Don't promise that Config#context is what acts on exec:/auth-provider:

Retracts promise made in 0cbf5db Motivation: I want to let Config and Config::Context expose the underlying data, because why not. Ideally for that, Config#context would become a passive function, moving the work to Config::Context#auth_options (?) There are open questions about this, and probably should figure out a plan around auth renewal (ManageIQ#393) first. Anyway, don't want my hands tied.
cben · Mar 1, 2019 · a1a8366 · a1a8366
1 parent c593c9e
commit a1a8366
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -312,7 +312,7 @@ client = Kubeclient::Client.new(
 ```
 
 Note that this returns a token good for one hour. If your code requires authorization for longer than that, you should plan to
-acquire a new one, by calling `.context()` or `GoogleApplicationDefaultCredentials.token` again.
+acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
 
 #### OIDC Auth Provider
 
@@ -329,11 +329,33 @@ If you use `Config.context(...).auth_options` and the `$KUBECONFIG` file has use
 kubeclient will automatically obtain a token (or use `id-token` if still valid)
 
 Tokens are typically short-lived (e.g. 1 hour) and the expiration time is determined by the OIDC Provider (e.g. Google).
-If your code requires authentication for longer than that you should obtain a new token periodically using `.context()`
+If your code requires authentication for longer than that you should obtain a new token periodically, see [How to manually renew](#how-to-manually-renew-expired-credentials) section.
 
 Note: id-tokens retrieved via this provider are not written back to the `$KUBECONFIG` file as they would be when
 using `kubectl`.
 
+#### How to manually renew expired credentials
+
+Kubeclient [does not yet](https://github.com/abonas/kubeclient/issues/393) help with this.
+
+The division of labor between `Config` and `Context` objects may change, for now please make no assumptions at which stage `exec:` and `auth-provider:` are handled and whether they're cached.
+The currently guaranteed way to renew is create a new `Config` object.
+
+The more painful part is that you'll then need to create new `Client` object(s) with the credentials from new config.
+So repeat all of this:
+```ruby
+config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config')
+context = config.context
+ssl_options = context.ssl_options
+auth_options = context.auth_options
+
+client = Kubeclient::Client.new(
+    context.api_endpoint, 'v1',
+    ssl_options: ssl_options, auth_options: auth_options
+)
+# and additional Clients if needed...
+```
+
 #### Security: Don't use config from untrusted sources
 
 `Config.read` is catastrophically unsafe — it will execute arbitrary command lines specified by the config!

diff --git a/test/test_config.rb b/test/test_config.rb
@@ -130,7 +130,8 @@ def test_gcp_default_auth
     config.context(config.contexts.first)
   end
 
-  # Each call to .context() should obtain a new token, calling .auth_options doesn't change anything
+  # Each call to .context() obtains a new token, calling .auth_options doesn't change anything.
+  # NOTE: this is not a guarantee, may change, just testing current behavior.
   def test_gcp_default_auth_renew
     Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once
     parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])