From 8c3f17af382310c67b794b099ae88263b8f1d2b3 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Mon, 24 Jun 2024 11:10:19 +0100
Subject: [PATCH 1/4] Render kubernetes template without exec plugin when using non-directory destination
---
 lib/tbot/config/template_kubernetes.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go
index 993602ae6b505..d5023f1a1ec6e 100644
--- a/lib/tbot/config/template_kubernetes.go
+++ b/lib/tbot/config/template_kubernetes.go
@@ -199,6 +199,14 @@ func (t *templateKubernetes) render(
 kubernetesClusterName: t.clusterName,
 }
+ destinationDir, isDirectoryDest := destination.(*DestinationDirectory)
+ if !t.disableExecPlugin {
+ if !isDirectoryDest {
+ log.WarnContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message")
+ t.disableExecPlugin = true
+ }
+ }
+
 var cfg *clientcmdapi.Config
 if t.disableExecPlugin {
 // If they've disabled the exec plugin, we just write the credentials
@@ -214,14 +222,6 @@ func (t *templateKubernetes) render(
 // We only support directory mode for this since the exec plugin needs
 // to know the path to read the credentials from, and this is
 // unpredictable with other types of destination.
- destinationDir, ok := destination.(*DestinationDirectory)
- if !ok {
- return trace.BadParameter(
- "Destination %s must be a directory in exec plugin mode",
- destination,
- )
- }
-
 executablePath, err := t.executablePathGetter()
 if err != nil {
 return trace.Wrap(err)
From e0633a81a67626bc57adbb87e58b33d7836bfcaf Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Mon, 24 Jun 2024 12:38:11 +0100
Subject: [PATCH 2/4] Switch to info level for warning
---
 lib/tbot/config/template_kubernetes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
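Review bot: In the first hunk of PATCH 1/4 (`@@ -199,6 +199,14 @@`), `t.disableExecPlugin = true` overwrites a configuration field on the receiver from inside `render`, so if the same template value is rendered again it behaves as though the operator had set `disable_exec_plugin: true` and the log message appears only on the first render. A local decision such as `useExecPlugin := !t.disableExecPlugin && isDirectoryDest` would leave the configured value intact and make the later use of `destinationDir` visibly guarded; whether the message should be logged once or on every render then becomes an explicit choice. If `render` can run concurrently for one template (not visible here), the write is also a data race. The same assignment is carried unchanged through the hunks of PATCH 2/4, 3/4 and 4/4. `render`'s body starts and ends outside the hunk.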
diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go
index d5023f1a1ec6e..d6426ce893430 100644
--- a/lib/tbot/config/template_kubernetes.go
+++ b/lib/tbot/config/template_kubernetes.go
@@ -202,7 +202,7 @@ func (t *templateKubernetes) render(
 destinationDir, isDirectoryDest := destination.(*DestinationDirectory)
 if !t.disableExecPlugin {
 if !isDirectoryDest {
- log.WarnContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message")
+ log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message")
 t.disableExecPlugin = true
 }
 }
From 6e97fa41e45e16f6b1149b642c6a5e39f447a570 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Tue, 25 Jun 2024 09:41:44 +0100
Subject: [PATCH 3/4] Update lib/tbot/config/template_kubernetes.go
Co-authored-by: Edoardo Spadolini
---
 lib/tbot/config/template_kubernetes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go
index d6426ce893430..cf08add345c74 100644
--- a/lib/tbot/config/template_kubernetes.go
+++ b/lib/tbot/config/template_kubernetes.go
@@ -202,7 +202,7 @@ func (t *templateKubernetes) render(
 destinationDir, isDirectoryDest := destination.(*DestinationDirectory)
 if !t.disableExecPlugin {
 if !isDirectoryDest {
- log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message")
+ log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message", "destination", destination)
 t.disableExecPlugin = true
 }
 }
From 10778886f5d44f0fd1bc40baff0c73d37204bff6 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Tue, 25 Jun 2024 10:49:31 +0100
Subject: [PATCH 4/4] Address review feedback
---
 lib/tbot/bot/destination.go | 9 ++++++++-
 lib/tbot/config/template_kubernetes.go | 19 +++++++++++--------
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/lib/tbot/bot/destination.go b/lib/tbot/bot/destination.go
index 3ccc1165c528f..ca5065d918b7e 100644
--- a/lib/tbot/bot/destination.go
+++ b/lib/tbot/bot/destination.go
@@ -16,7 +16,10 @@ limitations under the License.
 package bot
-import "context"
+import (
+ "context"
+ "fmt"
+)
 // Destination can persist renewable certificates.
 type Destination interface {
@@ -51,4 +54,8 @@ type Destination interface {
 // MarshalYAML enables the yaml package to correctly marshal the Destination
 // as YAML including the type header.
 MarshalYAML() (interface{}, error)
+
+ // Stringer so that Destination's implements fmt.Stringer which allows for
+ // better logging.
+ fmt.Stringer
 }
diff --git a/lib/tbot/config/template_kubernetes.go b/lib/tbot/config/template_kubernetes.go
index cf08add345c74..007c2a4dd3be5 100644
--- a/lib/tbot/config/template_kubernetes.go
+++ b/lib/tbot/config/template_kubernetes.go
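Review bot: The comment added above the embedded `fmt.Stringer` in the `@@ -51,4 +54,8 @@` hunk of lib/tbot/bot/destination.go states no contract, and because the value is intended for log output it should say what implementations may put in it. Suggested wording: `// String returns a human-readable description of the destination for logs.` followed by `// Implementations must not include credentials or other secret material.` Embedding the interface also widens `Destination` for every implementer; this patch touches only two files, so presumably all existing implementations and test doubles already define `String()`, but that is worth confirming with a build of the whole module. The interface body starts outside the hunk.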
@@ -33,6 +33,7 @@ import (
 "github.com/gravitational/teleport/lib/kube/kubeconfig"
 "github.com/gravitational/teleport/lib/tbot/bot"
 "github.com/gravitational/teleport/lib/tbot/identity"
+ logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 const defaultKubeconfigPath = "kubeconfig.yaml"
@@ -199,14 +200,22 @@ func (t *templateKubernetes) render(
 kubernetesClusterName: t.clusterName,
 }
+ // In exec plugin mode, we write the credentials to disk and write a
+ // kubeconfig that execs `tbot` to load those credentials.
+
+ // We only support directory mode for this since the exec plugin needs
+ // to know the path to read the credentials from, and this is
+ // unpredictable with other types of destination.
 destinationDir, isDirectoryDest := destination.(*DestinationDirectory)
 if !t.disableExecPlugin {
 if !isDirectoryDest {
- log.InfoContext(ctx, "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message", "destination", destination)
+ log.InfoContext(
+ ctx,
+ "Kubernetes template will be rendered without exec plugin because destination is not a directory. Explicitly set `disable_exec_plugin: true` in the output to suppress this message",
+ "destination", logutils.StringerAttr(destination))
 t.disableExecPlugin = true
 }
 }
-
 var cfg *clientcmdapi.Config
 if t.disableExecPlugin {
 // If they've disabled the exec plugin, we just write the credentials
@@ -216,12 +225,6 @@ func (t *templateKubernetes) render(
 return trace.Wrap(err)
 }
 } else {
- // In exec plugin mode, we write the credentials to disk and write a
- // kubeconfig that execs `tbot` to load those credentials.
-
- // We only support directory mode for this since the exec plugin needs
- // to know the path to read the credentials from, and this is
- // unpredictable with other types of destination.
 executablePath, err := t.executablePathGetter()
 if err != nil {
 return trace.Wrap(err)
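Review bot: In the `@@ -199,14 +200,22 @@` hunk the info message explains why the exec plugin is skipped but not what that means for the output: per the comment on the `if t.disableExecPlugin` branch, that path writes the credentials itself instead of a kubeconfig that execs `tbot`, so (presumably) the rendered kubeconfig now carries key material in a case where the earlier code returned `trace.BadParameter`. Appending something like `The kubeconfig will contain the credentials directly.` to the message would tell operators that the artifact has to be handled as a secret. Separately, the relocated comment block beginning `// In exec plugin mode` now sits above the type assertion and leaves the `else` branch undocumented; a one-line `// Exec plugin mode: the kubeconfig execs tbot to load credentials from destinationDir.` inside the `else` would keep the explanation next to the code it describes. The nested conditions can also be written as `if !t.disableExecPlugin && !isDirectoryDest {`. `render`'s body starts and ends outside the hunk.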