exec credential provider: InteractiveMode support

The value here is that the exec plugin author can use the kubeconfig to assert how standard input is treated with respect to the exec plugin, e.g., - an exec plugin author can ensure that kubectl fails if it cannot provide standard input to an exec plugin that needs it (Always) - an exec plugin author can ensure that an client-go process will still call an exec plugin that prefers standard input even if standard input is not available (IfAvailable) Signed-off-by: Andrew Keesler <akeesler@vmware.com> Kubernetes-commit: cd83d89ac94c5b61fdd38840098e7223e5af0d34
2025-09-03 16:16:06 +00:00 · 2021-06-14 17:15:36 -04:00
parent 1bccfc8c60
commit 37ed584bed
19 changed files with 659 additions and 83 deletions
--- a/tools/clientcmd/validation_test.go
+++ b/tools/clientcmd/validation_test.go
@@ -377,6 +377,7 @@ func TestValidateAuthInfoExec(t *testing.T) {
 			Env: []clientcmdapi.ExecEnvVar{
 				{Name: "foo", Value: "bar"},
 			},
+			InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		},
 	}
 	test := configValidationTest{
@@ -391,7 +392,8 @@ func TestValidateAuthInfoExecNoVersion(t *testing.T) {
 	config := clientcmdapi.NewConfig()
 	config.AuthInfos["user"] = &clientcmdapi.AuthInfo{
 		Exec: &clientcmdapi.ExecConfig{
-			Command: "/bin/example",
+			Command:         "/bin/example",
+			InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		},
 	}
 	test := configValidationTest{
@@ -409,7 +411,8 @@ func TestValidateAuthInfoExecNoCommand(t *testing.T) {
 	config := clientcmdapi.NewConfig()
 	config.AuthInfos["user"] = &clientcmdapi.AuthInfo{
 		Exec: &clientcmdapi.ExecConfig{
-			APIVersion: "clientauthentication.k8s.io/v1alpha1",
+			APIVersion:      "clientauthentication.k8s.io/v1alpha1",
+			InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		},
 	}
 	test := configValidationTest{
@@ -430,8 +433,9 @@ func TestValidateAuthInfoExecWithAuthProvider(t *testing.T) {
 			Name: "oidc",
 		},
 		Exec: &clientcmdapi.ExecConfig{
-			Command:    "/bin/example",
-			APIVersion: "clientauthentication.k8s.io/v1alpha1",
+			Command:         "/bin/example",
+			APIVersion:      "clientauthentication.k8s.io/v1alpha1",
+			InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		},
 	}
 	test := configValidationTest{
@@ -454,6 +458,7 @@ func TestValidateAuthInfoExecNoEnv(t *testing.T) {
 			Env: []clientcmdapi.ExecEnvVar{
 				{Name: "foo", Value: ""},
 			},
+			InteractiveMode: clientcmdapi.IfAvailableExecInteractiveMode,
 		},
 	}
 	test := configValidationTest{
@@ -464,6 +469,45 @@ func TestValidateAuthInfoExecNoEnv(t *testing.T) {
 	test.testConfig(t)
 }

+func TestValidateAuthInfoExecInteractiveModeMissing(t *testing.T) {
+	config := clientcmdapi.NewConfig()
+	config.AuthInfos["user"] = &clientcmdapi.AuthInfo{
+		Exec: &clientcmdapi.ExecConfig{
+			Command:    "/bin/example",
+			APIVersion: "clientauthentication.k8s.io/v1alpha1",
+		},
+	}
+	test := configValidationTest{
+		config: config,
+		expectedErrorSubstring: []string{
+			"interactiveMode must be specified for user to use exec authentication plugin",
+		},
+	}
+
+	test.testAuthInfo("user", t)
+	test.testConfig(t)
+}
+
+func TestValidateAuthInfoExecInteractiveModeInvalid(t *testing.T) {
+	config := clientcmdapi.NewConfig()
+	config.AuthInfos["user"] = &clientcmdapi.AuthInfo{
+		Exec: &clientcmdapi.ExecConfig{
+			Command:         "/bin/example",
+			APIVersion:      "clientauthentication.k8s.io/v1alpha1",
+			InteractiveMode: "invalid",
+		},
+	}
+	test := configValidationTest{
+		config: config,
+		expectedErrorSubstring: []string{
+			`invalid interactiveMode for user: "invalid"`,
+		},
+	}
+
+	test.testAuthInfo("user", t)
+	test.testConfig(t)
+}
+
 type configValidationTest struct {
 	config                 *clientcmdapi.Config
 	expectedErrorSubstring []string