p[SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK J r SSK J r SSK J r SS K Jr SS KJr SS KJr SS KJr S rSr"SS\ R,5r"SS\5rSrSrSrSrSrSr"SS\5rS(Sjr S)Sjr!Sr"Sr#S\#-r$S r%S*S!jr&S"r'S#r(S$\#-r)S%r*S&r+S'r,g)+z,Utilities for generating kubeconfig entries.)absolute_import)division)unicode_literalsN)config) exceptions)log)yaml)encoding)files) platformsa! Fetch credentials for a running {kind} cluster. This command updates a kubeconfig file with appropriate credentials and endpoint information to point kubectl at a specific {kind} cluster. By default, credentials are written to ``HOME/.kube/config''. You can provide an alternate path by setting the ``KUBECONFIG'' environment variable. If ``KUBECONFIG'' contains multiple paths, the first one is used. This command enables switching to a specific cluster, when working with multiple clusters. It can also be used to access a previously created cluster from a new workstation. The command will configure kubectl to automatically refresh its credentials using the same identity as the gcloud command-line tool. See [](https://cloud.google.com/kubernetes-engine/docs/kubectl) for kubectl documentation. z To get credentials of a cluster named ``my-cluster'' managed in location ``us-west1'', run: $ {command} my-cluster --location=us-west1 c\rSrSrSrSrg)Error8z>Class for errors raised by edgecontainer kubeconfig utilities.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__rAlib/googlecloudsdk/command_lib/edge_cloud/container/kubeconfig.pyrr8sFrrc\rSrSrSrSrg)MissingEnvVarError<zDAn exception raised when required environment variables are missing.rNrrrrrr<sLrrc&SnURXUS9$)aGenerates a kubeconfig context for a Edge Container cluster. Args: project_id: str, project ID associated with the cluster. location: str, Google location of the cluster. cluster_id: str, ID of the cluster. Returns: The context for the kubeconfig entry. z2edgecontainer_{project_id}_{location}_{cluster_id}) project_idlocation cluster_id)format)rrr templates rGenerateContextr#@s'B( :  GGrcbSnURURcSOURS-UUUS9$)aLGenerates command arguments for kubeconfig's authorization provider. Args: track: ReleaseTrack of gcloud command. cluster_id: str, ID of the cluster. project_id: str, ID of the project of the cluster. location: str, Google location of the cluster. Returns: The command arguments for kubeconfig's authorization provider. zr{prefix}edge-cloud container clusters print-access-token {cluster_id} --project={project_id} --location={location} )prefixr rr)r!r')trackr rrr"s rGenerateAuthProviderCmdArgsr)PsEB  <<'RU\\C-?  rcSSUSUSU/$)z(Returns exec auth provider command args.z--use_edge_cloudz --projectz --locationz --clusterr)r rrs rGenerateExecAuthCmdArgsr+hs# rc t[R5n[5n[XU5URU'USR [XU55 0nUR c[R"S5 O[UR 5US'URc[R"S5 O[UR5US'[U40UD6nUSS XcRU'US R U5 [US S 5nUcS n0nURc[R"S 5 O[UR5US '[!USR#UR$U540UD6UR&U'USR [!USR#UR$U540UD65 UR)U5 XS'[*R,"U[.R05 UR35 [R4R7SR#U55 g)a<Generates a kubeconfig entry based on offline credential for a Edge Container cluster. Args: cluster: object, Edge Container cluster. context: str, context for the kubeconfig entry. credential_resp: Response from GetOfflineCredential API. Raises: Error: don't have the permission to open kubeconfig file contextsNz)Offline credential is missing client key.key_dataz1Offline credential is missing client certificate. cert_datauserexecusersporti.Cluster is missing certificate authority data.ca_data https://{}:{}clusterscurrent-contextNA new kubeconfig entry "{}" has been generated and set as the current context.) KubeconfigDefaultEmptyKubeconfigContextr-append clientKeyrerror_GetPemDataForKubeconfigclientCertificateUserr2getattrclusterCaCertificatewarningClusterr!endpointr7SetCurrentContextr dumpsysstderr SaveToFilestatusPrint) clustercontextcredential_resp kubeconfigkubeconfig_for_output user_kwargsr0r3cluster_kwargss r&GenerateKubeconfigForOfflineCredentialrWvs!!#*)+!(7!C*g #**77W+MN+&II9:6!!K &&.IIAB7)) K  g % %$ 6l6"7 ''- &# &$ \ D. !!)KK@A 8$$!N9") %%g&6&6="AO"*g #**   !1!14 8  w'-4)*)) !3::. **rcJ[R5n[XU5URU'SUUSSUS.n[ U40UD6nXuR U'0nUR c[R"S5 O[UR 5US'[USS 5n U cS n [US RURU 540UD6URU'URU5 UR!5 [R"R%S RU55 g) aGenerates a kubeconfig entry for a Edge Container cluster. Args: cluster: object, Edge Container cluster. context: str, context for the kubeconfig entry. cmd_path: str, authentication provider command path. cmd_args: str, authentication provider command arguments. exec_args: str, exec auth command arguments. Raises: Error: don't have the permission to open kubeconfig file gcpz {.expireTime}z{.accessToken}) auth_providerauth_provider_cmd_pathauth_provider_cmd_argsauth_provider_expiry_keyauth_provider_token_keyexec_auth_argsNr4r5r3i+r6r9)r:r;r=r-rCr2rErrFrArDrGr!rHr7rIrMrNrO) rPrQcmd_pathcmd_args exec_argsrSrUr0rVr3s rGenerateKubeconfigrcs"!!#*!(7!C*g ( ("1!1! + g % %$"7. !!)KK@A 8$$!N9 &$ '$ \ D!( %%g&6&6="QAO"Q*g w' ***rcj[R"URS55RS5$)Nzutf-8)base64 b64encodeencodedecode)pems rrArAs)   #**W- . 5 5g >>rc\rSrSrSrSr\S5r\S5rSr Sr Sr \ S 5r \ S 5r\ S 5r\ S 5r\S 5rSrSrg)r:z1Interface for interacting with a kubeconfig file.c0X lXl0Ul0Ul0UlURSHnX0RUS'M URSHnX@RUS'M URSHnXPRUS'M g)Nr7namer2r-) _filename_datar7r2r-)selfraw_datafilenamerPr0rQs r__init__Kubeconfig.__init__sNJDMDJDM::j)'.mmGFO$* 7#!%jjf$::j)'.mmGFO$*rc URS$Nr8rorps rcurrent_contextKubeconfig.current_contexts ::' ((rcUR$N)rnrxs rrrKubeconfig.filenames >>rc URRUS5 URRUS5 URRUS5 URR S5U:XaSURS'gg)Nr8r%)r-popr7r2roget)rpkeys rClearKubeconfig.ClearsfMMc4 MMc4 JJNN3 zz~~'(C/&(djj"#0rc[URR55URS'[URR55URS'[UR R55URS'[ R"URSS9n[R"URU5 SSS5 g!,(df  g=f)z^Save kubeconfig to file. Raises: Error: don't have the permission to open kubeconfig file. r7r2r-T)privateN) listr7valuesror2r- file_utils FileWriterrnr rJ)rpfps rrMKubeconfig.SaveToFile s "$--"6"6"89DJJztzz0023DJJw!$--"6"6"89DJJz   t~~t < ii B = < 2#$)T**188idi*+ +3 > .55e< ==>sA*A B'BBc[R"U5nUR U5 U"X!5$![Ra)n[SRXR55eSnAff=f)Nz&unable to load kubeconfig for {0}: {1})r load_pathrr! inner_errorr)rrrrr@s r LoadFromFileKubeconfig.LoadFromFile(sh( ^^H %dMM$ t  ::( :AA %%' (((s1A.$A))A.cVURU5$![[4an[R"SR X!55 [ R"[RRU55 U"[5U5nUR5 UsSnA$SnAff=f)zARead in the kubeconfig, and if it doesn't exist create one there.z6unable to load default kubeconfig: {0}; recreating {1}N) rrIOErrorrdebugr!rMakeDirospathdirnamer<rM)rrrr@rSs r LoadOrCreateKubeconfig.LoadOrCreate2s   h '' 7  iiHOO 23((3j  sB(A:B#B(#B(cHUR[R55$r|)rr: DefaultPath)rs rr;Kubeconfig.Default?s   J224 55rc[R"[RS5nU(aAUR [R 5Sn[R RU5$[R"[RS5nU(d[RR5(a[R"[RS5n[R"[RS5nU(a&U(a[R RX#5nU(d%[R"[RS5nU(dC[SR[RR5(aSS 95eSS 95e[R RUS S 5$) z(Return default path for kubeconfig file. KUBECONFIGrHOME HOMEDRIVEHOMEPATH USERPROFILEzVenvironment variable {vars} or KUBECONFIG must be set to store credentials for kubectlz&HOMEDRIVE/HOMEPATH, USERPROFILE, HOME,)varsz.kuber)r GetEncodedValuerenvironsplitpathseprabspathr OperatingSystem IsWindowsjoinrr!)rShome_dir home_drive home_paths rrKubeconfig.DefaultPathCsA))"**lCJ##BJJ/2j WW__Z (('' F;H  11;;==++BJJ Dj**2::zBi  77<< 6 ++BJJ F   $$*F?Hyy{@+;%+%8 9917%+%8 99 77<<'8 44rc^URUR=(d UR5 [[URR 55[URR 55-5Ul[[UR R 55[UR R 55-5Ul[[URR 55[URR 55-5Ulg)zMerge another kubeconfig into self. In case of overlapping keys, the value in self is kept and the value in the other kubeconfig is lost. Args: kubeconfig: a Kubeconfig instance N)rIrydictrr7itemsr2r-)rprSs rMergeKubeconfig.Merge^s 4//M:3M3MN Z & & ()D1D1D1F,GGIDMd:++1134tDJJ >  66554Irr:c~SU0nU(aU(a [S5eU(aX$S'OU(aX4S'OSUS'XS.$)z0Generate and return a cluster kubeconfig object.serverz'cannot specify both ca_path and ca_datazcertificate-authorityzcertificate-authority-dataTzinsecure-skip-tls-verify)rmrP)r)rmrca_pathr5rPs rrGrGosO '  9 :: '. #$,3 ()*.G &' ++rc U(d'U(aU(dU(aU (d [S5e0n [5(a[U 5U S'O3U(a,U(dU(dU(dU(a[UUUUUS9U S'U(aU(a [S5eU(aXkS'O U(aX{S'U(aU (a [S5eU(aXS 'O U (aXS 'X S .$) a&Generates and returns a user kubeconfig object. Args: name: str, nickname for this user entry. auth_provider: str, authentication provider. auth_provider_cmd_path: str, authentication provider command path. auth_provider_cmd_args: str, authentication provider command args. auth_provider_expiry_key: str, authentication provider expiry key. auth_provider_token_key: str, authentication provider token key. cert_path: str, path to client certificate file. cert_data: str, base64 encoded client certificate data. key_path: str, path to client key file. key_data: str, base64 encoded client key data. exec_auth_args: list, exec auth provider command arguments. Returns: dict, valid kubeconfig user entry. Raises: Error: if no auth info is provided (auth_provider or cert AND key) z3either auth_provider or cert & key must be providedr1)rmr`ra expiry_key token_keyz auth-providerz+cannot specify both cert_path and cert_datazclient-certificatezclient-certificate-dataz)cannot specify both key_path and key_dataz client-keyzclient-key-data)rmr0)r _UseExecAuth_ExecAuthPlugin _AuthProvider) rmrZr[r\r]r^ cert_pathr/key_pathr.r_r0s rrCrCsB I(  E FF $^^">2DL  ! # ",))-+ d?9 = >>!* &/ "# ( ; << !&  %%rzPath to sdk installation not found. Please check your installation or use the `--auth-provider-cmd-path` flag to provide the path to gcloud manually.zInstall gke-gcloud-auth-plugin for use with kubectl by following https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke z{ACTION REQUIRED: gke-gcloud-auth-plugin, which is needed for continued use of kubectl, was not found or is not executable. c2[5nUUS[SS.nU$)aGenerate and return an exec auth plugin config. Args: exec_auth_args: list, exec auth provider command arguments. Constructs an exec auth plugin config entry readable by kubectl. This tells kubectl to call out to gke-gcloud-auth-plugin and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes GKE Auth Provider plugin is defined at https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins GKE GCloud Exec Auth Plugin code is at https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-gcloud-auth-plugin Returns: dict, valid exec auth plugin config entry. z$client.authentication.k8s.io/v1beta1T)commandargs apiVersion installHintprovideClusterInfo))_GetGkeGcloudPluginCommandAndPrintWarningGKE_GCLOUD_AUTH_INSTALL_HINT)r_rexec_cfgs rrrs+( 6 7':1 ( /rcZSU0nUS:XaSn[RR5(aSnUcP[R"5R nUc[ [5e[RRXv5nUU(aUOSU(aUOSU(aUOSS.nXS 'U$) aGenerates and returns an auth provider config. Constructs an auth provider config entry readable by kubectl. This tells kubectl to call out to a specific gcloud command and parse the output to retrieve access tokens to authenticate to the kubernetes master. Kubernetes gcp auth provider plugin at https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp Args: name: auth provider name cmd_path: str, authentication provider command path. cmd_args: str, authentication provider command arguments. expiry_key: str, authentication provider expiry key. token_key: str, authentication provider token key. Returns: dict, valid auth provider config entry. Raises: Error: Path to sdk installation not found. Please switch to application default credentials using one of $ gcloud config set container/use_application_default_credentials true $ export CLOUDSDK_CONTAINER_USE_APPLICATION_DEFAULT_CREDENTIALS=true. rmrYgcloudz gcloud.cmdz"config config-helper --format=jsonz{.credential.access_token}z{.credential.token_expiry})zcmd-pathzcmd-argsz token-keyz expiry-keyr) r rrrPaths sdk_bin_pathrSDK_BIN_PATH_NOT_FOUNDrrr) rmr`rarrproviderbin_namercfgs rrrs:d^( U]H  **,,h\\^00l  *++l5h !H&J#I(D%J*F C$X /rcSn[R"[RU5nUb\UR 5S:XagUR 5S:wa3[ R "SRXR 555 g)z4Returns a bool noting if ExecAuth should be enabled.USE_GKE_GCLOUD_AUTH_PLUGINfalseFtruez.Ignoring unsupported env value found for {}={}T)r rrrlowerrrFr!)env_flaguse_gke_gcloud_auth_plugins rrr9sv )('77 HM +!'')W4  # ) ) +v 5 kk : A A88:  rc Sn[RR5(aSnUn[R"US/SS[R [R S9 [ U5 U$![a [R"5RnUc[R"[5 O[RR!X!5n[R"US/SS[R [R S9 UnU$![a [R"[5 U$f=fU$f=f)zGets Gke Gcloud Plugin Command to be used. Returns Gke Gcloud Plugin Command to be used. Also, prints warning if plugin is not present or doesn't work correctly. Returns: string, Gke Gcloud Plugin Command to be used. zgke-gcloud-auth-pluginzgke-gcloud-auth-plugin.exez --versionF)timeoutcheckstdoutrL)r rr subprocessrunDEVNULL_ValidateGkeGcloudPluginVersion Exceptionrrrrcritical GKE_GCLOUD_AUTH_PLUGIN_NOT_FOUNDrrr)rrrsdk_path_bin_names rrrLs!&(((**+H '5NNG[)$,,$,, . $G,, .+ 55\\^00l   56GGLL?);7 "(00(00  2 $ . 5 ll34 .5 7 .+5s=AA.. E9>    & - -LL67..rcUUUS.S.$)z0Generate and return a context kubeconfig object.)rPr0)rmrQr)rmrPr0s rr=r=s rcS//SS0/S.$)Nv1r%Config)rr-r7r8kind preferencesr2rrrrr<r<s! r)NN) NNNNNNNNNN)rYNNNN)-r __future__rrrrerrrKgooglecloudsdk.corerrcore_exceptionsrr googlecloudsdk.core.utilr r rr COMMAND_DESCRIPTIONCOMMAND_EXAMPLErrr#r)r+rWrcrAobjectr:rGrCrrrrrrrrrr=r<rrrrs33&'  &=#$-8. GO ! !GMM G 0 =@,*^?IID ," $ $"&!%G&V # ; !! B! <~&,^+-IJ& 80 r