Remove v1alpha1 of the execcredential

Signed-off-by: Margo Crawford <margaretc@vmware.com>

Kubernetes-commit: 5b690b44d08807c6434a421b0041ef685482d337
Margo Crawford
2022-03-18 10:16:11 -07:00
committed by Kubernetes Publisher
parent c47b802895
commit 28b9e26d5f
16 changed files with 39 additions and 871 deletions


@@ -42,7 +42,6 @@ import (
"k8s.io/client-go/pkg/apis/clientauthentication"
"k8s.io/client-go/pkg/apis/clientauthentication/install"
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
clientauthenticationv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"k8s.io/client-go/tools/clientcmd/api"
"k8s.io/client-go/tools/metrics"
@@ -73,9 +72,8 @@ var (
globalCache = newCache()
// The list of API versions we accept.
apiVersions = map[string]schema.GroupVersion{
clientauthenticationv1alpha1.SchemeGroupVersion.String(): clientauthenticationv1alpha1.SchemeGroupVersion,
clientauthenticationv1beta1.SchemeGroupVersion.String(): clientauthenticationv1beta1.SchemeGroupVersion,
clientauthenticationv1.SchemeGroupVersion.String(): clientauthenticationv1.SchemeGroupVersion,
clientauthenticationv1beta1.SchemeGroupVersion.String(): clientauthenticationv1beta1.SchemeGroupVersion,
clientauthenticationv1.SchemeGroupVersion.String(): clientauthenticationv1.SchemeGroupVersion,
}
)
@@ -348,11 +346,7 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
return nil, err
}
if res.StatusCode == http.StatusUnauthorized {
resp := &clientauthentication.Response{
Header: res.Header,
Code: int32(res.StatusCode),
}
if err := r.a.maybeRefreshCreds(creds, resp); err != nil {
if err := r.a.maybeRefreshCreds(creds); err != nil {
klog.Errorf("refreshing credentials: %v", err)
}
}
@@ -382,7 +376,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
return a.cachedCreds, nil
}
if err := a.refreshCredsLocked(nil); err != nil {
if err := a.refreshCredsLocked(); err != nil {
return nil, err
}
@@ -391,7 +385,7 @@ func (a *Authenticator) getCreds() (*credentials, error) {
// maybeRefreshCreds executes the plugin to force a rotation of the
// credentials, unless they were rotated already.
func (a *Authenticator) maybeRefreshCreds(creds *credentials, r *clientauthentication.Response) error {
func (a *Authenticator) maybeRefreshCreds(creds *credentials) error {
a.mu.Lock()
defer a.mu.Unlock()
@@ -402,12 +396,12 @@ func (a *Authenticator) maybeRefreshCreds(creds *credentials, r *clientauthentic
return nil
}
return a.refreshCredsLocked(r)
return a.refreshCredsLocked()
}
// refreshCredsLocked executes the plugin and reads the credentials from
// stdout. It must be called while holding the Authenticator's mutex.
func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) error {
func (a *Authenticator) refreshCredsLocked() error {
interactive, err := a.interactiveFunc()
if err != nil {
return fmt.Errorf("exec plugin cannot support interactive mode: %w", err)
@@ -415,7 +409,6 @@ func (a *Authenticator) refreshCredsLocked(r *clientauthentication.Response) err
cred := &clientauthentication.ExecCredential{
Spec: clientauthentication.ExecCredentialSpec{
Response: r,
Interactive: interactive,
},
}
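Review bot: A refresh triggered by the 401 branch of `RoundTrip` now reaches the plugin with no indication that the previous credential was rejected, because the `clientauthentication.Response` is no longer built there and `Response: r` is gone from the `ExecCredentialSpec` literal. A plugin that keeps its own token cache may therefore return the same rejected credential, and nothing in the doc comments tells a plugin author or maintainer about this. I would add a line to the comment above `refreshCredsLocked`, e.g. `// The plugin is not told why it is invoked: a refresh after a 401 looks the same as a first call.` The comment `// The list of API versions we accept.` could likewise say that a config still naming v1alpha1 is rejected; the lookup that consumes `apiVersions` is outside these hunks, so confirm it returns a clear error. The bodies of `RoundTrip` and `refreshCredsLocked` continue outside the hunks shown.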


@@ -115,7 +115,7 @@ func TestCacheKey(t *testing.T) {
{Name: "5", Value: "6"},
{Name: "7", Value: "8"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
ProvideClusterInfo: true,
}
c1c := &clientauthentication.Cluster{
@@ -141,7 +141,7 @@ func TestCacheKey(t *testing.T) {
{Name: "5", Value: "6"},
{Name: "7", Value: "8"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
ProvideClusterInfo: true,
}
c2c := &clientauthentication.Cluster{
@@ -166,7 +166,7 @@ func TestCacheKey(t *testing.T) {
{Name: "3", Value: "4"},
{Name: "5", Value: "6"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
}
c3c := &clientauthentication.Cluster{
Server: "foo",
@@ -190,7 +190,7 @@ func TestCacheKey(t *testing.T) {
{Name: "3", Value: "4"},
{Name: "5", Value: "6"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
}
c4c := &clientauthentication.Cluster{
Server: "foo",
@@ -215,7 +215,7 @@ func TestCacheKey(t *testing.T) {
{Name: "3", Value: "4"},
{Name: "5", Value: "6"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
ProvideClusterInfo: true,
}
c5c := &clientauthentication.Cluster{
@@ -241,7 +241,7 @@ func TestCacheKey(t *testing.T) {
{Name: "3", Value: "4"},
{Name: "5", Value: "6"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1betaa1",
}
// c7 should be the same as c6, except c7 has stdin marked as unavailable
@@ -252,7 +252,7 @@ func TestCacheKey(t *testing.T) {
{Name: "3", Value: "4"},
{Name: "5", Value: "6"},
},
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
StdinUnavailable: true,
}
@@ -313,7 +313,6 @@ func TestRefreshCreds(t *testing.T) {
cluster *clientauthentication.Cluster
output string
isTerminal bool
response *clientauthentication.Response
wantInput string
wantCreds credentials
wantExpiry time.Time
@@ -321,173 +320,21 @@ func TestRefreshCreds(t *testing.T) {
wantErrSubstr string
}{
{
name: "basic-request",
name: "beta-with-TLS-credentials",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"status": {
"token": "foo-bar"
}
}`,
wantCreds: credentials{token: "foo-bar"},
},
{
name: "interactive",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
isTerminal: true,
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"apiVersion":"client.authentication.k8s.io/v1beta1",
"spec": {
"interactive": true
"interactive": false
}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"status": {
"token": "foo-bar"
}
}`,
wantCreds: credentials{token: "foo-bar"},
},
{
name: "response",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
response: &clientauthentication.Response{
Header: map[string][]string{
"WWW-Authenticate": {`Basic realm="Access to the staging site", charset="UTF-8"`},
},
Code: 401,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {
"response": {
"header": {
"WWW-Authenticate": [
"Basic realm=\"Access to the staging site\", charset=\"UTF-8\""
]
},
"code": 401
}
}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"status": {
"token": "foo-bar"
}
}`,
wantCreds: credentials{token: "foo-bar"},
},
{
name: "expiry",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"status": {
"token": "foo-bar",
"expirationTimestamp": "2006-01-02T15:04:05Z"
}
}`,
wantExpiry: time.Date(2006, 01, 02, 15, 04, 05, 0, time.UTC),
wantCreds: credentials{token: "foo-bar"},
},
{
name: "no-group-version",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"status": {
"token": "foo-bar"
}
}`,
wantErr: true,
},
{
name: "no-status",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1"
}`,
wantErr: true,
},
{
name: "no-creds",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"status": {}
}`,
wantErr: true,
},
{
name: "TLS credentials",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: fmt.Sprintf(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"clientKeyData": %q,
"clientCertificateData": %q
@@ -496,19 +343,14 @@ func TestRefreshCreds(t *testing.T) {
wantCreds: credentials{cert: validCert},
},
{
name: "bad TLS credentials",
name: "beta-with-bad-TLS-credentials",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"clientKeyData": "foo",
"clientCertificateData": "bar"
@@ -517,19 +359,14 @@ func TestRefreshCreds(t *testing.T) {
wantErr: true,
},
{
name: "cert but no key",
name: "beta-cert-but-no-key",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {}
}`,
output: fmt.Sprintf(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"clientCertificateData": %q
}
@@ -834,55 +671,6 @@ func TestRefreshCreds(t *testing.T) {
wantErr: true,
wantErrSubstr: "73",
},
{
name: "alpha-with-cluster-is-ignored",
config: api.ExecConfig{
APIVersion: "client.authentication.k8s.io/v1alpha1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
},
cluster: &clientauthentication.Cluster{
Server: "foo",
TLSServerName: "bar",
CertificateAuthorityData: []byte("baz"),
Config: &runtime.Unknown{
TypeMeta: runtime.TypeMeta{
APIVersion: "",
Kind: "",
},
Raw: []byte(`{"apiVersion":"group/v1","kind":"PluginConfig","spec":{"audience":"panda"}}`),
ContentEncoding: "",
ContentType: "application/json",
},
},
response: &clientauthentication.Response{
Header: map[string][]string{
"WWW-Authenticate": {`Basic realm="Access to the staging site", charset="UTF-8"`},
},
Code: 401,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1alpha1",
"spec": {
"response": {
"header": {
"WWW-Authenticate": [
"Basic realm=\"Access to the staging site\", charset=\"UTF-8\""
]
},
"code": 401
}
}
}`,
output: `{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"status": {
"token": "foo-bar"
}
}`,
wantCreds: credentials{token: "foo-bar"},
},
{
name: "beta-with-cluster-and-provide-cluster-info-is-serialized",
config: api.ExecConfig{
@@ -904,12 +692,6 @@ func TestRefreshCreds(t *testing.T) {
ContentType: "application/json",
},
},
response: &clientauthentication.Response{
Header: map[string][]string{
"WWW-Authenticate": {`Basic realm="Access to the staging site", charset="UTF-8"`},
},
Code: 401,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1beta1",
@@ -958,12 +740,6 @@ func TestRefreshCreds(t *testing.T) {
ContentType: "application/json",
},
},
response: &clientauthentication.Response{
Header: map[string][]string{
"WWW-Authenticate": {`Basic realm="Access to the staging site", charset="UTF-8"`},
},
Code: 401,
},
wantInput: `{
"kind":"ExecCredential",
"apiVersion":"client.authentication.k8s.io/v1beta1",
@@ -1037,7 +813,7 @@ func TestRefreshCreds(t *testing.T) {
a.stderr = stderr
a.environ = func() []string { return nil }
if err := a.refreshCredsLocked(test.response); err != nil {
if err := a.refreshCredsLocked(); err != nil {
if !test.wantErr {
t.Errorf("get token %v", err)
} else if !strings.Contains(err.Error(), test.wantErrSubstr) {
@@ -1103,7 +879,7 @@ func TestRoundTripper(t *testing.T) {
c := api.ExecConfig{
Command: "./testdata/test-plugin.sh",
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
}
a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, &c, nil)
@@ -1136,7 +912,7 @@ func TestRoundTripper(t *testing.T) {
setOutput(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"token": "token1"
}
@@ -1146,7 +922,7 @@ func TestRoundTripper(t *testing.T) {
setOutput(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"token": "token2"
}
@@ -1162,7 +938,7 @@ func TestRoundTripper(t *testing.T) {
setOutput(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"token": "token3",
"expirationTimestamp": "` + now().Add(time.Hour).Format(time.RFC3339Nano) + `"
@@ -1177,7 +953,7 @@ func TestRoundTripper(t *testing.T) {
n = n.Add(time.Hour * 2)
setOutput(`{
"kind": "ExecCredential",
"apiVersion": "client.authentication.k8s.io/v1alpha1",
"apiVersion": "client.authentication.k8s.io/v1beta1",
"status": {
"token": "token4",
"expirationTimestamp": "` + now().Add(time.Hour).Format(time.RFC3339Nano) + `"
@@ -1218,7 +994,7 @@ func TestAuthorizationHeaderPresentCancelsExecAction(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, &api.ExecConfig{
Command: "./testdata/test-plugin.sh",
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
}, nil)
if err != nil {
t.Fatal(err)
@@ -1260,7 +1036,7 @@ func TestTLSCredentials(t *testing.T) {
a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, &api.ExecConfig{
Command: "./testdata/test-plugin.sh",
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InteractiveMode: api.IfAvailableExecInteractiveMode,
}, nil)
if err != nil {
@@ -1350,7 +1126,7 @@ func TestConcurrentUpdateTransportConfig(t *testing.T) {
c := api.ExecConfig{
Command: "./testdata/test-plugin.sh",
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
}
a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, &c, nil)
if err != nil {
@@ -1416,7 +1192,7 @@ func TestInstallHintRateLimit(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
c := api.ExecConfig{
Command: "does not exist",
APIVersion: "client.authentication.k8s.io/v1alpha1",
APIVersion: "client.authentication.k8s.io/v1beta1",
InstallHint: "some install hint",
InteractiveMode: api.IfAvailableExecInteractiveMode,
}
@@ -1433,7 +1209,7 @@ func TestInstallHintRateLimit(t *testing.T) {
count := 0
for i := 0; i < test.calls; i++ {
err := a.refreshCredsLocked(&clientauthentication.Response{})
err := a.refreshCredsLocked()
if strings.Contains(err.Error(), c.InstallHint) {
count++
}
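Review bot: In the `@@ -241,7 +241,7 @@` hunk of `TestCacheKey` the new value is misspelled as `"client.authentication.k8s.io/v1betaa1"`, while every other fixture in this function was changed to `v1beta1`. The comment directly below says c7 should be the same as c6 except for stdin being unavailable, and the misspelled struct appears to be c6. If so, the two configs now also differ in `APIVersion`, and an inequality check between their cache keys (outside the hunk) can pass without `StdinUnavailable` contributing to the key at all. The line should read `APIVersion: "client.authentication.k8s.io/v1beta1",`.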


@@ -23,7 +23,6 @@ import (
"time"
"github.com/google/go-cmp/cmp"
"k8s.io/client-go/pkg/apis/clientauthentication"
"k8s.io/client-go/tools/clientcmd/api"
"k8s.io/client-go/tools/metrics"
)
@@ -153,7 +152,7 @@ func TestCallsMetric(t *testing.T) {
// Run refresh creds twice so that our test validates that the metrics are set correctly twice
// in a row with the same authenticator.
refreshCreds := func() {
if err := a.refreshCredsLocked(&clientauthentication.Response{}); (err == nil) != (exitCode == 0) {
if err := a.refreshCredsLocked(); (err == nil) != (exitCode == 0) {
if err != nil {
t.Fatalf("wanted no error, but got %q", err.Error())
} else {
@@ -183,7 +182,7 @@ func TestCallsMetric(t *testing.T) {
t.Fatal(err)
}
a.stderr = io.Discard
if err := a.refreshCredsLocked(&clientauthentication.Response{}); err == nil {
if err := a.refreshCredsLocked(); err == nil {
t.Fatal("expected the authenticator to fail because the plugin does not exist")
}
wantCallsMetrics = append(wantCallsMetrics, mockCallsMetric{exitCode: 1, errorType: "plugin_not_found_error"})