Fix multiple problems in K8s::Client.autoconfig #107
Conversation
| @@ -68,7 +68,17 @@ def self.in_cluster_config(namespace: nil, **options) | |||
| # @return [K8s::Client] | |||
| def self.autoconfig(namespace: nil, **options) | |||
| if ENV.values_at('KUBE_TOKEN', 'KUBE_CA', 'KUBE_SERVER').none? { |v| v.nil? || v.empty? } | |||
| configuration = K8s::Config.build(server: ENV['KUBE_SERVER'], ca: ENV['KUBE_CA'], auth_token: options[:auth_token] || ENV['KUBE_TOKEN']) | |||
| unless Base64.decode64(ENV['KUBE_CA']).match?(/CERTIFICATE/) | |||
There was a problem hiding this comment.
Is this worth anything?
(The KUBE_CA must be base64, it's decoded and ran through various magics of OpenSSL in transport.rb)
It does not strict_decode64 because transport.rb doesn't either, maybe it could?
There was a problem hiding this comment.
That should validate that KUBE_CA is actually something usable 👍
| @@ -68,7 +68,17 @@ def self.in_cluster_config(namespace: nil, **options) | |||
| # @return [K8s::Client] | |||
| def self.autoconfig(namespace: nil, **options) | |||
| if ENV.values_at('KUBE_TOKEN', 'KUBE_CA', 'KUBE_SERVER').none? { |v| v.nil? || v.empty? } | |||
| configuration = K8s::Config.build(server: ENV['KUBE_SERVER'], ca: ENV['KUBE_CA'], auth_token: options[:auth_token] || ENV['KUBE_TOKEN']) | |||
| unless Base64.decode64(ENV['KUBE_CA']).match?(/CERTIFICATE/) | |||
There was a problem hiding this comment.
That should validate that KUBE_CA is actually something usable 👍
| end | ||
|
|
||
| begin | ||
| token = options[:auth_token] || Base64.strict_decode64(ENV['KUBE_TOKEN']) |
There was a problem hiding this comment.
This forces the token to always be base64 encoded. the previous version tried to figure out if it's base64 or not. but yes, it was not perfect in any way...
This might break existing use cases for people. :/
There was a problem hiding this comment.
It's impossible to detect base64 reliably. Either we should allow only plain or only base64. And some tokens may contain characters that are unsuitable for env / config files, so it might be better to just allow base64.
If the base64 decoding fails, it gives a fairly clear error message:
raise ArgumentError, 'KUBE_TOKEN does not seem to be base64 encoded'
|
#112 warrants a release, can we get this in as well? |
The
K8s::Client.autoconfighad several problems:KUBE_TOKENwas not workingKUBE_CAwas not checked for base64 at all. The check in this PR is a little so-and-so.~/.kube/configwould not have worked.