Let .kubeconfig populate ca/cert/key data, and basic-auth username/password in client configs

2026-01-05 23:47:50 +00:00 · 2015-02-17 21:37:43 -05:00
parent 413e1dba7e
commit abb38cf793
13 changed files with 589 additions and 57 deletions
--- a/pkg/kubectl/cmd/config/create_authinfo.go
+++ b/pkg/kubectl/cmd/config/create_authinfo.go
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"

 	"github.com/spf13/cobra"

@@ -35,20 +36,35 @@ type createAuthInfoOptions struct {
 	clientCertificate util.StringFlag
 	clientKey         util.StringFlag
 	token             util.StringFlag
+	username          util.StringFlag
+	password          util.StringFlag
 }

 func NewCmdConfigSetAuthInfo(out io.Writer, pathOptions *pathOptions) *cobra.Command {
 	options := &createAuthInfoOptions{pathOptions: pathOptions}

 	cmd := &cobra.Command{
-		Use:   fmt.Sprintf("set-credentials name [--%v=path/to/auth/file] [--%v=path/to/certficate/file] [--%v=path/to/key/file] [--%v=bearer_token_string]", clientcmd.FlagAuthPath, clientcmd.FlagCertFile, clientcmd.FlagKeyFile, clientcmd.FlagBearerToken),
+		Use:   fmt.Sprintf("set-credentials name [--%v=authfile] [--%v=certfile] [--%v=keyfile] [--%v=bearer_token] [--%v=basic_user] [--%v=basic_password]", clientcmd.FlagAuthPath, clientcmd.FlagCertFile, clientcmd.FlagKeyFile, clientcmd.FlagBearerToken, clientcmd.FlagUsername, clientcmd.FlagPassword),
 		Short: "Sets a user entry in .kubeconfig",
-		Long: `Sets a user entry in .kubeconfig
-	Specifying a name that already exists will merge new fields on top of existing values for those fields.
-	e.g. 
-		kubectl config set-credentials cluster-admin --client-key=~/.kube/cluster-admin/.kubecfg.key
-		only sets the client-key field on the cluster-admin user entry without touching other values.
-		`,
+		Long: fmt.Sprintf(`Sets a user entry in .kubeconfig
+
+  Specifying a name that already exists will merge new fields on top of existing
+  values. For example, the following only sets the "client-key" field on the 
+  "cluster-admin" entry, without touching other values:
+
+    set-credentials cluster-admin --client-key=~/.kube/admin.key
+
+  Client-certificate flags:
+    --%v=certfile --%v=keyfile
+
+  Bearer token flags:
+    --%v=bearer_token
+
+  Basic auth flags:
+    --%v=basic_user --%v=basic_password
+
+  Bearer token and basic auth are mutually exclusive.
+`, clientcmd.FlagCertFile, clientcmd.FlagKeyFile, clientcmd.FlagBearerToken, clientcmd.FlagUsername, clientcmd.FlagPassword),
 		Run: func(cmd *cobra.Command, args []string) {
 			if !options.complete(cmd) {
 				return
@@ -56,7 +72,7 @@ func NewCmdConfigSetAuthInfo(out io.Writer, pathOptions *pathOptions) *cobra.Com

 			err := options.run()
 			if err != nil {
-				fmt.Printf("%v\n", err)
+				fmt.Fprintf(out, "%v\n", err)
 			}
 		},
 	}
@@ -65,6 +81,8 @@ func NewCmdConfigSetAuthInfo(out io.Writer, pathOptions *pathOptions) *cobra.Com
 	cmd.Flags().Var(&options.clientCertificate, clientcmd.FlagCertFile, clientcmd.FlagCertFile+" for the user entry in .kubeconfig")
 	cmd.Flags().Var(&options.clientKey, clientcmd.FlagKeyFile, clientcmd.FlagKeyFile+" for the user entry in .kubeconfig")
 	cmd.Flags().Var(&options.token, clientcmd.FlagBearerToken, clientcmd.FlagBearerToken+" for the user entry in .kubeconfig")
+	cmd.Flags().Var(&options.username, clientcmd.FlagUsername, clientcmd.FlagUsername+" for the user entry in .kubeconfig")
+	cmd.Flags().Var(&options.password, clientcmd.FlagPassword, clientcmd.FlagPassword+" for the user entry in .kubeconfig")

 	return cmd
 }
@@ -95,17 +113,48 @@ func (o createAuthInfoOptions) run() error {
 func (o *createAuthInfoOptions) modifyAuthInfo(existingAuthInfo clientcmdapi.AuthInfo) clientcmdapi.AuthInfo {
 	modifiedAuthInfo := existingAuthInfo

+	var setToken, setBasic bool
+
 	if o.authPath.Provided() {
 		modifiedAuthInfo.AuthPath = o.authPath.Value()
 	}
+
 	if o.clientCertificate.Provided() {
 		modifiedAuthInfo.ClientCertificate = o.clientCertificate.Value()
+		if len(modifiedAuthInfo.ClientCertificate) > 0 {
+			modifiedAuthInfo.ClientCertificateData = nil
+		}
 	}
 	if o.clientKey.Provided() {
 		modifiedAuthInfo.ClientKey = o.clientKey.Value()
+		if len(modifiedAuthInfo.ClientKey) > 0 {
+			modifiedAuthInfo.ClientKeyData = nil
+		}
 	}
+
 	if o.token.Provided() {
 		modifiedAuthInfo.Token = o.token.Value()
+		setToken = len(modifiedAuthInfo.Token) > 0
+	}
+
+	if o.username.Provided() {
+		modifiedAuthInfo.Username = o.username.Value()
+		setBasic = setBasic || len(modifiedAuthInfo.Username) > 0
+	}
+	if o.password.Provided() {
+		modifiedAuthInfo.Password = o.password.Value()
+		setBasic = setBasic || len(modifiedAuthInfo.Password) > 0
+	}
+
+	// If any auth info was set, make sure any other existing auth types are cleared
+	if setToken || setBasic {
+		if !setToken {
+			modifiedAuthInfo.Token = ""
+		}
+		if !setBasic {
+			modifiedAuthInfo.Username = ""
+			modifiedAuthInfo.Password = ""
+		}
 	}

 	return modifiedAuthInfo
@@ -126,6 +175,16 @@ func (o createAuthInfoOptions) validate() error {
 	if len(o.name) == 0 {
 		return errors.New("You must specify a non-empty user name")
 	}
+	methods := []string{}
+	if len(o.token.Value()) > 0 {
+		methods = append(methods, fmt.Sprintf("--%v", clientcmd.FlagBearerToken))
+	}
+	if len(o.username.Value()) > 0 || len(o.password.Value()) > 0 {
+		methods = append(methods, fmt.Sprintf("--%v/--%v", clientcmd.FlagUsername, clientcmd.FlagPassword))
+	}
+	if len(methods) > 1 {
+		return fmt.Errorf("You cannot specify more than one authentication method at the same time: %v", strings.Join(methods, ", "))
+	}

 	return nil
 }