Add flags to control kubeconfig support

Two new flags were added to allow users to enable the use of user.Exec and InsecureTLS in the kubeconfigs provided remote apply reconciliations. Breaking change: both functionalities are no longer enabled by default. Signed-off-by: Paulo Gomes <[email protected]>
fluxcd · Mar 29, 2022 · f9612e1 · f9612e1
1 parent e5c845a
commit f9612e1
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 12 deletions.
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -65,6 +65,7 @@ import (
  sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
  kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+ fluxClient "github.com/fluxcd/pkg/runtime/client"
 )
 
 // +kubebuilder:rbac:groups=kustomize.toolkit.fluxcd.io,resources=kustomizations,verbs=get;list;watch;create;update;patch;delete
@@ -88,6 +89,7 @@ type KustomizationReconciler struct {
  statusManager string
  NoCrossNamespaceRefs bool
  DefaultServiceAccount string
+ KubeConfigOpts fluxClient.KubeConfigOptions
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -343,7 +345,7 @@ func (r *KustomizationReconciler) reconcile(
  }
 
  // setup the Kubernetes client for impersonation
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
  kubeClient, statusPoller, err := impersonation.GetClient(ctx)
  if err != nil {
  return kustomizev1.KustomizationNotReady(
@@ -926,7 +928,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
  kustomization.Status.Inventory.Entries != nil {
  objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
  if impersonation.CanFinalize(ctx) {
  kubeClient, _, err := impersonation.GetClient(ctx)
  if err != nil {

diff --git a/controllers/kustomization_impersonation.go b/controllers/kustomization_impersonation.go
@@ -31,6 +31,7 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client/config"
 
  kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+ fluxClient "github.com/fluxcd/pkg/runtime/client"
 )
 
 // KustomizeImpersonation holds the state for impersonating a service account.
@@ -39,19 +40,22 @@ type KustomizeImpersonation struct {
  kustomization kustomizev1.Kustomization
  statusPoller *polling.StatusPoller
  defaultServiceAccount string
+ kubeConfigOpts fluxClient.KubeConfigOptions
 }
 
 // NewKustomizeImpersonation creates a new KustomizeImpersonation.
 func NewKustomizeImpersonation(
  kustomization kustomizev1.Kustomization,
  kubeClient client.Client,
  statusPoller *polling.StatusPoller,
- defaultServiceAccount string) *KustomizeImpersonation {
+ defaultServiceAccount string,
+ kubeConfigOpts fluxClient.KubeConfigOptions) *KustomizeImpersonation {
  return &KustomizeImpersonation{
  defaultServiceAccount: defaultServiceAccount,
  kustomization: kustomization,
  statusPoller: statusPoller,
  Client: kubeClient,
+ kubeConfigOpts: kubeConfigOpts,
  }
 }
 
@@ -141,6 +145,8 @@ func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (clie
  if err != nil {
  return nil, nil, err
  }
+
+ restConfig = fluxClient.KubeConfig(restConfig, ki.kubeConfigOpts)
  ki.setImpersonationConfig(restConfig)
 
  restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)

diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
  github.com/fluxcd/pkg/apis/acl v0.0.3
  github.com/fluxcd/pkg/apis/kustomize v0.3.2
  github.com/fluxcd/pkg/apis/meta v0.12.1
- github.com/fluxcd/pkg/runtime v0.13.2
+ github.com/fluxcd/pkg/runtime v0.13.3
  github.com/fluxcd/pkg/ssa v0.15.1
  github.com/fluxcd/pkg/testserver v0.2.0
  github.com/fluxcd/pkg/untar v0.1.0
@@ -30,10 +30,10 @@ require (
  go.mozilla.org/sops/v3 v3.7.2
  golang.org/x/net v0.0.0-20220225172249-27dd8689420f
  google.golang.org/grpc v1.45.0
- k8s.io/api v0.23.4
+ k8s.io/api v0.23.5
  k8s.io/apiextensions-apiserver v0.23.4
- k8s.io/apimachinery v0.23.4
- k8s.io/client-go v0.23.4
+ k8s.io/apimachinery v0.23.5
+ k8s.io/client-go v0.23.5
  sigs.k8s.io/cli-utils v0.29.3
  sigs.k8s.io/controller-runtime v0.11.1
  sigs.k8s.io/kustomize/api v0.11.4