Add flags to control kubeconfig support

Two new flags were added to allow users to enable the
use of user.Exec and InsecureTLS in the kubeconfigs
provided remote apply reconciliations.

Breaking change: both functionalities are no longer
enabled by default.

Signed-off-by: Paulo Gomes <[email protected]>

controllers/kustomization_controller.go

@@ -57,6 +57,7 @@ import (
 	apiacl "github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/acl"
+	runtimeClient "github.com/fluxcd/pkg/runtime/client"
 	"github.com/fluxcd/pkg/runtime/events"
 	"github.com/fluxcd/pkg/runtime/metrics"
 	"github.com/fluxcd/pkg/runtime/predicates"
@@ -88,6 +89,7 @@ type KustomizationReconciler struct {
 	statusManager         string
 	NoCrossNamespaceRefs  bool
 	DefaultServiceAccount string
+	KubeConfigOpts        runtimeClient.KubeConfigOptions
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -343,7 +345,7 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// setup the Kubernetes client for impersonation
-	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+	impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
 	kubeClient, statusPoller, err := impersonation.GetClient(ctx)
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
@@ -926,7 +928,7 @@ func (r *KustomizationReconciler) finalize(ctx context.Context, kustomization ku
 		kustomization.Status.Inventory.Entries != nil {
 		objects, _ := ListObjectsInInventory(kustomization.Status.Inventory)
 
-		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount)
+		impersonation := NewKustomizeImpersonation(kustomization, r.Client, r.StatusPoller, r.DefaultServiceAccount, r.KubeConfigOpts)
 		if impersonation.CanFinalize(ctx) {
 			kubeClient, _, err := impersonation.GetClient(ctx)
 			if err != nil {

controllers/kustomization_impersonation.go

@@ -31,6 +31,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+
+	runtimeClient "github.com/fluxcd/pkg/runtime/client"
 )
 
 // KustomizeImpersonation holds the state for impersonating a service account.
@@ -39,19 +41,22 @@ type KustomizeImpersonation struct {
 	kustomization         kustomizev1.Kustomization
 	statusPoller          *polling.StatusPoller
 	defaultServiceAccount string
+	kubeConfigOpts        runtimeClient.KubeConfigOptions
 }
 
 // NewKustomizeImpersonation creates a new KustomizeImpersonation.
 func NewKustomizeImpersonation(
 	kustomization kustomizev1.Kustomization,
 	kubeClient client.Client,
 	statusPoller *polling.StatusPoller,
-	defaultServiceAccount string) *KustomizeImpersonation {
+	defaultServiceAccount string,
+	kubeConfigOpts runtimeClient.KubeConfigOptions) *KustomizeImpersonation {
 	return &KustomizeImpersonation{
 		defaultServiceAccount: defaultServiceAccount,
 		kustomization:         kustomization,
 		statusPoller:          statusPoller,
 		Client:                kubeClient,
+		kubeConfigOpts:        kubeConfigOpts,
 	}
 }
 
@@ -141,6 +146,8 @@ func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (clie
 	if err != nil {
 		return nil, nil, err
 	}
+
+	restConfig = runtimeClient.KubeConfig(restConfig, ki.kubeConfigOpts)
 	ki.setImpersonationConfig(restConfig)
 
 	restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.2
 	github.com/fluxcd/pkg/apis/meta v0.12.1
-	github.com/fluxcd/pkg/runtime v0.13.2
+	github.com/fluxcd/pkg/runtime v0.13.3
 	github.com/fluxcd/pkg/ssa v0.15.1
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0