exec credential provider: wire in cluster info

Signed-off-by: Monis Khan <mok@vmware.com> Kubernetes-commit: f97422c8bd57692f5a1a3aa6dc6abc31051ebc82
2025-09-16 15:18:24 +00:00 · 2020-05-06 01:01:09 -04:00
parent e84213f91f
commit 9e147f192f
9 changed files with 430 additions and 59 deletions
--- a/rest/config.go
+++ b/rest/config.go
@@ -87,7 +87,7 @@ type Config struct {
 	AuthConfigPersister AuthProviderConfigPersister

 	// Exec-based authentication provider.
-	ExecProvider *clientcmdapi.ExecConfig
+	Exec Exec

 	// TLSClientConfig contains settings to enable transport layer security
 	TLSClientConfig
@@ -160,6 +160,15 @@ func (sanitizedAuthConfigPersister) String() string {
 	return "rest.AuthProviderConfigPersister(--- REDACTED ---)"
 }

+type sanitizedObject struct{ runtime.Object }
+
+func (sanitizedObject) GoString() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+func (sanitizedObject) String() string {
+	return "runtime.Object(--- REDACTED ---)"
+}
+
 // GoString implements fmt.GoStringer and sanitizes sensitive fields of Config
 // to prevent accidental leaking via logs.
 func (c *Config) GoString() string {
@@ -183,10 +192,40 @@ func (c *Config) String() string {
 	if cc.AuthConfigPersister != nil {
 		cc.AuthConfigPersister = sanitizedAuthConfigPersister{cc.AuthConfigPersister}
 	}
-
+	if cc.Exec.Config != nil {
+		cc.Exec.Config = sanitizedObject{Object: cc.Exec.Config}
+	}
 	return fmt.Sprintf("%#v", cc)
 }

+// Exec plugin authentication provider.
+type Exec struct {
+	// ExecProvider provides the config needed to execute the exec plugin.
+	ExecProvider *clientcmdapi.ExecConfig
+
+	// Config holds additional config data that is specific to the exec
+	// plugin with regards to the cluster being authenticated to.
+	//
+	// This data is sourced from the clientcmd Cluster object's extensions[exec] field:
+	//
+	// clusters:
+	// - name: my-cluster
+	//   cluster:
+	//     ...
+	//     extensions:
+	//     - name: exec  # reserved extension name for per cluster exec config
+	//       extension:
+	//         audience: 06e3fbd18de8  # arbitrary config
+	//
+	// In some environments, the user config may be exactly the same across many clusters
+	// (i.e. call this exec plugin) minus some details that are specific to each cluster
+	// such as the audience.  This field allows the per cluster config to be directly
+	// specified with the cluster info.  Using this field to store secret data is not
+	// recommended as one of the prime benefits of exec plugins is that no secrets need
+	// to be stored directly in the kubeconfig.
+	Config runtime.Object
+}
+
 // ImpersonationConfig has all the available impersonation options
 type ImpersonationConfig struct {
 	// UserName is the username to impersonate on each request.
@@ -603,7 +642,10 @@ func CopyConfig(config *Config) *Config {
 		},
 		AuthProvider:        config.AuthProvider,
 		AuthConfigPersister: config.AuthConfigPersister,
-		ExecProvider:        config.ExecProvider,
+		Exec: Exec{
+			ExecProvider: config.Exec.ExecProvider,
+			Config:       config.Exec.Config,
+		},
 		TLSClientConfig: TLSClientConfig{
 			Insecure:   config.TLSClientConfig.Insecure,
 			ServerName: config.TLSClientConfig.ServerName,