codeflare_sdk.common.kubernetes_cluster package

Submodules

codeflare_sdk.common.kubernetes_cluster.auth module

The auth sub-module contains authentication methods for Kubernetes clusters.

Recommended: Use kube-authkit’s AuthConfig directly for new code. Legacy: TokenAuthentication and KubeConfigFileAuthentication are deprecated but still supported.

class codeflare_sdk.common.kubernetes_cluster.auth.Authentication[source]

Bases: object

An abstract class that defines the necessary methods for authenticating to a remote environment. Specifically, this class defines the need for a login() and a logout() function.

login()[source]: Method for logging in to a remote cluster.

logout()[source]: Method for logging out of the remote cluster.

class codeflare_sdk.common.kubernetes_cluster.auth.KubeConfigFileAuthentication(kube_config_path: str = None)[source]

Bases: KubeConfiguration

DEPRECATED: Use kube_authkit.AuthConfig with kubeconfig strategy instead.

A class that defines the necessary methods for passing a user’s own Kubernetes config file. Specifically this class defines the load_kube_config() and config_check() functions.

load_kube_config()[source]: Function for loading a user’s own predefined Kubernetes config file.

class codeflare_sdk.common.kubernetes_cluster.auth.KubeConfiguration[source]

Bases: object

An abstract class that defines the method for loading a user defined config file using the load_kube_config() function

load_kube_config()[source]: Method for setting your Kubernetes configuration to a certain file

logout()[source]: Method for logging out of the remote cluster

class codeflare_sdk.common.kubernetes_cluster.auth.TokenAuthentication(**kwargs)[source]

Bases: Authentication

DEPRECATED: Use kube_authkit.AuthConfig with token strategy instead.

TokenAuthentication is a subclass of Authentication. It can be used to authenticate to a Kubernetes cluster when the user has an API token and the API server address.

login() → str[source]

This function is used to log in to a Kubernetes cluster using the user’s API token and API server address. Depending on the cluster, a user can choose to login in with –insecure-skip-tls-verify by setting skip_tls to True or –certificate-authority by setting skip_tls to False and providing a path to a ca bundle with ca_cert_path.

Note: kube-authkit does not support direct token authentication via AuthConfig, so this uses the legacy implementation.

logout() → str[source]: This function is used to logout of a Kubernetes cluster.

codeflare_sdk.common.kubernetes_cluster.auth.config_check() → str[source]

Check and load the Kubernetes config from the default location.

Uses kube-authkit’s auto-detection when available, falls back to legacy method.

This function checks if a Kubernetes config file exists at the default path (~/.kube/config). If none is provided, it tries to load in-cluster config. If the config_path global variable is set by an external module (e.g., auth.py), this path will be used directly.

Priority: 1. Existing global api_client (already authenticated) 2. kube-authkit auto-detection (kubeconfig, in-cluster, etc.) 3. Legacy method (kubeconfig or in-cluster)

Returns:

str:: The loaded config path if successful.

Raises:

PermissionError:: If no valid credentials or config file is found.

codeflare_sdk.common.kubernetes_cluster.auth.get_api_client() → ApiClient[source]

Retrieve the Kubernetes API client with the default configuration.

This function returns the current API client instance if already loaded, or creates a new API client with the default configuration.

Returns:

client.ApiClient:: The Kubernetes API client object.

codeflare_sdk.common.kubernetes_cluster.auth.set_api_client(new_client: ApiClient)[source]

Set a custom Kubernetes API client for the SDK to use.

This is useful when you want to use kube-authkit or other authentication methods to create an API client and register it with the CodeFlare SDK.

Example:

>>> from kube_authkit import get_k8s_client, AuthConfig
>>> from codeflare_sdk.common.kubernetes_cluster.auth import set_api_client
>>>
>>> auth_config = AuthConfig(k8s_api_host="...", token="...")
>>> api_client = get_k8s_client(config=auth_config)
>>> set_api_client(api_client)

Args:

new_client: The Kubernetes API client instance to use.

codeflare_sdk.common.kubernetes_cluster.kube_api_helpers module

This sub-module exists primarily to be used internally for any Kubernetes API error handling or wrapping.

Module contents

class codeflare_sdk.common.kubernetes_cluster.AuthConfig(method: str | None = None, k8s_api_host: str | None = None, oidc_issuer: str | None = None, client_id: str | None = None, client_secret: str | None = None, token: str | None = None, scopes: list[str] = <factory>, use_device_flow: bool = False, use_keyring: bool = False, oidc_callback_port: int = 8080, ca_cert: str | None = None, verify_ssl: bool = True, kubeconfig_path: str | None = None)[source]

Bases: object

Configuration for Kubernetes/OpenShift authentication.

This dataclass holds all configuration options for authenticating to a Kubernetes or OpenShift cluster. It supports multiple authentication methods and can be configured explicitly or through environment variables.

Args:

method: Authentication method to use. Must be specified. Options:

“auto”: Auto-detect best method by probing the environment
“kubeconfig”: Use ~/.kube/config or KUBECONFIG
“incluster”: Use in-cluster service account
“oidc”: Use OpenID Connect
“openshift”: Use OpenShift OAuth
None (default): Raises ConfigurationError; caller must choose

k8s_api_host: Kubernetes API server URL (auto-detected if None) oidc_issuer: OIDC issuer URL (required for OIDC) client_id: OIDC client ID (required for OIDC) client_secret: OIDC client secret (for confidential clients) token: Bearer token for authentication (optional, for OIDC/OpenShift) scopes: OIDC scopes to request use_device_flow: Use Device Code Flow instead of Authorization Code use_keyring: Store refresh tokens in system keyring oidc_callback_port: Port for OAuth callback server (default: 8080) ca_cert: Path to custom CA certificate bundle verify_ssl: Verify SSL certificates (WARNING: only disable for development) kubeconfig_path: Path to kubeconfig file (overrides KUBECONFIG env var)

Example:

>>> # Explicit OIDC with device flow
>>> config = AuthConfig(
...     method="oidc",
...     oidc_issuer="https://keycloak.example.com/auth/realms/myrealm",
...     client_id="my-client",
...     use_device_flow=True
... )
>>>
>>> # Auto-detection (opt-in)
>>> config = AuthConfig(method="auto")

ca_cert: str | None = None

client_id: str | None = None

client_secret: str | None = None

classmethod from_dict(config_dict: dict) → AuthConfig[source]

Create AuthConfig from dictionary.

This is useful for loading configuration from JSON or YAML files.

Args:

config_dict: Dictionary containing configuration parameters

Returns:

AuthConfig instance

Example:

>>> config_data = {
...     "method": "oidc",
...     "oidc_issuer": "https://keycloak.example.com",
...     "client_id": "my-client"
... }
>>> config = AuthConfig.from_dict(config_data)

k8s_api_host: str | None = None

kubeconfig_path: str | None = None

method: str | None = None

oidc_callback_port: int = 8080

oidc_issuer: str | None = None

scopes: list[str]

token: str | None = None

use_device_flow: bool = False

use_keyring: bool = False

verify_ssl: bool = True

class codeflare_sdk.common.kubernetes_cluster.Authentication[source]

Bases: object

An abstract class that defines the necessary methods for authenticating to a remote environment. Specifically, this class defines the need for a login() and a logout() function.

login()[source]: Method for logging in to a remote cluster.

logout()[source]: Method for logging out of the remote cluster.

class codeflare_sdk.common.kubernetes_cluster.KubeConfigFileAuthentication(kube_config_path: str = None)[source]

Bases: KubeConfiguration

DEPRECATED: Use kube_authkit.AuthConfig with kubeconfig strategy instead.

A class that defines the necessary methods for passing a user’s own Kubernetes config file. Specifically this class defines the load_kube_config() and config_check() functions.

load_kube_config()[source]: Function for loading a user’s own predefined Kubernetes config file.

class codeflare_sdk.common.kubernetes_cluster.KubeConfiguration[source]

Bases: object

An abstract class that defines the method for loading a user defined config file using the load_kube_config() function

load_kube_config()[source]: Method for setting your Kubernetes configuration to a certain file

logout()[source]: Method for logging out of the remote cluster

class codeflare_sdk.common.kubernetes_cluster.TokenAuthentication(**kwargs)[source]

Bases: Authentication

DEPRECATED: Use kube_authkit.AuthConfig with token strategy instead.

TokenAuthentication is a subclass of Authentication. It can be used to authenticate to a Kubernetes cluster when the user has an API token and the API server address.

login() → str[source]

This function is used to log in to a Kubernetes cluster using the user’s API token and API server address. Depending on the cluster, a user can choose to login in with –insecure-skip-tls-verify by setting skip_tls to True or –certificate-authority by setting skip_tls to False and providing a path to a ca bundle with ca_cert_path.

Note: kube-authkit does not support direct token authentication via AuthConfig, so this uses the legacy implementation.

logout() → str[source]: This function is used to logout of a Kubernetes cluster.

codeflare_sdk.common.kubernetes_cluster.config_check() → str[source]

Check and load the Kubernetes config from the default location.

Uses kube-authkit’s auto-detection when available, falls back to legacy method.

This function checks if a Kubernetes config file exists at the default path (~/.kube/config). If none is provided, it tries to load in-cluster config. If the config_path global variable is set by an external module (e.g., auth.py), this path will be used directly.

Priority: 1. Existing global api_client (already authenticated) 2. kube-authkit auto-detection (kubeconfig, in-cluster, etc.) 3. Legacy method (kubeconfig or in-cluster)

Returns:

str:: The loaded config path if successful.

Raises:

PermissionError:: If no valid credentials or config file is found.

codeflare_sdk.common.kubernetes_cluster.get_api_client() → ApiClient[source]

Retrieve the Kubernetes API client with the default configuration.

This function returns the current API client instance if already loaded, or creates a new API client with the default configuration.

Returns:

client.ApiClient:: The Kubernetes API client object.

codeflare_sdk.common.kubernetes_cluster.get_k8s_client(config: AuthConfig | None = None) → ApiClient[source]

Get authenticated Kubernetes API client.

This is the main entry point for the library. It automatically detects the best authentication method based on the environment and configuration, then returns a ready-to-use Kubernetes ApiClient.

Args:

config: AuthConfig instance. Must specify a method.: If None, raises ConfigurationError.

Returns:

Configured Kubernetes ApiClient ready to make API calls

Raises:

ConfigurationError: If configuration is invalid or method not specified AuthenticationError: If authentication fails StrategyNotAvailableError: If requested method is not available

Example:

>>> # Explicit configuration
>>> config = AuthConfig(method="oidc", oidc_issuer="...", client_id="...")
>>> api_client = get_k8s_client(config)
>>> v1 = client.CoreV1Api(api_client)
>>>
>>> # Auto-detection (opt-in)
>>> api_client = get_k8s_client(AuthConfig(method="auto"))

Note:

This is a convenience wrapper around get_k8s_config(). If you need to customize the configuration before creating the client, use get_k8s_config() instead.

codeflare_sdk.common.kubernetes_cluster.set_api_client(new_client: ApiClient)[source]

Set a custom Kubernetes API client for the SDK to use.

This is useful when you want to use kube-authkit or other authentication methods to create an API client and register it with the CodeFlare SDK.

Example:

>>> from kube_authkit import get_k8s_client, AuthConfig
>>> from codeflare_sdk.common.kubernetes_cluster.auth import set_api_client
>>>
>>> auth_config = AuthConfig(k8s_api_host="...", token="...")
>>> api_client = get_k8s_client(config=auth_config)
>>> set_api_client(api_client)

Args:

new_client: The Kubernetes API client instance to use.