feat: kubeconfig token passthrough authentication for WGE commands in CLI #2410
Merged
- The controller-runtime config package supports the --kubeconfig flag via the `flag` stdlib package.
- This change is made to avoid a conflict
- Pass config.Options to adapters.NewHTTPClient
jmickey force-pushed the feat/cli-kubeconfig-auth branch from 56f4e67 to ec86b7c on July 7, 2022 02:40
jmickey force-pushed the feat/cli-kubeconfig-auth branch from ec86b7c to ae57988 on July 7, 2022 02:48
ozamosi reviewed Jul 8, 2022
RootCmd now accepts *adapters.HTTPClient instead of *resty.Client. The adapters.NewHTTPClient function now returns a barebones HTTPClient. The *HTTPClient.EnableCLIAuth() configures an authFunc that is called when the client is configured via the ConfigureClientWithOptions method from within the PersistentPreRun in the RootCmd. This removes unnecessary code duplication such as having to call adapters.NewHTTPClient in every command, and the need to configure DisableAuth in unit tests, either with a CLI flag or within the config.Options object.
jmickey force-pushed the feat/cli-kubeconfig-auth branch from 5d4f17d to be4a596 on July 11, 2022 04:46
foot reviewed Jul 11, 2022
Whoop! Works for me, except w/
foot approved these changes Jul 14, 2022
All looks good to me. 👌
ozamosi approved these changes Jul 14, 2022
Merged
Closes weaveworks/weave-gitops-enterprise#692
Closes weaveworks/weave-gitops-enterprise#582

What changed?

- Moved the `config` package out of `internal`, as it needs to be accessed by higher level packages.
- Renamed the `--kubeconfig` flag on the `gitops get clusters` command, as this now causes a conflict with the root `--kubeconfig` flag. The root flag is required in order to set the `--kubeconfig` flag within the `flag` package so that `kubernetes-sigs/controller-runtime/client/config` can find the kubeconfig if a custom location is passed.
- Generate a `*rest.Config` from the `kubeconfig`, and generate a `http.RoundTripper` from the `client-go/rest` package. This `http.RoundTripper` will handle the authentication requirements, generating a `transport.BearerToken` and applying it to the request header.
- If an `Authorization` header exists, we store the header within the current context. The token will then be applied to the `KubeHTTPClient` when requests are made to the management cluster.
- `adapters.HTTPClient`: the client is now instantiated with auth in main and passed to root, rather than passing a `resty.Client`. In the `CmdRunE` function for each command we configure the client with the `client.ConfigureClientWithOptions` method, which configures the client with the necessary information to complete a request (e.g. Endpoint, TLS config) and handles auth if enabled.

Why was this change made?

The `gitops` CLI doesn't currently support authentication and therefore all enterprise CLI commands fail.

How was this change implemented?

When the user issues a CLI command that requires authentication to the Weave GitOps Enterprise server, they are able to supply either a username/password, or a kubeconfig file that is valid for the Kubernetes management cluster. If no username or password is provided, then we default to the kubeconfig with the following precedence:

If a valid kubeconfig is located, the CLI will generate a (client-go/rest) `*rest.Config`, which is then used to generate a `http.RoundTripper` that will apply the necessary authentication information to the request (see: https://pkg.go.dev/k8s.io/client-go/rest#TransportFor).

Once the request is made and received by the server, we check if the incoming request contains an `Authorization` header. If so, we store this token within the request `context.Context` and continue. This token is then extracted later when building the `*rest.Config` that will be used to make requests from the WGE server to the Kubernetes API on the management server.

How did you validate the change?

Change validated locally by running the `cluster-service` pointing to the demo cluster and issuing a command from the CLI to the local service. The CLI command returned successfully.

Release notes

- `--kubeconfig` flag on the `gitops get clusters <cluster_name>` command has been renamed to `--print-kubeconfig`
- `kubeconfig` context for the management cluster which supplies an Authorization token.
- `gitops` commands that require authentication now support the `--kubeconfig <location>` flag, allowing users to specify a custom kubeconfig location. The `KUBECONFIG` environment variable is also supported. If neither is specified, `$HOME/.kube/config` will be used.
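The server-side token passthrough described in the PR body, as an added example that is not code from this PR or from weave-gitops. It uses only the Go standard library, so the `rest.TransportFor` round tripper on the CLI side is stood in for by setting the `Authorization` header directly, and `withToken`, `TokenFromContext` and `ForwardedToken` are hypothetical names for the middleware, the context lookup that would feed the server's `*rest.Config`, and an in-process replay of one request.

```go
package main
import (
	"context"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

type tokenKey struct{} // unexported key type: other packages cannot read or overwrite the token
// tokenFromHeader accepts only "Bearer <token>" (scheme case-insensitive, RFC 6750) and rejects an empty token.
func tokenFromHeader(h string) (string, bool) {
	scheme, tok, found := strings.Cut(h, " ")
	tok = strings.TrimSpace(tok)
	return tok, found && strings.EqualFold(scheme, "Bearer") && tok != ""
}
// withToken is the server-side middleware: the token lives only in the request context, not in a struct that may be logged.
func withToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok, ok := tokenFromHeader(r.Header.Get("Authorization")); ok {
			r = r.WithContext(context.WithValue(r.Context(), tokenKey{}, tok))
		}
		next.ServeHTTP(w, r)
	})
}
// TokenFromContext is the lookup a handler would use when building the *rest.Config for the Kubernetes API; a missing token is an error, never a fallback to the server's own identity.
func TokenFromContext(ctx context.Context) (string, error) {
	if tok, _ := ctx.Value(tokenKey{}).(string); tok != "" {
		return tok, nil
	}
	return "", errors.New("no bearer token in request context")
}

// ForwardedToken replays one CLI request in-process (no network): the client sends the header the kubeconfig
// transport would add, the middleware stores it, and the handler reads it back. Returns that token and the status.
func ForwardedToken(authHeader string) (string, int) {
	var tok string
	srv := withToken(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if t, err := TokenFromContext(r.Context()); err != nil {
			w.WriteHeader(http.StatusUnauthorized) // surface the failure to the CLI instead of proceeding unauthenticated
		} else {
			tok = t
		}
	}))
	req := httptest.NewRequest(http.MethodGet, "http://wge.example/v1/clusters", nil) // constructed request
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return tok, rec.Code
}
```

The token is validated by the Kubernetes API server when the forwarded request reaches it; the middleware only carries it through, so anything that is not a non-empty bearer credential must be dropped before it can be reused upstream.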