diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml index cb06808cc744..81f4de2cc14e 100644 --- a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml @@ -131,10 +131,17 @@ metadata: app: gcp-auth webhooks: - name: gcp-auth-mutate.k8s.io + failurePolicy: Fail objectSelector: matchExpressions: - key: gcp-auth-skip-secret operator: DoesNotExist + namespaceSelector: + matchExpressions: + - key: name + operator: NotIn + values: + - kube-system sideEffects: None admissionReviewVersions: ["v1","v1beta1"] clientConfig: diff --git a/pkg/addons/addons.go b/pkg/addons/addons.go index 8235e0cfd964..a7ca64a21ea2 100644 --- a/pkg/addons/addons.go +++ b/pkg/addons/addons.go @@ -324,7 +324,18 @@ func verifyAddonStatus(cc *config.ClusterConfig, name string, val string) error } func verifyGCPAuthAddon(cc *config.ClusterConfig, name string, val string) error { - return verifyAddonStatusInternal(cc, name, val, "gcp-auth") + enable, err := strconv.ParseBool(val) + if err != nil { + return errors.Wrapf(err, "parsing bool: %s", name) + } + err = verifyAddonStatusInternal(cc, name, val, "gcp-auth") + + if enable && err == nil { + out.T(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cc.Name}) + out.T(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.") + } + + return err } func verifyAddonStatusInternal(cc *config.ClusterConfig, name string, val string, ns string) error { @@ -394,16 +405,26 @@ func Start(wg *sync.WaitGroup, cc *config.ClusterConfig, toEnable map[string]boo var awg sync.WaitGroup - defer func() { // making it show after verifications( not perfect till #7613 is closed) + enabledAddons := []string{} + deferredAddons := []string{} + + defer func() { // making it show after verifications (see #7613) register.Reg.SetStep(register.EnablingAddons) - out.T(style.AddonEnable, "Enabled addons: {{.addons}}", out.V{"addons": strings.Join(toEnableList, ", ")}) + out.T(style.AddonEnable, "Enabled addons: {{.addons}}", out.V{"addons": strings.Join(enabledAddons, ", ")}) }() for _, a := range toEnableList { + if a == "gcp-auth" { + deferredAddons = append(deferredAddons, a) + continue + } + awg.Add(1) go func(name string) { err := RunCallbacks(cc, name, "true") if err != nil { out.WarningT("Enabling '{{.name}}' returned an error: {{.error}}", out.V{"name": name, "error": err}) + } else { + enabledAddons = append(enabledAddons, name) } awg.Done() }(a) @@ -411,7 +432,18 @@ func Start(wg *sync.WaitGroup, cc *config.ClusterConfig, toEnable map[string]boo // Wait until all of the addons are enabled before updating the config (not thread safe) awg.Wait() - for _, a := range toEnableList { + + // Now run the deferred addons + for _, a := range deferredAddons { + err := RunCallbacks(cc, a, "true") + if err != nil { + out.WarningT("Enabling '{{.name}}' returned an error: {{.error}}", out.V{"name": a, "error": err}) + } else { + enabledAddons = append(enabledAddons, a) + } + } + + for _, a := range enabledAddons { if err := Set(cc, a, "true"); err != nil { glog.Errorf("store failed: %v", err) } diff --git a/pkg/addons/config.go b/pkg/addons/config.go index 088698d91a29..980915f407e6 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -169,7 +169,7 @@ var Addons = []*Addon{ { name: "gcp-auth", set: SetBool, - callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon, gcpauth.DisplayAddonMessage}, + callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon}, }, { name: "volumesnapshots", diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go index 46c9ca0ec3f0..a394d481ef5a 100644 --- a/pkg/addons/gcpauth/enable.go +++ b/pkg/addons/gcpauth/enable.go @@ -60,7 +60,7 @@ func enableAddon(cfg *config.ClusterConfig) error { ctx := context.Background() creds, err := google.FindDefaultCredentials(ctx) if err != nil { - exit.Message(reason.InternalCredsNotFound, "Could not find any GCP credentials. Either run `gcloud auth login` or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your credentials file.") + exit.Message(reason.InternalCredsNotFound, "Could not find any GCP credentials. Either run `gcloud auth application-default login` or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your credentials file.") } f := assets.NewMemoryAssetTarget(creds.JSON, credentialsPath, "0444") @@ -116,16 +116,3 @@ func disableAddon(cfg *config.ClusterConfig) error { return nil } - -// DisplayAddonMessage display an gcp auth addon specific message to the user -func DisplayAddonMessage(cfg *config.ClusterConfig, name string, val string) error { - enable, err := strconv.ParseBool(val) - if err != nil { - return errors.Wrapf(err, "parsing bool: %s", name) - } - if enable { - out.T(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cfg.Name}) - out.T(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.") - } - return nil -} diff --git a/site/content/en/docs/handbook/addons/gcp-auth.md b/site/content/en/docs/handbook/addons/gcp-auth.md index 14194909e9bf..19aabd3920fe 100644 --- a/site/content/en/docs/handbook/addons/gcp-auth.md +++ b/site/content/en/docs/handbook/addons/gcp-auth.md @@ -5,7 +5,7 @@ weight: 1 date: 2020-07-15 --- -If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable. +If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth application-default login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable. - Start a cluster: ```