Add disable environment override option. (#594)
Add a flag to convert-kubeconfig that allows disabling the environment override.
Use the flag in "kubelogin get-token" to disregard any environment variables that may be set.

Provides solution for #196

Co-authored-by: Daniel Persson <[email protected]>
dpersson and Daniel Persson authored Jan 29, 2025
1 parent 76f17d0 commit b852805
Showing 4 changed files with 116 additions and 57 deletions.
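--- a/pkg/internal/converter/convert.go
+++ b/pkg/internal/converter/convert.go
@@ -18,43 +18,45 @@ const (
 cfgEnvironment = "environment"
 cfgConfigMode = "config-mode"
 
-argClientID = "--client-id"
-argServerID = "--server-id"
-argTenantID = "--tenant-id"
-argEnvironment = "--environment"
-argClientSecret = "--client-secret"
-argClientCert = "--client-certificate"
-argClientCertPassword = "--client-certificate-password"
-argIsLegacy = "--legacy"
-argUsername = "--username"
-argPassword = "--password"
-argLoginMethod = "--login"
-argIdentityResourceID = "--identity-resource-id"
-argAuthorityHost = "--authority-host"
-argFederatedTokenFile = "--federated-token-file"
-argTokenCacheDir = "--token-cache-dir"
-argIsPoPTokenEnabled = "--pop-enabled"
-argPoPTokenClaims = "--pop-claims"
-
-flagAzureConfigDir = "azure-config-dir"
-flagClientID = "client-id"
-flagContext = "context"
-flagServerID = "server-id"
-flagTenantID = "tenant-id"
-flagEnvironment = "environment"
-flagClientSecret = "client-secret"
-flagClientCert = "client-certificate"
-flagClientCertPassword = "client-certificate-password"
-flagIsLegacy = "legacy"
-flagUsername = "username"
-flagPassword = "password"
-flagLoginMethod = "login"
-flagIdentityResourceID = "identity-resource-id"
-flagAuthorityHost = "authority-host"
-flagFederatedTokenFile = "federated-token-file"
-flagTokenCacheDir = "token-cache-dir"
-flagIsPoPTokenEnabled = "pop-enabled"
-flagPoPTokenClaims = "pop-claims"
+argClientID = "--client-id"
+argServerID = "--server-id"
+argTenantID = "--tenant-id"
+argEnvironment = "--environment"
+argClientSecret = "--client-secret"
+argClientCert = "--client-certificate"
+argClientCertPassword = "--client-certificate-password"
+argIsLegacy = "--legacy"
+argUsername = "--username"
+argPassword = "--password"
+argLoginMethod = "--login"
+argIdentityResourceID = "--identity-resource-id"
+argAuthorityHost = "--authority-host"
+argFederatedTokenFile = "--federated-token-file"
+argTokenCacheDir = "--token-cache-dir"
+argIsPoPTokenEnabled = "--pop-enabled"
+argPoPTokenClaims = "--pop-claims"
+argDisableEnvironmentOverride = "--disable-environment-override"
+
+flagAzureConfigDir = "azure-config-dir"
+flagClientID = "client-id"
+flagContext = "context"
+flagServerID = "server-id"
+flagTenantID = "tenant-id"
+flagEnvironment = "environment"
+flagClientSecret = "client-secret"
+flagClientCert = "client-certificate"
+flagClientCertPassword = "client-certificate-password"
+flagIsLegacy = "legacy"
+flagUsername = "username"
+flagPassword = "password"
+flagLoginMethod = "login"
+flagIdentityResourceID = "identity-resource-id"
+flagAuthorityHost = "authority-host"
+flagFederatedTokenFile = "federated-token-file"
+flagTokenCacheDir = "token-cache-dir"
+flagIsPoPTokenEnabled = "pop-enabled"
+flagPoPTokenClaims = "pop-claims"
+flagDisableEnvironmentOverride = "disable-environment-override"
 
 execName = "kubelogin"
 getTokenCommand = "get-token"
@@ -361,6 +363,10 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 return err
 }
 
+if o.isSet(flagDisableEnvironmentOverride) {
+exec.Args = append(exec.Args, argDisableEnvironmentOverride)
+}
+
 case token.MSILogin:
 
 if o.isSet(flagClientID) {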
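Review bot: The new `isSet(flagDisableEnvironmentOverride)` append sits inside a single `case` of the login-method switch (the one immediately before `case token.MSILogin:`), so unless the same three lines are repeated in the other cases outside this hunk, `--disable-environment-override` given to convert-kubeconfig is silently dropped for every other login method, even though `UpdateFromEnv` in options.go honours the option regardless of method. Moving the block to just after the switch closes, `if o.isSet(flagDisableEnvironmentOverride) { exec.Args = append(exec.Args, argDisableEnvironmentOverride) }`, makes it method-independent; the added convert_test.go case only exercises the service-principal path, so a second case for another method would catch the gap. It is also worth confirming that `isSet` reports the flag's value rather than its mere presence, since with presence-only semantics `--disable-environment-override=false` would still emit the bare argument and switch the override off. Convert's body starts and ends outside this hunk.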
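--- a/pkg/internal/converter/convert_test.go
+++ b/pkg/internal/converter/convert_test.go
@@ -1335,6 +1335,31 @@ func TestConvert(t *testing.T) {
 },
 command: execName,
 },
+{
+name: "test with exec format kubeconfig, convert from devicecode to spn with environment override flag disabled.",
+execArgItems: []string{
+getTokenCommand,
+argServerID, serverID,
+argClientID, clientID,
+argTenantID, tenantID,
+argEnvironment, envName,
+argLoginMethod, token.DeviceCodeLogin,
+},
+overrideFlags: map[string]string{
+flagLoginMethod: token.ServicePrincipalLogin,
+flagDisableEnvironmentOverride: "true",
+},
+expectedArgs: []string{
+getTokenCommand,
+argEnvironment, envName,
+argServerID, serverID,
+argTenantID, tenantID,
+argClientID, clientID,
+argLoginMethod, token.ServicePrincipalLogin,
+argDisableEnvironmentOverride,
+},
+command: execName,
+},
 }
 rootTmpDir, err := os.MkdirTemp("", "kubelogin-test")
 if err != nil {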
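--- a/pkg/internal/token/options.go
+++ b/pkg/internal/token/options.go
@@ -14,26 +14,27 @@ import (
 )
 
 type Options struct {
-LoginMethod string
-ClientID string
-ClientSecret string
-ClientCert string
-ClientCertPassword string
-Username string
-Password string
-ServerID string
-TenantID string
-Environment string
-IsLegacy bool
-Timeout time.Duration
-TokenCacheDir string
-tokenCacheFile string
-IdentityResourceID string
-FederatedTokenFile string
-AuthorityHost string
-UseAzureRMTerraformEnv bool
-IsPoPTokenEnabled bool
-PoPTokenClaims string
+LoginMethod string
+ClientID string
+ClientSecret string
+ClientCert string
+ClientCertPassword string
+Username string
+Password string
+ServerID string
+TenantID string
+Environment string
+IsLegacy bool
+Timeout time.Duration
+TokenCacheDir string
+tokenCacheFile string
+IdentityResourceID string
+FederatedTokenFile string
+AuthorityHost string
+UseAzureRMTerraformEnv bool
+IsPoPTokenEnabled bool
+PoPTokenClaims string
+DisableEnvironmentOverride bool
 }
 
 const (
@@ -108,6 +109,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 fs.DurationVar(&o.Timeout, "timeout", 30*time.Second,
 fmt.Sprintf("Timeout duration for Azure CLI token requests. It may be specified in %s environment variable", "AZURE_CLI_TIMEOUT"))
 fs.StringVar(&o.PoPTokenClaims, "pop-claims", o.PoPTokenClaims, "contains a comma-separated list of claims to attach to the pop token in the format `key=val,key2=val2`. At minimum, specify the ARM ID of the cluster as `u=ARM_ID`")
+fs.BoolVar(&o.DisableEnvironmentOverride, "disable-environment-override", o.DisableEnvironmentOverride, "Enable or disable the use of env-variables. Default false")
 }
 
 func (o *Options) Validate() error {
@@ -141,6 +143,10 @@ func (o *Options) Validate() error {
 func (o *Options) UpdateFromEnv() {
 o.tokenCacheFile = getCacheFileName(o)
 
+if o.DisableEnvironmentOverride {
+return
+}
+
 if o.UseAzureRMTerraformEnv {
 if v, ok := os.LookupEnv(env.TerraformClientID); ok {
 o.ClientID = v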
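Review bot: The help text on the new `disable-environment-override` flag, `Enable or disable the use of env-variables. Default false`, reads as though the flag could enable something and does not say which settings it affects; wording such as `"Do not read login settings (for example the client ID) from environment variables; values given on the command line are used as-is. Default false"` matches what the early return in `UpdateFromEnv` actually does. That early return is deliberately placed after `getCacheFileName(o)` so the cache file name is still computed; a one-line comment there, `// The cache file name is always derived; only the env-var overrides below are skipped.`, would stop a later refactor from moving the return above it. If the `AZURE_CLI_TIMEOUT` lookup mentioned in the `timeout` flag's help is also performed inside `UpdateFromEnv` (its body continues past this hunk), the return disables that lookup too and the help text should say so. The `DisableEnvironmentOverride` field follows the struct's existing no-comment style, but a short comment noting it is honoured by `UpdateFromEnv` would help readers of the struct alone.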
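--- a/pkg/internal/token/options_test.go
+++ b/pkg/internal/token/options_test.go
@@ -253,3 +253,25 @@ func TestParsePoPClaims(t *testing.T) {
 })
 }
 }
+
+func TestDisableEnvironmentOverride(t *testing.T) {
+t.Run("TestDisableEnvironmentOverride", func(t *testing.T) {
+t.Setenv(env.KubeloginClientID, "client-id from env")
+o := Options{ClientID: "client-id from options"}
+o.DisableEnvironmentOverride = true
+o.UpdateFromEnv()
+if o.ClientID != "client-id from options" {
+t.Fatalf("expected client-id to be 'client-id from options', got %s", o.ClientID)
+}
+})
+
+t.Run("TestEnableEnvironmentOverride", func(t *testing.T) {
+t.Setenv(env.KubeloginClientID, "client-id from env")
+o := Options{ClientID: "client-id from options"}
+o.DisableEnvironmentOverride = false
+o.UpdateFromEnv()
+if o.ClientID != "client-id from env" {
+t.Fatalf("expected client-id to be 'client-id from env', got %s", o.ClientID)
+}
+})
+}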
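Review bot: Neither subtest pins the ordering the early return in `UpdateFromEnv` depends on — `getCacheFileName(o)` runs before the `DisableEnvironmentOverride` check — so a refactor that moves the return above it would still pass both subtests. Because the test constructs `Options{...}` unqualified it is in the same package, so the first subtest can add `if o.tokenCacheFile == "" { t.Fatal("tokenCacheFile should be set even when environment override is disabled") }`. The two subtests duplicate their bodies except for the flag value and the expected client ID; a small table with `disable bool` and `want string` fields, in the table-driven style `TestParsePoPClaims` above appears to use, would remove that, and `%q` in the `t.Fatalf` calls would make an empty ClientID visible where `%s` prints nothing.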
