Use the apiversion from KUBERNETES_EXEC_INFO

cmd/aws-iam-authenticator/verify.go

@@ -21,9 +21,11 @@ import (
 	"fmt"
 	"os"
 
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 
 	"github.com/aws/aws-sdk-go/aws/endpoints"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -70,6 +72,7 @@ var verifyCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(verifyCmd)
+	metrics.InitMetrics(prometheus.DefaultRegisterer)
 	verifyCmd.Flags().StringP("token", "t", "", "Token to verify")
 	verifyCmd.Flags().StringP("output", "o", "", "Output format. Only `json` is supported currently.")
 	viper.BindPFlag("token", verifyCmd.Flags().Lookup("token"))

pkg/token/token.go

@@ -38,6 +38,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/sts/stsiface"
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/pkg/apis/clientauthentication"
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"sigs.k8s.io/aws-iam-authenticator/pkg"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
@@ -89,7 +90,9 @@ const (
 	clusterIDHeader        = "x-k8s-aws-id"
 	// Format of the X-Amz-Date header used for expiration
 	// https://golang.org/pkg/time/#pkg-constants
-	dateHeaderFormat = "20060102T150405Z"
+	dateHeaderFormat   = "20060102T150405Z"
+	kindExecCredential = "ExecCredential"
+	execInfoEnvKey     = "KUBERNETES_EXEC_INFO"
 )
 
 // Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.
@@ -338,11 +341,20 @@ func (g generator) GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token,
 
 // FormatJSON formats the json to support ExecCredential authentication
 func (g generator) FormatJSON(token Token) string {
+	apiVersion := clientauthv1beta1.SchemeGroupVersion.String()
+	env := os.Getenv(execInfoEnvKey)
+	if env != "" {
+		cred := &clientauthentication.ExecCredential{}
+		if err := json.Unmarshal([]byte(env), cred); err == nil {
+			apiVersion = cred.APIVersion
+		}
+	}
+
 	expirationTimestamp := metav1.NewTime(token.Expiration)
 	execInput := &clientauthv1beta1.ExecCredential{
 		TypeMeta: metav1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
+			APIVersion: apiVersion,
+			Kind:       kindExecCredential,
 		},
 		Status: &clientauthv1beta1.ExecCredentialStatus{
 			ExpirationTimestamp: &expirationTimestamp,

pkg/token/token_test.go

@@ -10,11 +10,17 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/pkg/apis/clientauthentication"
+	clientauthv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
+	clientauthv1alpha1 "k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1"
+	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
@@ -318,3 +324,81 @@ func TestVerifyCanonicalARN(t *testing.T) {
 		t.Errorf("expected CannonicalARN to be %q but was %q", canonicalARN, identity.CanonicalARN)
 	}
 }
+
+func TestFormatJson(t *testing.T) {
+	cases := []struct {
+		Name             string
+		EnvKey           string
+		ExpectApiVersion string
+		IsMalformedEnv   bool
+	}{
+		{
+			Name:             "Default",
+			ExpectApiVersion: clientauthv1beta1.SchemeGroupVersion.String(),
+		},
+		{
+			Name:             "Malformed KUBERNETES_EXEC_INFO",
+			EnvKey:           "KUBERNETES_EXEC_INFO",
+			IsMalformedEnv:   true,
+			ExpectApiVersion: clientauthv1beta1.SchemeGroupVersion.String(),
+		},
+		{
+			Name:             "KUBERNETES_EXEC_INFO with v1beta1",
+			EnvKey:           "KUBERNETES_EXEC_INFO",
+			ExpectApiVersion: clientauthv1beta1.SchemeGroupVersion.String(),
+		},
+		{
+			Name:             "KUBERNETES_EXEC_INFO with v1alpha1",
+			EnvKey:           "KUBERNETES_EXEC_INFO",
+			ExpectApiVersion: clientauthv1alpha1.SchemeGroupVersion.String(),
+		},
+		{
+			Name:             "KUBERNETES_EXEC_INFO with v1",
+			EnvKey:           "KUBERNETES_EXEC_INFO",
+			ExpectApiVersion: clientauthv1.SchemeGroupVersion.String(),
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.Name, func(t *testing.T) {
+			expiry, _ := time.Parse(time.RFC3339, "2012-11-01T22:08:41+00:00")
+			token := "token"
+			g, _ := NewGenerator(true, true)
+
+			if c.EnvKey != "" {
+				marshal := make([]byte, 0)
+				if !c.IsMalformedEnv {
+					marshal, _ = json.Marshal(clientauthentication.ExecCredential{
+						TypeMeta: v1.TypeMeta{
+							Kind:       "ExecCredential",
+							APIVersion: c.ExpectApiVersion,
+						},
+					})
+				}
+
+				os.Setenv(c.EnvKey, string(marshal))
+			}
+
+			jsonResponse := g.FormatJSON(Token{Token: token, Expiration: expiry})
+			output := &clientauthentication.ExecCredential{}
+			json.Unmarshal([]byte(jsonResponse), output)
+
+			if output.TypeMeta.Kind != kindExecCredential {
+				t.Errorf("expected Kind to be %s but was %s", kindExecCredential, output.TypeMeta.Kind)
+			}
+
+			if output.TypeMeta.APIVersion != c.ExpectApiVersion {
+				t.Errorf("expected APIVersion to be %s but was %s", c.ExpectApiVersion, output.TypeMeta.APIVersion)
+			}
+
+			if output.Status.Token != token {
+				t.Errorf("expected token to be %s but was %s", token, output.Status.Token)
+			}
+
+			if !output.Status.ExpirationTimestamp.Time.Equal(expiry) {
+				t.Errorf("expected expiration to be %s but was %s", expiry, output.Status.ExpirationTimestamp)
+			}
+
+			os.Unsetenv(c.EnvKey)
+		})
+	}
+}

vendor/modules.txt

@@ -506,6 +506,7 @@ k8s.io/client-go/rest/fake
 k8s.io/client-go/rest/watch
 k8s.io/client-go/testing
 k8s.io/client-go/tools/auth
+k8s.io/client-go/tools/auth/exec
 k8s.io/client-go/tools/cache
 k8s.io/client-go/tools/clientcmd
 k8s.io/client-go/tools/clientcmd/api