
[wip] native Kubernetes client #29

Open

wants to merge 3 commits into base: master

Conversation

timothyb89 (Contributor)

This adds a native Kubernetes client to replace the kubectl proxy subprocess. That is, a kubeconfig parser with some integration with reqwest to configure proxies and auth, or the rust equivalent of tiny-kubernetes. It only strictly needs serde_yaml, reqwest, and base64.

Ideally this should end up being much smaller than a 'proper' client and can easily support the few functions we actually care about (auth, proxies, streamed responses, websockets, exotic kubeconfig formats, ...).

This at least properly parses all the kubeconfigs I have handy, including minikube, microk8s, eks, kubeadm, and a few others.

Closes #28

This adds a WIP implementation of a lightweight Kubernetes client,
or in other words, a kubeconfig parser with some integration with
reqwest to configure auth. It only needs serde_yaml and reqwest.

Ideally this should end up being much smaller than a 'proper' client
and can easily support the few functions we actually care about
(auth, proxies, streamed responses, websockets, exotic kubeconfig
formats, ...).

This at least properly parses all the kubeconfigs I have handy,
including minikube, microk8s, eks, kubeadm, and a few others.
timothyb89 added the labels enhancement (New feature or request) and wip (work in progress) on Jul 19, 2019
 - bumps reqwest version for proxy support
 - mostly implements KubernetesClient::new()
 - adds notes about all the tls libs being broken :/

Signed-off-by: Tim Buckley <[email protected]>
@timothyb89 (Contributor, Author)

timothyb89 commented Jul 22, 2019

I can at least auth against DigitalOcean now (uses embedded client + CA certs). Minikube and some kubeadm clusters are broken since rustls doesn't support IP address hosts (rustls/hyper-rustls#56 (comment)). Also, native-tls (via reqwest, at least) doesn't support PEM certificates so we're stuck with rustls.

Should look into whether or not ClientBuilder::danger_accept_invalid_hostnames() is enough to at least make this functional, otherwise we'll need to keep kubectl proxy support around...

@timothyb89 (Contributor, Author)

Also, still need some in-cluster auth support...

@timothyb89 (Contributor, Author)

More TLS issues...

This is all to say, there is probably a path forward with native-tls, however it:

  • requires vendored openssl
    • this massively increases build times and binary size (adds ~1 MiB per cargo-bloat)
    • complicates Windows and macOS builds
  • still requires ugly hacks to even read certs

I think rustls + the kubectl proxy hack will continue to be the best solution, and hopefully we can drop the hack if/when rustls gets IP address support.

 - separate enum structs
 - fully implement exec auth
 - honor insecure-skip-tls-verify
 - implement reauthentication and expiry checks for exec auth
   - split `KubernetesClient::new()` and `KubernetesClient::from_context()`
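As an added example, not code from this PR or the project, the context resolution and exec-credential expiry checks that the commits above describe, in Python over a constructed in-memory kubeconfig (the mapping a YAML loader would produce); `resolve_context`, `_named` and `exec_credential_usable` are names chosen here, and every server, token and certificate value is a placeholder:

```python
import base64
from datetime import datetime, timezone

# Constructed kubeconfig in the shape a YAML loader produces; placeholder values, not real credentials.
KUBECONFIG = {
    "current-context": "dev",
    "clusters": [
        {"name": "dev-cluster", "cluster": {
            "server": "https://10.0.0.5:6443",  # IP-address server, the minikube/kubeadm case discussed above
            "certificate-authority-data": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()}},
        {"name": "lab", "cluster": {"server": "https://lab.example:6443", "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "dev-user", "user": {"exec": {"command": "aws", "args": ["eks", "get-token"]}}},
        {"name": "lab-user", "user": {"token": "constructed-token"}},
    ],
    "contexts": [
        {"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-user"}},
        {"name": "lab", "context": {"cluster": "lab", "user": "lab-user"}},
    ],
}

def _named(items, name, key):  # kubeconfig lists entries as {name, <key>: {...}}; find one by name
    for item in items:
        if item.get("name") == name:
            return item[key]
    raise KeyError(f"kubeconfig has no {key} named {name!r}")

def resolve_context(cfg, name=None):
    """Resolve a context into the TLS and auth settings a client needs before its first request."""
    ctx = _named(cfg["contexts"], name or cfg["current-context"], "context")
    cluster = _named(cfg["clusters"], ctx["cluster"], "cluster")
    user = _named(cfg["users"], ctx["user"], "user")
    if "token" in user:
        auth = ("token", user["token"])
    elif "client-certificate-data" in user:  # mTLS: base64-encoded PEM certificate and key
        auth = ("client-cert", base64.b64decode(user["client-certificate-data"]).decode(),
                base64.b64decode(user["client-key-data"]).decode())
    elif "exec" in user:  # credential plugin; the token comes from running the command
        auth = ("exec", user["exec"]["command"])
    else: raise ValueError("no supported auth method for user")
    return {"server": cluster["server"], "auth": auth,
            "ca_pem": base64.b64decode(cluster["certificate-authority-data"]).decode() if "certificate-authority-data" in cluster else None,
            "verify_tls": not cluster.get("insecure-skip-tls-verify", False)}  # False disables server verification

def exec_credential_usable(status, now):
    """Cached ExecCredential reuse: no expirationTimestamp means no client-side expiry (reused until the server rejects it)."""
    ts = status.get("expirationTimestamp")  # RFC 3339 in UTC, e.g. 2019-07-22T13:00:00Z
    return ts is None or now < datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
```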
@timothyb89 (Contributor, Author)

Additional ssl-related complications if we want websocket support:

  • neither rust-websocket nor ws-rs support rustls, so native-tls is required
  • use of client/server certs is undocumented in either library; may just mean configuring native-tls's TlsConnectorBuilder

So the only way forward if we want websockets looks like:

  • use native-tls and accept the increased static linux binary size
  • figure out some hack to convert pem client certs into der for native-tls / reqwest, preferably without vendoring openssl
  • implement separate auth codepaths for reqwest and websocket/ws

Frankly, I'm tempted to sit on this a while and see if the library situation improves.

timothyb89 mentioned this pull request on Aug 19, 2019
@timothyb89 (Contributor, Author)

Not a ton of movement over the last 8 months, unfortunately:

  • there's been a hint of movement on webpki so ip hostnames may be supported in the near future.
  • native-tls still doesn't support .pem certificates
  • no websocket libraries support rustls

Successfully merging this pull request may close these issues: Proper Kubernetes reader