exec credential provider: ProvideClusterInfo and kubeconfig shadow

- The main idea here is that we want to 1) prevent potentially large CA
  bundles from being set in an exec plugin's environment and 2) ensure
  that the exec plugin is getting everything it needs in order to talk to
  a cluster.
- Avoid breaking existing manual declarations of rest.Config instances by
  moving exec Cluster to kubeconfig internal type.
- Use client.authentication.k8s.io/exec to qualify exec cluster extension.
- Deep copy the exec Cluster.Config when we copy a rest.Config.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

Kubernetes-commit: c4299d15d5289768808034676858e76a177eeae5

pkg/apis/clientauthentication/types.go

@@ -23,7 +23,7 @@ import (
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// ExecCredentials is used by exec-based plugins to communicate credentials to
+// ExecCredential is used by exec-based plugins to communicate credentials to
 // HTTP transports.
 type ExecCredential struct {
 	metav1.TypeMeta
@@ -38,7 +38,7 @@ type ExecCredential struct {
 	Status *ExecCredentialStatus
 }
 
-// ExecCredenitalSpec holds request and runtime specific information provided by
+// ExecCredentialSpec holds request and runtime specific information provided by
 // the transport.
 type ExecCredentialSpec struct {
 	// Response is populated when the transport encounters HTTP status codes, such as 401,
@@ -51,9 +51,12 @@ type ExecCredentialSpec struct {
 	// +optional
 	Interactive bool
 
-	// Cluster contains information to allow an exec plugin to communicate
-	// with the kubernetes cluster being authenticated to.
-	Cluster Cluster
+	// Cluster contains information to allow an exec plugin to communicate with the
+	// kubernetes cluster being authenticated to. Note that Cluster is non-nil only
+	// when provideClusterInfo is set to true in the exec provider config (i.e.,
+	// ExecConfig.ProvideClusterInfo).
+	// +optional
+	Cluster *Cluster
 }
 
 // ExecCredentialStatus holds credentials for the transport to use.
@@ -83,19 +86,32 @@ type Response struct {
 
 // Cluster contains information to allow an exec plugin to communicate
 // with the kubernetes cluster being authenticated to.
+//
+// To ensure that this struct contains everything someone would need to communicate
+// with a kubernetes cluster (just like they would via a kubeconfig), the fields
+// should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception
+// of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
 type Cluster struct {
 	// Server is the address of the kubernetes cluster (https://hostname:port).
 	Server string
-	// ServerName is passed to the server for SNI and is used in the client to check server
-	// certificates against. If ServerName is empty, the hostname used to contact the
-	// server is used.
+	// TLSServerName is passed to the server for SNI and is used in the client to
+	// check server certificates against. If ServerName is empty, the hostname
+	// used to contact the server is used.
 	// +optional
-	ServerName string
+	TLSServerName string
+	// InsecureSkipTLSVerify skips the validity check for the server's certificate.
+	// This will make your HTTPS connections insecure.
+	// +optional
+	InsecureSkipTLSVerify bool
 	// CAData contains PEM-encoded certificate authority certificates.
 	// If empty, system roots should be used.
 	// +listType=atomic
 	// +optional
-	CAData []byte
+	CertificateAuthorityData []byte
+	// ProxyURL is the URL to the proxy to be used for all requests to this
+	// cluster.
+	// +optional
+	ProxyURL string
 	// Config holds additional config data that is specific to the exec
 	// plugin with regards to the cluster being authenticated to.
 	//
@@ -106,7 +122,7 @@ type Cluster struct {
 	//   cluster:
 	//     ...
 	//     extensions:
-	//     - name: exec  # reserved extension name for per cluster exec config
+	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
 	//       extension:
 	//         audience: 06e3fbd18de8  # arbitrary config
 	//

pkg/apis/clientauthentication/v1alpha1/conversion.go

@@ -22,5 +22,6 @@ import (
 )
 
 func Convert_clientauthentication_ExecCredentialSpec_To_v1alpha1_ExecCredentialSpec(in *clientauthentication.ExecCredentialSpec, out *ExecCredentialSpec, s conversion.Scope) error {
+	// This conversion intentionally omits the Cluster field which is only supported in newer versions.
 	return autoConvert_clientauthentication_ExecCredentialSpec_To_v1alpha1_ExecCredentialSpec(in, out, s)
 }

pkg/apis/clientauthentication/v1alpha1/types.go

@@ -37,7 +37,7 @@ type ExecCredential struct {
 	Status *ExecCredentialStatus `json:"status,omitempty"`
 }
 
-// ExecCredenitalSpec holds request and runtime specific information provided by
+// ExecCredentialSpec holds request and runtime specific information provided by
 // the transport.
 type ExecCredentialSpec struct {
 	// Response is populated when the transport encounters HTTP status codes, such as 401,

pkg/apis/clientauthentication/v1beta1/conversion.go

@@ -22,5 +22,7 @@ import (
 )
 
 func Convert_clientauthentication_ExecCredentialSpec_To_v1beta1_ExecCredentialSpec(in *clientauthentication.ExecCredentialSpec, out *ExecCredentialSpec, s conversion.Scope) error {
+	// This conversion intentionally omits the Response and Interactive fields, which were only
+	// supported in v1alpha1.
 	return autoConvert_clientauthentication_ExecCredentialSpec_To_v1beta1_ExecCredentialSpec(in, out, s)
 }

pkg/apis/clientauthentication/v1beta1/types.go

@@ -40,9 +40,12 @@ type ExecCredential struct {
 // ExecCredentialSpec holds request and runtime specific information provided by
 // the transport.
 type ExecCredentialSpec struct {
-	// Cluster contains information to allow an exec plugin to communicate
-	// with the kubernetes cluster being authenticated to.
-	Cluster Cluster `json:"cluster"`
+	// Cluster contains information to allow an exec plugin to communicate with the
+	// kubernetes cluster being authenticated to. Note that Cluster is non-nil only
+	// when provideClusterInfo is set to true in the exec provider config (i.e.,
+	// ExecConfig.ProvideClusterInfo).
+	// +optional
+	Cluster *Cluster `json:"cluster,omitempty"`
 }
 
 // ExecCredentialStatus holds credentials for the transport to use.
@@ -64,19 +67,32 @@ type ExecCredentialStatus struct {
 
 // Cluster contains information to allow an exec plugin to communicate
 // with the kubernetes cluster being authenticated to.
+//
+// To ensure that this struct contains everything someone would need to communicate
+// with a kubernetes cluster (just like they would via a kubeconfig), the fields
+// should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception
+// of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
 type Cluster struct {
 	// Server is the address of the kubernetes cluster (https://hostname:port).
 	Server string `json:"server"`
-	// ServerName is passed to the server for SNI and is used in the client to check server
-	// certificates against. If ServerName is empty, the hostname used to contact the
-	// server is used.
+	// TLSServerName is passed to the server for SNI and is used in the client to
+	// check server certificates against. If ServerName is empty, the hostname
+	// used to contact the server is used.
 	// +optional
-	ServerName string `json:"serverName,omitempty"`
+	TLSServerName string `json:"tls-server-name,omitempty"`
+	// InsecureSkipTLSVerify skips the validity check for the server's certificate.
+	// This will make your HTTPS connections insecure.
+	// +optional
+	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
 	// CAData contains PEM-encoded certificate authority certificates.
 	// If empty, system roots should be used.
 	// +listType=atomic
 	// +optional
-	CAData []byte `json:"caData,omitempty"`
+	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
+	// ProxyURL is the URL to the proxy to be used for all requests to this
+	// cluster.
+	// +optional
+	ProxyURL string `json:"proxy-url,omitempty"`
 	// Config holds additional config data that is specific to the exec
 	// plugin with regards to the cluster being authenticated to.
 	//
@@ -87,7 +103,7 @@ type Cluster struct {
 	//   cluster:
 	//     ...
 	//     extensions:
-	//     - name: exec  # reserved extension name for per cluster exec config
+	//     - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
 	//       extension:
 	//         audience: 06e3fbd18de8  # arbitrary config
 	//

pkg/apis/clientauthentication/v1beta1/zz_generated.conversion.go

@@ -81,8 +81,10 @@ func RegisterConversions(s *runtime.Scheme) error {
 
 func autoConvert_v1beta1_Cluster_To_clientauthentication_Cluster(in *Cluster, out *clientauthentication.Cluster, s conversion.Scope) error {
 	out.Server = in.Server
-	out.ServerName = in.ServerName
-	out.CAData = *(*[]byte)(unsafe.Pointer(&in.CAData))
+	out.TLSServerName = in.TLSServerName
+	out.InsecureSkipTLSVerify = in.InsecureSkipTLSVerify
+	out.CertificateAuthorityData = *(*[]byte)(unsafe.Pointer(&in.CertificateAuthorityData))
+	out.ProxyURL = in.ProxyURL
 	if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.Config, &out.Config, s); err != nil {
 		return err
 	}
@@ -96,8 +98,10 @@ func Convert_v1beta1_Cluster_To_clientauthentication_Cluster(in *Cluster, out *c
 
 func autoConvert_clientauthentication_Cluster_To_v1beta1_Cluster(in *clientauthentication.Cluster, out *Cluster, s conversion.Scope) error {
 	out.Server = in.Server
-	out.ServerName = in.ServerName
-	out.CAData = *(*[]byte)(unsafe.Pointer(&in.CAData))
+	out.TLSServerName = in.TLSServerName
+	out.InsecureSkipTLSVerify = in.InsecureSkipTLSVerify
+	out.CertificateAuthorityData = *(*[]byte)(unsafe.Pointer(&in.CertificateAuthorityData))
+	out.ProxyURL = in.ProxyURL
 	if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.Config, &out.Config, s); err != nil {
 		return err
 	}
@@ -136,8 +140,14 @@ func Convert_clientauthentication_ExecCredential_To_v1beta1_ExecCredential(in *c
 }
 
 func autoConvert_v1beta1_ExecCredentialSpec_To_clientauthentication_ExecCredentialSpec(in *ExecCredentialSpec, out *clientauthentication.ExecCredentialSpec, s conversion.Scope) error {
-	if err := Convert_v1beta1_Cluster_To_clientauthentication_Cluster(&in.Cluster, &out.Cluster, s); err != nil {
-		return err
+	if in.Cluster != nil {
+		in, out := &in.Cluster, &out.Cluster
+		*out = new(clientauthentication.Cluster)
+		if err := Convert_v1beta1_Cluster_To_clientauthentication_Cluster(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Cluster = nil
 	}
 	return nil
 }
@@ -150,8 +160,14 @@ func Convert_v1beta1_ExecCredentialSpec_To_clientauthentication_ExecCredentialSp
 func autoConvert_clientauthentication_ExecCredentialSpec_To_v1beta1_ExecCredentialSpec(in *clientauthentication.ExecCredentialSpec, out *ExecCredentialSpec, s conversion.Scope) error {
 	// WARNING: in.Response requires manual conversion: does not exist in peer-type
 	// WARNING: in.Interactive requires manual conversion: does not exist in peer-type
-	if err := Convert_clientauthentication_Cluster_To_v1beta1_Cluster(&in.Cluster, &out.Cluster, s); err != nil {
-		return err
+	if in.Cluster != nil {
+		in, out := &in.Cluster, &out.Cluster
+		*out = new(Cluster)
+		if err := Convert_clientauthentication_Cluster_To_v1beta1_Cluster(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Cluster = nil
 	}
 	return nil
 }

pkg/apis/clientauthentication/v1beta1/zz_generated.deepcopy.go

@@ -27,8 +27,8 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Cluster) DeepCopyInto(out *Cluster) {
 	*out = *in
-	if in.CAData != nil {
-		in, out := &in.CAData, &out.CAData
+	if in.CertificateAuthorityData != nil {
+		in, out := &in.CertificateAuthorityData, &out.CertificateAuthorityData
 		*out = make([]byte, len(*in))
 		copy(*out, *in)
 	}
@@ -80,7 +80,11 @@ func (in *ExecCredential) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExecCredentialSpec) DeepCopyInto(out *ExecCredentialSpec) {
 	*out = *in
-	in.Cluster.DeepCopyInto(&out.Cluster)
+	if in.Cluster != nil {
+		in, out := &in.Cluster, &out.Cluster
+		*out = new(Cluster)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 

pkg/apis/clientauthentication/zz_generated.deepcopy.go

@@ -27,8 +27,8 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Cluster) DeepCopyInto(out *Cluster) {
 	*out = *in
-	if in.CAData != nil {
-		in, out := &in.CAData, &out.CAData
+	if in.CertificateAuthorityData != nil {
+		in, out := &in.CertificateAuthorityData, &out.CertificateAuthorityData
 		*out = make([]byte, len(*in))
 		copy(*out, *in)
 	}
@@ -87,7 +87,11 @@ func (in *ExecCredentialSpec) DeepCopyInto(out *ExecCredentialSpec) {
 		*out = new(Response)
 		(*in).DeepCopyInto(*out)
 	}
-	in.Cluster.DeepCopyInto(&out.Cluster)
+	if in.Cluster != nil {
+		in, out := &in.Cluster, &out.Cluster
+		*out = new(Cluster)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }