Use tsh as an exec plugin from kubeconfig #3691

awly · 2020-05-11T17:11:05Z

Feature Request

Instead of writing raw client key/cert into kubeconfig on tsh login, generate an exec plugin section.
This will cause kubectl to execute tsh (with configurable flags or env vars) to fetch the client key/cert.
tsh should have some helper logic to generate that exec section in kubeconfig and also prompt login if credentials have expired.

Motivation

when user's credentials expire today, the user gets obscure x509 errors from kubectl; with exec plugin this can be changed to a login prompt or at least a helpful error message.
if a user only works with a fixed set of k8s clusters, they don't need to interact with tsh at all after initial setup.

Who's it for?

OSS User, Pro, Enterprise

cc @webvictim @benarent

The text was updated successfully, but these errors were encountered:

awly · 2020-06-11T18:08:54Z

#3690 is a good approximation of the UX we expect.
Read through that implementation before starting to learn any gotchas.

awly added the kubernetes-access label May 11, 2020

awly added this to the 5.0 Codename TBD milestone May 11, 2020

awly self-assigned this May 11, 2020

awly mentioned this issue May 11, 2020

idea: Credential plugin for kubectl #3690

Closed

awly mentioned this issue Nov 10, 2020

Add "tsh kube" commands #4769

Merged

awly closed this as completed in #4769 Nov 11, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use tsh as an exec plugin from kubeconfig #3691

Use tsh as an exec plugin from kubeconfig #3691

awly commented May 11, 2020

awly commented Jun 11, 2020

Use tsh as an exec plugin from kubeconfig #3691

Use tsh as an exec plugin from kubeconfig #3691

Comments

awly commented May 11, 2020

Feature Request

Motivation

Who's it for?

awly commented Jun 11, 2020