Extend kubernetes client flags to match kubectl

probe/kubernetes/client.go

@@ -12,6 +12,8 @@ import (
 	"k8s.io/kubernetes/pkg/client/cache"
 	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/client/unversioned"
+	"k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
+	clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
 	"k8s.io/kubernetes/pkg/fields"
 	"k8s.io/kubernetes/pkg/labels"
 	"k8s.io/kubernetes/pkg/util/wait"
@@ -62,35 +64,79 @@ func runReflectorUntil(r *cache.Reflector, resyncPeriod time.Duration, stopCh <-
 	go wait.Until(loggingListAndWatch, resyncPeriod, stopCh)
 }
 
+// ClientConfig establishes the configuration for the kubernetes client
+type ClientConfig struct {
+	Interval             time.Duration
+	CertificateAuthority string
+	ClientCertificate    string
+	ClientKey            string
+	Cluster              string
+	Context              string
+	Insecure             bool
+	Kubeconfig           string
+	Password             string
+	Server               string
+	Token                string
+	User                 string
+	Username             string
+}
+
 // NewClient returns a usable Client. Don't forget to Stop it.
-func NewClient(addr string, resyncPeriod time.Duration) (Client, error) {
-	var config *restclient.Config
-	if addr != "" {
-		config = &restclient.Config{Host: addr}
-	} else {
-		// If no API server address was provided, assume we are running
+func NewClient(config ClientConfig) (Client, error) {
+	var restConfig *restclient.Config
+	if config.Server == "" && config.Kubeconfig == "" {
+		// If no API server address or kubeconfig was provided, assume we are running
 		// inside a pod. Try to connect to the API server through its
 		// Service environment variables, using the default Service
 		// Account Token.
 		var err error
-		if config, err = restclient.InClusterConfig(); err != nil {
+		if restConfig, err = restclient.InClusterConfig(); err != nil {
+			return nil, err
+		}
+	} else {
+		var err error
+		restConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+			&clientcmd.ClientConfigLoadingRules{ExplicitPath: config.Kubeconfig},
+			&clientcmd.ConfigOverrides{
+				AuthInfo: clientcmdapi.AuthInfo{
+					ClientCertificate: config.ClientCertificate,
+					ClientKey:         config.ClientKey,
+					Token:             config.Token,
+					Username:          config.Username,
+					Password:          config.Password,
+				},
+				ClusterInfo: clientcmdapi.Cluster{
+					Server:                config.Server,
+					InsecureSkipTLSVerify: config.Insecure,
+					CertificateAuthority:  config.CertificateAuthority,
+				},
+				Context: clientcmdapi.Context{
+					Cluster:  config.Cluster,
+					AuthInfo: config.User,
+				},
+				CurrentContext: config.Context,
+			},
+		).ClientConfig()
+		if err != nil {
 			return nil, err
 		}
+
 	}
+	log.Infof("kubernetes: targeting api server %s", restConfig.Host)
 
-	c, err := unversioned.New(config)
+	c, err := unversioned.New(restConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	ec, err := unversioned.NewExtensions(config)
+	ec, err := unversioned.NewExtensions(restConfig)
 	if err != nil {
 		return nil, err
 	}
 
 	result := &client{
 		quit:             make(chan struct{}),
-		resyncPeriod:     resyncPeriod,
+		resyncPeriod:     config.Interval,
 		client:           c,
 		extensionsClient: ec,
 	}

prog/main.go

@@ -14,16 +14,24 @@ import (
 
 	"github.com/weaveworks/scope/app"
 	"github.com/weaveworks/scope/common/xfer"
+	"github.com/weaveworks/scope/probe/kubernetes"
 	"github.com/weaveworks/weave/common"
 )
 
 var (
 	// set at build time
 	version = "dev"
 	// tokens to be elided when logging
-	serviceTokenFlag = "service-token"
-	probeTokenFlag   = "probe.token"
-	sensitiveFlags   = []string{serviceTokenFlag, probeTokenFlag}
+	serviceTokenFlag       = "service-token"
+	probeTokenFlag         = "probe.token"
+	kubernetesPasswordFlag = "probe.kubernetes.password"
+	kubernetesTokenFlag    = "probe.kubernetes.token"
+	sensitiveFlags         = []string{
+		serviceTokenFlag,
+		probeTokenFlag,
+		kubernetesPasswordFlag,
+		kubernetesTokenFlag,
+	}
 )
 
 type prefixFormatter struct {
@@ -86,9 +94,8 @@ type probeFlags struct {
 	dockerInterval time.Duration
 	dockerBridge   string
 
-	kubernetesEnabled  bool
-	kubernetesAPI      string
-	kubernetesInterval time.Duration
+	kubernetesEnabled bool
+	kubernetesConfig  kubernetes.ClientConfig
 
 	weaveEnabled  bool
 	weaveAddr     string
@@ -200,8 +207,20 @@ func main() {
 
 	// K8s
 	flag.BoolVar(&flags.probe.kubernetesEnabled, "probe.kubernetes", false, "collect kubernetes-related attributes for containers, should only be enabled on the master node")
-	flag.StringVar(&flags.probe.kubernetesAPI, "probe.kubernetes.api", "", "Address of kubernetes master api")
-	flag.DurationVar(&flags.probe.kubernetesInterval, "probe.kubernetes.interval", 10*time.Second, "how often to do a full resync of the kubernetes data")
+	flag.DurationVar(&flags.probe.kubernetesConfig.Interval, "probe.kubernetes.interval", 10*time.Second, "how often to do a full resync of the kubernetes data")
+	flag.StringVar(&flags.probe.kubernetesConfig.Server, "probe.kubernetes.api", "", "The address and port of the Kubernetes API server (deprecated in favor of equivalent probe.kubernetes.server)")
+	flag.StringVar(&flags.probe.kubernetesConfig.CertificateAuthority, "probe.kubernetes.certificate-authority", "", "Path to a cert. file for the certificate authority")
+	flag.StringVar(&flags.probe.kubernetesConfig.ClientCertificate, "probe.kubernetes.client-certificate", "", "Path to a client certificate file for TLS")
+	flag.StringVar(&flags.probe.kubernetesConfig.ClientKey, "probe.kubernetes.client-key", "", "Path to a client key file for TLS")
+	flag.StringVar(&flags.probe.kubernetesConfig.Cluster, "probe.kubernetes.cluster", "", "The name of the kubeconfig cluster to use")
+	flag.StringVar(&flags.probe.kubernetesConfig.Context, "probe.kubernetes.context", "", "The name of the kubeconfig context to use")
+	flag.BoolVar(&flags.probe.kubernetesConfig.Insecure, "probe.kubernetes.insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	flag.StringVar(&flags.probe.kubernetesConfig.Kubeconfig, "probe.kubernetes.kubeconfig", "", "Path to the kubeconfig file to use")
+	flag.StringVar(&flags.probe.kubernetesConfig.Password, kubernetesPasswordFlag, "", "Password for basic authentication to the API server")
+	flag.StringVar(&flags.probe.kubernetesConfig.Server, "probe.kubernetes.server", "", "The address and port of the Kubernetes API server")
+	flag.StringVar(&flags.probe.kubernetesConfig.Token, kubernetesTokenFlag, "", "Bearer token for authentication to the API server")
+	flag.StringVar(&flags.probe.kubernetesConfig.User, "probe.kubernetes.user", "", "The name of the kubeconfig user to use")
+	flag.StringVar(&flags.probe.kubernetesConfig.Username, "probe.kubernetes.username", "", "Username for basic authentication to the API server")
 
 	// Weave
 	flag.StringVar(&flags.probe.weaveAddr, "probe.weave.addr", "127.0.0.1:6784", "IP address & port of the Weave router")

prog/probe.go

@@ -88,7 +88,6 @@ func probeMain(flags probeFlags) {
 		hostID   = hostName // TODO(pb): we should sanitize the hostname
 	)
 	log.Infof("probe starting, version %s, ID %s", version, probeID)
-	log.Infof("command line: %v", os.Args)
 	checkpointFlags := map[string]string{}
 	if flags.kubernetesEnabled {
 		checkpointFlags["kubernetes_enabled"] = "true"
@@ -169,15 +168,15 @@ func probeMain(flags probeFlags) {
 	}
 
 	if flags.kubernetesEnabled {
-		if client, err := kubernetes.NewClient(flags.kubernetesAPI, flags.kubernetesInterval); err == nil {
+		if client, err := kubernetes.NewClient(flags.kubernetesConfig); err == nil {
 			defer client.Stop()
 			reporter := kubernetes.NewReporter(client, clients, probeID, hostID, p)
 			defer reporter.Stop()
 			p.AddReporter(reporter)
 			p.AddTagger(reporter)
 		} else {
 			log.Errorf("Kubernetes: failed to start client: %v", err)
-			log.Errorf("Kubernetes: make sure to run Scope inside a POD with a service account or provide a valid kubernetes.api url")
+			log.Errorf("Kubernetes: make sure to run Scope inside a POD with a service account or provide valid probe.kubernetes.* flags")
 		}
 	}