Add KubernetesAuthContext to Kubernetes commands (#1133)

* Add AuthContext to Kubernetes commands

* Add labels and annotations

* Remove IAuthContext

* Add space

* Nullable for backwards compatibility

* Update k8s client to fix build

* Tidy up labels

* Review comments

* Remove env var toggle

Author: eddymoulton

source/Octopus.Tentacle.Client/Scripts/KubernetesScriptServiceV1Executor.cs

@@ -65,7 +65,8 @@ StartKubernetesScriptCommandV1 Map(ExecuteScriptCommand command)
                 kubernetesScriptCommand.ScriptPodServiceAccountName,
                 kubernetesScriptCommand.Scripts,
                 kubernetesScriptCommand.Files.ToArray(),
-                kubernetesScriptCommand.IsRawScript);
+                kubernetesScriptCommand.IsRawScript,
+                kubernetesScriptCommand.AuthContext);
         }
 
         static ScriptOperationExecutionResult Map(KubernetesScriptStatusResponseV1 scriptStatusResponse)

source/Octopus.Tentacle.Client/Scripts/Models/Builders/ExecuteKubernetesScriptCommandBuilder.cs

@@ -8,6 +8,7 @@ public class ExecuteKubernetesScriptCommandBuilder : ExecuteScriptCommandBuilder
         KubernetesImageConfiguration? configuration;
         string? scriptPodServiceAccountName;
         bool isRawScript;
+        KubernetesAgentAuthContext? authContext;
 
         public ExecuteKubernetesScriptCommandBuilder(string taskId)
             : base(taskId, ScriptIsolationLevel.NoIsolation) //Kubernetes Agents don't need isolation since the scripts won't clash with each other (it won't clash more than Workers anyway)
@@ -32,6 +33,12 @@ public ExecuteKubernetesScriptCommandBuilder IsRawScript()
             return this;
         }
 
+        public ExecuteKubernetesScriptCommandBuilder WithAuthContext(KubernetesAgentAuthContext context)
+        {
+            authContext = context;
+            return this;
+        }
+
         public override ExecuteScriptCommand Build()
             => new ExecuteKubernetesScriptCommand(
                 ScriptTicket,
@@ -43,7 +50,8 @@ public override ExecuteScriptCommand Build()
                 Files.ToArray(),
                 configuration,
                 scriptPodServiceAccountName,
-                isRawScript
+                isRawScript,
+                authContext
             );
     }
 }

source/Octopus.Tentacle.Client/Scripts/Models/ExecuteKubernetesScriptCommand.cs

@@ -12,6 +12,8 @@ public class ExecuteKubernetesScriptCommand : ExecuteScriptCommand
 
         public bool IsRawScript { get; }
 
+        public KubernetesAgentAuthContext? AuthContext { get; }
+
         public ExecuteKubernetesScriptCommand(
             ScriptTicket scriptTicket,
             string taskId,
@@ -22,12 +24,14 @@ public ExecuteKubernetesScriptCommand(
             ScriptFile[] additionalFiles,
             KubernetesImageConfiguration? imageConfiguration, 
             string? scriptPodServiceAccountName,
-            bool isRawScript)
+            bool isRawScript,
+            KubernetesAgentAuthContext? authContext)
             : base(scriptTicket, taskId, scriptBody, arguments, isolationConfiguration, additionalScripts, additionalFiles)
         {
             ImageConfiguration = imageConfiguration;
             ScriptPodServiceAccountName = scriptPodServiceAccountName;
             IsRawScript = isRawScript;
+            AuthContext = authContext;
         }
     }
 }

source/Octopus.Tentacle.Contracts/KubernetesAgentAuthContext.cs

@@ -0,0 +1,22 @@
+using System;
+
+namespace Octopus.Tentacle.Contracts
+{
+    public class KubernetesAgentAuthContext
+    {
+        public KubernetesAgentAuthContext(string spaceSlug, string projectSlug, string environmentSlug, string? tenantSlug, string stepSlug)
+        {
+            SpaceSlug = spaceSlug;
+            ProjectSlug = projectSlug;
+            EnvironmentSlug = environmentSlug;
+            TenantSlug = tenantSlug;
+            StepSlug = stepSlug;
+        }
+
+        public string SpaceSlug { get; }
+        public string ProjectSlug { get; }
+        public string EnvironmentSlug { get; }
+        public string? TenantSlug { get; }
+        public string StepSlug { get; }
+    }
+}

source/Octopus.Tentacle.Contracts/KubernetesScriptServiceV1/StartKubernetesScriptCommandV1.cs

@@ -18,7 +18,8 @@ public StartKubernetesScriptCommandV1(
             string? scriptPodServiceAccountName,
             Dictionary<ScriptType, string>? additionalScripts,
             ScriptFile[]? additionalFiles,
-            bool isRawScript)
+            bool isRawScript,
+            KubernetesAgentAuthContext? authContext)
         {
             Arguments = arguments;
             TaskId = taskId;
@@ -30,6 +31,7 @@ public StartKubernetesScriptCommandV1(
             PodImageConfiguration = podImageConfiguration;
             ScriptPodServiceAccountName = scriptPodServiceAccountName;
             IsRawScript = isRawScript;
+            AuthContext = authContext;
 
             if (additionalFiles != null)
                 Files.AddRange(additionalFiles);
@@ -58,5 +60,7 @@ public StartKubernetesScriptCommandV1(
         public string[] Arguments { get; }
 
         public string? ScriptPodServiceAccountName { get; }
+
+        public KubernetesAgentAuthContext? AuthContext { get; }
     }
 }

source/Octopus.Tentacle/Kubernetes/KubernetesConfig.cs

@@ -79,6 +79,8 @@ public static class KubernetesConfig
 
         public static string MetricsEnableVariableName => $"{EnvVarPrefix}__ENABLEMETRICSCAPTURE";
 
+        public static readonly string AgentLabelNamespace = "agent.octopus.com";
+
         public static bool MetricsIsEnabled
         {
             get
@@ -118,5 +120,8 @@ static string GetRequiredEnvVar(string variable, string errorMessage)
 
         static string GetEnvironmentVariableOrDefault(string variable, string defaultValue)
             => Environment.GetEnvironmentVariable(variable) ?? defaultValue;
+
+        static bool GetBoolEnvironmentVariableOrDefault(string variable, bool defaultValue)
+            => bool.TryParse(Environment.GetEnvironmentVariable(variable), out var result) ? result : defaultValue;
     }
 }

source/Octopus.Tentacle/Kubernetes/KubernetesScriptPodCreator.cs

@@ -12,6 +12,7 @@
 using Newtonsoft.Json;
 using Octopus.Tentacle.Configuration;
 using Octopus.Tentacle.Configuration.Instances;
+using Octopus.Tentacle.Contracts;
 using Octopus.Tentacle.Contracts.KubernetesScriptServiceV1;
 using Octopus.Tentacle.Core.Diagnostics;
 using Octopus.Tentacle.Core.Services.Scripts.Locking;
@@ -205,7 +206,7 @@ async Task CreatePod(StartKubernetesScriptCommandV1 command, IScriptWorkspace wo
                     Name = podName,
                     NamespaceProperty = KubernetesConfig.Namespace,
                     Labels = Merge(scriptPodTemplate?.Spec.PodMetadata?.Labels, GetScriptPodLabels(tentacleScriptLog, command)),
-                    Annotations = Merge(scriptPodTemplate?.Spec.PodMetadata?.Annotations, ParseScriptPodAnnotations(tentacleScriptLog))
+                    Annotations = Merge(scriptPodTemplate?.Spec.PodMetadata?.Annotations, GetScriptPodAnnotations(tentacleScriptLog, command))
                 },
                 //if the script pod template spec has been defined, use that
                 Spec = scriptPodTemplate?.Spec.PodSpec ?? new V1PodSpec
@@ -380,7 +381,7 @@ protected V1ResourceRequirements GetScriptPodResourceRequirements(InMemoryTentac
                     var message = $"Failed to deserialize env.{KubernetesConfig.PodResourceJsonVariableName} into valid pod resource requirements.{Environment.NewLine}JSON value: {json}{Environment.NewLine}Using default resource requests for script pod.";
                     //if we can't parse the JSON, fall back to the defaults below and warn the user
                     log.WarnFormat(e, message);
-                    //write a verbose message to the script log. 
+                    //write a verbose message to the script log.
                     tentacleScriptLog.Verbose(message);
                 }
             }
@@ -433,7 +434,14 @@ V1Affinity ParseScriptPodAffinity(InMemoryTentacleScriptLog tentacleScriptLog)
                 KubernetesConfig.PodAnnotationsJsonVariableName,
                 "pod annotations");
 
-        Dictionary<string, string>? GetScriptPodLabels(InMemoryTentacleScriptLog tentacleScriptLog, StartKubernetesScriptCommandV1 command)
+        Dictionary<string, string>? GetScriptPodAnnotations(InMemoryTentacleScriptLog tentacleScriptLog, StartKubernetesScriptCommandV1 command)
+        {
+            var annotations = ParseScriptPodAnnotations(tentacleScriptLog) ?? new Dictionary<string, string>();
+            annotations.AddRange(GetAuthContext(command));
+            return annotations;
+        }
+
+        Dictionary<string, string> GetScriptPodLabels(InMemoryTentacleScriptLog tentacleScriptLog, StartKubernetesScriptCommandV1 command)
         {
             var labels = new Dictionary<string, string>
             {
@@ -451,9 +459,54 @@ V1Affinity ParseScriptPodAffinity(InMemoryTentacleScriptLog tentacleScriptLog)
                 labels.AddRange(extraLabels);
             }
 
+            labels.Add($"{KubernetesConfig.AgentLabelNamespace}/permissions", "enabled");
+            labels.AddRange(GetAuthContext(command, true));
+
             return labels;
         }
 
+        static Dictionary<string, string> GetAuthContext(StartKubernetesScriptCommandV1 command, bool hash = false)
+        {
+            var dict = new Dictionary<string, string>();
+
+            if (command.AuthContext is null)
+            {
+                return dict;
+            }
+
+            dict[$"{KubernetesConfig.AgentLabelNamespace}/project"] = hash
+                ? HashValue(command.AuthContext.ProjectSlug)
+                : command.AuthContext.ProjectSlug;
+
+            dict[$"{KubernetesConfig.AgentLabelNamespace}/environment"] = hash
+                ? HashValue(command.AuthContext.EnvironmentSlug)
+                : command.AuthContext.EnvironmentSlug;
+
+            if (command.AuthContext.TenantSlug is not null)
+            {
+                dict[$"{KubernetesConfig.AgentLabelNamespace}/tenant"] = hash
+                    ? HashValue(command.AuthContext.TenantSlug)
+                    : command.AuthContext.TenantSlug;
+            }
+
+            dict[$"{KubernetesConfig.AgentLabelNamespace}/step"] = hash
+                ? HashValue(command.AuthContext.StepSlug)
+                : command.AuthContext.StepSlug;
+
+            dict[$"{KubernetesConfig.AgentLabelNamespace}/space"] = hash
+                ? HashValue(command.AuthContext.SpaceSlug)
+                : command.AuthContext.SpaceSlug;
+
+            return dict;
+        }
+
+        static string HashValue(string value)
+        {
+            using var sha1 = SHA1.Create();
+            var bytes = sha1.ComputeHash(Encoding.UTF8.GetBytes(value));
+            return BitConverter.ToString(bytes).Replace("-","");
+        }
+
         [return: NotNullIfNotNull("defaultValue")]
         T? ParseScriptPodJson<T>(InMemoryTentacleScriptLog tentacleScriptLog, string? json, string envVarName, string description, T? defaultValue = null) where T : class
         {
@@ -472,7 +525,7 @@ V1Affinity ParseScriptPodAffinity(InMemoryTentacleScriptLog tentacleScriptLog)
 
                 //if we can't parse the JSON, fall back to the defaults below and warn the user
                 log.WarnFormat(e, message);
-                //write a verbose message to the script log. 
+                //write a verbose message to the script log.
                 tentacleScriptLog.Verbose(message);
             }