From 9ab83c119507f7fae1851eaadcbcd9fe8bf65a3d Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Mon, 24 Jun 2024 11:10:19 +0100 Subject: [PATCH 1/4] Render kubernetes template without exec plugin when using non-directory destination --- lib/tbot/config/template_kubernetes.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go index 27d6153146e64..952688ec0c9fd 100644 --- a/lib/tbot/config/template_kubernetes.go +++ b/lib/tbot/config/template_kubernetes.go @@ -201,6 +201,14 @@ func (t *templateKubernetes) render( kubernetesClusterName: t.clusterName, } + destinationDir, isDirectoryDest := destination.(*DestinationDirectory) + if !t.disableExecPlugin { + if !isDirectoryDest { + log.WarnContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message") + t.disableExecPlugin = true + } + } + var cfg *clientcmdapi.Config if t.disableExecPlugin { // If they've disabled the exec plugin, we just write the credentials @@ -216,14 +224,6 @@ func (t *templateKubernetes) render( // We only support directory mode for this since the exec plugin needs // to know the path to read the credentials from, and this is // unpredictable with other types of destination. - destinationDir, ok := destination.(*DestinationDirectory) - if !ok { - return trace.BadParameter( - "Destination %s must be a directory in exec plugin mode", - destination, - ) - } - executablePath, err := t.executablePathGetter() if err != nil { return trace.Wrap(err) From 92d5972b8b6c6adc671b5cc3f4d8d2f43b4bf625 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Mon, 24 Jun 2024 12:38:11 +0100 Subject: [PATCH 2/4] Switch to info level for warning --- lib/tbot/config/template_kubernetes.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
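Review bot: The new `if !isDirectoryDest` branch assigns `t.disableExecPlugin = true`, so render now rewrites the template's own configuration and turns what used to be a `trace.BadParameter` failure into a logged fallback that writes credentials in the non-exec form. Deriving a local instead, e.g. `useExecPlugin := !t.disableExecPlugin && isDirectoryDest`, would keep the receiver read-only and avoid an unsynchronised write if render is ever called concurrently (not visible here); the message would then need its own once-only guard. The diffstat lists only this file, so a test that renders to a non-directory destination and checks the resulting kubeconfig has no exec stanza appears to be missing. render begins and ends outside the hunk.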
diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go index 952688ec0c9fd..01116c4f9d13f 100644 --- a/lib/tbot/config/template_kubernetes.go +++ b/lib/tbot/config/template_kubernetes.go @@ -204,7 +204,7 @@ func (t *templateKubernetes) render( destinationDir, isDirectoryDest := destination.(*DestinationDirectory) if !t.disableExecPlugin { if !isDirectoryDest { - log.WarnContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message") + log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message") t.disableExecPlugin = true } } From 5f7b8869a74156682a8ffa6e50bbfe9560767d30 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Tue, 25 Jun 2024 09:41:44 +0100 Subject: [PATCH 3/4] Update lib/tbot/config/template_kubernetes.go Co-authored-by: Edoardo Spadolini --- lib/tbot/config/template_kubernetes.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go index 01116c4f9d13f..3626b6fae07d0 100644 --- a/lib/tbot/config/template_kubernetes.go +++ b/lib/tbot/config/template_kubernetes.go 
@@ -204,7 +204,7 @@ func (t *templateKubernetes) render( destinationDir, isDirectoryDest := destination.(*DestinationDirectory) if !t.disableExecPlugin { if !isDirectoryDest { - log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message") + log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message", "destination", destination) t.disableExecPlugin = true } } From b935781bbf7ac3ce74cea9fb7cde8f78f9ed110c Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Tue, 25 Jun 2024 10:49:31 +0100 Subject: [PATCH 4/4] Address review feedback --- lib/tbot/bot/destination.go | 9 ++++++++- lib/tbot/config/template_kubernetes.go | 19 +++++++++++-------- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/lib/tbot/bot/destination.go b/lib/tbot/bot/destination.go index 2e9c83e261adc..a52a96b08ef9f 100644 --- a/lib/tbot/bot/destination.go +++ b/lib/tbot/bot/destination.go @@ -18,7 +18,10 @@ package bot -import "context" +import ( + "context" + "fmt" +) // Destination can persist renewable certificates. type Destination interface { @@ -53,4 +56,8 @@ type Destination interface { // MarshalYAML enables the yaml package to correctly marshal the Destination // as YAML including the type header. MarshalYAML() (interface{}, error) + + // Stringer so that Destination's implements fmt.Stringer which allows for + // better logging. + fmt.Stringer } diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go index 3626b6fae07d0..27e41e7cb4953 100644 --- a/lib/tbot/config/template_kubernetes.go +++ b/lib/tbot/config/template_kubernetes.go 
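Review bot: The comment on the embedded `fmt.Stringer` in `Destination` is ungrammatical and does not tell implementers what String() may contain, which matters because its result is now written to logs. Suggested wording: `// Stringer is embedded so that every Destination implements fmt.Stringer and can be logged; String must describe the destination (type, path or name) and must never include credential material.` Embedding it also makes String() mandatory for every implementation; this patch touches no implementing type, so presumably they all define it already, which is worth confirming for any implementation outside this package. The interface declaration starts above the hunk.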
@@ -35,6 +35,7 @@ import ( "github.com/gravitational/teleport/lib/kube/kubeconfig" "github.com/gravitational/teleport/lib/tbot/bot" "github.com/gravitational/teleport/lib/tbot/identity" + logutils "github.com/gravitational/teleport/lib/utils/log" ) const defaultKubeconfigPath = "kubeconfig.yaml" @@ -201,14 +202,22 @@ func (t *templateKubernetes) render( kubernetesClusterName: t.clusterName, } + // In exec plugin mode, we write the credentials to disk and write a + // kubeconfig that execs `tbot` to load those credentials. + + // We only support directory mode for this since the exec plugin needs + // to know the path to read the credentials from, and this is + // unpredictable with other types of destination. destinationDir, isDirectoryDest := destination.(*DestinationDirectory) if !t.disableExecPlugin { if !isDirectoryDest { - log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message", "destination", destination) + log.InfoContext( + ctx, + "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message", + "destination", logutils.StringerAttr(destination)) t.disableExecPlugin = true } } - var cfg *clientcmdapi.Config if t.disableExecPlugin { // If they've disabled the exec plugin, we just write the credentials @@ -218,12 +227,6 @@ func (t *templateKubernetes) render( return trace.Wrap(err) } } else { - // In exec plugin mode, we write the credentials to disk and write a - // kubeconfig that execs `tbot` to load those credentials. - - // We only support directory mode for this since the exec plugin needs - // to know the path to read the credentials from, and this is - // unpredictable with other types of destination. executablePath, err := t.executablePathGetter() if err != nil { return trace.Wrap(err)
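Review bot: The two comments moved above `destinationDir, isDirectoryDest := ...` still read as a description of exec plugin mode, but they now sit over code that runs in both modes, while the `else` branch that builds the exec kubeconfig is left without any comment. I would replace them with one comment that states the decision, `// The exec plugin needs a predictable on-disk path to the credentials, so it is only used for directory destinations; any other destination is rendered without it.`, and keep `// In exec plugin mode, ...` at the top of the `else` body. The hunk also drops the blank line before `var cfg *clientcmdapi.Config`, which runs the fallback block into the rendering block. render continues outside the hunk.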