engenho-types 0.1.4

Typed Kubernetes resource catalog for engenho. Generated from upstream OpenAPI v3 via forge-gen (Pillar 12 — generation over composition). One #[derive(KubeResource, TataraDomain)] per kind; no hand-authored types per the engenho prime directive.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! `KubeAuth` — the typed surface every connection negotiates against.
//!
//! Models the four auth methods upstream `client-go` supports:
//! anonymous, bearer token, mTLS (client cert + key), and an
//! exec-plugin (`kubectl --user` style — runs a credential helper).
//!
//! Each variant carries only the *configuration*, not the resolved
//! material. Resolution (e.g. running an exec plugin, reading a
//! certificate file) is the implementation's responsibility — the
//! typed surface stays pure.

use serde::{Deserialize, Serialize};
use std::path::PathBuf;

/// Auth configuration for a `KubeClient`. Construct via
/// [`Self::from_kubeconfig`] (parsing) or one of the explicit
/// constructors.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(tag = "kind", rename_all = "kebab-case")]
pub enum KubeAuth {
    /// No credentials. Most clusters will reject this; used by some
    /// readiness probes + by the apiserver's own discovery endpoints.
    Anonymous,

    /// Bearer-token in the `Authorization: Bearer …` header. The
    /// token may be inline (`Inline`) or loaded from a file at every
    /// request (`File` — for ServiceAccount tokens that rotate).
    BearerToken(TokenSource),

    /// Mutual TLS — client cert + private key. The CA the apiserver
    /// presents is verified against [`KubeAuth::server_ca`] of the
    /// containing connection (separate field, not in this enum).
    ClientCert {
        /// PEM-encoded x509 certificate (inline) or path.
        cert: BytesOrPath,
        /// PEM-encoded private key (inline) or path.
        key: BytesOrPath,
    },

    /// Run an external binary that produces a credential (token /
    /// cert chain) per `ExecCredential` protocol. Mirrors
    /// `client.authentication.k8s.io/v1.ExecConfig`.
    Exec {
        /// Path or PATH-resolvable name of the helper binary.
        command: String,
        /// Args passed to the helper.
        args:    Vec<String>,
        /// Env vars to set in the helper's process.
        env:     Vec<ExecEnv>,
        /// API version the helper returns (`client.authentication.k8s.io/v1`).
        api_version: String,
    },
}

/// Inline vs file source for a bearer token.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(tag = "from", rename_all = "kebab-case")]
pub enum TokenSource {
    /// The token bytes inline.
    Inline {
        /// Bearer token (sent as `Authorization: Bearer <token>`).
        token: String,
    },
    /// Path to a file containing the token. Re-read per request so
    /// rotated ServiceAccount tokens pick up automatically (matches
    /// upstream client-go behavior).
    File {
        /// Filesystem path holding the token (one line, no trailing newline).
        path: PathBuf,
    },
}

/// Either inline bytes or a path on disk.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(untagged)]
pub enum BytesOrPath {
    /// Path to a file. Resolved at connection time.
    Path { path: PathBuf },
    /// Inline content (typically base64-encoded PEM, the kubeconfig
    /// convention).
    Inline { data: String },
}

/// Env var passed to the exec credential helper.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct ExecEnv {
    /// Variable name.
    pub name:  String,
    /// Variable value.
    pub value: String,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn anonymous_is_yaml_safe() {
        let v = KubeAuth::Anonymous;
        let s = serde_yaml::to_string(&v).unwrap();
        assert!(s.contains("kind: anonymous"));
        let back: KubeAuth = serde_yaml::from_str(&s).unwrap();
        assert_eq!(v, back);
    }

    #[test]
    fn bearer_inline_round_trips() {
        let v = KubeAuth::BearerToken(TokenSource::Inline { token: "abc".into() });
        let s = serde_yaml::to_string(&v).unwrap();
        let back: KubeAuth = serde_yaml::from_str(&s).unwrap();
        assert_eq!(v, back);
    }

    #[test]
    fn bearer_file_round_trips() {
        let v = KubeAuth::BearerToken(TokenSource::File { path: "/var/run/sa-token".into() });
        let s = serde_yaml::to_string(&v).unwrap();
        let back: KubeAuth = serde_yaml::from_str(&s).unwrap();
        assert_eq!(v, back);
    }

    #[test]
    fn client_cert_inline_round_trips() {
        let v = KubeAuth::ClientCert {
            cert: BytesOrPath::Inline { data: "PEM-BYTES".into() },
            key:  BytesOrPath::Inline { data: "PEM-KEY".into() },
        };
        let s = serde_yaml::to_string(&v).unwrap();
        let back: KubeAuth = serde_yaml::from_str(&s).unwrap();
        assert_eq!(v, back);
    }

    #[test]
    fn exec_round_trips() {
        let v = KubeAuth::Exec {
            command: "aws-iam-authenticator".into(),
            args:    vec!["token".into(), "-i".into(), "my-cluster".into()],
            env:     vec![ExecEnv { name: "AWS_REGION".into(), value: "us-east-1".into() }],
            api_version: "client.authentication.k8s.io/v1".into(),
        };
        let s = serde_yaml::to_string(&v).unwrap();
        let back: KubeAuth = serde_yaml::from_str(&s).unwrap();
        assert_eq!(v, back);
    }
}