Fix K8s cluster token when using serviceAccount

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

Author: pditommaso

modules/nextflow/src/main/groovy/nextflow/k8s/K8sConfig.groovy

@@ -17,6 +17,8 @@
 
 package nextflow.k8s
 
+import javax.annotation.Nullable
+
 import groovy.transform.CompileStatic
 import groovy.transform.Memoized
 import groovy.transform.PackageScope
@@ -208,18 +210,10 @@ class K8sConfig implements Map<String,Object> {
     ClientConfig getClient() {
 
         final result = ( target.client instanceof Map
-                ? clientFromMap(target.client as Map)
-                : clientDiscovery(target.context as String)
+                ? clientFromNextflow(target.client as Map, target.namespace as String, target.serviceAccount as String)
+                : clientDiscovery(target.context as String, target.namespace as String, target.serviceAccount as String)
         )
 
-        if( target.namespace ) {
-            result.namespace = target.namespace as String
-        }
-
-        if( target.serviceAccount ) {
-            result.serviceAccount = target.serviceAccount as String
-        }
-
         if( target.httpConnectTimeout )
             result.httpConnectTimeout = target.httpConnectTimeout as Duration
 
@@ -232,12 +226,39 @@ class K8sConfig implements Map<String,Object> {
         return result
     }
 
-    @PackageScope ClientConfig clientFromMap( Map map ) {
-        ClientConfig.fromMap(map)
+    /**
+     * Get the K8s client config from the declaration made in the Nextflow config file
+     *
+     * @param map
+     *      A map representing the clint configuration options define in the nextflow
+     *      config file
+     * @param namespace
+     *      The K8s namespace to be used. If omitted {@code default} is used.
+     * @param serviceAccount
+     *      The K8s service account to be used. If omitted {@code default} is used.
+     * @return
+     *      The Kubernetes {@link ClientConfig} object
+     */
+    @PackageScope ClientConfig clientFromNextflow(Map map, @Nullable String namespace, @Nullable String serviceAccount ) {
+        ClientConfig.fromNextflowConfig(map,namespace,serviceAccount)
     }
 
-    @PackageScope ClientConfig clientDiscovery( String ctx ) {
-        ClientConfig.discover(ctx)
+    /**
+     * Discover the K8s client config from the execution environment
+     * that can be either a `.kube/config` file or service meta file
+     * when running in a pod.
+     *
+     * @param contextName
+     *      The name of the configuration context to be used
+     * @param namespace
+     *      The Kubernetes namespace to be used
+     * @param serviceAccount
+     *      The Kubernetes serviceAccount to be used
+     * @return
+     *      The discovered Kube {@link ClientConfig} object
+     */
+    @PackageScope ClientConfig clientDiscovery(String contextName, String namespace, String serviceAccount) {
+        ClientConfig.discover(contextName, namespace, serviceAccount)
     }
 
     void checkStorageAndPaths(K8sClient client) {

modules/nextflow/src/main/groovy/nextflow/k8s/client/ClientConfig.groovy

@@ -82,7 +82,7 @@ class ClientConfig {
     }
 
     String toString() {
-        "${this.class.getSimpleName()}[ server=$server, namespace=$namespace, token=${cut(token)}, sslCert=${cut(sslCert)}, clientCert=${cut(clientCert)}, clientKey=${cut(clientKey)}, verifySsl=$verifySsl, fromFile=$isFromCluster, httpReadTimeout=$httpReadTimeout, httpConnectTimeout=$httpConnectTimeout, maxErrorRetry=$maxErrorRetry ]"
+        "${this.class.getSimpleName()}[ server=$server, namespace=$namespace, serviceAccount=$serviceAccount, token=${cut(token)}, sslCert=${cut(sslCert)}, clientCert=${cut(clientCert)}, clientKey=${cut(clientKey)}, verifySsl=$verifySsl, fromFile=$isFromCluster, httpReadTimeout=$httpReadTimeout, httpConnectTimeout=$httpConnectTimeout, maxErrorRetry=$maxErrorRetry ]"
     }
 
     private String cut(String str) {
@@ -95,43 +95,45 @@ class ClientConfig {
         cut(bytes.encodeBase64().toString())
     }
 
-    static ClientConfig discover(String context=null) {
-        new ConfigDiscovery(context: context).discover()
+    static ClientConfig discover(String context, String namespace, String serviceAccount) {
+        new ConfigDiscovery().discover(context, namespace, serviceAccount)
     }
 
-    static ClientConfig fromMap(Map map) {
-        def result = new ClientConfig()
-        if( map.server )
-            result.server = map.server
+    static ClientConfig fromNextflowConfig(Map opts, String namespace, String serviceAccount) {
+        final result = new ClientConfig()
+
+        if( opts.server )
+            result.server = opts.server
+
+        if( opts.token )
+            result.token = opts.token
+        else if( opts.tokenFile )
+            result.token = Paths.get(opts.tokenFile.toString()).getText('UTF-8')
 
-        if( map.token )
-            result.token = map.token
-        else if( map.tokenFile )
-            result.token = Paths.get(map.tokenFile.toString()).getText('UTF-8')
+        result.namespace = namespace ?: opts.namespace ?: 'default'
 
-        if( map.namespace )
-            result.namespace = map.namespace
+        result.serviceAccount = serviceAccount ?: 'default'
 
-        if( map.verifySsl )
-            result.verifySsl = map.verifySsl as boolean
+        if( opts.verifySsl )
+            result.verifySsl = opts.verifySsl as boolean
 
-        if( map.sslCert )
-            result.sslCert = map.sslCert.toString().decodeBase64()
-        else if( map.sslCertFile )
-            result.sslCert = Paths.get(map.sslCertFile.toString()).bytes
+        if( opts.sslCert )
+            result.sslCert = opts.sslCert.toString().decodeBase64()
+        else if( opts.sslCertFile )
+            result.sslCert = Paths.get(opts.sslCertFile.toString()).bytes
 
-        if( map.clientCert )
-            result.clientCert = map.clientCert.toString().decodeBase64()
-        else if( map.clientCertFile )
-            result.clientCert = Paths.get(map.clientCertFile.toString()).bytes
+        if( opts.clientCert )
+            result.clientCert = opts.clientCert.toString().decodeBase64()
+        else if( opts.clientCertFile )
+            result.clientCert = Paths.get(opts.clientCertFile.toString()).bytes
 
-        if( map.clientKey )
-            result.clientKey = map.clientKey.toString().decodeBase64()
-        else if( map.clientKeyFile )
-            result.clientKey = Paths.get(map.clientKeyFile.toString()).bytes
+        if( opts.clientKey )
+            result.clientKey = opts.clientKey.toString().decodeBase64()
+        else if( opts.clientKeyFile )
+            result.clientKey = Paths.get(opts.clientKeyFile.toString()).bytes
 
-        if( map.maxErrorRetry )
-            result.maxErrorRetry = map.maxErrorRetry as Integer
+        if( opts.maxErrorRetry )
+            result.maxErrorRetry = opts.maxErrorRetry as Integer
 
         return result
     }

modules/nextflow/src/main/groovy/nextflow/k8s/client/ConfigDiscovery.groovy

@@ -36,32 +36,37 @@ class ConfigDiscovery {
 
     private Map<String,String> env = System.getenv()
 
-    private ClientConfig config
-
-    private String context
+    ConfigDiscovery() { }
 
     /**
-     * Discover Kubernetes service from current environment settings
+     * Discover Kubernetes client configuration from current environment using
+     * either the .kube/config file or the pod service service account virtual
+     * file system when running in a pod.
+     *
+     * @param contextName The K8s config context name.
+     * @param namespace The K8s cluster namespace
+     * @param serviceAccount The K8s cluster service account
+     * @return The e
      */
-    ClientConfig discover() {
-
-        config = new ClientConfig()
+    ClientConfig discover(String contextName, String namespace, String serviceAccount) {
 
         // Note: System.getProperty('user.home') may not report the correct home path when
         // running in a container. Use env HOME instead.
         def home = System.getenv('HOME')
         def kubeConfig = env.get('KUBECONFIG') ? env.get('KUBECONFIG') : "$home/.kube/config"
         def configFile = Paths.get(kubeConfig)
 
+        // determine the Kubernetes client configuration via the `.kube/config` file
         if( configFile.exists() ) {
-            return fromConfig(configFile)
+            return fromKubeConfig(configFile, contextName, namespace, serviceAccount)
         }
         else {
             log.debug "K8s config file does not exist: $configFile"
         }
 
+        // determine the Kubernetes client configuration via the pod environment
         if( env.get('KUBERNETES_SERVICE_HOST') ) {
-            return fromCluster(env)
+            return fromCluster(env, namespace, serviceAccount)
         }
         else {
             log.debug "K8s env variable KUBERNETES_SERVICE_HOST is not defined"
@@ -70,7 +75,7 @@ class ConfigDiscovery {
         throw new IllegalStateException("Unable to lookup Kubernetes cluster configuration")
     }
 
-    protected ClientConfig fromCluster(Map<String,String> env) {
+    protected ClientConfig fromCluster(Map<String,String> env, String cfgNamespace, String serviceAccount) {
 
         // See https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
 
@@ -82,17 +87,21 @@ class ConfigDiscovery {
         final token = path('/var/run/secrets/kubernetes.io/serviceaccount/token').text
         final namespace = path('/var/run/secrets/kubernetes.io/serviceaccount/namespace').text
 
-        new ClientConfig( server: server, token: token, namespace: namespace, sslCert: cert, isFromCluster: true )
+        if( namespace && namespace != cfgNamespace )
+            log.warn ("K8s namespace provided in the nextflow configuration does not match with pod namespace")
+
+        new ClientConfig( server: server, token: token, namespace: namespace, serviceAccount: serviceAccount, sslCert: cert, isFromCluster: true )
     }
 
     protected Path path(String path) {
        Paths.get(path)
     }
 
-    protected ClientConfig fromConfig(Path path) {
+    protected ClientConfig fromKubeConfig(Path path, String contextName, String namespace, String serviceAccount) {
         def yaml = (Map)new Yaml().load(Files.newInputStream(path))
 
-        final contextName = context ?: yaml."current-context" as String
+        contextName ?= yaml."current-context" as String
+
         final allContext = yaml.contexts as List
         final allClusters = yaml.clusters as List
         final allUsers = yaml.users as List
@@ -104,17 +113,18 @@ class ConfigDiscovery {
         final user = allUsers.find{ Map it -> it.name == userName } ?.user ?: [:]
         final cluster = allClusters.find{ Map it -> it.name == clusterName } ?.cluster ?: [:]
 
-        def config = ClientConfig.fromUserAndCluster(user, cluster, path)
+        final config = ClientConfig.fromUserAndCluster(user, cluster, path)
 
-        if( context?.namespace ) {
-            config.namespace = context?.namespace
-        }
+        // the namespace provided should have priority over the context current namespace
+        config.namespace = namespace ?: context?.namespace ?: 'default'
+
+        config.serviceAccount = serviceAccount ?: 'default'
 
         if( config.clientCert && config.clientKey ) {
             config.keyManagers = createKeyManagers(config.clientCert, config.clientKey)
         }
         else if( !config.token ) {
-            config.token = discoverAuthToken()
+            config.token = discoverAuthToken(config.namespace, serviceAccount)
         }
 
         return config
@@ -151,20 +161,27 @@ class ConfigDiscovery {
         return kmf.getKeyManagers();
     }
 
-    protected String discoverAuthToken() {
-        def cmd = /echo $(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')/
-        def proc = new ProcessBuilder('bash','-o','pipefail','-c', cmd).redirectErrorStream(true).start()
-        def status = proc.waitFor()
+    String discoverAuthToken(String namespace, String serviceAccount) {
+        namespace ?= 'default'
+        serviceAccount ?= 'default'
+
+        final cmd = "kubectl -n ${namespace} get secret `kubectl -n ${namespace} get serviceaccount ${serviceAccount} -o jsonpath='{.secrets[0].name}'` -o jsonpath='{.data.token}'"
+        final proc = new ProcessBuilder('bash','-o','pipefail','-c', cmd).redirectErrorStream(true).start()
+        final status = proc.waitFor()
         if( status==0 ) {
-            return proc.text.trim()
+            try {
+                return new String(proc.text.trim().decodeBase64())
+            }
+            catch( Exception e ) {
+                log.warn "Unable to read K8s cluster auth token -- cause: ${e.message}"
+            }
         }
         else {
             final msg = proc.text
             final cause = msg ? "-- cause:\n${msg.indent('  ')}" : ''
             log.debug "[K8s] unable to fetch auth token ${cause}"
-            return null
         }
+        return null
     }
 
-
 }

modules/nextflow/src/test/groovy/nextflow/k8s/K8sConfigTest.groovy

@@ -24,6 +24,8 @@ import nextflow.k8s.model.PodSecurityContext
 import nextflow.k8s.model.PodVolumeClaim
 import nextflow.util.Duration
 import spock.lang.Specification
+import spock.lang.Unroll
+
 /**
  *
  * @author Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@@ -180,19 +182,26 @@ class K8sConfigTest extends Specification {
 
     }
 
+    @Unroll
     def 'should create client config with discovery' () {
 
         given:
-        def CONTEXT = 'pizza'
-        def CONFIG = [context: CONTEXT]
+        def CONFIG = [context: CONTEXT, namespace: NAMESPACE, serviceAccount: SERVICE_ACCOUNT]
         K8sConfig config = Spy(K8sConfig, constructorArgs: [ CONFIG ])
 
         when:
         def client = config.getClient()
         then:
-        1 * config.clientDiscovery(CONTEXT) >> new ClientConfig(namespace: 'foo', server: 'bar')
-        client.server == 'bar'
-        client.namespace == 'foo'
+        1 * config.clientDiscovery(CONTEXT, NAMESPACE, SERVICE_ACCOUNT) >> new ClientConfig(namespace: NAMESPACE, server: SERVER)
+        and:
+        client.server == SERVER
+        client.namespace == NAMESPACE ?: 'default'
+        client.serviceAccount == SERVICE_ACCOUNT ?: 'default'
+
+        where:
+        CONTEXT     | SERVER    | NAMESPACE | SERVICE_ACCOUNT
+        'foo'       | 'host.com'| null      | null
+        'bar'       | 'this.com'| 'ns1'     | 'sa2'
 
     }
 

modules/nextflow/src/test/groovy/nextflow/k8s/client/ClientConfigTest.groovy

@@ -56,12 +56,25 @@ class ClientConfigTest extends Specification {
                 clientKey: 'world'.bytes.encodeBase64().toString() ]
 
         when:
-        def result = ClientConfig.fromMap(MAP)
+        def result = ClientConfig.fromNextflowConfig(MAP, null, null)
 
         then:
         result.server == 'foo.com'
         result.token == 'blah-blah'
         result.namespace == 'my-namespace'
+        result.serviceAccount == 'default'
+        result.verifySsl
+        result.clientCert == 'hello'.bytes
+        result.clientKey == 'world'.bytes
+        result.sslCert == 'fizzbuzz'.bytes
+
+        when:
+        result = ClientConfig.fromNextflowConfig(MAP, 'ns1', 'sa2')
+        then:
+        result.server == 'foo.com'
+        result.token == 'blah-blah'
+        result.namespace == 'ns1'
+        result.serviceAccount == 'sa2'
         result.verifySsl
         result.clientCert == 'hello'.bytes
         result.clientKey == 'world'.bytes
@@ -89,12 +102,13 @@ class ClientConfigTest extends Specification {
                 clientKeyFile: file3 ]
 
         when:
-        def result = ClientConfig.fromMap(MAP)
+        def result = ClientConfig.fromNextflowConfig(MAP, null, null)
 
         then:
         result.server == 'foo.com'
         result.token == 'blah-blah'
         result.namespace == 'my-namespace'
+        result.serviceAccount == 'default'
         !result.verifySsl
         result.sslCert == file1.text.bytes
         result.clientCert == file2.text.bytes