kubeclient 4.2.2 → 4.7.0

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.2.2'.freeze
+  VERSION = '4.7.0'.freeze
 end

data/test/config/gcpauth.kubeconfig

@@ -0,0 +1,22 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: application-default-credentials
+  name: localhost/application-default-credentials
+kind: Config
+preferences: {}
+users:
+- name: application-default-credentials
+  user:
+    auth-provider:
+      config:
+        access-token: <fake_token>
+        expiry: 2019-02-19T11:07:29.827352-05:00
+      name: gcp

data/test/config/gcpcmdauth.kubeconfig

@@ -0,0 +1,26 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: application-default-credentials
+  name: localhost/application-default-credentials
+kind: Config
+preferences: {}
+users:
+- name: application-default-credentials
+  user:
+    auth-provider:
+      config:
+        access-token: <fake_token>
+        cmd-args: config config-helper --format=json
+        cmd-path: /path/to/gcloud
+        expiry: 2019-04-09T19:26:18Z
+        expiry-key: '{.credential.token_expiry}'
+        token-key: '{.credential.access_token}'
+      name: gcp

data/test/config/oidcauth.kubeconfig

@@ -0,0 +1,25 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: oidc-auth-provider
+  name: localhost/oidc-auth-provider
+kind: Config
+preferences: {}
+users:
+- name: oidc-auth-provider
+  user:
+    auth-provider:
+      config:
+        client-id: fake-client-id
+        client-secret: fake-client-secret
+        id-token: fake-id-token
+        idp-issuer-url: https://accounts.google.com
+        refresh-token: fake-refresh-token
+      name: oidc

data/test/json/service_json_patch.json

@@ -0,0 +1,26 @@
+{
+  "status" : {},
+  "kind" : "Service",
+  "apiVersion" : "v1",
+  "spec" : {
+    "ports" : [
+      {
+        "targetPort" : 80,
+        "nodePort" : 0,
+        "port" : 80,
+        "protocol" : "TCP"
+      }
+    ],
+    "clusterIP" : "1.2.3.4",
+    "type": "LoadBalancer"
+  },
+  "metadata" : {
+    "name" : "my-service",
+    "creationTimestamp" : null,
+    "namespace" : "development",
+    "resourceVersion" : "2",
+    "annotations" : {
+      "key" : "value"
+    }
+  }
+}

data/test/json/service_merge_patch.json

@@ -0,0 +1,26 @@
+{
+  "status" : {},
+  "kind" : "Service",
+  "apiVersion" : "v1",
+  "spec" : {
+    "ports" : [
+      {
+        "targetPort" : 80,
+        "nodePort" : 0,
+        "port" : 80,
+        "protocol" : "TCP"
+      }
+    ],
+    "clusterIP" : "1.2.3.4",
+    "type": "NodePort"
+  },
+  "metadata" : {
+    "name" : "my-service",
+    "creationTimestamp" : null,
+    "namespace" : "development",
+    "resourceVersion" : "2",
+    "annotations" : {
+      "key" : "value"
+    }
+  }
+}

data/test/test_config.rb

@@ -123,6 +123,57 @@ class KubeclientConfigTest < MiniTest::Test
     end
   end
 
+  def test_gcp_default_auth
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once
+    parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])
+    config = Kubeclient::Config.new(parsed, nil)
+    config.context(config.contexts.first)
+  end
+
+  # Each call to .context() obtains a new token, calling .auth_options doesn't change anything.
+  # NOTE: this is not a guarantee, may change, just testing current behavior.
+  def test_gcp_default_auth_renew
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once
+    parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])
+    config = Kubeclient::Config.new(parsed, nil)
+    context = config.context(config.contexts.first)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token2').once
+    context2 = config.context(config.contexts.first)
+    assert_equal({ bearer_token: 'token2' }, context2.auth_options)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+  end
+
+  def test_gcp_command_auth
+    Kubeclient::GCPCommandCredentials.expects(:token)
+                                     .with('access-token' => '<fake_token>',
+                                           'cmd-args' => 'config config-helper --format=json',
+                                           'cmd-path' => '/path/to/gcloud',
+                                           'expiry' => '2019-04-09 19:26:18 UTC',
+                                           'expiry-key' => '{.credential.token_expiry}',
+                                           'token-key' => '{.credential.access_token}')
+                                     .returns('token1')
+                                     .once
+    config = Kubeclient::Config.read(config_file('gcpcmdauth.kubeconfig'))
+    config.context(config.contexts.first)
+  end
+
+  def test_oidc_auth_provider
+    Kubeclient::OIDCAuthProvider.expects(:token)
+                                .with('client-id' => 'fake-client-id',
+                                      'client-secret' => 'fake-client-secret',
+                                      'id-token' => 'fake-id-token',
+                                      'idp-issuer-url' => 'https://accounts.google.com',
+                                      'refresh-token' => 'fake-refresh-token')
+                                .returns('token1')
+                                .once
+    parsed = YAML.safe_load(File.read(config_file('oidcauth.kubeconfig')))
+    config = Kubeclient::Config.new(parsed, nil)
+    config.context(config.contexts.first)
+  end
+
   private
 
   def check_context(context, ssl: true)

data/test/test_gcp_command_credentials.rb

@@ -0,0 +1,27 @@
+require_relative 'test_helper'
+require 'open3'
+
+# Unit tests for the GCPCommandCredentials token provider
+class GCPCommandCredentialsTest < MiniTest::Test
+  def test_token
+    opts = { 'cmd-args' => 'config config-helper --format=json',
+             'cmd-path' => '/path/to/gcloud',
+             'expiry-key' => '{.credential.token_expiry}',
+             'token-key' => '{.credential.access_token}' }
+
+    creds = JSON.dump(
+      'credential' => {
+        'access_token' => '9A3A941836F2458175BE18AA1971EBBF47949B07',
+        'token_expiry' => '2019-04-12T15:02:51Z'
+      }
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal('9A3A941836F2458175BE18AA1971EBBF47949B07',
+                   Kubeclient::GCPCommandCredentials.token(opts))
+    end
+  end
+end

data/test/test_helper.rb

@@ -2,6 +2,7 @@ require 'bundler/setup'
 require 'minitest/autorun'
 require 'minitest/rg'
 require 'webmock/minitest'
+require 'mocha/minitest'
 require 'json'
 require 'kubeclient'
 

data/test/test_kubeclient.rb

@@ -296,6 +296,22 @@ class KubeclientTest < MiniTest::Test
     )
   end
 
+  def test_entities_with_resource_version
+    version = '329'
+
+    stub_core_api_list
+    stub_get_services
+
+    services = client.get_services(resource_version: version)
+
+    assert_instance_of(Kubeclient::Common::EntityList, services)
+    assert_requested(
+      :get,
+      "http://localhost:8080/api/v1/services?resourceVersion=#{version}",
+      times: 1
+    )
+  end
+
   def test_entities_with_field_selector
     selector = 'involvedObject.name=redis-master'
 

data/test/test_oidc_auth_provider.rb

@@ -0,0 +1,103 @@
+require_relative 'test_helper'
+require 'openid_connect'
+
+class OIDCAuthProviderTest < MiniTest::Test
+  def setup
+    @client_id = 'client_id'
+    @client_secret = 'client_secret'
+    @idp_issuer_url = 'idp_issuer_url'
+    @refresh_token = 'refresh_token'
+    @id_token = 'id_token'
+    @new_id_token = 'new_id_token'
+  end
+
+  def test_expired_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(:decode, id_token_mock(Time.now.to_i - 7200)) do
+        OpenIDConnect::Client.stub(:new, openid_client_mock) do
+          retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+            'client-id' => @client_id,
+            'client-secret' => @client_secret,
+            'id-token' => @id_token,
+            'idp-issuer-url' => @idp_issuer_url,
+            'refresh-token' => @refresh_token
+          )
+          assert_equal(@new_id_token, retrieved_id_token)
+        end
+      end
+    end
+  end
+
+  def test_valid_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(:decode, id_token_mock(Time.now.to_i + 7200)) do
+        retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+          'client-id' => @client_id,
+          'client-secret' => @client_secret,
+          'id-token' => @id_token,
+          'idp-issuer-url' => @idp_issuer_url,
+          'refresh-token' => @refresh_token
+        )
+        assert_equal(@id_token, retrieved_id_token)
+      end
+    end
+  end
+
+  def test_missing_id_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::Client.stub(:new, openid_client_mock) do
+        retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+          'client-id' => @client_id,
+          'client-secret' => @client_secret,
+          'idp-issuer-url' => @idp_issuer_url,
+          'refresh-token' => @refresh_token
+        )
+        assert_equal(@new_id_token, retrieved_id_token)
+      end
+    end
+  end
+
+  def test_token_with_unknown_kid
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(
+        :decode, ->(_token, _jwks) { raise JSON::JWK::Set::KidNotFound }
+      ) do
+        OpenIDConnect::Client.stub(:new, openid_client_mock) do
+          retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+            'client-id' => @client_id,
+            'client-secret' => @client_secret,
+            'id-token' => @id_token,
+            'idp-issuer-url' => @idp_issuer_url,
+            'refresh-token' => @refresh_token
+          )
+          assert_equal(@new_id_token, retrieved_id_token)
+        end
+      end
+    end
+  end
+
+  private
+
+  def openid_client_mock
+    access_token = Minitest::Mock.new
+    access_token.expect(@id_token, @new_id_token)
+
+    openid_client = Minitest::Mock.new
+    openid_client.expect(:refresh_token=, nil, [@refresh_token])
+    openid_client.expect(:access_token!, access_token)
+  end
+
+  def id_token_mock(expiry)
+    id_token_mock = Minitest::Mock.new
+    id_token_mock.expect(:exp, expiry)
+  end
+
+  def discovery_mock
+    discovery = Minitest::Mock.new
+    discovery.expect(:jwks, 'jwks')
+    discovery.expect(:authorization_endpoint, 'authz_endpoint')
+    discovery.expect(:token_endpoint, 'token_endpoint')
+    discovery.expect(:userinfo_endpoint, 'userinfo_endpoint')
+    discovery
+  end
+end

data/test/test_pod_log.rb

@@ -69,12 +69,31 @@ class TestPodLog < MiniTest::Test
                      times: 1)
   end
 
+  def test_get_pod_limit_bytes
+    selected_bytes = open_test_file('pod_log.txt').read(10)
+
+    stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log})
+      .to_return(body: selected_bytes,
+                 status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    retrieved_log = client.get_pod_log('redis-master-pod',
+                                       'default',
+                                       limit_bytes: 10)
+
+    assert_equal(selected_bytes, retrieved_log)
+
+    assert_requested(:get,
+                     'http://localhost:8080/api/v1/namespaces/default/pods/redis-master-pod/log?limitBytes=10',
+                     times: 1)
+  end
+
   def test_watch_pod_log
-    expected_lines = open_test_file('pod_log.txt').read.split("\n")
+    file = open_test_file('pod_log.txt')
+    expected_lines = file.read.split("\n")
 
     stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log\?.*follow})
-      .to_return(body: open_test_file('pod_log.txt'),
-                 status: 200)
+      .to_return(body: file, status: 200)
 
     client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
 
@@ -85,6 +104,21 @@ class TestPodLog < MiniTest::Test
     end
   end
 
+  def test_watch_pod_log_with_block
+    file = open_test_file('pod_log.txt')
+    first = file.readlines.first.chomp
+
+    stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log\?.*follow})
+      .to_return(body: file, status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+
+    client.watch_pod_log('redis-master-pod', 'default') do |line|
+      assert_equal first, line
+      break
+    end
+  end
+
   def test_watch_pod_log_follow_redirect
     expected_lines = open_test_file('pod_log.txt').read.split("\n")
     redirect = 'http://localhost:1234/api/namespaces/default/pods/redis-master-pod/log'

data/test/test_service.rb

@@ -273,4 +273,58 @@ class TestService < MiniTest::Test
       data['metadata']['annotations']['key'] == 'value'
     end
   end
+
+  def test_json_patch_service
+    service = Kubeclient::Resource.new
+    name = 'my-service'
+
+    service.metadata = {}
+    service.metadata.name      = name
+    service.metadata.namespace = 'development'
+
+    stub_core_api_list
+    expected_url = "http://localhost:8080/api/v1/namespaces/development/services/#{name}"
+    stub_request(:patch, expected_url)
+      .to_return(body: open_test_file('service_json_patch.json'), status: 200)
+
+    patch = [
+      { 'op' => 'add', 'path' => '/spec/type', 'value' => 'LoadBalancer' }
+    ]
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    service = client.json_patch_service(name, patch, 'development')
+    assert_kind_of(RecursiveOpenStruct, service)
+
+    assert_requested(:patch, expected_url, times: 1) do |req|
+      data = JSON.parse(req.body)
+      req.headers['Content-Type'] == 'application/json-patch+json' &&
+        data == patch
+    end
+  end
+
+  def test_merge_patch_service
+    service = Kubeclient::Resource.new
+    name = 'my-service'
+
+    service.metadata = {}
+    service.metadata.name      = name
+    service.metadata.namespace = 'development'
+
+    stub_core_api_list
+    expected_url = "http://localhost:8080/api/v1/namespaces/development/services/#{name}"
+    stub_request(:patch, expected_url)
+      .to_return(body: open_test_file('service_merge_patch.json'), status: 200)
+
+    patch = { spec: { type: 'NodePort' } }
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    service = client.merge_patch_service(name, patch, 'development')
+    assert_kind_of(RecursiveOpenStruct, service)
+
+    assert_requested(:patch, expected_url, times: 1) do |req|
+      data = JSON.parse(req.body)
+      req.headers['Content-Type'] == 'application/merge-patch+json' &&
+        data['spec']['type'] == 'NodePort'
+    end
+  end
 end