feat(k8s): add exec-credentials

jtherin · jtherin · commit 85d35eab8405 · 2024-08-22T13:58:18.000+02:00
diff --git a/internal/namespaces/k8s/v1/custom.go b/internal/namespaces/k8s/v1/custom.go
@@ -15,6 +15,7 @@ import (
 func GetCommands() *core.Commands {
 	cmds := GetGeneratedCommands()
 	cmds.Merge(core.NewCommands(
+		k8sExecCredentialCommand(),
 		k8sKubeconfigCommand(),
 		k8sKubeconfigGetCommand(),
 		k8sKubeconfigInstallCommand(),
diff --git a/internal/namespaces/k8s/v1/custom_execcredentials.go b/internal/namespaces/k8s/v1/custom_execcredentials.go
@@ -0,0 +1,87 @@
+package k8s
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	"github.com/scaleway/scaleway-cli/v2/internal/core"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/scaleway-sdk-go/validation"
+)
+
+func k8sExecCredentialCommand() *core.Command {
+	return &core.Command{
+		Hidden:    true,
+		Short:     `exec-credential is a kubectl plugin to communicate credentials to HTTP transports.`,
+		Namespace: "k8s",
+		Resource:  "exec-credential",
+		ArgsType:  reflect.TypeOf(struct{}{}),
+		ArgSpecs:  core.ArgSpecs{},
+		Run:       k8sExecCredentialRun,
+	}
+}
+
+func k8sExecCredentialRun(ctx context.Context, argsI interface{}) (i interface{}, e error) {
+	config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
+	profileName := core.ExtractProfileName(ctx)
+
+	var token string
+	switch {
+	// Environment variable check
+	case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
+		token = core.ExtractEnv(ctx, scw.ScwSecretKeyEnv)
+	// There is no config file
+	case config == nil:
+		return nil, fmt.Errorf("config not provided")
+	// Config file with profile name
+	case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
+		token = *config.Profiles[profileName].SecretKey
+	// Default config
+	case config.Profile.SecretKey != nil:
+		token = *config.Profile.SecretKey
+	default:
+		return nil, fmt.Errorf("unable to find secret key")
+	}
+
+	if !validation.IsSecretKey(token) {
+		return nil, fmt.Errorf("invalid secret key format '%s', expected a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", token)
+	}
+
+	execCreds := ExecCredential{
+		APIVersion: "client.authentication.k8s.io/v1",
+		Kind:       "ExecCredential",
+		Status: &ExecCredentialStatus{
+			Token: token,
+		},
+	}
+	response, err := json.MarshalIndent(execCreds, "", "    ")
+	if err != nil {
+		return nil, err
+	}
+
+	return string(response), nil
+}
+
+// ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports.
+type ExecCredential struct {
+	// APIVersion defines the versioned schema of this representation of an object.
+	// Servers should convert recognized schemas to the latest internal value, and
+	// may reject unrecognized values.
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind is a string value representing the REST resource this object represents.
+	// Servers may infer this from the endpoint the client submits requests to.
+	Kind string `json:"kind,omitempty"`
+
+	// Status is filled in by the plugin and holds the credentials that the transport
+	// should use to contact the API.
+	Status *ExecCredentialStatus `json:"status,omitempty"`
+}
+
+// ExecCredentialStatus holds credentials for the transport to use.
+type ExecCredentialStatus struct {
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+}
diff --git a/internal/namespaces/k8s/v1/custom_execcredentials_test.go b/internal/namespaces/k8s/v1/custom_execcredentials_test.go
@@ -0,0 +1,131 @@
+package k8s
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"github.com/scaleway/scaleway-cli/v2/internal/core"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+)
+
+func Test_ExecCredential(t *testing.T) {
+	// expect to return default secret_key
+	t.Run("simple", core.Test(&core.TestConfig{
+		Commands:   GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+		),
+	}))
+
+	// expect to return 66666666-6666-6666-6666-666666666666
+	t.Run("with scw_secret_key env", core.Test(&core.TestConfig{
+		Commands:   GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwSecretKeyEnv: "66666666-6666-6666-6666-666666666666",
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+		),
+	}))
+
+	// expect to return p2 secret_key
+	t.Run("with profile env", core.Test(&core.TestConfig{
+		Commands:   GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwActiveProfileEnv: "p2",
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+		),
+	}))
+
+	// expect to return p3 secret_key
+	t.Run("with profile flag", core.Test(&core.TestConfig{
+		Commands:   GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw --profile p3 k8s exec-credential",
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+		),
+	}))
+
+	// expect to return p3 secret_key
+	t.Run("with profile env and flag", core.Test(&core.TestConfig{
+		Commands:   GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw --profile p3 k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwActiveProfileEnv: "p2",
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+		),
+	}))
+}
+
+func beforeFuncCreateConfigFile(c *scw.Config) core.BeforeFunc {
+	return func(ctx *core.BeforeFuncCtx) error {
+		homeDir := ctx.OverrideEnv["HOME"]
+		scwDir := path.Join(homeDir, ".config", "scw")
+		err := os.MkdirAll(scwDir, 0755)
+		if err != nil {
+			return err
+		}
+
+		return c.SaveTo(path.Join(scwDir, "config.yaml"))
+	}
+}
+
+func beforeFuncCreateFullConfig() core.BeforeFunc {
+	return beforeFuncCreateConfigFile(&scw.Config{
+		Profile: scw.Profile{
+			AccessKey:             scw.StringPtr("SCWXXXXXXXXXXXXXXXXX"),
+			SecretKey:             scw.StringPtr("00000000-0000-0000-0000-111111111111"),
+			APIURL:                scw.StringPtr("https://mock-api-url.com"),
+			Insecure:              scw.BoolPtr(true),
+			DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+			DefaultRegion:         scw.StringPtr("fr-par"),
+			DefaultZone:           scw.StringPtr("fr-par-1"),
+			SendTelemetry:         scw.BoolPtr(true),
+		},
+		Profiles: map[string]*scw.Profile{
+			"p2": {
+				AccessKey:             scw.StringPtr("SCWP2XXXXXXXXXXXXXXX"),
+				SecretKey:             scw.StringPtr("00000000-0000-0000-0000-222222222222"),
+				APIURL:                scw.StringPtr("https://p2-mock-api-url.com"),
+				Insecure:              scw.BoolPtr(true),
+				DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultRegion:         scw.StringPtr("fr-par"),
+				DefaultZone:           scw.StringPtr("fr-par-1"),
+				SendTelemetry:         scw.BoolPtr(true),
+			},
+			"p3": {
+				AccessKey:             scw.StringPtr("SCWP3XXXXXXXXXXXXXXX"),
+				SecretKey:             scw.StringPtr("00000000-0000-0000-0000-333333333333"),
+				APIURL:                scw.StringPtr("https://p3-mock-api-url.com"),
+				Insecure:              scw.BoolPtr(true),
+				DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultRegion:         scw.StringPtr("fr-par"),
+				DefaultZone:           scw.StringPtr("fr-par-1"),
+				SendTelemetry:         scw.BoolPtr(true),
+			},
+		},
+	})
+}
