From a689c8b8759ad56b694a970bcc8dc73a8f90f45c Mon Sep 17 00:00:00 2001
From: "Fabio M. Graetz, Ph.D"
Date: Wed, 5 Jun 2024 23:41:01 +0200
Subject: [PATCH] Feat: Allow using in-cluster creds in control plane cluster in a multi-cluster deployment (#5403)
* Allow using in-cluster creds in control plane cluster in multi-cluster deployment
Signed-off-by: Fabio Graetz
* Check inCluster flag in cluster config test
Signed-off-by: Fabio Graetz
---------
Signed-off-by: Fabio Graetz
---
 docs/deployment/deployment/multicluster.rst | 18 ++++++++++++++++--
 flyteadmin/pkg/flytek8s/client.go | 2 +-
 flyteadmin/pkg/runtime/config_provider_test.go | 13 +++++++++++--
 .../interfaces/cluster_configuration.go | 1 +
 .../pkg/runtime/testdata/clusters_config.yaml | 3 +++
 5 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/docs/deployment/deployment/multicluster.rst b/docs/deployment/deployment/multicluster.rst
index 23a1169c08..f6633e7a04 100644
--- a/docs/deployment/deployment/multicluster.rst
+++ b/docs/deployment/deployment/multicluster.rst
@@ -386,8 +386,22 @@ label has to be 1.
 .. note::
 This step will disable ``flytepropeller`` in the control plane cluster, leaving no possibility of running workflows there. If you require
- the control plane to run workflows, edit the ``values-controlplane.yaml`` file and set ``flytepropeller.enabled`` to ``true``. Then, perform the ``helm upgrade`` operation and complete the steps in :ref:`this section ` to configure it
- as a dataplane cluster.
+ the control plane to run workflows, edit the ``values-controlplane.yaml`` file and set ``flytepropeller.enabled`` to ``true`` and add one
+ additional cluster config for the control plane cluster itself:
+
+ .. code-block:: yaml
+ :caption: values-override.yaml
+
+ configmap:
+ clusters:
+ clusterConfigs:
+ - name: "dataplane_1"
+ ...
+ - name: "controlplane"
+ enabled: true
+ inCluster: true # Use in-cluster credentials
+
+ Then, perform the ``helm upgrade`` operation.
 .. tab-set::
diff --git a/flyteadmin/pkg/flytek8s/client.go b/flyteadmin/pkg/flytek8s/client.go
index fda427a84c..340e4319b0 100644
--- a/flyteadmin/pkg/flytek8s/client.go
+++ b/flyteadmin/pkg/flytek8s/client.go
@@ -54,7 +54,7 @@ func GetRestClientConfig(kubeConfigPathString, master string,
 return nil, errors.NewFlyteAdminErrorf(codes.InvalidArgument, "Error building kubeconfig: %v", err)
 }
 logger.Debugf(context.Background(), "successfully loaded kube config from %s", kubeConfigPathString)
- } else if k8sCluster != nil {
+ } else if k8sCluster != nil && !k8sCluster.InCluster {
 kubeConfiguration, err = RemoteClusterConfig(k8sCluster.Endpoint, k8sCluster.Auth)
 if err != nil {
 return nil, err
diff --git a/flyteadmin/pkg/runtime/config_provider_test.go b/flyteadmin/pkg/runtime/config_provider_test.go
index 7f61cd2e07..06dc6bb6d6 100644
--- a/flyteadmin/pkg/runtime/config_provider_test.go
+++ b/flyteadmin/pkg/runtime/config_provider_test.go
@@ -32,7 +32,7 @@ func TestClusterConfig(t *testing.T) {
 configProvider := NewConfigurationProvider()
 clusterConfig := configProvider.ClusterConfiguration()
 clusters := clusterConfig.GetClusterConfigs()
- assert.Equal(t, 2, len(clusters))
+ assert.Equal(t, 3, len(clusters))
 assert.Equal(t, "testcluster", clusters[0].Name)
 assert.Equal(t, "testcluster_endpoint", clusters[0].Endpoint)
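Review bot: In `GetRestClientConfig` (flyteadmin/pkg/flytek8s/client.go), the new guard `k8sCluster != nil && !k8sCluster.InCluster` skips `RemoteClusterConfig` whenever `InCluster` is set, so an entry that also carries `Endpoint` or `Auth` has those fields ignored without an error or a log line. A mistyped `inCluster: true` on a remote data plane entry would then be served with whatever credentials the fallback branch loads, presumably flyteadmin's own service account against the local cluster. I would reject the combination before the branch, e.g. `if k8sCluster != nil && k8sCluster.InCluster && k8sCluster.Endpoint != "" { return nil, errors.NewFlyteAdminErrorf(codes.InvalidArgument, "cluster %s sets both inCluster and endpoint", k8sCluster.Name) }`. The fallback branch and the rest of the function lie outside the hunk, so the in-cluster path itself could not be checked here.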
@@ -40,14 +40,23 @@ func TestClusterConfig(t *testing.T) {
 assert.Equal(t, "/path/to/testcluster/token", clusters[0].Auth.TokenPath)
 assert.Equal(t, "file_path", clusters[0].Auth.Type)
 assert.False(t, clusters[0].Enabled)
+ assert.Equal(t, false, clusters[0].InCluster)
 assert.Equal(t, "testcluster2", clusters[1].Name)
 assert.Equal(t, "testcluster2_endpoint", clusters[1].Endpoint)
 assert.Equal(t, "/path/to/testcluster2/cert", clusters[1].Auth.CertPath)
 assert.Equal(t, "/path/to/testcluster2/token", clusters[1].Auth.TokenPath)
 assert.True(t, clusters[1].Enabled)
- assert.Equal(t, "file_path", clusters[1].Auth.Type)
+ assert.Equal(t, false, clusters[1].InCluster)
+
+ assert.Equal(t, "testcluster3", clusters[2].Name)
+ assert.Equal(t, "", clusters[2].Endpoint)
+ assert.Equal(t, "", clusters[2].Auth.CertPath)
+ assert.Equal(t, "", clusters[2].Auth.TokenPath)
+ assert.True(t, clusters[2].Enabled)
+ assert.Equal(t, "", clusters[2].Auth.Type)
+ assert.Equal(t, true, clusters[2].InCluster)
 }
 func TestGetCloudEventsConfig(t *testing.T) {
diff --git a/flyteadmin/pkg/runtime/interfaces/cluster_configuration.go b/flyteadmin/pkg/runtime/interfaces/cluster_configuration.go
index 501d64aec5..b6a37637f1 100644
--- a/flyteadmin/pkg/runtime/interfaces/cluster_configuration.go
+++ b/flyteadmin/pkg/runtime/interfaces/cluster_configuration.go
@@ -15,6 +15,7 @@ type ClusterConfig struct {
 Auth Auth `json:"auth"`
 Enabled bool `json:"enabled"`
 KubeClientConfig *config.KubeClientConfig `json:"kubeClientConfig,omitempty"`
+ InCluster bool `json:"inCluster"`
 }
 type Auth struct {
diff --git a/flyteadmin/pkg/runtime/testdata/clusters_config.yaml b/flyteadmin/pkg/runtime/testdata/clusters_config.yaml
index d391648ca5..92f5deee6b 100644
--- a/flyteadmin/pkg/runtime/testdata/clusters_config.yaml
+++ b/flyteadmin/pkg/runtime/testdata/clusters_config.yaml
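Review bot: The second hunk of `TestClusterConfig` removes `assert.Equal(t, "file_path", clusters[1].Auth.Type)` and adds nothing in its place, so the auth type of `testcluster2` is no longer checked even though the fixture still sets `type: "file_path"` for that entry. This looks unintended; the line should stay next to the new `InCluster` assertion. As a smaller style point, the added checks could read `assert.False(t, clusters[1].InCluster)` and `assert.True(t, clusters[2].InCluster)` to match the `Enabled` assertions beside them.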
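Review bot: The new `InCluster` field on `ClusterConfig` has no comment, and its effect on the neighbouring fields cannot be read from the struct alone. Because it decides which credentials flyteadmin uses to reach the cluster, I would document it on the field, e.g. `// InCluster makes flyteadmin use its own in-cluster credentials for this cluster; Endpoint and Auth are not used when it is true.` That wording follows the client.go change in this commit, where `RemoteClusterConfig(k8sCluster.Endpoint, k8sCluster.Auth)` is skipped once the flag is set.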
@@ -13,3 +13,6 @@ clusters:
 type: "file_path"
 tokenPath: "/path/to/testcluster2/token"
 certPath: "/path/to/testcluster2/cert"
+ - name: "testcluster3"
+ enabled: true
+ inCluster: true