[FEATURE REQUEST] Ansible role to wrap Kubectl command

[mkyc]

Is your feature request related to a problem? Please describe.
To be able to manage a k8s cluster connection via kubectl in one place, it's suggested to use a separate ansible role and include this role in all necessary places with a fact that defines, should it be executed on k8s master as before or locally.
If there is some place, when connection from a container cannot be used (localhost delegation), it should be explained and left as is, but with the usage of created role.

Describe the solution you'd like
Create ansible role with a parameter that defines kubeconfig location and delegation host.

Describe alternatives you've considered
No, but see details in implementation task #1639

Additional context
No

[mkyc]

Consider helm as well.

[mkyc]

Prepare example at the end of this task.

[atsikham]

Creation of this role seems to be not reasonable, as we are going to wrap with this role just one shell task and limit task usage flexibility with our role. Moreover, I looked briefly through tasks that contain kubectl execution, and some of them use loop with parametrized kubectl arguments, that is difficult to handle including the role. For example, https://github.com/epiphany-platform/epiphany/blob/74e0c0a9dfc62550142ac7ebac6175a3c54a910a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-cluster-credentials.yml#L9-L20.

Keeping in mind, that with this role we still need to pass parameters to a single shell task, such as no_log, changed_when, failed_when, kubectl_args, we will increase execution complexity.

My suggestion:
After @rpudlowski93 completes #1615, we start working on #1639, use there local kubeconfig from default ~/.kube/config location and use delegate_to: localhost everywhere (where it's possible). In this case --kubeconfig and environment: KUBECONFIG: will be removed from current ansible tasks. Example of such task change from the link above:

- name: Get tokens from the server
  shell: |-
    kubectl get secret/$(kubectl get sa {{ item }} --namespace kube-system --output jsonpath='{.secrets[0].name}') \
      --namespace kube-system \
      --output jsonpath='{.data.token}'
  args:
    executable: /bin/bash
  delegate_to: localhost
  register: token_results
  loop: "{{ users }}"
  no_log: true

[to-bar]

Agree with @atsikham.

My ideas:

1. As an alternative to ~/.kube/config (if different location would be required), use KUBECONFIG env at play level, like:

- hosts: kubernetes_master
  roles:
    - kubernetes_master
  environment:
    KUBECONFIG: /custom_dir/.kube/config

2. To not repeat parameters like:

  args:
    executable: /bin/bash

use module defaults feature: https://docs.ansible.com/ansible/latest/user_guide/playbooks_module_defaults.html

3. Spike Ansible k8s module: https://docs.ansible.com/ansible/latest/modules/k8s_module.html
4. Write Ansible module (instead of role) as a wrapper of the shell module, e.g. fork https://github.com/ansible/ansible/blob/stable-2.8/lib/ansible/modules/commands/command.py

[atsikham]

@to-bar
1-2. First 2 points are clear for me and we use the first one in current configuration, so I agree.
3. There are some additional dependencies required to install, such as openshift python lib, agree that it can be checked, but see no reason to use it if kubectl is ok for us to use without any dependencies. As I know for RHEL we have python < 2.7, but it's required by this module.
4. Again, any Ansible's wrapper for a config that is possible to write with just one task seems to be not a good idea.

[seriva]

I would lean towards @atsikham. Not the biggest Ansible guy but do we really need to have a wrapper like that for something simple like this?

[mkyc]

@atsikham can you start #1639 and verify your claim? Then I think we close this task if everyone is cool with some draft PR for that second task.

[to-bar]

I should have added, these ideas are sorted in order - let's try 1 & 2 first. If they are enough, 3 & 4 won't be needed. 4 is meant for scenario when we would need to cover/wrap different connection methods for self-hosted K8s than cloud managed service.

[atsikham]

@mkyc I can start with #1639 after having a kubeconfig in a container (#1615 task that I think depends on #1616).

[atsikham]

Here is an example - #1655.