Add support for OpenIDConnect token refresh #49
should I add proper tests, with mocked out oauth dependencies?
dbf658e to 072a3d1
rebased, black-ified, poetry-fied
Yes, sure, will do.
@pshchelo thanks!
rebased, conflicts resolved fixed. again, tested against our local keycloak, token is refreshed and the config file is updated. @hjacobs plz review
Sorry for the delayed response. I will have a look tomorrow.
@@ -173,6 +173,12 @@ def users(self): | |||
us[ur["name"]] = u = copy.deepcopy(ur["user"]) | |||
BytesOrFile.maybe_set(u, "client-certificate", self.kubeconfig_file) | |||
BytesOrFile.maybe_set(u, "client-key", self.kubeconfig_file) | |||
if "auth-provider" in u: | |||
BytesOrFile.maybe_set( | |||
u["auth-provider"]["config"], |
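Review bot: `u["auth-provider"]["config"]` on the last visible line raises KeyError for any kubeconfig user whose auth-provider entry carries a `name` but no `config` mapping, so the `if "auth-provider" in u:` guard on the line above is not sufficient. Suggest guarding the nested key as well, e.g. `cfg = u["auth-provider"].get("config")` followed by `if cfg is not None:` before calling `BytesOrFile.maybe_set`, so that a user entry without provider config is skipped instead of aborting the whole `users` property.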
the config key might not be present (would raise KeyError)
@pshchelo can you provide me some instructions on how to test this locally with a test setup (e.g. Keycloak + kind or Minikube)?
pykube/http.py (Outdated)
else: | ||
verify = None | ||
# TODO add timeouts | ||
response = requests.get( |
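Review bot: the `requests.get(` call on the last line of this hunk passes no `timeout=`, which the `# TODO add timeouts` line directly above already flags; without one, a stalled or unreachable OpenID provider blocks the calling code indefinitely, so pass an explicit `timeout=` (the client's already configured default HTTP timeout is the natural value). Separately, `verify = None` in the `else` branch relies on requests treating `None` as "use the session default", which does keep certificate verification enabled, but `verify = True` states that intent plainly and avoids readers mistaking `None` for verification being switched off.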
please add a timeout like your TODO already suggests 😏
pykube/http.py (Outdated)
verify=verify, | ||
) | ||
|
||
if response.status_code != HTTPStatus.OK: |
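Review bot: the `if response.status_code != HTTPStatus.OK:` check only covers the case where the provider answered; a `requests.ConnectionError` or `requests.Timeout` raised by the call that ends with `verify=verify,` / `)` just above propagates out of the refresh path unhandled. If the intent is to keep using the existing token when a refresh cannot be completed, wrap the request in `try: ... except requests.RequestException:` and treat that branch the same way as a non-200 response (log the failure and fall through); if the intent is to fail loudly, say so in a comment, since a silent exception from an auth refresh is hard to diagnose for callers.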
if you want to catch all errors (e.g. connection problems), you would need to wrap it in try/except --- I assume you want to ignore failures and continue with the old token
I'll try to come up with something, most probably with OpenID connect thru free tier of Google or Okta.
@hjacobs added timeouts (using already configured default http one in the your question on how to test this stuff eventually led to me writing a blog post on that https://pshchelo.github.io/pykube-oidc-refresh.html using dev Okta account for OpenID provider, microk8s snap on Ubuntu for simple Kubernetes cluster, and self-written script to get a refresh token (see the post). If you have any questions, I'll be happy to try and answer :-)
@hjacobs ping ^
Creatively adapted from kubernetes-client/python-base. Adds new setup extra 'oidc' to install required OAuth-related libraries. Tested with local Keycloak installation.