Add kubeconfig flags

Two new flags were added to allow users to enable the use of user.Exec and InsecureTLS in the kubeconfigs provided remote apply reconciliations. Breaking change: both functionalities are no longer enabled by default. Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
fluxcd · Mar 24, 2022 · ec9376c · ec9376c
1 parent 43b04f7
commit ec9376c
Show file tree

Hide file tree

Showing 7 changed files with 314 additions and 41 deletions.
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -78,16 +78,18 @@ import (
 // KustomizationReconciler reconciles a Kustomization object
 type KustomizationReconciler struct {
 	client.Client
-	httpClient            *retryablehttp.Client
-	requeueDependency     time.Duration
-	Scheme                *runtime.Scheme
-	EventRecorder         kuberecorder.EventRecorder
-	MetricsRecorder       *metrics.Recorder
-	StatusPoller          *polling.StatusPoller
-	ControllerName        string
-	statusManager         string
-	NoCrossNamespaceRefs  bool
-	DefaultServiceAccount string
+	httpClient             *retryablehttp.Client
+	requeueDependency      time.Duration
+	Scheme                 *runtime.Scheme
+	EventRecorder          kuberecorder.EventRecorder
+	MetricsRecorder        *metrics.Recorder
+	StatusPoller           *polling.StatusPoller
+	ControllerName         string
+	statusManager          string
+	NoCrossNamespaceRefs   bool
+	DefaultServiceAccount  string
+	InsecureKubeconfigExec bool
+	InsecureKubeconfigTLS  bool
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -343,7 +345,7 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// setup the Kubernetes client for impersonation
-	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.InsecureKubeconfigExec, r.InsecureKubeconfigTLS)
 	kubeClient, statusPoller, err := impersonation.GetClient(ctx)
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
@@ -926,7 +928,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
 		kustomization.Status.Inventory.Entries != nil {
 		objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
-		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.InsecureKubeconfigExec, r.InsecureKubeconfigTLS)
 		if impersonation.CanFinalize(ctx) {
 			kubeClient, _, err := impersonation.GetClient(ctx)
 			if err != nil {

diff --git a/controllers/kustomization_impersonation.go b/controllers/kustomization_impersonation.go
@@ -31,27 +31,34 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	"github.com/fluxcd/kustomize-controller/internal/kubeconfig"
 )
 
 // KustomizeImpersonation holds the state for impersonating a service account.
 type KustomizeImpersonation struct {
 	client.Client
-	kustomization         kustomizev1.Kustomization
-	statusPoller          *polling.StatusPoller
-	defaultServiceAccount string
+	kustomization          kustomizev1.Kustomization
+	statusPoller           *polling.StatusPoller
+	defaultServiceAccount  string
+	insecureKubeconfigExec bool
+	insecureKubeconfigTLS  bool
 }
 
 // NewKustomizeImpersonation creates a new KustomizeImpersonation.
 func NewKustomizeImpersonation(
 	kustomization kustomizev1.Kustomization,
 	kubeClient client.Client,
 	statusPoller *polling.StatusPoller,
-	defaultServiceAccount string) *KustomizeImpersonation {
+	defaultServiceAccount string,
+	insecureKubeconfigExec bool,
+	insecureKubeconfigTLS bool) *KustomizeImpersonation {
 	return &KustomizeImpersonation{
-		defaultServiceAccount: defaultServiceAccount,
-		kustomization:         kustomization,
-		statusPoller:          statusPoller,
-		Client:                kubeClient,
+		defaultServiceAccount:  defaultServiceAccount,
+		kustomization:          kustomization,
+		statusPoller:           statusPoller,
+		Client:                 kubeClient,
+		insecureKubeconfigExec: insecureKubeconfigExec,
+		insecureKubeconfigTLS:  insecureKubeconfigTLS,
 	}
 }
 
@@ -141,6 +148,11 @@ func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (clie
 	if err != nil {
 		return nil, nil, err
 	}
+	restConfig = kubeconfig.Sanitise(restConfig, kubeconfig.KubeconfigOptions{
+		InsecureExecProvider: ki.insecureKubeconfigExec,
+		InsecureTLS:          ki.insecureKubeconfigTLS,
+	})
+
 	ki.setImpersonationConfig(restConfig)
 
 	restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)

diff --git a/go.mod b/go.mod
@@ -27,6 +27,7 @@ require (
 	github.com/onsi/gomega v1.18.1
 	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/spf13/pflag v1.0.5
+	github.com/stretchr/testify v1.7.1
 	go.mozilla.org/sops/v3 v3.7.2
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	google.golang.org/grpc v1.45.0
@@ -159,7 +160,6 @@ require (
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/cobra v1.3.0 // indirect
-	github.com/stretchr/testify v1.7.1 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
 	go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a // indirect
 	go.opencensus.io v0.23.0 // indirect