@metaplay/metaplay-auth 1.2.0 → 1.3.0

package/dist/src/stackapi.js

@@ -1,21 +1,21 @@
 import { isValidFQDN, getGameserverAdminUrl } from './utils.js';
 import { logger } from './logging.js';
+import { dump } from 'js-yaml';
+import { getUserinfo } from './auth.js';
 export class StackAPI {
     accessToken;
-    _stack_api_base_uri;
-    constructor(accessToken) {
+    _stackApiBaseUrl;
+    constructor(accessToken, stackApiBaseUrl) {
         if (accessToken == null) {
             throw new Error('accessToken must be provided');
         }
         this.accessToken = accessToken;
-        this._stack_api_base_uri = 'https://infra.p1.metaplay.io/stackapi';
-    }
-    get stack_api_base_uri() {
-        return this._stack_api_base_uri.replace(/\/$/, '');
-    }
-    set stack_api_base_uri(uri) {
-        uri = uri.replace(/\/$/, ''); // Remove trailing slash
-        this._stack_api_base_uri = uri;
+        if (stackApiBaseUrl) {
+            this._stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, ''); // Remove trailing slash
+        }
+        else {
+            this._stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi';
+        }
     }
     async getAwsCredentials(gs) {
         let url = '';
@@ -25,11 +25,11 @@ export class StackAPI {
                 url = `https://${adminUrl}/.infra/credentials/aws`;
             }
             else {
-                url = `${this.stack_api_base_uri}/v0/credentials/${gs.gameserver}/aws`;
+                url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/aws`;
             }
         }
         else if (gs.organization != null && gs.project != null && gs.environment != null) {
-            url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`;
+            url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`;
         }
         else {
             throw new Error('Invalid arguments for getAwsCredentials');
@@ -55,11 +55,11 @@ export class StackAPI {
                 url = `https://${adminUrl}/.infra/credentials/k8s`;
             }
             else {
-                url = `${this.stack_api_base_uri}/v0/credentials/${gs.gameserver}/k8s`;
+                url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s`;
             }
         }
         else if (gs.organization != null && gs.project != null && gs.environment != null) {
-            url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`;
+            url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`;
         }
         else {
             throw new Error('Invalid arguments for getKubeConfig');
@@ -77,6 +77,137 @@ export class StackAPI {
         }
         return await response.text();
     }
+    /**
+     * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
+     * access credentials each time the kubeconfig is used.
+     * @param gs Game server environment to get credentials for.
+     * @returns The kubeconfig YAML.
+     */
+    async getKubeConfigExecCredential(gs) {
+        let url = '';
+        let gsSlug = '';
+        const execArgs = ['get-kubernetes-execcredential'];
+        if (gs.gameserver != null) {
+            const adminUrl = getGameserverAdminUrl(gs.gameserver);
+            url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`;
+            gsSlug = gs.gameserver;
+            execArgs.push('--gameserver', gs.gameserver);
+        }
+        else if (gs.organization != null && gs.project != null && gs.environment != null) {
+            url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`;
+            gsSlug = `${gs.organization}.${gs.project}.${gs.environment}`;
+            execArgs.push('--organization', gs.organization, '--project', gs.project, '--environment', gs.environment);
+        }
+        else {
+            throw new Error('Invalid arguments for getKubeConfigExecCredential');
+        }
+        logger.debug(`Getting Kubernetes KubeConfig from ${url}...`);
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${this.accessToken}`,
+                'Content-Type': 'application/json'
+            }
+        });
+        if (response.status !== 200) {
+            throw new Error(`Failed to fetch Kubernetes KubeConfig: ${response.statusText}`);
+        }
+        // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+        let kubeExecCredential;
+        try {
+            kubeExecCredential = await response.json();
+        }
+        catch {
+            throw new Error('Failed to fetch Kubernetes KubeConfig: the server response is not JSON');
+        }
+        if (!kubeExecCredential.spec.cluster) {
+            throw new Error('Received kubeExecCredential with missing spec.cluster');
+        }
+        let namespace = 'default';
+        let user = 'user';
+        try {
+            const environment = await this.getEnvironmentDetails(gs);
+            namespace = environment.deployment?.kubernetes_namespace ?? namespace;
+        }
+        catch (e) {
+            logger.debug('Failed to get environment details, using defaults', e);
+        }
+        try {
+            const userinfo = await getUserinfo(this.accessToken);
+            user = userinfo.sub ?? user;
+        }
+        catch (e) {
+            logger.debug('Failed to get userinfo, using defaults', e);
+        }
+        const kubeConfig = {
+            apiVersion: 'v1',
+            kind: 'Config',
+            'current-context': gsSlug,
+            clusters: [
+                {
+                    cluster: {
+                        'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
+                        server: kubeExecCredential.spec.cluster.server
+                    },
+                    name: kubeExecCredential.spec.cluster.server
+                }
+            ],
+            contexts: [
+                {
+                    context: {
+                        cluster: kubeExecCredential.spec.cluster.server,
+                        namespace,
+                        user
+                    },
+                    name: gsSlug,
+                }
+            ],
+            users: [
+                {
+                    name: user,
+                    user: {
+                        exec: {
+                            apiVersion: 'client.authentication.k8s.io/v1beta1',
+                            command: 'metaplay-auth',
+                            args: execArgs,
+                        }
+                    }
+                }
+            ],
+        };
+        // return as yaml for easier consumption
+        return dump(kubeConfig);
+    }
+    async getKubeExecCredential(gs) {
+        let url = '';
+        if (gs.gameserver != null) {
+            if (isValidFQDN(gs.gameserver)) {
+                const adminUrl = getGameserverAdminUrl(gs.gameserver);
+                url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`;
+            }
+            else {
+                url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s?type=execcredential`;
+            }
+        }
+        else if (gs.organization != null && gs.project != null && gs.environment != null) {
+            url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`;
+        }
+        else {
+            throw new Error('Invalid arguments for getKubeConfig');
+        }
+        logger.debug(`Getting Kubernetes ExecCredential from ${url}...`);
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${this.accessToken}`,
+                'Content-Type': 'application/json'
+            }
+        });
+        if (response.status !== 200) {
+            throw new Error(`Failed to fetch Kubernetes ExecCredential: ${response.statusText}`);
+        }
+        return await response.text();
+    }
     async getEnvironmentDetails(gs) {
         let url = '';
         if (gs.gameserver != null) {
@@ -85,11 +216,11 @@ export class StackAPI {
                 url = `https://${adminUrl}/.infra/environment`;
             }
             else {
-                url = `${this.stack_api_base_uri}/v0/deployments/${gs.gameserver}`;
+                url = `${this._stackApiBaseUrl}/v0/deployments/${gs.gameserver}`;
             }
         }
         else if (gs.organization != null && gs.project != null && gs.environment != null) {
-            url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`;
+            url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`;
         }
         else {
             throw new Error('Invalid arguments for environment details');

package/dist/src/stackapi.js.map

@@ -1 +1 @@
-{"version":3,"file":"stackapi.js","sourceRoot":"","sources":["../../src/stackapi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAC/D,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAgBrC,MAAM,OAAO,QAAQ;IACF,WAAW,CAAQ;IAE5B,mBAAmB,CAAQ;IAEnC,YAAa,WAAmB;QAC9B,IAAI,WAAW,IAAI,IAAI,EAAE;YACvB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;SAChD;QAED,IAAI,CAAC,WAAW,GAAG,WAAW,CAAA;QAC9B,IAAI,CAAC,mBAAmB,GAAG,uCAAuC,CAAA;IACpE,CAAC;IAED,IAAI,kBAAkB;QACpB,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IACpD,CAAC;IAED,IAAI,kBAAkB,CAAE,GAAW;QACjC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA,CAAC,wBAAwB;QACrD,IAAI,CAAC,mBAAmB,GAAG,GAAG,CAAA;IAChC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAE,EAAgB;QACvC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACvE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SACjH;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;SAC3D;QAED,MAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,KAAK,CAAC,CAAA;QACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,UAAU,mBAAmB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;SAC7G;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CAAE,EAAgB;QACnC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACvE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SACjH;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;SACvD;QAED,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,KAAK,CAAC,CAAA;QAEjD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SACvE;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAE,EAAgB;QAC3C,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,qBAAqB,CAAA;aAC/C;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,mBAAmB,EAAE,CAAC,UAAU,EAAE,CAAA;aACnE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,kBAAkB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;SACjG;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;SAC7D;QAED,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,KAAK,CAAC,CAAA;QAC1D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SAC/E;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;CACF"}
+{"version":3,"file":"stackapi.js","sourceRoot":"","sources":["../../src/stackapi.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAC/D,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAC9B,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAsEvC,MAAM,OAAO,QAAQ;IACF,WAAW,CAAQ;IAEnB,gBAAgB,CAAQ;IAEzC,YAAa,WAAmB,EAAE,eAAmC;QACnE,IAAI,WAAW,IAAI,IAAI,EAAE;YACvB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;SAChD;QAED,IAAI,CAAC,WAAW,GAAG,WAAW,CAAA;QAE9B,IAAI,eAAe,EAAE;YACnB,IAAI,CAAC,gBAAgB,GAAG,eAAe,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA,CAAC,wBAAwB;SACpF;aAAM;YACL,IAAI,CAAC,gBAAgB,GAAG,uCAAuC,CAAA;SAChE;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAE,EAAgB;QACvC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACrE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SAC/G;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;SAC3D;QAED,MAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,KAAK,CAAC,CAAA;QACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,UAAU,mBAAmB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;SAC7G;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,aAAa,CAAE,EAAgB;QACnC,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,yBAAyB,CAAA;aACnD;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,mBAAmB,EAAE,CAAC,UAAU,MAAM,CAAA;aACrE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,kBAAkB,CAAA;SAC/G;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;SACvD;QAED,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,KAAK,CAAC,CAAA;QAEjD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SACvE;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,2BAA2B,CAAE,EAAgB;QACjD,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,MAAM,GAAG,EAAE,CAAA;QACf,MAAM,QAAQ,GAAG,CAAC,+BAA+B,CAAC,CAAA;QAClD,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;YACrD,GAAG,GAAG,WAAW,QAAQ,6CAA6C,CAAA;YACtE,MAAM,GAAG,EAAE,CAAC,UAAU,CAAA;YACtB,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC,UAAU,CAAC,CAAA;SAC7C;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,sCAAsC,CAAA;YAClI,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;YAC7D,QAAQ,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE,CAAC,OAAO,EAAE,eAAe,EAAE,EAAE,CAAC,WAAW,CAAC,CAAA;SAC3G;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;SACrE;QAED,MAAM,CAAC,KAAK,CAAC,sCAAsC,GAAG,KAAK,CAAC,CAAA;QAE5D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,0CAA0C,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SACjF;QAED,gGAAgG;QAChG,IAAI,kBAAkB,CAAA;QACtB,IAAI;YACF,kBAAkB,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAwB,CAAA;SACjE;QAAC,MAAM;YACN,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAA;SAC1F;QAED,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE;YACpC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAA;SACzE;QAED,IAAI,SAAS,GAAG,SAAS,CAAA;QACzB,IAAI,IAAI,GAAG,MAAM,CAAA;QAEjB,IAAI;YACF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAA;YACxD,SAAS,GAAG,WAAW,CAAC,UAAU,EAAE,oBAAoB,IAAI,SAAS,CAAA;SACtE;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CAAC,mDAAmD,EAAE,CAAC,CAAC,CAAA;SACrE;QAED,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;YACpD,IAAI,GAAG,QAAQ,CAAC,GAAG,IAAI,IAAI,CAAA;SAC5B;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAA;SAC1D;QAED,MAAM,UAAU,GAAe;YAC7B,UAAU,EAAE,IAAI;YAChB,IAAI,EAAE,QAAQ;YACd,iBAAiB,EAAE,MAAM;YACzB,QAAQ,EAAE;gBACR;oBACE,OAAO,EAAE;wBACP,4BAA4B,EAAE,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,wBAAwB;wBACtF,MAAM,EAAE,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM;qBAC/C;oBACD,IAAI,EAAE,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM;iBAC7C;aACF;YACD,QAAQ,EAAE;gBACR;oBACE,OAAO,EAAE;wBACP,OAAO,EAAE,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM;wBAC/C,SAAS;wBACT,IAAI;qBACL;oBACD,IAAI,EAAE,MAAM;iBACb;aACF;YACD,KAAK,EAAE;gBACL;oBACE,IAAI,EAAE,IAAI;oBACV,IAAI,EAAE;wBACJ,IAAI,EAAE;4BACJ,UAAU,EAAE,sCAAsC;4BAClD,OAAO,EAAE,eAAe;4BACxB,IAAI,EAAE,QAAQ;yBACf;qBACF;iBACF;aACF;SACF,CAAA;QAED,wCAAwC;QACxC,OAAO,IAAI,CAAC,UAAU,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAE,EAAgB;QAC3C,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,6CAA6C,CAAA;aACvE;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,mBAAmB,EAAE,CAAC,UAAU,0BAA0B,CAAA;aACzF;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,sCAAsC,CAAA;SACnI;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;SACvD;QAED,MAAM,CAAC,KAAK,CAAC,0CAA0C,GAAG,KAAK,CAAC,CAAA;QAEhE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,8CAA8C,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SACrF;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAE,EAAgB;QAC3C,IAAI,GAAG,GAAG,EAAE,CAAA;QACZ,IAAI,EAAE,CAAC,UAAU,IAAI,IAAI,EAAE;YACzB,IAAI,WAAW,CAAC,EAAE,CAAC,UAAU,CAAC,EAAE;gBAC9B,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;gBACrD,GAAG,GAAG,WAAW,QAAQ,qBAAqB,CAAA;aAC/C;iBAAM;gBACL,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,mBAAmB,EAAE,CAAC,UAAU,EAAE,CAAA;aACjE;SACF;aAAM,IAAI,EAAE,CAAC,YAAY,IAAI,IAAI,IAAI,EAAE,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,IAAI,IAAI,EAAE;YAClF,GAAG,GAAG,GAAG,IAAI,CAAC,gBAAgB,eAAe,EAAE,CAAC,YAAY,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;SAC/F;aAAM;YACL,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;SAC7D;QAED,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,KAAK,CAAC,CAAA;QAC1D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;gBAC3C,cAAc,EAAE,kBAAkB;aACnC;SACF,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAA;SAC/E;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC9B,CAAC;CACF"}

package/index.ts

@@ -2,17 +2,42 @@
 import { Command } from 'commander'
 import { loginAndSaveTokens, machineLoginAndSaveTokens, extendCurrentSession, loadTokens, removeTokens } from './src/auth.js'
 import { StackAPI } from './src/stackapi.js'
+import type { GameserverId } from './src/stackapi.js'
 import { checkGameServerDeployment } from './src/deployment.js'
 import { logger, setLogLevel } from './src/logging.js'
+import { isValidFQDN } from './src/utils.js'
 import { exit } from 'process'
 import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
 
+/**
+ * Helper for parsing the GameserverId type from the command line arguments. Accepts either the gameserver address or the
+ * (organization, project, environment) tuple from options.
+ */
+function resolveGameserverId (address: string | undefined, options: any): GameserverId {
+  // If address is specified, use it, otherwise assume options has organization, project, and environment
+  if (address) {
+    if (isValidFQDN(address)) {
+      return { gameserver: address }
+    } else {
+      const parts = address.split('-')
+      if (parts.length !== 3) {
+        throw new Error('Invalid gameserver address syntax: specify either <organiation>-<project>-<environment> or a fully-qualified domain name (eg, idler-develop.p1.metaplay.io)')
+      }
+      return { organization: parts[0], project: parts[1], environment: parts[2] }
+    }
+  } else if (options.organization && options.project && options.environment) {
+    return { organization: options.organization, project: options.project, environment: options.environment }
+  } else {
+    throw new Error('Could not determine target environment from arguments: You need to specify either a gameserver address or an organization, project, and environment. Run this command with --help flag for more information.')
+  }
+}
+
 const program = new Command()
 
 program
   .name('metaplay-auth')
   .description('Authenticate with Metaplay and get AWS and Kubernetes credentials for game servers.')
-  .version('1.2.0')
+  .version('1.3.0')
   .option('-d, --debug', 'enable debug output')
   .hook('preAction', (thisCommand) => {
     // Handle debug flag for all commands.
@@ -94,43 +119,76 @@ program.command('show-tokens')
   })
 
 program.command('get-kubeconfig')
-  .description('get kubeconfig for deployment')
-  .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
+  .description('get kubeconfig for target environment')
+  .argument('[gameserver]', 'address of gameserver (e.g. metaplay-idler-develop or idler-develop.p1.metaplay.io)')
   .option('-s, --stack-api <stack-api-base-path>', 'explicit stack api (e.g. https://infra.p1.metaplay.io/stackapi/)')
   .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
   .option('-p, --project <project>', 'project name (e.g. idler)')
   .option('-e, --environment <environment>', 'environment name (e.g. develop)')
+  .option('-t, --type <format>', 'output format (static or dynamic)', 'static')
   .hook('preAction', async () => {
     await extendCurrentSession()
   })
   .action(async (gameserver, options) => {
     try {
       const tokens = await loadTokens()
-
-      if (!gameserver && !(options.organization && options.project && options.environment)) {
-        throw new Error('Could not determine a deployment to fetch the KubeConfigs from. You need to specify either a gameserver or an organization, project, and environment')
+      const stackApi = new StackAPI(tokens.access_token, options.stackApi)
+      const gameserverId = resolveGameserverId(gameserver, options)
+
+      if (options.type === 'dynamic') {
+        const credentials = await stackApi.getKubeConfigExecCredential(gameserverId)
+        console.log(credentials)
+      } else if (options.type === 'static') {
+        const credentials = await stackApi.getKubeConfig(gameserverId)
+        console.log(credentials)
+      } else {
+        throw new Error('Invalid type; must be one of static or dynamic')
       }
-
-      const stackApi = new StackAPI(tokens.access_token)
-      if (options.stackApi) {
-        stackApi.stack_api_base_uri = options.stackApi
+    } catch (error) {
+      if (error instanceof Error) {
+        console.error('Error getting KubeConfig:', error)
       }
+      exit(1)
+    }
+  })
 
-      const payload = gameserver ? { gameserver } : { organization: options.organization, project: options.project, environment: options.environment }
+/**
+ * Get the Kubernetes credentials in the execcredential format which can be used within the `kubeconfig` file:
+ * The kubeconfig can invoke this command to fetch the Kubernetes credentials just-in-time which allows us to
+ * generate kubeconfig files that don't contain access tokens and are longer-lived (the authentication is the
+ * same as that of metaplay-auth itself). Use `metaplay-auth get-kubeconfig -t dynamic ...` to create a
+ * kubeconfig that uses this command.
+ */
+// todo: maybe this should be a hidden command as it's not very useful for end users and clutters help?
+program.command('get-kubernetes-execcredential')
+  .description('get kubernetes credentials in execcredential format (only intended to be used within a kubeconfig)')
+  .argument('[gameserver]', 'address of gameserver (e.g. metaplay-idler-develop or idler-develop.p1.metaplay.io)')
+  .option('-s, --stack-api <stack-api-base-path>', 'explicit stack api (e.g. https://infra.p1.metaplay.io/stackapi/)')
+  .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
+  .option('-p, --project <project>', 'project name (e.g. idler)')
+  .option('-e, --environment <environment>', 'environment name (e.g. develop)')
+  .hook('preAction', async () => {
+    await extendCurrentSession()
+  })
+  .action(async (gameserver, options) => {
+    try {
+      const tokens = await loadTokens()
+      const stackApi = new StackAPI(tokens.access_token, options.stackApi)
+      const gameserverId = resolveGameserverId(gameserver, options)
 
-      const credentials = await stackApi.getKubeConfig(payload)
+      const credentials = await stackApi.getKubeExecCredential(gameserverId)
       console.log(credentials)
     } catch (error) {
       if (error instanceof Error) {
-        console.error(`Error getting KubeConfig: ${error.message}`)
+        console.error(`Error getting Kubernetes ExecCredential: ${error.message}`)
       }
       exit(1)
     }
   })
 
 program.command('get-aws-credentials')
-  .description('get AWS credentials for deployment')
-  .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
+  .description('get AWS credentials for target environment')
+  .argument('[gameserver]', 'address of gameserver (e.g. metaplay-idler-develop or idler-develop.p1.metaplay.io)')
   .option('-s, --stack-api <stack-api-base-path>', 'explicit stack api (e.g. https://infra.p1.metaplay.io/stackapi/)')
   .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
   .option('-p, --project <project>', 'project name (e.g. idler)')
@@ -146,19 +204,10 @@ program.command('get-aws-credentials')
       }
 
       const tokens = await loadTokens()
+      const stackApi = new StackAPI(tokens.access_token, options.stackApi)
+      const gameserverId = resolveGameserverId(gameserver, options)
 
-      if (!gameserver && !(options.organization && options.project && options.environment)) {
-        throw new Error('Could not determine a deployment to fetch the AWS credentials from. You need to specify either a gameserver or an organization, project, and environment')
-      }
-
-      const stackApi = new StackAPI(tokens.access_token)
-      if (options.stackApi) {
-        stackApi.stack_api_base_uri = options.stackApi
-      }
-
-      const payload = gameserver ? { gameserver } : { organization: options.organization, project: options.project, environment: options.environment }
-
-      const credentials = await stackApi.getAwsCredentials(payload)
+      const credentials = await stackApi.getAwsCredentials(gameserverId)
 
       if (options.format === 'env') {
         console.log(`export AWS_ACCESS_KEY_ID=${credentials.AccessKeyId}`)
@@ -179,8 +228,8 @@ program.command('get-aws-credentials')
   })
 
 program.command('get-docker-login')
-  .description('get docker login credentials for pushing the server image')
-  .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
+  .description('get docker login credentials for pushing the server image to target environment')
+  .argument('[gameserver]', 'address of gameserver (e.g. metaplay-idler-develop or idler-develop.p1.metaplay.io)')
   .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
   .option('-p, --project <project>', 'project name (e.g. idler)')
   .option('-e, --environment <environment>', 'environment name (e.g. develop)')
@@ -195,24 +244,16 @@ program.command('get-docker-login')
       }
 
       const tokens = await loadTokens()
-
-      if (!gameserver && !(options.organization && options.project && options.environment)) {
-        throw new Error('Could not determine a game server deployment. You need to specify either a gameserver or an organization, project, and environment')
-      }
-
-      const stackApi = new StackAPI(tokens.access_token)
-      if (options.stackApi) {
-        stackApi.stack_api_base_uri = options.stackApi
-      }
+      const stackApi = new StackAPI(tokens.access_token, options.stackApi)
+      const gameserverId = resolveGameserverId(gameserver, options)
 
       // Fetch AWS credentials from Metaplay cloud
       logger.debug('Get AWS credentials from Metaplay')
-      const payload = gameserver ? { gameserver } : { organization: options.organization, project: options.project, environment: options.environment }
-      const credentials = await stackApi.getAwsCredentials(payload)
+      const credentials = await stackApi.getAwsCredentials(gameserverId)
 
       // Get environment info (region is needed for ECR)
       logger.debug('Get environment info')
-      const environment = await stackApi.getEnvironmentDetails(payload)
+      const environment = await stackApi.getEnvironmentDetails(gameserverId)
       const awsRegion = environment.deployment.aws_region
       const dockerRepo = environment.deployment.ecr_repo
 
@@ -262,8 +303,8 @@ program.command('get-docker-login')
   })
 
 program.command('get-environment')
-  .description('get environment details for deployment')
-  .argument('[gameserver]', 'address of gameserver (e.g. idler-develop.p1.metaplay.io)')
+  .description('get details of an environment')
+  .argument('[gameserver]', 'address of gameserver (e.g. metaplay-idler-develop or idler-develop.p1.metaplay.io)')
   .option('-s, --stack-api <stack-api-base-path>', 'explicit stack api (e.g. https://infra.p1.metaplay.io/stackapi/)')
   .option('-o, --organization <organization>', 'organization name (e.g. metaplay)')
   .option('-p, --project <project>', 'project name (e.g. idler)')
@@ -274,19 +315,10 @@ program.command('get-environment')
   .action(async (gameserver, options) => {
     try {
       const tokens = await loadTokens()
+      const stackApi = new StackAPI(tokens.access_token, options.stackApi)
+      const gameserverId = resolveGameserverId(gameserver, options)
 
-      if (!gameserver && !(options.organization && options.project && options.environment)) {
-        throw new Error('Could not determine a deployment to fetch environment details from. You need to specify either a gameserver or an organization, project, and environment')
-      }
-
-      const stackApi = new StackAPI(tokens.access_token)
-      if (options.stackApi) {
-        stackApi.stack_api_base_uri = options.stackApi
-      }
-
-      const payload = gameserver ? { gameserver } : { organization: options.organization, project: options.project, environment: options.environment }
-
-      const environment = await stackApi.getEnvironmentDetails(payload)
+      const environment = await stackApi.getEnvironmentDetails(gameserverId)
       console.log(JSON.stringify(environment))
     } catch (error) {
       if (error instanceof Error) {
@@ -310,8 +342,8 @@ program.command('check-deployment')
       // Run the checks and exit with success/failure exitCode depending on result
       const exitCode = await checkGameServerDeployment(namespace)
       exit(exitCode)
-    } catch (error) {
-      console.error(`Failed to check deployment status: ${error}`)
+    } catch (error: any) {
+      console.error(`Failed to check deployment status: ${error.message}`)
       exit(1)
     }
   })

package/package.json

@@ -1,38 +1,40 @@
 {
   "name": "@metaplay/metaplay-auth",
   "description": "Utility CLI for authenticating with the Metaplay Auth and making authenticated calls to infrastructure endpoints.",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://metaplay.io",
   "bin": "dist/index.js",
+  "scripts": {
+    "dev": "tsx index.ts",
+    "prepublish": "tsc"
+  },
   "publishConfig": {
     "access": "public"
   },
   "devDependencies": {
+    "@metaplay/eslint-config": "workspace:*",
+    "@metaplay/typescript-config": "workspace:*",
     "@types/express": "^4.17.21",
+    "@types/js-yaml": "^4.0.9",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/jwk-to-pem": "^2.0.3",
-    "@types/node": "^20.11.28",
+    "@types/node": "^20.12.5",
     "tsx": "^4.7.1",
     "typescript": "^5.1.6",
-    "vitest": "^1.3.1",
-    "@metaplay/eslint-config": "1.0.0",
-    "@metaplay/typescript-config": "1.0.0"
+    "vitest": "^1.4.0"
   },
   "dependencies": {
-    "@aws-sdk/client-ecr": "^3.535.0",
-    "@kubernetes/client-node": "^0.20.0",
-    "@ory/client": "^1.6.2",
+    "@aws-sdk/client-ecr": "^3.549.0",
+    "@kubernetes/client-node": "^1.0.0-rc4",
+    "@ory/client": "^1.9.0",
     "commander": "^12.0.0",
-    "h3": "^1.10.2",
+    "h3": "^1.11.1",
+    "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
     "jwk-to-pem": "^2.0.5",
-    "open": "^10.0.2",
+    "open": "^10.1.0",
     "tslog": "^4.9.2"
-  },
-  "scripts": {
-    "dev": "tsx index.ts",
-    "prepublish": "tsc"
   }
 }

package/src/auth.ts

@@ -7,7 +7,7 @@ import open from 'open'
 import { randomBytes, createHash } from 'node:crypto'
 import jwt from 'jsonwebtoken'
 import jwkToPem from 'jwk-to-pem'
-import { Configuration, WellknownApi } from '@ory/client'
+import { Configuration, WellknownApi, OidcApi } from '@ory/client'
 import { setSecret, getSecret, removeSecret } from './secret_store.js'
 
 import { logger } from './logging.js'
@@ -20,6 +20,9 @@ const tokenEndpoint = `${baseURL}/oauth2/token`
 const wellknownApi = new WellknownApi(new Configuration({
   basePath: baseURL,
 }))
+const oidcApi = new OidcApi(new Configuration({
+  basePath: baseURL,
+}))
 
 /**
  * A helper function which generates a code verifier and challenge for exchaning code from Ory server.
@@ -31,6 +34,34 @@ function generateCodeVerifierAndChallenge (): { verifier: string, challenge: str
   return { verifier, challenge }
 }
 
+/**
+ * A helper function which fetches the user's info from an OIDC userinfo endpoint for the given token.
+ * @param token The token to fetch the userinfo for.
+ * @returns An object containing the user's info.
+ */
+export async function getUserinfo (token: string): Promise<any> {
+  logger.debug('Trying to find OIDC well-known endpoints...')
+  const oidcRes = await oidcApi.discoverOidcConfiguration()
+
+  const userinfoEndpoint = oidcRes.data?.userinfo_endpoint
+  if (!userinfoEndpoint) {
+    throw new Error('No userinfo endpoint found in OIDC configuration')
+  }
+  logger.debug(`Found userinfo endpoint: ${userinfoEndpoint}`)
+
+  const userinfoRes = await fetch(userinfoEndpoint, {
+    headers: {
+      Authorization: `Bearer ${token}`
+    }
+  })
+
+  if (userinfoRes.status < 200 || userinfoRes.status >= 300) {
+    throw new Error(`Failed to fetch userinfo: ${userinfoRes.status} ${userinfoRes.statusText}`)
+  }
+
+  return await userinfoRes.json()
+}
+
 /**
  * A helper function which finds an local available port to listen on.
  * @returns A promise that resolves to an available port.

package/src/deployment.ts

@@ -1,7 +1,7 @@
-import { promises as fs, existsSync } from 'fs'
+import { existsSync } from 'fs'
 import { KubeConfig, CoreV1Api, V1Pod } from '@kubernetes/client-node'
 import { logger } from './logging.js'
-import { error } from 'console'
+import type { CoreV1ApiListNamespacedPodRequest, CoreV1ApiReadNamespacedPodLogRequest } from '@kubernetes/client-node'
 
 enum GameServerPodPhase {
   Pending = 'Pending', // Still being deployed
@@ -18,14 +18,17 @@ interface GameServerPodStatus {
 
 async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
   // Define label selector for gameserver
-  const labelSelector = 'app=metaplay-server'
+  const param: CoreV1ApiListNamespacedPodRequest = {
+    namespace,
+    labelSelector: 'app=metaplay-server'
+  }
 
   try {
     // Get gameserver pods in the namespace
-    const response = await k8sApi.listNamespacedPod(namespace, undefined, undefined, undefined, undefined, labelSelector)
+    const response = await k8sApi.listNamespacedPod(param)
 
     // Return pod statuses
-    return response.body.items
+    return response.items
   } catch (error) {
     // \todo Better error handling ..
     console.log('Failed to fetch pods from Kubernetes:', error)
@@ -168,13 +171,19 @@ async function fetchPodLogs (k8sApi: CoreV1Api, pod: V1Pod) {
     throw new Error('Unable to determine pod metadata')
   }
 
-  const pretty = 'True'
-  const previous = false
-  const tailLines = 100
-  const timestamps = true
+  const params: CoreV1ApiReadNamespacedPodLogRequest = {
+    name: podName,
+    namespace,
+    container: containerName,
+    pretty: 'true',
+    previous: false,
+    tailLines: 100,
+    timestamps: true
+  }
+
   try {
-    const response = await k8sApi.readNamespacedPodLog(podName, namespace, containerName, undefined, undefined, undefined, pretty, previous, undefined, tailLines, timestamps)
-    return response.body
+    const response: string = await k8sApi.readNamespacedPodLog(params)
+    return response
   } catch (error) {
     // \todo Better error handling ..
     console.log('Failed to fetch pod logs from Kubernetes:', error)
@@ -218,7 +227,12 @@ export async function checkGameServerDeployment (namespace: string): Promise<num
 
   // Create Kubernetes API instance (with default kubeconfig)
   const kc = new KubeConfig()
-  kc.loadFromFile(kubeconfigPath)
+  // Loda kubeconfig from file and throw error if validation fails.
+  try {
+    kc.loadFromFile(kubeconfigPath)
+  } catch (error) {
+    throw new Error(`Failed to load or validate kubeconfig. ${error}`)
+  }
   const k8sApi = kc.makeApiClient(CoreV1Api)
 
   // Figure out when to stop