Attempt to implement exec-plugins support in kubeconfig

[dovreshef]

Hi

This is my attempt to implement exec plugin support.
I've only tested this using Python3 with EKS.
I'm also only supporting token authentication for now, since it was not clear to me how to support anything else.
I'm willing to do the necessary changes to get it to merge, but I might need help.

Thanks,

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[codecov-io]

Codecov Report

Merging #75 into master will decrease coverage by 0.21%.
The diff coverage is 90%.

@@            Coverage Diff             @@
##           master      #75      +/-   ##
==========================================
- Coverage   91.85%   91.63%   -0.22%     
==========================================
  Files          11       13       +2     
  Lines         994     1124     +130     
==========================================
+ Hits          913     1030     +117     
- Misses         81       94      +13

Impacted Files	Coverage Δ
config/kube_config_test.py	93.64% <100%> (+0.13%)	⬆️
config/kube_config.py	83.77% <75%> (-0.5%)	⬇️
config/exec_provider.py	82.6% <82.6%> (ø)
config/exec_provider_test.py	98.36% <98.36%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c9b3113...becae56. Read the comment docs.

[dovreshef]

@roycaihw What is the process to get this reviewed and (hopefully) accepted?

[ltamaster]

I tested this PR and worked, any plan to merge it?
Thanks
Luis

[cliffpracht]

This is working for me as well. 👍
@mbohlool @yliaog @roycaihw
Anything we can do to make this better? or merged in?
Thanks!

[anneschuth]

I'd love to see this merged too.

[yliaog]

thanks for the pr. has this been tested with python 2.7.12?

[cliffpracht]

I have tested this with 2.7.15.

[yliaog]

s/2016/2018/ for all copyright notices?

[dovreshef]

Changed.

[yliaog]

s/v1alpha1/v1beta1/ for all the tests? the feature is v1beta1 is 1.11

[dovreshef]

Changed.

[yliaog]

why is it hard coded to True?

[dovreshef]

I have changed it to be the same as the process's stdout (using sys.stdout.isatty()), which is what was done here https://github.com/kubernetes/kubernetes/blob/7b6647a418c660f2c87f183f706b297f1cb573ca/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go#L128 (I think).
But I'm still not clear whether or not I should detect interactive stdin as well. Also, if it is interactive, what else am I supposed to do.

[yliaog]

could you list explicitly what is implemented (v1beta1, right?) as listed in the proposal (https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md), or better, what is left out.

AFAICT, TLS cert, caching are not implemented.

what about refreshing? what to do when token expires?

[dovreshef]

TLS cert, caching are indeed not implemented.

TLS cert

I did not implement it.
My reading of the proposal language
TLS client certificate support is orthogonal to bearer tokens, but something that we should consider supporting in the future.
lead me to think it is not implemented in the go client as well.

caching

I can try to add caching by basing it on the way it is implemented for the other auth methods, taking into account the expiry field.
But there is a problem. Right now aws-iam-authenticator does not return anexpiry field, even though the returned token is only valid for a short period (15 minutes IIRC).
The proposal on the other hand specifies:
Plugins can indicate their credentials explicit expiry using the Expiry field on the returned ExecCredentials object, otherwise credentials will be cached throughout the lifetime of a program.

I can check the return value if it is 401 and in that case re-execute the plugin, which is what the proposal also recommends. But I do not understand the code well enough for that.
Can you point me where in the code would it be best to hook up such a mechanism?

what about refreshing? what to do when token expires?

Right now I do not cache the token at all. So since the plugin always executes, the token received is always fresh.

[yliaog]

since this is a highly desired feature, and it is orthogonal to the other auth methods. I think it is safe to merge with some missing features. people who need those features can implement them on top of this later.

so could you please add some comments about what features are missing, and probably a link
to the design (https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md). then I think we can merge it. Thanks.

[dovreshef]

Added. Hope it's ok.

[anneschuth]

How far from getting this merged are we? Is there anything I can do to help this go through faster?

[yliaog]

I don't think it's far. I put in some comments, as soon as those are addressed, we can merge it.

[macat]

@dovreshef Do you need help fixing @yliaog's comments? Thanks for building this BTW.

[dovreshef]

@macat I'd be glad for help. I'll not be able to get to this before Monday.

[gitfool]

👍

[dovreshef]

Hi all. I have updated the PR.

I'm sorry about the delay, real life intervened.

Edit: Also, I don't know what This pull-request has been approved by: dovreshef above means, I did not approve it, merely updated it.

[gitfool]

No worries. I’m using a monkey patch with this change to tide me over. 😉

[yliaog]

i think it's better to catch all the exceptions and return None in case there is any exception, just to give a chance to other auth methods. that is the general pattern used by other load...() methods.

[dovreshef]

Ok.
Then there is no reason throw any exception at all in exec_provider.py?
In that case how should I inform the user if the exec process return an error, or missing exec config, etc?

[yliaog]

it's still good to have exceptions from exec_provider.py, then in kube_config.py, when it catches the exception, it could log it, and proceed.

[dovreshef]

Done. I have used logging.error since it seems to me to be more of an error than a warning. Since it implies an incorrect exec config / result.

[yliaog]

thanks for the PR.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dovreshef, yliaog

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yliaog]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[anneschuth]

thanks a lot!

[timoreimann]

For posterity: this one fixes kubernetes-client/python#514