Remove -k flag and simplify

4 files changed, 25 insertions, 31 deletions

diff --git a/client/go/cmd/config.go b/client/go/cmd/config.go
index 447bad14444..417dfd77198 100644
--- a/client/go/cmd/config.go
+++ b/client/go/cmd/config.go
@@ -252,8 +252,18 @@ func (c *Config) x509KeyPair(app vespa.ApplicationID) (KeyPair, error) {
 	}, nil
 }
 
+func (c *Config) apiKeyFileFromEnv() (string, bool) {
+	override, ok := c.environment["VESPA_CLI_API_KEY_FILE"]
+	return override, ok
+}
+
+func (c *Config) apiKeyFromEnv() ([]byte, bool) {
+	override, ok := c.environment["VESPA_CLI_API_KEY"]
+	return []byte(override), ok
+}
+
 func (c *Config) apiKeyPath(tenantName string) string {
-	if override, ok := c.get(apiKeyFileFlag); ok {
+	if override, ok := c.apiKeyFileFromEnv(); ok {
 		return override
 	}
 	return filepath.Join(c.homeDir, tenantName+".api-key.pem")
@@ -264,26 +274,25 @@ func (c *Config) authConfigPath() string {
 }
 
 func (c *Config) readAPIKey(tenantName string) ([]byte, error) {
-	if override, ok := c.get(apiKeyFlag); ok {
-		return []byte(override), nil
+	if override, ok := c.apiKeyFromEnv(); ok {
+		return override, nil
 	}
 	return os.ReadFile(c.apiKeyPath(tenantName))
 }
 
 // useAPIKey returns true if an API key should be used when authenticating with system.
 func (c *Config) useAPIKey(cli *CLI, system vespa.System, tenantName string) bool {
-	if _, ok := c.get(apiKeyFlag); ok {
+	if _, ok := c.apiKeyFromEnv(); ok {
 		return true
 	}
-	if _, ok := c.get(apiKeyFileFlag); ok {
+	if _, ok := c.apiKeyFileFromEnv(); ok {
 		return true
 	}
-	// If no Auth0 token is created, fall back to tenant api key, but warn that this functionality is deprecated
-	// TODO: Remove this when users have had time to migrate over to Auth0 device flow authentication
 	if !cli.isCI() {
-		a, err := auth0.New(c.authConfigPath(), system.Name, system.URL)
-		if err != nil || !a.HasCredentials() {
-			cli.printWarning("Use of API key is deprecated", "Authenticate with Auth0 instead: 'vespa auth login'")
+		// Fall back to API key, if present and Auth0 has not been configured
+		client, err := auth0.New(c.authConfigPath(), system.Name, system.URL)
+		if err != nil || !client.HasCredentials() {
+			cli.printWarning("Regular authentication is preferred over API key in a non-CI context", "Authenticate with 'vespa auth login'")
 			return util.PathExists(c.apiKeyPath(tenantName))
 		}
 	}
@@ -387,9 +396,6 @@ func (c *Config) set(option, value string) error {
 			viper.Set(option, value)
 			return nil
 		}
-	case apiKeyFileFlag:
-		viper.Set(option, value)
-		return nil
 	}
 	return fmt.Errorf("invalid option or value: %q: %q", option, value)
 }
diff --git a/client/go/cmd/config_test.go b/client/go/cmd/config_test.go
index 0d47d170845..4fb9ac606cc 100644
--- a/client/go/cmd/config_test.go
+++ b/client/go/cmd/config_test.go
@@ -22,17 +22,12 @@ func TestConfig(t *testing.T) {
 	assertConfigCommand(t, "", "config", "set", "target", "http://127.0.0.1:8080")
 	assertConfigCommand(t, "", "config", "set", "target", "https://127.0.0.1")
 	assertConfigCommand(t, "target = https://127.0.0.1\n", "config", "get", "target")
-	assertEnvConfigCommand(t, "api-key-file = /tmp/private.key\n", []string{"VESPA_CLI_API_KEY_FILE=/tmp/private.key"}, "config", "get", "api-key-file")
-	assertConfigCommand(t, "", "config", "set", "api-key-file", "/tmp/private.key")
-	assertConfigCommand(t, "api-key-file = /tmp/private.key\n", "config", "get", "api-key-file")
 
 	assertConfigCommandErr(t, "Error: invalid application: \"foo\"\n", "config", "set", "application", "foo")
 	assertConfigCommand(t, "application = <unset>\n", "config", "get", "application")
 	assertConfigCommand(t, "", "config", "set", "application", "t1.a1.i1")
 	assertConfigCommand(t, "application = t1.a1.i1\n", "config", "get", "application")
 
-	assertConfigCommand(t, "api-key-file = /tmp/private.key\napplication = t1.a1.i1\ncolor = auto\ninstance = <unset>\nquiet = false\ntarget = https://127.0.0.1\nwait = 0\nzone = <unset>\n", "config", "get")
-
 	assertConfigCommand(t, "", "config", "set", "wait", "60")
 	assertConfigCommandErr(t, "Error: wait option must be an integer >= 0, got \"foo\"\n", "config", "set", "wait", "foo")
 	assertConfigCommand(t, "wait = 60\n", "config", "get", "wait")
@@ -67,17 +62,15 @@ func assertConfigCommandErr(t *testing.T, expected string, args ...string) {
 
 func TestUseAPIKey(t *testing.T) {
 	cli, _, _ := newTestCLI(t)
-
 	assert.False(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
 
-	cli.config.set(apiKeyFileFlag, "/tmp/foo")
+	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY_FILE=/tmp/foo")
 	assert.True(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
-	cli.config.set(apiKeyFileFlag, "")
 
 	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY=foo")
 	assert.True(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
 
-	// Test deprecated functionality
+	// Prefer Auth0, if configured
 	authContent := `
 {
     "version": 1,
diff --git a/client/go/cmd/prod_test.go b/client/go/cmd/prod_test.go
index 30c801c5612..9ccc39e02a1 100644
--- a/client/go/cmd/prod_test.go
+++ b/client/go/cmd/prod_test.go
@@ -184,7 +184,8 @@ func TestProdSubmit(t *testing.T) {
 	}
 
 	stdout.Reset()
-	assert.Nil(t, cli.Run("prod", "submit", "-k", filepath.Join(cli.config.homeDir, "t1.api-key.pem")))
+	cli.Environment["VESPA_CLI_API_KEY_FILE"] = filepath.Join(cli.config.homeDir, "t1.api-key.pem")
+	assert.Nil(t, cli.Run("prod", "submit"))
 	assert.Contains(t, stdout.String(), "Success: Submitted")
 	assert.Contains(t, stdout.String(), "See https://console.vespa-cloud.com/tenant/t1/application/a1/prod/deployment for deployment progress")
 }
@@ -210,7 +211,8 @@ func TestProdSubmitWithJava(t *testing.T) {
 	copyFile(t, filepath.Join(pkgDir, "target", "application-test.zip"), testZipFile)
 
 	stdout.Reset()
-	assert.Nil(t, cli.Run("prod", "submit", "-k", filepath.Join(cli.config.homeDir, "t1.api-key.pem"), pkgDir))
+	cli.Environment["VESPA_CLI_API_KEY_FILE"] = filepath.Join(cli.config.homeDir, "t1.api-key.pem")
+	assert.Nil(t, cli.Run("prod", "submit", pkgDir))
 	assert.Contains(t, stdout.String(), "Success: Submitted")
 	assert.Contains(t, stdout.String(), "See https://console.vespa-cloud.com/tenant/t1/application/a1/prod/deployment for deployment progress")
 }
diff --git a/client/go/cmd/root.go b/client/go/cmd/root.go
index 452b1f30834..92ff98d8756 100644
--- a/client/go/cmd/root.go
+++ b/client/go/cmd/root.go
@@ -33,8 +33,6 @@ const (
 	waitFlag        = "wait"
 	colorFlag       = "color"
 	quietFlag       = "quiet"
-	apiKeyFileFlag  = "api-key-file"
-	apiKeyFlag      = "api-key"
 )
 
 // CLI holds the Vespa CLI command tree, configuration and dependencies.
@@ -65,7 +63,6 @@ type Flags struct {
 	waitSecs    int
 	color       string
 	quiet       bool
-	apiKeyFile  string
 }
 
 // ErrCLI is an error returned to the user. It wraps an exit status, a regular error and optional hints for resolving
@@ -158,9 +155,6 @@ func (c *CLI) loadConfig() error {
 	bindings.bindFlag(waitFlag, c.cmd)
 	bindings.bindFlag(colorFlag, c.cmd)
 	bindings.bindFlag(quietFlag, c.cmd)
-	bindings.bindFlag(apiKeyFileFlag, c.cmd)
-	bindings.bindEnvironment(apiKeyFlag, "VESPA_CLI_API_KEY") // not bound to a flag because we don't want secrets in argv
-	bindings.bindEnvironment(apiKeyFileFlag, "VESPA_CLI_API_KEY_FILE")
 	config, err := loadConfig(c.Environment, bindings)
 	if err != nil {
 		return err
@@ -206,7 +200,6 @@ func (c *CLI) configureFlags() {
 	c.cmd.PersistentFlags().IntVarP(&flags.waitSecs, waitFlag, "w", 0, "Number of seconds to wait for a service to become ready")
 	c.cmd.PersistentFlags().StringVarP(&flags.color, colorFlag, "c", "auto", "Whether to use colors in output.")
 	c.cmd.PersistentFlags().BoolVarP(&flags.quiet, quietFlag, "q", false, "Quiet mode. Only errors will be printed")
-	c.cmd.PersistentFlags().StringVarP(&flags.apiKeyFile, apiKeyFileFlag, "k", "", "Path to API key used for cloud authentication")
 	c.flags = &flags
 }