#72 suppport client-side SSL certs from kubeconfig file

2017-01-15 18:15:17 +01:00
parent cb1332495f
commit e54a0fb5f5
3 changed files with 45 additions and 12 deletions
--- a/kube_ops_view/cluster_discovery.py
+++ b/kube_ops_view/cluster_discovery.py
@@ -10,6 +10,7 @@ import requests
 import tokens
 from requests.auth import AuthBase

+# default URL points to kubectl proxy
 DEFAULT_CLUSTERS = 'http://localhost:8001/'
 CLUSTER_ID_INVALID_CHARS = re.compile('[^a-z0-9:-]')

@@ -26,16 +27,21 @@ def generate_cluster_id(url: str):
    return CLUSTER_ID_INVALID_CHARS.sub('-', url.lower()).strip('-')


-class StaticTokenAuth(AuthBase):
-    def __init__(self, token):
-        self.token = token
+class StaticAuthorizationHeaderAuth(AuthBase):
+    '''Static authentication with given "Authorization" header'''
+
+    def __init__(self, authorization):
+        self.authorization = authorization

    def __call__(self, request):
-        request.headers['Authorization'] = 'Bearer {}'.format(self.token)
+        request.headers['Authorization'] = self.authorization
        return request


 class OAuthTokenAuth(AuthBase):
+    '''Dynamic authentication using the "tokens" library to load OAuth tokens from file
+    (potentially mounted from a Kubernetes secret)'''
+
    def __init__(self, token_name):
        self.token_name = token_name
        tokens.manage(token_name)
@@ -47,11 +53,13 @@ class OAuthTokenAuth(AuthBase):


 class Cluster:
-    def __init__(self, id, api_server_url, ssl_ca_cert=None, auth=None):
+    def __init__(self, id, api_server_url, ssl_ca_cert=None, auth=None, cert_file=None, key_file=None):
        self.id = id
        self.api_server_url = api_server_url
        self.ssl_ca_cert = ssl_ca_cert
        self.auth = auth
+        self.cert_file = cert_file
+        self.key_file = key_file


 class StaticClusterDiscoverer:
@@ -72,7 +80,7 @@ class StaticClusterDiscoverer:
                    generate_cluster_id(config.host),
                    config.host,
                    ssl_ca_cert=config.ssl_ca_cert,
-                    auth=StaticTokenAuth(config.api_key['authorization'].split(' ', 1)[-1]))
+                    auth=StaticAuthorizationHeaderAuth(config.api_key['authorization']))
            self._clusters.append(cluster)
        else:
            for api_server_url in api_server_urls:
@@ -121,21 +129,32 @@ class ClusterRegistryDiscoverer:

 class KubeconfigDiscoverer:

-    def __init__(self, kubeconfig_path: Path):
+    def __init__(self, kubeconfig_path: Path, contexts: set):
        self._path = kubeconfig_path
+        self._contexts = contexts

    def get_clusters(self):
        # Kubernetes Python client expects "vintage" string path
        config_file = str(self._path)
        contexts, current_context = kubernetes.config.list_kube_config_contexts(config_file)
        for context in contexts:
+            if self._contexts and context['name'] not in self._contexts:
+                # filter out
+                continue
            config = kubernetes.client.ConfigurationObject()
            kubernetes.config.load_kube_config(config_file, context=context['name'], client_configuration=config)
+            authorization = config.api_key.get('authorization')
+            if authorization:
+                auth = StaticAuthorizationHeaderAuth(authorization)
+            else:
+                auth = None
            cluster = Cluster(
                context['name'],
                config.host,
                ssl_ca_cert=config.ssl_ca_cert,
-                auth=StaticTokenAuth(config.api_key['authorization'].split(' ', 1)[-1]))
+                cert_file=config.cert_file,
+                key_file=config.key_file,
+                auth=auth)
            yield cluster