Support providing username in akcess allow command (#17)

* Support to provide username to `allow access` command

* Update readme for username support

README.md

@@ -100,6 +100,12 @@ mv akcess /usr/local/bin
 » akcess allow --verb list --resource pods
 ```
 
+- Allow access to get pods from `default` namespace and username `test`
+
+```
+» akcess allow --verb list --resource pods --username test
+```
+
 - Allow access to see logs of pod with name `nginx` in `test` namespace
 
 ```

cmd/root.go

@@ -77,6 +77,7 @@ func init() {
 	allowCmd.Flags().StringSliceVarP(&options.ResourceNames, "resource-name", "", []string{}, "Resource names to allow access on, they are not validated to be present on the cluster")
 	allowCmd.Flags().Int32VarP(&options.ValidFor, "for", "f", 86400, "Duration the access will be allowed for (in minutes), for example --for 10. Defaults to 1 day")
 	allowCmd.Flags().StringArrayVarP(&options.Labels, "labels", "l", []string{}, "Labels of the resources the specified access should be allowed on. For example, if you want to allow access to see logs of a set of pods that have same labels, instead of specifying all those pods separately using --resource-name field we can just specify label that is common among those resources")
+	allowCmd.Flags().StringVarP(&options.Username, "username", "u", "", "Username to be used in KubeConfig file")
 	// required flags for allow command
 	allowCmd.MarkFlagRequired("resource")
 	allowCmd.MarkFlagRequired("verb")

pkg/allow/allow.go

@@ -20,7 +20,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	apirand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -46,17 +45,18 @@ type AllowOptions struct {
 	SubResourcePresent bool
 	Mapper             meta.RESTMapper
 	Clients            kube.Client
+	Username           string
 }
 
 func Access(o *AllowOptions, id uuid.UUID) ([]byte, error) {
-	commonName := fmt.Sprintf("%s-%s", utils.Name, apirand.String(5))
+	username := utils.Username(o.Username)
 
 	key, err := privateKey()
 	if err != nil {
 		return nil, errors.Wrap(err, "Getting private key")
 	}
 
-	csr, err := csrForPrivateKey(key, commonName)
+	csr, err := csrForPrivateKey(key, username)
 	if err != nil {
 		return nil, errors.Wrap(err, "Generating CSR for private key")
 	}
@@ -122,7 +122,7 @@ func Access(o *AllowOptions, id uuid.UUID) ([]byte, error) {
 	}
 
 	// role binding
-	rb := kube.RoleBindingObject(roleObj.Name, commonName, o.Namespace, id)
+	rb := kube.RoleBindingObject(roleObj.Name, username, o.Namespace, id)
 	_, err = o.Clients.CreateRoleBinding(rb)
 	if err != nil {
 		return nil, errors.Wrap(err, "Creating rolebinding object")
@@ -135,7 +135,7 @@ func Access(o *AllowOptions, id uuid.UUID) ([]byte, error) {
 	}
 
 	// Generate KubeConfig file
-	return outputKubeConfig(clientconfig, key, csrOp.Status.Certificate, commonName)
+	return outputKubeConfig(clientconfig, key, csrOp.Status.Certificate, username)
 }
 
 func privateKey() (*rsa.PrivateKey, error) {

pkg/utils/util.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	apirand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -215,3 +216,10 @@ func FilePath() (string, string) {
 	}
 	return fmt.Sprintf("%s/.%s/config", fileRoot, Name), fileRoot
 }
+
+func Username(u string) string {
+	if u == "" {
+		return fmt.Sprintf("%s-%s", Name, apirand.String(5))
+	}
+	return u
+}