Merge pull request #1930 from yliaog/automated-release-of-25.2.0b1-upstream-release-25.0-1666284251

Automated release of 25.2.0b1 upstream release 25.0 1666284251

Author: k8s-ci-robot

CHANGELOG.md

@@ -1,3 +1,10 @@
+# v25.2.0b1
+
+Kubernetes API Version: v1.25.3
+
+### Feature
+- Adds support for loading CA certificates from a file using the `idp-certificate-authority` key for the oidc plugin. (#1916, @vgupta3)
+
 # v25.2.0a1
 
 Kubernetes API Version: v1.25.2

README.md

@@ -94,7 +94,7 @@ supported versions of Kubernetes clusters.
 - [client 22.y.z](https://pypi.org/project/kubernetes/22.6.0/): Kubernetes 1.21 or below (+-), Kubernetes 1.22 (✓), Kubernetes 1.23 or above (+-)
 - [client 23.y.z](https://pypi.org/project/kubernetes/23.6.0/): Kubernetes 1.22 or below (+-), Kubernetes 1.23 (✓), Kubernetes 1.24 or above (+-)
 - [client 24.y.z](https://pypi.org/project/kubernetes/24.2.0/): Kubernetes 1.23 or below (+-), Kubernetes 1.24 (✓), Kubernetes 1.25 or above (+-)
-- [client 25.y.z](https://pypi.org/project/kubernetes/25.2.0a1/): Kubernetes 1.24 or below (+-), Kubernetes 1.25 (✓), Kubernetes 1.26 or above (+-)
+- [client 25.y.z](https://pypi.org/project/kubernetes/25.2.0b1/): Kubernetes 1.24 or below (+-), Kubernetes 1.25 (✓), Kubernetes 1.26 or above (+-)
 
 > See [here](#homogenizing-the-kubernetes-python-client-versions) for an explanation of why there is no v13-v16 release.
 

examples/node_labels.py

@@ -16,7 +16,7 @@
 This example demonstrates the following:
     - Get a list of all the cluster nodes
     - Iterate through each node list item
-        - Add or overwirite label "foo" with the value "bar"
+        - Add or overwrite label "foo" with the value "bar"
         - Remove the label "baz"
     - Return the list of node with updated labels
 """

examples/rollout-daemonset.py

@@ -2,7 +2,7 @@
 This example covers the following:
     - Create daemonset
     - Update daemonset
-    - List contoller revisions which belong to specified daemonset
+    - List controller revisions which belong to specified daemonset
     - Roll out daemonset
 """
 

kubernetes/README.md

@@ -4,7 +4,7 @@ No description provided (generated by Openapi Generator https://github.com/opena
 This Python package is automatically generated by the [OpenAPI Generator](https://openapi-generator.tech) project:
 
 - API version: release-1.25
-- Package version: 25.2.0a1
+- Package version: 25.2.0b1
 - Build package: org.openapitools.codegen.languages.PythonClientCodegen
 
 ## Requirements.

kubernetes/__init__.py

@@ -14,7 +14,7 @@
 
 __project__ = 'kubernetes'
 # The version is auto-updated. Please do not edit.
-__version__ = "25.2.0a1"
+__version__ = "25.2.0b1"
 
 import kubernetes.client
 import kubernetes.config

kubernetes/base/config/kube_config.py

@@ -398,7 +398,7 @@ def _load_oid_token(self, provider):
 
         if PY3:
             jwt_attributes = json.loads(
-                base64.b64decode(parts[1] + padding).decode('utf-8')
+                base64.urlsafe_b64decode(parts[1] + padding).decode('utf-8')
             )
         else:
             jwt_attributes = json.loads(
@@ -439,6 +439,9 @@ def _refresh_oidc(self, provider):
 
             config.ssl_ca_cert = ca_cert.name
 
+        elif 'idp-certificate-authority' in provider['config']:
+            config.ssl_ca_cert = provider['config']['idp-certificate-authority']
+
         else:
             config.verify_ssl = False
 

kubernetes/base/config/kube_config_test.py

@@ -17,6 +17,7 @@
 import io
 import json
 import os
+from pprint import pprint
 import shutil
 import tempfile
 import unittest
@@ -485,6 +486,13 @@ class TestKubeConfigLoader(BaseTestCase):
                     "user": "expired_oidc"
                 }
             },
+            {
+                "name": "expired_oidc_with_idp_ca_file",
+                "context": {
+                    "cluster": "default",
+                    "user": "expired_oidc_with_idp_ca_file"
+                }
+            },
             {
                 "name": "expired_oidc_nocert",
                 "context": {
@@ -799,6 +807,23 @@ class TestKubeConfigLoader(BaseTestCase):
                     }
                 }
             },
+            {
+                "name": "expired_oidc_with_idp_ca_file",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "client-id": "tectonic-kubectl",
+                            "client-secret": "FAKE_SECRET",
+                            "id-token": TEST_OIDC_EXPIRED_LOGIN,
+                            "idp-certificate-authority": TEST_CERTIFICATE_AUTH,
+                            "idp-issuer-url": "https://example.org/identity",
+                            "refresh-token":
+                                "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+                        }
+                    }
+                }
+            },
             {
                 "name": "expired_oidc_nocert",
                 "user": {
@@ -1059,6 +1084,33 @@ def test_oidc_with_refresh(self, mock_ApiClient, mock_OAuth2Session):
         self.assertTrue(loader._load_auth_provider_token())
         self.assertEqual("Bearer abc123", loader.token)
 
+    @mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
+    @mock.patch('kubernetes.config.kube_config.ApiClient.request')
+    def test_oidc_with_idp_ca_file_refresh(self, mock_ApiClient, mock_OAuth2Session):
+        mock_response = mock.MagicMock()
+        type(mock_response).status = mock.PropertyMock(
+            return_value=200
+        )
+        type(mock_response).data = mock.PropertyMock(
+            return_value=json.dumps({
+                "token_endpoint": "https://example.org/identity/token"
+            })
+        )
+
+        mock_ApiClient.return_value = mock_response
+
+        mock_OAuth2Session.return_value = {"id_token": "abc123",
+                                           "refresh_token": "newtoken123"}
+
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context="expired_oidc_with_idp_ca_file",
+        )
+
+
+        self.assertTrue(loader._load_auth_provider_token())
+        self.assertEqual("Bearer abc123", loader.token)
+
     @mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
     @mock.patch('kubernetes.config.kube_config.ApiClient.request')
     def test_oidc_with_refresh_nocert(

kubernetes/client/__init__.py

@@ -14,7 +14,7 @@
 
 from __future__ import absolute_import
 
-__version__ = "25.2.0a1"
+__version__ = "25.2.0b1"
 
 # import apis into sdk package
 from kubernetes.client.api.well_known_api import WellKnownApi

kubernetes/client/api_client.py

@@ -78,7 +78,7 @@ def __init__(self, configuration=None, header_name=None, header_value=None,
             self.default_headers[header_name] = header_value
         self.cookie = cookie
         # Set default User-Agent.
-        self.user_agent = 'OpenAPI-Generator/25.2.0a1/python'
+        self.user_agent = 'OpenAPI-Generator/25.2.0b1/python'
         self.client_side_validation = configuration.client_side_validation
 
     def __enter__(self):