ZKpdZddlmZddlmZddlmZddlZddlZddlmZddlm Z ddlm Z dd lm Z dd lm Z dd lmZdd lmZdd lmZGdde j&ZGddeZGddeZdZGddeZd"dZ d#dZdZdZdZdezZd$dZ d%dZ dZ!d Z"d!Z#y)&z-Utilities for loading and parsing kubeconfig.)absolute_import)division)unicode_literalsN)config) exceptions)log) properties)yaml)encoding)files) platformsceZdZdZy)Errorz0Class for errors raised by kubeconfig utilities.N__name__ __module__ __qualname____doc__2lib/googlecloudsdk/api_lib/container/kubeconfig.pyrr#s8rrceZdZdZy)MissingEnvVarErrorzDAn exception raised when required environment variables are missing.Nrrrrrr'sLrrc"eZdZdZfdZxZS)2DNSEndpointOrUseApplicationDefaultCredentialsErrorz>rc|jj|d|jj|d|jj|d|jj d|k(rd|jd<yy)Nr7)r)popr&r(r+get)rkeys rClearzKubeconfig.Clear\sfMMc4 MMc4 JJNN3 zz~~'(C/&(djj"#0rct|jj|jd<t|jj|jd<t|j j|jd<t j|jd5}tj|j|dddtjj|j}tjj|t}tjj!|rt j"|dyy#1swYxYw)zzSave kubeconfig to file. Raises: Error: don't have the permission to open kubeconfig or plugin cache file. r&r(r)T)privateNr>)listr&valuesr+r(r) file_utils FileWriterr*r dumpospathdirnamejoin&GKE_GCLOUD_AUTH_PLUGIN_CACHE_FILE_NAMEexistsWriteFileAtomically)rfprL gke_gcloud_auth_plugin_file_paths r SaveToFilezKubeconfig.SaveToFilecs "$--"6"6"89DJJztzz0023DJJw!$--"6"6"89DJJz   t~~t < ii B =ggoodnn-G')ww||7($ ww~~67$$%ErJ8 = 2#$s)T*)00cDcOL  3 > .55e< ==>sA+A A<A77A<c tj|}|j ||||S#tj$r*}tdj||jd}~wwxYw)Nz&unable to load kubeconfig for {0}: {1})r load_pathrr- inner_errorr[)rYr/rZr4s r LoadFromFilezKubeconfig.LoadFromFilesl ^^H %dMM$ tX  ::  2 9 9))  s1A.%A))A.ctjj|rtdj |tjj |r |j |Stjtjj||t|}|j|S#ttf$r/}tjdj ||Yd}~d}~wwxYw)zARead in the kubeconfig, and if it doesn't exist create one there.z*{0} is a directory. File must be provided.z6unable to load default kubeconfig: {0}; recreating {1}N)rJrKisdirIsADirectoryErrorr-isfiler_rIOErrorrdebugrGMakeDirrLEmptyKubeconfigrS)rYrKr4 kubeconfigs r LoadOrCreatezKubeconfig.LoadOrCreates ww}}T  6 = =d C  ww~~d %%rwwt,-_&-J W   D K Kt    sCC>%C99C>cH|jtjSr<)rir$ DefaultPath)rYs rDefaultzKubeconfig.Defaults   J224 55rcZtjtjd}|rI|j tj }|D]%}|stj j|cStjtjd}|stjjrtjtjd}tjtjd}|r"|r tj j||}|s$tjtjd}|sDtdjtjjr ddtj j|d d S) z(Return default path for kubeconfig file. KUBECONFIGHOME HOMEDRIVEHOMEPATH USERPROFILEzVenvironment variable {vars} or KUBECONFIG must be set to store credentials for kubectlz&HOMEDRIVE/HOMEPATH, USERPROFILE, HOME,)varsz.kuber)r GetEncodedValuerJenvironsplitpathseprKabspathr OperatingSystem IsWindowsrMrr-)rh kubeconfigshome_dir home_drive home_paths rrkzKubeconfig.DefaultPathsH))"**lCJ$$RZZ0k#* , ,$ '' F;H  11;;=++BJJ Dj**2::zBi  77<< I6 ++BJJ F   $$*F**446<%+%   %+%   77<<'8 44rcT|j|jxs |jtt|jj t|jj z|_tt|j j t|j j z|_tt|jj t|jj z|_y)zMerge another kubeconfig into self. In case of overlapping keys, the value in self is kept and the value in the other kubeconfig is lost. Args: kubeconfig: a Kubeconfig instance N)rUr:dictrEr&itemsr(r))rrhs rMergezKubeconfig.Merges 4//M:3M3MN Z & & ()D1D1D1F,GGDMd:++1134tDJJ >  (6655@rr$cdd|i}|r |r td|r||d<n||s||d<n|sd|d<||dS)z0Generate and return a cluster kubeconfig object.serverz'cannot specify both ca_path and ca_datazcertificate-authorityzcertificate-authority-dataTzinsecure-skip-tls-verify)r'r1)r)r'rca_pathca_datahas_dns_endpointr1s rClusterrs^ '  9 :: '.G #$#3,3G () *.G &'7 ++rc x|s|r|s|r| s tdi} t}|r-|s|s|s|s|st|||||| d<nt| | | d<|r |r td|r|| d<n|r|| d<|r | r td|r|| d <n| r| | d <| r(| | d <tj j d |d || dS)aGenerates and returns a user kubeconfig object. Args: name: str, nickname for this user entry. auth_provider: str, authentication provider. auth_provider_cmd_path: str, authentication provider command path. auth_provider_cmd_args: str, authentication provider command args. auth_provider_expiry_key: str, authentication provider expiry key. auth_provider_token_key: str, authentication provider token key. cert_path: str, path to client certificate file. cert_data: str, base64 encoded client certificate data. key_path: str, path to client key file. key_data: str, base64 encoded client key data. dns_endpoint: str, cluster's DNS endpoint. impersonate_service_account: str, service account to impersonate. iam_token: str, IAM token to use for authentication. Returns: dict, valid kubeconfig user entry. Raises: Error: if no auth info is provided (auth_provider or cert AND key) z3either auth_provider or cert & key must be provided)r'cmd_pathcmd_args expiry_key token_keyz auth-providerexecz+cannot specify both cert_path and cert_datazclient-certificatezclient-certificate-dataz)cannot specify both key_path and key_dataz client-keyzclient-key-datatokenz-Added IAM token to kubeconfig entry for user .)r'r2)r _UseExecAuth _AuthProvider_ExecAuthPluginrstatusPrint)r' auth_providerauth_provider_cmd_pathauth_provider_cmd_argsauth_provider_expiry_keyauth_provider_token_key cert_path cert_datakey_pathkey_data dns_endpointimpersonate_service_account iam_tokenr2 use_exec_auths rUserrsP hI( E FF $.-  ! # ",))-+ d?%\3NOd6l9 = >>!*D &/D "# ( ; << !D&D DMJJDTF!LM %%rcd}tjtjd}|r|j dk(rd}|S|r|j dk(rd}|S)zwReturns a bool noting if ExecAuth should be enabled. Returns: bool, which notes if ExecAuth should be enabled TUSE_GKE_GCLOUD_AUTH_PLUGINtruefalseF)r rtrJrulower)ruse_gke_gcloud_auth_plugins rrrOsh-'77jj.  ! $ * * , 6M  ! $ * * , 7M rzPath to sdk installation not found. Please switch to application default credentials using one of $ gcloud config set container/use_application_default_credentials true $ export CLOUDSDK_CONTAINER_USE_APPLICATION_DEFAULT_CREDENTIALS=truezInstall gke-gcloud-auth-plugin for use with kubectl by following https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_pluginz{ACTION REQUIRED: gke-gcloud-auth-plugin, which is needed for continued use of kubectl, was not found or is not executable. ctjjjj }|r |r t t }|dtdd}g}|r|jd|r|jd|z|r||d<|S)aQGenerate and return an exec auth plugin config. Constructs an exec auth plugin config entry readable by kubectl. This tells kubectl to call out to gke-gcloud-auth-plugin and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes GKE Auth Provider plugin is defined at https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins GKE GCloud Exec Auth Plugin code is at https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-gcloud-auth-plugin Args: dns_endpoint: str, DNS endpoint. impersonate_service_account: str, service account to impersonate. Returns: dict, valid exec auth plugin config entry. Raises: Error: Only one of --dns-endpoint or USE_APPLICATION_DEFAULT_CREDENTIALS should be set at a time. z$client.authentication.k8s.io/v1beta1T)command apiVersion installHintprovideClusterInfoz%--use_application_default_credentialsz--impersonate_service_account=args) r VALUES containeruse_app_default_credentialsGetBoolr)_GetGkeGcloudPluginCommandAndPrintWarningGKE_GCLOUD_AUTH_INSTALL_HINTappend)rr#use_application_default_credentialsrexec_cfgrs rrr|s4!!==EEG&9 < >> 5 7':1 ( $(KK78 KK03NNO HV /rcd|i}|dk(rtjjjj sd}t j jrd}|stjj}|(tjttttj j#||} t%||r|nd|r|nd|r|ndd}||d <|S#t&$rY%wxYw) aGenerates and returns an auth provider config. Constructs an auth provider config entry readable by kubectl. This tells kubectl to call out to a specific gcloud command and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes gcp auth provider plugin at https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp Args: name: auth provider name cmd_path: str, authentication provider command path. cmd_args: str, authentication provider command arguments. expiry_key: str, authentication provider expiry key. token_key: str, authentication provider token key. Returns: dict, valid auth provider config entry. Raises: Error: Path to sdk installation not found. Please switch to application default credentials using one of $ gcloud config set container/use_application_default_credentials true $ export CLOUDSDK_CONTAINER_USE_APPLICATION_DEFAULT_CREDENTIALS=true. r'gcpgcloudz gcloud.cmdz"config config-helper --format=jsonz{.credential.access_token}z{.credential.token_expiry})zcmd-pathzcmd-argsz token-keyz expiry-keyr)r rrrrr ryrzrPaths sdk_bin_pathrr4SDK_BIN_PATH_NOT_FOUNDrrJrKrMr Exception) r'rrrrproviderbin_namercfgs rrrs6d^( em))EEMMOH  **,h\\^00l   ()*++lH5h 13!H&J#,Y1M%J*F C$HX /1   s C-- C98C9c^d}tjjrd}|} tj|dgddtj tj |S#t $r tjj}|tjtnZtjj||}tj|dgddtj tj |}Y|S#t $rtjtYY|SwxYwwxYw)zGet Gke Gcloud Plugin Command to be used. Returns Gke Gcloud Plugin Command to be used. Also, prints warning if plugin is not present or doesn't work correctly. Returns: string, Gke Gcloud Plugin Command to be used. zgke-gcloud-auth-pluginzgke-gcloud-auth-plugin.exez --versionF)timeoutcheckstdoutstderr)r ryrz subprocessrunDEVNULLrrrrrcritical GKE_GCLOUD_AUTH_PLUGIN_NOT_FOUNDrJrKrM)rrrsdk_path_bin_names rrrs &(((*+H '5NN +!!!! < ./ 55\\^00l   56GGLLw?  ,%%%%  $ . 5 ll34 .5)5s*8A D,*BD"D(#D,'D((D,c|||ddS)z0Generate and return a context kubeconfig object.)r1r2)r'r3r)r'r1r2s rContextr*s rcdggddigdS)Nv1r>Config)rr)r&r7kind preferencesr(rrrrrgrg5s! r)NNF) NNNNNNNNNNNN)NN)rNNNN)$r __future__rrrrJrgooglecloudsdk.corerrcore_exceptionsrr r googlecloudsdk.core.utilr r rGr rrrrNobjectr$rrrrrrrrrrrgrrrrs 4&' &=#*$-8.9O ! !9MM*H&jjZ ,$!    $W&t8H d$#$# 1jJNEP/d r