Die Applications

This is being moved into its own separate opt-in application
microservice, at long last.  This also adds in a client, as the
application service is going to have to have some smarts that clean up
when clusters vanish at the very least.

README.md

@@ -168,7 +168,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://unikorn-cloud.github.io/unikorn
+    repoURL: https://unikorn-cloud.github.io/kubernetes
     chart: unikorn
     targetRevision: v0.1.8
   destination:

charts/kubernetes/Chart.yaml

@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn Kubernetes Service
 
 type: application
 
-version: v0.2.39
-appVersion: v0.2.39
+version: v0.2.40
+appVersion: v0.2.40
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

pkg/client/client.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2024 the Unikorn Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"context"
+	"net/http"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/propagation"
+
+	coreclient "github.com/unikorn-cloud/core/pkg/client"
+	"github.com/unikorn-cloud/identity/pkg/middleware/authorization"
+	"github.com/unikorn-cloud/identity/pkg/middleware/openapi/accesstoken"
+	"github.com/unikorn-cloud/kubernetes/pkg/openapi"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type Options = coreclient.HTTPOptions
+
+// NewOptions must be used to create options for consistency.
+func NewOptions() *Options {
+	return coreclient.NewHTTPOptions("kubernetes")
+}
+
+// Client wraps up the raw OpenAPI client with things to make it useable e.g.
+// authorization and TLS.
+type Client struct {
+	// client is a Kubenetes client.
+	client client.Client
+	// options allows setting of option from the CLI
+	options *Options
+	// clientOptions may be specified to inject client certificates etc.
+	clientOptions *coreclient.HTTPClientOptions
+}
+
+// New creates a new client.
+func New(client client.Client, options *Options, clientOptions *coreclient.HTTPClientOptions) *Client {
+	return &Client{
+		client:        client,
+		options:       options,
+		clientOptions: clientOptions,
+	}
+}
+
+// HTTPClient returns a new http client that will transparently do oauth2 header
+// injection and refresh token updates.
+func (c *Client) HTTPClient(ctx context.Context) (*http.Client, error) {
+	// Handle non-system CA certificates for the OIDC discovery protocol
+	// and oauth2 token refresh. This will return nil if none is specified
+	// and default to the system roots.
+	tlsClientConfig, err := coreclient.TLSClientConfig(ctx, c.client, c.options, c.clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsClientConfig,
+		},
+	}
+
+	return client, nil
+}
+
+// accessTokenInjector implements OAuth2 bearer token authorization.
+func accessTokenInjector(ctx context.Context, req *http.Request) error {
+	accessToken, err := accesstoken.FromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Authorization", "bearer "+accessToken)
+	otel.GetTextMapPropagator().Inject(ctx, propagation.HeaderCarrier(req.Header))
+	authorization.InjectClientCert(ctx, req.Header)
+
+	return nil
+}
+
+// Client returns a new OpenAPI client that can be used to access the API.
+func (c *Client) Client(ctx context.Context) (*openapi.ClientWithResponses, error) {
+	httpClient, err := c.HTTPClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := openapi.NewClientWithResponses(c.options.Host(), openapi.WithHTTPClient(httpClient), openapi.WithRequestEditorFn(accessTokenInjector))
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}