Inclusterconfig, Bearer token, and Basic auth

Author: ynqa

README.md

@@ -1,6 +1,7 @@
 # kubernetes-rust
 
-[![Client Support Level](https://img.shields.io/badge/kubernetes%20client-alpha-green.svg?style=flat&colorA=306CE8)](http://bit.ly/kubernetes-client-support-badge)
+[![Client Capabilities](https://img.shields.io/badge/Kubernetes%20client-Bronze-blue.svg?style=plastic&colorB=cd7f32&colorA=306CE8)](http://bit.ly/kubernetes-client-capabilities-badge)
+[![Client Support Level](https://img.shields.io/badge/kubernetes%20client-beta-green.svg?style=plastic&colorA=306CE8)](http://bit.ly/kubernetes-client-support-badge)
 
 Rust client for [Kubernetes](http://kubernetes.io) API.
 

src/client/mod.rs

@@ -28,7 +28,7 @@ impl APIClient {
             http::Method::DELETE => self.configuration.client.delete(&uri_str),
             http::Method::PUT => self.configuration.client.put(&uri_str),
             other => {
-                return Err(Error::from(format_err!("invalid method: {}", other)));
+                return Err(Error::from(format_err!("Invalid method: {}", other)));
             }
         }.body(body);
 

src/config/apis.rs

@@ -106,7 +106,7 @@ impl Config {
 
 impl Cluster {
     pub fn load_certificate_authority(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(
+        utils::load_data_or_file(
             &self.certificate_authority_data,
             &self.certificate_authority,
         )
@@ -115,10 +115,10 @@ impl Cluster {
 
 impl AuthInfo {
     pub fn load_client_certificate(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(&self.client_certificate_data, &self.client_certificate)
+        utils::load_data_or_file(&self.client_certificate_data, &self.client_certificate)
     }
 
     pub fn load_client_key(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(&self.client_key_data, &self.client_key)
+        utils::load_data_or_file(&self.client_key_data, &self.client_key)
     }
 }

src/config/incluster_config.rs

@@ -0,0 +1,37 @@
+use std::env;
+
+use failure::Error;
+use openssl::x509::X509;
+
+use config::utils;
+
+pub const SERVICE_HOSTENV: &str = "KUBERNETES_SERVICE_HOST";
+pub const SERVICE_PORTENV: &str = "KUBERNETES_SERVICE_PORT";
+const SERVICE_TOKENFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+const SERVICE_CERTFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
+
+pub fn kube_server() -> Option<String> {
+    let f = |(h, p)| format!("https://{}{}", h, p);
+    kube_host().and_then(|h| kube_port().map(|p| f((h, p))))
+}
+
+fn kube_host() -> Option<String> {
+    env::var(SERVICE_HOSTENV).ok()
+}
+
+fn kube_port() -> Option<String> {
+    env::var(SERVICE_PORTENV).ok()
+}
+
+pub fn load_token() -> Result<String, Error> {
+    utils::load_token_data_or_file(&None, &Some(SERVICE_TOKENFILE.to_string()))?.ok_or(format_err!(
+        "Unable to load token from {}",
+        SERVICE_TOKENFILE
+    ))
+}
+
+pub fn load_cert() -> Result<X509, Error> {
+    let ca = utils::load_data_or_file(&None, &Some(SERVICE_CERTFILE.to_string()))?
+        .ok_or(format_err!("Unable to load certificate"))?;
+    X509::from_pem(&ca).map_err(Error::from)
+}

src/config/loader.rs src/config/kube_config.rssrc/config/loader.rs renamed to src/config/kube_config.rs

@@ -43,8 +43,14 @@ impl KubeConfigLoader {
     }
 
     pub fn p12(&self, password: &str) -> Result<Pkcs12, Error> {
-        let client_cert = self.user.load_client_certificate()?.unwrap();
-        let client_key = self.user.load_client_key()?.unwrap();
+        let client_cert = self
+            .user
+            .load_client_certificate()?
+            .ok_or(format_err!("Unable to load client certificate"))?;
+        let client_key = self
+            .user
+            .load_client_key()?
+            .ok_or(format_err!("Unable to load client key"))?;
 
         let x509 = X509::from_pem(&client_cert)?;
         let pkey = PKey::private_key_from_pem(&client_key)?;
@@ -55,7 +61,10 @@ impl KubeConfigLoader {
     }
 
     pub fn ca(&self) -> Result<X509, Error> {
-        let ca = self.cluster.load_certificate_authority()?.unwrap();
+        let ca = self
+            .cluster
+            .load_certificate_authority()?
+            .ok_or(format_err!("Unable to load certificate authority"))?;
         X509::from_pem(&ca).map_err(Error::from)
     }
 }

src/config/mod.rs

@@ -1,11 +1,13 @@
 mod apis;
-mod loader;
+mod incluster_config;
+mod kube_config;
 mod utils;
 
+use base64;
 use failure::Error;
 use reqwest::{header, Certificate, Client, Identity};
 
-use self::loader::KubeConfigLoader;
+use self::kube_config::KubeConfigLoader;
 
 pub struct Configuration {
     pub base_path: String,
@@ -22,15 +24,14 @@ impl Configuration {
 }
 
 pub fn load_kube_config() -> Result<Configuration, Error> {
-    let kubeconfig = utils::kube_path()
+    let kubeconfig = utils::kubeconfig_path()
         .or_else(utils::default_kube_path)
-        .ok_or(format_err!("Unable to load config"))?;
+        .ok_or(format_err!("Unable to load kubeconfig"))?;
 
     let loader = KubeConfigLoader::load(kubeconfig)?;
 
-    let password = " ";
-    let p12 = loader.p12(password)?;
-    let req_p12 = Identity::from_pkcs12_der(&p12.to_der()?, password)?;
+    let p12 = loader.p12(" ")?;
+    let req_p12 = Identity::from_pkcs12_der(&p12.to_der()?, " ")?;
 
     let ca = loader.ca()?;
     let req_ca = Certificate::from_der(&ca.to_der()?)?;
@@ -40,10 +41,51 @@ pub fn load_kube_config() -> Result<Configuration, Error> {
         .add_root_certificate(req_ca);
 
     let mut headers = header::HeaderMap::new();
-    headers.insert(header::AUTHORIZATION, header::HeaderValue::from_static(""));
+
+    match (
+        utils::load_token_data_or_file(&loader.user.token, &loader.user.token_file)?,
+        (loader.user.username, loader.user.password),
+    ) {
+        (Some(token), _) => {
+            headers.insert(
+                header::AUTHORIZATION,
+                header::HeaderValue::from_str(&format!("Bearer {}", token))?,
+            );
+        }
+        (_, (Some(u), Some(p))) => {
+            let encoded = base64::encode(&format!("{}:{}", u, p));
+            headers.insert(
+                header::AUTHORIZATION,
+                header::HeaderValue::from_str(&format!("Basic {}", encoded))?,
+            );
+        }
+        _ => {}
+    }
 
     Ok(Configuration::new(
         loader.cluster.server,
         client_builder.build()?,
     ))
 }
+
+pub fn incluster_config() -> Result<Configuration, Error> {
+    let server = incluster_config::kube_server().ok_or(format_err!(
+        "Unable to load incluster config, {} and {} must be defined",
+        incluster_config::SERVICE_HOSTENV,
+        incluster_config::SERVICE_PORTENV
+    ))?;
+
+    let ca = incluster_config::load_cert()?;
+    let req_ca = Certificate::from_der(&ca.to_der()?)?;
+
+    let client_builder = Client::builder().add_root_certificate(req_ca);
+
+    let token = incluster_config::load_token()?;
+    let mut headers = header::HeaderMap::new();
+    headers.insert(
+        header::AUTHORIZATION,
+        header::HeaderValue::from_str(&format!("Bearer {}", token))?,
+    );
+
+    Ok(Configuration::new(server, client_builder.build()?))
+}

src/config/utils.rs

@@ -9,15 +9,15 @@ use failure::Error;
 
 const KUBECONFIG: &str = "KUBECONFIG";
 
-pub fn kube_path() -> Option<PathBuf> {
+pub fn kubeconfig_path() -> Option<PathBuf> {
     env::var_os(KUBECONFIG).map(PathBuf::from)
 }
 
 pub fn default_kube_path() -> Option<PathBuf> {
     home_dir().map(|h| h.join(".kube").join("config"))
 }
 
-pub fn data_or_file(
+pub fn load_data_or_file(
     data: &Option<String>,
     file: &Option<String>,
 ) -> Result<Option<Vec<u8>>, Error> {
@@ -32,3 +32,19 @@ pub fn data_or_file(
         _ => Ok(None),
     }
 }
+
+pub fn load_token_data_or_file(
+    data: &Option<String>,
+    file: &Option<String>,
+) -> Result<Option<String>, Error> {
+    match (data, file) {
+        (Some(d), _) => Ok(Some(d.to_string())),
+        (_, Some(f)) => {
+            let mut s = String::new();
+            let mut ff = File::open(f)?;
+            ff.read_to_string(&mut s)?;
+            Ok(Some(s))
+        }
+        _ => Ok(None),
+    }
+}