This adds support for credential-plugin authentication.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins

This is used by the Kubernetes AWS IAM authenticator.

https://github.com/kubernetes-sigs/aws-iam-authenticator

I took the data types from here:

https://github.com/kubernetes/client-go/blob/03bfb9bdcfe5482795b999f39ca3ed9ad42ce5bb/pkg/apis/clientauthentication/v1beta1/types.go

There is a timestamp that should probably be converted to a time object. I haven't looked into how the Go client handles refreshing the credentials.

Hey there.

Package names (Cargo.toml) should never contain "-rust" or "_rust". They are totally redundant and pretty annoying for users.

Trying to fix #97.

Tried propagating BoxStream and the corresponding Send requirement on K it forced (this is reasonable because a kube object is always just raw data, no refcounts or other magic - but we might have to propagate it to k8s-openapi).

I think it got almost all the way there, but now it complains at informer in poll(). It wants K to implement Sync as well, and that certainly is unreasonable. But it seems to come from Send being required on &K not being satisfied, looks like in a closure?

error[E0277]: `K` cannot be shared between threads safely
   --> src/api/informer.rs:204:20
    |
204 |                 }).boxed())
    |                    ^^^^^ `K` cannot be shared between threads safely
    |
    = help: the trait `std::marker::Sync` is not implemented for `K`
    = help: consider adding a `where K: std::marker::Sync` bound
    = note: required because of the requirements on the impl of `std::marker::Send` for `&K`
    = note: required because it appears within the type `for<'r, 's, 't0, 't1, 't2, 't3, 't4, 't5, 't6, 't7> {std::result::Result<api::resource::WatchEvent<K>, Error>, K, K, K, &'r K, K, api::metadata::ObjectMeta, &'s api::metadata::ObjectMeta, &'t0 std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::string::String, &'t1 std::string::String, std::string::String, std::string::String, &'t2 futures_util::lock::mutex::Mutex<std::string::String>, std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>, futures_util::lock::mutex::MutexLockFuture<'t3, std::string::String>, futures_util::lock::mutex::MutexLockFuture<'t4, std::string::String>, (), ErrorResponse, bool, bool, bool, &'t5 futures_util::lock::mutex::Mutex<bool>, std::sync::Arc<futures_util::lock::mutex::Mutex<bool>>, futures_util::lock::mutex::MutexLockFuture<'t6, bool>, futures_util::lock::mutex::MutexLockFuture<'t7, bool>, ()}`
    = note: required because it appears within the type `[static generator@src/api/informer.rs:179:32: 203:22 event:std::result::Result<api::resource::WatchEvent<K>, Error>, version:std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>, needs_resync:std::sync::Arc<futures_util::lock::mutex::Mutex<bool>> for<'r, 's, 't0, 't1, 't2, 't3, 't4, 't5, 't6, 't7> {std::result::Result<api::resource::WatchEvent<K>, Error>, K, K, K, &'r K, K, api::metadata::ObjectMeta, &'s api::metadata::ObjectMeta, &'t0 std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::string::String, &'t1 std::string::String, std::string::String, std::string::String, &'t2 futures_util::lock::mutex::Mutex<std::string::String>, std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>, futures_util::lock::mutex::MutexLockFuture<'t3, std::string::String>, futures_util::lock::mutex::MutexLockFuture<'t4, std::string::String>, (), ErrorResponse, bool, bool, bool, &'t5 futures_util::lock::mutex::Mutex<bool>, std::sync::Arc<futures_util::lock::mutex::Mutex<bool>>, futures_util::lock::mutex::MutexLockFuture<'t6, bool>, futures_util::lock::mutex::MutexLockFuture<'t7, bool>, ()}]`
    = note: required because it appears within the type `std::future::GenFuture<[static generator@src/api/informer.rs:179:32: 203:22 event:std::result::Result<api::resource::WatchEvent<K>, Error>, version:std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>, needs_resync:std::sync::Arc<futures_util::lock::mutex::Mutex<bool>> for<'r, 's, 't0, 't1, 't2, 't3, 't4, 't5, 't6, 't7> {std::result::Result<api::resource::WatchEvent<K>, Error>, K, K, K, &'r K, K, api::metadata::ObjectMeta, &'s api::metadata::ObjectMeta, &'t0 std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::option::Option<std::string::String>, std::string::String, &'t1 std::string::String, std::string::String, std::string::String, &'t2 futures_util::lock::mutex::Mutex<std::string::String>, std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>, futures_util::lock::mutex::MutexLockFuture<'t3, std::string::String>, futures_util::lock::mutex::MutexLockFuture<'t4, std::string::String>, (), ErrorResponse, bool, bool, bool, &'t5 futures_util::lock::mutex::Mutex<bool>, std::sync::Arc<futures_util::lock::mutex::Mutex<bool>>, futures_util::lock::mutex::MutexLockFuture<'t6, bool>, futures_util::lock::mutex::MutexLockFuture<'t7, bool>, ()}]>`
    = note: required because it appears within the type `impl core::future::future::Future`
    = note: required because it appears within the type `std::option::Option<impl core::future::future::Future>`
    = note: required because it appears within the type `futures_util::stream::stream::then::Then<std::pin::Pin<std::boxed::Box<dyn futures_core::stream::Stream<Item = std::result::Result<api::resource::WatchEvent<K>, Error>> + std::marker::Send>>, impl core::future::future::Future, [closure@src/api/informer.rs:175:32: 204:18 needs_resync:std::sync::Arc<futures_util::lock::mutex::Mutex<bool>>, version:std::sync::Arc<futures_util::lock::mutex::Mutex<std::string::String>>]>`

error: aborting due to previous error

Watch API returns non-json as json:

GET /api/v1/namespaces/test/pods?watch=1&resourceVersion=10245
---
200 OK
Transfer-Encoding: chunked
Content-Type: application/json
{
  "type": "ADDED",
  "object": {"kind": "Pod", "apiVersion": "v1", "metadata": {"resourceVersion": "10596", ...}, ...}
}
{
  "type": "MODIFIED",
  "object": {"kind": "Pod", "apiVersion": "v1", "metadata": {"resourceVersion": "11020", ...}, ...}
}

Maybe it's possible to parse each chunk as json? Maybe this needs a custom deserializer? Just making a note of this. Not sure how to parse this yet.

Make load_kube_config less strict by allowing auth with only client key data and a token (like ones generated from a service account).

If client certs are missing, we also allow people to set insecure-skip-verify.

Allow the desired context name, cluster name, and user name to be specified when loading the Kubernetes configuration.

Do you prefer an option struct or separate arguments?

option struct

#[derive(Default)]
pub struct ConfigOptions {
    pub context: Option<String>,
    pub cluster: Option<String>,
    pub user: Option<String>,
}

pub fn load_kube_config_with(options: ConfigOptions)

usage:

let config_opts = config::ConfigOptions {
    context: "mycontext",
    ..Default::default()
};

let kubeconfig = config::load_kube_config_with(config_opts)?;

arguments

pub fn load_kube_config_with(
    context: Option<String>,
    cluster: Option<String>,
    user: Option<String>,
)

usage:

let kubeconfig = config::load_kube_config_with(Some("mycontext"), None, None)?;

Overview

• [x] Add interface for Inclusterconfig from #1.
• [x] Add optional authorization header from #2.

Others.

• [x] Add tests.
• [x] Add travis ci config.
• [x] Add docstring

This brings the crate up to date with changes in the ecosystem.

The changes here backwards-incompatible, but allow it to be easily used with recent tokio (std::future based) and k8s-openapi-codegen versions (previously broken by a switch to [email protected]).

The file system I/O is still done with blocking APIs, as the code looks tricky to migrate. The consumer can schedule that part with spawn_blocking if needed.

Tests and the list_pod example work. I haven't tested the incluster_config example.

Running the example code:

#[test]
fn test_general() {
    let kubeconfig = config::load_kube_config().expect("failed to load kubeconfig");
    let kubeclient = APIClient::new(kubeconfig);
    let (req, _) = api::Pod::list_namespaced_pod("kube-system", Default::default())
        .expect("failed to create a request");
    let list_pod = kubeclient
        .request::<api::PodList>(req)
        .expect("failed to list up pods");
    println!("{:?}", list_pod);
}

---- test::test_general stdout ----
thread 'test::test_general' panicked at 'failed to list up pods: Error(Hyper(Error(Connect, Custom { kind: Other, error: Error { code: -67843, message: "The certificate was not trusted." } })), "https://<uuid>.k8s.ondigitalocean.com/api/v1/namespaces/kube-system/pods?")', src/main.rs:76:24


failures:
    test::test_general

test result: FAILED. 0 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out

Currently there doesn't appear to be a websocket implementation for connect_core_v1_get_namespaced_pod_exec. It would be great to have one. The python k8s client has an implementation here. The ws crate could be used for the implementation. Thanks!

The API for CRDs is generated by kube as soon as the CRD is posted. Thus these structs are not normally available in the openapi bindings or something else (the crd might not even have a schema in older versions of kube). This is usually not a problem, because if you're using rust, you might have a more precise struct for this anyway, but it would be nice to have an API wrapper for this call somehow maybe?

The go toolchain does some awkward codegeneration that they force people to do more-or-less manually, but that shouldn't be necessary when you have serde and rust on your side. Still, not sure what's the best way to tackle this.

Currently, am just calling the api the easy way: https://github.com/Babylonpartners/shipcat/blob/8e1fd9c1e0bfef1a9f642f9d7d64b1b938f00ae2/raftcat/src/kube.rs#L13-L19 (and thus avoiding the openapi bindings entirely because that's all i need atm) but wondered if you/someone had thoughts on this.

One thing I noticed is that data returned from the kube api is assumed to be parseable into the struct you give it: https://github.com/ynqa/kubernetes-rust/blob/9c5f29f1f70d31042371db8ed6782486a41c8e3b/src/client/mod.rs#L37

however, we have no real information on what went wrong if kube returns an error struct. We simply get a json parsing failed (usually "unexpected EOF" via serde) because the string is attempted to be coerced into a different struct to the one that contains the error.

This happens if you query for information about your own custom resources and you've failed to add the necessary rbac rules for it, but i'm sure there are many other cases.

There's currently got a fork to help me deal with this issue in my account (and to get some debug back when it's failed for now). I might be looking to submit a pr back if I stumble across a good solution to it. In the mean time, just thought this ought to be raised.

At any rate, thanks for this crate! It's allowed me to write a kube app with rust with only minor tweaks!