Handle environment variables.

jglick · jglick · commit a4163e252326 · 2019-03-04T16:12:34.000-05:00
diff --git a/util/src/main/java/io/kubernetes/client/util/KubeConfig.java b/util/src/main/java/io/kubernetes/client/util/KubeConfig.java
@@ -249,6 +249,7 @@ public String getAccessToken() {
    *     href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins">
    *     Authenticating » client-go credential plugins</a>
    */
+  @SuppressWarnings("unchecked")
   private String tokenViaExecCredential(Map<String, Object> execMap) {
     if (execMap == null) {
       return null;
@@ -260,8 +261,28 @@ private String tokenViaExecCredential(Map<String, Object> execMap) {
       return null;
     }
     String command = (String) execMap.get("command");
-    List<Map<String, String>> env = (List) execMap.get("env");
-    List<String> args = (List) execMap.get("args");
+    JsonElement root = runExec(command, (List) execMap.get("args"), (List) execMap.get("env"));
+    if (root == null) {
+      return null;
+    }
+    // TODO verify .apiVersion and .kind = ExecCredential
+    JsonObject status = root.getAsJsonObject().get("status").getAsJsonObject();
+    JsonElement token = status.get("token");
+    if (token == null) {
+      // TODO handle clientCertificateData/clientKeyData
+      // (KubeconfigAuthentication is not yet set up for that to be dynamic)
+      log.warn("No token produced by {}", command);
+      return null;
+    }
+    return token.getAsString();
+    // TODO cache tokens between calls, up to .status.expirationTimestamp
+    // TODO a 401 is supposed to force a refresh,
+    // but KubeconfigAuthentication hardcodes AccessTokenAuthentication which does not support that
+    // and anyway ClientBuilder only calls Authenticator.provide once per ApiClient;
+    // we would need to do it on every request
+  }
+
+  private JsonElement runExec(String command, List<String> args, List<Map<String, String>> env) {
     // TODO relativize command to basedir of config file (requires KubeConfig to be given a basedir)
     List<String> argv = new ArrayList<>();
     argv.add(command);
@@ -270,7 +291,9 @@ private String tokenViaExecCredential(Map<String, Object> execMap) {
     }
     ProcessBuilder pb = new ProcessBuilder(argv);
     if (env != null) {
-      // TODO apply
+      for (Map<String, String> entry : env) {
+        pb.environment().put(entry.get("name"), entry.get("value"));
+      }
     }
     pb.redirectError(ProcessBuilder.Redirect.INHERIT);
     try {
@@ -288,25 +311,11 @@ private String tokenViaExecCredential(Map<String, Object> execMap) {
         log.error("{} failed with exit code {}", command, r);
         return null;
       }
-      // TODO verify .apiVersion and .kind = ExecCredential
-      JsonObject status = root.getAsJsonObject().get("status").getAsJsonObject();
-      JsonElement token = status.get("token");
-      if (token == null) {
-        // TODO handle clientCertificateData/clientKeyData
-        // (KubeconfigAuthentication is not yet set up for that to be dynamic)
-        log.warn("No token produced by {}", command);
-        return null;
-      }
-      return token.getAsString();
+      return root;
     } catch (IOException | InterruptedException x) {
       log.error("Failed to run " + command, x);
       return null;
     }
-    // TODO cache tokens between calls, up to .status.expirationTimestamp
-    // TODO a 401 is supposed to force a refresh,
-    // but KubeconfigAuthentication hardcodes AccessTokenAuthentication which does not support that
-    // and anyway ClientBuilder only calls Authenticator.provide once per ApiClient;
-    // we would need to do it on every request
   }
 
   public boolean verifySSL() {
diff --git a/util/src/test/java/io/kubernetes/client/util/KubeConfigTest.java b/util/src/test/java/io/kubernetes/client/util/KubeConfigTest.java
@@ -296,4 +296,31 @@ public void testExecCredentials() throws Exception {
     KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC));
     assertEquals("abc123", kc.getAccessToken());
   }
+
+  private static final String KUBECONFIG_EXEC_ENV =
+      "apiVersion: v1\n"
+          + "current-context: c\n"
+          + "contexts:\n"
+          + "- name: c\n"
+          + "  context:\n"
+          + "    user: u\n"
+          + "users:\n"
+          + "- name: u\n"
+          + "  user:\n"
+          + "    exec:\n"
+          + "      apiVersion: client.authentication.k8s.io/v1beta1\n"
+          + "      command: sh\n"
+          + "      env:\n"
+          + "        - name: TOK\n"
+          + "          value: abc\n"
+          + "      args:\n"
+          + "        - -c\n"
+          + "        - >-\n"
+          + "          echo '{\"apiVersion\": \"client.authentication.k8s.io/v1beta1\", \"kind\": \"ExecCredential\", \"status\": {\"token\": \"'$TOK'123\"}}'\n";
+
+  @Test
+  public void testExecCredentialsEnv() throws Exception {
+    KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC_ENV));
+    assertEquals("abc123", kc.getAccessToken());
+  }
 }
