Class: K8s::Transport

Inherits:

Object

• Object
• K8s::Transport

Includes:

Logging

Defined in:

lib/k8s/transport.rb

Overview

Excon-based HTTP transport handling request/response body JSON encoding

Constant Summary

EXCON_MIDDLEWARES =

Excon middlewares for requests

[
  # XXX: necessary? redirected requests omit authz headers?
  Excon::Middleware::RedirectFollower
]

REQUEST_HEADERS =

Default request headers

{
  'Accept' => 'application/json'
}.freeze

DELETE_OPTS_BODY_VERSION_MIN =

Min version of Kube API for which delete options need to be sent as request body

Gem::Version.new('1.11')

Constants included from Logging

Logging::LOG_LEVEL, Logging::LOG_TARGET

Instance Attribute Summary

• #options ⇒ Object readonly

  Returns the value of attribute options.

• #path_prefix ⇒ Object readonly

  Returns the value of attribute path_prefix.

• #server ⇒ Object readonly

  Returns the value of attribute server.

Class Method Summary

• .config(config, server: nil, **overrides) ⇒ K8s::Transport

  Construct transport from kubeconfig.

• .in_cluster_config(**options) ⇒ K8s::Transport

  In-cluster config within a kube pod, using the kubernetes service envs and serviceaccount secrets.

• .token_from_auth_provider(auth_provider) ⇒ String
• .token_from_exec(exec_conf) ⇒ String

Instance Method Summary

• #build_excon ⇒ Excon::Connection
• #excon ⇒ Excon::Connection
• #format_request(options) ⇒ String
• #get(*path, **options) ⇒ Array<response_class, Hash, NilClass>
• #gets(*paths, **options) ⇒ Array<response_class, Hash, NilClass>
• #initialize(server, auth_token: nil, auth_username: nil, auth_password: nil, **options) ⇒ Transport constructor

  A new instance of Transport.

• #need_delete_body? ⇒ Boolean

  True if delete options should be sent as bode of the DELETE request.

• #parse_response(response, request_options, response_class: nil) ⇒ response_class, Hash
• #path(*parts) ⇒ String
• #request(response_class: nil, **options) ⇒ response_class, Hash
• #request_options(request_object: nil, content_type: 'application/json', **options) ⇒ Hash
• #requests(*options, skip_missing: false, skip_forbidden: false, retry_errors: true, **common_options) ⇒ Array<response_class, Hash, NilClass>
• #version ⇒ K8s::API::Version

Methods included from Logging

included, #logger, #logger!

Methods included from Logging::ModuleMethods

#debug!, #log_level, #log_level=, #quiet!, #verbose!

Constructor Details

#initialize(server, auth_token: nil, auth_username: nil, auth_password: nil, **options) ⇒ Transport

Returns a new instance of Transport.

Parameters:

• server (String) —

  URL with protocol://host:port (paths are preserved as well)

• auth_token (String) (defaults to: nil) —

  optional Authorization: Bearer token

• auth_username (String) (defaults to: nil) —

  optional Basic authentication username

• auth_password (String) (defaults to: nil) —

  optional Basic authentication password

• options (Hash) —

  @see Excon.new

# File 'lib/k8s/transport.rb', line 162

def initialize(server, auth_token: nil, auth_username: nil, auth_password: nil, **options)
  uri = URI.parse(server)
  @server = "#{uri.scheme}://#{uri.host}:#{uri.port}"
  @path_prefix = File.join('/', uri.path, '/') # add leading and/or trailing slashes
  @auth_token = auth_token
  @auth_username = auth_username
  @auth_password = auth_password
  @options = options

  logger! progname: @server
end

Instance Attribute Details

#options ⇒ Object (readonly)

Returns the value of attribute options.

# File 'lib/k8s/transport.rb', line 155

def options
  @options
end

#path_prefix ⇒ Object (readonly)

Returns the value of attribute path_prefix.

# File 'lib/k8s/transport.rb', line 155

def path_prefix
  @path_prefix
end

#server ⇒ Object (readonly)

Returns the value of attribute server.

# File 'lib/k8s/transport.rb', line 155

def server
  @server
end

Class Method Details

.config(config, server: nil, **overrides) ⇒ K8s::Transport

Construct transport from kubeconfig

Parameters:

• config (K8s::Config)
• server (String) (defaults to: nil) —

  override cluster.server from config

• overrides —

  @see #initialize

Returns:

• (K8s::Transport)

# File 'lib/k8s/transport.rb', line 34

def self.config(config, server: nil, **overrides)
  options = {}

  server ||= config.cluster.server

  if config.cluster.insecure_skip_tls_verify
    logger.debug "Using config with .cluster.insecure_skip_tls_verify"

    options[:ssl_verify_peer] = false
  end

  if path = config.cluster.certificate_authority
    logger.debug "Using config with .cluster.certificate_authority"

    options[:ssl_ca_file] = path
  end

  if data = config.cluster.certificate_authority_data
    logger.debug "Using config with .cluster.certificate_authority_data"

    ssl_cert_store = options[:ssl_cert_store] = OpenSSL::X509::Store.new
    ssl_cert_store.add_cert(OpenSSL::X509::Certificate.new(Base64.decode64(data)))
  end

  if (cert = config.user.client_certificate) && (key = config.user.client_key)
    logger.debug "Using config with .user.client_certificate/client_key"

    options[:client_cert] = cert
    options[:client_key] = key
  end

  if (cert_data = config.user.client_certificate_data) && (key_data = config.user.client_key_data)
    logger.debug "Using config with .user.client_certificate_data/client_key_data"

    options[:client_cert_data] = Base64.decode64(cert_data)
    options[:client_key_data] = Base64.decode64(key_data)
  end

  if token = config.user.token
    logger.debug "Using config with .user.token=..."

    options[:auth_token] = token
  elsif config.user.auth_provider && auth_provider = config.user.auth_provider.config
    logger.debug "Using config with .user.auth-provider.name=#{config.user.auth_provider.name}"
    options[:auth_token] = token_from_auth_provider(auth_provider)
  elsif exec_conf = config.user.exec
    logger.debug "Using config with .user.exec.command=#{exec_conf.command}"
    options[:auth_token] = token_from_exec(exec_conf)
  elsif config.user.username && config.user.password
    logger.debug "Using config with .user.password=..."

    options[:auth_username] = config.user.username
    options[:auth_password] = config.user.password
  end

  logger.info "Using config with server=#{server}"

  new(server, **options, **overrides)
end

.in_cluster_config(**options) ⇒ K8s::Transport

In-cluster config within a kube pod, using the kubernetes service envs and serviceaccount secrets

Parameters:

• options (Hash) —

  see #new

Returns:

• (K8s::Transport)

Raises:

• (K8s::Error::Config) —

  when the environment variables KUBERNETES_SEVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS are not set

• (Errno::ENOENT, Errno::EACCES) —

  when /var/run/secrets/kubernetes.io/serviceaccount/ca.crt or /var/run/secrets/kubernetes.io/serviceaccount/token can not be read

# File 'lib/k8s/transport.rb', line 133

def self.in_cluster_config(**options)
  host = ENV['KUBERNETES_SERVICE_HOST'].to_s
  raise(K8s::Error::Configuration, "in_cluster_config failed: KUBERNETES_SERVICE_HOST environment not set") if host.empty?

  port = ENV['KUBERNETES_SERVICE_PORT_HTTPS'].to_s
  raise(K8s::Error::Configuration, "in_cluster_config failed: KUBERNETES_SERVICE_PORT_HTTPS environment not set") if port.empty?

  host_with_ipv6_brackets_if_needed = if host.include? "::"
    "[#{host}]"
  else
    host
  end

  new(
    "https://#{host_with_ipv6_brackets_if_needed}:#{port}",
    ssl_verify_peer: options.key?(:ssl_verify_peer) ? options.delete(:ssl_verify_peer) : true,
    ssl_ca_file: options.delete(:ssl_ca_file) || File.join((ENV['TELEPRESENCE_ROOT'] || '/'), 'var/run/secrets/kubernetes.io/serviceaccount/ca.crt'),
    auth_token: options.delete(:auth_token) || File.read(File.join((ENV['TELEPRESENCE_ROOT'] || '/'), 'var/run/secrets/kubernetes.io/serviceaccount/token')),
    **options
  )
end

.token_from_auth_provider(auth_provider) ⇒ String

Parameters:

• auth_provider (K8s::Config::UserAuthProvider)

Returns:

• (String)

# File 'lib/k8s/transport.rb', line 96

def self.token_from_auth_provider(auth_provider)
  if auth_provider['id-token']
    json_path = auth_provider['id-token']
  else
    auth_data = `#{auth_provider['cmd-path']} #{auth_provider['cmd-args']}`.strip
    if auth_provider['token-key']
      json_path = JsonPath.new(auth_provider['token-key'][1...-1])
      json_path.first(auth_data)
    else
      auth_data
    end
  end
end

.token_from_exec(exec_conf) ⇒ String

Parameters:

• exec_conf (K8s::Config::UserExec)

Returns:

• (String)

# File 'lib/k8s/transport.rb', line 112

def self.token_from_exec(exec_conf)
  cmd = [exec_conf.command]
  cmd += exec_conf.args if exec_conf.args
  orig_env = ENV.to_h
  if envs = exec_conf.env
    envs.each do |env|
      ENV[env['name']] = env['value']
    end
  end
  auth_json = `#{cmd.join(' ')}`.strip
  ENV.replace(orig_env)

  JSON.parse(auth_json).dig('status', 'token')
end

Instance Method Details

#build_excon ⇒ Excon::Connection

Returns:

• (Excon::Connection)

# File 'lib/k8s/transport.rb', line 180

def build_excon
  Excon.new(
    @server,
    persistent: true,
    middlewares: EXCON_MIDDLEWARES,
    headers: REQUEST_HEADERS,
    **@options
  )
end

#excon ⇒ Excon::Connection

Returns:

• (Excon::Connection)

# File 'lib/k8s/transport.rb', line 175

def excon
  @excon ||= build_excon
end

#format_request(options) ⇒ String

Parameters:

• options (Hash) —

  as passed to Excon#request

Returns:

• (String)

# File 'lib/k8s/transport.rb', line 220

def format_request(options)
  method = options[:method]
  path = options[:path]
  body = nil

  if options[:query]
    path += Excon::Utils.query_string(options)
  end

  if obj = options[:request_object]
    body = "<#{obj.class.name}>"
  end

  [method, path, body].compact.join " "
end

#get(*path, **options) ⇒ Array<response_class, Hash, NilClass>

Parameters:

• path (Array<String>) —

  @see #path

• options (Hash) —

  @see #request

Returns:

• (Array<response_class, Hash, NilClass>)

# File 'lib/k8s/transport.rb', line 372

def get(*path, **options)
  options = options.merge({ method: 'GET', path: self.path(*path) })
  request(**options)
end

#gets(*paths, **options) ⇒ Array<response_class, Hash, NilClass>

Parameters:

• paths (Array<String>)
• options (Hash) —

  @see #request

Returns:

• (Array<response_class, Hash, NilClass>)

# File 'lib/k8s/transport.rb', line 380

def gets(*paths, **options)
  requests(
    *paths.map do |path|
      {
        method: 'GET',
        path: self.path(path)
      }
    end,
    **options
  )
end

#need_delete_body? ⇒ Boolean

Returns true if delete options should be sent as bode of the DELETE request.

Returns:

• (Boolean) —

  true if delete options should be sent as bode of the DELETE request

# File 'lib/k8s/transport.rb', line 365

def need_delete_body?
  @need_delete_body ||= Gem::Version.new(version.gitVersion.match(/^v*((\d|\.)*)/)[1]) < DELETE_OPTS_BODY_VERSION_MIN
end

#parse_response(response, request_options, response_class: nil) ⇒ response_class, Hash

Parameters:

• response (Hash) —

  as returned by Excon#request

• request_options (Hash) —

  as passed to Excon#request

• response_class (Class) (defaults to: nil) —

  coerce into response body using #new

Returns:

• (response_class, Hash)

Raises:

• (K8s::Error)
• (Excon::Error) —

  TODO: wrap

# File 'lib/k8s/transport.rb', line 242

def parse_response(response, request_options, response_class: nil)
  method = request_options[:method]
  path = request_options[:path]
  content_type = response.headers['Content-Type']&.split(';', 2)&.first

  case content_type
  when 'application/json'
    response_data = Yajl::Parser.parse(response.body)

  when 'text/plain'
    response_data = response.body # XXX: broken if status 2xx
  else
    raise K8s::Error::API.new(method, path, response.status, "Invalid response Content-Type: #{response.headers['Content-Type'].inspect}")
  end

  if response.status.between? 200, 299
    return response_data if content_type == 'text/plain'

    unless response_data.is_a? Hash
      raise K8s::Error::API.new(method, path, response.status, "Invalid JSON response: #{response_data.inspect}")
    end

    return response_data unless response_class

    response_class.new(response_data)
  else
    error_class = K8s::Error::HTTP_STATUS_ERRORS[response.status] || K8s::Error::API

    if response_data.is_a?(Hash) && response_data['kind'] == 'Status'
      status = K8s::API::MetaV1::Status.new(response_data)

      raise error_class.new(method, path, response.status, response.reason_phrase, status)
    elsif response_data
      raise error_class.new(method, path, response.status, "#{response.reason_phrase}: #{response_data}")
    else
      raise error_class.new(method, path, response.status, response.reason_phrase)
    end
  end
end

#path(*parts) ⇒ String

Parameters:

• parts (Array<String>) —

  join path parts together to build the full URL

Returns:

• (String)

# File 'lib/k8s/transport.rb', line 192

def path(*parts)
  joined_parts = File.join(*parts)
  joined_parts.start_with?(path_prefix) ? joined_parts : File.join(path_prefix, joined_parts)
end

#request(response_class: nil, **options) ⇒ response_class, Hash

Parameters:

• response_class (Class) (defaults to: nil) —

  coerce into response class using #new

• options (Hash) —

  @see Excon#request

Returns:

• (response_class, Hash)

# File 'lib/k8s/transport.rb', line 285

def request(response_class: nil, **options)
  if options[:method] == 'DELETE' && need_delete_body?
    options[:request_object] = options.delete(:query)
  end

  excon_options = request_options(**options)

  start = Time.now
  excon_client = options[:response_block] ? build_excon : excon
  response = excon_client.request(**excon_options)
  t = Time.now - start

  obj = options[:response_block] ? {} : parse_response(response, options, response_class: response_class)
rescue K8s::Error::API => e
  logger.warn { "#{format_request(options)} => HTTP #{e.code} #{e.reason} in #{'%.3f' % t}s" }
  logger.debug { "Request: #{excon_options[:body]}" } if excon_options[:body]
  logger.debug { "Response: #{response.body}" }
  raise
else
  logger.info { "#{format_request(options)} => HTTP #{response.status}: <#{obj.class}> in #{'%.3f' % t}s" }
  logger.debug { "Request: #{excon_options[:body]}" } if excon_options[:body]
  logger.debug { "Response: #{response.body}" }
  obj
end

#request_options(request_object: nil, content_type: 'application/json', **options) ⇒ Hash

Parameters:

• request_object (Object) (defaults to: nil) —

  include request body using to_json

• content_type (String) (defaults to: 'application/json') —

  request body content-type

• options (Hash) —

  @see Excon#request

Returns:

• (Hash)

# File 'lib/k8s/transport.rb', line 201

def request_options(request_object: nil, content_type: 'application/json', **options)
  options[:headers] ||= {}

  if @auth_token
    options[:headers]['Authorization'] = "Bearer #{@auth_token}"
  elsif @auth_username && @auth_password
    options[:headers]['Authorization'] = "Basic #{Base64.strict_encode64("#{@auth_username}:#{@auth_password}")}"
  end

  if request_object
    options[:headers]['Content-Type'] = content_type
    options[:body] = request_object.to_json
  end

  options
end

#requests(*options, skip_missing: false, skip_forbidden: false, retry_errors: true, **common_options) ⇒ Array<response_class, Hash, NilClass>

Parameters:

• options (Array<Hash>) —

  @see #request

• skip_missing (Boolean) (defaults to: false) —

  return nil for HTTP 404 responses

• skip_forbidden (Boolean) (defaults to: false) —

  return nil for HTTP 403 responses

• retry_errors (Boolean) (defaults to: true) —

  retry with non-pipelined request for HTTP 503 responses

• common_options (Hash) —

  @see #request, merged with the per-request options

Returns:

• (Array<response_class, Hash, NilClass>)

# File 'lib/k8s/transport.rb', line 316

def requests(*options, skip_missing: false, skip_forbidden: false, retry_errors: true, **common_options)
  return [] if options.empty? # excon chokes

  start = Time.now
  responses = excon.requests(
    options.map{ |opts| request_options(**common_options.merge(opts)) }
  )
  t = Time.now - start

  objects = responses.zip(options).map{ |response, request_options|
    response_class = request_options[:response_class] || common_options[:response_class]

    begin
      parse_response(response, request_options,
                     response_class: response_class)
    rescue K8s::Error::NotFound
      raise unless skip_missing

      nil
    rescue K8s::Error::Forbidden
      raise unless skip_forbidden

      nil
    rescue K8s::Error::ServiceUnavailable => e
      raise unless retry_errors

      logger.warn { "Retry #{format_request(request_options)} => HTTP #{e.code} #{e.reason} in #{'%.3f' % t}s" }

      # only retry the failed request, not the entire pipeline
      request(response_class: response_class, **common_options.merge(request_options))
    end
  }
rescue K8s::Error => e
  logger.warn { "[#{options.map{ |o| format_request(o) }.join ', '}] => HTTP #{e.code} #{e.reason} in #{'%.3f' % t}s" }
  raise
else
  logger.info { "[#{options.map{ |o| format_request(o) }.join ', '}] => HTTP [#{responses.map(&:status).join ', '}] in #{'%.3f' % t}s" }
  objects
end

#version ⇒ K8s::API::Version

Returns:

• (K8s::API::Version)

# File 'lib/k8s/transport.rb', line 357

def version
  @version ||= get(
    '/version',
    response_class: K8s::API::Version
  )
end