In cluster config with custom auth?

[danrspencer]

For reasons that we're pretty sure are sensible, we want to have two service accounts used within a single application. To do this we obviously need to generate two clients from different config, which is where it gets interesting. I've got the service account secrets mounted into the pod so I was hoping to just write something like:

async fn get_service_account_client(secret_path: &str) -> Result<Client> {
    let mut config = kube::Config::infer()
        .await
        .context("Could not infer kube config")?;
    
    config.auth = kube::config::AuthInfo {
        token_file: Some(format!("{}/token", secret_path)),
        ..Default::default()
    };

    Ok(Client::try_from(config)?)
}

But the auth field is private, so instead I've had to write ... this:

async fn get_service_account_client(secret_path: &str) -> Result<Client> {
    let default_config = kube::Config::infer()
        .await
        .context("Could not infer kube config")?;

    const DEFAULT: &str = "default";
    let kubeconfig = kube::config::Kubeconfig {
        current_context: Some(DEFAULT.to_string()),
        contexts: vec![kube::config::NamedContext {
            name: DEFAULT.to_string(),
            context: kube::config::Context {
                cluster: DEFAULT.to_string(),
                user: DEFAULT.to_string(),
                namespace: Some(default_config.default_namespace.clone()),
                extensions: None,
            },
        }],
        auth_infos: vec![kube::config::NamedAuthInfo {
            name: DEFAULT.to_string(),
            auth_info: kube::config::AuthInfo {
                token_file: Some(format!("{}/token", secret_path)),
                ..Default::default()
            },
        }],
        clusters: vec![kube::config::NamedCluster {
            name: DEFAULT.to_string(),
            cluster: kube::config::Cluster {
                server: default_config.cluster_url.to_string(),
                insecure_skip_tls_verify: Some(default_config.accept_invalid_certs),
                certificate_authority: None,
                certificate_authority_data: None,
                proxy_url: None,
                extensions: None,
            },
        }],
        ..Default::default()
    };

    let config = kube::Config::from_custom_kubeconfig(
        kubeconfig,
        &kube::config::KubeConfigOptions {
            context: None,
            cluster: None,
            user: None,
        },
    )
    .await?;

    Ok(Client::try_from(config)?)
}

What's the reason for the auth field being pub(crate)? Given that it is private, is there a better way of doing what I'm doing?

[clux]

heyhey. i am pretty sure the pub (crate) is only a bit of hesitance to expose a larger surface area for the public api. AuthInfo is already public though - through the kubeconfig - so i'd much rather that you would be able to use the first setup you listed there rather than jump through hoops to do the same thing. i don't really see a cleaner way to accomplish what you are trying to do.

shouldn't be a problem to merge a pr making it pub. you wanna open one?

[danrspencer]

Happy to, cheers.

#959