Support in-cluster config

Author: yuanying

kubernetes/lib/kubernetes/config/incluster_config.rb

@@ -0,0 +1,84 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'kubernetes/configuration'
+require 'kubernetes/config/error'
+
+module Kubernetes
+
+  class InClusterConfig
+
+    class << self
+
+      #
+      # Use the service account kubernetes gives to pods to connect to kubernetes
+      # cluster. It's intended for clients that expect to be running inside a pod
+      # running on kubernetes. It will raise an exception if called from a process
+      # not running in a kubernetes environment.
+      def load(client_configuration: Configuration.default)
+        config = self.new
+        config.configure(client_configuration)
+      end
+
+    end
+
+    SERVICE_HOST_ENV_NAME = "KUBERNETES_SERVICE_HOST"
+    SERVICE_PORT_ENV_NAME = "KUBERNETES_SERVICE_PORT"
+    SERVICE_TOKEN_FILENAME = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+    SERVICE_CA_CERT_FILENAME = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+    attr_accessor :host
+    attr_accessor :port
+    attr_accessor :token
+
+    def validate
+      unless (self.host = self.env[SERVICE_HOST_ENV_NAME]) && (self.port = self.env[SERVICE_PORT_ENV_NAME])
+        raise ConfigError.new("Service host/port is not set")
+      end
+      raise ConfigError.new("Service token file does not exists") unless File.file?(self.token_file)
+      raise ConfigError.new("Service token file does not exists") unless File.file?(self.ca_cert)
+    end
+
+    def env
+      @env ||= ENV
+      @env
+    end
+
+    def ca_cert
+      @ca_cert ||= SERVICE_CA_CERT_FILENAME
+      @ca_cert
+    end
+
+    def token_file
+      @token_file ||= SERVICE_TOKEN_FILENAME
+      @token_file
+    end
+
+    def load_token
+      open(self.token_file) do |io|
+        self.token = io.read.chomp
+      end
+    end
+
+    def configure(configuration)
+      validate
+      load_token
+      configuration.api_key['authorization'] = "Bearer #{self.token}"
+      configuration.scheme = 'https'
+      configuration.host = "#{self.host}:#{self.port}"
+      configuration.ssl_ca_cert = self.ca_cert
+    end
+  end
+
+end

kubernetes/spec/config/incluster_config_spec.rb

@@ -0,0 +1,120 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+require 'config/matchers'
+
+require 'kubernetes/config/incluster_config'
+
+
+describe Kubernetes::InClusterConfig do
+
+  context '#configure' do
+    let(:incluster_config) do
+      Kubernetes::InClusterConfig.new.tap do |c|
+        c.instance_variable_set(:@env, {
+          Kubernetes::InClusterConfig::SERVICE_HOST_ENV_NAME => 'localhost',
+          Kubernetes::InClusterConfig::SERVICE_PORT_ENV_NAME => '443',
+        })
+        c.instance_variable_set(:@ca_cert, file_fixture('certs/ca.crt').to_s)
+        c.instance_variable_set(:@token_file, file_fixture('tokens/token').to_s)
+      end
+    end
+
+    it 'should configure configuration' do
+      expected = Kubernetes::Configuration.new do |c|
+        c.scheme = 'https'
+        c.host = 'localhost:443'
+        c.ssl_ca_cert = file_fixture('certs/ca.crt').to_s
+        c.api_key['authorization'] = 'Bearer token1'
+      end
+      actual = Kubernetes::Configuration.new
+
+      incluster_config.configure(actual)
+      expect(actual).to be_same_configuration_as(expected)
+    end
+  end
+
+  context '#validate' do
+    let(:incluster_config) do
+      Kubernetes::InClusterConfig.new.tap do |c|
+        c.instance_variable_set(:@env, {
+          Kubernetes::InClusterConfig::SERVICE_HOST_ENV_NAME => 'localhost',
+          Kubernetes::InClusterConfig::SERVICE_PORT_ENV_NAME => '443',
+        })
+        c.instance_variable_set(:@ca_cert, file_fixture('certs/ca.crt').to_s)
+        c.instance_variable_set(:@token_file, file_fixture('tokens/token').to_s)
+      end
+    end
+
+    context 'if valid environment' do
+
+      it 'shold not raise ConfigError' do
+        expect { incluster_config.validate }.not_to raise_error
+      end
+    end
+
+    context 'if SERVICE_HOST_ENV_NAME env variable is not set' do
+
+      it 'should raise ConfigError' do
+        incluster_config.env[Kubernetes::InClusterConfig::SERVICE_HOST_ENV_NAME] = nil
+
+        expect { incluster_config.validate }.to raise_error(Kubernetes::ConfigError)
+      end
+    end
+
+    context 'if SERVICE_PORT_ENV_NAME env variable is not set' do
+
+      it 'should raise ConfigError' do
+        incluster_config.env[Kubernetes::InClusterConfig::SERVICE_PORT_ENV_NAME] = nil
+
+        expect { incluster_config.validate }.to raise_error(Kubernetes::ConfigError)
+      end
+    end
+
+    context 'if ca_cert file is not exist' do
+
+      it 'shold raise ConfigError' do
+        incluster_config.instance_variable_set(:@ca_cert, 'certs/no_ca.crt')
+
+        expect { incluster_config.validate }.to raise_error(Kubernetes::ConfigError)
+      end
+    end
+
+    context 'if token file is not exist' do
+
+      it 'shold raise ConfigError' do
+        incluster_config.instance_variable_set(:@token_file, 'tokens/no_token')
+
+        expect { incluster_config.validate }.to raise_error(Kubernetes::ConfigError)
+      end
+    end
+  end
+
+  context '#ca_cert' do
+    let(:incluster_config) { Kubernetes::InClusterConfig.new }
+
+    it 'shold return "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"' do
+      expect(incluster_config.ca_cert).to eq('/var/run/secrets/kubernetes.io/serviceaccount/ca.crt')
+    end
+  end
+
+  context '#token_file' do
+    let(:incluster_config) { Kubernetes::InClusterConfig.new }
+
+    it 'shold return "/var/run/secrets/kubernetes.io/serviceaccount/token"' do
+      expect(incluster_config.token_file).to eq('/var/run/secrets/kubernetes.io/serviceaccount/token')
+    end
+  end
+end

kubernetes/spec/config/kube_config_spec.rb

@@ -14,6 +14,7 @@
 
 require 'base64'
 require 'spec_helper'
+require 'config/matchers'
 
 require 'kubernetes/config/kube_config'
 
@@ -163,21 +164,6 @@
   ],
 }
 
-RSpec::Matchers.define :be_same_configuration_as do |expected|
-  match do |actual|
-    to_h = Proc.new do |configuration|
-      {}.tap do |hash|
-        configuration.instance_variables.each do |var|
-          value = configuration.instance_variable_get(var)
-          if value.kind_of?(Hash) || value.kind_of?(String)
-            hash[var.to_s.tr('@', '')] = value
-          end
-        end
-      end
-    end
-    to_h.call(actual) == to_h.call(expected)
-  end
-end
 
 describe Kubernetes::KubeConfig do
   let(:kube_config) { Kubernetes::KubeConfig.new(file_fixture('config/config').to_s, TEST_KUBE_CONFIG) }

kubernetes/spec/config/matchers.rb

@@ -0,0 +1,29 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+RSpec::Matchers.define :be_same_configuration_as do |expected|
+  match do |actual|
+    to_h = Proc.new do |configuration|
+      {}.tap do |hash|
+        configuration.instance_variables.each do |var|
+          value = configuration.instance_variable_get(var)
+          if value.kind_of?(Hash) || value.kind_of?(String)
+            hash[var.to_s.tr('@', '')] = value
+          end
+        end
+      end
+    end
+    to_h.call(actual) == to_h.call(expected)
+  end
+end