Merge pull request #154 from britive/develop

v1.8.0rc2

Author: theborch

CHANGELOG.md

@@ -3,6 +3,28 @@
 * As of v1.4.0 release candidates will be published in an effort to get new features out faster while still allowing
 time for full QA testing before moving the release candidate to a full release.
 
+## v1.8.0rc2 [2024-06-07]
+
+__What's New:__
+
+* Added a new global config setting for CA bundle certificates.
+
+__Enhancements:__
+
+* Added new `ca_bundle` global setting for user provided CA bundle certs.
+
+__Bug Fixes:__
+
+* Switched `pybritive-kube-exec` to full path in for kube config.
+
+__Dependencies:__
+
+* `britive>=2.25.0rc4`
+
+__Other:__
+
+* None
+
 ## v1.8.0rc1 [2024-06-03]
 
 __What's New:__

docs/index.md

@@ -71,6 +71,17 @@ As such, any functionality of `requests` can be used, including setting an HTTP
 
 ### Custom TLS Certificates
 
+This can be set in the `pybritive.config` `global` settings by setting `ca_bundle`, e.g.:
+
+```toml
+[global]
+default_tenant=tenant
+output_format=json
+credential_backend=file
+# replace "/location/of/the/CA_BUNDLE_FILE.pem" with the path to the desired CA bundle file
+ca_bundle=/location/of/the/CA_BUNDLE_FILE.pem
+```
+
 Setting custom TLS certificates functionality of `requests` can also be used.
 
 * Certificate bundles will be set via environment variables.

requirements.txt

@@ -1,6 +1,6 @@
 beautifulsoup4
 boto3
-britive>=2.25.0rc3
+britive>=2.25.0rc4
 certifi
 charset-normalizer
 click~=8.1.7

src/pybritive/__init__.py

@@ -1 +1 @@
-__version__ = '1.8.0rc1'
+__version__ = '1.8.0rc2'

src/pybritive/helpers/config.py

@@ -43,6 +43,7 @@ def coalesce(*arg):
     'credential_backend',
     'auto-refresh-profile-cache',
     'auto-refresh-kube-config',
+    'ca_bundle',
 ]
 
 tenant_fields = ['name', 'output_format', 'sso_idp']
@@ -69,6 +70,7 @@ def __init__(self, cli: object, tenant_name: str = None):
         self.loaded = False
         self.validation_error_messages = []
         self.gcloud_key_file_path: str = str(Path(self.path).parent / 'pybritive-gcloud-key-files')
+        self.global_ca_bundle = None
 
     def clear_gcloud_auth_key_files(self, profile=None):
         path = Path(self.gcloud_key_file_path)
@@ -123,6 +125,7 @@ def load(self, force=False):
                     self.tenants_by_name[name] = item
         self.aliases_and_names = {**self.tenants, **self.tenants_by_name}
         self.profile_aliases = self.config.get('profile-aliases', {})
+        self.global_ca_bundle = self.config.get('ca_bundle', {})
         self.loaded = True
 
     def get_tenant(self):
@@ -300,6 +303,11 @@ def validate_global(self, section, fields):
                 if value not in tenant_aliases_from_sections:
                     error = f'Invalid {section} field {field} value {value} provided. Tenant not found.'
                     self.validation_error_messages.append(error)
+            if field == 'ca_bundle':
+                ca_bundle_file_path = Path(value).expanduser()
+                if not Path.is_file(ca_bundle_file_path):
+                    error = f'Invalid {field} file {ca_bundle_file_path}. File does not exist.'
+                    self.validation_error_messages.append(error)
 
     def validate_profile_aliases(self, section, fields):
         for field, value in fields.items():

src/pybritive/helpers/credentials.py

@@ -74,7 +74,10 @@ def _setup_requests_session(self):
         self.session = requests.Session()
         retries = Retry(total=5, backoff_factor=1, status_forcelist=[429, 500, 502, 503, 504])
         self.session.mount('https://', HTTPAdapter(max_retries=retries))
-
+        global_ca_bundle = self.cli.config.get_tenant().get('ca_bundle')
+        if global_ca_bundle and not os.getenv('REQUESTS_CA_BUNDLE', os.getenv('CURL_CA_BUNDLE')):
+            os.environ['PYBRITIVE_CA_BUNDLE'] = global_ca_bundle
+            self.session.verify = global_ca_bundle
         # allow the disabling of TLS/SSL verification for testing in development (mostly local development)
         if os.getenv('BRITIVE_NO_VERIFY_SSL') and '.dev.' in self.tenant:
             # turn off ssl verification

src/pybritive/helpers/kube_config_builder.py

@@ -1,10 +1,10 @@
-import click
-import yaml
+import base64
+import os
 from pathlib import Path
+import shutil
+import yaml
 from .config import ConfigManager
 from ..britive_cli import BritiveCli
-import os
-import base64
 
 
 def sanitize(name: str):
@@ -19,7 +19,7 @@ def check_env_var(filename, cli: BritiveCli):
     # no env var present
     if not kubeconfig:
         command = f'export KUBECONFIG=~/.kube/config:{filename}'
-        cli.print(f'Please ensure your KUBECONFIG environment variable includes the Britive managed kube config file.')
+        cli.print('Please ensure your KUBECONFIG environment variable includes the Britive managed kube config file.')
         cli.print(command)
     else:
         for configfile in kubeconfig.split(':'):
@@ -28,8 +28,7 @@ def check_env_var(filename, cli: BritiveCli):
                 return  # we found what we came for - silently continue
 
         # if we get here we need to instruct the user to add the britive managed kube config file
-        cli.print(f'Please modify your KUBECONFIG environment variable to include the '
-                  f'Britive managed kube config file.')
+        cli.print('Please modify your KUBECONFIG environment variable to include the Britive managed kube config file.')
         command = f'export KUBECONFIG="${{KUBECONFIG}}:{filename}"'
         cli.print(command)
 
@@ -40,7 +39,7 @@ def merge_new_with_existing(clusters, contexts, users, filename, tenant):
     # them with the above created items
     existing_kubeconfig = {}
     if Path(filename).exists():
-        with open(filename, 'r') as f:
+        with open(filename, 'r', encoding='utf-8') as f:
             existing_kubeconfig = yaml.safe_load(f) or {}
 
     prefix = f'{tenant}-'
@@ -57,16 +56,10 @@ def merge_new_with_existing(clusters, contexts, users, filename, tenant):
         if not user.get('name', '').startswith(prefix):
             users.append(user)
 
-    kubeconfig = {
-        'apiVersion': 'v1',
-        'clusters': clusters,
-        'contexts': contexts,
-        'users': users,
-        'kind': 'Config'
-    }
+    kubeconfig = {'apiVersion': 'v1', 'clusters': clusters, 'contexts': contexts, 'users': users, 'kind': 'Config'}
 
     # write out the config file
-    with open(filename, 'w') as f:
+    with open(filename, 'w', encoding='utf-8') as f:
         yaml.safe_dump(kubeconfig, f, default_flow_style=False, encoding='utf-8')
 
 
@@ -90,7 +83,7 @@ def parse_profiles(profiles, aliases):
                 'cert': profile['cert'],
                 'escaped_profile': escaped_profile_str,
                 'profile': f"{profile['app']}/{profile['env']}/{profile['profile']}".lower(),
-                'alias': alias
+                'alias': alias,
             }
         cluster_names[env_profile]['apps'].append(sanitize(profile['app']))
     return [cluster_names, assigned_aliases]
@@ -110,24 +103,28 @@ def valid_cert(cert: str, profile: str, cli: BritiveCli):
 
 
 def build_tenant_config(tenant, cluster_names, username, cli: BritiveCli):
-    users = [
-        {
-            'name': username,
-            'user': {
-                'exec': {
-                    'apiVersion': 'client.authentication.k8s.io/v1beta1',
-                    'command': 'pybritive-kube-exec',
-                    'args': [
-                        '-t',
-                        tenant
-                    ],
-                    'env': None,
-                    'interactiveMode': 'Never',
-                    'provideClusterInfo': True
-                }
+    kube_exec_full_path = shutil.which('pybritive-kube-exec')
+    if not kube_exec_full_path:
+        kube_exec_full_path = 'pybritive-kube-exec'
+    users = (
+        [
+            {
+                'name': username,
+                'user': {
+                    'exec': {
+                        'apiVersion': 'client.authentication.k8s.io/v1beta1',
+                        'command': kube_exec_full_path,
+                        'args': ['-t', tenant],
+                        'env': None,
+                        'interactiveMode': 'Never',
+                        'provideClusterInfo': True,
+                    }
+                },
             }
-        }
-    ] if len(cluster_names.keys()) > 0 else []
+        ]
+        if len(cluster_names.keys()) > 0
+        else []
+    )
     contexts = []
     clusters = []
 
@@ -153,22 +150,17 @@ def build_tenant_config(tenant, cluster_names, username, cli: BritiveCli):
                         'extensions': [
                             {
                                 'name': 'client.authentication.k8s.io/exec',
-                                'extension': {
-                                    'britive-profile': details.get('alias') or details['escaped_profile']
-                                }
+                                'extension': {'britive-profile': details.get('alias') or details['escaped_profile']},
                             }
-                        ]
-                    }
+                        ],
+                    },
                 }
             )
 
             contexts.append(
                 {
                     'name': details.get('alias') or f'{tenant}-{name}',
-                    'context': {
-                        'cluster': f'{tenant}-{name}',
-                        'user': username
-                    }
+                    'context': {'cluster': f'{tenant}-{name}', 'user': username},
                 }
             )
     return [clusters, contexts, users]
@@ -189,10 +181,7 @@ def build_kube_config(profiles: list, config: ConfigManager, username: str, cli:
 
     # establish the 3 elements of the config
     clusters, contexts, users = build_tenant_config(
-        tenant=tenant,
-        cluster_names=cluster_names,
-        username=username,
-        cli=cli
+        tenant=tenant, cluster_names=cluster_names, username=username, cli=cli
     )
 
     # calculate the path for the config
@@ -202,13 +191,7 @@ def build_kube_config(profiles: list, config: ConfigManager, username: str, cli:
 
     # merge any existing config with the new config
     # and write it to disk
-    merge_new_with_existing(
-        clusters=clusters,
-        contexts=contexts,
-        users=users,
-        tenant=tenant,
-        filename=filename
-    )
+    merge_new_with_existing(clusters=clusters, contexts=contexts, users=users, tenant=tenant, filename=filename)
 
     # if required ensure we tell the user they need to modify their KUBECONFIG env var
     # in order to pick up the Britive managed kube config file