search

nubank / k8s-api

Kubernetes client, data driven
Apache License 2.0
150 stars 13 forks source link

Automatically obtain hosts and tokens from `~/.kube/config` #14

Open leifericf opened 1 year ago

leifericf commented 1 year ago

I've been struggling to obtain the correct hosts and (decoded) tokens from the ~/.kube/config directory on my developer machine to use this library for a few days. This has become a bigger challenge than I anticipated, as my organization uses Azure CLI with certificates to obtain these tokens for several environments via Azure Active Directory/SSO with 2FA.

Upon researching, I discovered that the official Kubernetes clients support automatically loading config files from ~/.kube/config. Here is the relevant code from their Java client, and for their JavaScript client. In particular, loadFromDetault (link) or loadFromCluster (link) seem to be the relevant functions from the JavaScript client.

The Clojure library kube-api (link) also contains an implementation in kubeconfig.clj (link) and auth.clj (link).

Another reference that might be useful is the K9s codebase (here is their config-related Go package).

Would it be interesting to have a similar feature implemented in k8s-api? This could make it easier for people with their requisite hosts and tokens in their ~/.kube/config directory to use the library with less hassle.

One possible implementation might be to use the official Kubernetes Java client to avoid porting all that code to Clojure. However, creating that dependency and using Java interop might not be desirable.

leifericf commented 1 year ago

Here is how I'm currently shelling out to kubectl to obtain the K8s servers from my ~/.kube/config file. I'm working on a similar approach to load and decode the tokens, but I haven't been able to get it working (yet).

(ns kubernetes
  (:require [cheshire.core :as json]
            [clojure.java.shell :as shell]))

(defn- sh-out->json [opts & args]
  (-> (apply shell/sh opts args)
      :out
      (json/parse-string keyword)))

(defn- get-servers [k8s-config]
  (for [{:keys [name cluster]} (:clusters k8s-config)]
    {:name name :server (:server cluster)}))

(def servers
  (-> (sh-out->json "kubectl" "config" "view" "-o" "json")
      get-servers))

I've been referencing this guide for loading and decoding the tokens for use via curl.

(defn- get-tokens [secrets]
  ;; How to select and decode tokens correctly?
  )

(def tokens
  (-> (sh-out->json "kubectl" "get" "secrets" "-o" "json")
      get-tokens))

I suppose I must also match the correct server with the correct (decoded) token somehow.