Make Client configurable #540

kazk · 2021-05-25T22:48:36Z

Customize client with Layers:

use kube::{client::ConfigExt, Client, Config};
use tower::ServiceBuilder;
use tower_http::{decompression::DecompressionLayer, trace::TraceLayer};

let config = Config::infer().await?;
let https = config.native_tls_https_connector()?;
let client = Client::new(
    ServiceBuilder::new()
        .layer(config.base_uri_layer())
        .option_layer(config.auth_layer()?)
        .layer(DecompressionLayer::new())
        .layer(TraceLayer::new_for_http())
        .service(hyper::Client::builder().build(https)),
);

Customize HttpsConnector:

let https = ServiceBuilder::new()
    .layer(layer_fn(|c| {
        let mut conn = TimeoutConnector::new(c);
        conn.set_connect_timeout(Some(Duration::from_secs(5)));
        conn
    }))
    .service(config.native_tls_https_connector()?);

It's also possible to create HttpsConnector from TlsConnector:

let https = {
    let tls = tokio_native_tls::TlsConnector::from(
        config.native_tls_connector()?
    );
    let mut http = HttpConnector::new();
    http.enforce_http(false);
    HttpsConnector::from((http, tls))
};

TLS Enhancements

Add kube::client::ConfigExt extending Config for custom Client. This includes methods to configure TLS connection when building a custom client (Make Client configurable with Layers #539)
- native-tls: Config::native_tls_https_connector and Config::native_tls_connector
- rustls-tls: Config::rustls_https_connector and Config::rustls_client_config
Remove the requirement of having native-tls or rustls-tls enabled when client is enabled. Allow one, both or none.
- When both, the default Service will use native-tls because of rustls cannot reach a cluster through ip #153. rustls can be still used with a custom client. Users will have an option to configure TLS at runtime.
- When none, HTTP connector is used.
Remove TLS features from kube-runtime
- BREAKING: Features must be removed if specified
Remove client feature from native-tls and rust-tls features
- config + native-tls/rustls-tls can be used independently, e.g., to create a simple HTTP client
- BREAKING: client feature must be added if default-features = false

Layers

ConfigExt::base_uri_layer (BaseUriLayer) to set cluster URL (Make Client configurable with Layers #539)
ConfigExt::auth_layer that returns optional layer to manage Authorization header (Make Client configurable with Layers #539)
gzip: Replaced custom decompression module with DecompressionLayer from tower-http (Make Client configurable with Layers #539)
Replaced custom LogRequest with TraceLayer from tower-http (Make Client configurable with Layers #539)
- Request body is no longer shown
Basic and Bearer authentication using AddAuthorizationLayer (borrowing from Add AddAuthorization middleware tower-rs/tower-http#95 until released)

Changes

BREAKING: Remove headers from Config. It was originally added to allow injecting arbitrary headers, but now a custom client can be used to do that.
Add support for loading proxy URL from kube config. Proxy itself is not supported yet.

Dependency Changes

Remove static_assertions since it's no longer used
Replace tokio_rustls with rustls and webpki since we're not using tokio_rustls directly
Replace uses of rustls::internal::pemfile with rustls-pemfile
Remove url and always use http::Uri
- BREAKING: Config::cluster_url is now http::Uri
- BREAKING: Error::InternalUrlError(url::ParseError) and Error::MalformedUrl(url::ParseError) replaced by Error::InvalidUri(http::uri::InvalidUri)

Closes #539

kube/src/lib.rs

kazk · 2021-06-01T10:00:31Z

kube/src/client/mod.rs

+        // Transform response body to `hyper::Body` and use type erased error to avoid type parameters.
+        let service = MapResponseBodyLayer::new(|b| hyper::Body::wrap_stream(body::IntoStream::new(b)))
+            .layer(service)
+            .map_err(|e| e.into());


Took me a few days to come up with this, but should be worth it. This change allows us to take advantage of the Tower ecosystem much more without introducing type parameters to Client.

Shouldn't be a breaking change, but need to test more to make sure.

examples/pod_api.rs

examples/custom_client.rs

clux

looks great. just small philosophical comments. have not dug through the tls stuff much yet.

examples/Cargo.toml

examples/custom_client_trace.rs

examples/custom_client_tls.rs

examples/custom_client_trace.rs

kube-runtime/Cargo.toml

kube/src/client/body.rs

kube/src/client/mod.rs

- Add `Config::native_tls_connector` and `Config::rustls_client_config` - Remove the requirement of having `native-tls` or `rustls-tls` enabled when `client` is enabled. Allow one, both or none. - When both, the default Service will use `native-tls` because of kube-rs#153. `rustls` can be still used with a custom client. Users will have an option to configure TLS at runtime. - When none, HTTP connector is used. - Note that `oauth` feature still requires tls feature. - Remove tls features from kube-runtime

Still a dependency of hyper-rustls, but we're not using tokio-rustls. Depend on rustls directly instead.

`config` + `native-tls`/`rustls-tls` can be used independently. For example, to create a simple HTTP client.

Allow using more from the Tower ecosystem.

Keeping this simple for now by default, but it's fully customizable.

kube/src/client/config_ext.rs

examples/custom_client.rs

kube/src/client/auth/refreshing_token.rs

- Move TLS methods to `ConfigExt` - Prepare to move `Auth` method to `ConfigExt` - `.option_layer(config.auth_layer()?)`

clux

Looks amazing. Huge work 💯

Had another go over. TLS looks all great, good error handling everywhere, docs everywhere, things with TODOs are all pub(crate).

Left (another) philosiphical naming nit, but beyond this I am all good with this.

clux · 2021-06-05T11:25:48Z

kube/src/client/config_ext.rs

+/// Extensions to [`Config`](crate::Config) for custom [`Client`](crate::Client).
+///
+/// See [`Client::new`](crate::Client::new) for an example.
+///
+/// This trait is sealed and cannot be implemented.
+pub trait ConfigExt: private::Sealed {


I didn't know about this pattern, but am a fan. Feels like a very smart way to avoid having all the public methods in a big namespace 👍

Yeah, the downside is the extra import, but I think the explicit kube::client::ConfigExt actually makes sense for this. I also wanted to keep client stuff out of the config module.

kube/src/client/middleware/base_uri.rs

clux · 2021-06-05T11:55:59Z

I'll leave it to you to make the final call on naming, and will make a release after you merge this :-)

clux · 2021-06-05T22:47:19Z

Release in 0.56.0! Thank you so much!

kazk mentioned this pull request May 25, 2021

Make Client configurable with Layers #539

Closed

10 tasks

kazk commented May 25, 2021

View reviewed changes

kube/src/lib.rs Outdated Show resolved Hide resolved

kazk force-pushed the polish-tls-support branch 2 times, most recently from 0a570c5 to 56735a0 Compare May 27, 2021 03:31

kazk changed the title ~~Improve TLS support~~ Make Client configurable May 27, 2021

kazk force-pushed the polish-tls-support branch 3 times, most recently from 96bf9b9 to 357938b Compare May 31, 2021 22:48

kazk commented Jun 1, 2021

View reviewed changes

examples/pod_api.rs Outdated Show resolved Hide resolved

kazk force-pushed the polish-tls-support branch 2 times, most recently from 9505fcb to 5d52d12 Compare June 2, 2021 04:31

kazk commented Jun 2, 2021

View reviewed changes

examples/pod_api.rs Show resolved Hide resolved

kazk commented Jun 2, 2021

View reviewed changes

examples/custom_client.rs Outdated Show resolved Hide resolved

kazk mentioned this pull request Jun 2, 2021

Better logging of api calls from client interface #26

Closed

kazk requested a review from clux June 2, 2021 07:37

clux reviewed Jun 2, 2021

View reviewed changes

kazk force-pushed the polish-tls-support branch from 336d5f5 to 06668cb Compare June 3, 2021 09:38

kazk added 12 commits June 3, 2021 13:11

Depend on rustls directly instead of tokio-rustls

196503f

Still a dependency of hyper-rustls, but we're not using tokio-rustls. Depend on rustls directly instead.

Use rustls-pemfile instead of internal module

741df23

Add custom client example

d436112

Remove client from native-tls and rust-tls

a0efcfa

`config` + `native-tls`/`rustls-tls` can be used independently. For example, to create a simple HTTP client.

Change Service's Error to Into<BoxError>

cb081ae

Always use http::Uri instead of url::Url

93e6c65

Add SetBaseUriLayer to set base URI of requests

7eb8697

Remove hyper::Body dependency from services

50634fd

Relax Service's response body type

0d9e8d0

Allow using more from the Tower ecosystem.

Replace custom decompression module with DecompressionLayer

6649d97

Replace LogRequest layer with TraceLayer

992231d

Keeping this simple for now by default, but it's fully customizable.

kazk added 2 commits June 4, 2021 12:08

Refactor the default service stack

583cdbb

Rename Authentication to Auth

54baa61

kazk force-pushed the polish-tls-support branch from 5536567 to 1bdb02f Compare June 4, 2021 20:42

clux reviewed Jun 4, 2021

View reviewed changes

kube/src/client/config_ext.rs Outdated Show resolved Hide resolved

clux reviewed Jun 4, 2021

View reviewed changes

examples/custom_client.rs Outdated Show resolved Hide resolved

clux reviewed Jun 4, 2021

View reviewed changes

kube/src/client/auth/refreshing_token.rs Outdated Show resolved Hide resolved

kazk mentioned this pull request Jun 5, 2021

Readd optional proxy support #438

Closed

kazk added 6 commits June 4, 2021 18:17

Add client::ConfigExt to extend Config for Client

0514408

- Move TLS methods to `ConfigExt` - Prepare to move `Auth` method to `ConfigExt` - `.option_layer(config.auth_layer()?)`

Add ConfigExt::base_uri_layer

b6f939d

Rename to RefreshTokenLayer

2258750

Discourage using middleware directly

0f0994e

Remove headers from Config

1b08927

Support loading proxy URL

f009ff6

kazk force-pushed the polish-tls-support branch 2 times, most recently from 709d605 to 614c7c4 Compare June 5, 2021 04:15

Add ConfigExt::auth_layer hiding details

79096a9

kazk force-pushed the polish-tls-support branch from 614c7c4 to 79096a9 Compare June 5, 2021 04:28

Document custom client

1153536

kazk force-pushed the polish-tls-support branch from bb115c9 to 1153536 Compare June 5, 2021 05:59

kazk marked this pull request as ready for review June 5, 2021 06:13

Add missing feature tags

8c540c0

clux approved these changes Jun 5, 2021

View reviewed changes

Rename to BaseUriLayer

38782b5

kazk merged commit afd032d into kube-rs:master Jun 5, 2021

kazk deleted the polish-tls-support branch June 5, 2021 21:23

clux added a commit that referenced this pull request Jun 5, 2021

changelog additions for 0.56 from #540

e0029d7

clux mentioned this pull request Jun 6, 2021

add moving with_default_namespace Client setter - fixes #543 #544

Merged

4 tasks

kazk mentioned this pull request Nov 1, 2022

Segfault on musl when running in alpine #1058

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make Client configurable #540

Make Client configurable #540

kazk commented May 25, 2021 •

edited

kazk Jun 1, 2021 •

edited

clux left a comment

clux left a comment

clux Jun 5, 2021

kazk Jun 5, 2021

clux commented Jun 5, 2021

clux commented Jun 5, 2021

Make Client configurable #540

Make Client configurable #540

Conversation

kazk commented May 25, 2021 • edited

TLS Enhancements

Layers

Changes

Dependency Changes

kazk Jun 1, 2021 • edited

Choose a reason for hiding this comment

clux left a comment

Choose a reason for hiding this comment

clux left a comment

Choose a reason for hiding this comment

clux Jun 5, 2021

Choose a reason for hiding this comment

kazk Jun 5, 2021

Choose a reason for hiding this comment

clux commented Jun 5, 2021

clux commented Jun 5, 2021

kazk commented May 25, 2021 •

edited

kazk Jun 1, 2021 •

edited