod, which configures the client with the necessary information to complete a request (e.g. Endpoint, TLS config) and handles auth if enabled.Why was this change made?
The
gitopsCLI doesn't currently support authentication and therefore all enterprise CLI commands fail.How was this change implemented?
When the user issues a CLI command that requires authentication to the Weave GitOps Enterprise server they are able to supply either a username/password, or a kubeconfig file that is valid to the Kubernetes management cluster. If no username or password is provided, then we default to the kubeconfig with the following prededence:
If a valid kubeconfig is located the CLI will generate a
(client-go/rest) *rest.Configwhich is then used to generate ahttp.RoundTripperthat will apply the necessary authentication information to the request (see: https://pkg.go.dev/k8s.io/client-go/rest#TransportFor).Once the request is made and received by the server we check if the incoming request contains an
Authorizationheader. If so, we store this token within the requestcontext.Contextand continue. This token is then extracted later when building the*rest.Configthat will be used to make requests from the WGE server to the Kubernetes API on the management server.How did you validate the change?
Change validated locally by running the
cluster-servicepointing to the demo cluster and issuing a command from the CLI to the local service. The CLI command returned successfully.Release notes
--kubeconfigflag on thegitops get clusters <cluster_name>command has been renamed to--print-kubeconfigkubeconfigcontext for the management cluster which supplies an Authorization token.gitopscommands that require authentication now support the--kubeconfig <location>flag, allowing users to specify a custom kubeconfig location. TheKUBECONFIGenvironment variable is also supported. If neither is specified$HOME/.kube/configwill be used.