client-go: add an exec-based client auth provider

Kubernetes-commit: 6463e9efd9ba552e60d2555a3e6526ef90196473

rest/config.go

@@ -77,6 +77,9 @@ type Config struct {
 	// Callback to persist config for AuthProvider.
 	AuthConfigPersister AuthProviderConfigPersister
 
+	// Exec-based authentication provider.
+	ExecProvider *clientcmdapi.ExecConfig
+
 	// TLSClientConfig contains settings to enable transport layer security
 	TLSClientConfig
 
@@ -432,6 +435,7 @@ func CopyConfig(config *Config) *Config {
 		},
 		AuthProvider:        config.AuthProvider,
 		AuthConfigPersister: config.AuthConfigPersister,
+		ExecProvider:        config.ExecProvider,
 		TLSClientConfig: TLSClientConfig{
 			Insecure:   config.TLSClientConfig.Insecure,
 			ServerName: config.TLSClientConfig.ServerName,

rest/config_test.go

@@ -269,6 +269,7 @@ func TestAnonymousConfig(t *testing.T) {
 		expected.Password = ""
 		expected.AuthProvider = nil
 		expected.AuthConfigPersister = nil
+		expected.ExecProvider = nil
 		expected.TLSClientConfig.CertData = nil
 		expected.TLSClientConfig.CertFile = ""
 		expected.TLSClientConfig.KeyData = nil

rest/transport.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"net/http"
 
+	"k8s.io/client-go/plugin/pkg/client/auth/exec"
 	"k8s.io/client-go/transport"
 )
 
@@ -59,6 +60,20 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
 // TransportConfig converts a client config to an appropriate transport config.
 func (c *Config) TransportConfig() (*transport.Config, error) {
 	wt := c.WrapTransport
+	if c.ExecProvider != nil {
+		provider, err := exec.GetAuthenticator(c.ExecProvider)
+		if err != nil {
+			return nil, err
+		}
+		if wt != nil {
+			previousWT := wt
+			wt = func(rt http.RoundTripper) http.RoundTripper {
+				return provider.WrapTransport(previousWT(rt))
+			}
+		} else {
+			wt = provider.WrapTransport
+		}
+	}
 	if c.AuthProvider != nil {
 		provider, err := GetAuthProvider(c.Host, c.AuthProvider, c.AuthConfigPersister)
 		if err != nil {