Add ProxyConnector

Signed-off-by: kazk <[email protected]>

examples/Cargo.toml

@@ -194,6 +194,10 @@ path = "admission_controller.rs"
 name = "custom_client"
 path = "custom_client.rs"
 
+[[example]]
+name = "custom_client_proxy"
+path = "custom_client_proxy.rs"
+
 [[example]]
 name = "custom_client_tls"
 path = "custom_client_tls.rs"

examples/custom_client_proxy.rs

@@ -0,0 +1,69 @@
+use http::Uri;
+use hyper::client::HttpConnector;
+use k8s_openapi::api::core::v1::ConfigMap;
+use tower::ServiceBuilder;
+
+use kube::{
+    api::{Api, ListParams},
+    client::{ConfigExt, ProxyConnector},
+    Client, Config,
+};
+
+/*
+// Need to set `client_certs` so that `mitmproxy` can make requests as an authorized user.
+//
+// Store client certs and key as PEM (adjust the query for your user):
+```bash
+kubectl config view \
+    --raw \
+    -o jsonpath='{.users[?(@.name == "admin@k3d-dev")].user.client-certificate-data}' \
+| base64 -d \
+> client-certs.pem
+
+kubectl config view \
+    --raw \
+    -o jsonpath='{.users[?(@.name == "admin@k3d-dev")].user.client-key-data}' \
+| base64 -d \
+>> client-certs.pem
+```
+
+// `--ssl-insecure` is necessary because the API server uses self signed certificates:
+```bash
+mitmproxy -p 5000 --ssl-insecure --set client_certs=$(pwd)/client-certs.pem
+# or
+mitmweb -p 5000 --ssl-insecure --set client_certs=$(pwd)/client-certs.pem
+```
+// After running this example, you should be able to inspect
+// `GET /api/v1/namespaces/default/configmaps`
+ */
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    std::env::set_var("RUST_LOG", "trace");
+    // TODO Client should use ProxyConnector based on environment variables or proxy_url
+    // std::env::set_var("HTTPS_PROXY", "http://localhost:5000");
+    tracing_subscriber::fmt::init();
+
+    let mut config = Config::infer().await?;
+    config.accept_invalid_certs = true;
+    let connector = {
+        let tls = config.native_tls_connector()?;
+        let mut http = HttpConnector::new();
+        http.enforce_http(false);
+        let proxy_url = "http://localhost:5000".parse::<Uri>().unwrap();
+        ProxyConnector::native_tls(proxy_url, http, tls)
+    };
+
+    let service = ServiceBuilder::new()
+        .layer(config.base_uri_layer())
+        .layer(tower_http::trace::TraceLayer::new_for_http())
+        .service(hyper::Client::builder().build(connector));
+    let client = Client::new(service, config.default_namespace);
+
+    let cms: Api<ConfigMap> = Api::namespaced(client, "default");
+    for cm in cms.list(&ListParams::default()).await? {
+        println!("{:?}", cm);
+    }
+
+    Ok(())
+}

kube-client/Cargo.toml

@@ -18,7 +18,7 @@ edition = "2021"
 [features]
 default = ["client", "native-tls"]
 native-tls = ["openssl", "hyper-tls", "tokio-native-tls"]
-rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls"]
+rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "tokio-rustls", "webpki"]
 openssl-tls = ["openssl", "hyper-openssl"]
 ws = ["client", "tokio-tungstenite", "rand", "kube-core/ws"]
 oauth = ["client", "tame-oauth"]
@@ -28,6 +28,7 @@ jsonpatch = ["kube-core/jsonpatch"]
 admission = ["kube-core/admission"]
 config = ["__non_core", "pem", "dirs"]
 deprecated-crd-v1beta1 = ["kube-core/deprecated-crd-v1beta1"]
+socks-proxy = ["tokio-socks"]
 
 # private feature sets; do not use
 __non_core = ["tracing", "serde_yaml", "base64"]
@@ -72,6 +73,9 @@ rand = { version = "0.8.3", optional = true }
 secrecy = { version = "0.8.0", features = ["alloc", "serde"] }
 tracing = { version = "0.1.29", features = ["log"], optional = true }
 hyper-openssl = { version = "0.9.1", optional = true }
+tokio-socks = { version = "0.5.1", optional = true }
+tokio-rustls = { version = "0.23.2", optional = true }
+webpki = { version = "0.22.0", optional = true }
 
 [dependencies.k8s-openapi]
 version = "0.14.0"

kube-client/src/client/mod.rs

@@ -38,6 +38,8 @@ mod config_ext;
 pub use auth::Error as AuthError;
 pub use config_ext::ConfigExt;
 pub mod middleware;
+mod proxy;
+pub use proxy::ProxyConnector;
 #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "openssl-tls"))]
 mod tls;
 #[cfg(feature = "native-tls")] pub use tls::native_tls::Error as NativeTlsError;