fix(ci): k8s cluster auth (cherry-pick to release-1.8)

.ci/pipelines/cluster/eks/aws.sh

@@ -57,37 +57,6 @@ aws_eks_get_load_balancer_hostname() {
   fi
 }
 
-# Verify EKS cluster connectivity
-aws_eks_verify_cluster() {
-  echo "Verifying EKS cluster connectivity..."
-
-  if ! kubectl cluster-info > /dev/null 2>&1; then
-    echo "Error: Cannot connect to EKS cluster. Please check KUBECONFIG."
-    return 1
-  fi
-
-  echo "Successfully connected to EKS cluster"
-  kubectl get nodes --no-headers | wc -l | xargs echo "Number of nodes:"
-}
-
-# Get EKS cluster information
-aws_eks_get_cluster_info() {
-  echo "EKS Cluster Information:"
-  echo "========================"
-
-  # Get cluster version
-  kubectl version --short 2> /dev/null | grep "Server Version" || echo "Server Version: Unable to determine"
-
-  # Get node information
-  echo "Node Information:"
-  kubectl get nodes -o custom-columns="NAME:.metadata.name,STATUS:.status.conditions[?(@.type=='Ready')].status,ROLES:.metadata.labels.node\.kubernetes\.io/role,SPOT:.metadata.labels.kubernetes\.aws\.com/spot" 2> /dev/null || echo "Unable to get node information"
-
-  # Get installed addons
-  echo "Installed Addons:"
-  kubectl get pods -A -l app.kubernetes.io/name=aws-load-balancer-controller 2> /dev/null | grep -q aws-load-balancer-controller && echo "- AWS Load Balancer Controller" || echo "- AWS Load Balancer Controller: Not found"
-  kubectl get pods -A -l app.kubernetes.io/name=aws-ebs-csi-driver 2> /dev/null | grep -q ebs-csi && echo "- AWS EBS CSI Driver" || echo "- AWS EBS CSI Driver: Not found"
-}
-
 # Function to setup EKS ingress hosts configuration
 configure_eks_ingress_and_dns() {
   local namespace=$1
@@ -356,7 +325,7 @@ get_eks_certificate() {
 get_cluster_aws_region() {
   # Get region from EKS cluster ARN
   local cluster_arn
-  cluster_arn=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2> /dev/null)
+  cluster_arn=$(KUBECONFIG="${SHARED_DIR}/kubeconfig" kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2> /dev/null)
 
   # Extract region from EKS cluster URL
   if [[ "${cluster_arn}" =~ \.([a-z0-9-]+)\.eks\.amazonaws\.com ]]; then

.ci/pipelines/cluster/gke/gcloud.sh

@@ -5,19 +5,6 @@ source "$DIR"/utils.sh
 # shellcheck source=.ci/pipelines/install-methods/operator.sh
 source "$DIR"/install-methods/operator.sh
 
-gcloud_auth() {
-  local service_account_name=$1
-  local service_account_key_location=$2
-  gcloud auth activate-service-account "${service_account_name}" --key-file "${service_account_key_location}"
-}
-
-gcloud_gke_get_credentials() {
-  local cluster_name=$1
-  local cluster_region=$2
-  local project=$3
-  gcloud container clusters get-credentials "${cluster_name}" --region "${cluster_region}" --project "${project}"
-}
-
 gcloud_ssl_cert_create() {
   local cert_name=$1
   local domain=$2

.ci/pipelines/cluster/k8s/k8s-utils.sh

@@ -1,49 +1,5 @@
 #!/bin/bash
 
-re_create_k8s_service_account_and_get_token() {
-  local sa_namespace="default"
-  local sa_name="tester-sa-2"
-  local sa_binding_name="${sa_name}-binding"
-  local sa_secret_name="${sa_name}-secret"
-  local token
-  if token="$(kubectl get secret ${sa_secret_name} -n ${sa_namespace} -o jsonpath='{.data.token}' 2> /dev/null)"; then
-    K8S_CLUSTER_TOKEN=$(echo "${token}" | base64 --decode)
-    echo "Acquired existing token for the service account into K8S_CLUSTER_TOKEN"
-  else
-    echo "Creating service account"
-    if ! kubectl get serviceaccount ${sa_name} -n ${sa_namespace} &> /dev/null; then
-      echo "Creating service account ${sa_name}..."
-      kubectl create serviceaccount ${sa_name} -n ${sa_namespace}
-      echo "Creating cluster role binding..."
-      kubectl create clusterrolebinding ${sa_binding_name} \
-        --clusterrole=cluster-admin \
-        --serviceaccount=${sa_namespace}:${sa_name}
-      echo "Service account and binding created successfully"
-    else
-      echo "Service account ${sa_name} already exists in namespace ${sa_namespace}"
-    fi
-    echo "Creating secret for service account"
-    kubectl apply --namespace="${sa_namespace}" -f - << EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: ${sa_secret_name}
-  namespace: ${sa_namespace}
-  annotations:
-    kubernetes.io/service-account.name: ${sa_name}
-type: kubernetes.io/service-account-token
-EOF
-    sleep 5
-    token="$(kubectl get secret ${sa_secret_name} -n ${sa_namespace} -o jsonpath='{.data.token}' 2> /dev/null)"
-    K8S_CLUSTER_TOKEN=$(echo "${token}" | base64 --decode)
-    echo "Acquired token for the service account into K8S_CLUSTER_TOKEN"
-  fi
-  K8S_CLUSTER_TOKEN_ENCODED=$(printf "%s" $K8S_CLUSTER_TOKEN | base64 | tr -d '\n')
-  K8S_SERVICE_ACCOUNT_TOKEN=$K8S_CLUSTER_TOKEN_ENCODED
-  OCM_CLUSTER_TOKEN=$K8S_CLUSTER_TOKEN_ENCODED
-  export K8S_CLUSTER_TOKEN K8S_CLUSTER_TOKEN_ENCODED K8S_SERVICE_ACCOUNT_TOKEN OCM_CLUSTER_TOKEN
-}
-
 patch_and_restart() {
   local namespace=$1
   local resource_type=$2

.ci/pipelines/env_variables.sh

@@ -170,9 +170,9 @@ KEYCLOAK_AUTH_REALM=$(cat /tmp/secrets/KEYCLOAK_AUTH_REALM)
 
 REGISTRY_REDHAT_IO_SERVICE_ACCOUNT_DOCKERCONFIGJSON=$(cat /tmp/secrets/REGISTRY_REDHAT_IO_SERVICE_ACCOUNT_DOCKERCONFIGJSON)
 
-IS_OPENSHIFT=""
-CONTAINER_PLATFORM=""
-CONTAINER_PLATFORM_VERSION=""
+IS_OPENSHIFT="${IS_OPENSHIFT:-true}"
+CONTAINER_PLATFORM="${CONTAINER_PLATFORM:-unknown}"
+CONTAINER_PLATFORM_VERSION="${CONTAINER_PLATFORM_VERSION:-unknown}"
 
 GITHUB_OAUTH_APP_ID=$(cat /tmp/secrets/GITHUB_OAUTH_APP_ID)
 GITHUB_OAUTH_APP_SECRET=$(cat /tmp/secrets/GITHUB_OAUTH_APP_SECRET)

.ci/pipelines/jobs/aks-helm.sh

@@ -6,10 +6,14 @@ source "$DIR"/utils.sh
 source "$DIR"/cluster/aks/aks-helm-deployment.sh
 # shellcheck source=.ci/pipelines/cluster/aks/az.sh
 source "$DIR"/cluster/aks/az.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_aks_helm() {
   echo "Starting AKS Helm deployment"
 
+  common::kubectl_login
+
   K8S_CLUSTER_ROUTER_BASE=$(kubectl get svc nginx --namespace app-routing-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
   export K8S_CLUSTER_ROUTER_BASE
 

.ci/pipelines/jobs/aks-operator.sh

@@ -6,10 +6,14 @@ source "$DIR"/install-methods/operator.sh
 source "$DIR"/cluster/aks/aks-operator-deployment.sh
 # shellcheck source=.ci/pipelines/cluster/k8s/k8s-utils.sh
 source "$DIR"/cluster/k8s/k8s-utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_aks_operator() {
   echo "Starting AKS Operator deployment"
 
+  common::kubectl_login
+
   K8S_CLUSTER_ROUTER_BASE=$(kubectl get svc nginx --namespace app-routing-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
   export K8S_CLUSTER_ROUTER_BASE
 

.ci/pipelines/jobs/auth-providers.sh

@@ -4,10 +4,12 @@
 source "$DIR"/utils.sh
 # shellcheck source=.ci/pipelines/install-methods/operator.sh
 source "$DIR"/install-methods/operator.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_auth_providers() {
   local retry_operator_installation="${1:-1}"
-  oc_login
+  common::oc_login
   configure_namespace "${OPERATOR_MANAGER}"
   install_rhdh_operator "${OPERATOR_MANAGER}" "$retry_operator_installation"
   wait_for_backstage_crd "default"

.ci/pipelines/jobs/eks-helm.sh

@@ -8,15 +8,13 @@ source "$DIR"/cluster/eks/eks-helm-deployment.sh
 source "$DIR"/cluster/eks/aws.sh
 # shellcheck source=.ci/pipelines/cluster/k8s/k8s-utils.sh
 source "$DIR"/cluster/k8s/k8s-utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_eks_helm() {
   echo "Starting EKS Helm deployment"
 
-  # Verify EKS cluster connectivity
-  aws_eks_verify_cluster
-
-  # Get cluster information
-  aws_eks_get_cluster_info
+  common::kubectl_login
 
   NAME_SPACE="showcase-k8s-ci-nightly"
   NAME_SPACE_RBAC="showcase-rbac-k8s-ci-nightly"
@@ -27,8 +25,6 @@ handle_eks_helm() {
   OCM_CLUSTER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   export K8S_CLUSTER_URL K8S_CLUSTER_API_SERVER_URL OCM_CLUSTER_URL
 
-  re_create_k8s_service_account_and_get_token
-
   cluster_setup_k8s_helm
 
   EKS_INSTANCE_DOMAIN_NAME=$(generate_dynamic_domain_name)

.ci/pipelines/jobs/eks-operator.sh

@@ -8,15 +8,13 @@ source "$DIR"/cluster/eks/eks-operator-deployment.sh
 source "$DIR"/cluster/k8s/k8s-utils.sh
 # shellcheck source=.ci/pipelines/cluster/eks/aws.sh
 source "$DIR"/cluster/eks/aws.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_eks_operator() {
   echo "Starting EKS Operator deployment"
 
-  # Verify EKS cluster connectivity
-  aws_eks_verify_cluster
-
-  # Get cluster information
-  aws_eks_get_cluster_info
+  common::kubectl_login
 
   NAME_SPACE="showcase-k8s-ci-nightly"
   NAME_SPACE_RBAC="showcase-rbac-k8s-ci-nightly"
@@ -27,8 +25,6 @@ handle_eks_operator() {
   OCM_CLUSTER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   export K8S_CLUSTER_URL K8S_CLUSTER_API_SERVER_URL OCM_CLUSTER_URL
 
-  re_create_k8s_service_account_and_get_token
-
   cluster_setup_k8s_operator
 
   prepare_operator "3"

.ci/pipelines/jobs/gke-helm.sh

@@ -8,10 +8,14 @@ source "$DIR"/cluster/gke/gcloud.sh
 source "$DIR"/cluster/gke/gke-helm-deployment.sh
 # shellcheck source=.ci/pipelines/cluster/k8s/k8s-utils.sh
 source "$DIR"/cluster/k8s/k8s-utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_gke_helm() {
   echo "Starting GKE Helm deployment"
 
+  common::kubectl_login
+
   IS_OPENSHIFT=false
   export IS_OPENSHIFT
 
@@ -20,17 +24,13 @@ handle_gke_helm() {
   NAME_SPACE_RBAC="showcase-rbac-k8s-ci-nightly"
   export K8S_CLUSTER_ROUTER_BASE NAME_SPACE NAME_SPACE_RBAC
 
-  gcloud_auth "${GKE_SERVICE_ACCOUNT_NAME}" "/tmp/secrets/GKE_SERVICE_ACCOUNT_KEY"
-  gcloud_gke_get_credentials "${GKE_CLUSTER_NAME}" "${GKE_CLUSTER_REGION}" "${GOOGLE_CLOUD_PROJECT}"
   gcloud_ssl_cert_create "$GKE_CERT_NAME" "$GKE_INSTANCE_DOMAIN_NAME" "$GOOGLE_CLOUD_PROJECT"
 
   K8S_CLUSTER_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
   K8S_CLUSTER_API_SERVER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   OCM_CLUSTER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   export K8S_CLUSTER_URL K8S_CLUSTER_API_SERVER_URL OCM_CLUSTER_URL
 
-  re_create_k8s_service_account_and_get_token # Populate K8S_CLUSTER_TOKEN
-
   cluster_setup_k8s_helm
 
   initiate_gke_helm_deployment

.ci/pipelines/jobs/gke-operator.sh

@@ -10,27 +10,27 @@ source "$DIR"/cluster/gke/gke-operator-deployment.sh
 source "$DIR"/install-methods/operator.sh
 # shellcheck source=.ci/pipelines/cluster/k8s/k8s-utils.sh
 source "$DIR"/cluster/k8s/k8s-utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_gke_operator() {
   echo "Starting GKE Operator deployment"
 
+  common::kubectl_login
+
   IS_OPENSHIFT=false
   export IS_OPENSHIFT
 
   K8S_CLUSTER_ROUTER_BASE=$GKE_INSTANCE_DOMAIN_NAME
   export K8S_CLUSTER_ROUTER_BASE
 
-  gcloud_auth "${GKE_SERVICE_ACCOUNT_NAME}" "/tmp/secrets/GKE_SERVICE_ACCOUNT_KEY"
-  gcloud_gke_get_credentials "${GKE_CLUSTER_NAME}" "${GKE_CLUSTER_REGION}" "${GOOGLE_CLOUD_PROJECT}"
   gcloud_ssl_cert_create "$GKE_CERT_NAME" "$GKE_INSTANCE_DOMAIN_NAME" "$GOOGLE_CLOUD_PROJECT"
 
   K8S_CLUSTER_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
   K8S_CLUSTER_API_SERVER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   OCM_CLUSTER_URL=$(printf "%s" "$K8S_CLUSTER_URL" | base64 | tr -d '\n')
   export K8S_CLUSTER_URL K8S_CLUSTER_API_SERVER_URL OCM_CLUSTER_URL
 
-  re_create_k8s_service_account_and_get_token # Populate K8S_CLUSTER_TOKEN
-
   cluster_setup_k8s_operator
 
   prepare_operator

.ci/pipelines/jobs/ocp-nightly.sh

@@ -2,13 +2,15 @@
 
 # shellcheck source=.ci/pipelines/utils.sh
 source "$DIR"/utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_ocp_nightly() {
   export NAME_SPACE="showcase-ci-nightly"
   export NAME_SPACE_RBAC="showcase-rbac-nightly"
   export NAME_SPACE_POSTGRES_DB="postgress-external-db-nightly"
 
-  oc_login
+  common::oc_login
 
   K8S_CLUSTER_ROUTER_BASE=$(oc get route console -n openshift-console -o=jsonpath='{.spec.host}' | sed 's/^[^.]*\.//')
   export K8S_CLUSTER_ROUTER_BASE

.ci/pipelines/jobs/ocp-operator.sh

@@ -4,6 +4,8 @@
 source "$DIR"/utils.sh
 # shellcheck source=.ci/pipelines/install-methods/operator.sh
 source "$DIR"/install-methods/operator.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 initiate_operator_deployments() {
   echo "Initiating Operator-backed deployments on OCP"
@@ -51,7 +53,7 @@ run_operator_runtime_config_change_tests() {
 }
 
 handle_ocp_operator() {
-  oc_login
+  common::oc_login
 
   K8S_CLUSTER_ROUTER_BASE=$(oc get route console -n openshift-console -o=jsonpath='{.spec.host}' | sed 's/^[^.]*\.//')
   export K8S_CLUSTER_ROUTER_BASE

.ci/pipelines/jobs/ocp-pull.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
 
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
+
 handle_ocp_pull() {
   echo "Configuring namespace: ${NAME_SPACE}"
-  oc_login
+  common::oc_login
   echo "OCP version: $(oc version)"
 
   K8S_CLUSTER_ROUTER_BASE=$(oc get route console -n openshift-console -o=jsonpath='{.spec.host}' | sed 's/^[^.]*\.//')

.ci/pipelines/jobs/upgrade.sh

@@ -2,6 +2,8 @@
 
 # shellcheck source=.ci/pipelines/utils.sh
 source "$DIR"/utils.sh
+# shellcheck source=.ci/pipelines/lib/common.sh
+source "$DIR"/lib/common.sh
 
 handle_ocp_helm_upgrade() {
   export NAME_SPACE="showcase-upgrade-nightly"
@@ -26,7 +28,7 @@ handle_ocp_helm_upgrade() {
   echo "Using previous release version: ${previous_release_version} and chart version: ${CHART_VERSION_BASE}"
   export TAG_NAME_BASE=$previous_release_version
 
-  oc_login
+  common::oc_login
 
   K8S_CLUSTER_ROUTER_BASE=$(oc get route console -n openshift-console -o=jsonpath='{.spec.host}' | sed 's/^[^.]*\.//')
   export K8S_CLUSTER_ROUTER_BASE