Add kubeconfig flags

Two new flags were added to allow users to enable the use of user.Exec and InsecureTLS in the kubeconfigs provided remote apply reconciliations. Breaking change: both functionalities are no longer enabled by default. Signed-off-by: Paulo Gomes <[email protected]>
fluxcd · Mar 24, 2022 · f9814ac · f9814ac
1 parent 43b04f7
commit f9814ac
Show file tree

Hide file tree

Showing 5 changed files with 130 additions and 46 deletions.
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -78,16 +78,18 @@ import (
 // KustomizationReconciler reconciles a Kustomization object
 type KustomizationReconciler struct {
  client.Client
- httpClient *retryablehttp.Client
- requeueDependency time.Duration
- Scheme *runtime.Scheme
- EventRecorder kuberecorder.EventRecorder
- MetricsRecorder *metrics.Recorder
- StatusPoller *polling.StatusPoller
- ControllerName string
- statusManager string
- NoCrossNamespaceRefs bool
- DefaultServiceAccount string
+ httpClient *retryablehttp.Client
+ requeueDependency time.Duration
+ Scheme *runtime.Scheme
+ EventRecorder kuberecorder.EventRecorder
+ MetricsRecorder *metrics.Recorder
+ StatusPoller *polling.StatusPoller
+ ControllerName string
+ statusManager string
+ NoCrossNamespaceRefs bool
+ DefaultServiceAccount string
+ InsecureKubeconfigExec bool
+ InsecureKubeconfigTLS bool
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -343,7 +345,7 @@ func (r *KustomizationReconciler) reconcile(
  }
 
  // setup the Kubernetes client for impersonation
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.InsecureKubeconfigExec, r.InsecureKubeconfigTLS)
  kubeClient, statusPoller, err := impersonation.GetClient(ctx)
  if err != nil {
  return kustomizev1.KustomizationNotReady(
@@ -926,7 +928,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
  kustomization.Status.Inventory.Entries != nil {
  objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
- impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+ impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.InsecureKubeconfigExec, r.InsecureKubeconfigTLS)
  if impersonation.CanFinalize(ctx) {
  kubeClient, _, err := impersonation.GetClient(ctx)
  if err != nil {

diff --git a/controllers/kustomization_impersonation.go b/controllers/kustomization_impersonation.go
@@ -31,27 +31,34 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client/config"
 
  kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+ "github.com/fluxcd/pkg/kubeconfig"
 )
 
 // KustomizeImpersonation holds the state for impersonating a service account.
 type KustomizeImpersonation struct {
  client.Client
- kustomization kustomizev1.Kustomization
- statusPoller *polling.StatusPoller
- defaultServiceAccount string
+ kustomization kustomizev1.Kustomization
+ statusPoller *polling.StatusPoller
+ defaultServiceAccount string
+ insecureKubeconfigExec bool
+ insecureKubeconfigTLS bool
 }
 
 // NewKustomizeImpersonation creates a new KustomizeImpersonation.
 func NewKustomizeImpersonation(
  kustomization kustomizev1.Kustomization,
  kubeClient client.Client,
  statusPoller *polling.StatusPoller,
- defaultServiceAccount string) *KustomizeImpersonation {
+ defaultServiceAccount string,
+ insecureKubeconfigExec bool,
+ insecureKubeconfigTLS bool) *KustomizeImpersonation {
  return &KustomizeImpersonation{
- defaultServiceAccount: defaultServiceAccount,
- kustomization: kustomization,
- statusPoller: statusPoller,
- Client: kubeClient,
+ defaultServiceAccount: defaultServiceAccount,
+ kustomization: kustomization,
+ statusPoller: statusPoller,
+ Client: kubeClient,
+ insecureKubeconfigExec: insecureKubeconfigExec,
+ insecureKubeconfigTLS: insecureKubeconfigTLS,
  }
 }
 
@@ -141,6 +148,11 @@ func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (clie
  if err != nil {
  return nil, nil, err
  }
+ restConfig = kubeconfig.Sanitise(restConfig, kubeconfig.KubeconfigOptions{
+ InsecureExecProvider: ki.insecureKubeconfigExec,
+ InsecureTLS: ki.insecureKubeconfigTLS,
+ })
+
  ki.setImpersonationConfig(restConfig)
 
  restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)

diff --git a/go.mod b/go.mod
@@ -17,6 +17,7 @@ require (
  github.com/fluxcd/pkg/apis/acl v0.0.3
  github.com/fluxcd/pkg/apis/kustomize v0.3.2
  github.com/fluxcd/pkg/apis/meta v0.12.1
+ github.com/fluxcd/pkg/kubeconfig v0.0.0-00010101000000-000000000000
  github.com/fluxcd/pkg/runtime v0.13.2
  github.com/fluxcd/pkg/ssa v0.15.1
  github.com/fluxcd/pkg/testserver v0.2.0
@@ -30,10 +31,10 @@ require (
  go.mozilla.org/sops/v3 v3.7.2
  golang.org/x/net v0.0.0-20220225172249-27dd8689420f
  google.golang.org/grpc v1.45.0
- k8s.io/api v0.23.4
+ k8s.io/api v0.23.5
  k8s.io/apiextensions-apiserver v0.23.4
- k8s.io/apimachinery v0.23.4
- k8s.io/client-go v0.23.4
+ k8s.io/apimachinery v0.23.5
+ k8s.io/client-go v0.23.5
  sigs.k8s.io/cli-utils v0.29.3
  sigs.k8s.io/controller-runtime v0.11.1
  sigs.k8s.io/kustomize/api v0.11.2