Merge pull request #5 from ynqa/bronze

Inclusterconfig, Bearer token, and Basic auth

Author: ynqa

.travis.yml

@@ -0,0 +1,14 @@
+language: rust
+
+rust:
+  - stable
+  - beta
+  - nightly
+
+matrix:
+  allow_failures:
+    - rust: nightly
+
+script:
+  - cargo build
+  - cargo test -v

Cargo.toml

@@ -19,3 +19,6 @@ serde_derive = "1.0.79"
 serde_yaml = "0.8.5"
 openssl = "0.10.12"
 k8s-openapi = { git = "https://github.com/Arnavion/k8s-openapi-codegen", branch = "master", features = ["v1_10"] }
+
+[dev-dependencies]
+tempfile = "3.0.4"

README.md

@@ -1,6 +1,8 @@
 # kubernetes-rust
 
-[![Client Support Level](https://img.shields.io/badge/kubernetes%20client-alpha-green.svg?style=flat&colorA=306CE8)](http://bit.ly/kubernetes-client-support-badge)
+[![Build Status](https://travis-ci.com/ynqa/kubernetes-rust.svg?branch=master)](https://travis-ci.com/ynqa/kubernetes-rust)
+[![Client Capabilities](https://img.shields.io/badge/Kubernetes%20client-Bronze-blue.svg?style=plastic&colorB=cd7f32&colorA=306CE8)](http://bit.ly/kubernetes-client-capabilities-badge)
+[![Client Support Level](https://img.shields.io/badge/kubernetes%20client-beta-green.svg?style=plastic&colorA=306CE8)](http://bit.ly/kubernetes-client-support-badge)
 
 Rust client for [Kubernetes](http://kubernetes.io) API.
 

examples/incluster_config.rs

@@ -0,0 +1,28 @@
+extern crate failure;
+extern crate k8s_openapi;
+extern crate kubernetes;
+
+use k8s_openapi::v1_10::api::core::v1;
+use kubernetes::client::APIClient;
+use kubernetes::config;
+
+fn main() {
+    let kubeconfig = config::incluster_config().expect("failed to load incluster config");
+    let kubeclient = APIClient::new(kubeconfig);
+    let req = v1::Pod::list_core_v1_namespaced_pod(
+        "kube-system",
+        None,
+        None,
+        None,
+        None,
+        None,
+        None,
+        None,
+        None,
+        None,
+    ).expect("failed to define list pod");
+    let list_pod = kubeclient
+        .request::<v1::PodList>(req)
+        .expect("failed to list up pods");
+    println!("{:?}", list_pod);
+}

src/client/mod.rs

@@ -6,6 +6,7 @@ use serde::de::DeserializeOwned;
 
 use super::config::Configuration;
 
+/// APIClient requires `config::Configuration` includes client to connect with kubernetes cluster.
 pub struct APIClient {
     configuration: Rc<Configuration>,
 }
@@ -16,6 +17,7 @@ impl APIClient {
         APIClient { configuration: rc }
     }
 
+    /// Returns kubernetes resources binded `Arnavion/k8s-openapi-codegen` APIs.
     pub fn request<T>(&self, request: http::Request<Vec<u8>>) -> Result<T, Error>
     where
         T: DeserializeOwned,
@@ -28,7 +30,7 @@ impl APIClient {
             http::Method::DELETE => self.configuration.client.delete(&uri_str),
             http::Method::PUT => self.configuration.client.put(&uri_str),
             other => {
-                return Err(Error::from(format_err!("invalid method: {}", other)));
+                return Err(Error::from(format_err!("Invalid method: {}", other)));
             }
         }.body(body);
 

src/config/apis.rs

@@ -6,6 +6,7 @@ use serde_yaml;
 
 use config::utils;
 
+/// Config stores information to connect remote kubernetes cluster.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Config {
     pub kind: Option<String>,
@@ -21,24 +22,28 @@ pub struct Config {
     pub extensions: Option<Vec<NamedExtension>>,
 }
 
+/// Preferences stores extensions for cli.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Preferences {
     pub colors: Option<bool>,
     pub extensions: Option<Vec<NamedExtension>>,
 }
 
+/// NamedExtention associates name with extension.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct NamedExtension {
     pub name: String,
     pub extension: String,
 }
 
+/// NamedCluster associates name with cluster.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct NamedCluster {
     pub name: String,
     pub cluster: Cluster,
 }
 
+/// Cluster stores information to connect kubernetes cluster.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Cluster {
     pub server: String,
@@ -50,13 +55,15 @@ pub struct Cluster {
     pub certificate_authority_data: Option<String>,
 }
 
+/// NamedAuthInfo associates name with authentication.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct NamedAuthInfo {
     pub name: String,
     #[serde(rename = "user")]
     pub auth_info: AuthInfo,
 }
 
+/// AuthInfo stores information to tell cluster who you are.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AuthInfo {
     pub username: Option<String>,
@@ -82,12 +89,14 @@ pub struct AuthInfo {
     pub impersonate_groups: Option<Vec<String>>,
 }
 
+/// NamedContext associates name with context.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct NamedContext {
     pub name: String,
     pub context: Context,
 }
 
+/// Context stores tuple of cluster and user information.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Context {
     pub cluster: String,
@@ -105,20 +114,20 @@ impl Config {
 }
 
 impl Cluster {
-    pub fn load_certificate_authority(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(
+    pub fn load_certificate_authority(&self) -> Result<Vec<u8>, Error> {
+        utils::data_or_file_with_base64(
             &self.certificate_authority_data,
             &self.certificate_authority,
         )
     }
 }
 
 impl AuthInfo {
-    pub fn load_client_certificate(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(&self.client_certificate_data, &self.client_certificate)
+    pub fn load_client_certificate(&self) -> Result<Vec<u8>, Error> {
+        utils::data_or_file_with_base64(&self.client_certificate_data, &self.client_certificate)
     }
 
-    pub fn load_client_key(&self) -> Result<Option<Vec<u8>>, Error> {
-        utils::data_or_file(&self.client_key_data, &self.client_key)
+    pub fn load_client_key(&self) -> Result<Vec<u8>, Error> {
+        utils::data_or_file_with_base64(&self.client_key_data, &self.client_key)
     }
 }

src/config/incluster_config.rs

@@ -0,0 +1,59 @@
+use std::env;
+
+use failure::Error;
+use openssl::x509::X509;
+
+use config::utils;
+
+pub const SERVICE_HOSTENV: &str = "KUBERNETES_SERVICE_HOST";
+pub const SERVICE_PORTENV: &str = "KUBERNETES_SERVICE_PORT";
+const SERVICE_TOKENFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+const SERVICE_CERTFILE: &str = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
+
+/// Returns kubernetes address from specified environment variables.
+pub fn kube_server() -> Option<String> {
+    let f = |(h, p)| format!("https://{}:{}", h, p);
+    kube_host().and_then(|h| kube_port().map(|p| f((h, p))))
+}
+
+fn kube_host() -> Option<String> {
+    env::var(SERVICE_HOSTENV).ok()
+}
+
+fn kube_port() -> Option<String> {
+    env::var(SERVICE_PORTENV).ok()
+}
+
+/// Returns token from specified path in cluster.
+pub fn load_token() -> Result<String, Error> {
+    utils::data_or_file(&None, &Some(SERVICE_TOKENFILE.to_string()))
+}
+
+/// Returns certification from specified path in cluster.
+pub fn load_cert() -> Result<X509, Error> {
+    let ca = utils::data_or_file_with_base64(&None, &Some(SERVICE_CERTFILE.to_string()))?;
+    X509::from_pem(&ca).map_err(Error::from)
+}
+
+#[test]
+fn test_kube_host() {
+    let expected = "fake.io";
+    env::set_var(SERVICE_HOSTENV, expected);
+    assert_eq!(kube_host().unwrap(), expected);
+}
+
+#[test]
+fn test_kube_port() {
+    let expected = "8080";
+    env::set_var(SERVICE_PORTENV, expected);
+    assert_eq!(kube_port().unwrap(), expected);
+}
+
+#[test]
+fn test_kube_server() {
+    let host = "fake.io";
+    let port = "8080";
+    env::set_var(SERVICE_HOSTENV, host);
+    env::set_var(SERVICE_PORTENV, port);
+    assert_eq!(kube_server().unwrap(), "https://fake.io:8080");
+}

src/config/loader.rs src/config/kube_config.rssrc/config/loader.rs renamed to src/config/kube_config.rs

@@ -7,6 +7,7 @@ use openssl::x509::X509;
 
 use config::apis::{AuthInfo, Cluster, Config, Context};
 
+/// KubeConfigLoader loads current context, cluster, and authentication information.
 #[derive(Debug)]
 pub struct KubeConfigLoader {
     pub current_context: Context,
@@ -43,8 +44,8 @@ impl KubeConfigLoader {
     }
 
     pub fn p12(&self, password: &str) -> Result<Pkcs12, Error> {
-        let client_cert = self.user.load_client_certificate()?.unwrap();
-        let client_key = self.user.load_client_key()?.unwrap();
+        let client_cert = &self.user.load_client_certificate()?;
+        let client_key = &self.user.load_client_key()?;
 
         let x509 = X509::from_pem(&client_cert)?;
         let pkey = PKey::private_key_from_pem(&client_key)?;
@@ -55,7 +56,7 @@ impl KubeConfigLoader {
     }
 
     pub fn ca(&self) -> Result<X509, Error> {
-        let ca = self.cluster.load_certificate_authority()?.unwrap();
+        let ca = &self.cluster.load_certificate_authority()?;
         X509::from_pem(&ca).map_err(Error::from)
     }
 }

src/config/mod.rs

@@ -1,12 +1,15 @@
 mod apis;
-mod loader;
+mod incluster_config;
+mod kube_config;
 mod utils;
 
+use base64;
 use failure::Error;
 use reqwest::{header, Certificate, Client, Identity};
 
-use self::loader::KubeConfigLoader;
+use self::kube_config::KubeConfigLoader;
 
+/// Configuration stores kubernetes path and client for requests.
 pub struct Configuration {
     pub base_path: String,
     pub client: Client,
@@ -21,29 +24,91 @@ impl Configuration {
     }
 }
 
+/// Returns a config includes authentication and cluster infomation from kubeconfig file.
+///
+/// # Example
+/// ```no_run
+/// use kubernetes::config;
+///
+/// let kubeconfig = config::load_kube_config()
+///     .expect("failed to load kubeconfig");
+/// ```
 pub fn load_kube_config() -> Result<Configuration, Error> {
-    let kubeconfig = utils::kube_path()
+    let kubeconfig = utils::kubeconfig_path()
         .or_else(utils::default_kube_path)
-        .ok_or(format_err!("Unable to load config"))?;
+        .ok_or(format_err!("Unable to load kubeconfig"))?;
 
     let loader = KubeConfigLoader::load(kubeconfig)?;
 
-    let password = " ";
-    let p12 = loader.p12(password)?;
-    let req_p12 = Identity::from_pkcs12_der(&p12.to_der()?, password)?;
+    let p12 = loader.p12(" ")?;
+    let req_p12 = Identity::from_pkcs12_der(&p12.to_der()?, " ")?;
 
     let ca = loader.ca()?;
     let req_ca = Certificate::from_der(&ca.to_der()?)?;
 
+    let mut headers = header::HeaderMap::new();
+
+    match (
+        utils::data_or_file(&loader.user.token, &loader.user.token_file),
+        (loader.user.username, loader.user.password),
+    ) {
+        (Ok(token), _) => {
+            headers.insert(
+                header::AUTHORIZATION,
+                header::HeaderValue::from_str(&format!("Bearer {}", token))?,
+            );
+        }
+        (_, (Some(u), Some(p))) => {
+            let encoded = base64::encode(&format!("{}:{}", u, p));
+            headers.insert(
+                header::AUTHORIZATION,
+                header::HeaderValue::from_str(&format!("Basic {}", encoded))?,
+            );
+        }
+        _ => {}
+    }
+
     let client_builder = Client::builder()
         .identity(req_p12)
-        .add_root_certificate(req_ca);
-
-    let mut headers = header::HeaderMap::new();
-    headers.insert(header::AUTHORIZATION, header::HeaderValue::from_static(""));
+        .add_root_certificate(req_ca)
+        .default_headers(headers);
 
     Ok(Configuration::new(
         loader.cluster.server,
         client_builder.build()?,
     ))
 }
+
+/// Returns a config which is used by clients within pods on kubernetes.
+/// It will return an error if called from out of kubernetes cluster.
+///
+/// # Example
+/// ```no_run
+/// use kubernetes::config;
+///
+/// let kubeconfig = config::incluster_config()
+///     .expect("failed to load incluster config");
+/// ```
+pub fn incluster_config() -> Result<Configuration, Error> {
+    let server = incluster_config::kube_server().ok_or(format_err!(
+        "Unable to load incluster config, {} and {} must be defined",
+        incluster_config::SERVICE_HOSTENV,
+        incluster_config::SERVICE_PORTENV
+    ))?;
+
+    let ca = incluster_config::load_cert()?;
+    let req_ca = Certificate::from_der(&ca.to_der()?)?;
+
+    let token = incluster_config::load_token()?;
+    let mut headers = header::HeaderMap::new();
+    headers.insert(
+        header::AUTHORIZATION,
+        header::HeaderValue::from_str(&format!("Bearer {}", token))?,
+    );
+
+    let client_builder = Client::builder()
+        .add_root_certificate(req_ca)
+        .default_headers(headers);
+
+    Ok(Configuration::new(server, client_builder.build()?))
+}