package sa
import (
"errors"
"fmt"
"io"
"os"
"github.com/spf13/cobra"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/client/unversioned"
kclientcmd "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
"github.com/openshift/origin/pkg/cmd/templates"
"github.com/openshift/origin/pkg/cmd/util/clientcmd"
"github.com/openshift/origin/pkg/serviceaccounts"
)
const (
CreateKubeconfigRecommendedName = "create-kubeconfig"
createKubeconfigShort = `Generate a kubeconfig file for a service account`
createKubeconfigUsage = `%s SA-NAME`
)
var (
createKubeconfigLong = templates.LongDesc(`
Generate a kubeconfig file that will utilize this service account.
The kubeconfig file will reference the service account token and use the current server,
namespace, and cluster contact info. If the service account has multiple tokens, the
first token found will be returned. The generated file will be output to STDOUT.
Service account API tokens are used by service accounts to authenticate to the API.
Client actions using a service account token will be executed as if the service account
itself were making the actions.`)
createKubeconfigExamples = templates.Examples(`
# Create a kubeconfig file for service account 'default'
%[1]s 'default' > default.kubeconfig`)
)
type CreateKubeconfigOptions struct {
SAName string
SAClient unversioned.ServiceAccountsInterface
SecretsClient unversioned.SecretsInterface
RawConfig clientcmdapi.Config
ContextNamespace string
Out io.Writer
Err io.Writer
}
func NewCommandCreateKubeconfig(name, fullname string, f *clientcmd.Factory, out io.Writer) *cobra.Command {
options := &CreateKubeconfigOptions{
Out: out,
Err: os.Stderr,
}
cmd := &cobra.Command{
Use: fmt.Sprintf(createKubeconfigUsage, name),
Short: createKubeconfigShort,
Long: createKubeconfigLong,
Example: fmt.Sprintf(createKubeconfigExamples, fullname),
Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(options.Complete(args, f, cmd))
cmdutil.CheckErr(options.Validate())
cmdutil.CheckErr(options.Run())
},
}
cmd.Flags().StringVar(&options.ContextNamespace, "with-namespace", "", "Namespace for this context in .kubeconfig.")
return cmd
}
func (o *CreateKubeconfigOptions) Complete(args []string, f *clientcmd.Factory, cmd *cobra.Command) error {
if len(args) != 1 {
return cmdutil.UsageError(cmd, fmt.Sprintf("expected one service account name as an argument, got %q", args))
}
o.SAName = args[0]
client, err := f.Client()
if err != nil {
return err
}
namespace, _, err := f.DefaultNamespace()
if err != nil {
return err
}
o.RawConfig, err = f.OpenShiftClientConfig.RawConfig()
if err != nil {
return err
}
if len(o.ContextNamespace) == 0 {
o.ContextNamespace = namespace
}
o.SAClient = client.ServiceAccounts(namespace)
o.SecretsClient = client.Secrets(namespace)
return nil
}
func (o *CreateKubeconfigOptions) Validate() error {
if o.SAName == "" {
return errors.New("service account name cannot be empty")
}
if o.SAClient == nil || o.SecretsClient == nil {
return errors.New("API clients must not be nil in order to create a new service account token")
}
if o.Out == nil || o.Err == nil {
return errors.New("cannot proceed if output or error writers are nil")
}
return nil
}
func (o *CreateKubeconfigOptions) Run() error {
serviceAccount, err := o.SAClient.Get(o.SAName)
if err != nil {
return err
}
for _, reference := range serviceAccount.Secrets {
secret, err := o.SecretsClient.Get(reference.Name)
if err != nil {
continue
}
if serviceaccounts.IsValidServiceAccountToken(serviceAccount, secret) {
token, exists := secret.Data[kapi.ServiceAccountTokenKey]
if !exists {
return fmt.Errorf("service account token %q for service account %q did not contain token data", secret.Name, serviceAccount.Name)
}
cfg := &o.RawConfig
if err := clientcmdapi.MinifyConfig(cfg); err != nil {
return fmt.Errorf("invalid configuration, unable to create new config file: %v", err)
}
ctx := cfg.Contexts[cfg.CurrentContext]
ctx.Namespace = o.ContextNamespace
// rename the current context
cfg.CurrentContext = o.SAName
cfg.Contexts = map[string]*clientcmdapi.Context{
cfg.CurrentContext: ctx,
}
// use the server name
ctx.AuthInfo = o.SAName
cfg.AuthInfos = map[string]*clientcmdapi.AuthInfo{
ctx.AuthInfo: {
Token: string(token),
},
}
out, err := kclientcmd.Write(*cfg)
if err != nil {
return err
}
fmt.Fprintf(o.Out, string(out))
return nil
}
}
return fmt.Errorf("could not find a service account token for service account %q", serviceAccount.Name)
}