add ability to impersonate for kubectl-wrapper module #91
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the PR! 🚀 |
|
@bharathkkb I wasn't sure how to add to the main gcloud module: https://github.com/terraform-google-modules/terraform-google-gcloud/blob/master/main.tf ... but it'd be nice to add impersonation there as well 😃 |
bharathkkb
requested changes
Apr 25, 2021
There was a problem hiding this comment.
Thanks for the PR
Regarding gcloud module, users can generally use this approach https://github.com/terraform-google-modules/terraform-example-foundation/blob/e30fe8cbd267b9f2e5dad9bc8fdb4360880b1cd4/1-org/envs/shared/scc_notification.tf#L45
|
I have no visiblity into why the CI fails 🙃. This is what I see:
|
bharathkkb
reviewed
Apr 30, 2021
There was a problem hiding this comment.
@yashbhutwala CI output
You can also run them locally. I believe the issue is var.impersonate_service_account is string with default "" so conditional should be var.impersonate_service_account == "" ?
Running command `terraform apply -lock=true -lock-timeout=0s -input=false -auto-approve=true -no-color -parallelism=10 -refresh=true ` in directory /workspace/test/fixtures/kubectl_wrapper_example
module.gke.data.google_client_config.default: Refreshing state...
module.gke.module.gke.data.google_client_config.default: Refreshing state...
module.gke.module.kubectl-local-yaml.module.gcloud_kubectl.data.external.env_override[0]: Refreshing state...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.data.external.env_override[0]: Refreshing state...
Error: Incorrect condition type
on ../../../modules/kubectl-wrapper/main.tf line 32, in module "gcloud_kubectl":
32: create_cmd_body = var.impersonate_service_account ? "${local.base_cmd} ${var.impersonate_service_account} ${var.kubectl_create_command}" : "${local.base_cmd} ${var.kubectl_create_command}"
|----------------
| var.impersonate_service_account is ""
The condition expression must be of type bool.
Error: Incorrect condition type
on ../../../modules/kubectl-wrapper/main.tf line 32, in module "gcloud_kubectl":
32: create_cmd_body = var.impersonate_service_account ? "${local.base_cmd} ${var.impersonate_service_account} ${var.kubectl_create_command}" : "${local.base_cmd} ${var.kubectl_create_command}"
|----------------
| var.impersonate_service_account is ""
The condition expression must be of type bool.
Error: Incorrect condition type
on ../../../modules/kubectl-wrapper/main.tf line 35, in module "gcloud_kubectl":
35: destroy_cmd_body = var.impersonate_service_account ? "${local.base_cmd} ${var.impersonate_service_account} ${var.kubectl_destroy_command}" : "${local.base_cmd} ${var.kubectl_destroy_command}"
|----------------
| var.impersonate_service_account is ""
The condition expression must be of type bool.
Error: Incorrect condition type
on ../../../modules/kubectl-wrapper/main.tf line 35, in module "gcloud_kubectl":
35: destroy_cmd_body = var.impersonate_service_account ? "${local.base_cmd} ${var.impersonate_service_account} ${var.kubectl_destroy_command}" : "${local.base_cmd} ${var.kubectl_destroy_command}"
|----------------
| var.impersonate_service_account is ""
The condition expression must be of type bool.
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>> Converge failed on instance <kubectl-wrapper-example-default>. Please see .kitchen/logs/kubectl-wrapper-example-default.log for more details
>>>>>> ----------------------
|
@bharathkkb I don't have a GCP account where I can run this or bandwidth to figure out setting it up. I tried to fix the conditional. Can you please communicate what the latest failure is? Is it possible to automate dumping the logs to a GitHub comment here? |
|
@bharathkkb I understand your time is valuable. If you're busy, can one of the other maintainers of this repo help please? |
bharathkkb
reviewed
May 7, 2021
There was a problem hiding this comment.
@yashbhutwala apologies, missed this. Here is the CI error. It looks like the command is malformed gcloud container clusters get-credentials gke-on-vpc-cluster --project ci-gcloud-0546 --impersonate-service-account=kubectl Within the wrapper we should only add the flag if impersonate-sa has a valid value
module.gke.module.gke.module.gcloud_wait_for_cluster.null_resource.module_depends_on[0]: Creating...
module.gke.module.gke.module.gcloud_wait_for_cluster.null_resource.module_depends_on[0]: Creation complete after 0s [id=655032079276369943]
module.gke.module.gke.module.gcloud_delete_default_kube_dns_configmap.null_resource.module_depends_on[0]: Creating...
module.gke.module.gke.module.gcloud_delete_default_kube_dns_configmap.null_resource.module_depends_on[0]: Creation complete after 0s [id=6235501171251231086]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.module_depends_on[0]: Creating...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.module_depends_on[0]: Creation complete after 0s [id=1356930797925402823]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_destroy_command[0]: Creating...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0]: Creating...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0]: Provisioning with 'local-exec'...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_destroy_command[0]: Creation complete after 0s [id=9113003221126712514]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): Executing: ["/bin/sh" "-c" "PATH=/google-cloud-sdk/bin:$PATH\n../../../modules/kubectl-wrapper/scripts/kubectl_wrapper.sh gke-on-vpc-cluster us-central1 ci-gcloud-0546 false false kubectl run --generator=run-pod/v1 nginx-imperative --image=nginx\n"]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + '[' 10 -lt 5 ']'
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + CLUSTER_NAME=gke-on-vpc-cluster
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + LOCATION=us-central1
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + PROJECT_ID=ci-gcloud-0546
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + INTERNAL=false
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + USE_EXISTING_CONTEXT=false
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + IMPERSONATE_SERVICE_ACCOUNT=kubectl
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + shift 5
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + false
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + RANDOM_ID=14311_22329
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + export TMPDIR=/tmp/kubectl_wrapper_14311_22329
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + TMPDIR=/tmp/kubectl_wrapper_14311_22329
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + trap cleanup EXIT
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + mkdir /tmp/kubectl_wrapper_14311_22329
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.additional_components_destroy[0]: Creating...
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.additional_components_destroy[0]: Creation complete after 0s [id=3831978060019404227]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + export KUBECONFIG=/tmp/kubectl_wrapper_14311_22329/config
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + KUBECONFIG=/tmp/kubectl_wrapper_14311_22329/config
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): ++ wc -l
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): ++ grep -o -
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + LOCATION_TYPE=1
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + CMD='gcloud container clusters get-credentials gke-on-vpc-cluster --project ci-gcloud-0546 --impersonate-service-account=kubectl'
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + [[ 1 -eq 2 ]]
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + CMD+=' --region us-central1'
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + false
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + gcloud container clusters get-credentials gke-on-vpc-cluster --project ci-gcloud-0546 --impersonate-service-account=kubectl --region us-central1
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): WARNING: This command is using service account impersonation. All API calls will be executed as [kubectl].
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): ERROR: (gcloud.container.clusters.get-credentials) INVALID_ARGUMENT: Request contains an invalid argument.
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + cleanup
module.gke.module.kubectl-imperative.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): + rm -rf /tmp/kubectl_wrapper_14311_22329
Error: Error running command 'PATH=/google-cloud-sdk/bin:$PATH
../../../modules/kubectl-wrapper/scripts/kubectl_wrapper.sh gke-on-vpc-cluster us-central1 ci-gcloud-0546 false false kubectl run --generator=run-pod/v1 nginx-imperative --image=nginx
': exit status 1. Output: + '[' 10 -lt 5 ']'
+ CLUSTER_NAME=gke-on-vpc-cluster
+ LOCATION=us-central1
+ PROJECT_ID=ci-gcloud-0546
+ INTERNAL=false
+ USE_EXISTING_CONTEXT=false
+ IMPERSONATE_SERVICE_ACCOUNT=kubectl
+ shift 5
+ false
+ RANDOM_ID=14311_22329
+ export TMPDIR=/tmp/kubectl_wrapper_14311_22329
+ TMPDIR=/tmp/kubectl_wrapper_14311_22329
+ trap cleanup EXIT
+ mkdir /tmp/kubectl_wrapper_14311_22329
+ export KUBECONFIG=/tmp/kubectl_wrapper_14311_22329/config
+ KUBECONFIG=/tmp/kubectl_wrapper_14311_22329/config
++ wc -l
++ grep -o -
+ LOCATION_TYPE=1
+ CMD='gcloud container clusters get-credentials gke-on-vpc-cluster --project ci-gcloud-0546 --impersonate-service-account=kubectl'
+ [[ 1 -eq 2 ]]
+ CMD+=' --region us-central1'
+ false
+ gcloud container clusters get-credentials gke-on-vpc-cluster --project ci-gcloud-0546 --impersonate-service-account=kubectl --region us-central1
WARNING: This command is using service account impersonation. All API calls will be executed as [kubectl].
ERROR: (gcloud.container.clusters.get-credentials) INVALID_ARGUMENT: Request contains an invalid argument.
+ cleanup
+ rm -rf /tmp/kubectl_wrapper_14311_22329
```
|
ah interesting, thanks @bharathkkb, but I'm not quite sure how I'd check for that 🤔 . It'd be easier if I made it a breaking change by changing the |
|
@bharathkkb looks like CI is green finally ✅ 😄! Can you re-review please? |
yashbhutwala
commented
May 7, 2021
bharathkkb
approved these changes
May 8, 2021
|
Thank you @bharathkkb for your review! Can you possibly release this in a point release so we can use it in the gke module please? 😃 |
|
@bharathkkb can you please create a release with this PR, so we can use it to resolve terraform-google-modules/terraform-google-kubernetes-engine#874? |
|
Thank you @bharathkkb, please review terraform-google-modules/terraform-google-kubernetes-engine#903 when you get a chance. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #90 here for usage in fixing terraform-google-modules/terraform-google-kubernetes-engine#874 upstream