From c66d898148cff7ecf582382939dacb365fbdaa9a Mon Sep 17 00:00:00 2001
From: Christopher Hein
Date: Mon, 9 Apr 2018 18:17:47 -0700
Subject: [PATCH] Adding README.md Updates With the New Auth Flow

**Why:**
* Documentes how to configured your `kubeconfig` to use `ExecCredential` `client-go` mechanisms.
* Changes some of the documented comments to reflex `clientauth` vs 1.10 release
Signed-off-by: Christopher Hein
---
 README.md | 17 +++++++++++++++--
 cmd/heptio-authenticator-aws/token.go | 2 +-
 pkg/token/token.go | 4 ++--
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index f1c7a5e30..021d71304 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,9 @@ systemctl restart kubelet.service
 ```
 ### 4. Set up kubectl to use Heptio Authenticator for AWS tokens
+
+> This requires a 1.10+ `kubectl` binary to work. If you receive `Please enter Username:` when trying to use `kubectl` you need to update to the latest `kubectl`
+
 Finally, once the server is set up you'll want to authenticate! You will still need a `kubeconfig` that has the public data about your cluster (cluster CA certificate, endpoint address). The `users` section of your configuration, however, can be mostly blank:
@@ -89,6 +92,16 @@ The `users` section of your configuration, however, can be mostly blank:
 # [...]
 users:
 - name: kubernetes-admin
+ user:
+ exec:
+ apiVersion: client.authentication.k8s.io/v1alpha1
+ command: heptio-authenticator-aws
+ args:
+ - "token"
+ - "-i"
+ - "CLUSTER_ID"
+ - "-r"
+ - "ROLE_ARN"
 # no client certificate/key needed here!
 ```
 
@@ -98,8 +111,8 @@ It may make sense to upload it to a trusted public location such as AWS S3.
 Make sure you have the `heptio-authenticator-aws` binary installed. You can install it with `go get -u -v github.com/heptio/authenticator/cmd/heptio-authenticator-aws`.
-To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig --token "$(heptio-authenticator-aws token -i CLUSTER_ID -r ROLE_ARN)" [...]`.
-You can simplify this with an alias or shell wrapper.
+To authenticate, run `kubectl --kubeconfig /path/to/kubeconfig" [...]`.
+kubectl will handle `exec`'ing the `heptio-authenticator-aws` binary with the supplied params in your kubeconfig which will generate a token and pass it to the apiserver.
 The token is valid for 15 minutes (the shortest value AWS permits) and can be reused multiple times. You can also omit `-r ROLE_ARN` to sign the token with your existing credentials without assuming a dedicated role.
diff --git a/cmd/heptio-authenticator-aws/token.go b/cmd/heptio-authenticator-aws/token.go
index a1fb11d19..cfaec4b6a 100644
--- a/cmd/heptio-authenticator-aws/token.go
+++ b/cmd/heptio-authenticator-aws/token.go
@@ -35,7 +35,7 @@ var tokenCmd = &cobra.Command{
 clusterID := viper.GetString("clusterID")
 if clusterID == "" {
- fmt.Fprintf(os.Stderr, "error: cluster ID not specified\n")
+ fmt.Fprintf(os.Stderr, "Error: cluster ID not specified\n")
 cmd.Usage()
 os.Exit(1)
 }
diff --git a/pkg/token/token.go b/pkg/token/token.go
index f5d3f0871..514c663aa 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -127,7 +127,7 @@ type Generator interface {
 Get(string) (string, error)
 // GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
 GetWithRole(clusterID, roleARN string) (string, error)
- // FormatJSON returns the client auth formatted json for the execcredential auth
+ // FormatJSON returns the client auth formatted json for the ExecCredential auth
 FormatJSON(string) string
 }
 
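Review bot: The reworded `// FormatJSON` comment on the Generator interface in pkg/token/token.go still does not say what the returned string contains, and the implementation comment in the `@@ -184,7 +184,7 @@` hunk of the same file has the same gap. From the signature `FormatJSON(token string) string` and the `clientauthv1alpha1.ExecCredential` literal the implementation opens with, the output is presumably the serialized ExecCredential carrying the bearer token, so the comment should name that rather than only the mechanism; the rest of the FormatJSON body lies outside the hunk, so confirm the field used before wording it. Suggested interface comment: `// FormatJSON wraps token in a client.authentication.k8s.io/v1alpha1 ExecCredential and returns it serialized as JSON for kubectl's exec credential plugin; the result carries the bearer token and is meant to be written only to the plugin's stdout.` The matching implementation comment can restate the same contract so the two stay in sync.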
@@ -184,7 +184,7 @@ func (g generator) GetWithRole(clusterID string, roleARN string) (string, error)
 return v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), nil
 }
-// FormatJSON formats the json to support 1.10 external authProvider
+// FormatJSON formats the json to support ExecCredential authentication
 func (g generator) FormatJSON(token string) string {
 execInput := &clientauthv1alpha1.ExecCredential{
 TypeMeta: metav1.TypeMeta{