From d065c9820ce387a903933e990b8f43d2b6e0b099 Mon Sep 17 00:00:00 2001 From: Katherine Door Date: Fri, 31 May 2024 08:45:34 +0200 Subject: [PATCH] Add write-kubeconfig-group flag to server (#9233) * Add write-kubeconfig-group flag to server * update kubectl unable to read config message for kubeconfig mode/group Signed-off-by: Katherine Pata (cherry picked from commit 7a0ea3c9539c9ac8efb560de32395c9611db7969) Signed-off-by: Brad Davidson --- pkg/cli/cmds/server.go | 7 +++++++ pkg/cli/server/server.go | 1 + pkg/daemons/config/types.go | 1 + pkg/kubectl/main.go | 3 ++- pkg/server/server.go | 7 +++++++ pkg/util/file.go | 23 +++++++++++++++++++++++ 6 files changed, 41 insertions(+), 1 deletion(-) diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go index af23985ffe30..f6a09e1ef2bc 100644 --- a/pkg/cli/cmds/server.go +++ b/pkg/cli/cmds/server.go @@ -45,6 +45,7 @@ type Server struct { DisableAgent bool KubeConfigOutput string KubeConfigMode string + KubeConfigGroup string HelmJobImage string TLSSan cli.StringSlice TLSSanSecurity bool @@ -256,6 +257,12 @@ var ServerFlags = []cli.Flag{ Destination: &ServerConfig.KubeConfigMode, EnvVar: version.ProgramUpper + "_KUBECONFIG_MODE", }, + &cli.StringFlag{ + Name: "write-kubeconfig-group", + Usage: "(client) Write kubeconfig with this group", + Destination: &ServerConfig.KubeConfigGroup, + EnvVar: version.ProgramUpper + "_KUBECONFIG_GROUP", + }, &cli.StringFlag{ Name: "helm-job-image", Usage: "(helm) Default image to use for helm jobs", diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go index 2368bad3a454..b5a74a41ceb9 100644 --- a/pkg/cli/server/server.go +++ b/pkg/cli/server/server.go 
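Review bot: The `Usage` string of the new `write-kubeconfig-group` flag does not say which values are accepted, or that the group only gains access when the file mode carries a group-read bit. `SetFileGroupForPath` in pkg/util/file.go takes a numeric GID or a group name, and the `writeKubeConfig` context in pkg/server/server.go shows a fallback to `os.FileMode(0600)`, so the flag on its own appears to change group ownership without granting anyone read access. Something like `Usage: "(client) Write kubeconfig with this group (name or numeric GID); combine with --write-kubeconfig-mode, e.g. 640",` would make that explicit. The same applies to the kubectl message in pkg/kubectl/main.go, where `--write-kubeconfig-mode or --write-kubeconfig-group` reads as if either flag alone were sufficient.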
@@ -133,6 +133,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont serverConfig.ControlConfig.DataDir = cfg.DataDir serverConfig.ControlConfig.KubeConfigOutput = cfg.KubeConfigOutput serverConfig.ControlConfig.KubeConfigMode = cfg.KubeConfigMode + serverConfig.ControlConfig.KubeConfigGroup = cfg.KubeConfigGroup serverConfig.ControlConfig.HelmJobImage = cfg.HelmJobImage serverConfig.ControlConfig.Rootless = cfg.Rootless serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go index f77facb4d898..a2d8905e97bd 100644 --- a/pkg/daemons/config/types.go +++ b/pkg/daemons/config/types.go @@ -180,6 +180,7 @@ type Control struct { ServiceNodePortRange *utilnet.PortRange KubeConfigOutput string KubeConfigMode string + KubeConfigGroup string HelmJobImage string DataDir string KineTLS bool diff --git a/pkg/kubectl/main.go b/pkg/kubectl/main.go index f3d77f24a11d..dfcab9292dca 100644 --- a/pkg/kubectl/main.go +++ b/pkg/kubectl/main.go @@ -54,7 +54,8 @@ func checkReadConfigPermissions(configFile string) error { if err != nil { if os.IsPermission(err) { return fmt.Errorf("Unable to read %s, please start server "+ - "with --write-kubeconfig-mode to modify kube config permissions", configFile) + "with --write-kubeconfig-mode or --write-kubeconfig-group "+ + "to modify kube config permissions", configFile) } } file.Close() diff --git a/pkg/server/server.go b/pkg/server/server.go index a716039b56f0..29dc25fd285d 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go 
@@ -475,6 +475,13 @@ func writeKubeConfig(certs string, config *Config) error { util.SetFileModeForPath(kubeConfig, os.FileMode(0600)) } + if config.ControlConfig.KubeConfigGroup != "" { + err := util.SetFileGroupForPath(kubeConfig, config.ControlConfig.KubeConfigGroup) + if err != nil { + logrus.Errorf("Failed to set %s to group %s: %v", kubeConfig, config.ControlConfig.KubeConfigGroup, err) + } + } + if kubeConfigSymlink != kubeConfig { if err := writeConfigSymlink(kubeConfig, kubeConfigSymlink); err != nil { logrus.Errorf("Failed to write kubeconfig symlink: %v", err) diff --git a/pkg/util/file.go b/pkg/util/file.go index d584ec8105c0..6d1a05ca84ad 100644 --- a/pkg/util/file.go +++ b/pkg/util/file.go @@ -2,7 +2,9 @@ package util import ( "os" + "os/user" "path/filepath" + "strconv" "strings" "time" @@ -14,6 +16,27 @@ func SetFileModeForPath(name string, mode os.FileMode) error { return os.Chmod(name, mode) } +func SetFileGroupForPath(name string, group string) error { + // Try to use as group id + gid, err := strconv.Atoi(group) + if err == nil { + return os.Chown(name, -1, gid) + } + + // Otherwise, it must be a group name + g, err := user.LookupGroup(group) + if err != nil { + return err + } + + gid, err = strconv.Atoi(g.Gid) + if err != nil { + return err + } + + return os.Chown(name, -1, gid) +} + func SetFileModeForFile(file *os.File, mode os.FileMode) error { return file.Chmod(mode) }
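Review bot: The group is changed only after the mode has been applied (the `SetFileModeForPath` call visible just above the added block), and a failed `SetFileGroupForPath` is logged and otherwise ignored. With a mode such as 0640 and a mistyped group name, the kubeconfig ends up group-readable by whatever group already owned the file rather than by the intended one, and the server keeps starting. Moving the added block ahead of the mode handling closes the window between the two calls, and on failure the file could be forced back to owner-only with `util.SetFileModeForPath(kubeConfig, os.FileMode(0600))` after the `logrus.Errorf`. `writeKubeConfig` starts and ends outside this hunk, so the mode branch is inferred from the one context line shown.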
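Review bot: `strconv.Atoi(group)` in `SetFileGroupForPath` accepts negative numbers, and `os.Chown` treats a gid of -1 as "leave unchanged", so `--write-kubeconfig-group=-1` returns nil without touching the file. Tightening the first check to `if err == nil && gid >= 0 {` sends signed input to the name lookup, where it fails with an error the caller logs. The exported function also has no doc comment; `// SetFileGroupForPath sets the group of name to group, given as a numeric GID or a group name; the owner is left unchanged.` would state the contract, and it is worth adding that an all-digit value is always treated as a GID. `os.Chown` follows symlinks, so callers should only pass a path they have just written themselves.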