kubeclient 4.9.3 → 4.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f402a08fef66f160df49d507487769073b248828869a2c874d78e947b1d6686
-  data.tar.gz: 5d371f47861538f1e3e9deced8d1c41be1e0ca857ab8ed0607a75417948bb6f6
+  metadata.gz: 68296079e6db48ae555a4ca1f53c39b4c6349f3aebb426f443f884c984b904a1
+  data.tar.gz: 1524dfc158d01ac299c732f54dcf5e757cbd112eb07f3358ba798c3c8b09977d
 SHA512:
-  metadata.gz: f06a16d02e150194d06a4aa2c37a23bd1b7bbef4daca379ed7f60dd9581310b98cd3026d86e90b1b23d861fe6186d05e003d41380cb1edeaf7a2e52ccc594520
-  data.tar.gz: 7fbceb84c48af3bf4f28eadb05a2807a61196a26a66d72eb836ee5faa23d9a22fb1bd8e76fd16febd794007f1f0fd487000db40f543143789d33225c2350ccd0
+  metadata.gz: 0aa6e0f5d6934ef4de10a71a1388f53323ab235ca4b3c1a560b99a483fba3603c51cf463a5211554ab2d97d1dfce6a5623ce65898c0f188c231476b320180bc3
+  data.tar.gz: a6319a5a38d228db8b0ed08eb356d7539858cb0660ec2dba376177a3c02568b19ea42d5799feef04b5d86dc4284673c978d6cdaf82b286f3642ae33a0449eba0

data/.github/workflows/actions.yml

@@ -16,7 +16,9 @@ jobs:
       matrix:
         ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1', 'ruby-head', 'truffleruby-head' ]
         os_and_command:
-        - os: 'macos-latest'
+        - os: macos-latest
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: windows-latest
           command: 'env TESTOPTS="--verbose" bundle exec rake test'
         - os: ubuntu-latest
           # Sometimes minitest starts and then just hangs printing nothing.
@@ -35,7 +37,6 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby }}
         bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
-    - run: gem install rake bundler
     - run: bundle install
     - run: ${{ matrix.os_and_command.command }}
     timeout-minutes: 10

data/CHANGELOG.md

@@ -4,7 +4,21 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
-## 4.9.3 — 2021-03-23
+## 4.10.0 — 2022-08-29
+
+### Added
+
+- When using `:bearer_token_file`, re-read the file on every request. (#566 closed #561)
+
+  Kubernetes version 1.21 graduated [BoundServiceAccountTokenVolume feature][] to beta
+  and enabled it by default, so standard in-cluster auth now uses short-lived tokens.
+
+  This changes allows a long-lived `Client` object to keep working when the token file gets
+  rotated.  It's not optimized at all, if you feel the performance overhead, please report!
+
+  [BoundServiceAccountTokenVolume feature]: https://github.com/kubernetes/enhancements/issues/542
+
+## 4.9.3 — 2022-03-23
 
 ### Fixed
 
@@ -23,12 +37,16 @@ Kubeclient release versioning follows [SemVer](https://semver.org/).
   This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
   [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
 
+  [#554](https://github.com/ManageIQ/kubeclient/issues/554).
+
 - Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
   When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
 
   Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
   `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
 
+  [#555](https://github.com/ManageIQ/kubeclient/issues/555).
+
 - `Config`: fixed parsing of `certificate-authority` file containing concatenation of
   several certificates.  Previously, server's cert was checked against only first CA cert,
   resulting in possible "certificate verify failed" errors.

data/README.md

@@ -13,8 +13,7 @@ To learn more about groups and versions in kubernetes refer to [k8s docs](https:
 
 If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
 endangering your connection and cluster credentials.
-See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
-Open an issue if you want a backport to another version.
+See https://github.com/ManageIQ/kubeclient/issues/554 for details and which versions got a fix.
 
 ## Installation
 

data/kubeclient.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'bundler', '>= 1.6'
   spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'minitest', '~> 5.15.0'
   spec.add_development_dependency 'minitest-rg'
   spec.add_development_dependency 'webmock', '~> 3.0'
   spec.add_development_dependency 'vcr'
@@ -32,6 +32,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
   spec.add_development_dependency 'net-smtp'
+  # needed on Windows, at least for openid_connect
+  spec.add_development_dependency 'tzinfo-data'
 
   spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'

data/lib/kubeclient/common.rb

@@ -78,7 +78,7 @@ module Kubeclient
       @api_version = version
       @headers = {}
       @ssl_options = ssl_options
-      @auth_options = auth_options
+      @auth_options = auth_options.dup
       @socket_options = socket_options
       # Allow passing partial timeouts hash, without unspecified
       # @timeouts[:foo] == nil resulting in infinite timeout.
@@ -87,11 +87,18 @@ module Kubeclient
       @http_max_redirects = http_max_redirects
       @as = as
 
-      if auth_options[:bearer_token]
-        bearer_token(@auth_options[:bearer_token])
-      elsif auth_options[:bearer_token_file]
+      @log = Logger.new(STDOUT)
+      @log.formatter = proc do |severity, datetime, progname, msg|
+          "#{datetime} [#{severity}]: #{msg}\n"
+      end
+
+      if auth_options[:bearer_token_file]
         validate_bearer_token_file
+        @log.info("Reading bearer token from #{@auth_options[:bearer_token_file]}")
         bearer_token(File.read(@auth_options[:bearer_token_file]))
+      elsif auth_options[:bearer_token]
+        bearer_token(@auth_options[:bearer_token])
+        @log.info("bearer_token_file path not provided. Kubeclient will not be able to refresh the token if it expires")
       end
     end
 
@@ -136,6 +143,11 @@ module Kubeclient
       @discovered = true
     end
 
+    def get_headers
+      bearer_token(File.read(@auth_options[:bearer_token_file])) if @auth_options[:bearer_token_file]
+      @headers
+    end
+
     def self.parse_definition(kind, name)
       # Kubernetes gives us 3 inputs:
       #   kind: "ComponentStatus", "NetworkPolicy", "Endpoints"
@@ -349,7 +361,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(options[:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
       format_response(options[:as] || @as, response.body, entity_type)
     end
@@ -362,7 +374,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .get(@headers)
+          .get(get_headers)
       end
       format_response(options[:as] || @as, response.body)
     end
@@ -378,7 +390,7 @@ module Kubeclient
           rs.options.merge(
             method: :delete,
             url: rs.url,
-            headers: { 'Content-Type' => 'application/json' }.merge(@headers),
+            headers: { 'Content-Type' => 'application/json' }.merge(get_headers),
             payload: payload
           )
         )
@@ -400,7 +412,7 @@ module Kubeclient
       hash[:apiVersion] = @api_group + @api_version
       response = handle_exception do
         rest_client[ns_prefix + resource_name]
-          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(hash.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -410,7 +422,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(entity_config[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
-          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .put(entity_config.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       format_response(@as, response.body)
     end
@@ -421,7 +433,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -434,7 +446,7 @@ module Kubeclient
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             resource.to_json,
-            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(@headers)
+            { 'Content-Type' => 'application/apply-patch+yaml' }.merge(get_headers)
           )
       end
       format_response(@as, response.body)
@@ -468,7 +480,7 @@ module Kubeclient
       ns = build_namespace_prefix(namespace)
       handle_exception do
         rest_client[ns + "pods/#{pod_name}/log"]
-          .get({ 'params' => params }.merge(@headers))
+          .get({ 'params' => params }.merge(get_headers))
       end
     end
 
@@ -506,7 +518,7 @@ module Kubeclient
       ns_prefix = build_namespace_prefix(template[:metadata][:namespace])
       response = handle_exception do
         rest_client[ns_prefix + 'processedtemplates']
-          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(@headers))
+          .post(template.to_h.to_json, { 'Content-Type' => 'application/json' }.merge(get_headers))
       end
       JSON.parse(response)
     end
@@ -519,7 +531,7 @@ module Kubeclient
     end
 
     def api
-      response = handle_exception { create_rest_client.get(@headers) }
+      response = handle_exception { create_rest_client.get(get_headers) }
       JSON.parse(response)
     end
 
@@ -593,7 +605,7 @@ module Kubeclient
     end
 
     def fetch_entities
-      JSON.parse(handle_exception { rest_client.get(@headers) })
+      JSON.parse(handle_exception { rest_client.get(get_headers) })
     end
 
     def bearer_token(bearer_token)
@@ -638,11 +650,11 @@ module Kubeclient
       options = {
         basic_auth_user: @auth_options[:username],
         basic_auth_password: @auth_options[:password],
-        headers: @headers,
+        headers: get_headers,
         http_proxy_uri: @http_proxy_uri,
         http_max_redirects: http_max_redirects
       }
-
+      options[:bearer_token_file] = @auth_options[:bearer_token_file] if @auth_options[:bearer_token_file]
       if uri.scheme == 'https'
         options[:ssl] = {
           ca_file: @ssl_options[:ca_file],

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.9.3'.freeze
+  VERSION = '4.10.0'.freeze
 end

data/lib/kubeclient/watch_stream.rb

@@ -79,6 +79,7 @@ module Kubeclient
       end
 
       def build_client_options
+        @http_options[:headers][:Authorization] = "Bearer #{File.read(@http_options[:bearer_token_file])}" if @http_options[:bearer_token_file]
         client_options = {
           headers: @http_options[:headers],
           proxy: using_proxy

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.9.3
+  version: 4.10.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-23 00:00:00.000000000 Z
+date: 2022-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -42,16 +42,16 @@ dependencies:
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 5.15.0
 - !ruby/object:Gem::Dependency
   name: minitest-rg
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: tzinfo-data
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jsonpath
   requirement: !ruby/object:Gem::Requirement