@metaplay/metaplay-auth 1.4.1 → 1.5.0

package/package.json

@@ -1,45 +1,43 @@
 {
   "name": "@metaplay/metaplay-auth",
   "description": "Utility CLI for authenticating with the Metaplay Auth and making authenticated calls to infrastructure endpoints.",
-  "version": "1.4.1",
+  "version": "1.5.0",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://metaplay.io",
   "bin": {
-    "metaplay-auth": "dist/index.js"
+    "metaplay-auth": "dist/index.cjs"
   },
   "scripts": {
     "dev": "tsx index.ts",
-    "prepublish": "tsc"
+    "bake-version": "node -p \"'export const PACKAGE_VERSION = ' + JSON.stringify(require('./package.json').version)\" > src/version.ts"
   },
   "publishConfig": {
     "access": "public"
   },
   "devDependencies": {
     "@metaplay/eslint-config": "workspace:*",
-    "@metaplay/typescript-config": "workspace:*",
-    "@types/dockerode": "^3.3.28",
+    "@types/dockerode": "^3.3.29",
     "@types/express": "^4.17.21",
     "@types/js-yaml": "^4.0.9",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/jwk-to-pem": "^2.0.3",
-    "@types/node": "^20.12.5",
+    "@types/node": "^20.14.8",
+    "@types/semver": "^7.5.8",
+    "esbuild": "^0.23.0",
     "tsx": "^4.7.1",
-    "typescript": "^5.1.6",
-    "vitest": "^1.4.0"
-  },
-  "dependencies": {
-    "@aws-sdk/client-ecr": "^3.549.0",
-    "@kubernetes/client-node": "^1.0.0-rc4",
+    "typescript": "5.4.x",
+    "vitest": "^1.4.0",
+    "@aws-sdk/client-ecr": "^3.620.0",
+    "@kubernetes/client-node": "^1.0.0-rc6",
     "@ory/client": "^1.9.0",
-    "@types/semver": "^7.5.8",
     "commander": "^12.0.0",
     "dockerode": "^4.0.2",
     "h3": "^1.11.1",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
     "jwk-to-pem": "^2.0.5",
-    "open": "^10.1.0",
+    "open": "^8.4.2",
     "semver": "^7.6.0",
     "tslog": "^4.9.2"
   }

package/src/auth.ts

@@ -12,6 +12,12 @@ import { setSecret, getSecret, removeSecret } from './secret_store.js'
 
 import { logger } from './logging.js'
 
+export interface TokenSet {
+  id_token?: string
+  access_token: string
+  refresh_token?: string
+}
+
 // oauth2 client details (maybe move these to be discovered from some online location to make changes easier to manage?)
 const clientId = 'c16ea663-ced3-46c6-8f85-38c9681fe1f0'
 const baseURL = 'https://auth.metaplay.dev'
@@ -275,7 +281,7 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
 
   // Check if the response is OK
   if (!response.ok) {
-    const responseJSON = await response.json()
+    const responseJSON = await response.json() as { error: string, error_description: string }
 
     logger.error('Failed to refresh tokens.')
     logger.error(`Error Type: ${responseJSON.error}`)
@@ -288,7 +294,7 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
     throw new Error('Failed extending current session, exiting. Please log in again.')
   }
 
-  return await response.json()
+  return await response.json() as { id_token: string, access_token: string, refresh_token: string }
 }
 
 /**
@@ -310,7 +316,7 @@ async function getTokensWithAuthorizationCode (state: string, redirectUri: strin
       body: `grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(redirectUri)}&client_id=${clientId}&code_verifier=${verifier}&state=${encodeURIComponent(state)}`
     })
 
-    return await response.json()
+    return await response.json() as { id_token: string, access_token: string, refresh_token: string }
   } catch (error) {
     if (error instanceof Error) {
       logger.error(`Error exchanging code for tokens: ${error.message}`)
@@ -322,9 +328,9 @@ async function getTokensWithAuthorizationCode (state: string, redirectUri: strin
 /**
  * Load tokens from the local secret store.
  */
-export async function loadTokens (): Promise<{ id_token?: string, access_token: string, refresh_token?: string }> {
+export async function loadTokens (): Promise<TokenSet> {
   try {
-    const tokens = await getSecret('tokens') as { id_token?: string, access_token: string, refresh_token?: string }
+    const tokens = await getSecret('tokens') as TokenSet
 
     if (!tokens) {
       throw new Error('Unable to load tokens. You need to login first.')

package/src/deployment.ts

@@ -1,6 +1,11 @@
-import { KubeConfig, CoreV1Api, V1Pod } from '@kubernetes/client-node'
+import { KubeConfig, CoreV1Api, type V1Pod, type CoreV1ApiListNamespacedPodRequest, type CoreV1ApiReadNamespacedPodLogRequest } from '@kubernetes/client-node'
 import { logger } from './logging.js'
-import type { CoreV1ApiListNamespacedPodRequest, CoreV1ApiReadNamespacedPodLogRequest } from '@kubernetes/client-node'
+import { TargetEnvironment } from 'targetenvironment.js'
+import { exit } from 'process'
+import { unlink, writeFile } from 'fs/promises'
+import { executeCommand, type ExecuteCommandResult } from './utils.js'
+import os from 'os'
+import path from 'path'
 
 enum GameServerPodPhase {
   Ready = 'Ready', // Successfully started and ready to accept traffic
@@ -16,7 +21,7 @@ interface GameServerPodStatus {
   details?: any
 }
 
-async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
+async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string): Promise<V1Pod[]> {
   // Define label selector for gameserver
   logger.debug(`Fetching game server pods from Kubernetes: namespace=${namespace}`)
   const param: CoreV1ApiListNamespacedPodRequest = {
@@ -32,7 +37,7 @@ async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
     return response.items
   } catch (error) {
     // \todo Better error handling ..
-    console.log('Failed to fetch pods from Kubernetes:', error)
+    console.error('Failed to fetch pods from Kubernetes:', error)
     throw new Error('Failed to fetch pods from Kubernetes')
   }
 }
@@ -77,9 +82,9 @@ function resolvePodContainersConditions (pod: V1Pod): GameServerPodStatus {
       // Try to detecth why the previous launch failed
       if (containerState.waiting) {
         const reason = containerState.waiting.reason
-        if (knownContainerFailureReasons.includes(reason as string)) {
+        if (reason && knownContainerFailureReasons.includes(reason)) {
           return { phase: GameServerPodPhase.Failed, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
-        } else if (knownContainerPendingReasons.includes(reason as string)) {
+        } else if (reason && knownContainerPendingReasons.includes(reason)) {
           return { phase: GameServerPodPhase.Pending, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
         } else {
           return { phase: GameServerPodPhase.Unknown, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
@@ -141,7 +146,20 @@ function resolvePodStatusConditions (pod: V1Pod): GameServerPodStatus {
   return { phase: GameServerPodPhase.Ready, message: 'Pod is ready to serve traffic' }
 }
 
-function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
+function resolvePodGameServerImageTag (pod: V1Pod): string | null {
+  // Find the shard-server spec from the pod and extract image tag from spec
+  const containerSpec = pod.spec?.containers?.find(containerSpec => containerSpec.name === 'shard-server')
+  if (!containerSpec) {
+    return null
+  }
+  if (!containerSpec.image) {
+    return null
+  }
+  const [_, imageTag] = containerSpec.image.split(':')
+  return imageTag
+}
+
+function resolvePodStatus (pod: V1Pod, requiredImageTag: string | null): GameServerPodStatus {
   // logger.debug('resolvePodStatus(): pod =', JSON.stringify(pod, undefined, 2))
 
   if (!pod) {
@@ -152,6 +170,14 @@ function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
     return { phase: GameServerPodPhase.Unknown, message: 'Unable to access pod.status from Kubernetes' }
   }
 
+  // Check the pod has the expected image.
+  if (requiredImageTag !== null) {
+    const podImageTag = resolvePodGameServerImageTag(pod)
+    if (podImageTag !== requiredImageTag) {
+      return { phase: GameServerPodPhase.Unknown, message: `Image tag is not (yet?) updated. Pod image is ${podImageTag ?? 'unknown'}, expecting ${requiredImageTag}.` }
+    }
+  }
+
   // Handle status.phase
   const podPhase = pod.status?.phase
   switch (podPhase) {
@@ -163,8 +189,14 @@ function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
       // Pod has been scheduled and start -- note that the containers may have failed!
       return resolvePodStatusConditions(pod)
 
-    case 'Succeeded': // Should not happen, the game server pods should never stop
-    case 'Failed': // Should not happen, the game server pods should never stop
+    case 'Succeeded':
+      // Should not happen, the game server pods should never stop
+      return { phase: GameServerPodPhase.Unknown, message: 'Pod has unexpectedly terminated (with a clean exit status)' }
+
+    case 'Failed':
+      // Should not happen, the game server pods should never stop
+      return { phase: GameServerPodPhase.Unknown, message: 'Pod has unexpectedly terminated (with a failure exit status)' }
+
     case 'Unknown':
     default:
       return { phase: GameServerPodPhase.Unknown, message: `Invalid pod.status.phase: ${podPhase}` }
@@ -200,11 +232,11 @@ async function fetchPodLogs (k8sApi: CoreV1Api, pod: V1Pod) {
   }
 }
 
-async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod) {
+async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod, requiredImageTag: string | null) {
   // console.log('Pod:', JSON.stringify(pod, undefined, 2))
 
   // Classify game server status
-  const podStatus = resolvePodStatus(pod)
+  const podStatus = resolvePodStatus(pod, requiredImageTag)
   const podName = pod.metadata?.name ?? '<unable to resolve name>'
 
   // If game server launch failed, get the error logs
@@ -218,7 +250,7 @@ async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod) {
 }
 
 async function delay (ms: number): Promise<void> {
-  return await new Promise<void>(resolve => setTimeout(resolve, ms))
+  await new Promise<void>(resolve => setTimeout(resolve, ms))
 }
 
 function anyPodsInPhase (podStatuses: GameServerPodStatus[], phase: GameServerPodPhase): boolean {
@@ -229,7 +261,7 @@ function allPodsInPhase (podStatuses: GameServerPodStatus[], phase: GameServerPo
   return podStatuses.every(status => status.phase === phase)
 }
 
-export async function checkGameServerDeployment (namespace: string, kubeconfig: KubeConfig): Promise<number> {
+export async function checkGameServerDeployment (namespace: string, kubeconfig: KubeConfig, requiredImageTag: string | null): Promise<number> {
   const k8sApi = kubeconfig.makeApiClient(CoreV1Api)
 
   // Figure out when to stop
@@ -242,7 +274,7 @@ export async function checkGameServerDeployment (namespace: string, kubeconfig:
     logger.debug(`Found ${pods?.length} pod(s) deployed in Kubernetes`)
     if (pods.length > 0) {
       // Resolve status for all pods
-      const podStatuses = await Promise.all(pods.map(async pod => await checkGameServerPod(k8sApi, pod)))
+      const podStatuses = await Promise.all(pods.map(async pod => await checkGameServerPod(k8sApi, pod, requiredImageTag)))
       logger.debug(`Pod phases: ${podStatuses.map(status => status.phase)}`)
 
       // Handle state of the deployment
@@ -285,3 +317,81 @@ export async function checkGameServerDeployment (namespace: string, kubeconfig:
     await delay(2000)
   }
 }
+
+export async function debugGameServer (targetEnv: TargetEnvironment, targetPodName?: string) {
+  // Initialize kubeconfig for target environment
+  logger.debug('Get kubeconfig')
+  let kubeconfigPayload
+  const kubeconfig = new KubeConfig()
+  try {
+    kubeconfigPayload = await targetEnv.getKubeConfig()
+    kubeconfig.loadFromString(kubeconfigPayload)
+  } catch (error) {
+    console.error(`Failed to fetch kubeconfig for environment: ${error}`)
+    exit(1)
+  }
+
+  // Fetch environment details
+  logger.debug('Get environment details')
+  const envInfo = await targetEnv.getEnvironmentDetails()
+  const kubernetesNamespace = envInfo.deployment.kubernetes_namespace
+
+  // Resolve which pods are running in the target environment
+  logger.debug('Get running game server pods')
+  const k8sApi = kubeconfig.makeApiClient(CoreV1Api)
+  const gameServerPods = await fetchGameServerPods(k8sApi, kubernetesNamespace)
+
+  // If no pod name is specified, automaticalyl target a singleton pod or fail if there are multiple
+  if (!targetPodName) {
+    if (gameServerPods.length === 1) {
+      const metadata = gameServerPods[0].metadata
+      if (!metadata?.name) {
+        throw new Error('Unable to resolve name for the Kubernetes pod!')
+      }
+      targetPodName = metadata.name
+    } else {
+      const podNames = gameServerPods.map(pod => pod.metadata?.name).join(', ')
+      console.error(`Multiple game server pods running: ${podNames}\nPlease specify which you want to debug.`)
+      exit(1)
+    }
+  }
+
+  // Execute 'kubectl debug ..'
+  const tmpKubeconfigPath = path.join(os.tmpdir(), `temp-kubeconfig-${+Date.now()}`)
+  try {
+    // Write kubeconfig to a file
+    logger.debug(`Write temporary kubeconfig to ${tmpKubeconfigPath}`)
+    await writeFile(tmpKubeconfigPath, kubeconfigPayload)
+
+    // Run kubctl
+    // const args = [`--kubeconfig=${tmpKubeconfigPath}`, `--namespace=${kubernetesNamespace}`, 'get', 'pods']
+    const args = [
+      `--kubeconfig=${tmpKubeconfigPath}`,
+      `--namespace=${kubernetesNamespace}`,
+      'debug',
+      targetPodName,
+      '-it',
+      '--profile=general',
+      '--image=metaplay/diagnostics:latest',
+      '--target=shard-server'
+    ]
+    console.log(`Execute: kubectl ${args.join(' ')}`)
+    const execResult = await executeCommand('kubectl', args, true)
+
+    // Remove temporary kubeconfig
+    logger.debug('Delete temporary kubeconfig')
+    await unlink(tmpKubeconfigPath)
+
+    // Forward exit code
+    if (execResult?.exitCode !== 0) {
+      console.error(`kubectl failed failed with exit code ${execResult.exitCode}`)
+      exit(execResult.exitCode)
+    }
+  } catch (err) {
+    console.error(`Failed to execute 'kubectl': ${err}. You need to have kubectl installed to debug a game server with metaplay-auth.`)
+
+    // Remove temporary kubeconfig
+    logger.debug('Delete temporary kubeconfig')
+    await unlink(tmpKubeconfigPath)
+  }
+}