kubeclient 4.3.0 → 4.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f53d064748148a041be5853562e7789f8cc792735e4916c1859c63bf93f1f8bc
-  data.tar.gz: 15a4ba1b298c4bfb3469765a92ad58e8dd806f470870bbadaaf81a0c7ac3dbf4
+  metadata.gz: 48d448677cbf44234e974ccb8abd00002c729b059f8857120f11d7a017c63f96
+  data.tar.gz: 1db9a01ab5819636816562bd60b563db6e1aa20aa45f8e8b1283da35e1c77a37
 SHA512:
-  metadata.gz: 39b85eead8370920f1dbf6f30720506de756894ae4d34b55a5e589b9ff1c8bce0a6e93c5517d4afbc7bb039b729e760250c7b4ead17b4fced76f52941b6bcf44
-  data.tar.gz: 6c95743f7680fac757b90804050b81488d084fe083749890f069ca8ed1a97158c789d3a912fcccc72f64d089695a9fe0c2085b45dffa492773c82d2ae5b3626d
+  metadata.gz: f3ba57f5db5c09035f1ae3265203f5eb64858b7383c9cb73a9e2186befc4b7c120db3984634626895143c5409c9b943103d93a106274b4d61f57579d2e22ba93
+  data.tar.gz: 2154232e7359a4e3eae7191093338cce2f6daa44abf30f663bbe59631435927519f7e342dd103a485726375bdfde5d556c3a825b3dbd063d23f055e5eb16ad1e

data/.travis.yml

@@ -1,13 +1,29 @@
 language: ruby
+sudo: false
+cache: bundler
+script: bundle exec rake $TASK
+
+os:
+  - linux
+  - osx
 rvm:
-  - "2.2"
+  - "2.2.0"
   - "2.3.0"
   - "2.4.0"
   - "2.5.0"
-  - "2.6.0-preview1"
-sudo: false
-cache: bundler
-script: bundle exec rake $TASK
+  - "2.6.0"
+  - "2.7.0"
 env:
  - TASK=test
- - TASK=rubocop
+matrix:
+  exclude:
+    - os: osx
+      rvm: "2.2.0"
+    - os: osx
+      rvm: "2.3.0"
+  # No point running Rubocop on different rubies, results will be same.
+  # The rubies it expects the code to target are controlled in .rubocop.yml.
+  include:
+    - os: linux
+      rvm: "2.5.0"
+      env: TASK=rubocop

data/CHANGELOG.md

@@ -4,13 +4,57 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.8.0 — 2020-07-03
+
+### Added
+- Support for server-side apply (#448).
+
+### Fixed
+- Declared forgotten dependency on jsonpath, needed for `gcp` provider with `cmd-path` (#450).
+
+## 4.7.0 — 2020-06-14
+
+### Fixed
+- Ruby 2.7 compatibility: bumped minimum recursive-open-struct to one that works on 2.7 (#439).
+- Ruby 2.7 warnings (#433, #438).
+- Improved watch documentation, including behavior planned to change in 5.0.0 (#436).
+
+### Added
+- Google Application Default Credentials: Added `userinfo.email` to requested scopes, which is necessary for RBAC policies (#441).
+
+## 4.6.0 — 2019-12-30
+
+### Fixed
+- AmazonEksCredentials was sometimes leaving base64 padding that IAM auth of the EKS cluster rejects.  Now padding is always stripped. (#424, #423)
+
+### Added
+- Allow calling `watch_foos` methods with a block, simpler to use and guarantees closing the connection. (#425)
+
+- Support `limitBytes` query parameter for `get_pod_log`. (#426)
+
+## 4.5.0 — 2019-09-27
+
+### Added
+- Support `:resourceVersion` parameter in `get_foos` methods (similar to existing support in `watch_foos` methods). (#420)
+
+- Relax dependency on `http` gem to allow both 3.x and 4.x. (#413)
+
+## 4.4.0 — 2019-05-03
+
+### Added
+- GCP configs with `user[auth-provider][name] == 'gcp'` will execute credential plugin (normally the `gcloud config config-helper` subcommand) when the config specifies it in `cmd-path`, `cmd-args` fields (similar to `exec` support).  This code path works without `googleauth` gem.  Otherwise, `GoogleApplicationDefaultCredentials` path will be tried as before. (#410)
+- `AmazonEksCredentials` helper for obtaining a token to authenticate against Amazon EKS. This is not currently integrated in `Config`, you will need to invoke it yourself.  You'll need some aws gems that Kubeclient _does not_ include. (#404, #406)
+
+### Changed
+- OpenID Connect tokens which cannot be validaded because we cannot identify the key they were signed with will be considered expired and refreshed as usual. (#407)
+
 ## 4.3.0 — 2019-03-03
 
 ### Changed
-- `GoogleApplicationDefaultCredentials` will automatically be used in `fetch_user_auth_options` if the `user[auth-provider][name] == 'gcp'` in the provided context. Note that `user[exec]` is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient _does not_ import the required `googleauth` gem, so you will need to import it in your calling application. (#394)
+- `GoogleApplicationDefaultCredentials` will now automatically be used by `Config` if the `user[auth-provider][name] == 'gcp'` in the provided context. Note that `user[exec]` is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient _does not_ include the required `googleauth` gem, so you will need to include it in your calling application. (#394)
 
 ### Added
-- OpenID Connect credentials will automatically be used if the `user[auth-provider][name] == 'oidc'` in the provided context. Note that `user[exec]` is checked first. Kubeclient _does not_ import the required `openid_connect` gem, so you will need to import it in your calling application. (#396)
+- OpenID Connect credentials will automatically be used if the `user[auth-provider][name] == 'oidc'` in the provided context. Note that `user[exec]` is checked first. Kubeclient _does not_ include the required `openid_connect` gem, so you will need to include it in your calling application. (#396)
 
 - Support for `json_patch_#{entity}` and `merge_patch_#{entity}`. `patch_#{entity}` will continue to use strategic merge patch. (#390)
 

data/README.md

@@ -207,7 +207,7 @@ client = Kubeclient::Client.new(
 
 ### Timeouts
 
-Watching never times out.
+Watching configures the socket to never time out (however, sooner or later all watches terminate).
 
 One-off actions like `.get_*`, `.delete_*` have a configurable timeout:
 ```ruby
@@ -287,6 +287,45 @@ Kubeclient::Client.new(
 ```
 
 
+#### Amazon EKS Credentials
+
+On Amazon EKS by default the authentication method is IAM.  When running kubectl a temporary token is generated by shelling out to
+the aws-iam-authenticator binary which is sent to authenticate the user.
+See [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator).
+To replicate that functionality, the `Kubeclient::AmazonEksCredentials` class can accept a set of IAM credentials and
+contains a helper method to generate the authentication token for you.
+
+This requires a set of gems which are _not_ included in
+`kubeclient` dependencies (`aws-sigv4`) so you should add them to your bundle.
+You will also require either the `aws-sdk` v2 or `aws-sdk-core` v3 gems to generate the required `Aws:Credentials` object to pass to this method.
+
+To obtain a token:
+
+```ruby
+require 'aws-sdk-core'
+# Use keys
+credentials = Aws::Credentials.new(access_key, secret_key)
+# Or a profile
+credentials = Aws::SharedCredentials.new(profile_name: 'default').credentials
+
+auth_options = {
+  bearer_token: Kubeclient::AmazonEksCredentials.token(credentials, eks_cluster_name)
+}
+client = Kubeclient::Client.new(
+  eks_cluster_https_endpoint, 'v1', auth_options: auth_options
+)
+```
+
+Note that this returns a token good for one minute. If your code requires authorization for longer than that, you should plan to
+acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
+#### Google GCP credential plugin
+
+If kubeconfig file has `user: {auth-provider: {name: gcp, cmd-path: ..., cmd-args: ..., token-key: ...}}`, the command will be executed to obtain a token.
+(Normally this would be a `gcloud config config-helper` command.)
+
+Note that this returns an expiring token. If your code requires authorization for a long time, you should plan to acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
 #### Google's Application Default Credentials
 
 On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems
@@ -296,7 +335,7 @@ kubeclient can use `googleauth` gem to authorize.
 This requires the [`googleauth` gem](https://github.com/google/google-auth-library-ruby) that is _not_ included in
 `kubeclient` dependencies so you should add it to your bundle.
 
-If you use `Config.context(...).auth_options` and the kubeconfig file has `user: {auth-provider: {name: gcp}}`, kubeclient will automatically try this (raising LoadError if you don't have `googleauth` in your bundle).
+If you use `Config.context(...).auth_options` and the kubeconfig file has `user: {auth-provider: {name: gcp}}`, but does not contain `cmd-path` key, kubeclient will automatically try this (raising LoadError if you don't have `googleauth` in your bundle).
 
 Or you can obtain a token manually:
 
@@ -381,16 +420,48 @@ We try to support the last 3 minor versions, matching the [official support poli
 Kubernetes 1.2 and below have known issues and are unsupported.
 Kubernetes 1.3 presumed to still work although nobody is really testing on such old versions...
 
-## Examples:
+## Supported actions & examples:
+
+Summary of main CRUD actions:
+
+```
+get_foos(namespace: 'namespace', **opts)  # namespaced collection
+get_foos(**opts)                          # all namespaces or global collection
+
+get_foo('name', 'namespace', opts)  # namespaced
+get_foo('name', nil, opts)          # global
+
+watch_foos(namespace: ns, **opts)   # namespaced collection
+watch_foos(**opts)                  # all namespaces or global collection
+watch_foos(namespace: ns, name: 'name', **opts)   # namespaced single object
+watch_foos(name: 'name', **opts)                  # global single object
+
+delete_foo('name', 'namespace', opts)    # namespaced
+delete_foo('name', nil, opts)            # global
+
+create_foo(Kubeclient::Resource.new({metadata: {name: 'name', namespace: 'namespace', ...}, ...}))
+create_foo(Kubeclient::Resource.new({metadata: {name: 'name', ...}, ...}))  # global
+
+update_foo(Kubeclient::Resource.new({metadata: {name: 'name', namespace: 'namespace', ...}, ...}))
+update_foo(Kubeclient::Resource.new({metadata: {name: 'name', ...}, ...}))  # global
+
+patch_foo('name', patch, 'namespace')    # namespaced
+patch_foo('name', patch)                 # global
+
+apply_foo(Kubeclient::Resource.new({metadata: {name: 'name', namespace: 'namespace', ...}, ...}), field_manager: 'myapp', **opts)
+apply_foo(Kubeclient::Resource.new({metadata: {name: 'name', ...}, ...}), field_manager: 'myapp', **opts)  # global
+```
 
-#### Get all instances of a specific entity type
+These grew to be quite inconsistent :confounded:, see https://github.com/abonas/kubeclient/issues/312 and https://github.com/abonas/kubeclient/issues/332 for improvement plans.
+
+### Get all instances of a specific entity type
 Such as: `get_pods`, `get_secrets`, `get_services`, `get_nodes`, `get_replication_controllers`, `get_resource_quotas`, `get_limit_ranges`, `get_persistent_volumes`, `get_persistent_volume_claims`, `get_component_statuses`, `get_service_accounts`
 
 ```ruby
 pods = client.get_pods
 ```
 
-Get all entities of a specific type in a namespace:<br>
+Get all entities of a specific type in a namespace:
 
 ```ruby
 services = client.get_services(namespace: 'development')
@@ -408,7 +479,22 @@ You can specify multiple labels (that option will return entities which have bot
 pods = client.get_pods(label_selector: 'name=redis-master,app=redis')
 ```
 
-Get all entities of a specific type in chunks:
+There is also [a limited ability to filter by *some* fields](https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/).  Which fields are supported is not documented, you can try and see if you get an error...
+```ruby
+client.get_pods(field_selector: 'spec.nodeName=master-0')
+```
+
+You can ask for entities at a specific version by specifying a parameter named `resource_version`:
+```ruby
+pods = client.get_pods(resource_version: '0')
+```
+but it's not guaranteed you'll get it.  See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions to understand the semantics.
+
+With default (`as: :ros`) return format, the returned object acts like an array of the individual pods, but also supports a `.resourceVersion` method.
+
+With `:parsed` and `:parsed_symbolized` formats, the returned data structure matches kubernetes list structure: it's a hash containing  `metadata` and `items` keys, the latter containing the individual pods.
+
+#### Get all entities of a specific type in chunks
 
 ```ruby
 continue = nil
@@ -463,7 +549,87 @@ Other formats are:
  - `:parsed` for `JSON.parse`
  - `:parsed_symbolized` for `JSON.parse(..., symbolize_names: true)`
 
-#### Delete an entity (by name)
+### Watch — Receive entities updates
+
+See https://kubernetes.io/docs/reference/using-api/api-concepts/#efficient-detection-of-changes for an overview.
+
+It is possible to receive live update notices watching the relevant entities:
+
+```ruby
+client.watch_pods do |notice|
+  # process notice data
+end
+```
+
+The notices have `.type` field which may be `'ADDED'`, `'MODIFIED'`, `'DELETED'`, or currently `'ERROR'`, and an `.object` field containing the object.  **UPCOMING CHANGE**: In next major version, we plan to raise exceptions instead of passing on ERROR into the block.
+
+For namespaced entities, the default watches across all namespaces, and you can specify `client.watch_secrets(namespace: 'foo')` to only watch in a single namespace.
+
+You can narrow down using `label_selector:` and `field_selector:` params, like with `get_pods` methods.
+
+You can also watch a single object by specifying `name:` e.g. `client.watch_nodes(name: 'gandalf')` (not namespaced so a name is enough) or `client.watch_pods(namespace: 'foo', name: 'bar')` (namespaced, need both params).
+Note the method name is still plural!  There is no `watch_pod`, only `watch_pods`.  The yielded "type" remains the same — watch notices, it's just they'll always refer to the same object.
+
+You can use `as:` param to control the format of the yielded notices.
+
+#### All watches come to an end!
+
+While nominally the watch block *looks* like an infinite loop, that's unrealistic.  Network connections eventually get severed, and kubernetes apiserver is known to terminate watches.
+
+Unfortunately, this sometimes raises an exception and sometimes the loop just exits.  **UPCOMING CHANGE**: In next major version, non-deliberate termination will always raise an exception; the block will only exit silenty if stopped deliberately.
+
+#### Deliberately stopping a watch
+
+You can use `break` or `return` inside the watch block.
+
+It is possible to interrupt the watcher from another thread with:
+
+```ruby
+watcher = client.watch_pods
+
+watcher.each do |notice|
+  # process notice data
+end
+# <- control will pass here after .finish is called
+
+### In another thread ###
+watcher.finish
+```
+
+#### Starting watch version
+
+You can specify version to start from, commonly used in "List+Watch" pattern:
+```
+list = client.get_pods
+collection_version = list.resourceVersion
+# or with other return formats:
+list = client.get_pods(as: :parsed)
+collection_version = list['metadata']['resourceVersion']
+
+# note spelling resource_version vs resourceVersion.
+client.watch_pods(resource_version: collection_version) do |notice|
+  # process notice data
+end
+```
+It's important to understand [the effects of unset/0/specific resource_version](https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions) as it modifies the behavior of the watch — in some modes you'll first see a burst of synthetic 'ADDED' notices for all existing objects.
+
+If you re-try a terminated watch again without specific resourceVersion, you might see previously seen notices again, and might miss some events.
+
+To attempt resuming a watch from same point, you can try using last resourceVersion observed during the watch.  Or do list+watch again.
+
+Whenever you ask for a specific version, you must be prepared for an 410 "Gone" error if the server no longer recognizes it.
+
+#### Watch events about a particular object
+Events are [entities in their own right](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#event-v1-core).
+You can use the `field_selector` option as part of the watch methods.
+
+```ruby
+client.watch_events(namespace: 'development', field_selector: 'involvedObject.name=redis-master') do |notice|
+  # process notice date
+end
+```
+
+### Delete an entity (by name)
 
 For example: `delete_pod "pod name"` , `delete_replication_controller "rc name"`, `delete_node "node name"`, `delete_secret "secret name"`
 
@@ -487,7 +653,7 @@ delete_options = Kubeclient::Resource.new(
 client.delete_deployment(deployment_name, namespace, delete_options: delete_options)
 ```
 
-#### Create an entity
+### Create an entity
 For example: `create_pod pod_object`, `create_replication_controller rc_obj`, `create_secret secret_object`, `create_resource_quota resource_quota_object`, `create_limit_range limit_range_object`, `create_persistent_volume persistent_volume_object`, `create_persistent_volume_claim persistent_volume_claim_object`, `create_service_account service_account_object`
 
 Input parameter - object of type `Service`, `Pod`, `ReplicationController`.
@@ -513,7 +679,7 @@ service.metadata.labels.role = 'slave'
 client.create_service(service)
 ```
 
-#### Update an entity
+### Update an entity
 For example: `update_pod`, `update_service`, `update_replication_controller`, `update_secret`, `update_resource_quota`, `update_limit_range`, `update_persistent_volume`, `update_persistent_volume_claim`, `update_service_account`
 
 Input parameter - object of type `Pod`, `Service`, `ReplicationController` etc.
@@ -524,7 +690,7 @@ The below example is for v1
 updated = client.update_service(service1)
 ```
 
-#### Patch an entity (by name)
+### Patch an entity (by name)
 For example: `patch_pod`, `patch_service`, `patch_secret`, `patch_resource_quota`, `patch_persistent_volume`
 
 Input parameters - name (string) specifying the entity name, patch (hash) to be applied to the resource, optional: namespace name (string)
@@ -539,41 +705,41 @@ patched = client.patch_pod("docker-registry", {metadata: {annotations: {key: 'va
 
 `patch_#{entity}` is called using a [strategic merge patch](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch). `json_patch_#{entity}` and `merge_patch_#{entity}` are also available that use JSON patch and JSON merge patch, respectively. These strategies are useful for resources that do not support strategic merge patch, such as Custom Resources. Consult the [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment) for more information about the different patch strategies.
 
-#### Get all entities of all types : all_entities
-Returns a hash with the following keys (node, secret, service, pod, replication_controller, namespace, resource_quota, limit_range, endpoint, event, persistent_volume, persistent_volume_claim, component_status and service_account). Each key points to an EntityList of same type.
-This method is a convenience method instead of calling each entity's get method separately.
+### Apply an entity
 
-```ruby
-client.all_entities
-```
+This is similar to `kubectl apply --server-side` (kubeclient doesn't implement logic for client-side apply). See https://kubernetes.io/docs/reference/using-api/api-concepts/#server-side-apply
 
-#### Receive entity updates
-It is possible to receive live update notices watching the relevant entities:
+For example: `apply_pod`
 
-```ruby
-watcher = client.watch_pods
-watcher.each do |notice|
-  # process notice data
-end
-```
+Input parameters - resource (Kubeclient::Resource) representing the desired state of the resource, field_manager (String) to identify the system managing the state of the resource, force (Boolean) whether or not to override a field managed by someone else.
 
-It is possible to interrupt the watcher from another thread with:
+Example:
 
 ```ruby
-watcher.finish
+service = Kubeclient::Resource.new(
+  metadata: {
+    name: 'redis-master',
+    namespace: 'staging',
+  },
+  spec: {
+    ...
+  }
+)
+
+client.apply_service(service, field_manager: 'myapp')
 ```
 
-#### Watch events for a particular object
-You can use the `field_selector` option as part of the watch methods.
+### Get all entities of all types : all_entities
+
+Makes requests for all entities of each discovered kind (in this client's API group).  This method is a convenience method instead of calling each entity's get method separately.
+
+Returns a hash with keys being the *singular* entity kind, in lowercase underscore style.  For example for core API group may return keys `"node'`, `"secret"`, `"service"`, `"pod"`, `"replication_controller"`, `"namespace"`, `"resource_quota"`, `"limit_range"`, `"endpoint"`, `"event"`, `"persistent_volume"`, `"persistent_volume_claim"`, `"component_status"`, `"service_account"`. Each key points to an EntityList of same type.
 
 ```ruby
-watcher = client.watch_events(namespace: 'development', field_selector: 'involvedObject.name=redis-master')
-watcher.each do |notice|
-  # process notice date
-end
+client.all_entities
 ```
 
-#### Get a proxy URL
+### Get a proxy URL
 You can get a complete URL for connecting a kubernetes entity via the proxy.
 
 ```ruby
@@ -588,7 +754,7 @@ client.proxy_url('pod', 'podname', 5001, 'ns')
 # => "https://localhost.localdomain:8443/api/v1/namespaces/ns/pods/podname:5001/proxy"
 ```
 
-#### Get the logs of a pod
+### Get the logs of a pod
 You can get the logs of a running pod, specifying the name of the pod and the
 namespace where the pod is running:
 
@@ -625,16 +791,21 @@ client.get_pod_log('pod-name', 'default', tail_lines: 10)
 # => "..."
 ```
 
+Kubernetes can fetch a specific number of bytes from the log, but the exact size is not guaranteed and last line may not be terminated:
+```ruby
+client.get_pod_log('pod-name', 'default', limit_bytes: 10)
+# => "..."
+```
+
 You can also watch the logs of a pod to get a stream of data:
 
 ```ruby
-watcher = client.watch_pod_log('pod-name', 'default', container: 'ruby')
-watcher.each do |line|
+client.watch_pod_log('pod-name', 'default', container: 'ruby') do |line|
   puts line
 end
 ```
 
-#### Process a template
+### OpenShift: Process a template
 Returns a processed template containing a list of objects to create.
 Input parameter - template (hash)
 Besides its metadata, the template should include a list of objects to be processed and a list of parameters

data/RELEASING.md

@@ -20,7 +20,10 @@ Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to up
 
 Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
-git checkout -b release-$RELEASE_VERSION
+RELEASE_VERSION=x.y.z
+
+git checkout -b "release-$RELEASE_VERSION" $RELEASE_BRANCH
+# Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
 ```

data/kubeclient.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
   spec.required_ruby_version = '>= 2.2.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler', '>= 1.6'
   spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'minitest'
   spec.add_development_dependency 'minitest-rg'
@@ -31,7 +31,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
 
+  spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_dependency 'recursive-open-struct', '~> 1.0', '>= 1.0.4'
-  spec.add_dependency 'http', '~> 3.0'
+  spec.add_dependency 'recursive-open-struct', '~> 1.1', '>= 1.1.1'
+  spec.add_dependency 'http', '>= 3.0', '< 5.0'
 end

data/lib/kubeclient.rb

@@ -1,11 +1,12 @@
 require 'json'
 require 'rest-client'
 
+require 'kubeclient/aws_eks_credentials'
 require 'kubeclient/common'
 require 'kubeclient/config'
 require 'kubeclient/entity_list'
-require 'kubeclient/google_application_default_credentials'
 require 'kubeclient/exec_credentials'
+require 'kubeclient/gcp_auth_provider'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
 require 'kubeclient/oidc_auth_provider'
@@ -27,7 +28,7 @@ module Kubeclient
         uri,
         '/api',
         version,
-        options
+        **options
       )
     end
   end

data/lib/kubeclient/aws_eks_credentials.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Get a bearer token to authenticate against aws eks.
+  class AmazonEksCredentials
+    class AmazonEksDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(credentials, eks_cluster)
+        begin
+          require 'aws-sigv4'
+          require 'base64'
+          require 'cgi'
+        rescue LoadError => e
+          raise AmazonEksDependencyError,
+                'Error requiring aws gems. Kubeclient itself does not include the following ' \
+                'gems: [aws-sigv4]. To support auth-provider eks, you must ' \
+                "include it in your calling application. Failed with: #{e.message}"
+        end
+        # https://github.com/aws/aws-sdk-ruby/pull/1848
+        # Get a signer
+        # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
+        signer = Aws::Sigv4::Signer.new(
+          service: 'sts',
+          region: 'us-east-1',
+          credentials: credentials
+        )
+
+        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
+        presigned_url_string = signer.presign_url(
+          http_method: 'GET',
+          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          body: '',
+          credentials: credentials,
+          expires_in: 60,
+          headers: {
+            'X-K8s-Aws-Id' => eks_cluster
+          }
+        )
+        kube_token = 'k8s-aws-v1.' + Base64.urlsafe_encode64(presigned_url_string.to_s).sub(/=*$/, '') # rubocop:disable Metrics/LineLength
+        kube_token
+      end
+    end
+  end
+end

data/lib/kubeclient/common.rb

@@ -5,7 +5,7 @@ module Kubeclient
   # Common methods
   # this is mixed in by other gems
   module ClientMixin
-    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch].freeze
+    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch apply].freeze
 
     DEFAULT_SSL_OPTIONS = {
       client_cert: nil,
@@ -37,10 +37,11 @@ module Kubeclient
     DEFAULT_HTTP_MAX_REDIRECTS = 10
 
     SEARCH_ARGUMENTS = {
-      'labelSelector' => :label_selector,
-      'fieldSelector' => :field_selector,
-      'limit'         => :limit,
-      'continue'      => :continue
+      'labelSelector'   => :label_selector,
+      'fieldSelector'   => :field_selector,
+      'resourceVersion' => :resource_version,
+      'limit'           => :limit,
+      'continue'        => :continue
     }.freeze
 
     WATCH_ARGUMENTS = {
@@ -212,12 +213,12 @@ module Kubeclient
         end
 
         # watch all entities of a type e.g. watch_nodes, watch_pods, etc.
-        define_singleton_method("watch_#{entity.method_names[1]}") do |options = {}|
+        define_singleton_method("watch_#{entity.method_names[1]}") do |options = {}, &block|
           # This method used to take resource_version as a param, so
           # this conversion is to keep backwards compatibility
           options = { resource_version: options } unless options.is_a?(Hash)
 
-          watch_entities(entity.resource_name, options)
+          watch_entities(entity.resource_name, options, &block)
         end
 
         # get a single entity of a specific type by name
@@ -228,7 +229,7 @@ module Kubeclient
 
         define_singleton_method("delete_#{entity.method_names[0]}") \
         do |name, namespace = nil, opts = {}|
-          delete_entity(entity.resource_name, name, namespace, opts)
+          delete_entity(entity.resource_name, name, namespace, **opts)
         end
 
         define_singleton_method("create_#{entity.method_names[0]}") do |entity_config|
@@ -253,6 +254,10 @@ module Kubeclient
         do |name, patch, namespace = nil|
           patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
+
+        define_singleton_method("apply_#{entity.method_names[0]}") do |*args|
+          apply_entity(entity.resource_name, *args)
+        end
       end
     end
     # rubocop:enable  Metrics/BlockLength
@@ -294,7 +299,9 @@ module Kubeclient
     #   :as (:raw|:ros) - defaults to :ros
     #     :raw - return the raw response body as a string
     #     :ros - return a collection of RecursiveOpenStruct objects
-    def watch_entities(resource_name, options = {})
+    # Accepts an optional block, that will be called with each entity,
+    # otherwise returns a WatchStream
+    def watch_entities(resource_name, options = {}, &block)
       ns = build_namespace_prefix(options[:namespace])
 
       path = "watch/#{ns}#{resource_name}"
@@ -305,11 +312,13 @@ module Kubeclient
       WATCH_ARGUMENTS.each { |k, v| params[k] = options[v] if options[v] }
       uri.query = URI.encode_www_form(params) if params.any?
 
-      Kubeclient::Common::WatchStream.new(
+      watcher = Kubeclient::Common::WatchStream.new(
         uri,
         http_options(uri),
         formatter: ->(value) { format_response(options[:as] || @as, value) }
       )
+
+      return_or_yield_to_watcher(watcher, &block)
     end
 
     # Accepts the following options:
@@ -406,6 +415,19 @@ module Kubeclient
       format_response(@as, response.body)
     end
 
+    def apply_entity(resource_name, resource, field_manager:, force: true)
+      name = "#{resource[:metadata][:name]}?fieldManager=#{field_manager}&force=#{force}"
+      ns_prefix = build_namespace_prefix(resource[:metadata][:namespace])
+      response = handle_exception do
+        rest_client[ns_prefix + resource_name + "/#{name}"]
+          .patch(
+            resource.to_json,
+            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(@headers)
+          )
+      end
+      format_response(@as, response.body)
+    end
+
     def all_entities(options = {})
       discover unless @discovered
       @entities.values.each_with_object({}) do |entity, result_hash|
@@ -422,13 +444,14 @@ module Kubeclient
 
     def get_pod_log(pod_name, namespace,
                     container: nil, previous: false,
-                    timestamps: false, since_time: nil, tail_lines: nil)
+                    timestamps: false, since_time: nil, tail_lines: nil, limit_bytes: nil)
       params = {}
       params[:previous] = true if previous
       params[:container] = container if container
       params[:timestamps] = timestamps if timestamps
       params[:sinceTime] = format_datetime(since_time) if since_time
       params[:tailLines] = tail_lines if tail_lines
+      params[:limitBytes] = limit_bytes if limit_bytes
 
       ns = build_namespace_prefix(namespace)
       handle_exception do
@@ -437,7 +460,7 @@ module Kubeclient
       end
     end
 
-    def watch_pod_log(pod_name, namespace, container: nil)
+    def watch_pod_log(pod_name, namespace, container: nil, &block)
       # Adding the "follow=true" query param tells the Kubernetes API to keep
       # the connection open and stream updates to the log.
       params = { follow: true }
@@ -449,7 +472,10 @@ module Kubeclient
       uri.path += "/#{@api_version}/#{ns}pods/#{pod_name}/log"
       uri.query = URI.encode_www_form(params)
 
-      Kubeclient::Common::WatchStream.new(uri, http_options(uri), formatter: ->(value) { value })
+      watcher = Kubeclient::Common::WatchStream.new(
+        uri, http_options(uri), formatter: ->(value) { value }
+      )
+      return_or_yield_to_watcher(watcher, &block)
     end
 
     def proxy_url(kind, name, port, namespace = '')
@@ -586,6 +612,16 @@ module Kubeclient
       raise ArgumentError, msg unless File.readable?(@auth_options[:bearer_token_file])
     end
 
+    def return_or_yield_to_watcher(watcher, &block)
+      return watcher unless block_given?
+
+      begin
+        watcher.each(&block)
+      ensure
+        watcher.finish
+      end
+    end
+
     def http_options(uri)
       options = {
         basic_auth_user: @auth_options[:username],

data/lib/kubeclient/config.rb

@@ -150,17 +150,10 @@ module Kubeclient
       if user.key?('token')
         options[:bearer_token] = user['token']
       elsif user.key?('exec')
-        exec_opts = user['exec'].dup
-        exec_opts['command'] = ext_command_path(exec_opts['command']) if exec_opts['command']
+        exec_opts = expand_command_option(user['exec'], 'command')
         options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
       elsif user.key?('auth-provider')
-        auth_provider = user['auth-provider']
-        options[:bearer_token] = case auth_provider['name']
-                                 when 'gcp'
-                                 then Kubeclient::GoogleApplicationDefaultCredentials.token
-                                 when 'oidc'
-                                 then Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
-                                 end
+        options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
       else
         %w[username password].each do |attr|
           options[attr.to_sym] = user[attr] if user.key?(attr)
@@ -168,5 +161,22 @@ module Kubeclient
       end
       options
     end
+
+    def fetch_token_from_provider(auth_provider)
+      case auth_provider['name']
+      when 'gcp'
+        config = expand_command_option(auth_provider['config'], 'cmd-path')
+        Kubeclient::GCPAuthProvider.token(config)
+      when 'oidc'
+        Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
+      end
+    end
+
+    def expand_command_option(config, key)
+      config = config.dup
+      config[key] = ext_command_path(config[key]) if config[key]
+
+      config
+    end
   end
 end

data/lib/kubeclient/gcp_auth_provider.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'kubeclient/google_application_default_credentials'
+require 'kubeclient/gcp_command_credentials'
+
+module Kubeclient
+  # Handle different ways to get a bearer token for Google Cloud Platform.
+  class GCPAuthProvider
+    class << self
+      def token(config)
+        if config.key?('cmd-path')
+          Kubeclient::GCPCommandCredentials.token(config)
+        else
+          Kubeclient::GoogleApplicationDefaultCredentials.token
+        end
+      end
+    end
+  end
+end

data/lib/kubeclient/gcp_command_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Generates a bearer token for Google Cloud Platform.
+  class GCPCommandCredentials
+    class << self
+      def token(config)
+        require 'open3'
+        require 'shellwords'
+        require 'json'
+        require 'jsonpath'
+
+        cmd = config['cmd-path']
+        args = config['cmd-args']
+        token_key = config['token-key']
+
+        out, err, st = Open3.capture3(cmd, *args.split(' '))
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        extract_token(out, token_key)
+      end
+
+      private
+
+      def extract_token(output, token_key)
+        JsonPath.on(output, token_key.gsub(/^{|}$/, '')).first
+      end
+    end
+  end
+end

data/lib/kubeclient/google_application_default_credentials.rb

@@ -16,7 +16,12 @@ module Kubeclient
                 'googleauth gem. To support auth-provider gcp, you must include it in your ' \
                 "calling application. Failed with: #{e.message}"
         end
-        scopes = ['https://www.googleapis.com/auth/cloud-platform']
+
+        scopes = [
+          'https://www.googleapis.com/auth/cloud-platform',
+          'https://www.googleapis.com/auth/userinfo.email'
+        ]
+
         authorization = Google::Auth.get_application_default(scopes)
         authorization.apply({})
         authorization.access_token

data/lib/kubeclient/oidc_auth_provider.rb

@@ -21,9 +21,7 @@ module Kubeclient
         discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
 
         if provider_config.key? 'id-token'
-          id_token = OpenIDConnect::ResponseObject::IdToken.decode provider_config['id-token'],
-                                                                   discovery.jwks
-          return provider_config['id-token'] unless expired?(id_token)
+          return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery)
         end
 
         client = OpenIDConnect::Client.new(
@@ -37,9 +35,17 @@ module Kubeclient
         client.access_token!.id_token
       end
 
-      def expired?(id_token)
+      def expired?(id_token, discovery)
+        decoded_token = OpenIDConnect::ResponseObject::IdToken.decode(
+          id_token,
+          discovery.jwks
+        )
         # If token expired or expiring within 60 seconds
-        Time.now.to_i + 60 > id_token.exp.to_i
+        Time.now.to_i + 60 > decoded_token.exp.to_i
+      rescue JSON::JWK::Set::KidNotFound
+        # Token cannot be verified: the kid it was signed with is not available for discovery
+        # Consider it expired and fetch a new one.
+        true
       end
     end
   end

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.3.0'.freeze
+  VERSION = '4.8.0'.freeze
 end

data/test/config/gcpcmdauth.kubeconfig

@@ -0,0 +1,26 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: application-default-credentials
+  name: localhost/application-default-credentials
+kind: Config
+preferences: {}
+users:
+- name: application-default-credentials
+  user:
+    auth-provider:
+      config:
+        access-token: <fake_token>
+        cmd-args: config config-helper --format=json
+        cmd-path: /path/to/gcloud
+        expiry: 2019-04-09T19:26:18Z
+        expiry-key: '{.credential.token_expiry}'
+        token-key: '{.credential.access_token}'
+      name: gcp

data/test/test_config.rb

@@ -146,6 +146,20 @@ class KubeclientConfigTest < MiniTest::Test
     assert_equal({ bearer_token: 'token1' }, context.auth_options)
   end
 
+  def test_gcp_command_auth
+    Kubeclient::GCPCommandCredentials.expects(:token)
+                                     .with('access-token' => '<fake_token>',
+                                           'cmd-args' => 'config config-helper --format=json',
+                                           'cmd-path' => '/path/to/gcloud',
+                                           'expiry' => '2019-04-09 19:26:18 UTC',
+                                           'expiry-key' => '{.credential.token_expiry}',
+                                           'token-key' => '{.credential.access_token}')
+                                     .returns('token1')
+                                     .once
+    config = Kubeclient::Config.read(config_file('gcpcmdauth.kubeconfig'))
+    config.context(config.contexts.first)
+  end
+
   def test_oidc_auth_provider
     Kubeclient::OIDCAuthProvider.expects(:token)
                                 .with('client-id' => 'fake-client-id',

data/test/test_gcp_command_credentials.rb

@@ -0,0 +1,27 @@
+require_relative 'test_helper'
+require 'open3'
+
+# Unit tests for the GCPCommandCredentials token provider
+class GCPCommandCredentialsTest < MiniTest::Test
+  def test_token
+    opts = { 'cmd-args' => 'config config-helper --format=json',
+             'cmd-path' => '/path/to/gcloud',
+             'expiry-key' => '{.credential.token_expiry}',
+             'token-key' => '{.credential.access_token}' }
+
+    creds = JSON.dump(
+      'credential' => {
+        'access_token' => '9A3A941836F2458175BE18AA1971EBBF47949B07',
+        'token_expiry' => '2019-04-12T15:02:51Z'
+      }
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal('9A3A941836F2458175BE18AA1971EBBF47949B07',
+                   Kubeclient::GCPCommandCredentials.token(opts))
+    end
+  end
+end

data/test/test_kubeclient.rb

@@ -296,6 +296,22 @@ class KubeclientTest < MiniTest::Test
     )
   end
 
+  def test_entities_with_resource_version
+    version = '329'
+
+    stub_core_api_list
+    stub_get_services
+
+    services = client.get_services(resource_version: version)
+
+    assert_instance_of(Kubeclient::Common::EntityList, services)
+    assert_requested(
+      :get,
+      "http://localhost:8080/api/v1/services?resourceVersion=#{version}",
+      times: 1
+    )
+  end
+
   def test_entities_with_field_selector
     selector = 'involvedObject.name=redis-master'
 

data/test/test_oidc_auth_provider.rb

@@ -57,6 +57,25 @@ class OIDCAuthProviderTest < MiniTest::Test
     end
   end
 
+  def test_token_with_unknown_kid
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(
+        :decode, ->(_token, _jwks) { raise JSON::JWK::Set::KidNotFound }
+      ) do
+        OpenIDConnect::Client.stub(:new, openid_client_mock) do
+          retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+            'client-id' => @client_id,
+            'client-secret' => @client_secret,
+            'id-token' => @id_token,
+            'idp-issuer-url' => @idp_issuer_url,
+            'refresh-token' => @refresh_token
+          )
+          assert_equal(@new_id_token, retrieved_id_token)
+        end
+      end
+    end
+  end
+
   private
 
   def openid_client_mock

data/test/test_pod_log.rb

@@ -69,12 +69,31 @@ class TestPodLog < MiniTest::Test
                      times: 1)
   end
 
+  def test_get_pod_limit_bytes
+    selected_bytes = open_test_file('pod_log.txt').read(10)
+
+    stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log})
+      .to_return(body: selected_bytes,
+                 status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    retrieved_log = client.get_pod_log('redis-master-pod',
+                                       'default',
+                                       limit_bytes: 10)
+
+    assert_equal(selected_bytes, retrieved_log)
+
+    assert_requested(:get,
+                     'http://localhost:8080/api/v1/namespaces/default/pods/redis-master-pod/log?limitBytes=10',
+                     times: 1)
+  end
+
   def test_watch_pod_log
-    expected_lines = open_test_file('pod_log.txt').read.split("\n")
+    file = open_test_file('pod_log.txt')
+    expected_lines = file.read.split("\n")
 
     stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log\?.*follow})
-      .to_return(body: open_test_file('pod_log.txt'),
-                 status: 200)
+      .to_return(body: file, status: 200)
 
     client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
 
@@ -85,6 +104,21 @@ class TestPodLog < MiniTest::Test
     end
   end
 
+  def test_watch_pod_log_with_block
+    file = open_test_file('pod_log.txt')
+    first = file.readlines.first.chomp
+
+    stub_request(:get, %r{/namespaces/default/pods/[a-z0-9-]+/log\?.*follow})
+      .to_return(body: file, status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+
+    client.watch_pod_log('redis-master-pod', 'default') do |line|
+      assert_equal first, line
+      break
+    end
+  end
+
   def test_watch_pod_log_follow_redirect
     expected_lines = open_test_file('pod_log.txt').read.split("\n")
     redirect = 'http://localhost:1234/api/namespaces/default/pods/redis-master-pod/log'

data/test/test_service.rb

@@ -274,6 +274,33 @@ class TestService < MiniTest::Test
     end
   end
 
+  def test_apply_service
+    service = Kubeclient::Resource.new
+    name = 'my_service'
+
+    service.metadata = {}
+    service.metadata.name      = name
+    service.metadata.namespace = 'development'
+    service.metadata.annotations = {}
+    service.metadata.annotations['key'] = 'value'
+
+    stub_core_api_list
+    resource_name = "#{name}?fieldManager=myapp&force=true"
+    expected_url = "http://localhost:8080/api/v1/namespaces/development/services/#{resource_name}"
+    stub_request(:patch, expected_url)
+      .to_return(body: open_test_file('service_patch.json'), status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    service = client.apply_service(service, field_manager: 'myapp')
+    assert_kind_of(RecursiveOpenStruct, service)
+
+    assert_requested(:patch, expected_url, times: 1) do |req|
+      data = JSON.parse(req.body)
+      req.headers['Content-Type'] == 'application/apply-patch+yaml' &&
+        data['metadata']['annotations']['key'] == 'value'
+    end
+  end
+
   def test_json_patch_service
     service = Kubeclient::Resource.new
     name = 'my-service'

data/test/test_watch.rb

@@ -27,6 +27,19 @@ class TestWatch < MiniTest::Test
     end
   end
 
+  def test_watch_pod_block
+    stub_core_api_list
+    stub_request(:get, %r{/watch/pods})
+      .to_return(body: open_test_file('watch_stream.json'),
+                 status: 200)
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    yielded = []
+    client.watch_pods { |notice| yielded << notice.type }
+
+    assert_equal %w[ADDED MODIFIED DELETED], yielded
+  end
+
   def test_watch_pod_raw
     stub_core_api_list
 

metadata

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.8.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-03 00:00:00.000000000 Z
+date: 2020-07-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.6'
 - !ruby/object:Gem::Dependency
@@ -150,6 +150,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: jsonpath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rest-client
   requirement: !ruby/object:Gem::Requirement
@@ -170,34 +184,40 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.1.1
 - !ruby/object:Gem::Dependency
   name: http
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 description: A client for Kubernetes REST api
 email:
 - abonas@redhat.com
@@ -216,10 +236,13 @@ files:
 - Rakefile
 - kubeclient.gemspec
 - lib/kubeclient.rb
+- lib/kubeclient/aws_eks_credentials.rb
 - lib/kubeclient/common.rb
 - lib/kubeclient/config.rb
 - lib/kubeclient/entity_list.rb
 - lib/kubeclient/exec_credentials.rb
+- lib/kubeclient/gcp_auth_provider.rb
+- lib/kubeclient/gcp_command_credentials.rb
 - lib/kubeclient/google_application_default_credentials.rb
 - lib/kubeclient/http_error.rb
 - lib/kubeclient/missing_kind_compatibility.rb
@@ -236,6 +259,7 @@ files:
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
 - test/config/gcpauth.kubeconfig
+- test/config/gcpcmdauth.kubeconfig
 - test/config/nouser.kubeconfig
 - test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
@@ -304,6 +328,7 @@ files:
 - test/test_config.rb
 - test/test_endpoint.rb
 - test/test_exec_credentials.rb
+- test/test_gcp_command_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb
@@ -347,8 +372,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: A client for Kubernetes REST api
@@ -361,6 +385,7 @@ test_files:
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
 - test/config/gcpauth.kubeconfig
+- test/config/gcpcmdauth.kubeconfig
 - test/config/nouser.kubeconfig
 - test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
@@ -429,6 +454,7 @@ test_files:
 - test/test_config.rb
 - test/test_endpoint.rb
 - test/test_exec_credentials.rb
+- test/test_gcp_command_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb