Add "tanzu context get-token" command to fetch a valid CSP token for the given context #502

Merged
merged 1 commit into from
Sep 29, 2023


prkalle

@prkalle prkalle commented Sep 27, 2023

What this PR does / why we need it

This PR adds "tanzu context get-token" command to fetch a valid CSP token for the given context

Changes Summary:

  • Add a hidden command "tanzu context get-token" to fetch a valid CSP token for the given context. This command would be used in the kubeconfig generated for UCP resource to fetch/refresh the access-token dynamically.
  • Updated the kubeconfig generation logic to include the exec plugin to fetch the access token dynamically
  • Command would return an error if the context provided is not a UCP context

Which issue(s) this PR fixes

Fixes #

Describe testing done for PR

Created the UCP context and ran the tanzu context get-token and it successfully printed the ExecCredentials to stdout.

❯ ./bin/tanzu context list
Target:  kubernetes
  NAME           ISACTIVE  ENDPOINT                                                                         KUBECONFIGPATH                           KUBECONTEXT
  test-withcert  false     https://10.206.208.104:6443                                                      /Users/pkalle/.kube-tanzu/config         tanzu-cli-tkg-mgmt-vc@tkg-mgmt-vc
  tkg-mgmt-vc    false                                                                                      /Users/pkalle/temp/tkgCluster_admin.kfg  tkg-mgmt-vc-admin@tkg-mgmt-vc
  myucp          true      https://api-dev.tanzu.cloud.vmware.com/org/bc27608b-4809-4cac-9e04-778803963da2  /Users/pkalle/.kube/config               tanzu-cli-myucp
Target:  mission-control
  NAME            ISACTIVE  ENDPOINT
  tt-test-selfmg  false     tmc-sm-main.local-dev.7infra.com:443
  mytmc           false     unstable.tmc-dev.cloud.vmware.com:443
  mytmc2          true      unstable.tmc-dev.cloud.vmware.com:443


❯ ./bin/tanzu context get-token myucp
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":false},"status":{"expirationTimestamp":"2023-09-27T22:08:24Z","token":"<REDACTED>"}}

Tested with context that is not of UCP type

❯ ./bin/tanzu context get-token tkg-mgmt-vc
[x] : context "tkg-mgmt-vc" is not of type UCP

Created a UCP context and verified the kubeconfig has user information with ExecConfig with reference to tanzu context get-token

❯ ./bin/tanzu context create myucp --endpoint https://api-dev.tanzu.cloud.vmware.com --type application-engine  --staging
[i] API token env var is set

[ok] successfully created a Application Engine(UCP) context



//kubeconfig generated

apiVersion: v1
clusters:
- cluster:
    server: https://api-dev.tanzu.cloud.vmware.com/org/bc27608b-4809-4cac-9e04-778803963da2
  name: tanzu-cli-myucp/current
contexts:
- context:
    cluster: tanzu-cli-myucp/current
    user: tanzu-cli-myucp-user
  name: tanzu-cli-myucp
current-context: ""
kind: Config
preferences: {}
users:
- name: tanzu-cli-myucp-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - context
      - get-token
      - myucp
      command: tanzu
      env: []
      provideClusterInfo: false

@prkalle prkalle marked this pull request as ready for review September 27, 2023 21:45
@prkalle prkalle requested a review from a team as a code owner September 27, 2023 21:45
@prkalle prkalle force-pushed the add/context_gettoken branch 3 times, most recently from 705b8d8 to 77c8f8b Compare September 28, 2023 21:27

vuil commented Sep 28, 2023

Might be good to document the behavior when the tanzu cli is found but get-token is not, and when tanzu is not found.

  1. This is found during development, when I have the released and built binaries of the CLI named differently,
    but it would be a potential issue for other customers.
~> kubectl api-resources
NAME   SHORTNAMES   APIVERSION   NAMESPACED   KIND
Unable to connect to the server: getting credentials: decoding stdout: yaml: line 3: mapping values are not allowed in this context
  2. This is a rarer situation, but could happen if tanzu is somehow not in the user's PATH
~> kubectl api-resources
NAME   SHORTNAMES   APIVERSION   NAMESPACED   KIND
Unable to connect to the server: getting credentials: exec: executable tanzu not found

It looks like you are trying to use a client-go credential plugin that is not installed.

To learn more about this feature, consult the documentation available at:
      https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

Not to block this change, but we might want to take note to see if we can do some validation (by actually test running "tanzu context get-token" or something) before assigning the invocation to the kubeconfig's Exec


@vuil vuil left a comment


Nice! A question about interactive mode, and some thoughts about maybe doing some preflight check about the Exec command.


prkalle commented Sep 29, 2023

> Not to block this change, but we might want to take note to see if we can do some validation (by actually test running "tanzu context get-token" or something) before assigning the invocation to the kubeconfig's Exec

Created an Issue#506 to track and address it
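
The preflight validation suggested in the review above, sketched in Go as an added example (not code from this PR or from the tanzu-cli repository): it runs the exec command once and checks that stdout is a usable ExecCredential, which catches both failure modes reported in the review (binary missing from PATH, and a binary that prints something other than a credential). The names `preflight` and `validateExecCredential` are hypothetical; the command, args and apiVersion are taken from the kubeconfig in the PR description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// execCredential holds the fields a client reads from the plugin's stdout.
type execCredential struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Status     struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// validateExecCredential checks plugin stdout without printing the token.
func validateExecCredential(stdout []byte, wantAPIVersion string, now time.Time) error {
	var c execCredential
	if err := json.Unmarshal(stdout, &c); err != nil {
		return fmt.Errorf("stdout is not an ExecCredential: %w", err)
	}
	switch exp := c.Status.ExpirationTimestamp; {
	case c.Kind != "ExecCredential" || c.APIVersion != wantAPIVersion:
		return fmt.Errorf("got %s %q, kubeconfig expects ExecCredential %q", c.Kind, c.APIVersion, wantAPIVersion)
	case c.Status.Token == "":
		return fmt.Errorf("status.token is empty")
	case !exp.IsZero() && !exp.After(now):
		return fmt.Errorf("token expired at %s", exp.Format(time.RFC3339))
	}
	return nil
}

// preflight runs the exec command once before it is written to the kubeconfig.
func preflight(command string, args []string, apiVersion string) error {
	out, err := exec.Command(command, args...).Output()
	if err != nil { // covers both "not found in PATH" and a non-zero exit
		return fmt.Errorf("running %s %v: %w", command, args, err)
	}
	return validateExecCredential(out, apiVersion, time.Now())
}

func main() { // command and args as in the kubeconfig shown in the PR description
	fmt.Println("preflight:", preflight("tanzu", []string{"context", "get-token", "myucp"}, "client.authentication.k8s.io/v1"))
}
```
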

…the given context

- Add a hidden command "tanzu context get-token" to fetch a valid CSP token for the given context. This command would be used in the kubeconfig generated for UCP resource to fetch/refresh the access-token dynamically.
- Updated the kubeconfig generation logic to include the exec plugin to fetch the access token dynamically

Signed-off-by: Prem Kumar Kalle <pkalle@vmware.com>
@prkalle prkalle merged commit 7565aa8 into vmware-tanzu:main Sep 29, 2023
6 checks passed
@marckhouzam marckhouzam added this to the 1.1.0 milestone Oct 20, 2023