Calamari icon indicating copy to clipboard operation
Calamari copied to clipboard
verified publisher icon OctopusDeploy

Warn customers if their GKE auth tooling is incorrect

Open mjhilton opened this issue 3 years ago • 1 comments

Background

From kubctl 1.26 onward, some auth code which used to be integrated in the tool (for doing Azure- and GCloud-specific OAuth flows) has been removed, making it the vendor's responsibility to publish authentication plugins that implement their required auth logic.

This PR is designed to help customers choose the correct tooling for their situation, and guide them to the right information if they're not in a compatible state.

Before

If customers run into an incompatible scenario (eg they use kubectl >= 1.26, but don't have the gke-gcloud-auth-plugin installed), their auth to the cluster and therefore any step that tries to deploy to the cluster will fail.

The warnings provided by the kubectl tooling may or may not be clear enough for the customer to understand what's gone wrong or what they need to do to fix it - they're out of our control.

After

If customers are in a situation where their GKE auth would fail, we write a warning message to the logs, and direct them to a link that can help them remediate the scenario.

Fixes OctopusDeploy/Issues#7621. Addresses [sc-6271] (internal).

Notes/implementation details

This PR also bundles a series of refactorings that were done to make the code easier to reason about before implementing the main change.

The Azure equivalent is fine as-is, because the way we authenticate to Azure never invoked the Azure-specific auth from kubectl; instead it generates generic certificate-based auth credentials directly into the kubeconfig.

The warning message for the problematic GKE configuration uses an oc.to link which is configured via short.io. It currently points just to the GCloud blog about this change, but we could/should probably create our own first-party blog content to put the changes in clearer context for Octopus users. This can be done at any time without a code change, we just update where the oc.to link points to.

mjhilton avatar Nov 17 '22 03:11 mjhilton

This pull request has been linked to Shortcut Story #6271: Update Kubernetes integration to support plugin-based architecture for vendor auth.

shortcut-integration[bot] avatar Nov 17 '22 03:11 shortcut-integration[bot]