kops/pkg/kubeconfig/kubecfg_builder.go

/*
Copyright 2019 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package kubeconfig

import (
	"fmt"

	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
	"k8s.io/klog/v2"
)

// KubeconfigBuilder builds a kubecfg file
// This logic previously lives in the bash scripts (create-kubeconfig in cluster/common.sh)
type KubeconfigBuilder struct {
	Server        string
	TLSServerName string

	Context   string
	Namespace string

	User         string
	KubeUser     string
	KubePassword string

	CACerts    []byte
	ClientCert []byte
	ClientKey  []byte

	AuthenticationExec []string
}

// Create new KubeconfigBuilder
func NewKubeconfigBuilder() *KubeconfigBuilder {
	return &KubeconfigBuilder{}
}

func (b *KubeconfigBuilder) DeleteKubeConfig(configAccess clientcmd.ConfigAccess) error {
	config, err := configAccess.GetStartingConfig()
	if err != nil {
		return fmt.Errorf("error loading kubeconfig: %v", err)
	}

	if config == nil || clientcmdapi.IsConfigEmpty(config) {
		klog.V(2).Info("kubeconfig is empty")
		return nil
	}

	delete(config.Clusters, b.Context)
	delete(config.AuthInfos, b.Context)
	delete(config.AuthInfos, fmt.Sprintf("%s-basic-auth", b.Context))
	delete(config.Contexts, b.Context)

	if config.CurrentContext == b.Context {
		config.CurrentContext = ""
	}

	if err := clientcmd.ModifyConfig(configAccess, *config, false); err != nil {
		return fmt.Errorf("error writing kubeconfig: %v", err)
	}

	fmt.Printf("Deleted kubectl config for %s\n", b.Context)
	return nil
}

// Write out a new kubeconfig
func (b *KubeconfigBuilder) WriteKubecfg(configAccess clientcmd.ConfigAccess) error {
	config, err := configAccess.GetStartingConfig()
	if err != nil {
		return fmt.Errorf("error reading kubeconfig: %v", err)
	}

	if config == nil {
		config = &clientcmdapi.Config{}
	}

	{
		cluster := config.Clusters[b.Context]
		if cluster == nil {
			cluster = clientcmdapi.NewCluster()
		}
		cluster.Server = b.Server
		cluster.TLSServerName = b.TLSServerName
		cluster.CertificateAuthorityData = b.CACerts

		if config.Clusters == nil {
			config.Clusters = make(map[string]*clientcmdapi.Cluster)
		}
		config.Clusters[b.Context] = cluster
	}

	// We avoid changing the user unless we're actually writing something
	// Issue #11537
	haveUserInfo := false

	// If the user has the same name as the context, it is the admin user
	if b.User == b.Context {
		authInfo := config.AuthInfos[b.Context]
		if authInfo == nil {
			authInfo = clientcmdapi.NewAuthInfo()
		}

		// If we are using the auth plugin, we want to clear the password & client-key,
		// otherwise the auth plugin won't be used

		usingAuthPlugin := len(b.AuthenticationExec) != 0
		if (b.KubeUser != "" && b.KubePassword != "") || usingAuthPlugin {
			authInfo.Username = b.KubeUser
			authInfo.Password = b.KubePassword

			haveUserInfo = true
		}

		if (b.ClientCert != nil && b.ClientKey != nil) || usingAuthPlugin {
			authInfo.ClientCertificate = ""
			authInfo.ClientCertificateData = b.ClientCert
			authInfo.ClientKey = ""
			authInfo.ClientKeyData = b.ClientKey

			haveUserInfo = true
		}

		if usingAuthPlugin {
			authInfo.Exec = &clientcmdapi.ExecConfig{
				APIVersion: "client.authentication.k8s.io/v1beta1",
				Command:    b.AuthenticationExec[0],
				Args:       b.AuthenticationExec[1:],
			}

			haveUserInfo = true
		}

		if haveUserInfo {
			if config.AuthInfos == nil {
				config.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
			}
			config.AuthInfos[b.Context] = authInfo
		}
	} else if b.User != "" {
		if config.AuthInfos[b.User] == nil {
			return fmt.Errorf("could not find user %q", b.User)
		}
		haveUserInfo = true
	}

	// If we have a bearer token, also create a credential entry with basic auth
	// so that it is easy to discover the basic auth password for your cluster
	// to use in a web browser.
	if b.KubeUser != "" && b.KubePassword != "" {
		name := b.Context + "-basic-auth"
		authInfo := config.AuthInfos[name]
		if authInfo == nil {
			authInfo = clientcmdapi.NewAuthInfo()
		}

		authInfo.Username = b.KubeUser
		authInfo.Password = b.KubePassword

		if config.AuthInfos == nil {
			config.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
		}
		config.AuthInfos[name] = authInfo
	}

	{
		context := config.Contexts[b.Context]
		if context == nil {
			context = clientcmdapi.NewContext()
		}

		context.Cluster = b.Context
		if haveUserInfo {
			if b.User != "" {
				context.AuthInfo = b.User
			}
		}

		if b.Namespace != "" {
			context.Namespace = b.Namespace
		}

		if config.Contexts == nil {
			config.Contexts = make(map[string]*clientcmdapi.Context)
		}
		config.Contexts[b.Context] = context
	}

	config.CurrentContext = b.Context

	if err := clientcmd.ModifyConfig(configAccess, *config, true); err != nil {
		return err
	}

	fmt.Printf("kOps has set your kubectl context to %s\n", b.Context)
	return nil
}

func (b *KubeconfigBuilder) ToRESTConfig() (*rest.Config, error) {
	restConfig := &rest.Config{}

	restConfig.Host = b.Server
	restConfig.TLSClientConfig.CAData = b.CACerts
	restConfig.TLSClientConfig.ServerName = b.TLSServerName

	usingAuthPlugin := len(b.AuthenticationExec) != 0
	if usingAuthPlugin {
		return nil, fmt.Errorf("auth plugin not yet supported by ToRESTConfig")
	}

	restConfig.CertData = b.ClientCert
	restConfig.KeyData = b.ClientKey

	return restConfig, nil
}