kubeclient 0.3.0 → 4.9.2

data/lib/kubeclient/config.rb

@@ -0,0 +1,195 @@
+require 'yaml'
+require 'base64'
+require 'pathname'
+
+module Kubeclient
+  # Kubernetes client configuration class
+  class Config
+    # Kubernetes client configuration context class
+    class Context
+      attr_reader :api_endpoint, :api_version, :ssl_options, :auth_options, :namespace
+
+      def initialize(api_endpoint, api_version, ssl_options, auth_options, namespace)
+        @api_endpoint = api_endpoint
+        @api_version = api_version
+        @ssl_options = ssl_options
+        @auth_options = auth_options
+        @namespace = namespace
+      end
+    end
+
+    # data (Hash) - Parsed kubeconfig data.
+    # kcfg_path (string) - Base directory for resolving relative references to external files.
+    #   If set to nil, all external lookups & commands are disabled (even for absolute paths).
+    # See also the more convenient Config.read
+    def initialize(data, kcfg_path)
+      @kcfg = data
+      @kcfg_path = kcfg_path
+      raise 'Unknown kubeconfig version' if @kcfg['apiVersion'] != 'v1'
+    end
+
+    # Builds Config instance by parsing given file, with lookups relative to file's directory.
+    def self.read(filename)
+      parsed =
+        if RUBY_VERSION >= '2.6'
+          YAML.safe_load(File.read(filename), permitted_classes: [Date, Time])
+        else
+          YAML.safe_load(File.read(filename), [Date, Time])
+        end
+      Config.new(parsed, File.dirname(filename))
+    end
+
+    def contexts
+      @kcfg['contexts'].map { |x| x['name'] }
+    end
+
+    def context(context_name = nil)
+      cluster, user, namespace = fetch_context(context_name || @kcfg['current-context'])
+
+      if user.key?('exec')
+        exec_opts = expand_command_option(user['exec'], 'command')
+        user['exec_result'] = ExecCredentials.run(exec_opts)
+      end
+
+      ca_cert_data     = fetch_cluster_ca_data(cluster)
+      client_cert_data = fetch_user_cert_data(user)
+      client_key_data  = fetch_user_key_data(user)
+      auth_options     = fetch_user_auth_options(user)
+
+      ssl_options = {}
+
+      if !ca_cert_data.nil?
+        cert_store = OpenSSL::X509::Store.new
+        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
+        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        ssl_options[:cert_store] = cert_store
+      else
+        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
+      end
+
+      unless client_cert_data.nil?
+        ssl_options[:client_cert] = OpenSSL::X509::Certificate.new(client_cert_data)
+      end
+
+      unless client_key_data.nil?
+        ssl_options[:client_key] = OpenSSL::PKey.read(client_key_data)
+      end
+
+      Context.new(cluster['server'], @kcfg['apiVersion'], ssl_options, auth_options, namespace)
+    end
+
+    private
+
+    def allow_external_lookups?
+      @kcfg_path != nil
+    end
+
+    def ext_file_path(path)
+      unless allow_external_lookups?
+        raise "Kubeclient::Config: external lookups disabled, can't load '#{path}'"
+      end
+      Pathname(path).absolute? ? path : File.join(@kcfg_path, path)
+    end
+
+    def ext_command_path(path)
+      unless allow_external_lookups?
+        raise "Kubeclient::Config: external lookups disabled, can't execute '#{path}'"
+      end
+      # Like go client https://github.com/kubernetes/kubernetes/pull/59495#discussion_r171138995,
+      # distinguish 3 cases:
+      # - absolute (e.g. /path/to/foo)
+      # - $PATH-based (e.g. curl)
+      # - relative to config file's dir (e.g. ./foo)
+      if Pathname(path).absolute?
+        path
+      elsif File.basename(path) == path
+        path
+      else
+        File.join(@kcfg_path, path)
+      end
+    end
+
+    def fetch_context(context_name)
+      context = @kcfg['contexts'].detect do |x|
+        break x['context'] if x['name'] == context_name
+      end
+
+      raise KeyError, "Unknown context #{context_name}" unless context
+
+      cluster = @kcfg['clusters'].detect do |x|
+        break x['cluster'] if x['name'] == context['cluster']
+      end
+
+      raise KeyError, "Unknown cluster #{context['cluster']}" unless cluster
+
+      user = @kcfg['users'].detect do |x|
+        break x['user'] if x['name'] == context['user']
+      end || {}
+
+      namespace = context['namespace']
+
+      [cluster, user, namespace]
+    end
+
+    def fetch_cluster_ca_data(cluster)
+      if cluster.key?('certificate-authority')
+        File.read(ext_file_path(cluster['certificate-authority']))
+      elsif cluster.key?('certificate-authority-data')
+        Base64.decode64(cluster['certificate-authority-data'])
+      end
+    end
+
+    def fetch_user_cert_data(user)
+      if user.key?('client-certificate')
+        File.read(ext_file_path(user['client-certificate']))
+      elsif user.key?('client-certificate-data')
+        Base64.decode64(user['client-certificate-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientCertificateData')
+        user['exec_result']['clientCertificateData']
+      end
+    end
+
+    def fetch_user_key_data(user)
+      if user.key?('client-key')
+        File.read(ext_file_path(user['client-key']))
+      elsif user.key?('client-key-data')
+        Base64.decode64(user['client-key-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientKeyData')
+        user['exec_result']['clientKeyData']
+      end
+    end
+
+    def fetch_user_auth_options(user)
+      options = {}
+      if user.key?('token')
+        options[:bearer_token] = user['token']
+      elsif user.key?('exec_result') && user['exec_result'].key?('token')
+        options[:bearer_token] = user['exec_result']['token']
+      elsif user.key?('auth-provider')
+        options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
+      else
+        %w[username password].each do |attr|
+          options[attr.to_sym] = user[attr] if user.key?(attr)
+        end
+      end
+      options
+    end
+
+    def fetch_token_from_provider(auth_provider)
+      case auth_provider['name']
+      when 'gcp'
+        config = expand_command_option(auth_provider['config'], 'cmd-path')
+        Kubeclient::GCPAuthProvider.token(config)
+      when 'oidc'
+        Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
+      end
+    end
+
+    def expand_command_option(config, key)
+      config = config.dup
+      config[key] = ext_command_path(config[key]) if config[key]
+
+      config
+    end
+  end
+end

data/lib/kubeclient/entity_list.rb

@@ -3,14 +3,19 @@ module Kubeclient
   module Common
     # Kubernetes Entity List
     class EntityList < DelegateClass(Array)
-      attr_reader :kind, :resourceVersion
+      attr_reader :continue, :kind, :resourceVersion
 
-      def initialize(kind, resource_version, list)
+      def initialize(kind, resource_version, list, continue = nil)
         @kind = kind
         # rubocop:disable Style/VariableName
         @resourceVersion = resource_version
+        @continue = continue
         super(list)
       end
+
+      def last?
+        continue.nil?
+      end
     end
   end
 end

data/lib/kubeclient/exec_credentials.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # An exec-based client auth provide
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration
+  # Inspired by https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go
+  class ExecCredentials
+    class << self
+      def run(opts)
+        require 'open3'
+        require 'json'
+
+        raise ArgumentError, 'exec options are required' if opts.nil?
+
+        cmd = opts['command']
+        args = opts['args']
+        env = map_env(opts['env'])
+
+        # Validate exec options
+        validate_opts(opts)
+
+        out, err, st = Open3.capture3(env, cmd, *args)
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        creds = JSON.parse(out)
+        validate_credentials(opts, creds)
+        creds['status']
+      end
+
+      private
+
+      def validate_opts(opts)
+        raise KeyError, 'exec command is required' unless opts['command']
+      end
+
+      def validate_client_credentials_status(status)
+        has_client_cert_data = status.key?('clientCertificateData')
+        has_client_key_data = status.key?('clientKeyData')
+
+        if has_client_cert_data && !has_client_key_data
+          raise 'exec plugin didn\'t return client key data'
+        end
+
+        if !has_client_cert_data && has_client_key_data
+          raise 'exec plugin didn\'t return client certificate data'
+        end
+
+        has_client_cert_data && has_client_key_data
+      end
+
+      def validate_credentials_status(status)
+        raise 'exec plugin didn\'t return a status field' if status.nil?
+
+        has_client_credentials = validate_client_credentials_status(status)
+        has_token = status.key?('token')
+
+        if has_client_credentials && has_token
+          raise 'exec plugin returned both token and client data'
+        end
+
+        return if has_client_credentials || has_token
+
+        raise 'exec plugin didn\'t return a token or client data' unless has_token
+      end
+
+      def validate_credentials(opts, creds)
+        # out should have ExecCredential structure
+        raise 'invalid credentials' if creds.nil?
+
+        # Verify apiVersion?
+        api_version = opts['apiVersion']
+        if api_version && api_version != creds['apiVersion']
+          raise "exec plugin is configured to use API version #{api_version}, " \
+            "plugin returned version #{creds['apiVersion']}"
+        end
+
+        validate_credentials_status(creds['status'])
+      end
+
+      # Transform name/value pairs to hash
+      def map_env(env)
+        return {} unless env
+
+        Hash[env.map { |e| [e['name'], e['value']] }]
+      end
+    end
+  end
+end

data/lib/kubeclient/gcp_auth_provider.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'kubeclient/google_application_default_credentials'
+require 'kubeclient/gcp_command_credentials'
+
+module Kubeclient
+  # Handle different ways to get a bearer token for Google Cloud Platform.
+  class GCPAuthProvider
+    class << self
+      def token(config)
+        if config.key?('cmd-path')
+          Kubeclient::GCPCommandCredentials.token(config)
+        else
+          Kubeclient::GoogleApplicationDefaultCredentials.token
+        end
+      end
+    end
+  end
+end

data/lib/kubeclient/gcp_command_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Generates a bearer token for Google Cloud Platform.
+  class GCPCommandCredentials
+    class << self
+      def token(config)
+        require 'open3'
+        require 'shellwords'
+        require 'json'
+        require 'jsonpath'
+
+        cmd = config['cmd-path']
+        args = config['cmd-args']
+        token_key = config['token-key']
+
+        out, err, st = Open3.capture3(cmd, *args.split(' '))
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        extract_token(out, token_key)
+      end
+
+      private
+
+      def extract_token(output, token_key)
+        JsonPath.on(output, token_key.gsub(/^{|}$/, '')).first
+      end
+    end
+  end
+end

data/lib/kubeclient/google_application_default_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Get a bearer token from the Google's application default credentials.
+  class GoogleApplicationDefaultCredentials
+    class GoogleDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token
+        begin
+          require 'googleauth'
+        rescue LoadError => e
+          raise GoogleDependencyError,
+                'Error requiring googleauth gem. Kubeclient itself does not include the ' \
+                'googleauth gem. To support auth-provider gcp, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
+
+        scopes = [
+          'https://www.googleapis.com/auth/cloud-platform',
+          'https://www.googleapis.com/auth/userinfo.email'
+        ]
+
+        authorization = Google::Auth.get_application_default(scopes)
+        authorization.apply({})
+        authorization.access_token
+      end
+    end
+  end
+end

data/lib/kubeclient/http_error.rb

@@ -0,0 +1,25 @@
+# TODO: remove this on next major version bump
+# Deprected http exception
+class KubeException < StandardError
+  attr_reader :error_code, :message, :response
+
+  def initialize(error_code, message, response)
+    @error_code = error_code
+    @message = message
+    @response = response
+  end
+
+  def to_s
+    string = "HTTP status code #{@error_code}, #{@message}"
+    if @response.is_a?(RestClient::Response) && @response.request
+      string << " for #{@response.request.method.upcase} #{@response.request.url}"
+    end
+    string
+  end
+end
+
+module Kubeclient
+  # Exception that is raised when a http request fails
+  class HttpError < KubeException
+  end
+end

data/lib/kubeclient/missing_kind_compatibility.rb

@@ -0,0 +1,68 @@
+module Kubeclient
+  module Common
+    # Backward compatibility for old versions where kind is missing (e.g. OpenShift Enterprise 3.1)
+    class MissingKindCompatibility
+      MAPPING = {
+        'bindings'                   => 'Binding',
+        'componentstatuses'          => 'ComponentStatus',
+        'endpoints'                  => 'Endpoints',
+        'events'                     => 'Event',
+        'limitranges'                => 'LimitRange',
+        'namespaces'                 => 'Namespace',
+        'nodes'                      => 'Node',
+        'persistentvolumeclaims'     => 'PersistentVolumeClaim',
+        'persistentvolumes'          => 'PersistentVolume',
+        'pods'                       => 'Pod',
+        'podtemplates'               => 'PodTemplate',
+        'replicationcontrollers'     => 'ReplicationController',
+        'resourcequotas'             => 'ResourceQuota',
+        'secrets'                    => 'Secret',
+        'securitycontextconstraints' => 'SecurityContextConstraints',
+        'serviceaccounts'            => 'ServiceAccount',
+        'services'                   => 'Service',
+        'buildconfigs'               => 'BuildConfig',
+        'builds'                     => 'Build',
+        'clusternetworks'            => 'ClusterNetwork',
+        'clusterpolicies'            => 'ClusterPolicy',
+        'clusterpolicybindings'      => 'ClusterPolicyBinding',
+        'clusterrolebindings'        => 'ClusterRoleBinding',
+        'clusterroles'               => 'ClusterRole',
+        'deploymentconfigrollbacks'  => 'DeploymentConfigRollback',
+        'deploymentconfigs'          => 'DeploymentConfig',
+        'generatedeploymentconfigs'  => 'DeploymentConfig',
+        'groups'                     => 'Group',
+        'hostsubnets'                => 'HostSubnet',
+        'identities'                 => 'Identity',
+        'images'                     => 'Image',
+        'imagestreamimages'          => 'ImageStreamImage',
+        'imagestreammappings'        => 'ImageStreamMapping',
+        'imagestreams'               => 'ImageStream',
+        'imagestreamtags'            => 'ImageStreamTag',
+        'localresourceaccessreviews' => 'LocalResourceAccessReview',
+        'localsubjectaccessreviews'  => 'LocalSubjectAccessReview',
+        'netnamespaces'              => 'NetNamespace',
+        'oauthaccesstokens'          => 'OAuthAccessToken',
+        'oauthauthorizetokens'       => 'OAuthAuthorizeToken',
+        'oauthclientauthorizations'  => 'OAuthClientAuthorization',
+        'oauthclients'               => 'OAuthClient',
+        'policies'                   => 'Policy',
+        'policybindings'             => 'PolicyBinding',
+        'processedtemplates'         => 'Template',
+        'projectrequests'            => 'ProjectRequest',
+        'projects'                   => 'Project',
+        'resourceaccessreviews'      => 'ResourceAccessReview',
+        'rolebindings'               => 'RoleBinding',
+        'roles'                      => 'Role',
+        'routes'                     => 'Route',
+        'subjectaccessreviews'       => 'SubjectAccessReview',
+        'templates'                  => 'Template',
+        'useridentitymappings'       => 'UserIdentityMapping',
+        'users'                      => 'User'
+      }.freeze
+
+      def self.resource_kind(name)
+        MAPPING[name]
+      end
+    end
+  end
+end

data/lib/kubeclient/oidc_auth_provider.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Uses OIDC id-tokens and refreshes them if they are stale.
+  class OIDCAuthProvider
+    class OpenIDConnectDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(provider_config)
+        begin
+          require 'openid_connect'
+        rescue LoadError => e
+          raise OpenIDConnectDependencyError,
+                'Error requiring openid_connect gem. Kubeclient itself does not include the ' \
+                'openid_connect gem. To support auth-provider oidc, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
+
+        issuer_url = provider_config['idp-issuer-url']
+        discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
+
+        if provider_config.key? 'id-token'
+          return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery)
+        end
+
+        client = OpenIDConnect::Client.new(
+          identifier: provider_config['client-id'],
+          secret: provider_config['client-secret'],
+          authorization_endpoint: discovery.authorization_endpoint,
+          token_endpoint: discovery.token_endpoint,
+          userinfo_endpoint: discovery.userinfo_endpoint
+        )
+        client.refresh_token = provider_config['refresh-token']
+        client.access_token!.id_token
+      end
+
+      def expired?(id_token, discovery)
+        decoded_token = OpenIDConnect::ResponseObject::IdToken.decode(
+          id_token,
+          discovery.jwks
+        )
+        # If token expired or expiring within 60 seconds
+        Time.now.to_i + 60 > decoded_token.exp.to_i
+      rescue JSON::JWK::Set::KidNotFound
+        # Token cannot be verified: the kid it was signed with is not available for discovery
+        # Consider it expired and fetch a new one.
+        true
+      end
+    end
+  end
+end

data/lib/kubeclient/resource.rb

@@ -0,0 +1,11 @@
+require 'recursive_open_struct'
+
+module Kubeclient
+  # Represents all the objects returned by Kubeclient
+  class Resource < RecursiveOpenStruct
+    def initialize(hash = nil, args = {})
+      args[:recurse_over_arrays] = true
+      super(hash, args)
+    end
+  end
+end

data/lib/kubeclient/resource_not_found_error.rb

@@ -0,0 +1,4 @@
+module Kubeclient
+  class ResourceNotFoundError < HttpError
+  end
+end

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '0.3.0'
+  VERSION = '4.9.2'.freeze
 end