Adding google cloud auth per exec

[gnunicorn]

Looks like the latest gcloud-setup uses some exec-path-features in the kubectl config system, that is not yet implemented. This PR implements it. If there is not access-token nor id-token given, but a command specified, that command is run with the configured parameters and the output is searched (considered to be json) with the path configured. The token is then used. Errors are thrown as appropriate.

Example kubectl config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXXXXX
    server: https://36.XXX.XXX.XX
  name: generic_name
contexts:
- context:
    cluster: generic_name
    user: generic_name
  name: generic_name
current-context: generic_name
kind: Config
preferences: {}
users:
- name: generic_name
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: /opt/google-cloud-sdk/bin/gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

[clux]

left some comments

[clux]

isn't this else case happening when token.is_some(), don't you need another is_none check?

[gnunicorn]

good catch, this is supposed to be the else for the previous block. will fix.

[clux]

Hah, hacky. This at least makes it easy to understand, but it probably won't work well if people use a more complicated JSONPath selector?

How would you feel like using https://crates.io/crates/jsonpath_lib ? It looks like a good swap-in.
We can probably benefit from selector helpers using that anyway in the API.

[gnunicorn]

didn't want to add any dependency before sending it up, but if that is fine with you I am happy to add this.

[clux]

Please, this feels like one of those libraries that matches very well anyway :-)

[clux]

Hey! Thanks a lot for this. Will definitely want this in here. Just left some comments on a few things.

Also have one request if it's possible; a way to test it. I know it's not great to have to have a gcp cluster for testing, so maybe a test config embedded in that file which causes a shellout to a local script that just echoes some static json?

[gnunicorn]

Also have one request if it's possible; a way to test it. I know it's not great to have to have a gcp cluster for testing, so maybe a test config embedded in that file which causes a shellout to a local script that just echoes some static json?

Good idea. How about just using echo as the command and then a static json as the param? Does that work on all supported platforms? Does this target windows? I could make a linux-only-test if that's okay.

[clux]

Also have one request if it's possible; a way to test it. I know it's not great to have to have a gcp cluster for testing, so maybe a test config embedded in that file which causes a shellout to a local script that just echoes some static json?

Good idea. How about just using echo as the command and then a static json as the param? Does that work on all supported platforms? Does this target windows? I could make a linux-only-test if that's okay.

Yeah, echo is a good idea with static json. cargo test on CI is primarily for linux so this is fine.

[gnunicorn]

@clux addressed your suggestions: now uses the jsonpath-lib and has a test for the feature.

do you mind publishing a release soon after? I'd like to use this is a cli and it would be nice to not depend on git for it :) .

[clux]

@clux addressed your suggestions: now uses the jsonpath-lib and has a test for the feature.

do you mind publishing a release soon after? I'd like to use this is a cli and it would be nice to not depend on git for it :) .

Awesome, tyvm! I only left a few small questions there for my own sanity. But error handling and code looks great.
Would be happy to release ASAP once merged.

[gnunicorn]

so, I found one more quirk ... even though I get an access_token immediately, it sometimes refuses to use that with an error message, telling me to try again later – and seconds after it worked. Not sure, if we can/want to do anything about that ...

[clux]

so, I found one more quirk ... even though I get an access_token immediately, it sometimes refuses to use that with an error message, telling me to try again later – and seconds after it worked. Not sure, if we can/want to do anything about that ...

Does that error cause a whole re-authentication cycle? We don't write to our local config, but kubectl probably updates the config. We might need some mechanism for updating the local kube config for it. We could raise an issue to deal with this (actually serialize the kube config ourselves). If it causes a re-auth then that is a bit of a problem. If it can be fixed with waiting on a condition (preferable to sleeping) then that would be best.

Is there something you need to wait for in gcp before it's valid?

[clux]

At any rate, I am happy to merge this as it stands and make a release today. Though would be good to keep track of any upcoming work needed for avoiding re-authing. Have linked #84 which seem covered by this PR.

[clux]

I'll merge it for now anyway, we can tackle the other things when we get to it. Thanks again for your work!

[clux]

Released in 0.43.0 :-)