Refactor GKE Kubeconfig handling

Signed-off-by: Rick Lane <[email protected]>
datawire · Apr 12, 2024 · 94950cc · 94950cc
1 parent 2b249f0
commit 94950cc
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 12 deletions.
diff --git a/.github/actions/gke-kubeconfig/action.yaml b/.github/actions/gke-kubeconfig/action.yaml
@@ -22,10 +22,7 @@ runs:
       with:
         credentials_json: ${{ inputs.gkeCredentials }}
         create_credentials_file: true
-    - name: Get cluster credentials using GitHub action
-      uses: google-github-actions/get-gke-credentials@v2
+    - name: Install gke-gcloud-auth-plugin
+      uses: google-github-actions/setup-gcloud@v2
       with:
-        project_id: ${{ env.GOOGLE_CLOUD_PROJECT }}
-        location: ${{ inputs.location }}
-        cluster_name: ${{ inputs.clusterName }}
-        use_auth_provider: ${{ inputs.useAuthProvider }}
+        install_components: gke-gcloud-auth-plugin
diff --git a/.github/actions/provision-cluster/create.js b/.github/actions/provision-cluster/create.js
@@ -12,6 +12,7 @@ async function create() {
   const version = core.getInput("version");
   const lifespan = core.getInput("lifespan");
   const kubeconfigPath = core.getInput("kubeconfig");
+  const useAuthProvider = core.getInput("useAuthProvider");
 
   let provider = registry.getProvider(distribution);
 
@@ -30,7 +31,10 @@ async function create() {
   core.setOutput("location", cluster?.zone);
 
   core.notice(`Creating ${distribution} cluster ${cluster.name} ...`);
-  let kubeconfig = await provider.makeKubeconfig(cluster);
+  let kubeconfig = await provider.makeKubeconfig(
+    cluster,
+    useAuthProvider === "true"
+  );
   core.notice(`Cluster created: ${cluster.name}!`);
   let contents = JSON.stringify(kubeconfig, undefined, 2) + "\n";
   utils.writeFile(kubeconfigPath, contents);

diff --git a/.github/actions/provision-cluster/lib/gke.js b/.github/actions/provision-cluster/lib/gke.js
@@ -102,7 +102,62 @@ class Client {
   }
 
   // Make a functioning kubeconfig from a cluster object.
-  async makeKubeconfig(cluster) {
+  async makeKubeconfig(cluster, useAuthProvider = false) {
+    if (useAuthProvider) {
+      return this.makeKubeconfigUsingAuthProvider(cluster);
+    }
+
+    return this.makeKubeconfigWithToken(cluster);
+  }
+
+  async makeKubeconfigUsingAuthProvider(cluster) {
+    let kubeconfig = {
+      apiVersion: "v1",
+      kind: "Config",
+      clusters: [
+        {
+          cluster: {
+            "certificate-authority-data":
+              cluster.masterAuth.clusterCaCertificate,
+            server: `https://${cluster.endpoint}`,
+          },
+          name: "gke-cluster",
+        },
+      ],
+      users: [
+        {
+          name: "gke-user",
+          user: {
+            exec: {
+              apiVersion: "client.authentication.k8s.io/v1beta1",
+              args: null,
+              command: "gke-gcloud-auth-plugin",
+              env: null,
+              installHint:
+                "Install gke-gcloud-auth-plugin for use with kubectl by following https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke",
+              interactiveMode: "IfAvailable",
+              provideClusterInfo: true,
+            },
+          },
+        },
+      ],
+      contexts: [
+        {
+          context: {
+            cluster: "gke-cluster",
+            namespace: "default",
+            user: "gke-user",
+          },
+          name: "gke-context",
+        },
+      ],
+      "current-context": "gke-context",
+    };
+
+    return kubeconfig;
+  }
+
+  async makeKubeconfigWithToken(cluster) {
     let token = await this.client.auth.getAccessToken();
 
     let kubeconfig = {

diff --git a/.github/workflows/matrix.yaml b/.github/workflows/matrix.yaml
@@ -26,9 +26,12 @@ jobs:
         client_os: [ubuntu]
         client_arch: [latest]
         clusters:
-         - version: "1.27"
-         - version: "1.27"
-           config: '{ "initialNodeCount" : 2 }'
+        - version: "1.27"
+          useAuthProvider: "true"
+        - version: "1.27"
+          useAuthProvider: "false"
+        - version: "1.27"
+          config: '{ "initialNodeCount" : 2 }'
     runs-on: ${{ matrix.client_os }}-${{ matrix.client_arch }}
     env:
       GKE_CREDENTIALS: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}
@@ -42,8 +45,9 @@ jobs:
           kubeconfig: kubeconfig.yaml
           gkeCredentials: ${{ env.GKE_CREDENTIALS }}
           gkeConfig: ${{ matrix.clusters.config }}
-          useAuthProvider: "false"
+          useAuthProvider: ${{ matrix.clusters.useAuthProvider }}
       - run: |
+          kubectl config view
           kubectl version
           kubectl get pods -A
       - name: "validate gke config"
@@ -77,5 +81,6 @@ jobs:
           kubeconfig: kubeconfig.yaml
           kubeceptionToken: ${{ env.KUBECEPTION_TOKEN }}
       - run: |
+          kubectl config view
           kubectl version
           kubectl get pods -A