Kubectl: Allow [kubectl config set-cluster] to specify certificate-authority data in command.

Totally agree! As a workaround, there is a somewhat non-obvious way to do it already:
kubectl config set clusters.<name-of-cluster>.certificate-authority-data $CADATA

Still think this should be a set-cluster operation, though.

/kind feature
/sig cli
/area kubectl
/priority P2

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

I'm also looking for this feature 👍

2019 and kubectl still wants the files physically on the disk. This is not automation friendly :-)

I would like to use this but also provide client key and client cert data from the command as well. This will make automating the creation on conf files easier without having to write and manage extra files on disk. Reason is we use an external certificate provider and can hold the data in member when generating the conf file if this was available.

The feature is there. Try this:

# Embed certificate authority data for the e2e cluster entry
 kubectl config set-cluster e2e --certificate-authority=~/.kube/e2e/kubernetes.ca.crt --embed-certs=true

So if you have your cluster certificate just as data (AWS EKS for example), just create temp file, put your data into it and run the set-cluster with --embed-certs=true flag.

In automation you always can create files with the following snippet:

cat > my_temp_cert.crt << EOL
DATA1234567890
EOL

@vgarmash-chewy we know about this, but this issue is exactly to not have to do what you described.

Feel free to read again the issue.

https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#define-clusters-users-and-contexts

Some times you may want to use base64 encoded data here instead of the path of the certification files, then you need add the suffix -data to the keys. For example, certificate-authority-data, client-certificate-data, client-key-data.

in kubectl v1.14.1 I get error: Unexpected args: for using certificate-authority-data.

Although it doesn't explicitly say it can be used with kubectl config set-cluster (and I suppose they mean doing so by writing to the file) I found it confusing.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/uninstall-fejta-bot now

/remove-lifecycle stale

If zsh is available it supports creating temporary files from a process' output using =(some command), in addition to the usual fifo version <(another command) supported by sh/bash/etc... so if you have zsh available this does work:

kubectl config set-cluster xyz --embed-certs --certificate-authority =(cat <<'EOF'
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
EOF
)

if kubectl was modified to work with fifos and not just files this would be much more portable.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

/remove-lifecycle stale

/assign

Totally agree! As a workaround, there is a somewhat non-obvious way to do it already:
kubectl config set clusters.<name-of-cluster>.certificate-authority-data $CADATA

Still think this should be a set-cluster operation, though.

Trying to cleanup the issue list.
Can this issue be closed?

This has been open for almost a couple of years and I don't think a change to set-cluster will occur since there is a pretty simple way to accomplish the same thing as you mentioned...

kubectl config set clusters.<name-of-cluster>.certificate-authority-data $CADATA

Unless there is a compelling reason, I would propose we just close this with the above statement noted as the recommended way to accomplish this if you really need to not write the data out to a temporary file.

@brianpursley the fix seems pretty small, assuming I'm reading the code right. I don't know go well enough to propose a solution. the CA file appears to be read twice, which doesn't work with a fifo.

run calls validate which reads the file once:

https://github.com/kubernetes/kubernetes/blob/bd6640a8e003059ee98f84e7378d97f8337c5e0b/staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go#L184

then calls modifyCluster which reads it again:

https://github.com/kubernetes/kubernetes/blob/bd6640a8e003059ee98f84e7378d97f8337c5e0b/staging/src/k8s.io/kubectl/pkg/cmd/config/create_cluster.go#L145

@NathanHowell OK, thanks for the explanation. I didn't realize there was an underlying issue with multiple reads which would affect fifo. I must have glossed over the point of your comment above, but I think I understand now.

Let me see if I can revisit the PR in a way that can fix the underlying issue...

The PR that was merged will allow you to use process substitution with the --certificate-authority command line option, so you will be able to do this:

kubectl config set-cluster xyz --embed-certs --certificate-authority <(echo $CACERT)

@brianpursley thanks for pushing this through

Great news, thank you very much !!

@brianpursley may we have the same for two other properties?

client-key-data

The following workaround works though

kubectl config set users.<user>.client-certificate-data $CLIENT_CERTIFICATE_DATA
kubectl config set users.<user>.client-key-data $CLIENT_KEY_DATA

@brianpursley may we have the same for two other properties?

client-key-data

@malferov The merged PR fixes those too. https://github.com/kubernetes/kubernetes/pull/91077/files#diff-e7b8759abac71d5e887c99a90de266c6L423-L431