From 27b9c9bf7b1f49b3c0377de948ed1e7498ed0adf Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 31 Mar 2022 11:57:26 +0100
Subject: [PATCH] Add flags to control kubeconfig support

Two new flags were added to allow users to enable the use of user.Exec and InsecureTLS in the kubeconfigs provided remote apply reconciliations.

Breaking change: both functionalities are no longer enabled by default.

Signed-off-by: Paulo Gomes
---
 controllers/helmrelease_controller.go | 4 +++-
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/kube/client.go | 13 ++++++++++++-
 main.go | 3 +++
 5 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/controllers/helmrelease_controller.go b/controllers/helmrelease_controller.go
index 72f9cc641..c6804dcaa 100644
--- a/controllers/helmrelease_controller.go
+++ b/controllers/helmrelease_controller.go
@@ -51,6 +51,7 @@ import (
 apiacl "github.com/fluxcd/pkg/apis/acl"
 "github.com/fluxcd/pkg/apis/meta"
 "github.com/fluxcd/pkg/runtime/acl"
+ fluxClient "github.com/fluxcd/pkg/runtime/client"
 "github.com/fluxcd/pkg/runtime/events"
 "github.com/fluxcd/pkg/runtime/metrics"
 "github.com/fluxcd/pkg/runtime/predicates"
@@ -81,6 +82,7 @@ type HelmReleaseReconciler struct {
 MetricsRecorder *metrics.Recorder
 DefaultServiceAccount string
 NoCrossNamespaceRef bool
+ KubeConfigOpts fluxClient.KubeConfigOptions
 }

 func (r *HelmReleaseReconciler) SetupWithManager(mgr ctrl.Manager, opts HelmReleaseReconcilerOptions) error {
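Review bot: The new exported field `KubeConfigOpts` on HelmReleaseReconciler has no comment, although its zero value is now security-relevant: going by the commit description, a reconciler built without setting it will not honour exec auth or insecure TLS in a remote kubeconfig. A comment such as `// KubeConfigOpts controls which kubeconfig features (exec credential plugins, insecure TLS) are honoured for remote clusters; the zero value allows neither.` would tell anyone constructing the struct in tests or another entry point what leaving it unset means. The struct definition begins above this hunk.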
@@ -503,7 +505,7 @@ func (r *HelmReleaseReconciler) getRESTClientGetter(ctx context.Context, hr v2.H
 if len(kubeConfig) == 0 {
 return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key", secretName)
 }
- return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst), nil
+ return kube.NewMemoryRESTClientGetter(kubeConfig, hr.GetReleaseNamespace(), impersonateAccount, r.Config.QPS, r.Config.Burst, r.KubeConfigOpts), nil
 }

 if r.DefaultServiceAccount != "" || hr.Spec.ServiceAccountName != "" {
diff --git a/go.mod b/go.mod
index dfced7d2a..bdb1abe4c 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/fluxcd/pkg/apis/acl v0.0.3
 github.com/fluxcd/pkg/apis/kustomize v0.3.2
 github.com/fluxcd/pkg/apis/meta v0.12.1
- github.com/fluxcd/pkg/runtime v0.13.2
+ github.com/fluxcd/pkg/runtime v0.13.3
 github.com/fluxcd/source-controller/api v0.22.3
 github.com/go-logr/logr v1.2.3
 github.com/hashicorp/go-retryablehttp v0.7.0
diff --git a/go.sum b/go.sum
index 20b101efa..66a77d5ed 100644
--- a/go.sum
+++ b/go.sum
@@ -317,8 +317,8 @@ github.com/fluxcd/pkg/apis/kustomize v0.3.2 h1:ULoAwOOekHf5cy6mYIwL+K6v8/cfcNVVb github.com/fluxcd/pkg/apis/kustomize v0.3.2/go.mod h1:p8iAH5TeqMBnnxkkpCNNDvWYfKlNRx89a6WKOo+hJHA= github.com/fluxcd/pkg/apis/meta v0.12.1 h1:m5PfKAqbqWBvGp9+JRj1sv+xNkGsHwUVf+3rJ8wm6SE= github.com/fluxcd/pkg/apis/meta v0.12.1/go.mod h1:f8YVt70/KAhqzZ7xxhjvqyzKubOYx2pAbakb/FfCEg8= -github.com/fluxcd/pkg/runtime v0.13.2 h1:6jkQQUbp17WxHsbozlJFCvHmOS4JIB+yB20CdCd8duE= -github.com/fluxcd/pkg/runtime v0.13.2/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0= +github.com/fluxcd/pkg/runtime v0.13.3 h1:k0Xun+RoEC/F6iuAPTA6rQb+I4B4oecBx6pOcodX11A= +github.com/fluxcd/pkg/runtime v0.13.3/go.mod h1:dzWNKqFzFXeittbpFcJzR3cdC9CWlbzw+pNOgaVvF/0= github.com/fluxcd/source-controller/api v0.22.3 h1:HnpSnCtIytwSGSz2qu+GJwyZRmD5UXZL5oOQapiQOtk= github.com/fluxcd/source-controller/api v0.22.3/go.mod h1:Vb13q9Pq+1IW/sJUZn/RSb7IU5WT86Er6uCFPCFm9L4= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
diff --git a/internal/kube/client.go b/internal/kube/client.go
index 39a9a3494..6434dee03 100644
--- a/internal/kube/client.go
+++ b/internal/kube/client.go
@@ -24,6 +24,8 @@ import (
 "k8s.io/client-go/rest"
 "k8s.io/client-go/restmapper"
 "k8s.io/client-go/tools/clientcmd"
+
+ fluxClient "github.com/fluxcd/pkg/runtime/client"
 )

 func NewInClusterRESTClientGetter(cfg *rest.Config, namespace string) genericclioptions.RESTClientGetter {
@@ -49,15 +51,23 @@ type MemoryRESTClientGetter struct {
 impersonateAccount string
 qps float32
 burst int
+ kubeConfigOpts fluxClient.KubeConfigOptions
 }

-func NewMemoryRESTClientGetter(kubeConfig []byte, namespace string, impersonateAccount string, qps float32, burst int) genericclioptions.RESTClientGetter {
+func NewMemoryRESTClientGetter(
+ kubeConfig []byte,
+ namespace string,
+ impersonateAccount string,
+ qps float32,
+ burst int,
+ kubeConfigOpts fluxClient.KubeConfigOptions) genericclioptions.RESTClientGetter {
 return &MemoryRESTClientGetter{
 kubeConfig: kubeConfig,
 namespace: namespace,
 impersonateAccount: impersonateAccount,
 qps: qps,
 burst: burst,
+ kubeConfigOpts: kubeConfigOpts,
 }
 }

@@ -66,6 +76,7 @@ func (c *MemoryRESTClientGetter) ToRESTConfig() (*rest.Config, error) {
 if err != nil {
 return nil, err
 }
+ cfg = fluxClient.KubeConfig(cfg, c.kubeConfigOpts)
 if c.impersonateAccount != "" {
 cfg.Impersonate = rest.ImpersonationConfig{UserName: c.impersonateAccount}
 }
diff --git a/main.go b/main.go
index ff20a5600..55ccd4a0e 100644
--- a/main.go
+++ b/main.go
@@ -70,6 +70,7 @@ func main() {
 watchAllNamespaces bool
 httpRetry int
 clientOptions client.Options
+ kubeConfigOpts client.KubeConfigOptions
 logOptions logger.Options
 aclOptions acl.Options
 leaderElectionOptions leaderelection.Options
@@ -89,6 +90,7 @@ func main() {
 logOptions.BindFlags(flag.CommandLine)
 aclOptions.BindFlags(flag.CommandLine)
 leaderElectionOptions.BindFlags(flag.CommandLine)
+ kubeConfigOpts.BindFlags(flag.CommandLine)
 flag.Parse()

 ctrl.SetLogger(logger.NewLogger(logOptions))
@@ -141,6 +143,7 @@ func main() {
 MetricsRecorder: metricsRecorder,
 NoCrossNamespaceRef: aclOptions.NoCrossNamespaceRefs,
 DefaultServiceAccount: defaultServiceAccount,
+ KubeConfigOpts: kubeConfigOpts,
 }).SetupWithManager(mgr, controllers.HelmReleaseReconcilerOptions{
 MaxConcurrentReconciles: concurrent,
 DependencyRequeueInterval: requeueDependency,
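Review bot: In internal/kube/client.go the filter added to ToRESTConfig, `cfg = fluxClient.KubeConfig(cfg, c.kubeConfigOpts)`, only covers callers that obtain their config through this one method. Any other method of MemoryRESTClientGetter that builds a client or loader straight from c.kubeConfig would still honour an exec entry or insecure-skip-tls-verify taken from the Secret; those methods lie outside the hunk, so this needs checking against the full file. The line also deserves a why-comment, for example `// Drop exec auth and insecure TLS from the Secret-supplied kubeconfig unless the operator opted in via flags.` Assuming KubeConfig clears both settings by default, a test that loads a kubeconfig using both features and asserts `cfg.ExecProvider == nil` and `cfg.Insecure == false` under zero-value options would pin the new default.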
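Review bot: In main.go nothing records whether the operator has re-enabled exec or insecure TLS for remote kubeconfigs once `kubeConfigOpts.BindFlags(flag.CommandLine)` and `flag.Parse()` have run. Neither an audit of a running controller nor a user hit by the breaking default can tell from the logs which mode is active. Logging the parsed options once after `ctrl.SetLogger(...)`, for example `ctrl.Log.Info("kubeconfig options", "options", kubeConfigOpts)`, would make the setting visible. The body of main continues outside all three main.go hunks.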