From eeaa02933df83e186ee915092afb07507b48fdf1 Mon Sep 17 00:00:00 2001 From: Carlos Sanchez Date: Tue, 23 Jan 2018 18:24:14 +0100 Subject: [PATCH] Use kubernetes-credentials 0.3.0 Allow using StringCredentialsImpl as tokens Move ServiceAccountCredential to kubernetes-credentials --- pom.xml | 2 +- .../kubernetes/KubectlBuildWrapper.java | 3 ++ .../plugins/kubernetes/KubernetesCloud.java | 30 +++++++------- .../kubernetes/KubernetesFactoryAdapter.java | 6 ++- .../OpenShiftBearerTokenCredentialImpl.java | 7 +--- .../OpenShiftTokenCredentialImpl.java | 33 ++++++++++++--- .../kubernetes/ServiceAccountCredential.java | 40 +++---------------- .../plugins/kubernetes/KubernetesTest.java | 17 ++++++-- .../upgradeFrom_1_1/credentials.xml | 13 +++++- 9 files changed, 85 insertions(+), 66 deletions(-) diff --git a/pom.xml b/pom.xml index 79020a53c1..fe969dc185 100644 --- a/pom.xml +++ b/pom.xml @@ -53,7 +53,7 @@ 2.3 2.1.11 - 0.2.0 + 0.3.0-SNAPSHOT 1.16 2.11 1.6 diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java index 2d4159fee9..2c61caaa8d 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java @@ -28,6 +28,7 @@ import org.apache.commons.codec.binary.Base64; import org.apache.commons.lang.StringUtils; import org.jenkinsci.plugins.kubernetes.credentials.TokenProducer; +import org.jenkinsci.plugins.plaincredentials.StringCredentials; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; @@ -112,6 +113,8 @@ public void setUp(Context context, Run build, FilePath workspace, Launcher String login; if (c == null) { throw new AbortException("No credentials defined to setup Kubernetes CLI"); + } else if (c instanceof StringCredentials) { + login = "--token=" + ((StringCredentials) c).getSecret().getPlainText(); } else if (c instanceof TokenProducer) { login = "--token=" + ((TokenProducer) c).getToken(serverUrl, null, true); } else if (c instanceof UsernamePasswordCredentials) { diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java index edf03528d7..fcc2044fad 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloud.java @@ -25,9 +25,8 @@ import org.apache.commons.codec.binary.Base64; import org.apache.commons.lang.StringUtils; -import org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl; -import org.jenkinsci.plugins.kubernetes.credentials.OpenShiftTokenCredentialImpl; -import org.jenkinsci.plugins.kubernetes.credentials.TokenProducer; +import org.jenkinsci.plugins.plaincredentials.StringCredentials; +import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.QueryParameter; @@ -518,10 +517,12 @@ public String getDisplayName() { public static void addAliases() { Jenkins.XSTREAM2.addCompatibilityAlias( "org.csanchez.jenkins.plugins.kubernetes.OpenShiftBearerTokenCredentialImpl", - OpenShiftBearerTokenCredentialImpl.class); + org.jenkinsci.plugins.kubernetes.credentials.BearerTokenCredentialImpl.class); Jenkins.XSTREAM2.addCompatibilityAlias( "org.csanchez.jenkins.plugins.kubernetes.OpenShiftTokenCredentialImpl", - OpenShiftTokenCredentialImpl.class); + StringCredentialsImpl.class); + Jenkins.XSTREAM2.addCompatibilityAlias("org.csanchez.jenkins.plugins.kubernetes.ServiceAccountCredential", + org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential.class); } public FormValidation doTestConnection(@QueryParameter String name, @QueryParameter String serverUrl, @QueryParameter String credentialsId, @@ -554,19 +555,20 @@ public FormValidation doTestConnection(@QueryParameter String name, @QueryParame } public ListBoxModel doFillCredentialsIdItems(@QueryParameter String serverUrl) { - return new StandardListBoxModel() - .withEmptySelection() - .withMatching( + return new StandardListBoxModel().withEmptySelection() // + .withMatching( // CredentialsMatchers.anyOf( CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class), CredentialsMatchers.instanceOf(TokenProducer.class), - CredentialsMatchers.instanceOf(StandardCertificateCredentials.class) - ), - CredentialsProvider.lookupCredentials(StandardCredentials.class, - Jenkins.getInstance(), - ACL.SYSTEM, + CredentialsMatchers.instanceOf( + org.jenkinsci.plugins.kubernetes.credentials.TokenProducer.class), + CredentialsMatchers.instanceOf(StandardCertificateCredentials.class), + CredentialsMatchers.instanceOf(StringCredentials.class)), // + CredentialsProvider.lookupCredentials(StandardCredentials.class, // + Jenkins.getInstance(), // + ACL.SYSTEM, // serverUrl != null ? URIRequirementBuilder.fromUri(serverUrl).build() - : Collections.EMPTY_LIST + : Collections.EMPTY_LIST // )); } diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java index 5f998c1174..e6370a19a2 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java @@ -35,6 +35,7 @@ import io.fabric8.kubernetes.client.KubernetesClient; import jenkins.model.Jenkins; import org.jenkinsci.plugins.kubernetes.credentials.TokenProducer; +import org.jenkinsci.plugins.plaincredentials.StringCredentials; /** * @author Nicolas De Loof @@ -117,7 +118,10 @@ public KubernetesClient createClient() throws NoSuchAlgorithmException, Unrecove builder.withNamespace("default"); } - if (credentials instanceof TokenProducer) { + if (credentials instanceof StringCredentials) { + final String token = ((StringCredentials) credentials).getSecret().getPlainText(); + builder.withOauthToken(token); + } else if (credentials instanceof TokenProducer) { final String token = ((TokenProducer) credentials).getToken(serviceAddress, caCertData, skipTlsVerify); builder.withOauthToken(token); } else if (credentials instanceof UsernamePasswordCredentials) { diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftBearerTokenCredentialImpl.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftBearerTokenCredentialImpl.java index df947f7fbd..7d98d71113 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftBearerTokenCredentialImpl.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftBearerTokenCredentialImpl.java @@ -1,18 +1,15 @@ package org.csanchez.jenkins.plugins.kubernetes; +import org.jenkinsci.plugins.kubernetes.credentials.BearerTokenCredentialImpl; import org.kohsuke.stapler.DataBoundConstructor; import com.cloudbees.plugins.credentials.CredentialsScope; -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; - /** * @author Nicolas De Loof */ @Deprecated -@SuppressFBWarnings("NM_SAME_SIMPLE_NAME_AS_SUPERCLASS") -public class OpenShiftBearerTokenCredentialImpl - extends org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl { +public class OpenShiftBearerTokenCredentialImpl extends BearerTokenCredentialImpl { private static final long serialVersionUID = -3725963485838773012L; diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftTokenCredentialImpl.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftTokenCredentialImpl.java index e05beb1ca7..9fa5ee62b9 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftTokenCredentialImpl.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/OpenShiftTokenCredentialImpl.java @@ -1,22 +1,45 @@ package org.csanchez.jenkins.plugins.kubernetes; +import org.jenkinsci.plugins.plaincredentials.StringCredentials; import org.kohsuke.stapler.DataBoundConstructor; import com.cloudbees.plugins.credentials.CredentialsScope; +import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials; -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; +import hudson.Extension; import hudson.util.Secret; /** + * @deprecated Use {@link StringCredentials} * @author Andrew Block */ @Deprecated -@SuppressFBWarnings("NM_SAME_SIMPLE_NAME_AS_SUPERCLASS") -public class OpenShiftTokenCredentialImpl - extends org.jenkinsci.plugins.kubernetes.credentials.OpenShiftTokenCredentialImpl { +public class OpenShiftTokenCredentialImpl extends BaseStandardCredentials implements TokenProducer { + + private final Secret secret; @DataBoundConstructor public OpenShiftTokenCredentialImpl(CredentialsScope scope, String id, String description, Secret secret) { - super(scope, id, description, secret); + super(scope, id, description); + this.secret = secret; + } + + @Override + public String getToken(String serviceAddress, String caCertData, boolean skipTlsVerify) { + return secret.getPlainText(); + } + + public Secret getSecret() { + return secret; } + + @Extension + public static class DescriptorImpl extends BaseStandardCredentialsDescriptor { + + @Override + public String getDisplayName() { + return "OpenShift OAuth token"; + } + } + } diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/ServiceAccountCredential.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/ServiceAccountCredential.java index c866c7aea7..167cf1c439 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/ServiceAccountCredential.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/ServiceAccountCredential.java @@ -1,16 +1,10 @@ package org.csanchez.jenkins.plugins.kubernetes; -import com.cloudbees.plugins.credentials.CredentialsScope; -import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials; - -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; -import hudson.Extension; -import org.apache.commons.io.FileUtils; +import org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential; import org.jenkinsci.plugins.kubernetes.credentials.TokenProducer; import org.kohsuke.stapler.DataBoundConstructor; -import java.io.File; -import java.io.IOException; +import com.cloudbees.plugins.credentials.CredentialsScope; /** * Read the OAuth bearer token from service account file provisioned by kubernetes @@ -19,38 +13,14 @@ * * @author Nicolas De Loof */ -public class ServiceAccountCredential extends BaseStandardCredentials implements TokenProducer { +@Deprecated +public class ServiceAccountCredential extends FileSystemServiceAccountCredential implements TokenProducer { - private static final String SERVICEACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"; + private static final long serialVersionUID = 2739355565227800401L; @DataBoundConstructor public ServiceAccountCredential(CredentialsScope scope, String id, String description) { super(scope, id, description); } - @Override - @SuppressFBWarnings("DMI_HARDCODED_ABSOLUTE_FILENAME") - public String getToken(String serviceAddress, String caCertData, boolean skipTlsVerify) { - try { - return FileUtils.readFileToString(new File(SERVICEACCOUNT_TOKEN_PATH)); - } catch (IOException e) { - return null; - } - } - - @Extension(optional = true) - public static class DescriptorImpl extends BaseStandardCredentialsDescriptor { - - @SuppressFBWarnings("DMI_HARDCODED_ABSOLUTE_FILENAME") - public DescriptorImpl() { - if (!new File(SERVICEACCOUNT_TOKEN_PATH).exists()) { - throw new RuntimeException("Jenkins isn't running inside Kubernetes with Admission Controller."); - } - } - - @Override - public String getDisplayName() { - return "Kubernetes Service Account"; - } - } } diff --git a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest.java b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest.java index 3d5d36f738..7e8a859359 100644 --- a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest.java +++ b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest.java @@ -32,16 +32,22 @@ import org.csanchez.jenkins.plugins.kubernetes.model.KeyValueEnvVar; import org.csanchez.jenkins.plugins.kubernetes.volumes.EmptyDirVolume; import org.csanchez.jenkins.plugins.kubernetes.volumes.HostPathVolume; +import org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential; +import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl; import org.junit.Before; import org.junit.Rule; import org.junit.Test; import org.jvnet.hudson.test.JenkinsRule; import org.jvnet.hudson.test.recipes.LocalData; +import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey; import com.cloudbees.plugins.credentials.Credentials; +import com.cloudbees.plugins.credentials.CredentialsScope; import com.cloudbees.plugins.credentials.SystemCredentialsProvider; import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl; +import hudson.util.Secret; + /** * @author Carlos Sanchez * @since 0.9 @@ -64,10 +70,13 @@ public void before() throws Exception { @LocalData() public void upgradeFrom_1_1() throws Exception { List credentials = SystemCredentialsProvider.getInstance().getCredentials(); - assertFalse(credentials.isEmpty()); - UsernamePasswordCredentialsImpl cred = (UsernamePasswordCredentialsImpl) credentials.get(0); - assertEquals("token", cred.getId()); - assertEquals("myusername", cred.getUsername()); + assertEquals(3, credentials.size()); + UsernamePasswordCredentialsImpl cred0 = (UsernamePasswordCredentialsImpl) credentials.get(0); + assertEquals("token", cred0.getId()); + assertEquals("myusername", cred0.getUsername()); + FileSystemServiceAccountCredential cred1 = (FileSystemServiceAccountCredential) credentials.get(1); + StringCredentialsImpl cred2 = (StringCredentialsImpl) credentials.get(2); + assertEquals("mytoken", Secret.toString(cred2.getSecret())); } @Test diff --git a/src/test/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest/upgradeFrom_1_1/credentials.xml b/src/test/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest/upgradeFrom_1_1/credentials.xml index fd320d516c..bc608ab99a 100644 --- a/src/test/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest/upgradeFrom_1_1/credentials.xml +++ b/src/test/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesTest/upgradeFrom_1_1/credentials.xml @@ -6,13 +6,24 @@ - + GLOBAL token myusername TBRF5XYf8ZzxjIllyloGBQ== + + GLOBAL + kubernetes-service-account + + + + GLOBAL + openshift-oauth-token + + mytoken +