feat(k8s): add exec-credential (#4069)

Author: jtherin

cmd/scw/testdata/test-all-usage-k8s-usage.golden

@@ -6,13 +6,13 @@ USAGE:
   scw k8s <command>
 
 AVAILABLE COMMANDS:
-  acl          Access Control List (ACL) management commands
-  cluster      Kapsule cluster management commands
-  cluster-type Cluster type management commands
-  kubeconfig   Manage your Kubernetes Kapsule cluster's kubeconfig files
-  node         Kapsule node management commands
-  pool         Kapsule pool management commands
-  version      Available Kubernetes versions commands
+  acl             Access Control List (ACL) management commands
+  cluster         Kapsule cluster management commands
+  cluster-type    Cluster type management commands
+  kubeconfig      Manage your Kubernetes Kapsule cluster's kubeconfig files
+  node            Kapsule node management commands
+  pool            Kapsule pool management commands
+  version         Available Kubernetes versions commands
 
 FLAGS:
   -h, --help   help for k8s

internal/namespaces/k8s/v1/custom.go

@@ -15,6 +15,7 @@ import (
 func GetCommands() *core.Commands {
 	cmds := GetGeneratedCommands()
 	cmds.Merge(core.NewCommands(
+		k8sExecCredentialCommand(),
 		k8sKubeconfigCommand(),
 		k8sKubeconfigGetCommand(),
 		k8sKubeconfigInstallCommand(),

internal/namespaces/k8s/v1/custom_execcredentials.go

@@ -0,0 +1,91 @@
+package k8s
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"reflect"
+
+	"github.com/scaleway/scaleway-cli/v2/internal/core"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/scaleway-sdk-go/validation"
+)
+
+func k8sExecCredentialCommand() *core.Command {
+	return &core.Command{
+		Hidden:    true,
+		Short:     `exec-credential is a kubectl plugin to communicate credentials to HTTP transports.`,
+		Namespace: "k8s",
+		Resource:  "exec-credential",
+		ArgsType:  reflect.TypeOf(struct{}{}),
+		ArgSpecs:  core.ArgSpecs{},
+		Run:       k8sExecCredentialRun,
+
+		// avoid calling checkAPIKey (Check if API Key is about to expire)
+		DisableAfterChecks: true,
+	}
+}
+
+func k8sExecCredentialRun(ctx context.Context, _ interface{}) (i interface{}, e error) {
+	config, _ := scw.LoadConfigFromPath(core.ExtractConfigPath(ctx))
+	profileName := core.ExtractProfileName(ctx)
+
+	var token string
+	switch {
+	// Environment variable check
+	case core.ExtractEnv(ctx, scw.ScwSecretKeyEnv) != "":
+		token = core.ExtractEnv(ctx, scw.ScwSecretKeyEnv)
+	// There is no config file
+	case config == nil:
+		return nil, errors.New("config not provided")
+	// Config file with profile name
+	case config.Profiles[profileName] != nil && config.Profiles[profileName].SecretKey != nil:
+		token = *config.Profiles[profileName].SecretKey
+	// Default config
+	case config.Profile.SecretKey != nil:
+		token = *config.Profile.SecretKey
+	default:
+		return nil, errors.New("unable to find secret key")
+	}
+
+	if !validation.IsSecretKey(token) {
+		return nil, fmt.Errorf("invalid secret key format '%s', expected a UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", token)
+	}
+
+	execCreds := ExecCredential{
+		APIVersion: "client.authentication.k8s.io/v1",
+		Kind:       "ExecCredential",
+		Status: &ExecCredentialStatus{
+			Token: token,
+		},
+	}
+	response, err := json.MarshalIndent(execCreds, "", "    ")
+	if err != nil {
+		return nil, err
+	}
+
+	return string(response), nil
+}
+
+// ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports.
+type ExecCredential struct {
+	// APIVersion defines the versioned schema of this representation of an object.
+	// Servers should convert recognized schemas to the latest internal value, and
+	// may reject unrecognized values.
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind is a string value representing the REST resource this object represents.
+	// Servers may infer this from the endpoint the client submits requests to.
+	Kind string `json:"kind,omitempty"`
+
+	// Status is filled in by the plugin and holds the credentials that the transport
+	// should use to contact the API.
+	Status *ExecCredentialStatus `json:"status,omitempty"`
+}
+
+// ExecCredentialStatus holds credentials for the transport to use.
+type ExecCredentialStatus struct {
+	// Token is a bearer token used by the client for request authentication.
+	Token string `json:"token,omitempty"`
+}

internal/namespaces/k8s/v1/custom_execcredentials_test.go

@@ -0,0 +1,161 @@
+package k8s_test
+
+import (
+	"encoding/json"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/scaleway/scaleway-cli/v2/internal/core"
+	"github.com/scaleway/scaleway-cli/v2/internal/namespaces/k8s/v1"
+	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	p1Secret  = "00000000-0000-0000-0000-111111111111"
+	p2Secret  = "00000000-0000-0000-0000-222222222222"
+	p3Secret  = "00000000-0000-0000-0000-333333333333"
+	envSecret = "66666666-6666-6666-6666-666666666666"
+)
+
+func Test_ExecCredential(t *testing.T) {
+	// expect to return default secret_key
+	t.Run("simple", core.Test(&core.TestConfig{
+		Commands:   k8s.GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+			assertTokenInResponse(p1Secret),
+		),
+	}))
+
+	// expect to return 66666666-6666-6666-6666-666666666666
+	t.Run("with scw_secret_key env", core.Test(&core.TestConfig{
+		Commands:   k8s.GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwSecretKeyEnv: envSecret,
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+			assertTokenInResponse(envSecret),
+		),
+	}))
+
+	// expect to return p2 secret_key
+	t.Run("with profile env", core.Test(&core.TestConfig{
+		Commands:   k8s.GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwActiveProfileEnv: "p2",
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+			assertTokenInResponse(p2Secret),
+		),
+	}))
+
+	// expect to return p3 secret_key
+	t.Run("with profile flag", core.Test(&core.TestConfig{
+		Commands:   k8s.GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw --profile p3 k8s exec-credential",
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+			assertTokenInResponse(p3Secret),
+		),
+	}))
+
+	// expect to return p3 secret_key
+	t.Run("with profile env and flag", core.Test(&core.TestConfig{
+		Commands:   k8s.GetCommands(),
+		TmpHomeDir: true,
+		BeforeFunc: beforeFuncCreateFullConfig(),
+		Cmd:        "scw --profile p3 k8s exec-credential",
+		OverrideEnv: map[string]string{
+			scw.ScwActiveProfileEnv: "p2",
+		},
+		Check: core.TestCheckCombine(
+			core.TestCheckExitCode(0),
+			core.TestCheckGolden(),
+			assertTokenInResponse(p3Secret),
+		),
+	}))
+}
+
+func beforeFuncCreateConfigFile(c *scw.Config) core.BeforeFunc {
+	return func(ctx *core.BeforeFuncCtx) error {
+		homeDir := ctx.OverrideEnv["HOME"]
+		scwDir := path.Join(homeDir, ".config", "scw")
+		err := os.MkdirAll(scwDir, 0o0755)
+		if err != nil {
+			return err
+		}
+
+		return c.SaveTo(path.Join(scwDir, "config.yaml"))
+	}
+}
+
+func beforeFuncCreateFullConfig() core.BeforeFunc {
+	return beforeFuncCreateConfigFile(&scw.Config{
+		Profile: scw.Profile{
+			AccessKey:             scw.StringPtr("SCWXXXXXXXXXXXXXXXXX"),
+			SecretKey:             scw.StringPtr(p1Secret),
+			APIURL:                scw.StringPtr("https://mock-api-url.com"),
+			Insecure:              scw.BoolPtr(true),
+			DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+			DefaultProjectID:      scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+			DefaultRegion:         scw.StringPtr("fr-par"),
+			DefaultZone:           scw.StringPtr("fr-par-1"),
+			SendTelemetry:         scw.BoolPtr(true),
+		},
+		Profiles: map[string]*scw.Profile{
+			"p2": {
+				AccessKey:             scw.StringPtr("SCWP2XXXXXXXXXXXXXXX"),
+				SecretKey:             scw.StringPtr(p2Secret),
+				APIURL:                scw.StringPtr("https://p2-mock-api-url.com"),
+				Insecure:              scw.BoolPtr(true),
+				DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultProjectID:      scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultRegion:         scw.StringPtr("fr-par"),
+				DefaultZone:           scw.StringPtr("fr-par-1"),
+				SendTelemetry:         scw.BoolPtr(true),
+			},
+			"p3": {
+				AccessKey:             scw.StringPtr("SCWP3XXXXXXXXXXXXXXX"),
+				SecretKey:             scw.StringPtr(p3Secret),
+				APIURL:                scw.StringPtr("https://p3-mock-api-url.com"),
+				Insecure:              scw.BoolPtr(true),
+				DefaultOrganizationID: scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultProjectID:      scw.StringPtr("deadbeef-dead-dead-dead-deaddeafbeef"),
+				DefaultRegion:         scw.StringPtr("fr-par"),
+				DefaultZone:           scw.StringPtr("fr-par-1"),
+				SendTelemetry:         scw.BoolPtr(true),
+			},
+		},
+	})
+}
+
+func assertTokenInResponse(expectedToken string) core.TestCheck {
+	return func(t *testing.T, ctx *core.CheckFuncCtx) {
+		res := ctx.Result.(string)
+		creds := k8s.ExecCredential{}
+		err := json.Unmarshal([]byte(res), &creds)
+		if err != nil {
+			t.Fatal(err)
+		}
+		assert.Equal(t, expectedToken, creds.Status.Token)
+	}
+}

internal/namespaces/k8s/v1/testdata/test-exec-credential-simple.golden

@@ -0,0 +1,11 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟩🟩🟩 STDOUT️ 🟩🟩🟩️
+{
+    "apiVersion": "client.authentication.k8s.io/v1",
+    "kind": "ExecCredential",
+    "status": {
+        "token": "00000000-0000-0000-0000-111111111111"
+    }
+}
+🟩🟩🟩 JSON STDOUT 🟩🟩🟩
+"{\n    \"apiVersion\": \"client.authentication.k8s.io/v1\",\n    \"kind\": \"ExecCredential\",\n    \"status\": {\n        \"token\": \"00000000-0000-0000-0000-111111111111\"\n    }\n}"

internal/namespaces/k8s/v1/testdata/test-exec-credential-with-profile-env-and-flag.golden

@@ -0,0 +1,11 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟩🟩🟩 STDOUT️ 🟩🟩🟩️
+{
+    "apiVersion": "client.authentication.k8s.io/v1",
+    "kind": "ExecCredential",
+    "status": {
+        "token": "00000000-0000-0000-0000-333333333333"
+    }
+}
+🟩🟩🟩 JSON STDOUT 🟩🟩🟩
+"{\n    \"apiVersion\": \"client.authentication.k8s.io/v1\",\n    \"kind\": \"ExecCredential\",\n    \"status\": {\n        \"token\": \"00000000-0000-0000-0000-333333333333\"\n    }\n}"

internal/namespaces/k8s/v1/testdata/test-exec-credential-with-profile-env.golden

@@ -0,0 +1,11 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟩🟩🟩 STDOUT️ 🟩🟩🟩️
+{
+    "apiVersion": "client.authentication.k8s.io/v1",
+    "kind": "ExecCredential",
+    "status": {
+        "token": "00000000-0000-0000-0000-222222222222"
+    }
+}
+🟩🟩🟩 JSON STDOUT 🟩🟩🟩
+"{\n    \"apiVersion\": \"client.authentication.k8s.io/v1\",\n    \"kind\": \"ExecCredential\",\n    \"status\": {\n        \"token\": \"00000000-0000-0000-0000-222222222222\"\n    }\n}"

internal/namespaces/k8s/v1/testdata/test-exec-credential-with-profile-flag.golden

@@ -0,0 +1,11 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟩🟩🟩 STDOUT️ 🟩🟩🟩️
+{
+    "apiVersion": "client.authentication.k8s.io/v1",
+    "kind": "ExecCredential",
+    "status": {
+        "token": "00000000-0000-0000-0000-333333333333"
+    }
+}
+🟩🟩🟩 JSON STDOUT 🟩🟩🟩
+"{\n    \"apiVersion\": \"client.authentication.k8s.io/v1\",\n    \"kind\": \"ExecCredential\",\n    \"status\": {\n        \"token\": \"00000000-0000-0000-0000-333333333333\"\n    }\n}"

internal/namespaces/k8s/v1/testdata/test-exec-credential-with-scw-secret-key-env.golden

@@ -0,0 +1,11 @@
+🎲🎲🎲 EXIT CODE: 0 🎲🎲🎲
+🟩🟩🟩 STDOUT️ 🟩🟩🟩️
+{
+    "apiVersion": "client.authentication.k8s.io/v1",
+    "kind": "ExecCredential",
+    "status": {
+        "token": "66666666-6666-6666-6666-666666666666"
+    }
+}
+🟩🟩🟩 JSON STDOUT 🟩🟩🟩
+"{\n    \"apiVersion\": \"client.authentication.k8s.io/v1\",\n    \"kind\": \"ExecCredential\",\n    \"status\": {\n        \"token\": \"66666666-6666-6666-6666-666666666666\"\n    }\n}"