kubeclient 4.9.3 → 4.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f402a08fef66f160df49d507487769073b248828869a2c874d78e947b1d6686
-  data.tar.gz: 5d371f47861538f1e3e9deced8d1c41be1e0ca857ab8ed0607a75417948bb6f6
+  metadata.gz: 287033950a2bdc37a0d5829270cffa4c6db6802e315cd54db01d91a98961964b
+  data.tar.gz: c469d2d8a274bafb576f876d9f62a6e8384ef20943a0aa1b93f4f05dbeb721e2
 SHA512:
-  metadata.gz: f06a16d02e150194d06a4aa2c37a23bd1b7bbef4daca379ed7f60dd9581310b98cd3026d86e90b1b23d861fe6186d05e003d41380cb1edeaf7a2e52ccc594520
-  data.tar.gz: 7fbceb84c48af3bf4f28eadb05a2807a61196a26a66d72eb836ee5faa23d9a22fb1bd8e76fd16febd794007f1f0fd487000db40f543143789d33225c2350ccd0
+  metadata.gz: ccb85f7481dc3b20db30c919a94182e92fdab97e70e5f14f621449006d40a7626ff87351fbcb97e5affa5a1fab9207c7b6401c37d6c5b1cb1c4f68dc12ed25ce
+  data.tar.gz: 04fe6ad1089bc48590923fcae56274733c1063d5ece677bca85d97c1602c252c86bed15d067099ef1a618e475f95a387fcf58a75f58f70fe1152b4181bf43127

data/.github/workflows/actions.yml

@@ -16,7 +16,9 @@ jobs:
       matrix:
         ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1', 'ruby-head', 'truffleruby-head' ]
         os_and_command:
-        - os: 'macos-latest'
+        - os: macos-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: windows-latest
           command: 'env TESTOPTS="--verbose" bundle exec rake test'
         - os: ubuntu-latest
           # Sometimes minitest starts and then just hangs printing nothing.
@@ -35,7 +37,6 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
-    - run: gem install rake bundler
     - run: bundle install
     - run: ${{ matrix.os_and_command.command }}
     timeout-minutes: 10

data/CHANGELOG.md

@@ -4,7 +4,27 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
-## 4.9.3 — 2021-03-23
+## 4.10.1 — 2022-10-01
+
+### Removed
+
+- Dropped debug logging about bearer token options that was added in 4.10.0. (#577)
+
+## 4.10.0 — 2022-08-29
+
+### Added
+
+- When using `:bearer_token_file`, re-read the file on every request. (#566 closed #561)
+
+  Kubernetes version 1.21 graduated [BoundServiceAccountTokenVolume feature][] to beta
+  and enabled it by default, so standard in-cluster auth now uses short-lived tokens.
+
+  This changes allows a long-lived `Client` object to keep working when the token file gets
+  rotated.  It's not optimized at all, if you feel the performance overhead, please report!
+
+  [BoundServiceAccountTokenVolume feature]: https://github.com/kubernetes/enhancements/issues/542
+
+## 4.9.3 — 2022-03-23
 
 ### Fixed
 
@@ -23,12 +43,16 @@ Kubeclient release versioning follows [SemVer](https://semver.org/).
   This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
   [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
 
+  [#554](https://github.com/ManageIQ/kubeclient/issues/554).
+
 - Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
   When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
 
   Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
   `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
 
+  [#555](https://github.com/ManageIQ/kubeclient/issues/555).
+
 - `Config`: fixed parsing of `certificate-authority` file containing concatenation of
   several certificates.  Previously, server's cert was checked against only first CA cert,
   resulting in possible "certificate verify failed" errors.

data/README.md

@@ -13,8 +13,7 @@ To learn more about groups and versions in kubernetes refer to [k8s docs](https:
 
 If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
 endangering your connection and cluster credentials.
-See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
-Open an issue if you want a backport to another version.
+See https://github.com/ManageIQ/kubeclient/issues/554 for details and which versions got a fix.
 
 ## Installation
 
@@ -105,8 +104,8 @@ client = Kubeclient::Client.new(
 ### Authentication
 
 If you are using basic authentication or bearer tokens as described
-[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md) then you can specify one
-of the following:
+[here](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md)
+then you can specify one of the following:
 
 ```ruby
 auth_options = {
@@ -118,7 +117,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (fixed token, if it expires it's up to you to create a new `Client` object):
 
 ```ruby
 auth_options = {
@@ -129,7 +128,7 @@ client = Kubeclient::Client.new(
 )
 ```
 
-or
+or (will automatically re-read the token if file is updated):
 
 ```ruby
 auth_options = {

data/RELEASING.md

@@ -4,10 +4,6 @@
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 At some point in time it is decided to release version x.y.z.
 
-```bash
-RELEASE_BRANCH="master"
-```
-
 ## 0. (once) Install gem-release, needed for several commands here:
 
 ```bash
@@ -16,13 +12,17 @@ gem install gem-release
 
 ## 1. PR(s) for changelog & bump
 
-Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
-
-Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
+RELEASE_BRANCH="master"
 RELEASE_VERSION=x.y.z
 
 git checkout -b "release-$RELEASE_VERSION" $RELEASE_BRANCH
+```
+
+Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to update it, you should replace "Unreleased" section header with appropriate "x.y.z — 20yy-mm-dd" header.
+
+Bump `lib/kubeclient/version.rb` manually, or by using:
+```bash
 # Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
@@ -46,7 +46,7 @@ Make sure we're locally after the bump PR *merge commit*:
 ```bash
 git checkout $RELEASE_BRANCH
 git status # Make sure there are no local changes
-git pull --ff-only https://github.com/abonas/kubeclient $RELEASE_BRANCH
+git pull --ff-only https://github.com/ManageIQ/kubeclient $RELEASE_BRANCH
 git log -n1
 ```
 

data/kubeclient.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'bundler', '>= 1.6'
   spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'minitest', '~> 5.15.0'
   spec.add_development_dependency 'minitest-rg'
   spec.add_development_dependency 'webmock', '~> 3.0'
   spec.add_development_dependency 'vcr'
@@ -32,6 +32,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
   spec.add_development_dependency 'net-smtp'
+  # needed on Windows, at least for openid_connect
+  spec.add_development_dependency 'tzinfo-data'
 
   spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'

data/lib/kubeclient/common.rb

@@ -78,7 +78,7 @@ module Kubeclient
       @api_version = version
       @headers = {}
       @ssl_options = ssl_options
-      @auth_options = auth_options
+      @auth_options = auth_options.dup
       @socket_options = socket_options
       # Allow passing partial timeouts hash, without unspecified
       # @timeouts[:foo] == nil resulting in infinite timeout.
@@ -87,11 +87,11 @@ module Kubeclient
       @http_max_redirects = http_max_redirects
       @as = as
 
-      if auth_options[:bearer_token]
-        bearer_token(@auth_options[:bearer_token])
-      elsif auth_options[:bearer_token_file]
+      if auth_options[:bearer_token_file]
         validate_bearer_token_file
         bearer_token(File.read(@auth_options[:bearer_token_file]))
+      elsif auth_options[:bearer_token]
+        bearer_token(@auth_options[:bearer_token])
       end
     end
 
@@ -136,6 +136,11 @@ module Kubeclient
       @discovered = true
     end
 
+    def get_headers
+      bearer_token(File.read(@auth_options[:bearer_token_file])) if @auth_options[:bearer_token_file]
+      @headers
+    end
+
     def self.parse_definition(kind, name)
       # Kubernetes gives us 3 inputs:
       #   kind: "ComponentStatus", "NetworkPolicy", "Endpoints"
@@ -349,7 +354,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(options[:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
       format_response(options[:as] || @as, response.body, entity_type)
     end
@@ -362,7 +367,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .get(@headers)
+          .get(get_headers)
       end
       format_response(options[:as] || @as, response.body)
     end
@@ -378,7 +383,7 @@ module Kubeclient
           rs.options.merge(
             method: :delete,
             url: rs.url,
-            headers: { 'Content-Type' => 'application/json' }.merge(@headers),
+            headers: { 'Content-Type' => 'application/json' }.merge(get_headers),
             payload: payload
           )
         )
@@ -400,7 +405,7 @@ module Kubeclient
       hash[:apiVersion] = @api_group + @api_version
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -410,7 +415,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(entity_config[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -421,7 +426,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -434,7 +439,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             resource.to_json,
-            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(@headers)
+            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -468,7 +473,7 @@ module Kubeclient
       ns = build_namespace_prefix(namespace)
       handle_exception do
         rest_client[ns + "pods/#{pod_name}/log"]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
     end
 
@@ -506,7 +511,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(template[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + 'processedtemplates']
-          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       JSON.parse(response)
     end
@@ -519,7 +524,7 @@ module Kubeclient
     end
 
     def api
-      response = handle_exception { create_rest_client.get(@headers) }
+      response = handle_exception { create_rest_client.get(get_headers) }
       JSON.parse(response)
     end
 
@@ -593,7 +598,7 @@ module Kubeclient
     end
 
     def fetch_entities
-      JSON.parse(handle_exception { rest_client.get(@headers) })
+      JSON.parse(handle_exception { rest_client.get(get_headers) })
     end
 
     def bearer_token(bearer_token)
@@ -638,11 +643,11 @@ module Kubeclient
       options = {
         basic_auth_user: @auth_options[:username],
         basic_auth_password: @auth_options[:password],
-        headers: @headers,
+        headers: get_headers,
         http_proxy_uri: @http_proxy_uri,
         http_max_redirects: http_max_redirects
       }
-
+      options[:bearer_token_file] = @auth_options[:bearer_token_file] if @auth_options[:bearer_token_file]
       if uri.scheme == 'https'
         options[:ssl] = {
           ca_file: @ssl_options[:ca_file],

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.9.3'.freeze
+  VERSION = '4.10.1'.freeze
 end

data/lib/kubeclient/watch_stream.rb

@@ -79,6 +79,7 @@ module Kubeclient
       end
 
       def build_client_options
+        @http_options[:headers][:Authorization] = "Bearer #{File.read(@http_options[:bearer_token_file])}" if @http_options[:bearer_token_file]
         client_options = {
           headers: @http_options[:headers],
           proxy: using_proxy

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.9.3
+  version: 4.10.1
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-23 00:00:00.000000000 Z
+date: 2022-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -42,16 +42,16 @@ dependencies:
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.15.0
 - !ruby/object:Gem::Dependency
   name: minitest-rg
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: tzinfo-data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jsonpath
   requirement: !ruby/object:Gem::Requirement