Support kube config user exec for EKS #161
…aws, refactored the send adapter mixin + HTTPClient tests a bit
… now all implemented inside the send adapter
…- not sure how other exec commands return their token..
This is very rudimentary, but should be easy to refactor to support more ways of
It doesn't look like it would take too much more work to make this support the full credential plugin spec for tokens?
Yes, I imagine so, but I didn't look up the spec when I built this. I'm perfectly willing to take a look at the spec and see if I can make this a bit more generic and cleaner. Could you point me in the right direction to find it? :-)
…ntication plugin providing a bearer token according to the spec: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins -- will add more unit tests to assert exception handling is as expected.
I made this a bit more generic and hopefully easier to extend. I tried not to make too many opinionated changes to the codebase, that means the auth plugin exec code lives in @brosner could you take a look and give me some feedback? I'd be happy to reorganize/refactor to fit your overall design for the project :-)
Is there a plan to merge and release this soon?
I'm about to move to EKS for our clusters, any feedback which can help get this feature merged? @brosner ? :-)
What?
This PR adds support for executing client-go credential plugins as defined in the `user.exec` section of a local kubernetes config. This implementation only supports the retrieval of a bearer token, not the PEM-encoded client certificate and key used with TLS auth. See: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins for more details.

Why?
The "Getting Started" EKS guide on Amazon suggests using the heptio aws authenticator as a client credential plugin. Unless another authentication method is configured, that would leave pykube unable to work with EKS clusters.
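
The token flow described above, as an added example that is not code from this PR or from pykube: it runs a `user.exec` plugin without a shell, applies a timeout, validates the returned `ExecCredential` and keeps the token out of error messages. The names `fetch_exec_token`, `parse_exec_credential` and `ExecCredentialError` are hypothetical, and the plugin is a constructed stand-in that prints a fake credential.

```python
import json
import os
import subprocess
import sys

class ExecCredentialError(Exception):
    """Raised when the plugin fails or returns an unusable ExecCredential."""

def parse_exec_credential(stdout, expected_api_version):
    """Validate the plugin's JSON output and return the bearer token."""
    try:
        cred = json.loads(stdout)
    except ValueError as exc:
        raise ExecCredentialError("plugin output is not valid JSON") from exc
    if not isinstance(cred, dict) or cred.get("kind") != "ExecCredential":
        raise ExecCredentialError("unexpected kind in plugin output")
    if cred.get("apiVersion") != expected_api_version:
        raise ExecCredentialError("apiVersion differs from the kubeconfig")
    token = (cred.get("status") or {}).get("token")
    if not isinstance(token, str) or not token:
        raise ExecCredentialError("no bearer token in status")
    return token

def fetch_exec_token(exec_conf, timeout=30):
    """Run the user.exec plugin as an argv list (no shell); return its token."""
    argv = [exec_conf["command"]] + list(exec_conf.get("args") or [])
    env = dict(os.environ)
    for item in exec_conf.get("env") or []:
        env[item["name"]] = item["value"]
    try:
        proc = subprocess.run(argv, env=env, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, timeout=timeout, check=True)
    except (OSError, subprocess.SubprocessError) as exc:
        # Report only the failure type: captured output may hold a credential.
        raise ExecCredentialError("plugin failed: " + type(exc).__name__) from exc
    return parse_exec_credential(proc.stdout, exec_conf["apiVersion"])

# Constructed sample: a stand-in plugin that prints a fake ExecCredential.
_FAKE_PLUGIN = ('import json; print(json.dumps({"kind": "ExecCredential", '
                '"apiVersion": "client.authentication.k8s.io/v1alpha1", '
                '"status": {"token": "constructed-sample-token"}}))')
SAMPLE_EXEC = {
    "apiVersion": "client.authentication.k8s.io/v1alpha1",
    "command": sys.executable, "args": ["-c", _FAKE_PLUGIN],
    "env": [{"name": "AWS_PROFILE", "value": "example"}],
}

if __name__ == "__main__":
    token = fetch_exec_token(SAMPLE_EXEC)
    print("Authorization: Bearer <%d chars, not logged>" % len(token))
```
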