Make sure gcp-auth addon can be enabled on startup (#9318)

* fix documentation for gcp-auth addon

* make sure kube-system pods are up before enabling gcp-auth

* fix lint

* add failurePolicy for webhook

* only install addons if asked

* better comment

* slightly less hacky code

* defer addons properly

* simplify code for performance

deploy/addons/gcp-auth/gcp-auth-webhook.yaml

@@ -131,10 +131,17 @@ metadata:
     app: gcp-auth
 webhooks:
 - name: gcp-auth-mutate.k8s.io
+  failurePolicy: Fail
   objectSelector:
     matchExpressions:
       - key: gcp-auth-skip-secret
         operator: DoesNotExist
+  namespaceSelector:
+    matchExpressions:
+      - key: name
+        operator: NotIn
+        values:
+        - kube-system
   sideEffects: None
   admissionReviewVersions: ["v1","v1beta1"]
   clientConfig:

pkg/addons/addons.go

@@ -324,7 +324,18 @@ func verifyAddonStatus(cc *config.ClusterConfig, name string, val string) error
 }
 
 func verifyGCPAuthAddon(cc *config.ClusterConfig, name string, val string) error {
-	return verifyAddonStatusInternal(cc, name, val, "gcp-auth")
+	enable, err := strconv.ParseBool(val)
+	if err != nil {
+		return errors.Wrapf(err, "parsing bool: %s", name)
+	}
+	err = verifyAddonStatusInternal(cc, name, val, "gcp-auth")
+
+	if enable && err == nil {
+		out.T(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cc.Name})
+		out.T(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.")
+	}
+
+	return err
 }
 
 func verifyAddonStatusInternal(cc *config.ClusterConfig, name string, val string, ns string) error {
@@ -394,24 +405,45 @@ func Start(wg *sync.WaitGroup, cc *config.ClusterConfig, toEnable map[string]boo
 
 	var awg sync.WaitGroup
 
-	defer func() { // making it show after verifications( not perfect till #7613 is closed)
+	enabledAddons := []string{}
+	deferredAddons := []string{}
+
+	defer func() { // making it show after verifications (see #7613)
 		register.Reg.SetStep(register.EnablingAddons)
-		out.T(style.AddonEnable, "Enabled addons: {{.addons}}", out.V{"addons": strings.Join(toEnableList, ", ")})
+		out.T(style.AddonEnable, "Enabled addons: {{.addons}}", out.V{"addons": strings.Join(enabledAddons, ", ")})
 	}()
 	for _, a := range toEnableList {
+		if a == "gcp-auth" {
+			deferredAddons = append(deferredAddons, a)
+			continue
+		}
+
 		awg.Add(1)
 		go func(name string) {
 			err := RunCallbacks(cc, name, "true")
 			if err != nil {
 				out.WarningT("Enabling '{{.name}}' returned an error: {{.error}}", out.V{"name": name, "error": err})
+			} else {
+				enabledAddons = append(enabledAddons, name)
 			}
 			awg.Done()
 		}(a)
 	}
 
 	// Wait until all of the addons are enabled before updating the config (not thread safe)
 	awg.Wait()
-	for _, a := range toEnableList {
+
+	// Now run the deferred addons
+	for _, a := range deferredAddons {
+		err := RunCallbacks(cc, a, "true")
+		if err != nil {
+			out.WarningT("Enabling '{{.name}}' returned an error: {{.error}}", out.V{"name": a, "error": err})
+		} else {
+			enabledAddons = append(enabledAddons, a)
+		}
+	}
+
+	for _, a := range enabledAddons {
 		if err := Set(cc, a, "true"); err != nil {
 			glog.Errorf("store failed: %v", err)
 		}

pkg/addons/config.go

@@ -169,7 +169,7 @@ var Addons = []*Addon{
 	{
 		name:      "gcp-auth",
 		set:       SetBool,
-		callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon, gcpauth.DisplayAddonMessage},
+		callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon},
 	},
 	{
 		name:      "volumesnapshots",

pkg/addons/gcpauth/enable.go

@@ -60,7 +60,7 @@ func enableAddon(cfg *config.ClusterConfig) error {
 	ctx := context.Background()
 	creds, err := google.FindDefaultCredentials(ctx)
 	if err != nil {
-		exit.Message(reason.InternalCredsNotFound, "Could not find any GCP credentials. Either run `gcloud auth login` or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your credentials file.")
+		exit.Message(reason.InternalCredsNotFound, "Could not find any GCP credentials. Either run `gcloud auth application-default login` or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your credentials file.")
 	}
 
 	f := assets.NewMemoryAssetTarget(creds.JSON, credentialsPath, "0444")
@@ -116,16 +116,3 @@ func disableAddon(cfg *config.ClusterConfig) error {
 
 	return nil
 }
-
-// DisplayAddonMessage display an gcp auth addon specific message to the user
-func DisplayAddonMessage(cfg *config.ClusterConfig, name string, val string) error {
-	enable, err := strconv.ParseBool(val)
-	if err != nil {
-		return errors.Wrapf(err, "parsing bool: %s", name)
-	}
-	if enable {
-		out.T(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cfg.Name})
-		out.T(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.")
-	}
-	return nil
-}

site/content/en/docs/handbook/addons/gcp-auth.md

@@ -5,7 +5,7 @@ weight: 1
 date: 2020-07-15
 ---
 
-If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
+If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth application-default login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
 
 - Start a cluster:
 ```