Merge pull request kubernetes#2103 from ankeesler/exec-cred-prov-cluster-info-updates

k8s-ci-robot · web-flow · commit cabc0f12dd2a · 2020-11-03T11:50:03.000-08:00
exec credential provider: updates to KEP after cluster info PR
diff --git a/keps/sig-auth/541-external-credential-providers/README.md b/keps/sig-auth/541-external-credential-providers/README.md
@@ -158,7 +158,7 @@ users:
 
       # Whether or not to provide cluster information, which could potentially contain
       # very large CA data, to this exec plugin as a part of the KUBERNETES_EXEC_INFO
-      # environment variable.
+      # environment variable. Optional. Defaults to false.
       provideClusterInfo: true
 clusters:
 - name: my-cluster
@@ -209,7 +209,8 @@ type ExecConfig struct {
   // ProvideClusterInfo determines whether or not to provide cluster information,
   // which could potentially contain very large CA data, to this exec plugin as a
   // part of the KUBERNETES_EXEC_INFO environment variable. By default, it is set
-  // to false.
+  // to false. Package k8s.io/client-go/tools/auth/exec provides helper methods for
+  // reading this environment variable.
   ProvideClusterInfo bool `json:"provideClusterInfo"`
 }
 ```
@@ -243,8 +244,10 @@ In JSON:
   "spec": {
     "cluster": {
       "server": "https://1.2.3.4:8080",
-      "serverName": "bar",
-      "caData": " ... ",
+      "tls-server-name": "bar",
+      "insecure-skip-tls-verify": true,
+      "certificate-authority-data": " ... ",
+      "proxy-url": "https://4.5.6.7:9090/proxy",
       "config": { ... }
     }
   }
@@ -310,7 +313,8 @@ type Cluster struct {
   // Config holds additional config data that is specific to the exec
   // plugin with regards to the cluster being authenticated to.
   //
-  // This data is sourced from the clientcmd Cluster object's extensions[exec] field:
+  // This data is sourced from the clientcmd Cluster object's
+  // extensions[client.authentication.k8s.io/exec] field:
   //
   // clusters:
   // - name: my-cluster
@@ -426,6 +430,9 @@ func LoadExecCredentialFromEnv() (runtime.Object, *rest.Config, error)
 //
 // If the provided data is successfully unmarshalled, but it does not contain cluster information
 // (i.e., ExecCredential.Spec.Cluster == nil), then the returned rest.Config and error will be nil.
+//
+// Note that the returned rest.Config will use anonymous authentication, since the exec plugin has
+// not returned credentials for this cluster yet.
 func LoadExecCredential(data []byte) (runtime.Object, *rest.Config, error)
 ```
 
@@ -524,7 +531,7 @@ Unit tests to confirm:
   `CertificateAuthority` for reasons stated in design) so
   that structs are kept up to date
 - Helper methods properly create `"k8s.io/client-go/rest".Config` from
-  `"k8s.io/client-go/pkg/apis/clientauthentication".Cluster`
+  `"k8s.io/client-go/pkg/apis/clientauthentication".Cluster` and vice versa
 
 Integration (or e2e CLI) tests to confirm:
 
