feat(k8s): rework kubeconfig handling (#4137)

Author: jtherin

cmd/scw/testdata/test-all-usage-k8s-kubeconfig-get-usage.golden

@@ -9,9 +9,16 @@ EXAMPLES:
  Get the kubeconfig for a given cluster
  scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111
 
+ Get the kubeconfig for a given cluster by copying current secret_key to it
+ scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+
+ Get the kubeconfig for a given cluster and use legacy authentication
+ scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=legacy
+
 ARGS:
- cluster-id Cluster ID from which to retrieve the kubeconfig
- [region=fr-par] Region to target. If none is passed will use default region from the config
+ cluster-id Cluster ID from which to retrieve the kubeconfig
+ [auth-method=cli] Which method to use to authenticate using kubelet (cli | copy-cli-token | legacy)
+ [region=fr-par] Region to target. If none is passed will use default region from the config
 
 FLAGS:
  -h, --help help for get

cmd/scw/testdata/test-all-usage-k8s-kubeconfig-install-usage.golden

@@ -10,8 +10,15 @@ EXAMPLES:
  Install the kubeconfig for a given cluster and using the new context
  scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111
 
+ Get the kubeconfig for a given cluster by copying current secret_key to it
+ scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+
+ Get the kubeconfig for a given cluster and use legacy authentication
+ scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=legacy
+
 ARGS:
  cluster-id Cluster ID from which to retrieve the kubeconfig
+ [auth-method=cli] Which method to use to authenticate using kubelet (cli | copy-cli-token | legacy)
  [keep-current-context] Whether or not to keep the current kubeconfig context unmodified
  [region=fr-par] Region to target. If none is passed will use default region from the config
 

docs/commands/k8s.md

@@ -640,6 +640,7 @@ scw k8s kubeconfig get <cluster-id ...> [arg=value ...]
 | Name | | Description |
 |------|---|-------------|
 | cluster-id | Required | Cluster ID from which to retrieve the kubeconfig |
+| auth-method | Default: `cli`<br />One of: `cli`, `copy-cli-token`, `legacy` | Which method to use to authenticate using kubelet |
 | region | Default: `fr-par` | Region to target. If none is passed will use default region from the config |
 
 
@@ -651,6 +652,16 @@ Get the kubeconfig for a given cluster
 scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111
 ```
 
+Get the kubeconfig for a given cluster by copying current secret_key to it
+```
+scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+```
+
+Get the kubeconfig for a given cluster and use legacy authentication
+```
+scw k8s kubeconfig get 11111111-1111-1111-1111-111111111111 auth-method=legacy
+```
+
 
 
 
@@ -671,6 +682,7 @@ scw k8s kubeconfig install <cluster-id ...> [arg=value ...]
 | Name | | Description |
 |------|---|-------------|
 | cluster-id | Required | Cluster ID from which to retrieve the kubeconfig |
+| auth-method | Default: `cli`<br />One of: `cli`, `copy-cli-token`, `legacy` | Which method to use to authenticate using kubelet |
 | keep-current-context | | Whether or not to keep the current kubeconfig context unmodified |
 | region | Default: `fr-par` | Region to target. If none is passed will use default region from the config |
 
@@ -683,6 +695,16 @@ Install the kubeconfig for a given cluster and using the new context
 scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111
 ```
 
+Get the kubeconfig for a given cluster by copying current secret_key to it
+```
+scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=copy-cli-token
+```
+
+Get the kubeconfig for a given cluster and use legacy authentication
+```
+scw k8s kubeconfig install 11111111-1111-1111-1111-111111111111 auth-method=legacy
+```
+
 
 
 

internal/namespaces/k8s/v1/custom.go

@@ -1,9 +1,13 @@
 package k8s
 
 import (
+"context"
+"errors"
+
 "github.com/scaleway/scaleway-cli/v2/core"
 "github.com/scaleway/scaleway-cli/v2/core/human"
 k8s "github.com/scaleway/scaleway-sdk-go/api/k8s/v1"
+"github.com/scaleway/scaleway-sdk-go/scw"
 )
 
 // GetCommands returns cluster commands.
@@ -60,3 +64,25 @@ func GetCommands() *core.Commands {
 
 return cmds
 }
+
+func extractSecretKey(ctx context.Context) (string, error) {
+config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
+profileName := core.ExtractProfileName(ctx)
+
+switch {
+// Environment variable check
+case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
+return core.ExtractEnv(ctx, scw.ScwSecretKeyEnv), nil
+// There is no config file
+case config == nil:
+return "", errors.New("config not provided")
+// Config file with profile name
+case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
+return *config.Profiles[profileName].SecretKey, nil
+// Default config
+case config.SecretKey != nil:
+return *config.SecretKey, nil
+}
+
+return "", errors.New("unable to find secret key")
+}

internal/namespaces/k8s/v1/custom_cluster_test.go

@@ -10,25 +10,25 @@ import (
 func Test_GetCluster(t *testing.T) {
 t.Run("Simple", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
-BeforeFunc: createCluster("get-cluster", "Cluster", kapsuleVersion, 1, "DEV1-M"),
+BeforeFunc: createCluster("get-cluster", 1, "DEV1-M"),
 Cmd: "scw k8s cluster get {{ .Cluster.ID }}",
 Check: core.TestCheckCombine(
 core.TestCheckGolden(),
 core.TestCheckExitCode(0),
 ),
-AfterFunc: deleteCluster("Cluster"),
+AfterFunc: deleteCluster(),
 }))
 }
 
 func Test_WaitCluster(t *testing.T) {
 t.Run("wait for pools", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
-BeforeFunc: createCluster("wait-cluster", "Cluster", kapsuleVersion, 1, "GP1-XS"),
+BeforeFunc: createCluster("wait-cluster", 1, "GP1-XS"),
 Cmd: "scw k8s cluster wait {{ .Cluster.ID }} wait-for-pools=true",
 Check: core.TestCheckCombine(
 core.TestCheckGolden(),
 core.TestCheckExitCode(0),
 ),
-AfterFunc: deleteCluster("Cluster"),
+AfterFunc: deleteCluster(),
 }))
 }

internal/namespaces/k8s/v1/custom_execcredentials.go

@@ -3,12 +3,9 @@ package k8s
 import (
 "context"
 "encoding/json"
-"errors"
-"fmt"
 "reflect"
 
 "github.com/scaleway/scaleway-cli/v2/core"
-"github.com/scaleway/scaleway-sdk-go/scw"
 "github.com/scaleway/scaleway-sdk-go/validation"
 )
 
@@ -28,39 +25,20 @@ func k8sExecCredentialCommand() *core.Command {
 }
 
 func k8sExecCredentialRun(ctx context.Context, _ any) (i any, e error) {
-config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
-profileName := core.ExtractProfileName(ctx)
-
-var token string
-switch {
-// Environment variable check
-case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
-token = core.ExtractEnv(ctx, scw.ScwSecretKeyEnv)
-// There is no config file
-case config == nil:
-return nil, errors.New("config not provided")
-// Config file with profile name
-case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
-token = *config.Profiles[profileName].SecretKey
-// Default config
-case config.SecretKey != nil:
-token = *config.SecretKey
-default:
-return nil, errors.New("unable to find secret key")
+secretKey, err := extractSecretKey(ctx)
+if err != nil {
+return nil, err
 }
 
-if !validation.IsSecretKey(token) {
-return nil, fmt.Errorf(
-"invalid secret key format '%s', expected a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
-token,
-)
+if !validation.IsSecretKey(secretKey) {
+return nil, core.InvalidSecretKeyError(secretKey)
 }
 
 execCreds := ExecCredential{
 APIVersion: "client.authentication.k8s.io/v1",
 Kind: "ExecCredential",
 Status: &ExecCredentialStatus{
-Token: token,
+Token: secretKey,
 },
 }
 response, err := json.MarshalIndent(execCreds, "", " ")

internal/namespaces/k8s/v1/custom_execcredentials_test.go

@@ -20,7 +20,9 @@ const (
 )
 
 func Test_ExecCredential(t *testing.T) {
-// expect to return default secret_key
+////
+// Simple expect to return current secret_key
+////
 t.Run("simple", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
 TmpHomeDir: true,
@@ -37,7 +39,9 @@ func Test_ExecCredential(t *testing.T) {
 ),
 }))
 
+////
 // expect to return 66666666-6666-6666-6666-666666666666
+////
 t.Run("with scw_secret_key env", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
 TmpHomeDir: true,
@@ -53,7 +57,9 @@ func Test_ExecCredential(t *testing.T) {
 ),
 }))
 
+////
 // expect to return p2 secret_key
+////
 t.Run("with profile env", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
 TmpHomeDir: true,
@@ -71,7 +77,9 @@ func Test_ExecCredential(t *testing.T) {
 ),
 }))
 
+////
 // expect to return p3 secret_key
+////
 t.Run("with profile flag", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
 TmpHomeDir: true,
@@ -88,7 +96,9 @@ func Test_ExecCredential(t *testing.T) {
 ),
 }))
 
+////
 // expect to return p3 secret_key
+////
 t.Run("with profile env and flag", core.Test(&core.TestConfig{
 Commands: k8s.GetCommands(),
 TmpHomeDir: true,
@@ -111,12 +121,16 @@ func beforeFuncCreateConfigFile(c *scw.Config) core.BeforeFunc {
 return func(ctx *core.BeforeFuncCtx) error {
 homeDir := ctx.OverrideEnv["HOME"]
 scwDir := path.Join(homeDir, ".config", "scw")
-err := os.MkdirAll(scwDir, 0o0755)
-if err != nil {
+if err := os.MkdirAll(scwDir, 0o0755); err != nil {
+return err
+}
+
+scwPath := path.Join(scwDir, "config.yaml")
+if err := c.SaveTo(scwPath); err != nil {
 return err
 }
 
-return c.SaveTo(path.Join(scwDir, "config.yaml"))
+return nil
 }
 }