如何在 Ansible 中检索已创建的 Google Kubernetes (GKE) 集群的凭据？

Question

I'm creating a cluster and node pool with

- name: "Create Google Kubernetes Engine Cluster to be setup with with kubectl"
  gcp_container_cluster:
    name: "{{cluster_name}}"
    project: "{{project_id}}"
    auth_kind: "serviceaccount"
    location: "{{cluster_location}}"
    logging_service: "none"
    monitoring_service: "none"
    service_account_contents: "{{service_account_contents}}"
    initial_node_count: 1
  register: cluster
- name: "Create node pool for system pods"
  gcp_container_node_pool:
    name: "default-pool"
    project: "{{project_id}}"
    cluster: "{{ cluster }}"
    auth_kind: "serviceaccount"
    location: "{{cluster_location}}"
    autoscaling:
      enabled: "no"
    initial_node_count: 1
    service_account_contents: "{{service_account_contents}}"
    config:
      machine_type: "g1-small"
      disk_size_gb: 25
      preemptible: "no"
    management:
      auto_repair: "yes"
      auto_upgrade: "yes"

which works fine, however I find no information how to authenticate and thus gain authorization for kubectl commands executed with the Ansible k8s module.

First of all, the documentation is not helpful both in terms of wording and examples. I didn't find any guide, blogpost or else and feel like I'm the first person performing this tasks with Ansible. I examined the returned cluster object (stored with register above) closely, but didn't find anything suitable. This applies to both gcp_container_cluster and gcp_container_cluster_info .

As far as I understand I need to obtain a kubeconfig somehow with an Ansible module which I can use in the k8s module, like I'd do with gcloud container clusters get-credentials . I'd like to see if there's a built-in way first before I do a hacky workaround using shell commands in Ansible.

I'm using Ansible 2.9.10 on Ubuntu 20.04.

Answer 1

When you create the cluster using the gcp_container_cluster , the return value will include the path where the kubeconfig file is stored . You can refer to this path using your example with {{ cluster.kubectlPath }}.

When you want to use the k8s module, you can define the kubeconfig file path to use for the module.. It will look something like this:

    - name: "Create Google Kubernetes Engine Cluster to be setup with with kubectl"
      gcp_container_cluster:
        name: "{{cluster_name}}"
        kubectlPath: /path/to/save/config
        [...]
      register: cluster
    - name: "Create k8s resource"
      k8s:
        kubeconfig: "{{ cluster.kubectlPath }}"
        definition:
          [...]

EDIT: I misread the document, in the "response" section it clarifies that this field must be set for the file to be written in this path, there is no default value for this field.

Answer 2

This seems to be impossible due to https://github.com/ansible/ansible/issues/66096 .

I circumvented this with

- name: "Circumvent https://github.com/ansible/ansible/issues/66096 which makes it impossible to retrieve the
kubecontext retrieved during cluster creation, asked
https://stackoverflow.com/questions/62799952/how-to-update-the-ansible-gcp-container-cluster-module for input"
  block:
    - name: "Create temporary file for gcloud key"
      tempfile: ~
      register: gcloud_key_tempfile
    - name: "Write gcloud key to temporary file"
      copy: content="{{ service_account_contents }}" dest={{ gcloud_key_tempfile.path }}
    - name: "Retrieve k8s credentials through gcloud shell commands"
      shell: |
        gcloud config set project {{ project_id }}
        gcloud config set compute/zone {{ cluster_location }}
        gcloud auth activate-service-account --key-file {{ gcloud_key_tempfile.path }}
        env KUBECONFIG={{kubectl_tempfile.path}} gcloud container clusters get-credentials {{ cluster_name }}
    - set_fact:
        kubeconfig_path: "{{ kubectl_tempfile.path }}"
  always:
    - name: "Remove temporary file for gcloud key"
      file: dest="{{ gcloud_key_tempfile.path }}" state=absent