Merge pull request #109 from negz/gkeauthhurtsmybrain

Support GKE OAuth Authorization
crossplane-contrib · Sep 18, 2021 · 1e9548a · 1e9548a
2 parents 2dcbdd0 + 771e919
commit 1e9548a
Show file tree

Hide file tree

Showing 11 changed files with 447 additions and 108 deletions.
diff --git a/apis/v1alpha1/types.go b/apis/v1alpha1/types.go
@@ -24,8 +24,15 @@ import (
 
 // A ProviderConfigSpec defines the desired state of a Provider.
 type ProviderConfigSpec struct {
-	// Credentials required to authenticate to this provider.
+	// Credentials used to connect to the Kubernetes API. Typically a
+	// kubeconfig file. Use InjectedIdentity for in-cluster config.
 	Credentials ProviderCredentials `json:"credentials"`
+
+	// Identity used to authenticate to the Kubernetes API. The identity
+	// credentials can be used to supplement kubeconfig 'credentials', for
+	// example by configuring a bearer token source such as OAuth.
+	// +optional
+	Identity *Identity `json:"identity,omitempty"`
 }
 
 // ProviderCredentials required to authenticate.
@@ -37,6 +44,23 @@ type ProviderCredentials struct {
 	xpv1.CommonCredentialSelectors `json:",inline"`
 }
 
+// IdentityType used to authenticate to the Kubernetes API.
+type IdentityType string
+
+// Supported identity types.
+const (
+	IdentityTypeGoogleApplicationCredentials = "GoogleApplicationCredentials"
+)
+
+// Identity used to authenticate.
+type Identity struct {
+	// Type of identity.
+	// +kubebuilder:validation:Enum=GoogleApplicationCredentials
+	Type IdentityType `json:"type"`
+
+	ProviderCredentials `json:",inline"`
+}
+
 // A ProviderConfigStatus defines the status of a Provider.
 type ProviderConfigStatus struct {
 	xpv1.ProviderConfigStatus `json:",inline"`

diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go
@@ -24,8 +24,15 @@ import (
 
 // A ProviderConfigSpec defines the desired state of a Provider.
 type ProviderConfigSpec struct {
-	// Credentials required to authenticate to this provider.
+	// Credentials used to connect to the Kubernetes API. Typically a
+	// kubeconfig file. Use InjectedIdentity for in-cluster config.
 	Credentials ProviderCredentials `json:"credentials"`
+
+	// Identity used to authenticate to the Kubernetes API. The identity
+	// credentials can be used to supplement kubeconfig 'credentials', for
+	// example by configuring a bearer token source such as OAuth.
+	// +optional
+	Identity *Identity `json:"identity,omitempty"`
 }
 
 // ProviderCredentials required to authenticate.
@@ -37,6 +44,23 @@ type ProviderCredentials struct {
 	xpv1.CommonCredentialSelectors `json:",inline"`
 }
 
+// IdentityType used to authenticate to the Kubernetes API.
+type IdentityType string
+
+// Supported identity types.
+const (
+	IdentityTypeGoogleApplicationCredentials = "GoogleApplicationCredentials"
+)
+
+// Identity used to authenticate.
+type Identity struct {
+	// Type of identity.
+	// +kubebuilder:validation:Enum=GoogleApplicationCredentials
+	Type IdentityType `json:"type"`
+
+	ProviderCredentials `json:",inline"`
+}
+
 // A ProviderConfigStatus defines the status of a Provider.
 type ProviderConfigStatus struct {
 	xpv1.ProviderConfigStatus `json:",inline"`

diff --git a/apis/v1beta1/zz_generated.deepcopy.go b/apis/v1beta1/zz_generated.deepcopy.go
diff --git a/examples/provider-config/provider-config-with-secret.yaml b/examples/provider-config/provider-config-with-secret.yaml
@@ -1,11 +1,18 @@
 apiVersion: helm.crossplane.io/v1beta1
 kind: ProviderConfig
 metadata:
-  name: helm-provider
+  name: default
 spec:
   credentials:
     source: Secret
     secretRef:
-      name: cluster-config
+      name: cluster-credentials
       namespace: crossplane-system
       key: kubeconfig
+# identity:
+#   type: GoogleApplicationCredentials
+#   source: Secret
+#   secretRef:
+#     name: gcp-credentials
+#     namespace: crossplane-system
+#     key: credentials.json
diff --git a/go.mod b/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/crossplane/crossplane-tools v0.0.0-20210320162312-1baca298c527
 	github.com/google/go-cmp v0.5.6
 	github.com/pkg/errors v0.9.1
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	helm.sh/helm/v3 v3.6.3
 	k8s.io/api v0.21.2

diff --git a/package/crds/helm.crossplane.io_providerconfigs.yaml b/package/crds/helm.crossplane.io_providerconfigs.yaml
@@ -48,7 +48,8 @@ spec:
             description: A ProviderConfigSpec defines the desired state of a Provider.
             properties:
               credentials:
-                description: Credentials required to authenticate to this provider.
+                description: Credentials used to connect to the Kubernetes API. Typically
+                  a kubeconfig file. Use InjectedIdentity for in-cluster config.
                 properties:
                   env:
                     description: Env is a reference to an environment variable that
@@ -100,6 +101,67 @@ spec:
                 required:
                 - source
                 type: object
+              identity:
+                description: Identity used to authenticate to the Kubernetes API.
+                  The identity credentials can be used to supplement kubeconfig 'credentials',
+                  for example by configuring a bearer token source such as OAuth.
+                properties:
+                  env:
+                    description: Env is a reference to an environment variable that
+                      contains credentials that must be used to connect to the provider.
+                    properties:
+                      name:
+                        description: Name is the name of an environment variable.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  fs:
+                    description: Fs is a reference to a filesystem location that contains
+                      credentials that must be used to connect to the provider.
+                    properties:
+                      path:
+                        description: Path is a filesystem path.
+                        type: string
+                    required:
+                    - path
+                    type: object
+                  secretRef:
+                    description: A SecretRef is a reference to a secret key that contains
+                      the credentials that must be used to connect to the provider.
+                    properties:
+                      key:
+                        description: The key to select.
+                        type: string
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - key
+                    - name
+                    - namespace
+                    type: object
+                  source:
+                    description: Source of the provider credentials.
+                    enum:
+                    - None
+                    - Secret
+                    - InjectedIdentity
+                    - Environment
+                    - Filesystem
+                    type: string
+                  type:
+                    description: Type of identity.
+                    enum:
+                    - GoogleApplicationCredentials
+                    type: string
+                required:
+                - source
+                - type
+                type: object
             required:
             - credentials
             type: object
@@ -181,7 +243,8 @@ spec:
             description: A ProviderConfigSpec defines the desired state of a Provider.
             properties:
               credentials:
-                description: Credentials required to authenticate to this provider.
+                description: Credentials used to connect to the Kubernetes API. Typically
+                  a kubeconfig file. Use InjectedIdentity for in-cluster config.
                 properties:
                   env:
                     description: Env is a reference to an environment variable that
@@ -233,6 +296,67 @@ spec:
                 required:
                 - source
                 type: object
+              identity:
+                description: Identity used to authenticate to the Kubernetes API.
+                  The identity credentials can be used to supplement kubeconfig 'credentials',
+                  for example by configuring a bearer token source such as OAuth.
+                properties:
+                  env:
+                    description: Env is a reference to an environment variable that
+                      contains credentials that must be used to connect to the provider.
+                    properties:
+                      name:
+                        description: Name is the name of an environment variable.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  fs:
+                    description: Fs is a reference to a filesystem location that contains
+                      credentials that must be used to connect to the provider.
+                    properties:
+                      path:
+                        description: Path is a filesystem path.
+                        type: string
+                    required:
+                    - path
+                    type: object
+                  secretRef:
+                    description: A SecretRef is a reference to a secret key that contains
+                      the credentials that must be used to connect to the provider.
+                    properties:
+                      key:
+                        description: The key to select.
+                        type: string
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - key
+                    - name
+                    - namespace
+                    type: object
+                  source:
+                    description: Source of the provider credentials.
+                    enum:
+                    - None
+                    - Secret
+                    - InjectedIdentity
+                    - Environment
+                    - Filesystem
+                    type: string
+                  type:
+                    description: Type of identity.
+                    enum:
+                    - GoogleApplicationCredentials
+                    type: string
+                required:
+                - source
+                - type
+                type: object
             required:
             - credentials
             type: object

diff --git a/pkg/clients/client.go b/pkg/clients/client.go
@@ -17,17 +17,15 @@ limitations under the License.
 package clients
 
 import (
-	"fmt"
-
 	"github.com/pkg/errors"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-// NewRestConfig returns a rest config given a secret with connection information.
-func NewRestConfig(kubeconfig []byte) (*rest.Config, error) {
+// NewRESTConfig returns a REST config given a secret with connection information.
+func NewRESTConfig(kubeconfig []byte) (*rest.Config, error) {
 	ac, err := clientcmd.Load(kubeconfig)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load kubeconfig")
@@ -53,11 +51,14 @@ func restConfigFromAPIConfig(c *api.Config) (*rest.Config, error) {
 	ctx := c.Contexts[c.CurrentContext]
 	cluster := c.Clusters[ctx.Cluster]
 	if cluster == nil {
-		return nil, errors.New(fmt.Sprintf("cluster for currentContext (%s) not found", c.CurrentContext))
+		return nil, errors.Errorf("cluster for currentContext (%s) not found", c.CurrentContext)
 	}
 	user := c.AuthInfos[ctx.AuthInfo]
 	if user == nil {
-		return nil, errors.New(fmt.Sprintf("auth info for currentContext (%s) not found", c.CurrentContext))
+		// We don't require a user because it's possible user
+		// authorization configuration will be loaded from a separate
+		// set of identity credentials (e.g. Google Application Creds).
+		user = &api.AuthInfo{}
 	}
 	return &rest.Config{
 		Host:            cluster.Server,