Pass cluster info to exec credential plugins (provideClusterInfo)#1808
Pass cluster info to exec credential plugins (provideClusterInfo)#1808mutsaddi-deshaw wants to merge 6 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mutsaddi-deshaw The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Welcome @mutsaddi-deshaw! |
k8s-ci-robot
added
cncf-cla: no
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support for passing cluster details to Kubernetes exec credential plugins (via KUBERNETES_EXEC_INFO.spec.cluster) and ensures CA data can be surfaced consistently (inline or file-resolved), with new unit tests covering cluster mapping/serialization.
Changes:
- Add
CaDatato persist base64 CA data resolved from kubeconfig inline data or CA file path. - Extend exec credential flow to optionally include
spec.clusterinKUBERNETES_EXEC_INFO, with sharedToExecClusterInfoconversion. - Add/expand tests validating cluster info mapping, optional field omission, and nested extension serialization.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/KubernetesClient.Tests/ExternalExecutionTests.cs | Adds unit tests for exec cluster info mapping and inclusion/omission in KUBERNETES_EXEC_INFO. |
| src/KubernetesClient/KubernetesClientConfiguration.cs | Adds CaData property to retain resolved base64 CA data. |
| src/KubernetesClient/KubernetesClientConfiguration.ConfigFile.cs | Resolves/records CaData, adds cluster injection for exec plugins, and introduces ToExecClusterInfo. |
| src/KubernetesClient/Authentication/ExecTokenProvider.cs | Threads optional cluster info through token refresh exec calls. |
| src/KubernetesClient.Aot/KubernetesClientConfiguration.ConfigFile.cs | Mirrors exec cluster injection and ToExecClusterInfo for AOT build (without extensions). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
mutsaddi-deshaw
force-pushed
the
mutsaddi-deshaw-provide-cluster-info
branch
from
e6c77d0 to
3749bdf
Compare
- Omit spec.cluster key when ProvideClusterInfo is false (don't emit null) - Omit insecure-skip-tls-verify when false (omitempty per spec) - Resolve CA from file path (mirroring client-go's dataFromSliceOrFile) - Use resolved Host/TlsServerName/CaData instead of raw kubeconfig values - Preserve binary compatibility via method overloads - Guard against cluster=null when ProvideClusterInfo=true - Add nested extension and edge-case tests
| var execExtension = cluster.Extensions? | ||
| .FirstOrDefault(e => e.Name == "client.authentication.k8s.io/exec"); | ||
| if (execExtension != null) | ||
| { | ||
| object extConfig = execExtension.Extension; | ||
| if (extConfig != null) | ||
| { | ||
| node["config"] = JsonNode.Parse(JsonSerializer.Serialize(extConfig)); | ||
| } | ||
| } |
There was a problem hiding this comment.
Dictionary<object, object> serialization with System.Text.Json is officially supported with default options when the runtime key type is a supported type. See Supported key types
| object extConfig = execExtension.Extension; | ||
| if (extConfig != null) | ||
| { | ||
| node["config"] = JsonNode.Parse(JsonSerializer.Serialize(extConfig)); | ||
| } |
| var caPath = GetFullPath(k8SConfig, clusterDetails.ClusterEndpoint.CertificateAuthority); | ||
| CertificateAuthorityData = Convert.ToBase64String(File.ReadAllBytes(caPath)); | ||
|
|
||
| // File-path loaders auto-detect cert format (PEM/DER/PFX), which the | ||
| // byte-based APIs do not reliably do on pre-.NET 9. The second read is |
There was a problem hiding this comment.
Can a non-PEM CA file can realistically occur? kubeconfig CA files are PEM per spec, and I think such a file wouldn't work with kubectl or client-go either. client-go appears to forward the raw bytes unchanged and the non-AOT C# client also seems to assume PEM (CertUtils.LoadPemFileCert). Do we have a real scenario that produces a DER/PFX CA in a kubeconfig? If not, I'd rather not add handling for input the spec disallows.
|
@mutsaddi-deshaw clean up git commit author |
kubernetes-prow
Bot
added
cncf-cla: yes
@tg123 happy to fix, but could you clarify what you'd like cleaned up on the commit author? |
Implements support for
provideClusterInfo: truein a kubeconfig user'sexecblock. Per the exec credential plugin protocol (client.authentication.k8s.io), when this flag is set the client passes the cluster's connection details to the plugin viaspec.clusterinKUBERNETES_EXEC_INFO. TheprovideClusterInfo/installHintfields were added in #620, but forwarding the cluster info was left as a TODO (#618 / #620). This PR completes that.Forwards
server,insecure-skip-tls-verify,certificate-authority-data(resolved from inline data or a CA file path),tls-server-name, and theexecextensionconfig.Note: the AOT client forwards all scalar cluster fields but not config. The AOT
ClusterEndpointanyway omitsExtensionscurrently.