Add support for kubeconfig auth provider

2i2c-org · May 3, 2021 · aaaef2c · aaaef2c
1 parent b5b0016
commit aaaef2c
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 19 deletions.
diff --git a/config/hubs/schema.yaml b/config/hubs/schema.yaml
@@ -14,9 +14,23 @@ properties:
     type: string
     description: |
       Cloud provider this cluster is running on. Used to perform
-      authentication against the cluster. Currently supports gcp.
+      authentication against the cluster. Currently supports gcp
+      and raw kubeconfig files.
     enum: 
       - gcp
+      - kubeconfig
+  kubeconfig:
+    type: object
+    description: |
+      Configuration to connect to a cluster purely via a kubeconfig
+      file. 
+    additionalProperties: false
+    properties:
+      file:
+        type: string
+        descriptiON: |
+          Path to kubeconfig file (encrypted with sops) to use for
+          connecting to the cluster
   gcp:
     type: object
     additionalProperties: false

diff --git a/deployer/hub.py b/deployer/hub.py
@@ -37,12 +37,23 @@ def build_image(self):
 
     @contextmanager
     def auth(self):
-        with tempfile.NamedTemporaryFile() as kubeconfig:
-            # FIXME: This is dumb
-            os.environ['KUBECONFIG'] = kubeconfig.name
-            assert self.spec['provider'] == 'gcp'
-
+        if self.spec['provider'] == 'gcp':
             yield from self.auth_gcp()
+        elif self.spec['provider'] == 'kubeconfig':
+            yield from self.auth_kubeconfig()
+        else:
+            raise ValueError(f'Provider {self.spec["provider"]} not supported')
+
+
+    def auth_kubeconfig(self):
+        config = self.spec['kubeconfig']
+        config_path = config['file']
+
+        with decrypt_file(config_path) as decrypted_key_path:
+            # FIXME: This is dumb
+            print(decrypted_key_path)
+            os.environ['KUBECONFIG'] = decrypted_key_path
+            yield
 
     def auth_gcp(self):
         config = self.spec['gcp']
@@ -52,23 +63,23 @@ def auth_gcp(self):
         # Else, it'll just have a `zone` key set. Let's respect either.
         location = config.get('zone', config.get('region'))
         cluster = config['cluster']
+        with tempfile.NamedTemporaryFile() as kubeconfig:
+            with decrypt_file(key_path) as decrypted_key_path:
+                subprocess.check_call([
+                    'gcloud', 'auth',
+                    'activate-service-account',
+                    '--key-file', os.path.abspath(decrypted_key_path)
+                ])
 
-        with decrypt_file(key_path) as decrypted_key_path:
             subprocess.check_call([
-                'gcloud', 'auth',
-                'activate-service-account',
-                '--key-file', os.path.abspath(decrypted_key_path)
+                'gcloud', 'container', 'clusters',
+                # --zone works with regions too
+                f'--zone={location}',
+                f'--project={project}',
+                'get-credentials', cluster
             ])
 
-        subprocess.check_call([
-            'gcloud', 'container', 'clusters',
-            # --zone works with regions too
-            f'--zone={location}',
-            f'--project={project}',
-            'get-credentials', cluster
-        ])
-
-        yield
+            yield
 
 
 class Hub: