
Merge pull request #72 from christopherhein/feature/add-kubectl-output
Adding support for kubectl ExecCredential output
nckturner authored Apr 12, 2018
2 parents 55067d3 + 562cc3e commit 3b5322c
Showing 1,480 changed files with 148,982 additions and 14,121 deletions.
18 changes: 14 additions & 4 deletions Gopkg.lock


19 changes: 16 additions & 3 deletions README.md
Expand Up @@ -82,13 +82,26 @@ systemctl restart kubelet.service
```

### 4. Set up kubectl to use Heptio Authenticator for AWS tokens

> This requires a 1.10+ `kubectl` binary to work. If you receive `Please enter Username:` when trying to use `kubectl` you need to update to the latest `kubectl`
Finally, once the server is set up you'll want to authenticate!
You will still need a `kubeconfig` that has the public data about your cluster (cluster CA certificate, endpoint address).
The `users` section of your configuration, however, can be mostly blank:
The `users` section of your configuration, however, should include an exec section ([refer to the v1.10 docs](https://kubernetes.io/docs/admin/authentication/#client-go-credential-plugins))::
```yaml
# [...]
users:
- name: kubernetes-admin
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "CLUSTER_ID"
- "-r"
- "ROLE_ARN"
# no client certificate/key needed here!
```
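Review bot: the replacement sentence introducing the `users` section ends in a doubled colon (`v1.10 docs](https://kubernetes.io/docs/admin/authentication/#client-go-credential-plugins))::`); make it a single colon. Two caveats belong in this section as well. `command: heptio-authenticator-aws` is resolved through the `PATH` of the user running kubectl, so a binary installed outside `PATH`, or a different binary of the same name earlier in it, produces a confusing exec failure rather than an authentication error; recommend an absolute path, or at least `which heptio-authenticator-aws`, before the first `kubectl` run. And `apiVersion: client.authentication.k8s.io/v1alpha1` in the kubeconfig has to match the version the authenticator writes into its ExecCredential; since this is an alpha API, say so explicitly, because the kubeconfig will need to change when kubectl moves past v1alpha1.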

Expand All @@ -98,8 +111,8 @@ It may make sense to upload it to a trusted public location such as AWS S3.
Make sure you have the `heptio-authenticator-aws` binary installed.
You can install it with `go get -u -v github.com/heptio/authenticator/cmd/heptio-authenticator-aws`.

To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig --token "$(heptio-authenticator-aws token -i CLUSTER_ID -r ROLE_ARN)" [...]`.
You can simplify this with an alias or shell wrapper.
To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig" [...]`.
kubectl will `exec` the `heptio-authenticator-aws` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver.
The token is valid for 15 minutes (the shortest value AWS permits) and can be reused multiple times.

You can also omit `-r ROLE_ARN` to sign the token with your existing credentials without assuming a dedicated role.
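Review bot: the new invocation line carries a stray quote, `kubectl --kubeconfig /path/to/kubeconfig" [...]`; drop the `"`. Removing the `--token "$(heptio-authenticator-aws token -i CLUSTER_ID -r ROLE_ARN)"` form also deserves a sentence: `token` now prints ExecCredential JSON, so that command no longer works as previously documented, and the README should say the raw-token form is gone (or document a flag that restores it) rather than silently dropping it. Finally, "can be reused multiple times" is true of the token but easy to misread: every `kubectl` invocation is a new process and execs the plugin again, so a fresh presigned STS URL is generated per command regardless of the 15-minute validity.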
4 changes: 2 additions & 2 deletions cmd/heptio-authenticator-aws/token.go
Expand Up @@ -35,7 +35,7 @@ var tokenCmd = &cobra.Command{
clusterID := viper.GetString("clusterID")

if clusterID == "" {
fmt.Fprintf(os.Stderr, "error: cluster ID not specified\n")
fmt.Fprintf(os.Stderr, "Error: cluster ID not specified\n")
cmd.Usage()
os.Exit(1)
}
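Review bot: capitalizing this message to `Error: cluster ID not specified` leaves it inconsistent with `could not get token: %v` a few lines below, which stays lowercase; pick one convention for the command's stderr output (Cobra itself prefixes usage errors with `Error:`, so matching that is reasonable, but then the second message should follow). Minor: `cmd.Usage()` returns an error that is discarded here; `_ = cmd.Usage()` makes that deliberate.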
Expand All @@ -58,7 +58,7 @@ var tokenCmd = &cobra.Command{
fmt.Fprintf(os.Stderr, "could not get token: %v\n", err)
os.Exit(1)
}
fmt.Println(tok)
fmt.Println(gen.FormatJSON(tok))
},
}
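Review bot: replacing `fmt.Println(tok)` with `fmt.Println(gen.FormatJSON(tok))` changes the command's output contract unconditionally. Anything that consumed the bare token, including the `--token "$(heptio-authenticator-aws token ...)"` form the README used to document and any server-side tooling that pipes the output into `verify`, now receives a JSON document instead. Consider gating the ExecCredential output behind a flag (or keeping a raw-output option) rather than replacing the plain form, and call out the break in the release notes. Also, because `FormatJSON` returns only a `string`, a marshal failure would print an empty line here and exit 0; returning an error and handling it like the `could not get token` branch above keeps the failure visible.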

19 changes: 19 additions & 0 deletions pkg/token/token.go
Expand Up @@ -33,6 +33,8 @@ import (
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/heptio/authenticator/pkg/arn"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
)
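Review bot: `FormatJSON` calls `json.Marshal`, but this import block only gains `metav1` and `clientauthv1alpha1`; confirm `encoding/json` is already imported above the shown lines, otherwise the file does not build. Pinning to `k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1` also ties the build to a client-go revision that still ships that alpha package; the large vendor update in this PR is what provides it, so the new `Gopkg.lock` constraint is worth a line in the commit message.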

// Identity is returned on successful Verify() results. It contains a parsed
Expand Down Expand Up @@ -126,6 +128,8 @@ type Generator interface {
Get(string) (string, error)
// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
GetWithRole(clusterID, roleARN string) (string, error)
// FormatJSON returns the client auth formatted json for the ExecCredential auth
FormatJSON(string) string
}

type generator struct {
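Review bot: `FormatJSON(string) string` on the `Generator` interface cannot report failure, and the method uses no generator state (it only wraps a token string), so it fits better as a package-level `func FormatJSON(token string) (string, error)` than as an interface method every `Generator` implementation and test double now has to satisfy. If it stays on the interface, the doc comment should name the format it emits (a `client.authentication.k8s.io/v1alpha1` `ExecCredential`) so callers know the output is bound to that alpha API version.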
Expand Down Expand Up @@ -189,6 +193,21 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error)
return v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), nil
}

// FormatJSON formats the json to support ExecCredential authentication
func (g generator) FormatJSON(token string) string {
execInput := &clientauthv1alpha1.ExecCredential{
TypeMeta: metav1.TypeMeta{
APIVersion: "client.authentication.k8s.io/v1alpha1",
Kind: "ExecCredential",
},
Status: &clientauthv1alpha1.ExecCredentialStatus{
Token: token,
},
}
enc, _ := json.Marshal(execInput)
return string(enc)
}

// Verifier validates tokens by calling STS and returning the associated identity.
type Verifier interface {
Verify(token string) (*Identity, error)
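Review bot: `enc, _ := json.Marshal(execInput)` discards the error; marshaling this struct will not realistically fail today, but silently returning `""` is the kind of thing that bites once fields are added, so return `(string, error)` or at minimum panic on the impossible case. Two smaller points in the same function: the `APIVersion` literal `client.authentication.k8s.io/v1alpha1` must agree both with the imported package and with the `apiVersion` users put in their kubeconfig, so derive it from the package's `SchemeGroupVersion.String()` rather than hand-writing it; and the status carries only `Token`, while the README states the token is valid for 15 minutes. If the vendored `ExecCredentialStatus` exposes `ExpirationTimestamp` (`metav1` is already imported here), populating it with the presigned URL's expiry tells kubectl when to re-run the plugin instead of leaving it to discover expiry from an apiserver 401.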
2 changes: 2 additions & 0 deletions vendor/k8s.io/api/.github/PULL_REQUEST_TEMPLATE.md


7 changes: 7 additions & 0 deletions vendor/k8s.io/api/CONTRIBUTING.md


124 changes: 26 additions & 98 deletions vendor/k8s.io/api/Godeps/Godeps.json


2 changes: 2 additions & 0 deletions vendor/k8s.io/api/Godeps/OWNERS


1 change: 0 additions & 1 deletion vendor/k8s.io/api/OWNERS



0 comments on commit 3b5322c
