Merge pull request #51 from akshaymankar/kube-config-loader

Kube config loader

Author: k8s-ci-robot

.travis.yml

@@ -96,11 +96,11 @@ matrix:
   #  compiler: ": #stack 8.0.2"
   #  addons: {apt: {packages: [libgmp-dev]}}
 
-  - env: BUILD=stack ARGS="--resolver lts-11"
+  - env: BUILD=stack ARGS="--resolver lts-11 --stack-yaml stack-8.2.2.yaml"
     compiler: ": #stack 8.2.2"
     addons: {apt: {packages: [libgmp-dev]}}
 
-  - env: BUILD=stack ARGS="--resolver lts-12"
+  - env: BUILD=stack ARGS="--resolver lts-12 --stack-yaml stack-8.4.4.yaml"
     compiler: ": #stack 8.4.4"
     addons: {apt: {packages: [libgmp-dev]}}
 
@@ -139,11 +139,11 @@ matrix:
   #  compiler: ": #stack 8.0.2 osx"
   #  os: osx
 
-  - env: BUILD=stack ARGS="--resolver lts-11"
+  - env: BUILD=stack ARGS="--resolver lts-11 --stack-yaml stack-8.2.2.yaml"
     compiler: ": #stack 8.2.2 osx"
     os: osx
 
-  - env: BUILD=stack ARGS="--resolver lts-12"
+  - env: BUILD=stack ARGS="--resolver lts-12 --stack-yaml stack-8.4.4.yaml"
     compiler: ": #stack 8.4.4 osx"
     os: osx
 
@@ -223,7 +223,7 @@ script:
   set -ex
   case "$BUILD" in
     stack)
-      travis_wait 30 stack --no-terminal $ARGS test --bench --no-run-benchmarks --haddock --no-haddock-deps
+      stack --no-terminal $ARGS test --bench --no-run-benchmarks --haddock --no-haddock-deps
       ;;
     cabal)
       cabal install --enable-tests --enable-benchmarks --force-reinstalls --ghc-options=-O0 --reorder-goals --max-backjumps=-1 $CABALARGS $PACKAGES

kubernetes-client/README.md

@@ -2,6 +2,52 @@
 
 ## Example
 
+### Load KubeConfig file
+
+```haskell
+import Control.Concurrent.STM (atomically, newTVar)
+import Kubernetes.Client      (KubeConfigSource (..), mkKubeClientConfig)
+import Kubernetes.OpenAPI     (Accept (..), MimeJSON (..), dispatchMime)
+
+import qualified Data.Map                      as Map
+import qualified Kubernetes.OpenAPI.API.CoreV1 as CoreV1
+
+main :: IO ()
+main = do
+    oidcCache <- atomically $ newTVar $ Map.fromList []
+    (mgr, kcfg) <- mkKubeClientConfig oidcCache $ KubeConfigFile "/path/to/kubeconfig"
+    dispatchMime
+            mgr
+            kcfg
+            (CoreV1.listPodForAllNamespaces (Accept MimeJSON))
+        >>= print
+```
+
+### Load InCluster Config
+
+```haskell
+import Control.Concurrent.STM (atomically, newTVar)
+import Data.Function          ((&))
+import Kubernetes.Client      (KubeConfigSource (..), mkKubeClientConfig)
+import Kubernetes.OpenAPI     (Accept (..), MimeJSON (..), dispatchMime)
+import Network.TLS            (credentialLoadX509)
+
+import qualified Data.Map                      as Map
+import qualified Kubernetes.OpenAPI.API.CoreV1 as CoreV1
+
+main :: IO ()
+main = do
+    oidcCache <- atomically $ newTVar $ Map.fromList []
+    (mgr, kcfg) <- mkKubeClientConfig oidcCache KubeConfigCluster
+    dispatchMime
+            mgr
+            kcfg
+            (CoreV1.listPodForAllNamespaces (Accept MimeJSON))
+        >>= print
+```
+
+### Load config from URL and paths
+
 ```haskell
 {-# LANGUAGE OverloadedStrings #-}
 

kubernetes-client/example/App.hs

@@ -2,18 +2,20 @@
 
 module Main where
 
-import           Data.Function                 ((&))
-import           Kubernetes.Client             (defaultTLSClientParams,
-                                                disableServerCertValidation,
-                                                disableServerNameValidation,
-                                                disableValidateAuthMethods,
-                                                loadPEMCerts, newManager,
-                                                setCAStore, setClientCert,
-                                                setMasterURI, setTokenAuth)
-import           Kubernetes.OpenAPI            (Accept (..), MimeJSON (..),
-                                                dispatchMime, newConfig)
+import Control.Concurrent.STM (atomically, newTVar)
+import Data.Function          ((&))
+import Kubernetes.Client      (KubeConfigSource (..), defaultTLSClientParams,
+                               disableServerCertValidation,
+                               disableServerNameValidation,
+                               disableValidateAuthMethods, mkKubeClientConfig,
+                               loadPEMCerts, newManager, setCAStore,
+                               setClientCert, setMasterURI, setTokenAuth)
+import Kubernetes.OpenAPI     (Accept (..), MimeJSON (..), dispatchMime,
+                               newConfig)
+import Network.TLS            (credentialLoadX509)
+
+import qualified Data.Map                      as Map
 import qualified Kubernetes.OpenAPI.API.CoreV1 as CoreV1
-import           Network.TLS                   (credentialLoadX509)
 
 example :: IO ()
 example = do
@@ -42,5 +44,25 @@ example = do
             (CoreV1.listPodForAllNamespaces (Accept MimeJSON))
         >>= print
 
+exampleWithKubeConfig :: IO ()
+exampleWithKubeConfig = do
+    oidcCache <- atomically $ newTVar $ Map.fromList []
+    (mgr, kcfg) <- mkKubeClientConfig oidcCache $ KubeConfigFile "/path/to/kubeconfig"
+    dispatchMime
+            mgr
+            kcfg
+            (CoreV1.listPodForAllNamespaces (Accept MimeJSON))
+        >>= print
+
+exampleWithInClusterConfig :: IO ()
+exampleWithInClusterConfig = do
+    oidcCache <- atomically $ newTVar $ Map.fromList []
+    (mgr, kcfg) <- mkKubeClientConfig oidcCache KubeConfigCluster
+    dispatchMime
+            mgr
+            kcfg
+            (CoreV1.listPodForAllNamespaces (Accept MimeJSON))
+        >>= print
+
 main :: IO ()
 main = return ()

kubernetes-client/package.yaml

@@ -13,40 +13,58 @@ license: Apache-2.0
 license-file: LICENSE
 library:
   source-dirs: src
+  ghc-options:
+  - -Wall
 tests:
   spec:
     main: Spec.hs
     source-dirs: test
     dependencies:
       - kubernetes-client
       - hspec
+      - hspec-attoparsec
       - yaml
+      - file-embed
   example:
     main: App.hs
     source-dirs: example
     dependencies:
       - kubernetes-client
 extra-source-files:
-  - test/testdata/*
+  - test/testdata/**/*
   - README.md
 dependencies:
   - base >=4.7 && <5.0
-  - bytestring >=0.10.0 && <0.11
-  - aeson >=1.2.2 && <1.5
-  - connection >=0.2.8
-  - containers >= 0.6.0.1
-  - data-default-class >=0.1.2.0
+  - base64-bytestring
+  - bytestring >=0.10 && <0.11
+  - aeson >=1.2 && <1.5
+  - attoparsec >=0.13 && <0.14
+  - jsonpath >=0.1 && <0.2
+  - connection >=0.2
+  - containers >= 0.5
+  - data-default-class >=0.1
+  - either >=5.0
+  - filepath >=1.4
+  - hoauth2 >=1.8
   - http-client >=0.5 && <0.7
-  - http-client-tls >=0.3.5.3
+  - http-client-tls >=0.3
+  - jose-jwt >=0.8
   - kubernetes-client-core ==0.1.0.1
-  - microlens >=0.4.3 && <0.5
-  - mtl >=2.2.1
-  - pem >=0.2.4
+  - microlens >=0.4 && <0.5
+  - mtl >=2.2
+  - oidc-client >=0.4
+  - pem >=0.2
   - safe-exceptions >=0.1.0.0
-  - streaming-bytestring >= 0.1.5 && < 0.2.0
+  - stm >=2.4
+  - streaming-bytestring >= 0.1 && < 0.2.0
   - text >=0.11 && <1.3
+  - time >=1.8
+  - timerep >=2.0
   - tls >=1.4.1
-  - x509 >=1.7.5
-  - x509-system >=1.6.6
-  - x509-store >=1.6.7
-  - x509-validation >=1.6.11
+  - typed-process >=0.2
+  - uri-bytestring >=0.3
+  - x509 >=1.7
+  - x509-system >=1.6
+  - x509-store >=1.6
+  - x509-validation >=1.6
+  - yaml >=0.8.32

kubernetes-client/src/Kubernetes/Client/Auth/ClientCert.hs

@@ -0,0 +1,41 @@
+module Kubernetes.Client.Auth.ClientCert where
+
+import Control.Exception.Safe                (Exception, throwM)
+import Data.Text.Encoding
+import Kubernetes.Client.Auth.Internal.Types
+import Kubernetes.Client.Internal.TLSUtils
+import Kubernetes.Client.KubeConfig
+import Kubernetes.OpenAPI                    (KubernetesClientConfig (..))
+import Network.TLS
+
+-- | Detects if kuebconfig file provides 'client-certificate', if it configures TLS client params with the client certificate
+clientCertFileAuth :: DetectAuth
+clientCertFileAuth auth (tlsParams, cfg) = do
+  certFile <- clientCertificate auth
+  keyFile <- clientKey auth
+  return $ do
+    cert <- credentialLoadX509 certFile keyFile
+            >>= either (throwM . CredentialLoadException) return
+    let newParams = (setClientCert cert tlsParams)
+        newCfg = (disableValidateAuthMethods cfg)
+    return (newParams, newCfg)
+
+-- | Detects if kuebconfig file provides 'client-certificate-data', if it configures TLS client params with the client certificate
+clientCertDataAuth :: DetectAuth
+clientCertDataAuth auth (tlsParams, cfg) = do
+  certB64 <- encodeUtf8 <$> clientCertificateData auth
+  keyB64 <- encodeUtf8 <$> clientKeyData auth
+  Just $  do
+    cert <- loadB64EncodedCert certB64 keyB64
+    let newParams = (setClientCert cert tlsParams)
+        newCfg = (disableValidateAuthMethods cfg)
+    return (newParams, newCfg)
+
+-- |Disables the client-side auth methods validation. This is necessary if you are using client cert authentication.
+disableValidateAuthMethods :: KubernetesClientConfig -> KubernetesClientConfig
+disableValidateAuthMethods kcfg = kcfg { configValidateAuthMethods = False }
+
+data CredentialLoadException = CredentialLoadException String
+  deriving Show
+
+instance Exception CredentialLoadException