#238: support client.authentication.k8s.io/v1beta1 ExecCredential #512
Conversation
…ication.k8s.io/v1beta1.
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/M
| Object exec = currentUser.get("exec"); | ||
| if (exec != null) { | ||
| // TODO extract to helper method for clarity | ||
| Map<String, Object> execMap = (Map<String, Object>) exec; |
There was a problem hiding this comment.
It's probably better to declare an actual Java object that represents the exec field rather than using generic JSON accessors, it makes the code pretty ugly.
There was a problem hiding this comment.
(I realized I'm being hypocritical given the above, so feel free to ignore this...)
There was a problem hiding this comment.
hypocritical given the above
You mean the authProviderMap code?
After years of bad experiences I have a general preference for plain old Java code over use of fancy reflection-based (de)serialization libraries, but if you have a strong preference for some particular approach (GSON?) I will follow your guidelines.
There was a problem hiding this comment.
@jglick - is the item "observed working with EKS (I could make a test cluster if necessary)" still open, and if not, could I help out with that?
There was a problem hiding this comment.
Yes it is still open. If you are using EKS, please help test this system.
| if (r == 0) { | ||
| if (root != null) { | ||
| // TODO verify .apiVersion and .kind = ExecCredential | ||
| JsonObject status = root.getAsJsonObject().get("status").getAsJsonObject(); |
There was a problem hiding this comment.
Let's create a real Java object for this response value too.
There was a problem hiding this comment.
As above, feel free to skip if you want.
|
Thanks for starting this! I have a few comments, also this needs unit tests. |
https://google.github.io/styleguide/javaguide.html#s4.4-column-limit explicitly exempts > Lines where obeying the column limit is not possible (for example, a long URL in Javadoc but evidently google-java-format does not understand this.
…h test runs here.
k8s-ci-robot
added
size/L
| Process proc = pb.start(); | ||
| JsonElement root; | ||
| try (InputStream is = proc.getInputStream(); | ||
| Reader r = new InputStreamReader(is, StandardCharsets.UTF_8)) { |
There was a problem hiding this comment.
indentation is weird here, is this really correct?
There was a problem hiding this comment.
What looks incorrect? I do not have a choice about indentation—it is whatever mvn fmt:format picks.
There was a problem hiding this comment.
ok, the 'R' aligned with the '(' looks weird to me, but if mvn:format says so, I guess it's right :P
There was a problem hiding this comment.
Yeah my preference would be to line up the I and the R.
| return null; | ||
| } | ||
| return root; | ||
| } catch (IOException | InterruptedException x) { |
There was a problem hiding this comment.
why swallow the exception here? wouldn't you rather throw?
There was a problem hiding this comment.
It is not swallowed—it is sent to the log.
As to whether it is appropriate to throw exceptions out of getAccessToken (presumably wrapped in RuntimeException?) as opposed to logging and proceeding with other authentication modes and ultimately returning null (unauthenticated), I have no strong opinion. I was following the example of existing code which proceeds despite errors (Failed to read token file for example).
On the other hand AzureActiveDirectoryAuthenticator.refresh appears to throw an undeclared exception out of getAccessToken. KubeconfigAuthentication.<init> is permitted to throw IOException so perhaps getAccessToken should as well? That would mean reworking some existing code which catches and logs exceptions, and adding IOException to the signature of Authenticator.refresh.
There was a problem hiding this comment.
ok, sounds like it's messy, let's take it as a follow-on cleanup exercise...
There was a problem hiding this comment.
Noted in PR description.
|
Looks pretty good, some minor nits. |
|
/lgtm Thanks! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: brendandburns, jglick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
brendandburns
removed
the
do-not-merge/work-in-progress
Implementation of #238 allowing
~/.kube/configto use the new generic exec credentials rather than a vendor-specific plugin or hard-coded token.Planning to do before taking out of “draft” status:
KubeConfigTestadditionOther things which I think could be left for follow-ups depending on demand:
getAccessTokenas per #238: support client.authentication.k8s.io/v1beta1 ExecCredential #512 (comment)