kubeclient 4.3.0 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f53d064748148a041be5853562e7789f8cc792735e4916c1859c63bf93f1f8bc
-  data.tar.gz: 15a4ba1b298c4bfb3469765a92ad58e8dd806f470870bbadaaf81a0c7ac3dbf4
+  metadata.gz: 688623a12e9f3e68f6573b39d0d8e58ddee8848154d72670848d05096453a827
+  data.tar.gz: fa3432fed8c342a2686a9f0f1ba599f7e87fa85ac42aa410f39b61674754e6ca
 SHA512:
-  metadata.gz: 39b85eead8370920f1dbf6f30720506de756894ae4d34b55a5e589b9ff1c8bce0a6e93c5517d4afbc7bb039b729e760250c7b4ead17b4fced76f52941b6bcf44
-  data.tar.gz: 6c95743f7680fac757b90804050b81488d084fe083749890f069ca8ed1a97158c789d3a912fcccc72f64d089695a9fe0c2085b45dffa492773c82d2ae5b3626d
+  metadata.gz: c6543f0f8494b64d3d56342dab4dc7ff70eeeb97f6a18cfa2915885c56c5e9051e0cd8df6eba330129330b8ba3e3e4088838f8b06cc10093f40a280e52e870b9
+  data.tar.gz: 7df2f38d1b116a137446935c4c166236c7ce04027cd17bc038047bdfee817c4b4a734d6a5775dafc1e1d02ed1ad3ec15843d5fcb59d0ca62c459dfe0de1848cb

data/CHANGELOG.md

@@ -4,13 +4,24 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## Unreleased
+
+## 4.4.0 — 2019-05-03
+
+### Added
+- GCP configs with `user[auth-provider][name] == 'gcp'` will execute credential plugin (normally the `gcloud config config-helper` subcommand) when the config specifies it in `cmd-path`, `cmd-args` fields (similar to `exec` support).  This code path works without `googleauth` gem.  Otherwise, `GoogleApplicationDefaultCredentials` path will be tried as before. (#410)
+- `AmazonEksCredentials` helper for obtaining a token to authenticate against Amazon EKS. This is not currently integrated in `Config`, you will need to invoke it yourself.  You'll need some aws gems that Kubeclient _does not_ include. (#404, #406)
+
+### Changed
+- OpenID Connect tokens which cannot be validaded because we cannot identify the key they were signed with will be considered expired and refreshed as usual. (#407)
+
 ## 4.3.0 — 2019-03-03
 
 ### Changed
-- `GoogleApplicationDefaultCredentials` will automatically be used in `fetch_user_auth_options` if the `user[auth-provider][name] == 'gcp'` in the provided context. Note that `user[exec]` is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient _does not_ import the required `googleauth` gem, so you will need to import it in your calling application. (#394)
+- `GoogleApplicationDefaultCredentials` will now automatically be used by `Config` if the `user[auth-provider][name] == 'gcp'` in the provided context. Note that `user[exec]` is checked first in anticipation of this functionality being added to GCP sometime in the future. Kubeclient _does not_ include the required `googleauth` gem, so you will need to include it in your calling application. (#394)
 
 ### Added
-- OpenID Connect credentials will automatically be used if the `user[auth-provider][name] == 'oidc'` in the provided context. Note that `user[exec]` is checked first. Kubeclient _does not_ import the required `openid_connect` gem, so you will need to import it in your calling application. (#396)
+- OpenID Connect credentials will automatically be used if the `user[auth-provider][name] == 'oidc'` in the provided context. Note that `user[exec]` is checked first. Kubeclient _does not_ include the required `openid_connect` gem, so you will need to include it in your calling application. (#396)
 
 - Support for `json_patch_#{entity}` and `merge_patch_#{entity}`. `patch_#{entity}` will continue to use strategic merge patch. (#390)
 

data/README.md

@@ -287,6 +287,45 @@ Kubeclient::Client.new(
 ```
 
 
+#### Amazon EKS Credentials
+
+On Amazon EKS by default the authentication method is IAM.  When running kubectl a temporary token is generated by shelling out to
+the aws-iam-authenticator binary which is sent to authenticate the user.
+See [aws-iam-authenticator](https://github.com/kubernetes-sigs/aws-iam-authenticator).
+To replicate that functionality, the `Kubeclient::AmazonEksCredentials` class can accept a set of IAM credentials and
+contains a helper method to generate the authentication token for you.
+
+This requires a set of gems which are _not_ included in
+`kubeclient` dependencies (`aws-sigv4`) so you should add them to your bundle.
+You will also require either the `aws-sdk` v2 or `aws-sdk-core` v3 gems to generate the required `Aws:Credentials` object to pass to this method.
+
+To obtain a token:
+
+```ruby
+require 'aws-sdk-core'
+# Use keys
+credentials = Aws::Credentials.new(access_key, secret_key)
+# Or a profile
+credentials = Aws::SharedCredentials.new(profile_name: 'default').credentials
+
+auth_options = {
+  bearer_token: Kubeclient::AmazonEksCredentials.token(credentials, eks_cluster_name)
+}
+client = Kubeclient::Client.new(
+  eks_cluster_https_endpoint, 'v1', auth_options: auth_options
+)
+```
+
+Note that this returns a token good for one minute. If your code requires authorization for longer than that, you should plan to
+acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
+#### Google GCP credential plugin
+
+If kubeconfig file has `user: {auth-provider: {name: gcp, cmd-path: ..., cmd-args: ..., token-key: ...}}`, the command will be executed to obtain a token.
+(Normally this would be a `gcloud config config-helper` command.)
+
+Note that this returns an expiring token. If your code requires authorization for a long time, you should plan to acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
+
 #### Google's Application Default Credentials
 
 On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems
@@ -296,7 +335,7 @@ kubeclient can use `googleauth` gem to authorize.
 This requires the [`googleauth` gem](https://github.com/google/google-auth-library-ruby) that is _not_ included in
 `kubeclient` dependencies so you should add it to your bundle.
 
-If you use `Config.context(...).auth_options` and the kubeconfig file has `user: {auth-provider: {name: gcp}}`, kubeclient will automatically try this (raising LoadError if you don't have `googleauth` in your bundle).
+If you use `Config.context(...).auth_options` and the kubeconfig file has `user: {auth-provider: {name: gcp}}`, but does not contain `cmd-path` key, kubeclient will automatically try this (raising LoadError if you don't have `googleauth` in your bundle).
 
 Or you can obtain a token manually:
 

data/RELEASING.md

@@ -21,6 +21,7 @@ Edit `CHANGELOG.md` as necessary.  Even if all included changes remembered to up
 Bump `lib/kubeclient/version.rb` manually, or by using:
 ```bash
 git checkout -b release-$RELEASE_VERSION
+# Won't work with uncommitted changes, you have to commit the changelog first.
 gem bump --version $RELEASE_VERSION
 git show # View version bump change.
 ```

data/kubeclient.gemspec

@@ -30,6 +30,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'jsonpath', '~> 1.0'
 
   spec.add_dependency 'rest-client', '~> 2.0'
   spec.add_dependency 'recursive-open-struct', '~> 1.0', '>= 1.0.4'

data/lib/kubeclient.rb

@@ -1,11 +1,12 @@
 require 'json'
 require 'rest-client'
 
+require 'kubeclient/aws_eks_credentials'
 require 'kubeclient/common'
 require 'kubeclient/config'
 require 'kubeclient/entity_list'
-require 'kubeclient/google_application_default_credentials'
 require 'kubeclient/exec_credentials'
+require 'kubeclient/gcp_auth_provider'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
 require 'kubeclient/oidc_auth_provider'

data/lib/kubeclient/aws_eks_credentials.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Get a bearer token to authenticate against aws eks.
+  class AmazonEksCredentials
+    class AmazonEksDependencyError < LoadError # rubocop:disable Lint/InheritException
+    end
+
+    class << self
+      def token(credentials, eks_cluster)
+        begin
+          require 'aws-sigv4'
+          require 'base64'
+          require 'cgi'
+        rescue LoadError => e
+          raise AmazonEksDependencyError,
+                'Error requiring aws gems. Kubeclient itself does not include the following ' \
+                'gems: [aws-sigv4]. To support auth-provider eks, you must ' \
+                "include it in your calling application. Failed with: #{e.message}"
+        end
+        # https://github.com/aws/aws-sdk-ruby/pull/1848
+        # Get a signer
+        # Note - sts only has ONE endpoint (not regional) so 'us-east-1' hardcoding should be OK
+        signer = Aws::Sigv4::Signer.new(
+          service: 'sts',
+          region: 'us-east-1',
+          credentials: credentials
+        )
+
+        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Sigv4/Signer.html#presign_url-instance_method
+        presigned_url_string = signer.presign_url(
+          http_method: 'GET',
+          url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15',
+          body: '',
+          credentials: credentials,
+          expires_in: 60,
+          headers: {
+            'X-K8s-Aws-Id' => eks_cluster
+          }
+        )
+        kube_token = 'k8s-aws-v1.' + Base64.urlsafe_encode64(presigned_url_string.to_s).chomp('==')
+        kube_token
+      end
+    end
+  end
+end

data/lib/kubeclient/config.rb

@@ -150,17 +150,10 @@ module Kubeclient
       if user.key?('token')
         options[:bearer_token] = user['token']
       elsif user.key?('exec')
-        exec_opts = user['exec'].dup
-        exec_opts['command'] = ext_command_path(exec_opts['command']) if exec_opts['command']
+        exec_opts = expand_command_option(user['exec'], 'command')
         options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
       elsif user.key?('auth-provider')
-        auth_provider = user['auth-provider']
-        options[:bearer_token] = case auth_provider['name']
-                                 when 'gcp'
-                                 then Kubeclient::GoogleApplicationDefaultCredentials.token
-                                 when 'oidc'
-                                 then Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
-                                 end
+        options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
       else
         %w[username password].each do |attr|
           options[attr.to_sym] = user[attr] if user.key?(attr)
@@ -168,5 +161,22 @@ module Kubeclient
       end
       options
     end
+
+    def fetch_token_from_provider(auth_provider)
+      case auth_provider['name']
+      when 'gcp'
+        config = expand_command_option(auth_provider['config'], 'cmd-path')
+        Kubeclient::GCPAuthProvider.token(config)
+      when 'oidc'
+        Kubeclient::OIDCAuthProvider.token(auth_provider['config'])
+      end
+    end
+
+    def expand_command_option(config, key)
+      config = config.dup
+      config[key] = ext_command_path(config[key]) if config[key]
+
+      config
+    end
   end
 end

data/lib/kubeclient/gcp_auth_provider.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'kubeclient/google_application_default_credentials'
+require 'kubeclient/gcp_command_credentials'
+
+module Kubeclient
+  # Handle different ways to get a bearer token for Google Cloud Platform.
+  class GCPAuthProvider
+    class << self
+      def token(config)
+        if config.key?('cmd-path')
+          Kubeclient::GCPCommandCredentials.token(config)
+        else
+          Kubeclient::GoogleApplicationDefaultCredentials.token
+        end
+      end
+    end
+  end
+end

data/lib/kubeclient/gcp_command_credentials.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Generates a bearer token for Google Cloud Platform.
+  class GCPCommandCredentials
+    class << self
+      def token(config)
+        require 'open3'
+        require 'shellwords'
+        require 'json'
+        require 'jsonpath'
+
+        cmd = config['cmd-path']
+        args = config['cmd-args']
+        token_key = config['token-key']
+
+        out, err, st = Open3.capture3(cmd, *args.split(' '))
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        extract_token(out, token_key)
+      end
+
+      private
+
+      def extract_token(output, token_key)
+        JsonPath.on(output, token_key.gsub(/^{|}$/, '')).first
+      end
+    end
+  end
+end

data/lib/kubeclient/oidc_auth_provider.rb

@@ -21,9 +21,7 @@ module Kubeclient
         discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
 
         if provider_config.key? 'id-token'
-          id_token = OpenIDConnect::ResponseObject::IdToken.decode provider_config['id-token'],
-                                                                   discovery.jwks
-          return provider_config['id-token'] unless expired?(id_token)
+          return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery)
         end
 
         client = OpenIDConnect::Client.new(
@@ -37,9 +35,17 @@ module Kubeclient
         client.access_token!.id_token
       end
 
-      def expired?(id_token)
+      def expired?(id_token, discovery)
+        decoded_token = OpenIDConnect::ResponseObject::IdToken.decode(
+          id_token,
+          discovery.jwks
+        )
         # If token expired or expiring within 60 seconds
-        Time.now.to_i + 60 > id_token.exp.to_i
+        Time.now.to_i + 60 > decoded_token.exp.to_i
+      rescue JSON::JWK::Set::KidNotFound
+        # Token cannot be verified: the kid it was signed with is not available for discovery
+        # Consider it expired and fetch a new one.
+        true
       end
     end
   end

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.3.0'.freeze
+  VERSION = '4.4.0'.freeze
 end

data/test/config/gcpcmdauth.kubeconfig

@@ -0,0 +1,26 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: application-default-credentials
+  name: localhost/application-default-credentials
+kind: Config
+preferences: {}
+users:
+- name: application-default-credentials
+  user:
+    auth-provider:
+      config:
+        access-token: <fake_token>
+        cmd-args: config config-helper --format=json
+        cmd-path: /path/to/gcloud
+        expiry: 2019-04-09T19:26:18Z
+        expiry-key: '{.credential.token_expiry}'
+        token-key: '{.credential.access_token}'
+      name: gcp

data/test/test_config.rb

@@ -146,6 +146,20 @@ class KubeclientConfigTest < MiniTest::Test
     assert_equal({ bearer_token: 'token1' }, context.auth_options)
   end
 
+  def test_gcp_command_auth
+    Kubeclient::GCPCommandCredentials.expects(:token)
+                                     .with('access-token' => '<fake_token>',
+                                           'cmd-args' => 'config config-helper --format=json',
+                                           'cmd-path' => '/path/to/gcloud',
+                                           'expiry' => '2019-04-09 19:26:18 UTC',
+                                           'expiry-key' => '{.credential.token_expiry}',
+                                           'token-key' => '{.credential.access_token}')
+                                     .returns('token1')
+                                     .once
+    config = Kubeclient::Config.read(config_file('gcpcmdauth.kubeconfig'))
+    config.context(config.contexts.first)
+  end
+
   def test_oidc_auth_provider
     Kubeclient::OIDCAuthProvider.expects(:token)
                                 .with('client-id' => 'fake-client-id',

data/test/test_gcp_command_credentials.rb

@@ -0,0 +1,27 @@
+require_relative 'test_helper'
+require 'open3'
+
+# Unit tests for the GCPCommandCredentials token provider
+class GCPCommandCredentialsTest < MiniTest::Test
+  def test_token
+    opts = { 'cmd-args' => 'config config-helper --format=json',
+             'cmd-path' => '/path/to/gcloud',
+             'expiry-key' => '{.credential.token_expiry}',
+             'token-key' => '{.credential.access_token}' }
+
+    creds = JSON.dump(
+      'credential' => {
+        'access_token' => '9A3A941836F2458175BE18AA1971EBBF47949B07',
+        'token_expiry' => '2019-04-12T15:02:51Z'
+      }
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal('9A3A941836F2458175BE18AA1971EBBF47949B07',
+                   Kubeclient::GCPCommandCredentials.token(opts))
+    end
+  end
+end

data/test/test_oidc_auth_provider.rb

@@ -57,6 +57,25 @@ class OIDCAuthProviderTest < MiniTest::Test
     end
   end
 
+  def test_token_with_unknown_kid
+    OpenIDConnect::Discovery::Provider::Config.stub(:discover!, discovery_mock) do
+      OpenIDConnect::ResponseObject::IdToken.stub(
+        :decode, ->(_token, _jwks) { raise JSON::JWK::Set::KidNotFound }
+      ) do
+        OpenIDConnect::Client.stub(:new, openid_client_mock) do
+          retrieved_id_token = Kubeclient::OIDCAuthProvider.token(
+            'client-id' => @client_id,
+            'client-secret' => @client_secret,
+            'id-token' => @id_token,
+            'idp-issuer-url' => @idp_issuer_url,
+            'refresh-token' => @refresh_token
+          )
+          assert_equal(@new_id_token, retrieved_id_token)
+        end
+      end
+    end
+  end
+
   private
 
   def openid_client_mock

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.4.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-03-03 00:00:00.000000000 Z
+date: 2019-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -150,6 +150,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: jsonpath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rest-client
   requirement: !ruby/object:Gem::Requirement
@@ -216,10 +230,13 @@ files:
 - Rakefile
 - kubeclient.gemspec
 - lib/kubeclient.rb
+- lib/kubeclient/aws_eks_credentials.rb
 - lib/kubeclient/common.rb
 - lib/kubeclient/config.rb
 - lib/kubeclient/entity_list.rb
 - lib/kubeclient/exec_credentials.rb
+- lib/kubeclient/gcp_auth_provider.rb
+- lib/kubeclient/gcp_command_credentials.rb
 - lib/kubeclient/google_application_default_credentials.rb
 - lib/kubeclient/http_error.rb
 - lib/kubeclient/missing_kind_compatibility.rb
@@ -236,6 +253,7 @@ files:
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
 - test/config/gcpauth.kubeconfig
+- test/config/gcpcmdauth.kubeconfig
 - test/config/nouser.kubeconfig
 - test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
@@ -304,6 +322,7 @@ files:
 - test/test_config.rb
 - test/test_endpoint.rb
 - test/test_exec_credentials.rb
+- test/test_gcp_command_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb
@@ -361,6 +380,7 @@ test_files:
 - test/config/external-key.rsa
 - test/config/external.kubeconfig
 - test/config/gcpauth.kubeconfig
+- test/config/gcpcmdauth.kubeconfig
 - test/config/nouser.kubeconfig
 - test/config/oidcauth.kubeconfig
 - test/config/timestamps.kubeconfig
@@ -429,6 +449,7 @@ test_files:
 - test/test_config.rb
 - test/test_endpoint.rb
 - test/test_exec_credentials.rb
+- test/test_gcp_command_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb