Allow using `kubectl --context` for cluster credentials

[msiebuhr]

Unless one explicitly sets user in k8s_deploy(), it is assumed a username matching the cluster can be found:

rules_gitops/skylib/kustomize/kustomize.bzl

Line 509 in 39f94ee

user_arg = """$(kubectl config view -o jsonpath='{.users[?(@.name == '"\\"${CLUSTER}\\")].name}")"""

(My jsonpath-foo isn't strong, but I read this as "return the .name of the user who's .name == $CLUSTER - I feel I'm missing something obvious here?)

On our setup this fails as we sometimes have multiple users per cluster. We don't like running with admin-powers on by default, so everyone has <username>-<clustername>, and some has admin-<clustername> as backups. The query above returns an empty string on our setups, so things only work when the user happens to be in the right kubernetes context, so the blank user-name doesn't make a difference:

kubectl config use-context $USER-$OTHER_CLUSTER
bazel run :deploy-to-kubernetes
...
error: error validating "STDIN": error validating data: failed to download openapi: the server has asked for the client to provide credentials; if you choose to ignore these errors, turn validation off with --validate=false

kubectl config use-context $USER-$CORRECT_CLUSTER
bazel run :deploy-to-kubernetes
...
service/xxxx unchanged
deployment.apps/xxxx configured
sealedsecret.bitnami.com/xxxx unchanged
ingress.networking.k8s.io/xxxx unchanged

Kubernetes config does have contexts tying users, clusters and - optionally - namespaces together (which is also what rules_k8s relies on):

k8s_deploy(
    # ...
    context = "morten-siebuhr-some-cluster-name"
)

Which is then passed to kubectl --context $CONTEXT?

Docs: https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/

[msiebuhr]

I gave hacking in 'cluster' a shot, but it turned out way easier just to search the contexts for one matching the desired cluster and fish out a user-name from there:

diff --git skylib/kustomize/kustomize.bzl skylib/kustomize/kustomize.bzl
index 6a6407f..182a0e5 100644
--- skylib/kustomize/kustomize.bzl
+++ skylib/kustomize/kustomize.bzl
@@ -506,7 +506,7 @@ def _kubectl_impl(ctx):
         if "{" in ctx.attr.user:
             user_arg = stamp(ctx, user_arg, files, ctx.label.name + ".user-name", True)
     else:
-        user_arg = """$(kubectl config view -o jsonpath='{.users[?(@.name == '"\\"${CLUSTER}\\")].name}")"""
+        user_arg = """$(kubectl config view -o jsonpath='{.contexts[?(@.context.cluster == '"\\"${CLUSTER}\\")].context.user}")"""
 
     kubectl_command_arg = ctx.attr.command
     kubectl_command_arg = ctx.expand_make_variables("kubectl_command", kubectl_command_arg, {})

Edit: I also did this small patch to print the rough kubectl command being run, which turned out enormously helpful:

diff --git skylib/kustomize/kustomize.bzl skylib/kustomize/kustomize.bzl
index 8a82ec7..6a6407f 100644
--- skylib/kustomize/kustomize.bzl
+++ skylib/kustomize/kustomize.bzl
@@ -533,6 +533,9 @@ def _kubectl_impl(ctx):
     namespace = ctx.attr.namespace
     for inattr in ctx.attr.srcs:
         for infile in inattr.files.to_list():
+            statements += "echo Running kubectl {kubectl_command} --cluster=\"$CLUSTER\" --user=\"$USER\" -f ...\n".format(
+                kubectl_command = kubectl_command_arg,
+            )
             statements += "{template_engine} --template={infile} --variable=NAMESPACE={namespace} --stamp_info_file={info_file} | kubectl --cluster=\"$CLUSTER\" --user=\"$USER\" {kubectl_command} -f -\n".format(
                 infile = infile.short_path,
                 kubectl_command = kubectl_command_arg,