Revert "Use token with kubeconfig set (#46)" (#48)

lmdehaas · superbrothers · commit 9112a93947b3 · 2018-10-24T00:18:25.000+09:00
This reverts commit 160a836.
diff --git a/AUTHORS b/AUTHORS
@@ -7,4 +7,3 @@ Tanner Bruce
 Takuhiro Yoshida
 O. Yuanying
 Anne Schuth
-Werner Buck
diff --git a/README.md b/README.md
@@ -35,8 +35,8 @@ The version of this resource corresponds to the version of kubectl. We recommend
 
 ### cluster configs
 
-- `server`: *Optional.* The address and port of the API server.
-- `token`: *Optional.* Bearer token for authentication to the API server.
+- `server`: *Optional.* The address and port of the API server. Requires `token`.
+- `token`: *Optional.* Bearer token for authentication to the API server. Requires `server`.
 - `namespace`: *Optional.* The namespace scope. Defaults to `default`. If set along with `kubeconfig`, `namespace` will override the namespace in the current-context
 - `certificate_authority`: *Optional.* A certificate file for the certificate authority.
     ```yaml
diff --git a/assets/common.sh b/assets/common.sh
@@ -34,6 +34,9 @@ setup_kubectl() {
     # Optional. The address and port of the API server. Requires token.
     local server
     server="$(jq -r '.source.server // ""' < "$payload")"
+    # Optional. Bearer token for authentication to the API server. Requires server.
+    local token
+    token="$(jq -r '.source.token // ""' < "$payload")"
     # Optional. A certificate file for the certificate authority.
     local certificate_authority
     certificate_authority="$(jq -r '.source.certificate_authority // ""' < "$payload")"
@@ -42,9 +45,23 @@ setup_kubectl() {
     local insecure_skip_tls_verify
     insecure_skip_tls_verify="$(jq -r '.source.insecure_skip_tls_verify // ""' < "$payload")"
 
+    if [[ -z "$server" || -z "$token" ]]; then
+      echoerr 'You must specify "server" and "token", if not specify "kubeconfig".'
+      exit 1
+    fi
+
+    local -r AUTH_NAME=auth
     local -r CLUSTER_NAME=cluster
     local -r CONTEXT_NAME=kubernetes-resource
 
+    # Build options for kubectl config set-credentials
+    # Avoid to expose the token string by using placeholder
+    local set_credentials_opts
+    set_credentials_opts=("--token=**********")
+    exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
+    # placeholder is replaced with actual token string
+    sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
+
     # Build options for kubectl config set-cluster
     local set_cluster_opts
     set_cluster_opts=("--server=$server")
@@ -59,7 +76,7 @@ setup_kubectl() {
     fi
     exe kubectl config set-cluster "$CLUSTER_NAME" "${set_cluster_opts[@]}"
 
-    exe kubectl config set-context "$CONTEXT_NAME" --cluster="$CLUSTER_NAME"
+    exe kubectl config set-context "$CONTEXT_NAME" --user="$AUTH_NAME" --cluster="$CLUSTER_NAME"
 
     exe kubectl config use-context "$CONTEXT_NAME"
 
@@ -94,24 +111,6 @@ setup_kubectl() {
   if [[ -n "$namespace" ]]; then
     exe kubectl config set-context "$(kubectl config current-context)" --namespace="$namespace"
   fi
-  
-  # if providing a token we set a user and override context to support both kubeconfig and generated config
-  local token
-  token="$(jq -r '.source.token // ""' < "$payload")"
-  if [[ -n "$token" ]]; then 
-    local -r AUTH_NAME=auth
-
-    # Build options for kubectl config set-credentials
-    # Avoid to expose the token string by using placeholder
-    local set_credentials_opts
-    set_credentials_opts=("--token=**********")
-    exe kubectl config set-credentials "$AUTH_NAME" "${set_credentials_opts[@]}"
-    # placeholder is replaced with actual token string
-    sed -i -e "s/[*]\\{10\\}/$token/" "$KUBECONFIG"
-
-    # override user of context to one with token   
-    exe kubectl config set-context "$(kubectl config current-context)" --user="$AUTH_NAME" 
-  fi
 
   # Optional. The name of the kubeconfig context to use.
   local context
diff --git a/test/suite.bats b/test/suite.bats
@@ -12,15 +12,6 @@ setup() {
   kubectl config view --flatten --minify > "$kubeconfig_file"
   # Change the current-context to $namespace
   kubectl --kubeconfig "$kubeconfig_file" config set-context ${current_context} --namespace "$namespace"
-  # Create a kubeconfig json without users (no token)
-  kubeconfig_file_no_token="$(mktemp)"
-  kubectl config view --flatten --minify -o json | jq -r 'del(.contexts[0].context.user,.users)' > "$kubeconfig_file_no_token"
-  # create rolebinding for full namespace access to default service account in namespace to avoid forbidden errors with token
-  kubectl create -n $namespace rolebinding --clusterrole=cluster-admin --serviceaccount=$namespace:default testaccount
-  # get default service account
-  serviceaccount=$(kubectl get -n $namespace serviceaccount default -o json | jq -r '.secrets[0].name')
-  # Extract token from service account for testing
-  token="$(kubectl get -n $namespace secret "$serviceaccount" -o json | jq -r '.data["token"]' | base64 -d)"
 }
 
 teardown() {
@@ -66,16 +57,6 @@ teardown() {
   assert_failure
 }
 
-@test "with no credentials in outputs.kubeconfig_file and source.token" {
-  run assets/out <<< "$(jq -n '{"source": {"token": $token}, "params": {"kubectl": $kubectl, "kubeconfig_file": $kubeconfig_file, "namespace": $namespace}}' \
-    --arg token "$token" \
-    --arg kubeconfig_file "$kubeconfig_file_no_token" \
-    --arg kubectl "get ns $namespace -o name" \
-    --arg namespace "$namespace")"
-  assert_match "namespace/$namespace" "$output"
-  assert_success
-}
-
 @test "command substitution in outputs.kubectl" {
   run kubectl --kubeconfig "$kubeconfig_file" run nginx --image=nginx
   assert_success
