Enable "gcp" authentication structure for bearer token in .kube/config #211
Conversation
This adds the ability to parse the bearer token from ~/.kube/config stored by Google Cloud Platform. This token is only good for an hour since it was last renewed with a `kubectl` command. So if a 401 error is returned adds a note to the exception message when the token is expired. Also updates other auth failure tests that were bypassing exception parsing in Kubeclient::ClientMixing#handle_exception.
|
@moolitayer @enoodle can you review? |
| @@ -477,5 +482,16 @@ def http_options(uri) | |||
|
|
|||
| options.merge(@socket_options) | |||
| end | |||
|
|
|||
| def expired_token_message(http_code, message) | |||
There was a problem hiding this comment.
What is the error returned from the server in this case? I would prefer to keep mirroring the returned exception.
There was a problem hiding this comment.
@moolitayer intended to include the original message. That's why it passes in message and carries that through. Maybe I misunderstood your comment.
Another option would be to have a TokenExpiredException (or something) that takes the original exception as an argument and adds the expiration message. I thought this was a simpler approach.
There was a problem hiding this comment.
I would be happier if we can avoid the check. Are you worried here that the user will not understand what is going on?
| @@ -477,5 +482,16 @@ def http_options(uri) | |||
|
|
|||
| options.merge(@socket_options) | |||
| end | |||
|
|
|||
| def expired_token_message(http_code, message) | |||
There was a problem hiding this comment.
Consider changing the name of the method to something like check_token_expiration as it adds to the mesasge.
There was a problem hiding this comment.
Good suggestion. I wasn't happy with the original name. Fixed 22912ce
| @auth_options.key?(:bearer_token_expiry) && | ||
| @auth_options[:bearer_token_expiry] < Time.now | ||
| return message + '. Your token has expired. If you are using `kubectl`, running any '\ | ||
| 'command should renew your token.' |
There was a problem hiding this comment.
Maybe I don't understand this but it does not seem like a flow that a normal Kubeclient user would use.
(use library to talk to api while using command line tool to get authentication token). Can we do the same thing kubectl does to renew the token? what is needed for the kubectl to give back a token (meaning do you have to be pre authenticated against www.googleapis.com/auth/cloud-platform ?)
This seems relevant: https://github.com/kubernetes/kubernetes/blob/3e51ca2e16479763bc832e893e1b9ffa34310b7e/plugin/pkg/client/auth/gcp/gcp.go#L56
There was a problem hiding this comment.
@moolitayer I agree. That was my reason for opening #210 before opening a PR. I'd much prefer that I not have to run kubectl to get the token.
That link and the docs here[1] describe getting the default token (at least with Go). I looked at google-auth-library-ruby but don't see anything for the token, just for default credential. Digging into this issue[2] I wonder if we can just use the default credentials and bypass the config file completely.
Are you Ok adding a dependency on google-auth-library-ruby if that works?
[1] https://developers.google.com/identity/protocols/application-default-credentials
[2] kubernetes/kubernetes#30617 (comment)
There was a problem hiding this comment.
I opened #213 which provides support for using Google's default application credentials. I think this is a better solution as long as you are fine with a dependency on googleauth gem.
| @@ -115,6 +115,11 @@ def fetch_user_auth_options(user) | |||
| options = {} | |||
| if user.key?('token') | |||
| options[:bearer_token] = user['token'] | |||
| elsif user.key?('auth-provider') && | |||
| user['auth-provider'].key?('config') && | |||
| user['auth-provider']['config'].key?('access-token') | |||
There was a problem hiding this comment.
do we need to check if the auth provider is gcp OR is this the same for all auth providers?
|
Closing this as I don't think it's a reasonable solution. See #213 for a better approach to handling GCP authorizations. |
This adds the ability to parse the bearer token from ~/.kube/config
stored by Google Cloud Platform. This token is only good for an hour
since it was last renewed with a
kubectlcommand. So if a 401 erroris returned adds a note to the exception message when the token is
expired.
Also updates other auth failure tests that were bypassing exception
parsing in
Kubeclient::ClientMixing#handle_exception.Addresses #210