kubeclient 4.7.0 → 4.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 886ba443bde8e7b8a2403dc5cc300fa53f8ffdad30782f2c7c58911049d7d322
-  data.tar.gz: 340073ed06a0252095adb47a73ea972332e2615afdefe9fab5f357db61ceb2f4
+  metadata.gz: 21e5de1343a8f393c8eef653af1bb41e061bbee7fafa5d8cedafe8c163653071
+  data.tar.gz: aebdf094e7b05239467c8120382e47b65c82e031092cfc728b605f158257800a
 SHA512:
-  metadata.gz: 129ca12cda43fdb8e7c2b7400f31b6086cbd06ba4c7874a4c88d07fdcfeb165b88acb620a9673a1a3a7d60f12571cef48e4167f1dd65c8c68d35022db2264320
-  data.tar.gz: 6184774412f3d0fa0d5a16e43520530cf279a8f8d23129f50d9973a91f58cb8bf1db4c55ddccecb710ab7577ab1737a3eba569096b8b257935ee9463e23c34c6
+  metadata.gz: 161d8585521513897f730c0c1ab5f060634533cff048e146819dfa5c93e60afbdb67a4ed314245d61e343f7eca891454b2022e4ed9ced0117d518a8c2eb78ffa
+  data.tar.gz: 7f42460a4528177faccc81526ffc0904a5a7cc89ac56013fe99c208b6ab6cc2e7f289e1a654cb67f5f85985ffcd98af4b9e93b49cd052963d4d333697f50a7d5

data/.github/workflows/actions.yml

@@ -0,0 +1,43 @@
+name: CI
+on:
+  push:
+    branches:
+    - '**'
+    tags:
+    - '**'
+  pull_request:
+    branches:
+    - '**'
+jobs:
+  build:
+    continue-on-error: true
+    runs-on: ${{ matrix.os_and_command.os }}
+    strategy:
+      matrix:
+        ruby: [ '2.7', '3.0', '3.1', '3.2', 'ruby-head', 'truffleruby-head' ]
+        os_and_command:
+        - os: macos-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: windows-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: ubuntu-latest
+          # Sometimes minitest starts and then just hangs printing nothing.
+          # Github by default kills after 6hours(!). Hopefully SIGTERM may let it print some details?
+          command: 'timeout --signal=TERM 3m env TESTOPTS="--verbose" test/config/update_certs_k0s.rb'
+        include:
+        # run rubocop against lowest supported ruby
+        - os: ubuntu-latest
+          ruby: '2.7'
+          command: 'bundle exec rake rubocop'
+    name: ${{ matrix.os_and_command.os }} ${{ matrix.ruby }} rake ${{ matrix.os_and_command.command }}
+    steps:
+    - uses: actions/checkout@v4
+    # actions/setup-ruby did not support truffle or bundler caching
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
+    - run: bundle install
+    - run: ${{ matrix.os_and_command.command }}
+    timeout-minutes: 10
+

data/.rubocop.yml

@@ -1,35 +1,132 @@
 AllCops:
   DisplayCopNames: true
-  TargetRubyVersion: 2.2 # Oldest version kubeclient supports
+  TargetRubyVersion: 2.7 # Oldest version kubeclient supports
 MethodLength:
   Enabled: false
 ClassLength:
   Enabled: false
 Metrics/AbcSize:
   Enabled: false
-Metrics/LineLength:
-  Max: 100
 Metrics/ParameterLists:
   Max: 5
   CountKeywordArgs: false
-Metrics/CyclomaticComplexity:
-  Max: 8
-Metrics/PerceivedComplexity:
-  Max: 8
 Metrics/ModuleLength:
   Enabled: false
-Style/MethodCallWithArgsParentheses:
-  Enabled: true
-  IgnoredMethods: [require, raise, include, attr_reader, refute, assert]
-  Exclude: [Gemfile, Rakefile, kubeclient.gemspec, Gemfile.dev.rb]
 Metrics/BlockLength:
   Exclude: [kubeclient.gemspec]
 Security/MarshalLoad:
   Exclude: [test/**/*]
 Style/FileName:
   Exclude: [Gemfile, Rakefile, Gemfile.dev.rb]
-Style/MethodCallWithArgsParentheses:
-  IgnoredMethods:
-  - require_relative
 Style/RegexpLiteral:
   Enabled: false
+
+# Cops that have active offences in the codebase.
+Lint/RedundantCopDisableDirective:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Enabled: false
+  Max: 8
+Metrics/PerceivedComplexity:
+  Enabled: false
+  Max: 8
+Style/MethodCallWithArgsParentheses:
+  Enabled: false
+  IgnoredMethods: [require, require_relative, raise, include, attr_reader, refute, assert]
+  Exclude: [Gemfile, Rakefile, kubeclient.gemspec, Gemfile.dev.rb]
+Style/FrozenStringLiteralComment:
+  Enabled: false
+Lint/UnreachableLoop:
+  Enabled: false
+Style/RedundantRegexpEscape:
+  Enabled: false
+Layout/MultilineMethodCallIndentation:
+  Enabled: false
+Lint/UselessAssignment:
+  Enabled: false
+Style/StringLiterals:
+  Enabled: false
+Layout/ExtraSpacing:
+  Enabled: false
+Layout/IndentationWidth:
+  Enabled: false
+Naming/MethodParameterName:
+  Enabled: false
+Layout/HashAlignment:
+  Enabled: false
+Layout/TrailingWhitespace:
+  Enabled: false
+Naming/RescuedExceptionsVariableName:
+  Enabled: false
+Style/RedundantBegin:
+  Enabled: false
+Style/WordArray:
+  Enabled: false
+Style/ExplicitBlockArgument:
+  Enabled: false
+Layout/LeadingEmptyLines:
+  Enabled: false
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+Style/SafeNavigation:
+  Enabled: false
+Style/SoleNestedConditional:
+  Enabled: false
+Lint/MissingSuper:
+  Enabled: false
+Style/IfUnlessModifier:
+  Enabled: false
+Layout/LineLength:
+  Enabled: false
+Lint/MissingCopEnableDirective:
+  Enabled: false
+Naming/MethodName:
+  Enabled: false
+Style/StringConcatenation:
+  Enabled: false
+Style/SlicingWithRange:
+  Enabled: false
+Lint/MixedRegexpCaptureTypes:
+  Enabled: false
+Style/AccessorGrouping:
+  Enabled: false
+Style/HashEachMethods:
+  Enabled: false
+Naming/AccessorMethodName:
+  Enabled: false
+Style/RedundantAssignment:
+  Enabled: false
+Gemspec/OrderedDependencies:
+  Enabled: false
+Style/ExpandPathArguments:
+  Enabled: false
+Style/Encoding:
+  Enabled: false
+
+# New Cops to configure
+Lint/DuplicateBranch: # (new in 1.3)
+  Enabled: false
+Lint/DuplicateRegexpCharacterClassElement: # (new in 1.1)
+  Enabled: false
+Lint/EmptyBlock: # (new in 1.1)
+  Enabled: false
+Lint/EmptyClass: # (new in 1.3)
+  Enabled: false
+Lint/NoReturnInBeginEndBlocks: # (new in 1.2)
+  Enabled: false
+Lint/ToEnumArguments: # (new in 1.1)
+  Enabled: false
+Lint/UnmodifiedReduceAccumulator: # (new in 1.1)
+  Enabled: false
+Style/ArgumentsForwarding: # (new in 1.1)
+  Enabled: false
+Style/CollectionCompact: # (new in 1.2)
+  Enabled: false
+Style/DocumentDynamicEvalDefinition: # (new in 1.1)
+  Enabled: false
+Style/NegatedIfElseCondition: # (new in 1.2)
+  Enabled: false
+Style/NilLambda: # (new in 1.3)
+  Enabled: false
+Style/SwapValues: # (new in 1.1)
+  Enabled: false

data/CHANGELOG.md

@@ -4,6 +4,125 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.12.0 - 2024-06-18
+
+### Added
+- Add test coverage for Ruby 3.2 (#615)
+- Allow a region when getting a signer for Aws::Sts (#507)
+- Update the AWS STS endpoint to be regional as the method is now regional (#528)
+- Assume role support for aws eks credentials (#630)
+
+### Fixed
+- [v4.y] Regenerated expired test TLS certs by running `test/config/update_certs_k0s.rb`.
+- [v4.y] Regenerated expired test TLS certs (#611)
+- Regenerated expired test TLS certs (#632)
+
+### Changed
+- Update actions/checkout (#590)
+- chore(deps): update actions/checkout action to v4 (#619)
+
+## 4.11.0 — 2022-12-22
+
+### Removed
+
+- Dropped support for EOL Ruby versions 2.5, 2.6. (#589)
+
+### Added
+
+- Relaxed dependency on `http` gem (used for watches) to allow 5.y.z versions. (#589)
+
+  - Specifically, http 5.1.1 may fix issues watching with IPv6. (#585)
+
+## 4.10.1 — 2022-10-01
+
+### Removed
+
+- Dropped debug logging about bearer token options that was added in 4.10.0. (#577)
+
+## 4.10.0 — 2022-08-29
+
+### Added
+
+- When using `:bearer_token_file`, re-read the file on every request. (#566 closed #561)
+
+  Kubernetes version 1.21 graduated [BoundServiceAccountTokenVolume feature][] to beta
+  and enabled it by default, so standard in-cluster auth now uses short-lived tokens.
+
+  This changes allows a long-lived `Client` object to keep working when the token file gets
+  rotated.  It's not optimized at all, if you feel the performance overhead, please report!
+
+  [BoundServiceAccountTokenVolume feature]: https://github.com/kubernetes/enhancements/issues/542
+
+## 4.9.3 — 2022-03-23
+
+### Fixed
+
+- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
+  (normal situation for production clusters with public domain and certificate!),
+  `Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(
+
+  Assuming you passed those ssl_options to Kubeclient::Client, this means that
+  instead of checking server's certificate against your system CA store,
+  it would accept ANY certificate, allowing easy man-in-the middle attacks.
+
+  This is especially dangerous with user/password or token credentials
+  because MITM attacker could simply steal those credentials to the cluster
+  and do anything you could do on the cluster.
+
+  This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
+  [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
+
+  [#554](https://github.com/ManageIQ/kubeclient/issues/554).
+
+- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
+  When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
+
+  Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
+  `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
+
+  [#555](https://github.com/ManageIQ/kubeclient/issues/555).
+
+- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
+  several certificates.  Previously, server's cert was checked against only first CA cert,
+  resulting in possible "certificate verify failed" errors.
+
+  An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
+  itself is signed by another custom CA.
+  But also helps when you simply concatenate independent certs. (#461, #552)
+
+  - Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
+    method that handles only one cert.
+
+These don't affect code that supplies `Client` parameters directly,
+only code that uses `Config`.
+
+## 4.9.2 — 2021-05-30
+
+### Added
+- Ruby 3.0 compatibility (#500, #505).
+
+### Removed
+- Reduce .gem size by dropping test/ directory, it's useless at run time (#502).
+
+## 4.9.1 — 2020-08-31
+### Fixed
+- Now should work with apiserver deployed not at root of domain but a sub-path,
+  which is standard with Rancher.
+  Notably, `create_...` methods were sending bad apiVersion and getting 400 error.
+  (#457, hopefully fixes #318, #418 and https://gitlab.com/gitlab-org/gitlab/-/issues/22043)
+
+## 4.9.0 - 2020-08-03
+### Added
+- Support for `user: exec` credential plugins using TLS client auth (#453)
+
+## 4.8.0 — 2020-07-03
+
+### Added
+- Support for server-side apply (#448).
+
+### Fixed
+- Declared forgotten dependency on jsonpath, needed for `gcp` provider with `cmd-path` (#450).
+
 ## 4.7.0 — 2020-06-14
 
 ### Fixed

data/README.md

@@ -9,6 +9,12 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
 The client currently supports Kubernetes REST api version v1.
 To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)
 
+## VULNERABILITY❗
+
+If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
+endangering your connection and cluster credentials.
+See https://github.com/ManageIQ/kubeclient/issues/554 for details and which versions got a fix.
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -98,8 +104,8 @@ client = Kubeclient::Client.new(
 ### Authentication
 
 If you are using basic authentication or bearer tokens as described
-[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md) then you can specify one
-of the following:
+[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md)
+then you can specify one of the following:
 
 ```ruby
 auth_options = {
@@ -111,7 +117,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (fixed token, if it expires it's up to you to create a new `Client` object):
 
 ```ruby
 auth_options = {
@@ -122,7 +128,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (will automatically re-read the token if file is updated):
 
 ```ruby
 auth_options = {
@@ -307,10 +313,14 @@ require 'aws-sdk-core'
 credentials = Aws::Credentials.new(access_key, secret_key)
 # Or a profile
 credentials = Aws::SharedCredentials.new(profile_name: 'default').credentials
+# Or for an STS Assumed Role Credentials or any other credential Provider other than Static Credentials
+credentials = Aws::AssumeRoleCredentials.new({ client: sts_client, role_arn: role_arn, role_session_name: session_name })
 
+# Kubeclient Auth Options
 auth_options = {
   bearer_token: Kubeclient::AmazonEksCredentials.token(credentials, eks_cluster_name)
 }
+
 client = Kubeclient::Client.new(
   eks_cluster_https_endpoint, 'v1', auth_options: auth_options
 )
@@ -447,6 +457,9 @@ update_foo(Kubeclient::Resource.new({metadata: {name: 'name', ...}, ...}))  # gl
 
 patch_foo('name', patch, 'namespace')    # namespaced
 patch_foo('name', patch)                 # global
+
+apply_foo(Kubeclient::Resource.new({metadata: {name: 'name', namespace: 'namespace', ...}, ...}), field_manager: 'myapp', **opts)
+apply_foo(Kubeclient::Resource.new({metadata: {name: 'name', ...}, ...}), field_manager: 'myapp', **opts)  # global
 ```
 
 These grew to be quite inconsistent :confounded:, see https://github.com/abonas/kubeclient/issues/312 and https://github.com/abonas/kubeclient/issues/332 for improvement plans.
@@ -702,6 +715,30 @@ patched = client.patch_pod("docker-registry", {metadata: {annotations: {key: 'va
 
 `patch_#{entity}` is called using a [strategic merge patch](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch). `json_patch_#{entity}` and `merge_patch_#{entity}` are also available that use JSON patch and JSON merge patch, respectively. These strategies are useful for resources that do not support strategic merge patch, such as Custom Resources. Consult the [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment) for more information about the different patch strategies.
 
+### Apply an entity
+
+This is similar to `kubectl apply --server-side` (kubeclient doesn't implement logic for client-side apply). See https://kubernetes.io/docs/reference/using-api/api-concepts/#server-side-apply
+
+For example: `apply_pod`
+
+Input parameters - resource (Kubeclient::Resource) representing the desired state of the resource, field_manager (String) to identify the system managing the state of the resource, force (Boolean) whether or not to override a field managed by someone else.
+
+Example:
+
+```ruby
+service = Kubeclient::Resource.new(
+  metadata: {
+    name: 'redis-master',
+    namespace: 'staging',
+  },
+  spec: {
+    ...
+  }
+)
+
+client.apply_service(service, field_manager: 'myapp')
+```
+
 ### Get all entities of all types : all_entities
 
 Makes requests for all entities of each discovered kind (in this client's API group).  This method is a convenience method instead of calling each entity's get method separately.

data/RELEASING.md

@@ -4,10 +4,6 @@
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 At some point in time it is decided to release version x.y.z.
 
-```bash
-RELEASE_BRANCH="master"
-```
-
 ## 0. (once) Install gem-release, needed for several commands here:
 
 ```bash
@@ -16,13 +12,17 @@ gem install gem-release
 
 ## 1. PR(s) for changelog & bump
 
-Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
-
-Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
+RELEASE_BRANCH="master"
 RELEASE_VERSION=x.y.z
 
 git checkout -b "release-$RELEASE_VERSION" $RELEASE_BRANCH
+```
+
+Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
+
+Bump `lib/kubeclient/version.rb` manually, or by using:
+```bash
 # Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
@@ -46,7 +46,7 @@ Make sure we're locally after the bump PR *merge commit*:
 ```bash
 git checkout $RELEASE_BRANCH
 git status # Make sure there are no local changes
-git pull --ff-only https://github.com/abonas/kubeclient $RELEASE_BRANCH
+git pull --ff-only https://github.com/ManageIQ/kubeclient $RELEASE_BRANCH
 git log -n1
 ```
 

data/kubeclient.gemspec

@@ -14,15 +14,16 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/abonas/kubeclient'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0")
+  git_files = `git ls-files -z`.split("\x0")
+  spec.files         = git_files.grep_v(%r{^(test|spec|features)/})
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.test_files    = []
   spec.require_paths = ['lib']
-  spec.required_ruby_version = '>= 2.2.0'
+  spec.required_ruby_version = '>= 2.7.0'
 
   spec.add_development_dependency 'bundler', '>= 1.6'
-  spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'minitest', '~> 5.15.0'
   spec.add_development_dependency 'minitest-rg'
   spec.add_development_dependency 'webmock', '~> 3.0'
   spec.add_development_dependency 'vcr'
@@ -30,9 +31,12 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
-  spec.add_development_dependency 'jsonpath', '~> 1.0'
+  spec.add_development_dependency 'net-smtp'
+  # needed on Windows, at least for openid_connect
+  spec.add_development_dependency 'tzinfo-data'
 
+  spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'
   spec.add_dependency 'recursive-open-struct', '~> 1.1', '>= 1.1.1'
-  spec.add_dependency 'http', '>= 3.0', '< 5.0'
+  spec.add_dependency 'http', '>= 3.0', '< 6.0'
 end

data/lib/kubeclient/aws_eks_credentials.rb

@@ -7,7 +7,7 @@ module Kubeclient
     end
 
     class << self
-      def token(credentials, eks_cluster)
+      def token(credentials, eks_cluster, region: 'us-east-1')
         begin
           require 'aws-sigv4'
           require 'base64'
@@ -20,17 +20,26 @@ module Kubeclient
         end
         # https://github.com/aws/aws-sdk-ruby/pull/1848
         # Get a signer
-        # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
-        signer = Aws::Sigv4::Signer.new(
-          service: 'sts',
-          region: 'us-east-1',
-          credentials: credentials
-        )
+        signer = if credentials.respond_to?(:credentials)
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials_provider: credentials
+                   )
+                 else
+                   Aws::Sigv4::Signer.new(
+                     service: 'sts',
+                     region: region,
+                     credentials: credentials
+                   )
+                 end
+
+        credentials = credentials.credentials if credentials.respond_to?(:credentials)
 
         # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
         presigned_url_string = signer.presign_url(
           http_method: 'GET',
-          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          url: "https://sts.#{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
           body: '',
           credentials: credentials,
           expires_in: 60,