Merge pull request #213 from keylimetoolbox/auth_default_account

Allow authorization with Google application default credentials

Author: cben

README.md

@@ -167,6 +167,29 @@ namespace = File.read('/var/run/secrets/kubernetes.io/serviceaccount/namespace')
 ```
 You can find information about tokens in [this guide](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) and in [this reference](http://kubernetes.io/docs/admin/authentication/).
 
+#### Google's Application Default Credentials
+
+On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems
+with [application default credentials](https://developers.google.com/identity/protocols/application-default-credentials), 
+you can use the token provider to authorize `kubeclient`.
+
+This requires the [`googleauth` gem](https://github.com/google/google-auth-library-ruby) that is _not_ included in 
+`kubeclient` dependencies so you should add it to your bundle.
+
+```ruby
+require 'googleauth'
+
+auth_options = {
+  bearer_token: Kubeclient::GoogleApplicationDefaultCredentials.token
+}
+client = Kubeclient::Client.new(
+  'https://localhost:8443/api/', 'v1', auth_options: auth_options
+)
+```
+
+Note that this token is good for one hour. If your code runs for longer than that, you should plan to 
+acquire a new one.
+
 ### Non-blocking IO
 
 You can also use kubeclient with non-blocking sockets such as Celluloid::IO, see [here](https://github.com/httprb/http/wiki/Parallel-requests-with-Celluloid%3A%3AIO)

kubeclient.gemspec

@@ -27,6 +27,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'webmock', '~> 3.0.1'
   spec.add_development_dependency 'vcr'
   spec.add_development_dependency 'rubocop', '= 0.49.1'
+  spec.add_development_dependency 'googleauth', '~> 0.5.1'
+
   spec.add_dependency 'rest-client', '~> 2.0'
   spec.add_dependency 'recursive-open-struct', '~> 1.0', '>= 1.0.4'
   spec.add_dependency 'http', '~> 2.2.2'

lib/kubeclient.rb

@@ -4,6 +4,7 @@
 require 'kubeclient/common'
 require 'kubeclient/config'
 require 'kubeclient/entity_list'
+require 'kubeclient/google_application_default_credentials'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
 require 'kubeclient/resource'

lib/kubeclient/common.rb

@@ -1,5 +1,6 @@
 require 'json'
 require 'rest-client'
+
 module Kubeclient
   # Common methods
   # this is mixed in by other gems

lib/kubeclient/google_application_default_credentials.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # Get a bearer token from the Google's application default credentials.
+  class GoogleApplicationDefaultCredentials
+    class << self
+      def token
+        require 'googleauth'
+        scopes = ['https://www.googleapis.com/auth/cloud-platform']
+        authorization = Google::Auth.get_application_default(scopes)
+        authorization.apply({})
+        authorization.access_token
+      end
+    end
+  end
+end

test/test_google_application_default_credentials.rb

@@ -0,0 +1,15 @@
+require_relative 'test_helper'
+require 'googleauth'
+
+# Unit tests for the ApplicationDefaultCredentials token provider
+class GoogleApplicationDefaultCredentialsTest < MiniTest::Test
+  def test_token
+    auth = Minitest::Mock.new
+    auth.expect(:apply, nil, [{}])
+    auth.expect(:access_token, 'valid_token')
+
+    Google::Auth.stub(:get_application_default, auth) do
+      assert_equal('valid_token', Kubeclient::GoogleApplicationDefaultCredentials.token)
+    end
+  end
+end

test/test_kubeclient.rb

@@ -651,13 +651,13 @@ def test_init_username_and_bearer_token
     assert_equal(expected_msg, exception.message)
   end
 
-  def test_init_user_and_bearer_token
+  def test_init_username_and_bearer_token_file
     expected_msg = 'Invalid auth options: specify only one of username/password,' \
       ' bearer_token or bearer_token_file'
     exception = assert_raises(ArgumentError) do
       Kubeclient::Client.new(
         'http://localhost:8080',
-        auth_options: { username: 'username', bearer_token: 'token' }
+        auth_options: { username: 'username', bearer_token_file: 'token-file' }
       )
     end
     assert_equal(expected_msg, exception.message)