From a1a836650abc2ac17eadbd93a207e770c617880c Mon Sep 17 00:00:00 2001 From: Beni Cherniavsky-Paskin Date: Fri, 1 Mar 2019 01:57:21 +0200 Subject: [PATCH] Don't promise that Config#context is what acts on exec:/auth-provider: Retracts promise made in 0cbf5db635ef084ac9b060cd3b7c1cb7ad03a322 Motivation: I want to let Config and Config::Context expose the underlying data, because why not. Ideally for that, Config#context would become a passive function, moving the work to Config::Context#auth_options (?) There are open questions about this, and probably should figure out a plan around auth renewal (#393) first. Anyway, don't want my hands tied. --- README.md | 26 ++++++++++++++++++++++++-- test/test_config.rb | 3 ++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 88aaabd3..3d9633f0 100644 --- a/README.md +++ b/README.md @@ -312,7 +312,7 @@ client = Kubeclient::Client.new( ``` Note that this returns a token good for one hour. If your code requires authorization for longer than that, you should plan to -acquire a new one, by calling `.context()` or `GoogleApplicationDefaultCredentials.token` again. +acquire a new one, see [How to manually renew](#how-to-manually-renew-expired-credentials) section. #### OIDC Auth Provider @@ -329,11 +329,33 @@ If you use `Config.context(...).auth_options` and the `$KUBECONFIG` file has use kubeclient will automatically obtain a token (or use `id-token` if still valid) Tokens are typically short-lived (e.g. 1 hour) and the expiration time is determined by the OIDC Provider (e.g. Google). -If your code requires authentication for longer than that you should obtain a new token periodically using `.context()` +If your code requires authentication for longer than that you should obtain a new token periodically, see [How to manually renew](#how-to-manually-renew-expired-credentials) section. Note: id-tokens retrieved via this provider are not written back to the `$KUBECONFIG` file as they would be when using `kubectl`. +#### How to manually renew expired credentials + +Kubeclient [does not yet](https://github.com/abonas/kubeclient/issues/393) help with this. + +The division of labor between `Config` and `Context` objects may change, for now please make no assumptions at which stage `exec:` and `auth-provider:` are handled and whether they're cached. +The currently guaranteed way to renew is create a new `Config` object. + +The more painful part is that you'll then need to create new `Client` object(s) with the credentials from new config. +So repeat all of this: +```ruby +config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config') +context = config.context +ssl_options = context.ssl_options +auth_options = context.auth_options + +client = Kubeclient::Client.new( + context.api_endpoint, 'v1', + ssl_options: ssl_options, auth_options: auth_options +) +# and additional Clients if needed... +``` + #### Security: Don't use config from untrusted sources `Config.read` is catastrophically unsafe — it will execute arbitrary command lines specified by the config! diff --git a/test/test_config.rb b/test/test_config.rb index df2dcba4..b769e3f3 100644 --- a/test/test_config.rb +++ b/test/test_config.rb @@ -130,7 +130,8 @@ def test_gcp_default_auth config.context(config.contexts.first) end - # Each call to .context() should obtain a new token, calling .auth_options doesn't change anything + # Each call to .context() obtains a new token, calling .auth_options doesn't change anything. + # NOTE: this is not a guarantee, may change, just testing current behavior. def test_gcp_default_auth_renew Kubeclient::GoogleApplicationDefaultCredentials.expects(:token).returns('token1').once parsed = YAML.safe_load(File.read(config_file('gcpauth.kubeconfig')), [Date, Time])