handle aliases for lookup and inventory plugins for authentication options (#500)

Honor aliases for lookup and inventory plugins

rebase and extend the following PR #71
ISSUE TYPE


Bugfix Pull Request

Reviewed-by: Mike Graves <[email protected]>

Author: abikouo

changelogs/fragments/498-k8s-honor-aliases.yaml

@@ -0,0 +1,3 @@
+bugfixes:
+- common - handle ``aliases`` passed from inventory and lookup plugins.
+- module_utils/k8s/client.py - fix issue when trying to authenticate with host, client_cert and client_key parameters only.

plugins/inventory/k8s.py

@@ -118,9 +118,10 @@
 
 from ansible.errors import AnsibleError
 from ansible_collections.kubernetes.core.plugins.module_utils.common import (
-    K8sAnsibleMixin,
     HAS_K8S_MODULE_HELPER,
     k8s_import_exception,
+)
+from ansible_collections.kubernetes.core.plugins.module_utils.k8s.client import (
     get_api_client,
 )
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable, Cacheable
@@ -146,7 +147,7 @@ class K8sInventoryException(Exception):
     pass
 
 
-class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable, K8sAnsibleMixin):
+class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
     NAME = "kubernetes.core.k8s"
 
     connection_plugin = "kubernetes.core.kubectl"

plugins/lookup/k8s.py

@@ -180,10 +180,12 @@
 from ansible.module_utils.common._collections_compat import KeysView
 from ansible.module_utils.common.validation import check_type_bool
 
-from ansible_collections.kubernetes.core.plugins.module_utils.common import (
-    K8sAnsibleMixin,
+from ansible_collections.kubernetes.core.plugins.module_utils.k8s.client import (
     get_api_client,
 )
+from ansible_collections.kubernetes.core.plugins.module_utils.k8s.resource import (
+    create_definitions,
+)
 
 try:
     enable_turbo_mode = check_type_bool(os.environ.get("ENABLE_TURBO_MODE"))
@@ -210,7 +212,7 @@
     k8s_import_exception = e
 
 
-class KubernetesLookup(K8sAnsibleMixin):
+class KubernetesLookup(object):
     def __init__(self):
 
         if not HAS_K8S_MODULE_HELPER:
@@ -240,7 +242,7 @@ def run(self, terms, variables=None, **kwargs):
 
         cluster_info = kwargs.get("cluster_info")
         if cluster_info == "version":
-            return [self.client.version]
+            return [self.client.client.version]
         if cluster_info == "api_groups":
             if isinstance(self.client.resources.api_groups, KeysView):
                 return [list(self.client.resources.api_groups)]
@@ -257,7 +259,12 @@ def run(self, terms, variables=None, **kwargs):
         resource_definition = kwargs.get("resource_definition")
         src = kwargs.get("src")
         if src:
-            resource_definition = self.load_resource_definitions(src)[0]
+            definitions = create_definitions(params=dict(src=src))
+            if definitions:
+                self.kind = definitions[0].kind
+                self.name = definitions[0].name
+                self.namespace = definitions[0].namespace
+                self.api_version = definitions[0].api_version or "v1"
         if resource_definition:
             self.kind = resource_definition.get("kind", self.kind)
             self.api_version = resource_definition.get("apiVersion", self.api_version)
@@ -272,14 +279,15 @@ def run(self, terms, variables=None, **kwargs):
                 "using the 'resource_definition' parameter."
             )
 
-        resource = self.find_resource(self.kind, self.api_version, fail=True)
+        resource = self.client.resource(self.kind, self.api_version)
         try:
-            k8s_obj = resource.get(
+            params = dict(
                 name=self.name,
                 namespace=self.namespace,
                 label_selector=self.label_selector,
                 field_selector=self.field_selector,
             )
+            k8s_obj = self.client.get(resource, **params)
         except NotFoundError:
             return []
 

plugins/module_utils/k8s/client.py

@@ -81,6 +81,9 @@ def _create_auth_spec(module=None, **kwargs) -> Dict:
             auth[true_name] = module.params.get(arg_name)
         elif arg_name in kwargs and kwargs.get(arg_name) is not None:
             auth[true_name] = kwargs.get(arg_name)
+        elif true_name in kwargs and kwargs.get(true_name) is not None:
+            # Aliases in kwargs
+            auth[true_name] = kwargs.get(true_name)
         elif arg_name == "proxy_headers":
             # specific case for 'proxy_headers' which is a dictionary
             proxy_headers = {}
@@ -131,7 +134,11 @@ def auth_set(*names: list) -> bool:
         # Removing trailing slashes if any from hostname
         auth["host"] = auth.get("host").rstrip("/")
 
-    if auth_set("username", "password", "host") or auth_set("api_key", "host"):
+    if (
+        auth_set("username", "password", "host")
+        or auth_set("api_key", "host")
+        or auth_set("cert_file", "key_file", "host")
+    ):
         # We have enough in the parameters to authenticate, no need to load incluster or kubeconfig
         pass
     elif auth_set("kubeconfig") or auth_set("context"):
@@ -346,10 +353,14 @@ def get_api_client(module=None, **kwargs: Optional[Any]) -> K8SClient:
         msg = "Could not create API client: {0}".format(e)
         raise CoreException(msg) from e
 
+    dry_run = False
+    if module:
+        dry_run = module.params.get("dry_run", False)
+
     k8s_client = K8SClient(
         configuration=configuration,
         client=client,
-        dry_run=module.params.get("dry_run", False),
+        dry_run=dry_run,
     )
 
     return k8s_client

tests/integration/targets/inventory_k8s/playbooks/create_resources.yml

@@ -0,0 +1,46 @@
+---
+- name: Create inventory files
+  hosts: localhost
+  gather_facts: false
+
+  collections:
+    - kubernetes.core
+
+  roles:
+    - role: setup_kubeconfig
+      kubeconfig_operation: 'save'
+
+  tasks:
+    - name: Create inventory files
+      copy:
+        content: "{{ item.content }}"
+        dest: "{{ item.path }}"
+      vars:
+        hostname: "{{ lookup('file', user_credentials_dir + '/host_data.txt') }}"
+        test_cert_file: "{{ user_credentials_dir | realpath + '/cert_file_data.txt' }}"
+        test_key_file: "{{ user_credentials_dir | realpath + '/key_file_data.txt' }}"
+        test_ca_cert: "{{ user_credentials_dir | realpath + '/ssl_ca_cert_data.txt' }}"
+      with_items:
+        - path: "test_inventory_aliases_with_ssl_k8s.yml"
+          content: |
+            ---
+            plugin: kubernetes.core.k8s
+            connections:
+              - namespaces:
+                - inventory
+                host: "{{ hostname }}"
+                cert_file: "{{ test_cert_file }}"
+                key_file: "{{ test_key_file }}"
+                verify_ssl: true
+                ssl_ca_cert: "{{ test_ca_cert }}"
+        - path: "test_inventory_aliases_no_ssl_k8s.yml"
+          content: |
+            ---
+            plugin: kubernetes.core.k8s
+            connections:
+              - namespaces:
+                - inventory
+                host: "{{ hostname }}"
+                cert_file: "{{ test_cert_file }}"
+                key_file: "{{ test_key_file }}"
+                verify_ssl: false

tests/integration/targets/inventory_k8s/playbooks/delete_resources.yml

@@ -0,0 +1,30 @@
+---
+- name: Delete inventory namespace
+  hosts: localhost
+  connection: local
+  gather_facts: true
+
+  roles:
+    - role: setup_kubeconfig
+      kubeconfig_operation: 'revert'
+
+  tasks:
+    - name: Delete temporary files
+      file:
+        state: absent
+        path: "{{ user_credentials_dir ~ '/' ~ item }}"
+      ignore_errors: true
+      with_items:
+        - test_inventory_aliases_with_ssl_k8s.yml
+        - test_inventory_aliases_no_ssl_k8s.yml
+        - ssl_ca_cert_data.txt
+        - key_file_data.txt
+        - cert_file_data.txt
+        - host_data.txt
+
+    - name: Remove inventory namespace
+      k8s:
+        api_version: v1
+        kind: Namespace
+        name: inventory
+        state: absent

tests/integration/targets/inventory_k8s/playbooks/play.yml

@@ -88,15 +88,3 @@
     - name: Assert the file content matches expectations
       assert:
         that: (slurped_file.content|b64decode) == file_content
-
-- name: Delete inventory namespace
-  hosts: localhost
-  connection: local
-  gather_facts: no
-  tasks:
-    - name: Remove inventory namespace
-      k8s:
-        api_version: v1
-        kind: Namespace
-        name: inventory
-        state: absent

tests/integration/targets/inventory_k8s/runme.sh

@@ -2,7 +2,28 @@
 
 set -eux
 
+export ANSIBLE_ROLES_PATH="../"
+USER_CREDENTIALS_DIR=$(pwd)
+
+ansible-playbook playbooks/delete_resources.yml -e "user_credentials_dir=${USER_CREDENTIALS_DIR}" "$@"
+
+{
 export ANSIBLE_INVENTORY_ENABLED=kubernetes.core.k8s,yaml
 export ANSIBLE_PYTHON_INTERPRETER=auto_silent
 
-ansible-playbook playbooks/play.yml -i playbooks/test.inventory_k8s.yml "$@"
+ansible-playbook playbooks/play.yml -i playbooks/test.inventory_k8s.yml "$@" &&
+
+ansible-playbook playbooks/create_resources.yml -e "user_credentials_dir=${USER_CREDENTIALS_DIR}" "$@" &&
+
+ansible-inventory -i playbooks/test_inventory_aliases_with_ssl_k8s.yml --list "$@" &&
+
+ansible-inventory -i playbooks/test_inventory_aliases_no_ssl_k8s.yml --list "$@" &&
+
+unset ANSIBLE_INVENTORY_ENABLED &&
+
+ansible-playbook playbooks/delete_resources.yml -e "user_credentials_dir=${USER_CREDENTIALS_DIR}" "$@"
+
+} || {
+    ansible-playbook playbooks/delete_resources.yml -e "user_credentials_dir=${USER_CREDENTIALS_DIR}" "$@"
+    exit 1
+}

tests/integration/targets/lookup_k8s/defaults/main.yml

@@ -2,3 +2,6 @@
 test_namespace:
   - app-development-one
   - app-development-two
+  - app-development-three
+configmap_data: "This is a simple config map data."
+configmap_name: "test-configmap"