feat(kubectl): Generate kubeconfig dynamically (#62)

modules/kubectl-wrapper/README.md

@@ -31,10 +31,12 @@ module "kubectl" {
 | create\_cmd\_triggers | List of any additional triggers for the create command execution. | map | `<map>` | no |
 | enabled | Flag to optionally disable usage of this module. | bool | `"true"` | no |
 | gcloud\_sdk\_version | The gcloud sdk version to download. | string | `"281.0.0"` | no |
+| internal\_ip | Use internal ip for the cluster endpoint. | bool | `"false"` | no |
 | kubectl\_create\_command | The kubectl command to create resources. | string | n/a | yes |
 | kubectl\_destroy\_command | The kubectl command to destroy resources. | string | n/a | yes |
 | module\_depends\_on | List of modules or resources this module depends on. | list | `<list>` | no |
 | project\_id | The project ID hosting the cluster. Optional if use_existing_context is true. | string | `""` | no |
+| service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | string | `""` | no |
 | skip\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl is already available outside the module) | bool | `"true"` | no |
 | upgrade | Whether to upgrade gcloud at runtime | bool | `"true"` | no |
 | use\_existing\_context | Use existing kubecontext to auth kube-api. | bool | `"false"` | no |

modules/kubectl-wrapper/main.tf

@@ -15,36 +15,22 @@
  */
 
 locals {
-  cluster_endpoint       = "https://${data.google_container_cluster.primary.0.endpoint}"
-  cluster_ca_certificate = data.google_container_cluster.primary.0.master_auth.0.cluster_ca_certificate
-  token                  = data.google_client_config.default.0.access_token
-  create_cmd             = var.use_existing_context ? var.kubectl_create_command : "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} ${var.kubectl_create_command}"
-  destroy_cmd            = var.use_existing_context ? var.kubectl_destroy_command : "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} ${var.kubectl_destroy_command}"
-}
-
-data "google_container_cluster" "primary" {
-  count    = var.enabled && ! var.use_existing_context ? 1 : 0
-  name     = var.cluster_name
-  project  = var.project_id
-  location = var.cluster_location
-}
-
-data "google_client_config" "default" {
-  count = var.enabled && ! var.use_existing_context ? 1 : 0
+  base_cmd = "${var.cluster_name} ${var.cluster_location} ${var.project_id} ${var.internal_ip} ${var.use_existing_context}"
 }
 
 module "gcloud_kubectl" {
-  source                = "../.."
-  module_depends_on     = var.module_depends_on
-  additional_components = var.additional_components
-  skip_download         = var.skip_download
-  gcloud_sdk_version    = var.gcloud_sdk_version
-  enabled               = var.enabled
-  upgrade               = var.upgrade
+  source                   = "../.."
+  module_depends_on        = var.module_depends_on
+  additional_components    = var.additional_components
+  skip_download            = var.skip_download
+  gcloud_sdk_version       = var.gcloud_sdk_version
+  enabled                  = var.enabled
+  upgrade                  = var.upgrade
+  service_account_key_file = var.service_account_key_file
 
   create_cmd_entrypoint  = "${path.module}/scripts/kubectl_wrapper.sh"
-  create_cmd_body        = local.create_cmd
+  create_cmd_body        = "${local.base_cmd} ${var.kubectl_create_command}"
   create_cmd_triggers    = var.create_cmd_triggers
   destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
-  destroy_cmd_body       = local.destroy_cmd
+  destroy_cmd_body       = "${local.base_cmd} ${var.kubectl_destroy_command}"
 }

modules/kubectl-wrapper/scripts/kubectl_wrapper.sh

@@ -21,33 +21,47 @@ if [ "$#" -lt 3 ]; then
     exit 1
 fi
 
-HOST=$1
-TOKEN=$2
-CA_CERTIFICATE=$3
+CLUSTER_NAME=$1
+LOCATION=$2
+PROJECT_ID=$3
+INTERNAL=$4
+USE_EXISTING_CONTEXT=$5
 
-shift 3
+shift 5
 
-RANDOM_ID="${RANDOM}_${RANDOM}"
-export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}"
+if $USE_EXISTING_CONTEXT ;then
 
-function cleanup {
-    rm -rf "${TMPDIR}"
-}
-trap cleanup EXIT
+    "$@"
 
-mkdir "${TMPDIR}"
+else
 
-export KUBECONFIG="${TMPDIR}/config"
+    RANDOM_ID="${RANDOM}_${RANDOM}"
+    export TMPDIR="/tmp/kubectl_wrapper_${RANDOM_ID}"
 
-# shellcheck disable=SC1117
-base64 --help | grep "\--decode" && B64_ARG="--decode" || B64_ARG="-d"
-echo "${CA_CERTIFICATE}" | base64 ${B64_ARG} > "${TMPDIR}/ca_certificate"
+    function cleanup {
+        rm -rf "${TMPDIR}"
+    }
+    trap cleanup EXIT
 
-kubectl config set-cluster kubectl-wrapper --server="${HOST}" --certificate-authority="${TMPDIR}/ca_certificate" --embed-certs=true 1>/dev/null
-rm -f "${TMPDIR}/ca_certificate"
-kubectl config set-context kubectl-wrapper --cluster=kubectl-wrapper --user=kubectl-wrapper --namespace=default 1>/dev/null
-kubectl config set-credentials kubectl-wrapper --token="${TOKEN}" 1>/dev/null
-kubectl config use-context kubectl-wrapper 1>/dev/null
-kubectl version 1>/dev/null
+    mkdir "${TMPDIR}"
 
-"$@"
+    export KUBECONFIG="${TMPDIR}/config"
+
+    LOCATION_TYPE=$(grep -o "-" <<< "${LOCATION}" | wc -l)
+
+    CMD="gcloud container clusters get-credentials ${CLUSTER_NAME} --project ${PROJECT_ID}"
+
+    if [[ $LOCATION_TYPE -eq 2 ]] ;then
+        CMD+=" --zone ${LOCATION}"
+    else
+        CMD+=" --region ${LOCATION}"
+    fi
+
+    if $INTERNAL ;then
+        CMD+=" --internal-ip"
+    fi
+
+    $CMD
+
+    "$@"
+fi

modules/kubectl-wrapper/variables.tf

@@ -87,3 +87,14 @@ variable "use_existing_context" {
   type        = bool
   default     = false
 }
+
+variable "internal_ip" {
+  description = "Use internal ip for the cluster endpoint."
+  type        = bool
+  default     = false
+}
+
+variable "service_account_key_file" {
+  description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
+  default     = ""
+}