k8s-api icon indicating copy to clipboard operation
k8s-api copied to clipboard

Published 20 hours ago verified publisher icon nubank

Automatically obtain hosts and tokens from `~/.kube/config`

Open leifericf opened this issue 10 months ago • 1 comments

I've been struggling to obtain the correct hosts and (decoded) tokens from the ~/.kube/config directory on my developer machine to use this library for a few days. This has become a bigger challenge than I anticipated, as my organization uses Azure CLI with certificates to obtain these tokens for several environments via Azure Active Directory/SSO with 2FA.

Upon researching, I discovered that the official Kubernetes clients support automatically loading config files from ~/.kube/config. Here is the relevant code from their Java client, and for their JavaScript client. In particular, loadFromDetault (link) or loadFromCluster (link) seem to be the relevant functions from the JavaScript client.

The Clojure library kube-api (link) also contains an implementation in kubeconfig.clj (link) and auth.clj (link).

Another reference that might be useful is the K9s codebase (here is their config-related Go package).

Would it be interesting to have a similar feature implemented in k8s-api? This could make it easier for people with their requisite hosts and tokens in their ~/.kube/config directory to use the library with less hassle.

One possible implementation might be to use the official Kubernetes Java client to avoid porting all that code to Clojure. However, creating that dependency and using Java interop might not be desirable.

leifericf avatar Oct 24 '23 08:10 leifericf

Here is how I'm currently shelling out to kubectl to obtain the K8s servers from my ~/.kube/config file. I'm working on a similar approach to load and decode the tokens, but I haven't been able to get it working (yet).

(ns kubernetes
  (:require [cheshire.core :as json]
            [clojure.java.shell :as shell]))

(defn- sh-out->json [opts & args]
  (-> (apply shell/sh opts args)
      :out
      (json/parse-string keyword)))

(defn- get-servers [k8s-config]
  (for [{:keys [name cluster]} (:clusters k8s-config)]
    {:name name :server (:server cluster)}))

(def servers
  (-> (sh-out->json "kubectl" "config" "view" "-o" "json")
      get-servers))

I've been referencing this guide for loading and decoding the tokens for use via curl.

(defn- get-tokens [secrets]
  ;; How to select and decode tokens correctly?
  )

(def tokens
  (-> (sh-out->json "kubectl" "get" "secrets" "-o" "json")
      get-tokens))

I suppose I must also match the correct server with the correct (decoded) token somehow.

leifericf avatar Oct 24 '23 08:10 leifericf