Implement OIDC Auth Provider

[rhysm]

Adds ability for Kubeclient to utilize the oidc auth-provider both by
re-using the id-token that is inside the kubeconfig if it is not expired
and refreshing it if the token has passed expiry.

[cben]

Sorry for delay, reviewing...
This is cool!
k8s docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

[cben]

Excellent 💯, very minor comments

[cben]

Is it always 1 hour? Isn't expiration up to the oidc server?

[rhysm]

Updated for clarity.

[cben]

See next comment about the wording "refresh".

[rhysm]

Updated for clarity.

[cben]

Is this timezone independent? 👍 looks good, Time.now knows its timezone and Time.now.to_i is same either way:

~ $ env TZ= ruby -e 'p Time.now'
2019-02-27 10:47:22 +0000
~ $ ruby -e 'p Time.now'
2019-02-27 12:47:26 +0200
~ $ env TZ= ruby -e 'p Time.now.to_i'
1551264454
~ $ env ruby -e 'p Time.now.to_i'
1551264463

[rhysm]

The openid_connect gem performs the same check except for the 60 second grace so I believe it will be fine.

[cben]

[optional nit, your call] The name auth_provider sounds like this would contain the ['auth-provider'] part of the config, but it contains the ['auth-provider']['config'] sub-part. Maybe config? auth_provider_config (ouch)? provider_config?

[rhysm]

Good point, I've gone with provider_config.

[cben]

What if the config doesn't contain id-token at all? (Is that possible?)
As we can always obtain a new one, let's allow this?

[rhysm]

I'm not sure how you'd get into that state but kubectl supports it so I've implemented it too.

[cben]

The wordings "will refresh" ... "will not automatically refresh" sounds confusing on a quick read.
I propose here saying:

If you use Config.context(...).auth_options and the kubeconfig file has user: {auth-provider: {name: gcp}}, kubeclient will automatically obtain a token (or use id-token if still valid)

to me "obtain" is one-time action, doesn't imply ability to keep refreshing it, nor sounds as action done to the token so less expectation it'll write it back to the config file (the disclaimer below is still good).

The other change is because this section talks abstractly about "the OIDC Auth Provider" but I wanted to say specifically how to invoke this (Client doesn't do this, Config does)

[cben]

(one day if we implement #393, we can reword these sections in terms of "refresh" or "renewal")

[rhysm]

Updated README for more clarity, let me know what you think.

[cben]

perfect!

[cben]

BTW, a security question:
Kubeclient supports opt-out from some "dangerous" config handling — reading local files, and exec:.
(For scenarios where you take config from untrusted source, which I warn against anyway, and I haven't seen anyone doing, but on general principles...)
Do you think this opt-out should also disable OIDC (and GCP #394) auth-providers?

On one hand, making a network request is not risky to your machine(?).
On the other, that's still "acting on data" vs passively reading it. However the goal of Config is to feed it to Client which will act on a lot of it by network requests anyway so that's hardly a criterion...

[cben]

released in gem 4.3.0.