use kubeconfig instead of gcp

Author: afarbos

Tiltfile

@@ -102,14 +102,16 @@ FROM golang:1.18 as tilt-helper
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
     wget --output-document /start.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/start.sh && \
-    chmod +x /start.sh && chmod +x /restart.sh
+    chmod +x /start.sh && chmod +x /restart.sh && \
+    touch /process.txt && chmod 0666 /process.txt `# pre-create PID file to allow even non-root users to run the image`
 """
 
 tilt_dockerfile_header = """
 FROM gcr.io/distroless/base:debug as tilt
 WORKDIR /
 COPY --from=tilt-helper /start.sh .
 COPY --from=tilt-helper /restart.sh .
+COPY --from=tilt-helper /process.txt .
 COPY manager .
 """
 

cloud/scope/clients.go

@@ -103,34 +103,6 @@ func newComputeService(ctx context.Context, credentialsRef *infrav1.ObjectRefere
 	return computeSvc, nil
 }
 
-func newTargetPoolsClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*computerest.TargetPoolsClient, error) {
-	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
-	if err != nil {
-		return nil, fmt.Errorf("getting default gcp client options: %w", err)
-	}
-
-	targetPoolsClient, err := computerest.NewTargetPoolsRESTClient(ctx, opts...)
-	if err != nil {
-		return nil, errors.Errorf("failed to create target pools client: %v", err)
-	}
-
-	return targetPoolsClient, nil
-}
-
-func newForwardingRulesClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*computerest.ForwardingRulesClient, error) {
-	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
-	if err != nil {
-		return nil, fmt.Errorf("getting default gcp client options: %w", err)
-	}
-
-	forwardingRulesClient, err := computerest.NewForwardingRulesRESTClient(ctx, opts...)
-	if err != nil {
-		return nil, errors.Errorf("failed to create gcp forwarding rules client: %v", err)
-	}
-
-	return forwardingRulesClient, nil
-}
-
 func newClusterManagerClient(ctx context.Context, credentialsRef *infrav1.ObjectReference, crClient client.Client) (*container.ClusterManagerClient, error) {
 	opts, err := defaultClientOptions(ctx, credentialsRef, crClient)
 	if err != nil {

cloud/scope/managedcontrolplane.go

@@ -24,7 +24,6 @@ import (
 
 	"sigs.k8s.io/cluster-api/util/conditions"
 
-	compute "cloud.google.com/go/compute/apiv1"
 	container "cloud.google.com/go/container/apiv1"
 	credentials "cloud.google.com/go/iam/credentials/apiv1"
 	resourcemanager "cloud.google.com/go/resourcemanager/apiv3"
@@ -44,8 +43,6 @@ const (
 // ManagedControlPlaneScopeParams defines the input parameters used to create a new Scope.
 type ManagedControlPlaneScopeParams struct {
 	CredentialsClient      *credentials.IamCredentialsClient
-	TargetPoolsClient      *compute.TargetPoolsClient
-	ForwardingRulesClient  *compute.ForwardingRulesClient
 	ManagedClusterClient   *container.ClusterManagerClient
 	TagBindingsClient      *resourcemanager.TagBindingsClient
 	Client                 client.Client
@@ -72,30 +69,13 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane
 		return nil, fmt.Errorf("getting gcp credentials: %w", err)
 	}
 
-	if params.TargetPoolsClient == nil {
-		targetPoolsClient, err := newTargetPoolsClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
-		if err != nil {
-			return nil, errors.Errorf("failed to create gcp target pools client: %v", err)
-		}
-		params.TargetPoolsClient = targetPoolsClient
-	}
-
-	if params.ForwardingRulesClient == nil {
-		forwardingRulesClient, err := newForwardingRulesClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
-		if err != nil {
-			return nil, errors.Errorf("failed to create gcp forwarding rules client: %v", err)
-		}
-		params.ForwardingRulesClient = forwardingRulesClient
-	}
-
 	if params.ManagedClusterClient == nil {
 		managedClusterClient, err := newClusterManagerClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client)
 		if err != nil {
 			return nil, errors.Errorf("failed to create gcp managed cluster client: %v", err)
 		}
 		params.ManagedClusterClient = managedClusterClient
 	}
-
 	if params.TagBindingsClient == nil {
 		tagBindingsClient, err := newTagBindingsClient(ctx, params.GCPManagedCluster.Spec.CredentialsRef, params.Client, params.GCPManagedCluster.Spec.Region)
 		if err != nil {
@@ -122,8 +102,6 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane
 		Cluster:                params.Cluster,
 		GCPManagedCluster:      params.GCPManagedCluster,
 		GCPManagedControlPlane: params.GCPManagedControlPlane,
-		tpClient:               params.TargetPoolsClient,
-		frClient:               params.ForwardingRulesClient,
 		mcClient:               params.ManagedClusterClient,
 		tagBindingsClient:      params.TagBindingsClient,
 		credentialsClient:      params.CredentialsClient,
@@ -140,8 +118,6 @@ type ManagedControlPlaneScope struct {
 	Cluster                *clusterv1.Cluster
 	GCPManagedCluster      *infrav1exp.GCPManagedCluster
 	GCPManagedControlPlane *infrav1exp.GCPManagedControlPlane
-	tpClient               *compute.TargetPoolsClient
-	frClient               *compute.ForwardingRulesClient
 	mcClient               *container.ClusterManagerClient
 	tagBindingsClient      *resourcemanager.TagBindingsClient
 	credentialsClient      *credentials.IamCredentialsClient
@@ -166,8 +142,6 @@ func (s *ManagedControlPlaneScope) PatchObject() error {
 
 // Close closes the current scope persisting the managed control plane configuration and status.
 func (s *ManagedControlPlaneScope) Close() error {
-	s.tpClient.Close()
-	s.frClient.Close()
 	s.mcClient.Close()
 	s.tagBindingsClient.Close()
 	s.credentialsClient.Close()
@@ -184,16 +158,6 @@ func (s *ManagedControlPlaneScope) Client() client.Client {
 	return s.client
 }
 
-// TargetPoolsClient returns a client used to interact with google compute target pools.
-func (s *ManagedControlPlaneScope) TargetPoolsClient() *compute.TargetPoolsClient {
-	return s.tpClient
-}
-
-// ForwardingRulesClient returns a client used to interact with google compute forwarding rules.
-func (s *ManagedControlPlaneScope) ForwardingRulesClient() *compute.ForwardingRulesClient {
-	return s.frClient
-}
-
 // ManagedControlPlaneClient returns a client used to interact with GKE.
 func (s *ManagedControlPlaneScope) ManagedControlPlaneClient() *container.ClusterManagerClient {
 	return s.mcClient

cloud/services/container/clusters/kubeconfig.go

@@ -41,34 +41,35 @@ const (
 	GkeScope = "https://www.googleapis.com/auth/cloud-platform"
 )
 
-func (s *Service) reconcileKubeconfig(ctx context.Context, cluster *containerpb.Cluster, log *logr.Logger) error {
+func (s *Service) reconcileKubeconfig(ctx context.Context, cluster *containerpb.Cluster, log *logr.Logger) (clientcmd.ClientConfig, error) {
 	log.Info("Reconciling kubeconfig")
 	clusterRef := types.NamespacedName{
 		Name:      s.scope.Cluster.Name,
 		Namespace: s.scope.Cluster.Namespace,
 	}
+	var kubeConfig *api.Config
 
 	configSecret, err := secret.GetFromNamespacedName(ctx, s.scope.Client(), clusterRef, secret.Kubeconfig)
 	if err != nil {
 		if !apierrors.IsNotFound(err) {
 			log.Error(err, "getting kubeconfig secret", "name", clusterRef)
-			return fmt.Errorf("getting kubeconfig secret %s: %w", clusterRef, err)
+			return nil, fmt.Errorf("getting kubeconfig secret %s: %w", clusterRef, err)
 		}
 		log.Info("kubeconfig secret not found, creating")
 
-		if createErr := s.createCAPIKubeconfigSecret(
+		if kubeConfig, err = s.createCAPIKubeconfigSecret(
 			ctx,
 			cluster,
 			&clusterRef,
 			log,
-		); createErr != nil {
-			return fmt.Errorf("creating kubeconfig secret: %w", createErr)
+		); err != nil {
+			return nil, fmt.Errorf("creating kubeconfig secret: %w", err)
 		}
-	} else if updateErr := s.updateCAPIKubeconfigSecret(ctx, configSecret); updateErr != nil {
-		return fmt.Errorf("updating kubeconfig secret: %w", err)
+	} else if kubeConfig, err = s.updateCAPIKubeconfigSecret(ctx, configSecret); err != nil {
+		return nil, fmt.Errorf("updating kubeconfig secret: %w", err)
 	}
 
-	return nil
+	return clientcmd.NewDefaultClientConfig(*kubeConfig, nil), nil
 }
 
 func (s *Service) reconcileAdditionalKubeconfigs(ctx context.Context, cluster *containerpb.Cluster, log *logr.Logger) error {
@@ -133,21 +134,21 @@ func (s *Service) createUserKubeconfigSecret(ctx context.Context, cluster *conta
 	return nil
 }
 
-func (s *Service) createCAPIKubeconfigSecret(ctx context.Context, cluster *containerpb.Cluster, clusterRef *types.NamespacedName, log *logr.Logger) error {
+func (s *Service) createCAPIKubeconfigSecret(ctx context.Context, cluster *containerpb.Cluster, clusterRef *types.NamespacedName, log *logr.Logger) (*api.Config, error) {
 	controllerOwnerRef := *metav1.NewControllerRef(s.scope.GCPManagedControlPlane, infrav1exp.GroupVersion.WithKind("GCPManagedControlPlane"))
 
 	contextName := s.getKubeConfigContextName(false)
 
 	cfg, err := s.createBaseKubeConfig(contextName, cluster)
 	if err != nil {
 		log.Error(err, "failed creating base config")
-		return fmt.Errorf("creating base kubeconfig: %w", err)
+		return nil, fmt.Errorf("creating base kubeconfig: %w", err)
 	}
 
 	token, err := s.generateToken(ctx)
 	if err != nil {
 		log.Error(err, "failed generating token")
-		return err
+		return nil, err
 	}
 	cfg.AuthInfos = map[string]*api.AuthInfo{
 		contextName: {
@@ -158,50 +159,50 @@ func (s *Service) createCAPIKubeconfigSecret(ctx context.Context, cluster *conta
 	out, err := clientcmd.Write(*cfg)
 	if err != nil {
 		log.Error(err, "failed serializing kubeconfig to yaml")
-		return fmt.Errorf("serialize kubeconfig to yaml: %w", err)
+		return nil, fmt.Errorf("serialize kubeconfig to yaml: %w", err)
 	}
 
 	kubeconfigSecret := kubeconfig.GenerateSecretWithOwner(*clusterRef, out, controllerOwnerRef)
 	if err := s.scope.Client().Create(ctx, kubeconfigSecret); err != nil {
 		log.Error(err, "failed creating secret")
-		return fmt.Errorf("creating secret: %w", err)
+		return nil, fmt.Errorf("creating secret: %w", err)
 	}
 
-	return nil
+	return cfg, nil
 }
 
-func (s *Service) updateCAPIKubeconfigSecret(ctx context.Context, configSecret *corev1.Secret) error {
+func (s *Service) updateCAPIKubeconfigSecret(ctx context.Context, configSecret *corev1.Secret) (*api.Config, error) {
 	data, ok := configSecret.Data[secret.KubeconfigDataName]
 	if !ok {
-		return errors.Errorf("missing key %q in secret data", secret.KubeconfigDataName)
+		return nil, errors.Errorf("missing key %q in secret data", secret.KubeconfigDataName)
 	}
 
 	config, err := clientcmd.Load(data)
 	if err != nil {
-		return errors.Wrap(err, "failed to convert kubeconfig Secret into a clientcmdapi.Config")
+		return nil, errors.Wrap(err, "failed to convert kubeconfig Secret into a clientcmdapi.Config")
 	}
 
 	token, err := s.generateToken(ctx)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	contextName := s.getKubeConfigContextName(false)
 	config.AuthInfos[contextName].Token = token
 
 	out, err := clientcmd.Write(*config)
 	if err != nil {
-		return errors.Wrap(err, "failed to serialize config to yaml")
+		return nil, errors.Wrap(err, "failed to serialize config to yaml")
 	}
 
 	configSecret.Data[secret.KubeconfigDataName] = out
 
 	err = s.scope.Client().Update(ctx, configSecret)
 	if err != nil {
-		return fmt.Errorf("updating kubeconfig secret: %w", err)
+		return nil, fmt.Errorf("updating kubeconfig secret: %w", err)
 	}
 
-	return nil
+	return config, nil
 }
 
 func (s *Service) getKubeConfigContextName(isUser bool) string {