kubeclient 4.2.2 → 4.7.0

data/RELEASING.md

@@ -20,7 +20,10 @@ Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to up
 
 Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
-git checkout -b release-$RELEASE_VERSION
+RELEASE_VERSION=x.y.z
+
+git checkout -b "release-$RELEASE_VERSION" $RELEASE_BRANCH
+# Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
 ```

data/kubeclient.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
   spec.required_ruby_version = '>= 2.2.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler', '>= 1.6'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'minitest'
   spec.add_development_dependency 'minitest-rg'
@@ -28,8 +28,11 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'vcr'
   spec.add_development_dependency 'rubocop', '= 0.49.1'
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
+  spec.add_development_dependency('mocha', '~> 1.5')
+  spec.add_development_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'jsonpath', '~> 1.0'
 
   spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_dependency 'recursive-open-struct', '~> 1.0', '>= 1.0.4'
-  spec.add_dependency 'http', '~> 3.0'
+  spec.add_dependency 'recursive-open-struct', '~> 1.1', '>= 1.1.1'
+  spec.add_dependency 'http', '>= 3.0', '< 5.0'
 end

data/lib/kubeclient.rb

@@ -1,13 +1,15 @@
 require 'json'
 require 'rest-client'
 
+require 'kubeclient/aws_eks_credentials'
 require 'kubeclient/common'
 require 'kubeclient/config'
 require 'kubeclient/entity_list'
-require 'kubeclient/google_application_default_credentials'
 require 'kubeclient/exec_credentials'
+require 'kubeclient/gcp_auth_provider'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
+require 'kubeclient/oidc_auth_provider'
 require 'kubeclient/resource'
 require 'kubeclient/resource_not_found_error'
 require 'kubeclient/version'
@@ -26,7 +28,7 @@ module Kubeclient
         uri,
         '/api',
         version,
-        options
+        **options
       )
     end
   end

data/lib/kubeclient/aws_eks_credentials.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Get a bearer token to authenticate against aws eks.
+  class AmazonEksCredentials
+    class AmazonEksDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(credentials, eks_cluster)
+        begin
+          require 'aws-sigv4'
+          require 'base64'
+          require 'cgi'
+        rescue LoadError => e
+          raise AmazonEksDependencyError,
+                'Error requiring aws gems. Kubeclient itself does not include the following ' \
+                'gems: [aws-sigv4]. To support auth-provider eks, you must ' \
+                "include it in your calling application. Failed with: #{e.message}"
+        end
+        # https://github.com/aws/aws-sdk-ruby/pull/1848
+        # Get a signer
+        # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
+        signer = Aws::Sigv4::Signer.new(
+          service: 'sts',
+          region: 'us-east-1',
+          credentials: credentials
+        )
+
+        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
+        presigned_url_string = signer.presign_url(
+          http_method: 'GET',
+          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          body: '',
+          credentials: credentials,
+          expires_in: 60,
+          headers: {
+            'X-K8s-Aws-Id' => eks_cluster
+          }
+        )
+        kube_token = 'k8s-aws-v1.' + Base64.urlsafe_encode64(presigned_url_string.to_s).sub(/=*$/, '') # rubocop:disable Metrics/LineLength
+        kube_token
+      end
+    end
+  end
+end

data/lib/kubeclient/common.rb

@@ -5,7 +5,7 @@ module Kubeclient
   # Common methods
   # this is mixed in by other gems
   module ClientMixin
-    ENTITY_METHODS = %w[get watch delete create update patch].freeze
+    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch].freeze
 
     DEFAULT_SSL_OPTIONS = {
       client_cert: nil,
@@ -37,10 +37,11 @@ module Kubeclient
     DEFAULT_HTTP_MAX_REDIRECTS = 10
 
     SEARCH_ARGUMENTS = {
-      'labelSelector' => :label_selector,
-      'fieldSelector' => :field_selector,
-      'limit'         => :limit,
-      'continue'      => :continue
+      'labelSelector'   => :label_selector,
+      'fieldSelector'   => :field_selector,
+      'resourceVersion' => :resource_version,
+      'limit'           => :limit,
+      'continue'        => :continue
     }.freeze
 
     WATCH_ARGUMENTS = {
@@ -203,6 +204,7 @@ module Kubeclient
       namespace.to_s.empty? ? '' : "namespaces/#{namespace}/"
     end
 
+    # rubocop:disable  Metrics/BlockLength
     def define_entity_methods
       @entities.values.each do |entity|
         # get all entities of a type e.g. get_nodes, get_pods, etc.
@@ -211,12 +213,12 @@ module Kubeclient
         end
 
         # watch all entities of a type e.g. watch_nodes, watch_pods, etc.
-        define_singleton_method("watch_#{entity.method_names[1]}") do |options = {}|
+        define_singleton_method("watch_#{entity.method_names[1]}") do |options = {}, &block|
           # This method used to take resource_version as a param, so
           # this conversion is to keep backwards compatibility
           options = { resource_version: options } unless options.is_a?(Hash)
 
-          watch_entities(entity.resource_name, options)
+          watch_entities(entity.resource_name, options, &block)
         end
 
         # get a single entity of a specific type by name
@@ -227,7 +229,7 @@ module Kubeclient
 
         define_singleton_method("delete_#{entity.method_names[0]}") \
         do |name, namespace = nil, opts = {}|
-          delete_entity(entity.resource_name, name, namespace, opts)
+          delete_entity(entity.resource_name, name, namespace, **opts)
         end
 
         define_singleton_method("create_#{entity.method_names[0]}") do |entity_config|
@@ -238,11 +240,23 @@ module Kubeclient
           update_entity(entity.resource_name, entity_config)
         end
 
-        define_singleton_method("patch_#{entity.method_names[0]}") do |name, patch, namespace = nil|
-          patch_entity(entity.resource_name, name, patch, namespace)
+        define_singleton_method("patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'strategic-merge-patch', namespace)
+        end
+
+        define_singleton_method("json_patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'json-patch', namespace)
+        end
+
+        define_singleton_method("merge_patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
       end
     end
+    # rubocop:enable  Metrics/BlockLength
 
     def self.underscore_entity(entity_name)
       entity_name.gsub(/([a-z])([A-Z])/, '\1_\2').downcase
@@ -281,7 +295,9 @@ module Kubeclient
     #   :as (:raw|:ros) - defaults to :ros
     #     :raw - return the raw response body as a string
     #     :ros - return a collection of RecursiveOpenStruct objects
-    def watch_entities(resource_name, options = {})
+    # Accepts an optional block, that will be called with each entity,
+    # otherwise returns a WatchStream
+    def watch_entities(resource_name, options = {}, &block)
       ns = build_namespace_prefix(options[:namespace])
 
       path = "watch/#{ns}#{resource_name}"
@@ -292,11 +308,13 @@ module Kubeclient
       WATCH_ARGUMENTS.each { |k, v| params[k] = options[v] if options[v] }
       uri.query = URI.encode_www_form(params) if params.any?
 
-      Kubeclient::Common::WatchStream.new(
+      watcher = Kubeclient::Common::WatchStream.new(
         uri,
         http_options(uri),
         formatter: ->(value) { format_response(options[:as] || @as, value) }
       )
+
+      return_or_yield_to_watcher(watcher, &block)
     end
 
     # Accepts the following options:
@@ -381,13 +399,13 @@ module Kubeclient
       format_response(@as, response.body)
     end
 
-    def patch_entity(resource_name, name, patch, namespace = nil)
+    def patch_entity(resource_name, name, patch, strategy, namespace)
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => 'application/strategic-merge-patch+json' }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
           )
       end
       format_response(@as, response.body)
@@ -409,13 +427,14 @@ module Kubeclient
 
     def get_pod_log(pod_name, namespace,
                     container: nil, previous: false,
-                    timestamps: false, since_time: nil, tail_lines: nil)
+                    timestamps: false, since_time: nil, tail_lines: nil, limit_bytes: nil)
       params = {}
       params[:previous] = true if previous
       params[:container] = container if container
       params[:timestamps] = timestamps if timestamps
       params[:sinceTime] = format_datetime(since_time) if since_time
       params[:tailLines] = tail_lines if tail_lines
+      params[:limitBytes] = limit_bytes if limit_bytes
 
       ns = build_namespace_prefix(namespace)
       handle_exception do
@@ -424,7 +443,7 @@ module Kubeclient
       end
     end
 
-    def watch_pod_log(pod_name, namespace, container: nil)
+    def watch_pod_log(pod_name, namespace, container: nil, &block)
       # Adding the "follow=true" query param tells the Kubernetes API to keep
       # the connection open and stream updates to the log.
       params = { follow: true }
@@ -436,7 +455,10 @@ module Kubeclient
       uri.path += "/#{@api_version}/#{ns}pods/#{pod_name}/log"
       uri.query = URI.encode_www_form(params)
 
-      Kubeclient::Common::WatchStream.new(uri, http_options(uri), formatter: ->(value) { value })
+      watcher = Kubeclient::Common::WatchStream.new(
+        uri, http_options(uri), formatter: ->(value) { value }
+      )
+      return_or_yield_to_watcher(watcher, &block)
     end
 
     def proxy_url(kind, name, port, namespace = '')
@@ -573,6 +595,16 @@ module Kubeclient
       raise ArgumentError, msg unless File.readable?(@auth_options[:bearer_token_file])
     end
 
+    def return_or_yield_to_watcher(watcher, &block)
+      return watcher unless block_given?
+
+      begin
+        watcher.each(&block)
+      ensure
+        watcher.finish
+      end
+    end
+
     def http_options(uri)
       options = {
         basic_auth_user: @auth_options[:username],

data/lib/kubeclient/config.rb

@@ -150,9 +150,10 @@ module Kubeclient
       if user.key?('token')
         options[:bearer_token] = user['token']
       elsif user.key?('exec')
-        exec_opts = user['exec'].dup
-        exec_opts['command'] = ext_command_path(exec_opts['command']) if exec_opts['command']
+        exec_opts = expand_command_option(user['exec'], 'command')
         options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
+      elsif user.key?('auth-provider')
+        options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
       else
         %w[username password].each do |attr|
           options[attr.to_sym] = user[attr] if user.key?(attr)
@@ -160,5 +161,22 @@ module Kubeclient
       end
       options
     end
+
+    def fetch_token_from_provider(auth_provider)
+      case auth_provider['name']
+      when 'gcp'
+        config = expand_command_option(auth_provider['config'], 'cmd-path')
+        Kubeclient::GCPAuthProvider.token(config)
+      when 'oidc'
+        Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
+      end
+    end
+
+    def expand_command_option(config, key)
+      config = config.dup
+      config[key] = ext_command_path(config[key]) if config[key]
+
+      config
+    end
   end
 end

data/lib/kubeclient/gcp_auth_provider.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'kubeclient/google_application_default_credentials'
+require 'kubeclient/gcp_command_credentials'
+
+module Kubeclient
+  # Handle different ways to get a bearer token for Google Cloud Platform.
+  class GCPAuthProvider
+    class << self
+      def token(config)
+        if config.key?('cmd-path')
+          Kubeclient::GCPCommandCredentials.token(config)
+        else
+          Kubeclient::GoogleApplicationDefaultCredentials.token
+        end
+      end
+    end
+  end
+end

data/lib/kubeclient/gcp_command_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Generates a bearer token for Google Cloud Platform.
+  class GCPCommandCredentials
+    class << self
+      def token(config)
+        require 'open3'
+        require 'shellwords'
+        require 'json'
+        require 'jsonpath'
+
+        cmd = config['cmd-path']
+        args = config['cmd-args']
+        token_key = config['token-key']
+
+        out, err, st = Open3.capture3(cmd, *args.split(' '))
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        extract_token(out, token_key)
+      end
+
+      private
+
+      def extract_token(output, token_key)
+        JsonPath.on(output, token_key.gsub(/^{|}$/, '')).first
+      end
+    end
+  end
+end

data/lib/kubeclient/google_application_default_credentials.rb

@@ -3,10 +3,25 @@
 module Kubeclient
   # Get a bearer token from the Google's application default credentials.
   class GoogleApplicationDefaultCredentials
+    class GoogleDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
     class << self
       def token
-        require 'googleauth'
-        scopes = ['https://www.googleapis.com/auth/cloud-platform']
+        begin
+          require 'googleauth'
+        rescue LoadError => e
+          raise GoogleDependencyError,
+                'Error requiring googleauth gem. Kubeclient itself does not include the ' \
+                'googleauth gem. To support auth-provider gcp, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
+
+        scopes = [
+          'https://www.googleapis.com/auth/cloud-platform',
+          'https://www.googleapis.com/auth/userinfo.email'
+        ]
+
         authorization = Google::Auth.get_application_default(scopes)
         authorization.apply({})
         authorization.access_token

data/lib/kubeclient/oidc_auth_provider.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Uses OIDC id-tokens and refreshes them if they are stale.
+  class OIDCAuthProvider
+    class OpenIDConnectDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(provider_config)
+        begin
+          require 'openid_connect'
+        rescue LoadError => e
+          raise OpenIDConnectDependencyError,
+                'Error requiring openid_connect gem. Kubeclient itself does not include the ' \
+                'openid_connect gem. To support auth-provider oidc, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
+
+        issuer_url = provider_config['idp-issuer-url']
+        discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
+
+        if provider_config.key? 'id-token'
+          return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery)
+        end
+
+        client = OpenIDConnect::Client.new(
+          identifier: provider_config['client-id'],
+          secret: provider_config['client-secret'],
+          authorization_endpoint: discovery.authorization_endpoint,
+          token_endpoint: discovery.token_endpoint,
+          userinfo_endpoint: discovery.userinfo_endpoint
+        )
+        client.refresh_token = provider_config['refresh-token']
+        client.access_token!.id_token
+      end
+
+      def expired?(id_token, discovery)
+        decoded_token = OpenIDConnect::ResponseObject::IdToken.decode(
+          id_token,
+          discovery.jwks
+        )
+        # If token expired or expiring within 60 seconds
+        Time.now.to_i + 60 > decoded_token.exp.to_i
+      rescue JSON::JWK::Set::KidNotFound
+        # Token cannot be verified: the kid it was signed with is not available for discovery
+        # Consider it expired and fetch a new one.
+        true
+      end
+    end
+  end
+end