RubyGems - kubeclient - Versions diffs - 4.7.0 → 4.12.0 - Mend

kubeclient 4.7.0 → 4.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (117) hide show

checksums.yaml +4 -4
data/.github/workflows/actions.yml +43 -0
data/.rubocop.yml +111 -14
data/CHANGELOG.md +119 -0
data/README.md +41 -4
data/RELEASING.md +8 -8
data/kubeclient.gemspec +11 -7
data/lib/kubeclient/aws_eks_credentials.rb +17 -8
data/lib/kubeclient/common.rb +55 -21
data/lib/kubeclient/config.rb +33 -13
data/lib/kubeclient/exec_credentials.rb +33 -4
data/lib/kubeclient/version.rb +1 -1
data/lib/kubeclient/watch_stream.rb +1 -0
metadata +46 -222
data/.travis.yml +0 -29
data/test/cassettes/kubernetes_guestbook.yml +0 -879
data/test/config/allinone.kubeconfig +0 -20
data/test/config/execauth.kubeconfig +0 -62
data/test/config/external-ca.pem +0 -18
data/test/config/external-cert.pem +0 -19
data/test/config/external-key.rsa +0 -27
data/test/config/external.kubeconfig +0 -20
data/test/config/gcpauth.kubeconfig +0 -22
data/test/config/gcpcmdauth.kubeconfig +0 -26
data/test/config/nouser.kubeconfig +0 -16
data/test/config/oidcauth.kubeconfig +0 -25
data/test/config/timestamps.kubeconfig +0 -25
data/test/config/userauth.kubeconfig +0 -28
data/test/json/bindings_list.json +0 -10
data/test/json/component_status.json +0 -17
data/test/json/component_status_list.json +0 -52
data/test/json/config.istio.io_api_resource_list.json +0 -679
data/test/json/config_map_list.json +0 -9
data/test/json/core_api_resource_list.json +0 -181
data/test/json/core_api_resource_list_without_kind.json +0 -129
data/test/json/core_oapi_resource_list_without_kind.json +0 -197
data/test/json/created_endpoint.json +0 -28
data/test/json/created_namespace.json +0 -20
data/test/json/created_secret.json +0 -16
data/test/json/created_security_context_constraint.json +0 -65
data/test/json/created_service.json +0 -31
data/test/json/empty_pod_list.json +0 -9
data/test/json/endpoint_list.json +0 -48
data/test/json/entity_list.json +0 -56
data/test/json/event_list.json +0 -35
data/test/json/extensions_v1beta1_api_resource_list.json +0 -217
data/test/json/limit_range.json +0 -23
data/test/json/limit_range_list.json +0 -31
data/test/json/namespace.json +0 -13
data/test/json/namespace_exception.json +0 -8
data/test/json/namespace_list.json +0 -32
data/test/json/node.json +0 -29
data/test/json/node_list.json +0 -37
data/test/json/node_notice.json +0 -160
data/test/json/persistent_volume.json +0 -37
data/test/json/persistent_volume_claim.json +0 -32
data/test/json/persistent_volume_claim_list.json +0 -40
data/test/json/persistent_volume_claims_nil_items.json +0 -8
data/test/json/persistent_volume_list.json +0 -45
data/test/json/pod.json +0 -92
data/test/json/pod_list.json +0 -79
data/test/json/pod_template_list.json +0 -9
data/test/json/pods_1.json +0 -265
data/test/json/pods_2.json +0 -102
data/test/json/pods_410.json +0 -9
data/test/json/processed_template.json +0 -27
data/test/json/replication_controller.json +0 -57
data/test/json/replication_controller_list.json +0 -66
data/test/json/resource_quota.json +0 -46
data/test/json/resource_quota_list.json +0 -54
data/test/json/secret_list.json +0 -44
data/test/json/security.openshift.io_api_resource_list.json +0 -69
data/test/json/security_context_constraint_list.json +0 -375
data/test/json/service.json +0 -33
data/test/json/service_account.json +0 -25
data/test/json/service_account_list.json +0 -82
data/test/json/service_illegal_json_404.json +0 -1
data/test/json/service_json_patch.json +0 -26
data/test/json/service_list.json +0 -97
data/test/json/service_merge_patch.json +0 -26
data/test/json/service_patch.json +0 -25
data/test/json/service_update.json +0 -22
data/test/json/template.json +0 -27
data/test/json/template.openshift.io_api_resource_list.json +0 -75
data/test/json/template_list.json +0 -35
data/test/json/versions_list.json +0 -6
data/test/json/watch_stream.json +0 -3
data/test/test_common.rb +0 -95
data/test/test_component_status.rb +0 -29
data/test/test_config.rb +0 -222
data/test/test_endpoint.rb +0 -54
data/test/test_exec_credentials.rb +0 -125
data/test/test_gcp_command_credentials.rb +0 -27
data/test/test_google_application_default_credentials.rb +0 -15
data/test/test_guestbook_go.rb +0 -235
data/test/test_helper.rb +0 -18
data/test/test_kubeclient.rb +0 -881
data/test/test_limit_range.rb +0 -25
data/test/test_missing_methods.rb +0 -80
data/test/test_namespace.rb +0 -59
data/test/test_node.rb +0 -70
data/test/test_oidc_auth_provider.rb +0 -103
data/test/test_persistent_volume.rb +0 -29
data/test/test_persistent_volume_claim.rb +0 -28
data/test/test_pod.rb +0 -81
data/test/test_pod_log.rb +0 -157
data/test/test_process_template.rb +0 -80
data/test/test_replication_controller.rb +0 -47
data/test/test_resource_list_without_kind.rb +0 -78
data/test/test_resource_quota.rb +0 -23
data/test/test_secret.rb +0 -62
data/test/test_security_context_constraint.rb +0 -62
data/test/test_service.rb +0 -330
data/test/test_service_account.rb +0 -26
data/test/test_watch.rb +0 -195
data/test/txt/pod_log.txt +0 -6
data/test/valid_token_file +0 -1

data/lib/kubeclient/common.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Kubeclient
   # Common methods
   # this is mixed in by other gems
   module ClientMixin
-    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch].freeze
+    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch apply].freeze
     DEFAULT_SSL_OPTIONS = {
       client_cert: nil,
@@ -78,7 +78,7 @@ module Kubeclient
       @api_version = version
       @headers = {}
       @ssl_options = ssl_options
-      @auth_options = auth_options
+      @auth_options = auth_options.dup
       @socket_options = socket_options
       # Allow passing partial timeouts hash, without unspecified
       # @timeouts[:foo] == nil resulting in infinite timeout.
@@ -87,11 +87,11 @@ module Kubeclient
       @http_max_redirects = http_max_redirects
       @as = as
-      if auth_options[:bearer_token]
-        bearer_token(@auth_options[:bearer_token])
-      elsif auth_options[:bearer_token_file]
+      if auth_options[:bearer_token_file]
         validate_bearer_token_file
         bearer_token(File.read(@auth_options[:bearer_token_file]))
+      elsif auth_options[:bearer_token]
+        bearer_token(@auth_options[:bearer_token])
       end
     end
@@ -136,6 +136,11 @@ module Kubeclient
       @discovered = true
     end
+    def get_headers
+      bearer_token(File.read(@auth_options[:bearer_token_file])) if @auth_options[:bearer_token_file]
+      @headers
+    end
     def self.parse_definition(kind, name)
       # Kubernetes gives us 3 inputs:
       #   kind: "ComponentStatus", "NetworkPolicy", "Endpoints"
@@ -194,10 +199,22 @@ module Kubeclient
     def handle_uri(uri, path)
       raise ArgumentError, 'Missing uri' unless uri
       @api_endpoint = (uri.is_a?(URI) ? uri : URI.parse(uri))
-      @api_endpoint.path = path if @api_endpoint.path.empty?
-      @api_endpoint.path = @api_endpoint.path.chop if @api_endpoint.path.end_with?('/')
-      components = @api_endpoint.path.to_s.split('/') # ["", "api"] or ["", "apis", batch]
-      @api_group = components.length > 2 ? components[2] + '/' : ''
+      # This regex will anchor at the last `/api`, `/oapi` or`/apis/:group`) part of the URL
+      # The whole path will be matched and if existing, the api_group will be extracted.
+      re = /^(?<path>.*\/o?api(?:s\/(?<apigroup>[^\/]+))?)$/mi
+      match = re.match(@api_endpoint.path.chomp('/'))
+      if match
+        # Since `re` captures 2 groups, match will always have 3 elements
+        # If thus we have a non-nil value in match 2, this is our api_group.
+        @api_group = match[:apigroup].nil? ? '' : match[:apigroup] + '/'
+        @api_endpoint.path = match[:path]
+      else
+        # This is a fallback, for when `/api` was not provided as part of the uri
+        @api_group = ''
+        @api_endpoint.path = @api_endpoint.path.chomp('/') + path
+      end
     end
     def build_namespace_prefix(namespace)
@@ -254,6 +271,10 @@ module Kubeclient
         do |name, patch, namespace = nil|
           patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
+        define_singleton_method("apply_#{entity.method_names[0]}") do |resource, opts = {}|
+          apply_entity(entity.resource_name, resource, **opts)
+        end
       end
     end
     # rubocop:enable  Metrics/BlockLength
@@ -333,7 +354,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(options[:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
       format_response(options[:as] || @as, response.body, entity_type)
     end
@@ -346,7 +367,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .get(@headers)
+          .get(get_headers)
       end
       format_response(options[:as] || @as, response.body)
     end
@@ -362,7 +383,7 @@ module Kubeclient
           rs.options.merge(
             method: :delete,
             url: rs.url,
-            headers: { 'Content-Type' => 'application/json' }.merge(@headers),
+            headers: { 'Content-Type' => 'application/json' }.merge(get_headers),
             payload: payload
           )
         )
@@ -384,7 +405,7 @@ module Kubeclient
       hash[:apiVersion] = @api_group + @api_version
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -394,7 +415,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(entity_config[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -405,7 +426,20 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(get_headers)
+          )
+      end
+      format_response(@as, response.body)
+    end
+    def apply_entity(resource_name, resource, field_manager:, force: true)
+      name = "#{resource[:metadata][:name]}?fieldManager=#{field_manager}&force=#{force}"
+      ns_prefix = build_namespace_prefix(resource[:metadata][:namespace])
+      response = handle_exception do
+        rest_client[ns_prefix + resource_name + "/#{name}"]
+          .patch(
+            resource.to_json,
+            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -439,7 +473,7 @@ module Kubeclient
       ns = build_namespace_prefix(namespace)
       handle_exception do
         rest_client[ns + "pods/#{pod_name}/log"]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
     end
@@ -477,7 +511,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(template[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + 'processedtemplates']
-          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       JSON.parse(response)
     end
@@ -490,7 +524,7 @@ module Kubeclient
     end
     def api
-      response = handle_exception { create_rest_client.get(@headers) }
+      response = handle_exception { create_rest_client.get(get_headers) }
       JSON.parse(response)
     end
@@ -564,7 +598,7 @@ module Kubeclient
     end
     def fetch_entities
-      JSON.parse(handle_exception { rest_client.get(@headers) })
+      JSON.parse(handle_exception { rest_client.get(get_headers) })
     end
     def bearer_token(bearer_token)
@@ -609,11 +643,11 @@ module Kubeclient
       options = {
         basic_auth_user: @auth_options[:username],
         basic_auth_password: @auth_options[:password],
-        headers: @headers,
+        headers: get_headers,
         http_proxy_uri: @http_proxy_uri,
         http_max_redirects: http_max_redirects
       }
+      options[:bearer_token_file] = @auth_options[:bearer_token_file] if @auth_options[:bearer_token_file]
       if uri.scheme == 'https'
         options[:ssl] = {
           ca_file: @ssl_options[:ca_file],

data/lib/kubeclient/config.rb CHANGED Viewed

@@ -30,7 +30,12 @@ module Kubeclient
     # Builds Config instance by parsing given file, with lookups relative to file's directory.
     def self.read(filename)
-      parsed = YAML.safe_load(File.read(filename), [Date, Time])
+      parsed =
+        if RUBY_VERSION >= '2.6'
+          YAML.safe_load(File.read(filename), permitted_classes: [Date, Time])
+        else
+          YAML.safe_load(File.read(filename), [Date, Time])
+        end
       Config.new(parsed, File.dirname(filename))
     end
@@ -41,20 +46,27 @@ module Kubeclient
     def context(context_name = nil)
       cluster, user, namespace = fetch_context(context_name || @kcfg['current-context'])
-      ca_cert_data     = fetch_cluster_ca_data(cluster)
+      if user.key?('exec')
+        exec_opts = expand_command_option(user['exec'], 'command')
+        user['exec_result'] = ExecCredentials.run(exec_opts)
+      end
       client_cert_data = fetch_user_cert_data(user)
       client_key_data  = fetch_user_key_data(user)
       auth_options     = fetch_user_auth_options(user)
       ssl_options = {}
-      if !ca_cert_data.nil?
+      ssl_options[:verify_ssl] = if cluster['insecure-skip-tls-verify'] == true
+                                   OpenSSL::SSL::VERIFY_NONE
+                                 else
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 end
+      if cluster_ca_data?(cluster)
         cert_store = OpenSSL::X509::Store.new
-        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        populate_cert_store_from_cluster_ca_data(cluster, cert_store)
         ssl_options[:cert_store] = cert_store
-      else
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
       end
       unless client_cert_data.nil?
@@ -121,11 +133,16 @@ module Kubeclient
       [cluster, user, namespace]
     end
-    def fetch_cluster_ca_data(cluster)
+    def cluster_ca_data?(cluster)
+      cluster.key?('certificate-authority') || cluster.key?('certificate-authority-data')
+    end
+    def populate_cert_store_from_cluster_ca_data(cluster, cert_store)
       if cluster.key?('certificate-authority')
-        File.read(ext_file_path(cluster['certificate-authority']))
+        cert_store.add_file(ext_file_path(cluster['certificate-authority']))
       elsif cluster.key?('certificate-authority-data')
-        Base64.decode64(cluster['certificate-authority-data'])
+        ca_cert_data = Base64.decode64(cluster['certificate-authority-data'])
+        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
       end
     end
@@ -134,6 +151,8 @@ module Kubeclient
         File.read(ext_file_path(user['client-certificate']))
       elsif user.key?('client-certificate-data')
         Base64.decode64(user['client-certificate-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientCertificateData')
+        user['exec_result']['clientCertificateData']
       end
     end
@@ -142,6 +161,8 @@ module Kubeclient
         File.read(ext_file_path(user['client-key']))
       elsif user.key?('client-key-data')
         Base64.decode64(user['client-key-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientKeyData')
+        user['exec_result']['clientKeyData']
       end
     end
@@ -149,9 +170,8 @@ module Kubeclient
       options = {}
       if user.key?('token')
         options[:bearer_token] = user['token']
-      elsif user.key?('exec')
-        exec_opts = expand_command_option(user['exec'], 'command')
-        options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
+      elsif user.key?('exec_result') && user['exec_result'].key?('token')
+        options[:bearer_token] = user['exec_result']['token']
       elsif user.key?('auth-provider')
         options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
       else

data/lib/kubeclient/exec_credentials.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Kubeclient
   # Inspired by https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go
   class ExecCredentials
     class << self
-      def token(opts)
+      def run(opts)
         require 'open3'
         require 'json'
@@ -25,7 +25,7 @@ module Kubeclient
         creds = JSON.parse(out)
         validate_credentials(opts, creds)
-        creds['status']['token']
+        creds['status']
       end
       private
@@ -34,6 +34,36 @@ module Kubeclient
         raise KeyError, 'exec command is required' unless opts['command']
       end
+      def validate_client_credentials_status(status)
+        has_client_cert_data = status.key?('clientCertificateData')
+        has_client_key_data = status.key?('clientKeyData')
+        if has_client_cert_data && !has_client_key_data
+          raise 'exec plugin didn\'t return client key data'
+        end
+        if !has_client_cert_data && has_client_key_data
+          raise 'exec plugin didn\'t return client certificate data'
+        end
+        has_client_cert_data && has_client_key_data
+      end
+      def validate_credentials_status(status)
+        raise 'exec plugin didn\'t return a status field' if status.nil?
+        has_client_credentials = validate_client_credentials_status(status)
+        has_token = status.key?('token')
+        if has_client_credentials && has_token
+          raise 'exec plugin returned both token and client data'
+        end
+        return if has_client_credentials || has_token
+        raise 'exec plugin didn\'t return a token or client data' unless has_token
+      end
       def validate_credentials(opts, creds)
         # out should have ExecCredential structure
         raise 'invalid credentials' if creds.nil?
@@ -45,8 +75,7 @@ module Kubeclient
             "plugin returned version #{creds['apiVersion']}"
         end
-        raise 'exec plugin didn\'t return a status field' if creds['status'].nil?
-        raise 'exec plugin didn\'t return a token' if creds['status']['token'].nil?
+        validate_credentials_status(creds['status'])
       end
       # Transform name/value pairs to hash

data/lib/kubeclient/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.7.0'.freeze
+  VERSION = '4.12.0'.freeze
 end

data/lib/kubeclient/watch_stream.rb CHANGED Viewed

@@ -79,6 +79,7 @@ module Kubeclient
       end
       def build_client_options
+        @http_options[:headers][:Authorization] = "Bearer #{File.read(@http_options[:bearer_token_file])}" if @http_options[:bearer_token_file]
         client_options = {
           headers: @http_options[:headers],
           proxy: using_proxy