Add auth top-level command

7 files changed, 77 insertions, 24 deletions

diff --git a/client/go/auth0/auth0.go b/client/go/auth0/auth0.go
index 43b42cb8960..aeac2e1a77a 100644
--- a/client/go/auth0/auth0.go
+++ b/client/go/auth0/auth0.go
@@ -25,7 +25,7 @@ import (
 
 const accessTokenExpThreshold = 5 * time.Minute
 
-var errUnauthenticated = errors.New("not logged in. Try 'vespa login'")
+var errUnauthenticated = errors.New("not logged in. Try 'vespa auth login'")
 
 type config struct {
 	Systems map[string]System `json:"systems"`
@@ -216,7 +216,7 @@ func (a *Auth0) getSystem() (System, error) {
 
 	s, ok := a.config.Systems[a.system]
 	if !ok {
-		return System{}, fmt.Errorf("unable to find system: %s; run 'vespa login' to configure a new system", a.system)
+		return System{}, fmt.Errorf("unable to find system: %s; run 'vespa auth login' to configure a new system", a.system)
 	}
 
 	return s, nil
diff --git a/client/go/cmd/api_key.go b/client/go/cmd/api_key.go
index 9832f04e3f0..f6113adf5d6 100644
--- a/client/go/cmd/api_key.go
+++ b/client/go/cmd/api_key.go
@@ -16,15 +16,24 @@ import (
 var overwriteKey bool
 
 func init() {
-	rootCmd.AddCommand(apiKeyCmd)
 	apiKeyCmd.Flags().BoolVarP(&overwriteKey, "force", "f", false, "Force overwrite of existing API key")
 	apiKeyCmd.MarkPersistentFlagRequired(applicationFlag)
 }
 
+var example string
+
+func apiKeyExample() string {
+	if vespa.Auth0AccessTokenEnabled() {
+		return "$ vespa auth api-key -a my-tenant.my-app.my-instance"
+	} else {
+		return "$ vespa api-key -a my-tenant.my-app.my-instance"
+	}
+}
+
 var apiKeyCmd = &cobra.Command{
 	Use:               "api-key",
 	Short:             "Create a new user API key for authentication with Vespa Cloud",
-	Example:           "$ vespa api-key -a my-tenant.my-app.my-instance",
+	Example:           apiKeyExample(),
 	DisableAutoGenTag: true,
 	Args:              cobra.ExactArgs(0),
 	Run: func(cmd *cobra.Command, args []string) {
diff --git a/client/go/cmd/auth.go b/client/go/cmd/auth.go
new file mode 100644
index 00000000000..8f306356267
--- /dev/null
+++ b/client/go/cmd/auth.go
@@ -0,0 +1,32 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/vespa-engine/vespa/client/go/vespa"
+)
+
+func init() {
+	if vespa.Auth0AccessTokenEnabled() {
+		rootCmd.AddCommand(authCmd)
+		authCmd.AddCommand(certCmd)
+		authCmd.AddCommand(apiKeyCmd)
+		authCmd.AddCommand(loginCmd)
+		authCmd.AddCommand(logoutCmd)
+	} else {
+		rootCmd.AddCommand(certCmd)
+		rootCmd.AddCommand(apiKeyCmd)
+	}
+}
+
+var authCmd = &cobra.Command{
+	Use:   "auth",
+	Short: "Manage Vespa Cloud credentials",
+	Long:  `Manage Vespa Cloud credentials.`,
+
+	DisableAutoGenTag: true,
+	Run: func(cmd *cobra.Command, args []string) {
+		// Root command does nothing
+		cmd.Help()
+		exitFunc(1)
+	},
+}
diff --git a/client/go/cmd/cert.go b/client/go/cmd/cert.go
index eaf3fc564dd..6fbe19b524d 100644
--- a/client/go/cmd/cert.go
+++ b/client/go/cmd/cert.go
@@ -16,15 +16,22 @@ import (
 var overwriteCertificate bool
 
 func init() {
-	rootCmd.AddCommand(certCmd)
 	certCmd.Flags().BoolVarP(&overwriteCertificate, "force", "f", false, "Force overwrite of existing certificate and private key")
 	certCmd.MarkPersistentFlagRequired(applicationFlag)
 }
 
+func certExample() string {
+	if vespa.Auth0AccessTokenEnabled() {
+		return "$ vespa auth cert -a my-tenant.my-app.my-instance"
+	} else {
+		return "$ vespa cert -a my-tenant.my-app.my-instance"
+	}
+}
+
 var certCmd = &cobra.Command{
 	Use:               "cert",
 	Short:             "Create a new private key and self-signed certificate for Vespa Cloud deployment",
-	Example:           "$ vespa cert -a my-tenant.my-app.my-instance",
+	Example:           certExample(),
 	DisableAutoGenTag: true,
 	Args:              cobra.MaximumNArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
@@ -66,8 +73,14 @@ var certCmd = &cobra.Command{
 			}
 		}
 		if pkg.IsZip() {
+			var msg string
+			if vespa.Auth0AccessTokenEnabled() {
+				msg = "Try running 'mvn clean' before 'vespa auth cert', and then 'mvn package'"
+			} else {
+				msg = "Try running 'mvn clean' before 'vespa cert', and then 'mvn package'"
+			}
 			fatalErrHint(fmt.Errorf("Cannot add certificate to compressed application package %s", pkg.Path),
-				"Try running 'mvn clean' before 'vespa cert', and then 'mvn package'")
+				msg)
 			return
 		}
 
diff --git a/client/go/cmd/helpers.go b/client/go/cmd/helpers.go
index 89ea87f198e..f065ae0c680 100644
--- a/client/go/cmd/helpers.go
+++ b/client/go/cmd/helpers.go
@@ -205,7 +205,13 @@ func getTarget() vespa.Target {
 		}
 		kp, err := tls.LoadX509KeyPair(certificateFile, privateKeyFile)
 		if err != nil {
-			fatalErrHint(err, "Deployment to cloud requires a certificate. Try 'vespa cert'")
+			var msg string
+			if vespa.Auth0AccessTokenEnabled() {
+				msg = "Deployment to cloud requires a certificate. Try 'vespa auth cert'"
+			} else {
+				msg = "Deployment to cloud requires a certificate. Try 'vespa cert'"
+			}
+			fatalErrHint(err, msg)
 		}
 		var cloudAuth string
 		if vespa.Auth0AccessTokenEnabled() {
@@ -262,7 +268,13 @@ func getDeploymentOpts(cfg *Config, pkg vespa.ApplicationPackage, target vespa.T
 	if opts.IsCloud() {
 		deployment := deploymentFromArgs()
 		if !opts.ApplicationPackage.HasCertificate() {
-			fatalErrHint(fmt.Errorf("Missing certificate in application package"), "Applications in Vespa Cloud require a certificate", "Try 'vespa cert'")
+			var msg string
+			if vespa.Auth0AccessTokenEnabled() {
+				msg = "Try 'vespa auth cert'"
+			} else {
+				msg = "Try 'vespa cert'"
+			}
+			fatalErrHint(fmt.Errorf("Missing certificate in application package"), "Applications in Vespa Cloud require a certificate", msg)
 			return opts
 		}
 		var err error
diff --git a/client/go/cmd/login.go b/client/go/cmd/login.go
index f7b412a4613..5011b290b9f 100644
--- a/client/go/cmd/login.go
+++ b/client/go/cmd/login.go
@@ -6,17 +6,11 @@ import (
 	"github.com/vespa-engine/vespa/client/go/vespa"
 )
 
-func init() {
-	if vespa.Auth0AccessTokenEnabled() {
-		rootCmd.AddCommand(loginCmd)
-	}
-}
-
 var loginCmd = &cobra.Command{
 	Use:               "login",
 	Args:              cobra.NoArgs,
 	Short:             "Authenticate the Vespa CLI",
-	Example:           "$ vespa login",
+	Example:           "$ vespa auth login",
 	DisableAutoGenTag: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx := cmd.Context()
diff --git a/client/go/cmd/logout.go b/client/go/cmd/logout.go
index e3cfe6733eb..ddc1d36d5e1 100644
--- a/client/go/cmd/logout.go
+++ b/client/go/cmd/logout.go
@@ -3,20 +3,13 @@ package cmd
 import (
 	"github.com/spf13/cobra"
 	"github.com/vespa-engine/vespa/client/go/auth0"
-	"github.com/vespa-engine/vespa/client/go/vespa"
 )
 
-func init() {
-	if vespa.Auth0AccessTokenEnabled() {
-		rootCmd.AddCommand(logoutCmd)
-	}
-}
-
 var logoutCmd = &cobra.Command{
 	Use:               "logout",
 	Args:              cobra.NoArgs,
 	Short:             "Log out of Vespa Cli",
-	Example:           "$ vespa logout",
+	Example:           "$ vespa auth logout",
 	DisableAutoGenTag: true,
 	SilenceUsage:      true,
 	RunE: func(cmd *cobra.Command, args []string) error {