refactor(kubernetes): Provider implementations deal with Manager instantiations

Removed `*Manager` parameter from `ProviderFactory`.

Provider implementations should deal with the appropriate (base) Manager instantiation
if needed at all.

Manager creation function divided into two explicit functions:
- NewKubeconfigManager: to be used when using KubeConfig files
- NewInClusterManager: to be used inside a cluster

New functions contain validations to ensure they are used in the expected places.
This ensures that the right manager is used by the provider implementation.

Fake kubeconfig for in-cluster Manager is now generated when the Manager is created.
This kubeconfig has the "magic" strings (inClusterKubeConfigDefaultContext) that are
used by the MCP server and tool mutators.

Signed-off-by: Marc Nuri <[email protected]>

Author: manusa

pkg/kubernetes/configuration.go

@@ -38,9 +38,6 @@ func (k *Kubernetes) NamespaceOrDefault(namespace string) string {
 // ConfigurationContextsDefault returns the current context name
 // TODO: Should be moved to the Provider level ?
 func (k *Kubernetes) ConfigurationContextsDefault() (string, error) {
-	if k.manager.inCluster {
-		return inClusterKubeConfigDefaultContext, nil
-	}
 	cfg, err := k.manager.clientCmdConfig.RawConfig()
 	if err != nil {
 		return "", err
@@ -51,9 +48,6 @@ func (k *Kubernetes) ConfigurationContextsDefault() (string, error) {
 // ConfigurationContextsList returns the list of available context names
 // TODO: Should be moved to the Provider level ?
 func (k *Kubernetes) ConfigurationContextsList() (map[string]string, error) {
-	if k.manager.inCluster {
-		return map[string]string{inClusterKubeConfigDefaultContext: ""}, nil
-	}
 	cfg, err := k.manager.clientCmdConfig.RawConfig()
 	if err != nil {
 		return nil, err
@@ -77,21 +71,7 @@ func (k *Kubernetes) ConfigurationContextsList() (map[string]string, error) {
 func (k *Kubernetes) ConfigurationView(minify bool) (runtime.Object, error) {
 	var cfg clientcmdapi.Config
 	var err error
-	if k.manager.inCluster {
-		cfg = *clientcmdapi.NewConfig()
-		cfg.Clusters["cluster"] = &clientcmdapi.Cluster{
-			Server:                k.manager.cfg.Host,
-			InsecureSkipTLSVerify: k.manager.cfg.Insecure,
-		}
-		cfg.AuthInfos["user"] = &clientcmdapi.AuthInfo{
-			Token: k.manager.cfg.BearerToken,
-		}
-		cfg.Contexts[inClusterKubeConfigDefaultContext] = &clientcmdapi.Context{
-			Cluster:  "cluster",
-			AuthInfo: "user",
-		}
-		cfg.CurrentContext = inClusterKubeConfigDefaultContext
-	} else if cfg, err = k.manager.clientCmdConfig.RawConfig(); err != nil {
+	if cfg, err = k.manager.clientCmdConfig.RawConfig(); err != nil {
 		return nil, err
 	}
 	if minify {

pkg/kubernetes/kubernetes_derived_test.go

@@ -47,7 +47,7 @@ users:
 			kubeconfig = "` + strings.ReplaceAll(kubeconfigPath, `\`, `\\`) + `"
 		`)))
 		s.Run("without authorization header returns original manager", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 
@@ -58,7 +58,7 @@ users:
 		})
 
 		s.Run("with invalid authorization header returns original manager", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 
@@ -70,7 +70,7 @@ users:
 		})
 
 		s.Run("with valid bearer token creates derived manager with correct configuration", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 
@@ -138,7 +138,7 @@ users:
 		`)))
 
 		s.Run("with no authorization header returns oauth token required error", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 
@@ -149,7 +149,7 @@ users:
 		})
 
 		s.Run("with invalid authorization header returns oauth token required error", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 
@@ -161,7 +161,7 @@ users:
 		})
 
 		s.Run("with valid bearer token creates derived manager", func() {
-			testManager, err := NewManager(testStaticConfig, "")
+			testManager, err := NewKubeconfigManager(testStaticConfig, "")
 			s.Require().NoErrorf(err, "failed to create test manager: %v", err)
 			s.T().Cleanup(testManager.Close)
 

pkg/kubernetes/manager.go

@@ -25,7 +25,6 @@ import (
 type Manager struct {
 	cfg                     *rest.Config
 	clientCmdConfig         clientcmd.ClientConfig
-	inCluster               bool
 	discoveryClient         discovery.CachedDiscoveryInterface
 	accessControlClientSet  *AccessControlClientset
 	accessControlRESTMapper *AccessControlRESTMapper
@@ -38,33 +37,77 @@ type Manager struct {
 var _ helm.Kubernetes = (*Manager)(nil)
 var _ Openshift = (*Manager)(nil)
 
-func NewManager(config *config.StaticConfig, kubeconfigContext string) (*Manager, error) {
-	k8s := &Manager{
-		staticConfig: config,
+var (
+	ErrorKubeconfigInClusterNotAllowed = errors.New("kubeconfig manager cannot be used in in-cluster deployments")
+	ErrorInClusterNotInCluster         = errors.New("in-cluster manager cannot be used outside of a cluster")
+)
+
+func NewKubeconfigManager(config *config.StaticConfig, kubeconfigContext string) (*Manager, error) {
+	if IsInCluster(config) {
+		return nil, ErrorKubeconfigInClusterNotAllowed
 	}
+
 	pathOptions := clientcmd.NewDefaultPathOptions()
-	if k8s.staticConfig.KubeConfig != "" {
-		pathOptions.LoadingRules.ExplicitPath = k8s.staticConfig.KubeConfig
+	if config.KubeConfig != "" {
+		pathOptions.LoadingRules.ExplicitPath = config.KubeConfig
 	}
-	k8s.clientCmdConfig = clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+	clientCmdConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 		pathOptions.LoadingRules,
 		&clientcmd.ConfigOverrides{
 			ClusterInfo:    clientcmdapi.Cluster{Server: ""},
 			CurrentContext: kubeconfigContext,
 		})
-	var err error
-	if IsInCluster(k8s.staticConfig) {
-		k8s.cfg, err = InClusterConfig()
-		k8s.inCluster = true
-	} else {
-		k8s.cfg, err = k8s.clientCmdConfig.ClientConfig()
+
+	restConfig, err := clientCmdConfig.ClientConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create kubernetes rest config from kubeconfig: %v", err)
 	}
-	if err != nil || k8s.cfg == nil {
-		return nil, fmt.Errorf("failed to create kubernetes rest config: %v", err)
+
+	return newManager(config, restConfig, clientCmdConfig)
+}
+
+func NewInClusterManager(config *config.StaticConfig) (*Manager, error) {
+	if config.KubeConfig != "" {
+		return nil, fmt.Errorf("kubeconfig file %s cannot be used with the in-cluster deployments: %v", config.KubeConfig, ErrorKubeconfigInClusterNotAllowed)
+	}
+
+	if !IsInCluster(config) {
+		return nil, ErrorInClusterNotInCluster
+	}
+
+	restConfig, err := InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create in-cluster kubernetes rest config: %v", err)
+	}
+
+	// Create a dummy kubeconfig clientcmdapi.Config for in-cluster config to be used in places where clientcmd.ClientConfig is required
+	clientCmdConfig := clientcmdapi.NewConfig()
+	clientCmdConfig.Clusters["cluster"] = &clientcmdapi.Cluster{
+		Server:                restConfig.Host,
+		InsecureSkipTLSVerify: restConfig.Insecure,
+	}
+	clientCmdConfig.AuthInfos["user"] = &clientcmdapi.AuthInfo{
+		Token: restConfig.BearerToken,
+	}
+	clientCmdConfig.Contexts[inClusterKubeConfigDefaultContext] = &clientcmdapi.Context{
+		Cluster:  "cluster",
+		AuthInfo: "user",
+	}
+	clientCmdConfig.CurrentContext = inClusterKubeConfigDefaultContext
+
+	return newManager(config, restConfig, clientcmd.NewDefaultClientConfig(*clientCmdConfig, nil))
+}
+
+func newManager(config *config.StaticConfig, restConfig *rest.Config, clientCmdConfig clientcmd.ClientConfig) (*Manager, error) {
+	k8s := &Manager{
+		staticConfig:    config,
+		cfg:             restConfig,
+		clientCmdConfig: clientCmdConfig,
 	}
 	if k8s.cfg.UserAgent == "" {
 		k8s.cfg.UserAgent = rest.DefaultKubernetesUserAgent()
 	}
+	var err error
 	// TODO: Won't work because not all client-go clients use the shared context (e.g. discovery client uses context.TODO())
 	//k8s.cfg.Wrap(func(original http.RoundTripper) http.RoundTripper {
 	//	return &impersonateRoundTripper{original}
@@ -229,7 +272,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 	derived := &Kubernetes{
 		manager: &Manager{
 			clientCmdConfig: clientcmd.NewDefaultClientConfig(clientCmdApiConfig, nil),
-			inCluster:       m.inCluster,
 			cfg:             derivedCfg,
 			staticConfig:    m.staticConfig,
 		},