[v14] Machine ID: Render kubernetes template without exec plugin when using non-directory destination #43657

Closed
wants to merge 4 commits into from
Closed
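--- a/lib/tbot/bot/destination.go
+++ b/lib/tbot/bot/destination.go
@@ -16,7 +16,10 @@ limitations under the License.
 
 package bot
 
-import "context"
+import (
+"context"
+"fmt"
+)
 
 // Destination can persist renewable certificates.
 type Destination interface {
@@ -51,4 +54,8 @@ type Destination interface {
 // MarshalYAML enables the yaml package to correctly marshal the Destination
 // as YAML including the type header.
 MarshalYAML() (interface{}, error)
+
+// Stringer so that Destination's implements fmt.Stringer which allows for
+// better logging.
+fmt.Stringer
 }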
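Review bot: The comment on the embedded `fmt.Stringer` at the end of `Destination` is ungrammatical and does not say what implementations should return, which matters now that the value is handed to the logger via `logutils.StringerAttr(destination)`. I would reword it to `// String returns a short human-readable description of the destination for log output; it must not include credential material.` Embedding the interface also obliges every `Destination` implementation to provide `String()`; those implementations are not visible in this section, so confirm each one is covered. The interface body begins outside the second hunk.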
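--- a/lib/tbot/config/template_kubernetes.go
+++ b/lib/tbot/config/template_kubernetes.go
@@ -33,6 +33,7 @@ import (
 "github.com/gravitational/teleport/lib/kube/kubeconfig"
 "github.com/gravitational/teleport/lib/tbot/bot"
 "github.com/gravitational/teleport/lib/tbot/identity"
+logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
 const defaultKubeconfigPath = "kubeconfig.yaml"
@@ -199,6 +200,22 @@ func (t *templateKubernetes) render(
 kubernetesClusterName: t.clusterName,
 }
 
+// In exec plugin mode, we write the credentials to disk and write a
+// kubeconfig that execs `tbot` to load those credentials.
+
+// We only support directory mode for this since the exec plugin needs
+// to know the path to read the credentials from, and this is
+// unpredictable with other types of destination.
+destinationDir, isDirectoryDest := destination.(*DestinationDirectory)
+if !t.disableExecPlugin {
+if !isDirectoryDest {
+log.InfoContext(
+ctx,
+"Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message",
+"destination", logutils.StringerAttr(destination))
+t.disableExecPlugin = true
+}
+}
 var cfg *clientcmdapi.Config
 if t.disableExecPlugin {
 // If they've disabled the exec plugin, we just write the credentials
@@ -208,20 +225,6 @@ func (t *templateKubernetes) render(
 return trace.Wrap(err)
 }
 } else {
-// In exec plugin mode, we write the credentials to disk and write a
-// kubeconfig that execs `tbot` to load those credentials.
-
-// We only support directory mode for this since the exec plugin needs
-// to know the path to read the credentials from, and this is
-// unpredictable with other types of destination.
-destinationDir, ok := destination.(*DestinationDirectory)
-if !ok {
-return trace.BadParameter(
-"Destination %s must be a directory in exec plugin mode",
-destination,
-)
-}
-
 executablePath, err := t.executablePathGetter()
 if err != nil {
 return trace.Wrap(err)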
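Review bot: In `render`, the fallback assigns `t.disableExecPlugin = true` on the template itself, so a configuration field is rewritten as a side effect of rendering; if the same template instance is rendered again the info message is skipped and the user's original setting is lost. A local keeps the decision scoped to this call, for example `useExecPlugin := !t.disableExecPlugin && isDirectoryDest`, with the later `if t.disableExecPlugin {` testing `!useExecPlugin` instead. That also makes explicit that `destinationDir` is nil whenever the exec-plugin branch is skipped, which the `else` branch currently relies on implicitly. Since this path used to be a hard `trace.BadParameter` error, the log message could also say that the credentials are now written without the `tbot` exec indirection; the exact output format is not visible in these hunks. The body of `render` starts and ends outside the hunks shown.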