p[dZddlmZddlmZddlmZddlZddlZddlZddlZddl m Z ddl m Z ddl m Z dd l mZdd lmZdd lmZdd lmZd ZdZGdde j,ZGddeZdZdZdZdZdZdZGddeZd(dZ d)dZ!dZ"dZ#de#zZ$d Z% d*d!Z&d"Z'd#Z(d$e#zZ)d%Z*d&Z+d'Z,y)+z,Utilities for generating kubeconfig entries.)absolute_import)division)unicode_literalsN)config) exceptions)log)yaml)encoding)files) platformsa! Fetch credentials for a running {kind} cluster. This command updates a kubeconfig file with appropriate credentials and endpoint information to point kubectl at a specific {kind} cluster. By default, credentials are written to ``HOME/.kube/config''. You can provide an alternate path by setting the ``KUBECONFIG'' environment variable. If ``KUBECONFIG'' contains multiple paths, the first one is used. This command enables switching to a specific cluster, when working with multiple clusters. It can also be used to access a previously created cluster from a new workstation. The command will configure kubectl to automatically refresh its credentials using the same identity as the gcloud command-line tool. See [](https://cloud.google.com/kubernetes-engine/docs/kubectl) for kubectl documentation. z To get credentials of a cluster named ``my-cluster'' managed in location ``us-west1'', run: $ {command} my-cluster --location=us-west1 ceZdZdZy)Errorz>Class for errors raised by edgecontainer kubeconfig utilities.N__name__ __module__ __qualname____doc__Alib/googlecloudsdk/command_lib/edge_cloud/container/kubeconfig.pyrr8sFrrceZdZdZy)MissingEnvVarErrorzDAn exception raised when required environment variables are missing.Nrrrrrr<sLrrc.d}|j|||S)aGenerates a kubeconfig context for a Edge Container cluster. Args: project_id: str, project ID associated with the cluster. location: str, Google location of the cluster. cluster_id: str, ID of the cluster. Returns: The context for the kubeconfig entry. z2edgecontainer_{project_id}_{location}_{cluster_id}) project_idlocation cluster_id)format)rrrtemplates rGenerateContextr@s)B( h:  GGrcfd}|j|jdn|jdz|||S)a\Generates command arguments for kubeconfig's authorization provider. Args: track: ReleaseTrack of gcloud command. cluster_id: str, ID of the cluster. project_id: str, ID of the project of the cluster. location: str, Google location of the cluster. Returns: The command arguments for kubeconfig's authorization provider. zr{prefix}edge-cloud container clusters print-access-token {cluster_id} --project={project_id} --location={location} )prefixrrr)rr#)trackrrrrs rGenerateAuthProviderCmdArgsr%PsEB  <<'RU\\C-?  rcdd|d|d|gS)z(Returns exec auth provider command args.z--use_edge_cloudz --projectz --locationz --clusterr)rrrs rGenerateExecAuthCmdArgsr'hs# rc ltj}t}t||||j|<|dj t|||i}|j tjdnt|j |d<|jtjdnt|j|d<t|fi|}|dd=||j|<|d j |t|d d }|d }i}|jtjd nt|j|d <t!|dj#|j$|fi||j&|<|dj t!|dj#|j$|fi||j)|||d<t+j,|t.j0|j3tj4j7dj#|y)aJGenerates a kubeconfig entry based on offline credential for a Edge Container cluster. Args: cluster: object, Edge Container cluster. context: str, context for the kubeconfig entry. credential_resp: Response from GetOfflineCredential API. Raises: Error: don't have the permission to open kubeconfig file contextsNz)Offline credential is missing client key.key_dataz1Offline credential is missing client certificate. cert_datauserexecusersporti.Cluster is missing certificate authority data.ca_data https://{}:{}clusterscurrent-contextNA new kubeconfig entry "{}" has been generated and set as the current context.) KubeconfigDefaultEmptyKubeconfigContextr)append clientKeyrerror_GetPemDataForKubeconfigclientCertificateUserr.getattrclusterCaCertificatewarningClusterrendpointr3SetCurrentContextr dumpsysstderr SaveToFilestatusPrint) clustercontextcredential_resp kubeconfigkubeconfig_for_output user_kwargsr,r/cluster_kwargss r&GenerateKubeconfigForOfflineCredentialrSvs!!#*)+!('7!C*g #**77GW+MN+&II9:6!!K &&.IIAB7)) K  g % %$ 6l6"*7 ''- &# &$ \ D. !!)KK@A 8$$!N9") %%g&6&6="AO"*g #**   !1!14 8  w'-4)*)) !3::. **rcHtj}t||||j|<d||dd|d}t |fi|}||j |<i}|j tjdnt|j |d<t|dd } | d } t|d j|j| fi||j|<|j||j!tj"j%d j|y) aGenerates a kubeconfig entry for a Edge Container cluster. Args: cluster: object, Edge Container cluster. context: str, context for the kubeconfig entry. cmd_path: str, authentication provider command path. cmd_args: str, authentication provider command arguments. exec_args: str, exec auth command arguments. Raises: Error: don't have the permission to open kubeconfig file gcpz {.expireTime}z{.accessToken}) auth_providerauth_provider_cmd_pathauth_provider_cmd_argsauth_provider_expiry_keyauth_provider_token_keyexec_auth_argsNr0r1r/i+r2r5)r6r7r9r)r?r.rArrBr=r@rCrrDr3rErIrJrK) rLrMcmd_pathcmd_args exec_argsrOrQr,rRr/s rGenerateKubeconfigr_s&!!#*!('7!C*g ( ("1!1! + g % %$"*7. !!)KK@A 8$$!N9 &$ '$ \ D!( %%g&6&6="QAO"Q*g w' ***rchtj|jdjdS)Nzutf-8)base64 b64encodeencodedecode)pems rr=r=s)   #**W- . 5 5g >>rceZdZdZdZedZedZdZdZ dZ e dZ e d Z e d Ze d Zed Zd Zy)r6z1Interface for interacting with a kubeconfig file.c.||_||_i|_i|_i|_|jdD]}||j|d<|jdD]}||j|d<|jdD]}||j|d<y)Nr3namer.r)) _filename_datar3r.r))selfraw_datafilenamerLr,rMs r__init__zKubeconfig.__init__sDNDJDMDJDM::j)'.dmmGFO$* 7#!%djjf$::j)'.dmmGFO$*rc |jdSNr4rjrks rcurrent_contextzKubeconfig.current_contexts ::' ((rc|jSN)rirrs rrmzKubeconfig.filenames >>rc|jj|d|jj|d|jj|d|jj d|k(rd|jd<yy)Nr4r!)r)popr3r.rjget)rkkeys rClearzKubeconfig.ClearsfMMc4 MMc4 JJNN3 zz~~'(C/&(djj"#0rct|jj|jd<t|jj|jd<t|j j|jd<t j|jd5}tj|j|dddy#1swYyxYw)zjSave kubeconfig to file. Raises: Error: don't have the permission to open kubeconfig file. r3r.r)T)privateN) listr3valuesrjr.r) file_utils FileWriterrir rF)rkfps rrIzKubeconfig.SaveToFile s "$--"6"6"89DJJztzz0023DJJw!$--"6"6"89DJJz   t~~t < ii B = < 2#$s)T*1883id3i*+ +3 > .55e< ==>sA+A A<A77A<c tj|}|j ||||S#tj$r*}tdj||jd}~wwxYw)Nz&unable to load kubeconfig for {0}: {1})r load_pathrr inner_errorr)rrmrr<s r LoadFromFilezKubeconfig.LoadFromFile(sl( ^^H %dMM$ tX  ::( :AA E%%' (((s1A.%A))A.cR |j|S#ttf$r}tjdj ||t jtjj||t|}|j|cYd}~Sd}~wwxYw)zARead in the kubeconfig, and if it doesn't exist create one there.z6unable to load default kubeconfig: {0}; recreating {1}N) rrIOErrorrdebugrrMakeDirospathdirnamer8rI)rrmr<rOs r LoadOrCreatezKubeconfig.LoadOrCreate2s   h '' 7  iiHOO 23((3j  sB&A9B!B&!B&cH|jtjSru)rr6 DefaultPath)rs rr7zKubeconfig.Default?s   J224 55rcJtjtjd}|rA|j tj d}tj j|Stjtjd}|stjjrtjtjd}tjtjd}|r"|r tj j||}|s$tjtjd}|sDtdjtjjr d d tj j|d d S) z(Return default path for kubeconfig file. KUBECONFIGrHOME HOMEDRIVEHOMEPATH USERPROFILEzVenvironment variable {vars} or KUBECONFIG must be set to store credentials for kubectlz&HOMEDRIVE/HOMEPATH, USERPROFILE, HOME,)varsz.kuber)r GetEncodedValuerenvironsplitpathseprabspathr OperatingSystem IsWindowsjoinrr)rOhome_dir home_drive home_paths rrzKubeconfig.DefaultPathCs@))"**lCJ##BJJ/2j WW__Z (('' F;H  11;;=++BJJ Dj**2::zBi  77<< I6 ++BJJ F   $$*F?Hyy{@+;%+%8 9917%+%8 99 77<<'8 44rcT|j|jxs |jtt|jj t|jj z|_tt|j j t|j j z|_tt|jj t|jj z|_y)zMerge another kubeconfig into self. In case of overlapping keys, the value in self is kept and the value in the other kubeconfig is lost. Args: kubeconfig: a Kubeconfig instance N)rErsdictr}r3itemsr.r))rkrOs rMergezKubeconfig.Merge^s 4//M:3M3MN Z & & ()D1D1D1F,GGIDMd:++1134tDJJ >  66554Irr6c\d|i}|r |r td|r||d<n |r||d<nd|d<||dS)z0Generate and return a cluster kubeconfig object.serverz'cannot specify both ca_path and ca_datazcertificate-authorityzcertificate-authority-dataTzinsecure-skip-tls-verify)rhrL)r)rhrca_pathr1rLs rrCrCosU '  9 :: '.G #$,3G ()*.G &'7 ++rc |s|r|s|r| s tdi} trt| | d<n|r|s|s|s|rt|||||| d<|r |r td|r|| d<n|r|| d<|r | r td|r|| d <n| r| | d <|| d S) aHGenerates and returns a user kubeconfig object. Args: name: str, nickname for this user entry. auth_provider: str, authentication provider. auth_provider_cmd_path: str, authentication provider command path. auth_provider_cmd_args: str, authentication provider command args. auth_provider_expiry_key: str, authentication provider expiry key. auth_provider_token_key: str, authentication provider token key. cert_path: str, path to client certificate file. cert_data: str, base64 encoded client certificate data. key_path: str, path to client key file. key_data: str, base64 encoded client key data. exec_auth_args: list, exec auth provider command arguments. Returns: dict, valid kubeconfig user entry. Raises: Error: if no auth info is provided (auth_provider or cert AND key) z3either auth_provider or cert & key must be providedr-)rhr\r] expiry_key token_keyz auth-providerz+cannot specify both cert_path and cert_datazclient-certificatezclient-certificate-dataz)cannot specify both key_path and key_dataz client-keyzclient-key-data)rhr,)r _UseExecAuth_ExecAuthPlugin _AuthProvider) rhrVrWrXrYrZ cert_pathr+key_pathr*r[r,s rr?r?sB I(  E FF $^">2DL  ! # ",))-+ d?9 = >>!*D &/D "# ( ; << !D&D  %%rzPath to sdk installation not found. Please check your installation or use the `--auth-provider-cmd-path` flag to provide the path to gcloud manually.zInstall gke-gcloud-auth-plugin for use with kubectl by following https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke z{ACTION REQUIRED: gke-gcloud-auth-plugin, which is needed for continued use of kubectl, was not found or is not executable. c2t}||dtdd}|S)aGenerate and return an exec auth plugin config. Args: exec_auth_args: list, exec auth provider command arguments. Constructs an exec auth plugin config entry readable by kubectl. This tells kubectl to call out to gke-gcloud-auth-plugin and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes GKE Auth Provider plugin is defined at https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins GKE GCloud Exec Auth Plugin code is at https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-gcloud-auth-plugin Returns: dict, valid exec auth plugin config entry. z$client.authentication.k8s.io/v1beta1T)commandargs apiVersion installHintprovideClusterInfo))_GetGkeGcloudPluginCommandAndPrintWarningGKE_GCLOUD_AUTH_INSTALL_HINT)r[rexec_cfgs rrrs+( 6 7':1 ( /rc.d|i}|dk(rd}tjjrd}|Otjj }|t ttjj||}||r|nd|r|nd|r|ndd}||d <|S) aGenerates and returns an auth provider config. Constructs an auth provider config entry readable by kubectl. This tells kubectl to call out to a specific gcloud command and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes gcp auth provider plugin at https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp Args: name: auth provider name cmd_path: str, authentication provider command path. cmd_args: str, authentication provider command arguments. expiry_key: str, authentication provider expiry key. token_key: str, authentication provider token key. Returns: dict, valid auth provider config entry. Raises: Error: Path to sdk installation not found. Please switch to application default credentials using one of $ gcloud config set container/use_application_default_credentials true $ export CLOUDSDK_CONTAINER_USE_APPLICATION_DEFAULT_CREDENTIALS=true. rhrUgcloudz gcloud.cmdz"config config-helper --format=jsonz{.credential.access_token}z{.credential.token_expiry})zcmd-pathzcmd-argsz token-keyz expiry-keyr) r rrrPaths sdk_bin_pathrSDK_BIN_PATH_NOT_FOUNDrrr) rhr\r]rrproviderbin_namercfgs rrrs:d^( U]H  **,h\\^00l  *++lH5h !H&J#I(D%J*F C$HX /rcd}tjtj|}|Z|j dk(ry|j dk7r3t j dj||j y)z4Returns a bool noting if ExecAuth should be enabled.USE_GKE_GCLOUD_AUTH_PLUGINfalseFtruez.Ignoring unsupported env value found for {}={}T)r rrrlowerrrBr)env_flaguse_gke_gcloud_auth_plugins rrr9sy )('77 HM +!'')W4  # ) ) +v 5 kk : A A288:  rctd}tjjrd}|} tj|dgddtj tj t ||S#t$r tjj}|tjtnZtjj!||}tj|dgddtj tj |}Y|S#t$rtjtYY|SwxYwwxYw)zGets Gke Gcloud Plugin Command to be used. Returns Gke Gcloud Plugin Command to be used. Also, prints warning if plugin is not present or doesn't work correctly. Returns: string, Gke Gcloud Plugin Command to be used. zgke-gcloud-auth-pluginzgke-gcloud-auth-plugin.exez --versionF)timeoutcheckstdoutrH)r rr subprocessrunDEVNULL_ValidateGkeGcloudPluginVersion Exceptionrrrrcritical GKE_GCLOUD_AUTH_PLUGIN_NOT_FOUNDrrr)rrrsdk_path_bin_names rrrLs&(((*+H '5NNG[)$,,$,, . $G,, .+ 55\\^00l   56GGLLw?);7 "(00(00  2 $ . 5 ll34 .5%5s+AA++ D75BD  "D3.D72D33D7zkACTION REQUIRED: gke-gcloud-auth-plugin, which is needed for continued use of kubectl needs to be updated. ctj|dgdddd}d|jvr)d|jvrt j t yyy)zValidate Gke Gcloud Plugin Command to be used. GDCE will depend on the newest available version, so warn customers if they have an older version installed. Args: command: Gke Gcloud Plugin Command to be used. z--helprFT)rrcapture_outputtextz--project stringN)rrrHrrr%GKE_GCLOUD_AUTH_PLUGIN_NOT_UP_TO_DATE)rresults rrrsW >>    & - -LL67..rc|||ddS)z0Generate and return a context kubeconfig object.)rLr,)rhrMr)rhrLr,s rr9r9s rcdggddigdS)Nv1r!Config)rr)r3r4kind preferencesr.rrrrr8r8s! r)NN) NNNNNNNNNN)rUNNNN)-r __future__rrrrarrrGgooglecloudsdk.corerrcore_exceptionsrr googlecloudsdk.core.utilr r rr COMMAND_DESCRIPTIONCOMMAND_EXAMPLErrrr%r'rSr_r=objectr6rCr?rrrrrrrrrr9r8rrrrs33&'  &=#$-8. GO ! !GMM G 0 =@,*^?IID ," $ $"&!%G&V # ; !! B! <~&,^+-IJ& 80 r