feat(deployer): authenticate to GKE via WIF and generate scoped kubeconfig#342
/describe
Pull request overview
This PR adds a new Kubernetes authentication path for GitLab CI pipelines targeting GKE: when Workload Identity Federation (WIF) is enabled, the deployer can authenticate via gcloud and generate a namespace-defaulted kubeconfig, while preserving the legacy static-token path.
Changes:
- Extend `create_kubeconfig()`/`ensure_deploy_variables()` to support a WIF+GKE execution branch driven by `ENABLE_GCP_WIF=1` and `K8S_CLUSTER_NAME`.
- Wire WIF+GKE kubeconfig generation into the shared GitLab CI `before_script` after GitLab Agent setup.
- Document the new authentication mode and variables (README + changelog) and add OpenSpec workflow artifacts/commands.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| templates/.gitlab-ci-template.yml | Adds a gated create_kubeconfig call in before_script for WIF+GKE pipelines. |
| scripts/src/functions.bash | Implements WIF+GKE kubeconfig creation via gcloud get-credentials and adjusts variable validation logic. |
| README.md | Documents legacy token auth vs WIF+GKE variables/behavior and ordering with GitLab Agent. |
| CHANGELOG.md | Adds unreleased entries describing the new WIF+GKE kubeconfig and validation behavior. |
| openspec/config.yaml | Adds OpenSpec configuration scaffold for spec-driven workflow. |
| openspec/changes/wif-gke-kubeconfig/.openspec.yaml | Adds OpenSpec change metadata. |
| openspec/changes/wif-gke-kubeconfig/proposal.md | Captures the “why/what” for WIF+GKE kubeconfig support. |
| openspec/changes/wif-gke-kubeconfig/design.md | Captures design decisions, execution order, and risks/trade-offs. |
| openspec/changes/wif-gke-kubeconfig/tasks.md | Tracks implementation tasks and validation checklist for the change. |
| openspec/changes/wif-gke-kubeconfig/specs/wif-gke-kubeconfig/spec.md | Adds delta spec describing WIF+GKE kubeconfig requirements. |
| openspec/changes/wif-gke-kubeconfig/specs/kubeconfig-creation/spec.md | Adds delta spec describing multi-path kubeconfig creation + validation requirements. |
| .opencode/skills/openspec-propose/SKILL.md | Adds OpenSpec “propose” skill definition for OpenCode workflow. |
| .opencode/skills/openspec-explore/SKILL.md | Adds OpenSpec “explore” skill definition for OpenCode workflow. |
| .opencode/skills/openspec-archive-change/SKILL.md | Adds OpenSpec “archive change” skill definition for OpenCode workflow. |
| .opencode/skills/openspec-apply-change/SKILL.md | Adds OpenSpec “apply change” skill definition for OpenCode workflow. |
| .opencode/command/opsx-propose.md | Adds /opsx-propose command documentation for OpenCode workflow. |
| .opencode/command/opsx-explore.md | Adds /opsx-explore command documentation for OpenCode workflow. |
| .opencode/command/opsx-archive.md | Adds /opsx-archive command documentation for OpenCode workflow. |
| .opencode/command/opsx-apply.md | Adds /opsx-apply command documentation for OpenCode workflow. |
| .github/skills/openspec-propose/SKILL.md | Adds OpenSpec “propose” skill definition for GitHub workflow. |
| .github/skills/openspec-explore/SKILL.md | Adds OpenSpec “explore” skill definition for GitHub workflow. |
| .github/skills/openspec-archive-change/SKILL.md | Adds OpenSpec “archive change” skill definition for GitHub workflow. |
| .github/skills/openspec-apply-change/SKILL.md | Adds OpenSpec “apply change” skill definition for GitHub workflow. |
| .github/prompts/opsx-propose.prompt.md | Adds /opsx:propose prompt content for GitHub workflow. |
| .github/prompts/opsx-explore.prompt.md | Adds /opsx:explore prompt content for GitHub workflow. |
| .github/prompts/opsx-archive.prompt.md | Adds /opsx:archive prompt content for GitHub workflow. |
| .github/prompts/opsx-apply.prompt.md | Adds /opsx:apply prompt content for GitHub workflow. |
@copilot can you add a description of what the PR does? Update the PR description.
I've updated the PR description with a full summary of the changes: what problem is being solved, what files changed and why, how activation works, the variables table, and backward compatibility notes.
I would also use the approach used for the WIF bash functions: all the needed functions are defined in the YAML templates. This allows the portability of these functions simply by using the templates and decoupling the bash functions from the @Stevesibilia you can help with this task.
I reverted the changes done in the bash scripts and created a new template called gke-kubeconfig.
Summary
Adds GKE kubeconfig generation support to the deployer by introducing a new portable GitLab CI template `templates/functions/gke-kubeconfig.yml` (`.gke-kubeconfig`) that generates a namespace-scoped kubeconfig for GKE clusters. It works with any gcloud authentication method (WIF, service account key, etc.) and acts as an alternative to the GitLab Agent approach.

What changes
- `templates/functions/gke-kubeconfig.yml` — self-contained, remotely includable, no Docker image dependency. Defines `check_gcloud_auth()`, `check_gke_env()` and `generate_gke_kubeconfig()` inline in `before_script`. Activated when `K8S_CLUSTER_NAME` is set.
- `check_gcloud_auth()` — verifies gcloud is available and has an active authenticated account before attempting cluster access. Fails with a clear message if not authenticated.
- `.gke-kubeconfig` runs as the last step in `.global-setup`, after `setup-gitlab-agent`, so the gcloud context always overrides the agent context when both are configured (safety net for users who forget `DISABLE_GITLAB_AGENT=1`).
- `templates/.gitlab-ci-template.yml` — new `include:` entry for `gke-kubeconfig.yml` + `!reference` added as last step in `.global-setup` `before_script`.
- `scripts/src/functions.bash` — removed legacy `kubectl config set-cluster/set-credentials/set-context/use-context` commands referencing the old `gitlab-deploy` context.
- `K8S_USE_DNS_ENDPOINT=1` conditionally passes `--dns-endpoint` to `gcloud container clusters get-credentials` for private GKE clusters.
- `$KUBE_NAMESPACE` via `kubectl config set-context --current --namespace`.

Variables consumed
All injected by the platform generator (board#4348):
- `K8S_CLUSTER_NAME`
- `K8S_LOCATION`
- `GCP_PROJECT_ID`
- `KUBE_NAMESPACE`
- `K8S_USE_DNS_ENDPOINT` — `"1"` to pass `--dns-endpoint` for private clusters

Backward compatibility
Pipelines without `K8S_CLUSTER_NAME` are completely unaffected — the template emits a skip message and exits cleanly. The template is auth-method agnostic: it works with WIF (`gcp-wif.yml`), a service account key, or any other gcloud authentication configured before it runs.
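The three steps the summary above describes (auth check, env check, namespace-scoped kubeconfig with the skip path and the `--dns-endpoint` switch), as an added POSIX-sh example that is not the project's `gke-kubeconfig.yml`: the function names follow the PR description, while the bodies, messages and the `--location`/`--project` flag choice are assumptions.

```shell
# Added example, not the project's template. Meant to run in a GitLab CI
# before_script after gcloud authentication (WIF, SA key, ...) has happened.

# Succeed only if gcloud is on PATH and has an ACTIVE account; otherwise fail loudly.
check_gcloud_auth() {
  if ! command -v gcloud >/dev/null 2>&1; then
    echo "gke-kubeconfig: gcloud not found in PATH" >&2
    return 1
  fi
  account=$(gcloud auth list --filter=status:ACTIVE --format='value(account)' 2>/dev/null || true)
  if [ -z "$account" ]; then
    echo "gke-kubeconfig: no active gcloud account; run the auth step (e.g. WIF) first" >&2
    return 1
  fi
  echo "gke-kubeconfig: active gcloud account: $account"
}

# Require every variable the PR lists as injected by the platform generator.
check_gke_env() {
  missing=0
  for v in K8S_CLUSTER_NAME K8S_LOCATION GCP_PROJECT_ID KUBE_NAMESPACE; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "gke-kubeconfig: required variable $v is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Skip cleanly without K8S_CLUSTER_NAME; otherwise verify, fetch credentials
# (adding --dns-endpoint only when K8S_USE_DNS_ENDPOINT=1) and default the namespace.
generate_gke_kubeconfig() {
  if [ -z "${K8S_CLUSTER_NAME:-}" ]; then
    echo "gke-kubeconfig: K8S_CLUSTER_NAME not set, skipping GKE kubeconfig generation"
    return 0
  fi
  check_gcloud_auth && check_gke_env || return 1
  dns_flag=""
  if [ "${K8S_USE_DNS_ENDPOINT:-0}" = "1" ]; then
    dns_flag="--dns-endpoint"
  fi
  # $dns_flag is intentionally unquoted so an empty value adds no argument.
  gcloud container clusters get-credentials "$K8S_CLUSTER_NAME" \
    --location="$K8S_LOCATION" --project="$GCP_PROJECT_ID" $dns_flag
  # Default the current context to the deploy namespace, as the PR describes.
  kubectl config set-context --current --namespace="$KUBE_NAMESPACE"
}
```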