Merge remote-tracking branch 'upstream/master' into fix_base64_padding_for_kconfig

Author: bpicolo

.travis.yml

@@ -1,6 +1,6 @@
 # ref: https://docs.travis-ci.com/user/languages/python
 language: python
-dist: trusty
+dist: xenial
 sudo: required
 
 matrix:
@@ -10,7 +10,7 @@ matrix:
      - python: 2.7
        env: TOXENV=py27-functional
      - python: 2.7
-       env: TOXENV=update-pep8
+       env: TOXENV=update-pycodestyle
      - python: 2.7
        env: TOXENV=docs
      - python: 2.7
@@ -25,10 +25,15 @@ matrix:
        env: TOXENV=py36
      - python: 3.6
        env: TOXENV=py36-functional
+     - python: 3.7
+       env: TOXENV=py37
+     - python: 3.7
+       env: TOXENV=py37-functional
 
 install:
   - pip install tox
 
 script:
   - ./run_tox.sh tox
+  - ./hack/verify-boilerplate.sh
 

OWNERS

@@ -1,3 +1,5 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
 approvers:
   - mbohlool
   - yliaog

config/__init__.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

config/config_exception.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

config/dateutil.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

config/dateutil_test.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

config/exec_provider.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import json
+import os
+import subprocess
+import sys
+
+from .config_exception import ConfigException
+
+
+class ExecProvider(object):
+    """
+    Implementation of the proposal for out-of-tree client
+    authentication providers as described here --
+    https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md
+
+    Missing from implementation:
+
+    * TLS cert support
+    * caching
+    """
+
+    def __init__(self, exec_config):
+        """
+        exec_config must be of type ConfigNode because we depend on
+        safe_get(self, key) to correctly handle optional exec provider
+        config parameters.
+        """
+        for key in ['command', 'apiVersion']:
+            if key not in exec_config:
+                raise ConfigException(
+                    'exec: malformed request. missing key \'%s\'' % key)
+        self.api_version = exec_config['apiVersion']
+        self.args = [exec_config['command']]
+        if exec_config.safe_get('args'):
+            self.args.extend(exec_config['args'])
+        self.env = os.environ.copy()
+        if exec_config.safe_get('env'):
+            additional_vars = {}
+            for item in exec_config['env']:
+                name = item['name']
+                value = item['value']
+                additional_vars[name] = value
+            self.env.update(additional_vars)
+
+    def run(self, previous_response=None):
+        kubernetes_exec_info = {
+            'apiVersion': self.api_version,
+            'kind': 'ExecCredential',
+            'spec': {
+                'interactive': sys.stdout.isatty()
+            }
+        }
+        if previous_response:
+            kubernetes_exec_info['spec']['response'] = previous_response
+        self.env['KUBERNETES_EXEC_INFO'] = json.dumps(kubernetes_exec_info)
+        process = subprocess.Popen(
+            self.args,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            env=self.env,
+            universal_newlines=True)
+        (stdout, stderr) = process.communicate()
+        exit_code = process.wait()
+        if exit_code != 0:
+            msg = 'exec: process returned %d' % exit_code
+            stderr = stderr.strip()
+            if stderr:
+                msg += '. %s' % stderr
+            raise ConfigException(msg)
+        try:
+            data = json.loads(stdout)
+        except ValueError as de:
+            raise ConfigException(
+                'exec: failed to decode process output: %s' % de)
+        for key in ('apiVersion', 'kind', 'status'):
+            if key not in data:
+                raise ConfigException(
+                    'exec: malformed response. missing key \'%s\'' % key)
+        if data['apiVersion'] != self.api_version:
+            raise ConfigException(
+                'exec: plugin api version %s does not match %s' %
+                (data['apiVersion'], self.api_version))
+        return data['status']

config/exec_provider_test.py

@@ -0,0 +1,147 @@
+#!/usr/bin/env python
+
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import unittest
+
+import mock
+
+from .config_exception import ConfigException
+from .exec_provider import ExecProvider
+from .kube_config import ConfigNode
+
+
+class ExecProviderTest(unittest.TestCase):
+
+    def setUp(self):
+        self.input_ok = ConfigNode('test', {
+            'command': 'aws-iam-authenticator',
+            'args': ['token', '-i', 'dummy'],
+            'apiVersion': 'client.authentication.k8s.io/v1beta1',
+            'env': None
+        })
+        self.output_ok = """
+        {
+            "apiVersion": "client.authentication.k8s.io/v1beta1",
+            "kind": "ExecCredential",
+            "status": {
+                "token": "dummy"
+            }
+        }
+        """
+
+    def test_missing_input_keys(self):
+        exec_configs = [ConfigNode('test1', {}),
+                        ConfigNode('test2', {'command': ''}),
+                        ConfigNode('test3', {'apiVersion': ''})]
+        for exec_config in exec_configs:
+            with self.assertRaises(ConfigException) as context:
+                ExecProvider(exec_config)
+            self.assertIn('exec: malformed request. missing key',
+                          context.exception.args[0])
+
+    @mock.patch('subprocess.Popen')
+    def test_error_code_returned(self, mock):
+        instance = mock.return_value
+        instance.wait.return_value = 1
+        instance.communicate.return_value = ('', '')
+        with self.assertRaises(ConfigException) as context:
+            ep = ExecProvider(self.input_ok)
+            ep.run()
+        self.assertIn('exec: process returned %d' %
+                      instance.wait.return_value, context.exception.args[0])
+
+    @mock.patch('subprocess.Popen')
+    def test_nonjson_output_returned(self, mock):
+        instance = mock.return_value
+        instance.wait.return_value = 0
+        instance.communicate.return_value = ('', '')
+        with self.assertRaises(ConfigException) as context:
+            ep = ExecProvider(self.input_ok)
+            ep.run()
+        self.assertIn('exec: failed to decode process output',
+                      context.exception.args[0])
+
+    @mock.patch('subprocess.Popen')
+    def test_missing_output_keys(self, mock):
+        instance = mock.return_value
+        instance.wait.return_value = 0
+        outputs = [
+            """
+            {
+                "kind": "ExecCredential",
+                "status": {
+                    "token": "dummy"
+                }
+            }
+            """, """
+            {
+                "apiVersion": "client.authentication.k8s.io/v1beta1",
+                "status": {
+                    "token": "dummy"
+                }
+            }
+            """, """
+            {
+                "apiVersion": "client.authentication.k8s.io/v1beta1",
+                "kind": "ExecCredential"
+            }
+            """
+        ]
+        for output in outputs:
+            instance.communicate.return_value = (output, '')
+            with self.assertRaises(ConfigException) as context:
+                ep = ExecProvider(self.input_ok)
+                ep.run()
+            self.assertIn('exec: malformed response. missing key',
+                          context.exception.args[0])
+
+    @mock.patch('subprocess.Popen')
+    def test_mismatched_api_version(self, mock):
+        instance = mock.return_value
+        instance.wait.return_value = 0
+        wrong_api_version = 'client.authentication.k8s.io/v1'
+        output = """
+        {
+            "apiVersion": "%s",
+            "kind": "ExecCredential",
+            "status": {
+                "token": "dummy"
+            }
+        }
+        """ % wrong_api_version
+        instance.communicate.return_value = (output, '')
+        with self.assertRaises(ConfigException) as context:
+            ep = ExecProvider(self.input_ok)
+            ep.run()
+        self.assertIn(
+            'exec: plugin api version %s does not match' %
+            wrong_api_version,
+            context.exception.args[0])
+
+    @mock.patch('subprocess.Popen')
+    def test_ok_01(self, mock):
+        instance = mock.return_value
+        instance.wait.return_value = 0
+        instance.communicate.return_value = (self.output_ok, '')
+        ep = ExecProvider(self.input_ok)
+        result = ep.run()
+        self.assertTrue(isinstance(result, dict))
+        self.assertTrue('token' in result)
+
+
+if __name__ == '__main__':
+    unittest.main()

config/incluster_config.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -85,7 +87,8 @@ def _set_config(self):
 
 
 def load_incluster_config():
-    """Use the service account kubernetes gives to pods to connect to kubernetes
+    """
+    Use the service account kubernetes gives to pods to connect to kubernetes
     cluster. It's intended for clients that expect to be running inside a pod
     running on kubernetes. It will raise an exception if called from a process
     not running in a kubernetes environment."""

config/incluster_config_test.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python
+
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");