kubeclient 4.2.2 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e11771dcb8f222f6c3a3bb4fb1c8b3db8cc745a9d2dbe8b2ff3edfe02382f3d
-  data.tar.gz: a5edd9efc28428fd2e5d232a1bdce0a1f5d0bd56fad06cff4d10e82e03bdc3f6
+  metadata.gz: f53d064748148a041be5853562e7789f8cc792735e4916c1859c63bf93f1f8bc
+  data.tar.gz: 15a4ba1b298c4bfb3469765a92ad58e8dd806f470870bbadaaf81a0c7ac3dbf4
 SHA512:
-  metadata.gz: 17cdfd31bf3df9292a2edf052071e99b30e62ee6ebfd05bce7b710623cc7c0ae57acb1c469787cee49bd472dc1661d687908acbb364cc8d36723f7ee4b07d273
-  data.tar.gz: f739a8fc768a688853e2f6e55232087bdfbdc31b26a86ca6ffe6ecc87996b72906a2d60d674c5aae3d5023d578b5cc9d20611a349f1cfc0d2ee1d2511e4f4c7c
+  metadata.gz: 39b85eead8370920f1dbf6f30720506de756894ae4d34b55a5e589b9ff1c8bce0a6e93c5517d4afbc7bb039b729e760250c7b4ead17b4fced76f52941b6bcf44
+  data.tar.gz: 6c95743f7680fac757b90804050b81488d084fe083749890f069ca8ed1a97158c789d3a912fcccc72f64d089695a9fe0c2085b45dffa492773c82d2ae5b3626d

data/.rubocop.yml

@@ -14,12 +14,16 @@ Metrics/ParameterLists:
   CountKeywordArgs: false
 Metrics/CyclomaticComplexity:
   Max: 8
+Metrics/PerceivedComplexity:
+  Max: 8
 Metrics/ModuleLength:
   Enabled: false
 Style/MethodCallWithArgsParentheses:
   Enabled: true
   IgnoredMethods: [require, raise, include, attr_reader, refute, assert]
   Exclude: [Gemfile, Rakefile, kubeclient.gemspec, Gemfile.dev.rb]
+Metrics/BlockLength:
+  Exclude: [kubeclient.gemspec]
 Security/MarshalLoad:
   Exclude: [test/**/*]
 Style/FileName:

data/CHANGELOG.md

@@ -4,6 +4,16 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.3.0 — 2019-03-03
+
+### Changed
+- `GoogleApplicationDefaultCredentials` will automatically be used in `fetch_user_auth_options` if the `user[auth-provider][name] == 'gcp'` in the provided context. Note that `user[exec]` is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient _does not_ import the required `googleauth` gem, so you will need to import it in your calling application. (#394)
+
+### Added
+- OpenID Connect credentials will automatically be used if the `user[auth-provider][name] == 'oidc'` in the provided context. Note that `user[exec]` is checked first. Kubeclient _does not_ import the required `openid_connect` gem, so you will need to import it in your calling application. (#396)
+
+- Support for `json_patch_#{entity}` and `merge_patch_#{entity}`. `patch_#{entity}` will continue to use strategic merge patch. (#390)
+
 ## 4.2.2 — 2019-01-09
 
 ### Added

data/README.md

@@ -166,29 +166,6 @@ namespace = File.read('/var/run/secrets/kubernetes.io/serviceaccount/namespace')
 ```
 You can find information about tokens in [this guide](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) and in [this reference](http://kubernetes.io/docs/admin/authentication/).
 
-#### Google's Application Default Credentials
-
-On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems
-with [application default credentials](https://developers.google.com/identity/protocols/application-default-credentials),
-you can use the token provider to authorize `kubeclient`.
-
-This requires the [`googleauth` gem](https://github.com/google/google-auth-library-ruby) that is _not_ included in
-`kubeclient` dependencies so you should add it to your bundle.
-
-```ruby
-require 'googleauth'
-
-auth_options = {
-  bearer_token: Kubeclient::GoogleApplicationDefaultCredentials.token
-}
-client = Kubeclient::Client.new(
-  'https://localhost:8443/api/', 'v1', auth_options: auth_options
-)
-```
-
-Note that this token is good for one hour. If your code runs for longer than that, you should plan to
-acquire a new one.
-
 ### Non-blocking IO
 
 You can also use kubeclient with non-blocking sockets such as Celluloid::IO, see [here](https://github.com/httprb/http/wiki/Parallel-requests-with-Celluloid%3A%3AIO)
@@ -303,12 +280,82 @@ context = config.context('default/192-168-99-100:8443/system:admin')
 
 Kubeclient::Client.new(
   context.api_endpoint,
-  context.api_version,
+  'v1',
   ssl_options: context.ssl_options,
   auth_options: context.auth_options
 )
 ```
 
+
+#### Google's Application Default Credentials
+
+On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems
+with [application default credentials](https://developers.google.com/identity/protocols/application-default-credentials),
+kubeclient can use `googleauth` gem to authorize.
+
+This requires the [`googleauth` gem](https://github.com/google/google-auth-library-ruby) that is _not_ included in
+`kubeclient` dependencies so you should add it to your bundle.
+
+If you use `Config.context(...).auth_options` and the kubeconfig file has `user: {auth-provider: {name: gcp}}`, kubeclient will automatically try this (raising LoadError if you don't have `googleauth` in your bundle).
+
+Or you can obtain a token manually:
+
+```ruby
+require 'googleauth'
+
+auth_options = {
+  bearer_token: Kubeclient::GoogleApplicationDefaultCredentials.token
+}
+client = Kubeclient::Client.new(
+  'https://localhost:8443/api/', 'v1', auth_options: auth_options
+)
+```
+
+Note that this returns a token good for one hour. If your code requires authorization for longer than that, you should plan to
+acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
+#### OIDC Auth Provider
+
+If the cluster you are using has OIDC authentication enabled you can use the `openid_connect` gem to obtain
+id-tokens if the one in your kubeconfig has expired.
+
+This requires the [`openid_connect` gem](https://github.com/nov/openid_connect) which is not included in
+the `kubeclient` dependencies so should be added to your own applications bundle.
+
+The OIDC Auth Provider will not perform the initial setup of your `$KUBECONFIG` file. You will need to use something
+like [`dexter`](https://github.com/gini/dexter) in order to configure the auth-provider in your `$KUBECONFIG` file.
+
+If you use `Config.context(...).auth_options` and the `$KUBECONFIG` file has user: `{auth-provider: {name: oidc}}`,
+kubeclient will automatically obtain a token (or use `id-token` if still valid)
+
+Tokens are typically short-lived (e.g. 1 hour) and the expiration time is determined by the OIDC Provider (e.g. Google).
+If your code requires authentication for longer than that you should obtain a new token periodically, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
+Note: id-tokens retrieved via this provider are not written back to the `$KUBECONFIG` file as they would be when
+using `kubectl`.
+
+#### How to manually renew expired credentials
+
+Kubeclient [does not yet](https://github.com/abonas/kubeclient/issues/393) help with this.
+
+The division of labor between `Config` and `Context` objects may change, for now please make no assumptions at which stage `exec:` and `auth-provider:` are handled and whether they're cached.
+The currently guaranteed way to renew is create a new `Config` object.
+
+The more painful part is that you'll then need to create new `Client` object(s) with the credentials from new config.
+So repeat all of this:
+```ruby
+config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config')
+context = config.context
+ssl_options = context.ssl_options
+auth_options = context.auth_options
+
+client = Kubeclient::Client.new(
+    context.api_endpoint, 'v1',
+    ssl_options: ssl_options, auth_options: auth_options
+)
+# and additional Clients if needed...
+```
+
 #### Security: Don't use config from untrusted sources
 
 `Config.read` is catastrophically unsafe — it will execute arbitrary command lines specified by the config!
@@ -490,6 +537,8 @@ The below example is for v1
 patched = client.patch_pod("docker-registry", {metadata: {annotations: {key: 'value'}}}, "default")
 ```
 
+`patch_#{entity}` is called using a [strategic merge patch](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch). `json_patch_#{entity}` and `merge_patch_#{entity}` are also available that use JSON patch and JSON merge patch, respectively. These strategies are useful for resources that do not support strategic merge patch, such as Custom Resources. Consult the [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment) for more information about the different patch strategies.
+
 #### Get all entities of all types : all_entities
 Returns a hash with the following keys (node, secret, service, pod, replication_controller, namespace, resource_quota, limit_range, endpoint, event, persistent_volume, persistent_volume_claim, component_status and service_account). Each key points to an EntityList of same type.
 This method is a convenience method instead of calling each entity's get method separately.

data/kubeclient.gemspec

@@ -28,6 +28,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'vcr'
   spec.add_development_dependency 'rubocop', '= 0.49.1'
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
+  spec.add_development_dependency('mocha', '~> 1.5')
+  spec.add_development_dependency 'openid_connect', '~> 1.1'
 
   spec.add_dependency 'rest-client', '~> 2.0'
   spec.add_dependency 'recursive-open-struct', '~> 1.0', '>= 1.0.4'

data/lib/kubeclient.rb

@@ -8,6 +8,7 @@ require 'kubeclient/google_application_default_credentials'
 require 'kubeclient/exec_credentials'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
+require 'kubeclient/oidc_auth_provider'
 require 'kubeclient/resource'
 require 'kubeclient/resource_not_found_error'
 require 'kubeclient/version'

data/lib/kubeclient/common.rb

@@ -5,7 +5,7 @@ module Kubeclient
   # Common methods
   # this is mixed in by other gems
   module ClientMixin
-    ENTITY_METHODS = %w[get watch delete create update patch].freeze
+    ENTITY_METHODS = %w[get watch delete create update patch json_patch merge_patch].freeze
 
     DEFAULT_SSL_OPTIONS = {
       client_cert: nil,
@@ -203,6 +203,7 @@ module Kubeclient
       namespace.to_s.empty? ? '' : "namespaces/#{namespace}/"
     end
 
+    # rubocop:disable  Metrics/BlockLength
     def define_entity_methods
       @entities.values.each do |entity|
         # get all entities of a type e.g. get_nodes, get_pods, etc.
@@ -238,11 +239,23 @@ module Kubeclient
           update_entity(entity.resource_name, entity_config)
         end
 
-        define_singleton_method("patch_#{entity.method_names[0]}") do |name, patch, namespace = nil|
-          patch_entity(entity.resource_name, name, patch, namespace)
+        define_singleton_method("patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'strategic-merge-patch', namespace)
+        end
+
+        define_singleton_method("json_patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'json-patch', namespace)
+        end
+
+        define_singleton_method("merge_patch_#{entity.method_names[0]}") \
+        do |name, patch, namespace = nil|
+          patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
       end
     end
+    # rubocop:enable  Metrics/BlockLength
 
     def self.underscore_entity(entity_name)
       entity_name.gsub(/([a-z])([A-Z])/, '\1_\2').downcase
@@ -381,13 +394,13 @@ module Kubeclient
       format_response(@as, response.body)
     end
 
-    def patch_entity(resource_name, name, patch, namespace = nil)
+    def patch_entity(resource_name, name, patch, strategy, namespace)
       ns_prefix = build_namespace_prefix(namespace)
       response = handle_exception do
         rest_client[ns_prefix + resource_name + "/#{name}"]
           .patch(
             patch.to_json,
-            { 'Content-Type' => 'application/strategic-merge-patch+json' }.merge(@headers)
+            { 'Content-Type' => "application/#{strategy}+json" }.merge(@headers)
           )
       end
       format_response(@as, response.body)

data/lib/kubeclient/config.rb

@@ -153,6 +153,14 @@ module Kubeclient
         exec_opts = user['exec'].dup
         exec_opts['command'] = ext_command_path(exec_opts['command']) if exec_opts['command']
         options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
+      elsif user.key?('auth-provider')
+        auth_provider = user['auth-provider']
+        options[:bearer_token] = case auth_provider['name']
+                                 when 'gcp'
+                                 then Kubeclient::GoogleApplicationDefaultCredentials.token
+                                 when 'oidc'
+                                 then Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
+                                 end
       else
         %w[username password].each do |attr|
           options[attr.to_sym] = user[attr] if user.key?(attr)

data/lib/kubeclient/google_application_default_credentials.rb

@@ -3,9 +3,19 @@
 module Kubeclient
   # Get a bearer token from the Google's application default credentials.
   class GoogleApplicationDefaultCredentials
+    class GoogleDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
     class << self
       def token
-        require 'googleauth'
+        begin
+          require 'googleauth'
+        rescue LoadError => e
+          raise GoogleDependencyError,
+                'Error requiring googleauth gem. Kubeclient itself does not include the ' \
+                'googleauth gem. To support auth-provider gcp, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
         scopes = ['https://www.googleapis.com/auth/cloud-platform']
         authorization = Google::Auth.get_application_default(scopes)
         authorization.apply({})

data/lib/kubeclient/oidc_auth_provider.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Uses OIDC id-tokens and refreshes them if they are stale.
+  class OIDCAuthProvider
+    class OpenIDConnectDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(provider_config)
+        begin
+          require 'openid_connect'
+        rescue LoadError => e
+          raise OpenIDConnectDependencyError,
+                'Error requiring openid_connect gem. Kubeclient itself does not include the ' \
+                'openid_connect gem. To support auth-provider oidc, you must include it in your ' \
+                "calling application. Failed with: #{e.message}"
+        end
+
+        issuer_url = provider_config['idp-issuer-url']
+        discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
+
+        if provider_config.key? 'id-token'
+          id_token = OpenIDConnect::ResponseObject::IdToken.decode provider_config['id-token'],
+                                                                   discovery.jwks
+          return provider_config['id-token'] unless expired?(id_token)
+        end
+
+        client = OpenIDConnect::Client.new(
+          identifier: provider_config['client-id'],
+          secret: provider_config['client-secret'],
+          authorization_endpoint: discovery.authorization_endpoint,
+          token_endpoint: discovery.token_endpoint,
+          userinfo_endpoint: discovery.userinfo_endpoint
+        )
+        client.refresh_token = provider_config['refresh-token']
+        client.access_token!.id_token
+      end
+
+      def expired?(id_token)
+        # If token expired or expiring within 60 seconds
+        Time.now.to_i + 60 > id_token.exp.to_i
+      end
+    end
+  end
+end

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.2.2'.freeze
+  VERSION = '4.3.0'.freeze
 end

data/test/config/gcpauth.kubeconfig

@@ -0,0 +1,22 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: application-default-credentials
+  name: localhost/application-default-credentials
+kind: Config
+preferences: {}
+users:
+- name: application-default-credentials
+  user:
+    auth-provider:
+      config:
+        access-token: <fake_token>
+        expiry: 2019-02-19T11:07:29.827352-05:00
+      name: gcp

data/test/config/oidcauth.kubeconfig

@@ -0,0 +1,25 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: oidc-auth-provider
+  name: localhost/oidc-auth-provider
+kind: Config
+preferences: {}
+users:
+- name: oidc-auth-provider
+  user:
+    auth-provider:
+      config:
+        client-id: fake-client-id
+        client-secret: fake-client-secret
+        id-token: fake-id-token
+        idp-issuer-url: https://accounts.google.com
+        refresh-token: fake-refresh-token
+      name: oidc

data/test/json/service_json_patch.json

@@ -0,0 +1,26 @@
+{
+  "status" : {},
+  "kind" : "Service",
+  "apiVersion" : "v1",
+  "spec" : {
+    "ports" : [
+      {
+        "targetPort" : 80,
+        "nodePort" : 0,
+        "port" : 80,
+        "protocol" : "TCP"
+      }
+    ],
+    "clusterIP" : "1.2.3.4",
+    "type": "LoadBalancer"
+  },
+  "metadata" : {
+    "name" : "my-service",
+    "creationTimestamp" : null,
+    "namespace" : "development",
+    "resourceVersion" : "2",
+    "annotations" : {
+      "key" : "value"
+    }
+  }
+}

data/test/json/service_merge_patch.json

@@ -0,0 +1,26 @@
+{
+  "status" : {},
+  "kind" : "Service",
+  "apiVersion" : "v1",
+  "spec" : {
+    "ports" : [
+      {
+        "targetPort" : 80,
+        "nodePort" : 0,
+        "port" : 80,
+        "protocol" : "TCP"
+      }
+    ],
+    "clusterIP" : "1.2.3.4",
+    "type": "NodePort"
+  },
+  "metadata" : {
+    "name" : "my-service",
+    "creationTimestamp" : null,
+    "namespace" : "development",
+    "resourceVersion" : "2",
+    "annotations" : {
+      "key" : "value"
+    }
+  }
+}

data/test/test_config.rb

@@ -123,6 +123,43 @@ class KubeclientConfigTest < MiniTest::Test
     end
   end
 
+  def test_gcp_default_auth
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once
+    parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])
+    config = Kubeclient::Config.new(parsed, nil)
+    config.context(config.contexts.first)
+  end
+
+  # Each call to .context() obtains a new token, calling .auth_options doesn't change anything.
+  # NOTE: this is not a guarantee, may change, just testing current behavior.
+  def test_gcp_default_auth_renew
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once
+    parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])
+    config = Kubeclient::Config.new(parsed, nil)
+    context = config.context(config.contexts.first)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+
+    Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token2').once
+    context2 = config.context(config.contexts.first)
+    assert_equal({ bearer_token: 'token2' }, context2.auth_options)
+    assert_equal({ bearer_token: 'token1' }, context.auth_options)
+  end
+
+  def test_oidc_auth_provider
+    Kubeclient::OIDCAuthProvider.expects(:token)
+                                .with('client-id' => 'fake-client-id',
+                                      'client-secret' => 'fake-client-secret',
+                                      'id-token' => 'fake-id-token',
+                                      'idp-issuer-url' => 'https://accounts.google.com',
+                                      'refresh-token' => 'fake-refresh-token')
+                                .returns('token1')
+                                .once
+    parsed = YAML.safe_load(File.read(config_file('oidcauth.kubeconfig')))
+    config = Kubeclient::Config.new(parsed, nil)
+    config.context(config.contexts.first)
+  end
+
   private
 
   def check_context(context, ssl: true)

data/test/test_helper.rb

@@ -2,6 +2,7 @@ require 'bundler/setup'
 require 'minitest/autorun'
 require 'minitest/rg'
 require 'webmock/minitest'
+require 'mocha/minitest'
 require 'json'
 require 'kubeclient'
 

data/test/test_oidc_auth_provider.rb

@@ -0,0 +1,84 @@
+require_relative 'test_helper'
+require 'openid_connect'
+
+class OIDCAuthProviderTest < MiniTest::Test
+  def setup
+    @client_id = 'client_id'
+    @client_secret = 'client_secret'
+    @idp_issuer_url = 'idp_issuer_url'
+    @refresh_token = 'refresh_token'
+    @id_token = 'id_token'
+    @new_id_token = 'new_id_token'
+  end
+
+  def test_expired_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(:decode, id_token_mock(Time.now.to_i - 7200)) do
+        OpenIDConnect::Client.stub(:new, openid_client_mock) do
+          retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+            'client-id' => @client_id,
+            'client-secret' => @client_secret,
+            'id-token' => @id_token,
+            'idp-issuer-url' => @idp_issuer_url,
+            'refresh-token' => @refresh_token
+          )
+          assert_equal(@new_id_token, retrieved_id_token)
+        end
+      end
+    end
+  end
+
+  def test_valid_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(:decode, id_token_mock(Time.now.to_i + 7200)) do
+        retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+          'client-id' => @client_id,
+          'client-secret' => @client_secret,
+          'id-token' => @id_token,
+          'idp-issuer-url' => @idp_issuer_url,
+          'refresh-token' => @refresh_token
+        )
+        assert_equal(@id_token, retrieved_id_token)
+      end
+    end
+  end
+
+  def test_missing_id_token
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::Client.stub(:new, openid_client_mock) do
+        retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+          'client-id' => @client_id,
+          'client-secret' => @client_secret,
+          'idp-issuer-url' => @idp_issuer_url,
+          'refresh-token' => @refresh_token
+        )
+        assert_equal(@new_id_token, retrieved_id_token)
+      end
+    end
+  end
+
+  private
+
+  def openid_client_mock
+    access_token = Minitest::Mock.new
+    access_token.expect(@id_token, @new_id_token)
+
+    openid_client = Minitest::Mock.new
+    openid_client.expect(:refresh_token=, nil, [@refresh_token])
+    openid_client.expect(:access_token!, access_token)
+  end
+
+  def id_token_mock(expiry)
+    id_token_mock = Minitest::Mock.new
+    id_token_mock.expect(:exp, expiry)
+  end
+
+  def discovery_mock
+    discovery = Minitest::Mock.new
+    discovery.expect(:jwks, 'jwks')
+    discovery.expect(:authorization_endpoint, 'authz_endpoint')
+    discovery.expect(:token_endpoint, 'token_endpoint')
+    discovery.expect(:userinfo_endpoint, 'userinfo_endpoint')
+    discovery
+  end
+end

data/test/test_service.rb

@@ -273,4 +273,58 @@ class TestService < MiniTest::Test
       data['metadata']['annotations']['key'] == 'value'
     end
   end
+
+  def test_json_patch_service
+    service = Kubeclient::Resource.new
+    name = 'my-service'
+
+    service.metadata = {}
+    service.metadata.name      = name
+    service.metadata.namespace = 'development'
+
+    stub_core_api_list
+    expected_url = "http://localhost:8080/api/v1/namespaces/development/services/#{name}"
+    stub_request(:patch, expected_url)
+      .to_return(body: open_test_file('service_json_patch.json'), status: 200)
+
+    patch = [
+      { 'op' => 'add', 'path' => '/spec/type', 'value' => 'LoadBalancer' }
+    ]
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    service = client.json_patch_service(name, patch, 'development')
+    assert_kind_of(RecursiveOpenStruct, service)
+
+    assert_requested(:patch, expected_url, times: 1) do |req|
+      data = JSON.parse(req.body)
+      req.headers['Content-Type'] == 'application/json-patch+json' &&
+        data == patch
+    end
+  end
+
+  def test_merge_patch_service
+    service = Kubeclient::Resource.new
+    name = 'my-service'
+
+    service.metadata = {}
+    service.metadata.name      = name
+    service.metadata.namespace = 'development'
+
+    stub_core_api_list
+    expected_url = "http://localhost:8080/api/v1/namespaces/development/services/#{name}"
+    stub_request(:patch, expected_url)
+      .to_return(body: open_test_file('service_merge_patch.json'), status: 200)
+
+    patch = { spec: { type: 'NodePort' } }
+
+    client = Kubeclient::Client.new('http://localhost:8080/api/', 'v1')
+    service = client.merge_patch_service(name, patch, 'development')
+    assert_kind_of(RecursiveOpenStruct, service)
+
+    assert_requested(:patch, expected_url, times: 1) do |req|
+      data = JSON.parse(req.body)
+      req.headers['Content-Type'] == 'application/merge-patch+json' &&
+        data['spec']['type'] == 'NodePort'
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.2.2
+  version: 4.3.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-09 00:00:00.000000000 Z
+date: 2019-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -122,6 +122,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.1
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rest-client
   requirement: !ruby/object:Gem::Requirement
@@ -195,6 +223,7 @@ files:
 - lib/kubeclient/google_application_default_credentials.rb
 - lib/kubeclient/http_error.rb
 - lib/kubeclient/missing_kind_compatibility.rb
+- lib/kubeclient/oidc_auth_provider.rb
 - lib/kubeclient/resource.rb
 - lib/kubeclient/resource_not_found_error.rb
 - lib/kubeclient/version.rb
@@ -206,7 +235,9 @@ files:
 - test/config/external-cert.pem
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
+- test/config/gcpauth.kubeconfig
 - test/config/nouser.kubeconfig
+- test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
 - test/config/userauth.kubeconfig
 - test/json/bindings_list.json
@@ -258,7 +289,9 @@ files:
 - test/json/service_account.json
 - test/json/service_account_list.json
 - test/json/service_illegal_json_404.json
+- test/json/service_json_patch.json
 - test/json/service_list.json
+- test/json/service_merge_patch.json
 - test/json/service_patch.json
 - test/json/service_update.json
 - test/json/template.json
@@ -279,6 +312,7 @@ files:
 - test/test_missing_methods.rb
 - test/test_namespace.rb
 - test/test_node.rb
+- test/test_oidc_auth_provider.rb
 - test/test_persistent_volume.rb
 - test/test_persistent_volume_claim.rb
 - test/test_pod.rb
@@ -326,7 +360,9 @@ test_files:
 - test/config/external-cert.pem
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
+- test/config/gcpauth.kubeconfig
 - test/config/nouser.kubeconfig
+- test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
 - test/config/userauth.kubeconfig
 - test/json/bindings_list.json
@@ -378,7 +414,9 @@ test_files:
 - test/json/service_account.json
 - test/json/service_account_list.json
 - test/json/service_illegal_json_404.json
+- test/json/service_json_patch.json
 - test/json/service_list.json
+- test/json/service_merge_patch.json
 - test/json/service_patch.json
 - test/json/service_update.json
 - test/json/template.json
@@ -399,6 +437,7 @@ test_files:
 - test/test_missing_methods.rb
 - test/test_namespace.rb
 - test/test_node.rb
+- test/test_oidc_auth_provider.rb
 - test/test_persistent_volume.rb
 - test/test_persistent_volume_claim.rb
 - test/test_pod.rb