kubernetes-client/csharp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Out-of-tree client authentication providers (UserCredentials exec option) for asp.net core applications (#359)

Browse Source 
* Adding the user credentials exec abillity
	new file:   src/KubernetesClient/KubeConfigModels/ExecCredentialResponse.cs
	new file:   src/KubernetesClient/KubeConfigModels/ExternalExecution.cs
	modified:   src/KubernetesClient/KubeConfigModels/UserCredentials.cs
	modified:   src/KubernetesClient/KubernetesClientConfiguration.ConfigFile.cs

* Fixed a few issues with the process spawning and some null references issues

* Removed unused import that caused the build to fail (Mail)

* Added preprocessor directive that will disable out-of-tree client authentication in case it is not a asp.net core app

* Added tests to the new external execution (out-of-tree client authentication) extension

* Trying to fix failing tests that fail apparently due to the preprocessor symbol

* Trying to fix failing macos tests

* Added the -n (do not output trailing newline) and the -E options to the echo command in OSX

* initializing arguments variable

* Changes according to tg123 comments
Changed OSX testing command to printf to try and solve the JSON
parsing errors

* Added missing references

* Environment.UserInteractive and Process applies to .NET Standard >= 2.0 according to Microsoft documentation
This commit is contained in:
Kubernetes Prow Robot
2020-03-05 09:12:38 -08:00
committed by GitHub
parent e11cc58e56
commit b07e78afa4
5 changed files with 296 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
src/KubernetesClient/KubernetesClientConfiguration.ConfigFile.cs
View File

@@ -1,5 +1,9 @@
using System;
#if NETSTANDARD2_0
using Newtonsoft.Json;
using System.Collections.Generic;
using System.Diagnostics;
#endif
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
@@ -8,6 +12,7 @@ using System.Threading.Tasks;
using k8s.Exceptions;
using k8s.KubeConfigModels;
namespace k8s
{
public partial class KubernetesClientConfiguration
@@ -28,15 +33,19 @@ namespace k8s
/// <summary>
/// Initializes a new instance of the <see cref="KubernetesClientConfiguration" /> from config file
/// </summary>
public static KubernetesClientConfiguration BuildDefaultConfig() {
public static KubernetesClientConfiguration BuildDefaultConfig()
{
var kubeconfig = Environment.GetEnvironmentVariable("KUBECONFIG");
if (kubeconfig != null) {
if (kubeconfig != null)
{
return BuildConfigFromConfigFile(kubeconfigPath: kubeconfig);
}
if (File.Exists(KubeConfigDefaultLocation)) {
if (File.Exists(KubeConfigDefaultLocation))
{
return BuildConfigFromConfigFile(kubeconfigPath: KubeConfigDefaultLocation);
}
if (IsInCluster()) {
if (IsInCluster())
{
return InClusterConfig();
}
var config = new KubernetesClientConfiguration();
@@ -150,7 +159,7 @@ namespace k8s
var k8SConfiguration = new KubernetesClientConfiguration();
currentContext = currentContext ?? k8SConfig.CurrentContext;
// only init context if context if set
// only init context if context is set
if (currentContext != null)
{
k8SConfiguration.InitializeContext(k8SConfig, currentContext);
@@ -214,7 +223,7 @@ namespace k8s
Host = clusterDetails.ClusterEndpoint.Server;
SkipTlsVerify = clusterDetails.ClusterEndpoint.SkipTlsVerify;
if(!Uri.TryCreate(Host, UriKind.Absolute, out Uri uri))
if (!Uri.TryCreate(Host, UriKind.Absolute, out Uri uri))
{
throw new KubeConfigException($"Bad server host URL `{Host}` (cannot be parsed)");
}
@@ -294,65 +303,81 @@ namespace k8s
switch (userDetails.UserCredentials.AuthProvider.Name)
{
case "azure":
{
var config = userDetails.UserCredentials.AuthProvider.Config;
if (config.ContainsKey("expires-on"))
{
var expiresOn = Int32.Parse(config["expires-on"]);
DateTimeOffset expires;
#if NET452
var config = userDetails.UserCredentials.AuthProvider.Config;
if (config.ContainsKey("expires-on"))
{
var expiresOn = Int32.Parse(config["expires-on"]);
DateTimeOffset expires;
#if NET452
var epoch = new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero);
expires = epoch.AddSeconds(expiresOn);
#else
expires = DateTimeOffset.FromUnixTimeSeconds(expiresOn);
#endif
#else
expires = DateTimeOffset.FromUnixTimeSeconds(expiresOn);
#endif
if (DateTimeOffset.Compare(expires
, DateTimeOffset.Now)
<= 0)
{
var tenantId = config["tenant-id"];
var clientId = config["client-id"];
var apiServerId = config["apiserver-id"];
var refresh = config["refresh-token"];
var newToken = RenewAzureToken(tenantId
, clientId
, apiServerId
, refresh);
config["access-token"] = newToken;
}
}
AccessToken = config["access-token"];
userCredentialsFound = true;
break;
}
case "gcp":
{
var config = userDetails.UserCredentials.AuthProvider.Config;
const string keyExpire = "expiry";
if (config.ContainsKey(keyExpire))
{
if (DateTimeOffset.TryParse(config[keyExpire]
, out DateTimeOffset expires))
{
if (DateTimeOffset.Compare(expires
, DateTimeOffset.Now)
<= 0)
{
throw new KubeConfigException("Refresh not supported.");
var tenantId = config["tenant-id"];
var clientId = config["client-id"];
var apiServerId = config["apiserver-id"];
var refresh = config["refresh-token"];
var newToken = RenewAzureToken(tenantId
, clientId
, apiServerId
, refresh);
config["access-token"] = newToken;
}
}
}
AccessToken = config["access-token"];
userCredentialsFound = true;
break;
}
AccessToken = config["access-token"];
userCredentialsFound = true;
break;
}
case "gcp":
{
var config = userDetails.UserCredentials.AuthProvider.Config;
const string keyExpire = "expiry";
if (config.ContainsKey(keyExpire))
{
if (DateTimeOffset.TryParse(config[keyExpire]
, out DateTimeOffset expires))
{
if (DateTimeOffset.Compare(expires
, DateTimeOffset.Now)
<= 0)
{
throw new KubeConfigException("Refresh not supported.");
}
}
}
AccessToken = config["access-token"];
userCredentialsFound = true;
break;
}
}
}
}
#if NETSTANDARD2_0
if (userDetails.UserCredentials.ExternalExecution != null)
{
if (string.IsNullOrWhiteSpace(userDetails.UserCredentials.ExternalExecution.Command))
throw new KubeConfigException(
"External command execution to receive user credentials must include a command to execute");
if (string.IsNullOrWhiteSpace(userDetails.UserCredentials.ExternalExecution.ApiVersion))
throw new KubeConfigException("External command execution missing ApiVersion key");
var token = ExecuteExternalCommand(userDetails.UserCredentials.ExternalExecution);
AccessToken = token;
userCredentialsFound = true;
}
#endif
if (!userCredentialsFound)
{
throw new KubeConfigException(
@@ -365,6 +390,84 @@ namespace k8s
throw new KubeConfigException("Refresh not supported.");
}
#if NETSTANDARD2_0
/// <summary>
/// Implementation of the proposal for out-of-tree client
/// authentication providers as described here --
/// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/kubectl-exec-plugins.md
/// Took inspiration from python exec_provider.py --
/// https://github.com/kubernetes-client/python-base/blob/master/config/exec_provider.py
/// </summary>
/// <param name="config">The external command execution configuration</param>
/// <returns>The token received from the external commmand execution</returns>
public static string ExecuteExternalCommand(ExternalExecution config)
{
var execInfo = new Dictionary<string, dynamic>
{
{"apiVersion", config.ApiVersion},
{"kind", "ExecCredentials"},
{"spec", new Dictionary<string, bool>
{
{"interactive", Environment.UserInteractive}
}}
};
var process = new Process();
process.StartInfo.Environment.Add("KUBERNETES_EXEC_INFO",
JsonConvert.SerializeObject(execInfo));
if (config.EnvironmentVariables != null)
foreach (var configEnvironmentVariableKey in config.EnvironmentVariables.Keys)
process.StartInfo.Environment.Add(key: configEnvironmentVariableKey,
value: config.EnvironmentVariables[configEnvironmentVariableKey]);
process.StartInfo.FileName = config.Command;
if (config.Arguments != null)
process.StartInfo.Arguments = string.Join(" ", config.Arguments);
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.UseShellExecute = false;
try
{
process.Start();
}
catch (Exception ex)
{
throw new KubeConfigException($"external exec failed due to: {ex.Message}");
}
var stdout = process.StandardOutput.ReadToEnd();
var stderr = process.StandardOutput.ReadToEnd();
if (string.IsNullOrWhiteSpace(stderr) == false)
throw new KubeConfigException($"external exec failed due to: {stderr}");
// Wait for a maximum of 5 seconds, if a response takes longer probably something went wrong...
process.WaitForExit(5);
try
{
var responseObject = JsonConvert.DeserializeObject<ExecCredentialResponse>(stdout);
if (responseObject == null || responseObject.ApiVersion != config.ApiVersion)
throw new KubeConfigException(
$"external exec failed because api version {responseObject.ApiVersion} does not match {config.ApiVersion}");
return responseObject.Status["token"];
}
catch (JsonSerializationException ex)
{
throw new KubeConfigException($"external exec failed due to failed deserialization process: {ex}");
}
catch (Exception ex)
{
throw new KubeConfigException($"external exec failed due to uncaught exception: {ex}");
}
}
#endif
/// <summary>
/// Loads entire Kube Config from default or explicit file path
/// </summary>