Module: Kerbi::Utils::K8sAuth

Defined in:
lib/utils/k8s_auth.rb

Overview

All *_bundle methods return a custom-schema hash that is used to create a Kubeclient::Client instance. See that class's constructor docs for the meaning of each key. Underlying lib credit: github.com/ManageIQ/kubeclient

Class Method Details

.basic_auth_bundle(username:, password:) ⇒ Object

Basic username/password auth. See github.com/ManageIQ/kubeclient#authentication



# File 'lib/utils/k8s_auth.rb', line 32

def self.basic_auth_bundle(username:, password:)
  {
    endpoint: "https://localhost:8443/api",
    options: {
      auth_options: {
        username: username,
        password: password
      }
    }
  }
end

.default_kube_config_path ⇒ Object



# File 'lib/utils/k8s_auth.rb', line 82

def self.default_kube_config_path
  ENV['KUBECONFIG'] || "#{Dir.home}/.kube/config"
end

.in_cluster_auth_bundle ⇒ Object

Auth for when Kerbi runs inside a Kubernetes cluster. Uses the default credentials in the pod's filesystem. Likely requires extra RBAC resources to exist for that service account, e.g. a few Roles/ClusterRoles and RoleBindings/ClusterRoleBindings, in order for CRUD methods to actually work. See github.com/ManageIQ/kubeclient#middleware



# File 'lib/utils/k8s_auth.rb', line 65

def self.in_cluster_auth_bundle
  token_path = '/var/run/secrets/kubernetes.io/serviceaccount/token'
  ca_crt_path = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  auth_options = { bearer_token_file: token_path }

  ssl_options = {}
  ssl_options[:ca_file] = ca_crt_path if File.exist?(ca_crt_path)

  {
    endpoint: "https://kubernetes.default.svc",
    options: {
      auth_options: auth_options,
      ssl_options: ssl_options
    }
  }
end

.kube_config_bundle(path: nil, name: nil) ⇒ Object

Auth using config/credentials from a local kube context entry. See github.com/ManageIQ/kubeclient#kubeclientconfig



# File 'lib/utils/k8s_auth.rb', line 15

def self.kube_config_bundle(path: nil, name: nil)
  path = path || default_kube_config_path
  config = Kubeclient::Config.read(path)
  context = config.context(name)

  {
    endpoint: context.api_endpoint,
    options: {
      ssl_options: context.ssl_options,
      auth_options: context.auth_options
    }
  }
end

.token_auth_bundle(bearer_token:) ⇒ Object

Auth using explicit bearer token for each request. See github.com/ManageIQ/kubeclient#authentication



# File 'lib/utils/k8s_auth.rb', line 47

def self.token_auth_bundle(bearer_token:)
  {
    endpoint: "https://localhost:8443/api",
    options: {
      auth_options: {
        bearer_token: bearer_token
      }
    }
  }
end
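
A pre-flight check over the bundle hashes documented above, as an added example that is not part of Kerbi or kubeclient: the hypothetical `audit_bundle` helper flags a non-HTTPS endpoint, disabled certificate verification, a missing CA or token file, and mixed or blank credentials before the hash is handed to Kubeclient::Client. The sample bundle and its values are constructed.

```ruby
require 'openssl'

# Hypothetical helper, not part of Kerbi or kubeclient. Takes a hash shaped
# like the *_bundle return values and returns an array of warning strings.
def audit_bundle(bundle)
  findings = []
  opts = bundle[:options] || {}
  auth = opts[:auth_options] || {}
  ssl  = opts[:ssl_options] || {}

  unless bundle[:endpoint].to_s.start_with?('https://')
    findings << 'endpoint is not https; credentials would travel in cleartext'
  end

  # verify_ssl: VERIFY_NONE turns off peer certificate checks
  if ssl[:verify_ssl] == OpenSSL::SSL::VERIFY_NONE
    findings << 'ssl_options disables certificate verification'
  end
  if ssl[:ca_file] && !File.file?(ssl[:ca_file])
    findings << "ca_file #{ssl[:ca_file]} does not exist"
  end

  # One credential kind per bundle: basic, inline token, or token file
  kinds = []
  kinds << :basic if auth[:username] || auth[:password]
  kinds << :token if auth[:bearer_token]
  kinds << :token_file if auth[:bearer_token_file]
  findings << 'auth_options mixes several credential kinds' if kinds.size > 1

  if [auth[:password], auth[:bearer_token]].any? { |v| v.is_a?(String) && v.strip.empty? }
    findings << 'auth_options contains a blank credential'
  end

  token_file = auth[:bearer_token_file]
  if token_file && !File.file?(token_file)
    findings << "bearer_token_file #{token_file} does not exist"
  end
  findings
end

# Constructed sample: a bundle with several problems at once
sample = {
  endpoint: 'http://localhost:8080/api',
  options: {
    auth_options: { username: 'admin', password: '', bearer_token: 'constructed-token' },
    ssl_options: { verify_ssl: OpenSSL::SSL::VERIFY_NONE }
  }
}
audit_bundle(sample).each { |finding| puts "WARN: #{finding}" }
```

An empty result means none of these checks fired; it says nothing about whether the credential carries the RBAC permissions mentioned for the in-cluster case.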