Adds flag to enable options around in cluster configuration

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/options/client.go

@@ -0,0 +1,63 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package options
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+)
+
+const (
+	flagInClusterConfig = "in-cluster-config"
+)
+
+type ClientExtraOptions struct {
+	InClusterConfig bool
+	*genericclioptions.ConfigFlags
+}
+
+func NewClientExtraFlags() *ClientExtraOptions {
+	return &ClientExtraOptions{
+		InClusterConfig: false,
+		ConfigFlags:     genericclioptions.NewConfigFlags(true),
+	}
+}
+
+func (c *ClientExtraOptions) AddFlags(flags *pflag.FlagSet) {
+	flags.BoolVar(&c.InClusterConfig, flagInClusterConfig, c.InClusterConfig, "Use in-cluster configuration to authenticate and connect to a Kubernetes API server")
+	c.ConfigFlags.AddFlags(flags)
+}
+
+func (c *ClientExtraOptions) Validate(cmd *cobra.Command) error {
+	clientFCh := c.clientFlagsChanged(cmd)
+
+	if clientFCh && c.InClusterConfig {
+		return fmt.Errorf("if --%s is enabled, no other client flag options my be specified", flagInClusterConfig)
+	}
+
+	if !clientFCh && !c.InClusterConfig {
+		return errors.New("no client flag options specified")
+	}
+
+	return nil
+}
+
+func (c *ClientExtraOptions) clientFlagsChanged(cmd *cobra.Command) bool {
+	for _, f := range clientOptionFlags() {
+		if ff := cmd.Flag(f); ff != nil && ff.Changed {
+			return true
+		}
+	}
+
+	return false
+}
+
+func clientOptionFlags() []string {
+	return []string{"certificate-authority", "client-certificate", "client-key", "cluster",
+		"context", "insecure-skip-tls-verify", "kubeconfig", "namespace",
+		"request-timeout", "server", "token", "user",
+	}
+}

cmd/options/client_test.go

@@ -0,0 +1,70 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package options
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/spf13/cobra"
+)
+
+func TestClientExtraOptionsValidate(t *testing.T) {
+
+	type testT struct {
+		input    []string
+		expError error
+	}
+
+	for name, test := range map[string]testT{
+		"if no flags are provided, should error": {
+			input:    []string{},
+			expError: errors.New("no client flag options specified"),
+		},
+
+		"if only client flags provided then pass": {
+			input:    []string{"--server=foo", "--kubeconfig=bla"},
+			expError: nil,
+		},
+
+		"if only in cluster config provided then pass": {
+			input:    []string{"--in-cluster-config"},
+			expError: nil,
+		},
+
+		"if only in cluster config provided but set to false and other client flags added then pass": {
+			input:    []string{"--in-cluster-config=false", "--context=foo", "--namespace=bla"},
+			expError: nil,
+		},
+
+		"if both in cluster config and other client flags provided then error": {
+			input: []string{"--in-cluster-config",
+				"--client-certificate=foo", "--client-key=bla"},
+			expError: errors.New("if --in-cluster-config is enabled, no other client flag options my be specified"),
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			c := NewClientExtraFlags()
+			cmd := new(cobra.Command)
+			c.AddFlags(cmd.Flags())
+
+			if err := cmd.ParseFlags(test.input); err != nil {
+				t.Error(err)
+				t.FailNow()
+			}
+
+			err := c.Validate(cmd)
+
+			if test.expError == nil {
+				if err != nil {
+					t.Errorf("expected error to be nil, got=%s", err)
+				}
+
+			} else {
+				if err == nil || test.expError.Error() != err.Error() {
+					t.Errorf("unexpected error, exp=%s got=%s",
+						test.expError, err)
+				}
+			}
+		})
+	}
+}

cmd/run.go

@@ -14,7 +14,6 @@ import (
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/term"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
-	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/rest"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/cli/globalflag"
@@ -47,7 +46,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 
 	kopOptions := new(options.KubeOIDCProxyOptions)
 
-	clientConfigFlags := genericclioptions.NewConfigFlags(true)
+	clientConfigOptions := options.NewClientExtraFlags()
 
 	healthCheck := probe.New(strconv.Itoa(readinessProbePort))
 
@@ -56,6 +55,8 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 		Use:  "kube-oidc-proxy",
 		Long: "kube-oidc-proxy is a reverse proxy to authenticate users to Kubernetes API servers with Open ID Connect Authentication.",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			var err error
+
 			if cmd.Flag("version").Value.String() == "true" {
 				version.PrintVersionAndExit()
 			}
@@ -64,16 +65,26 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return err
 			}
 
+			if err := clientConfigOptions.Validate(cmd); err != nil {
+				return err
+			}
+
 			if ssoptionsWithLB.SecureServingOptions.BindPort == readinessProbePort {
 				return errors.New("unable to securely serve on port 8080, used by readiness prob")
 			}
 
-			// client rest config
-			restConfig, err := rest.InClusterConfig()
-			if err != nil {
+			var restConfig *rest.Config
+			if clientConfigOptions.InClusterConfig {
+				// In cluster config
+				restConfig, err = rest.InClusterConfig()
+				if err != nil {
+					return err
+				}
+
+			} else {
 
-				// fall back to cli flags if in cluster fails
-				restConfig, err = clientConfigFlags.ToRESTConfig()
+				// CLI flags if in cluster fails
+				restConfig, err = clientConfigOptions.ToRESTConfig()
 				if err != nil {
 					return err
 				}
@@ -147,10 +158,10 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 
 	ssoptionsWithLB.AddFlags(namedFlagSets.FlagSet("secure serving"))
 
-	clientConfigFlags.CacheDir = nil
-	clientConfigFlags.Impersonate = nil
-	clientConfigFlags.ImpersonateGroup = nil
-	clientConfigFlags.AddFlags(namedFlagSets.FlagSet("client"))
+	clientConfigOptions.CacheDir = nil
+	clientConfigOptions.Impersonate = nil
+	clientConfigOptions.ImpersonateGroup = nil
+	clientConfigOptions.AddFlags(namedFlagSets.FlagSet("client"))
 
 	globalflag.AddGlobalFlags(namedFlagSets.FlagSet("misc"), cmd.Name())
 	namedFlagSets.FlagSet("misc").Bool("version",

demo/manifests/components/kube-oidc-proxy.jsonnet

@@ -111,6 +111,7 @@ local READINESS_PORT = 8080;
               command: [
                 'kube-oidc-proxy',
                 '--secure-port=' + $.config.secureServing.port,
+                '--in-cluster-config',
                 '--tls-cert-file=' + $.config.secureServing.tlsCertFile,
                 '--tls-private-key-file=' + $.config.secureServing.tlsKeyFile,
                 '--oidc-groups-prefix=' + $.config.oidc.groupsPrefix,

demo/yaml/kube-oidc-proxy.yaml

@@ -43,6 +43,7 @@ spec:
         command: ["kube-oidc-proxy"]
         args:
           - "--secure-port=443"
+          - "--in-cluster-config"
           - "--tls-cert-file=/etc/oidc/tls/crt.pem"
           - "--tls-private-key-file=/etc/oidc/tls/key.pem"
           - "--oidc-client-id=$(OIDC_CLIENT_ID)"

deploy/charts/kube-oidc-proxy/templates/deployment.yaml

@@ -35,6 +35,7 @@ spec:
           periodSeconds: 10
         command: ["kube-oidc-proxy"]
         args:
+          - "--in-cluster-config"
           - "--secure-port=443"
           - "--tls-cert-file=/etc/oidc/tls/crt.pem"
           - "--tls-private-key-file=/etc/oidc/tls/key.pem"