kubelet 0.7.0

A Kubernetes kubelet implementation in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

//! Resolves image pull secrets

use k8s_openapi::api::core::v1::Secret;
use kube::api::Api;
use oci_distribution::secrets::RegistryAuth;

/// Resolves registry authentication from image pull secrets
pub struct RegistryAuthResolver {
    kube_client: kube::Client,
    pod_namespace: String,
    image_pull_secret_names: Vec<String>,
}

impl RegistryAuthResolver {
    /// Creates a resolver for the given pod
    pub fn new(client: kube::Client, pod: &crate::pod::Pod) -> Self {
        // TODO: is it safe to capture this stuff or might we need to re-resolve e.g.
        // the list of secret names after a pod modify?
        RegistryAuthResolver {
            kube_client: client,
            pod_namespace: pod.namespace().to_owned(),
            image_pull_secret_names: pod.image_pull_secrets(),
        }
    }

    /// Get the registry authentication method appropriate to the given image reference
    pub async fn resolve_registry_auth(
        &self,
        reference: &oci_distribution::Reference,
    ) -> anyhow::Result<RegistryAuth> {
        let secrets_api: Api<Secret> =
            Api::namespaced(self.kube_client.clone(), &self.pod_namespace);

        let secret_futures: Vec<_> = self
            .image_pull_secret_names
            .iter()
            .map(|name| secrets_api.get(name))
            .collect();
        let secret_results = futures::future::join_all(secret_futures).await;

        for secret_result in secret_results {
            match secret_result {
                Err(e) => return Err(e.into()),
                Ok(secret) => {
                    if let Some(auth) = parse_auth(&secret, reference.registry()) {
                        return Ok(auth);
                    }
                }
            }
        }

        Ok(RegistryAuth::Anonymous)
    }
}

fn parse_auth(secret: &Secret, registry_name: &str) -> Option<RegistryAuth> {
    if let Some(data) = secret.data.as_ref() {
        parse_auth_from_secret_data(data, registry_name)
    } else {
        None
    }
}

fn parse_auth_from_secret_data(
    secret_data: &std::collections::BTreeMap<String, k8s_openapi::ByteString>,
    registry_name: &str,
) -> Option<RegistryAuth> {
    secret_data
        .values()
        .find_map(|v| parse_auth_from_secret_value(v, registry_name))
}

fn parse_auth_from_secret_value(
    secret_value: &k8s_openapi::ByteString,
    registry_name: &str,
) -> Option<RegistryAuth> {
    // We are intereted in secret_value if it is of the form
    // {
    //   "auths": {
    //     "reg1": { ... },
    //     "reg2": { ... }
    //   }
    // }
    parse_byte_string_json(secret_value)
        .and_then(|value| parse_auth_from_json_value(&value, registry_name))
}

fn parse_byte_string_json(byte_string: &k8s_openapi::ByteString) -> Option<serde_json::Value> {
    serde_json::from_slice(&byte_string.0).ok()
}

fn parse_auth_from_json_value(
    json_value: &serde_json::Value,
    registry_name: &str,
) -> Option<RegistryAuth> {
    json_value
        .get("auths")
        .and_then(|auths| auths.get(registry_name))
        .and_then(|creds| parse_auth_from_json_creds(creds))
}

fn parse_auth_from_json_creds(json_creds: &serde_json::Value) -> Option<RegistryAuth> {
    let username = json_creds.get("username");
    let password = json_creds.get("password");
    // TODO: my test creds also included an entry "auth" - should we return this? (e.g. bearer auth?)
    match (username, password) {
        (Some(serde_json::Value::String(u)), Some(serde_json::Value::String(p))) => {
            Some(RegistryAuth::Basic(u.to_owned(), p.to_owned()))
        }
        _ => None,
    }
}