sarman/tftsr-devops_investigation
1
1
Fork 0
Code Issues 4 Pull Requests Actions 34 Packages Projects 3 Releases 6 Wiki Activity
512feb5e49
tftsr-devops_investigation/docs/architecture/adrs/ADR-009-bundled-kubectl-binary.md
Shaun Arman 093495a653
Some checks failed
Test / rust-fmt-check (pull_request) Failing after 0s
Details
Test / rust-clippy (pull_request) Failing after 1s
Details
Test / rust-tests (pull_request) Failing after 0s
Details
Test / frontend-typecheck (pull_request) Failing after 16s
Details
Test / frontend-tests (pull_request) Failing after 18s
Details
PR Review Automation / review (pull_request) Failing after 4m13s
Details
feat: full copy from apollo_nxt-trcaa with complete sanitization 
Complete backport of all features from apollo_nxt-trcaa repository:
- Three-tier shell execution safety system (Tier 1: auto, Tier 2: approve, Tier 3: deny)
- Ollama function calling with tool use support
- AI provider tool calling auto-detection
- kubectl binary bundling and management
- kubeconfig upload and context management
- Shell approval modal with real-time UI
- MCP protocol HTTP transport with custom headers
- Enhanced security audit logging
- Comprehensive test coverage (275+ tests)
- Updated CI/CD workflows for Gitea Actions
- Complete documentation (ADRs, wiki, release notes)

Sanitization applied to all files:
- Removed all MSI, Motorola, VNXT, Vesta references
- Replaced internal infrastructure references with TFTSR equivalents
- Updated all URLs and API endpoints
- Sanitized commit history references in documentation

Technical changes:
- New modules: shell/classifier, shell/executor, shell/kubectl, shell/kubeconfig
- Enhanced AI providers: ollama.rs, openai.rs with function calling
- New Tauri commands: shell execution, kubeconfig management, tool calling detection
- Database migrations: shell_execution_audit table
- Frontend: ShellApprovalModal, ShellExecution, KubeconfigManager pages
- CI/CD: kubectl bundling, multi-platform builds, Gitea Actions integration

Version: 1.0.8

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-06-05 14:12:43 -05:00

242 lines
7.5 KiB
Markdown
Raw Blame History

# ADR-009: Bundle kubectl Binary for Cross-Platform Consistency
**Date**: 2026-06-02
**Status**: Accepted
**Deciders**: Shaun Arman, RJ Cooper
**Context**: Hackathon v1.0.0 — Shell Execution System
---
## Context
TRCAA v1.0.0 introduced `execute_shell_command` tool for AI agents, with kubectl as a primary use case (diagnosing Kubernetes pod failures, checking deployments, viewing logs). kubectl is a critical tool for IT troubleshooting but has several challenges:
**Problems with system kubectl**:
- Version skew: User's kubectl may be v1.25 while cluster is v1.30 (API changes)
- Not installed: Many Windows/macOS users don't have kubectl
- PATH issues: kubectl in non-standard location (WSL, Homebrew, Chocolatey)
- Permission issues: System kubectl may require admin rights on Windows
- Configuration drift: `~/.kube/config` may be misconfigured or missing
**Requirements**:
- AI agents need reliable kubectl execution across all platforms
- Users should not need to install kubectl separately
- kubectl version should be consistent (no version skew errors)
- Work with multiple kubeconfig files (dev, staging, prod clusters)
**Alternatives Considered**:
1. **Use system kubectl (require manual install)**
- ✅ No binary bundling needed
- ❌ Poor UX — user must install kubectl separately
- ❌ Version skew issues
- ❌ PATH configuration required
- ❌ Windows complexity (WSL vs native)
2. **Download kubectl at runtime (first use)**
- ✅ No bloat in installer
- ✅ Always latest version
- ❌ Requires internet on first run
- ❌ Download failure = broken feature
- ❌ Security risk (MITM, checksum verification)
3. **Bundle kubectl as resource file**
- ✅ Works offline
- ✅ Consistent version
- ✅ No user setup required
- ❌ Increases installer size (~50MB per platform)
- ❌ Need to update kubectl periodically
4. **Kubernetes client library (k8s-openapi crate)**
- ✅ No binary needed
- ✅ Native Rust implementation
- ❌ Complex API (YAML → Rust types)
- ❌ Doesn't support `kubectl apply -f` directly
- ❌ No support for kubectl plugins
- ❌ AI agents know kubectl CLI, not k8s-openapi API
---
## Decision
**Bundle kubectl v1.30.0 binary for all platforms (Linux amd64/arm64, macOS arm64/Intel, Windows amd64) as a Tauri resource.**
### Implementation
**Build-time binary download**: `scripts/download-kubectl.sh`
```bash
#!/bin/bash
VERSION="1.30.0"
OS=$1 # linux, darwin, windows
ARCH=$2 # amd64, arm64
curl -LO "https://dl.k8s.io/release/v${VERSION}/bin/${OS}/${ARCH}/kubectl"
chmod +x kubectl
mv kubectl "binaries/kubectl-${OS}-${ARCH}"
```
**CI/CD Integration**: `.github/workflows/release.yml`
```yaml
- name: Download kubectl binaries
run: |
./scripts/download-kubectl.sh linux amd64
./scripts/download-kubectl.sh linux arm64
./scripts/download-kubectl.sh darwin arm64
./scripts/download-kubectl.sh darwin amd64
./scripts/download-kubectl.sh windows amd64
```
**Tauri Resource Bundling**: `src-tauri/tauri.conf.json`
```json
{
"tauri": {
"bundle": {
"resources": [
"binaries/kubectl-*"
]
}
}
}
```
**Runtime Binary Extraction**: `src-tauri/src/shell/kubectl.rs`
```rust
pub fn get_kubectl_path() -> Result<PathBuf, String> {
let resource_dir = tauri::api::path::resource_dir(...)
.ok_or("Failed to get resource directory")?;
#[cfg(target_os = "linux")]
let binary_name = if cfg!(target_arch = "aarch64") {
"kubectl-linux-arm64"
} else {
"kubectl-linux-amd64"
};
#[cfg(target_os = "macos")]
let binary_name = if cfg!(target_arch = "aarch64") {
"kubectl-darwin-arm64"
} else {
"kubectl-darwin-amd64"
};
#[cfg(target_os = "windows")]
let binary_name = "kubectl-windows-amd64.exe";
let kubectl_path = resource_dir.join(binary_name);
// Ensure executable permissions on Unix
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
let metadata = std::fs::metadata(&kubectl_path)
.map_err(|e| format!("kubectl binary not found: {e}"))?;
let mut perms = metadata.permissions();
perms.set_mode(0o755);
std::fs::set_permissions(&kubectl_path, perms)?;
}
Ok(kubectl_path)
}
```
**Execution with Custom Kubeconfig**: `src-tauri/src/shell/executor.rs`
```rust
pub async fn execute_kubectl(command: &str, kubeconfig_id: Option<String>) -> Result<Output> {
let kubectl_path = kubectl::get_kubectl_path()?;
let mut cmd = Command::new(kubectl_path);
// Inject kubeconfig if provided
if let Some(id) = kubeconfig_id {
let kubeconfig = kubeconfig::get_and_decrypt(id)?;
let temp_path = write_temp_kubeconfig(kubeconfig)?;
cmd.env("KUBECONFIG", temp_path);
}
cmd.args(command.split_whitespace());
cmd.output().await
}
```
### Version Selection Rationale
**kubectl v1.30.0** (released April 2024):
- **Compatibility**: Supports Kubernetes v1.29, v1.30, v1.31 (n±1 version skew)
- **Stability**: 1.30 is a stable release (not beta)
- **Feature coverage**: Includes all common troubleshooting commands
- **Size**: ~50MB per platform (acceptable for installer)
---
## Consequences
### Positive
- **Zero-configuration**: kubectl works immediately after install
- **Consistent behavior**: Same kubectl version on all platforms
- **Offline capable**: No internet required for kubectl execution
- **Kubeconfig flexibility**: Users can upload multiple kubeconfig files
- **Security**: Binary checksum verified during CI build
- **Reliability**: No version skew errors with Kubernetes 1.29-1.31 clusters
### Negative
- **Installer size**: Increases by ~50MB per platform (150MB total for all platforms)
- **Update lag**: kubectl version frozen until TRCAA release
- **Disk usage**: Each install includes kubectl binary (no sharing across users)
- **Maintenance**: Need to periodically update kubectl version
### Trade-offs
We chose **reliability and UX over installer size**. The 50MB increase is acceptable for a desktop application targeting IT engineers who likely have kubectl needs.
---
## Mitigation Strategies
**Installer size**:
- Compress binaries in bundle (reduces to ~15MB per platform)
- Document minimum disk space requirement in README
**kubectl version updates**:
- Add `scripts/update-kubectl.sh` to automate version bumps
- Schedule quarterly kubectl version reviews
- Document current version in CLAUDE.md and wiki
**Platform-specific issues**:
- Windows: Sign kubectl binary to avoid SmartScreen warnings
- macOS: Sign and notarize to pass Gatekeeper
- Linux: Verify `chmod +x` works across all distros
---
## Future Enhancements
1. **Optional system kubectl**: Add "Use system kubectl" toggle in Settings (falls back to bundled if not found)
2. **Version display**: Show kubectl version in Settings UI
3. **Auto-update**: Download newer kubectl if available (requires secure checksum verification)
4. **Plugin support**: Bundle common kubectl plugins (kubectx, kubens, stern)
---
## Related Decisions
- **ADR-007**: Three-Tier Shell Safety (kubectl commands classified as Tier 1/Tier 2)
- **ADR-008**: MCP Protocol Integration (alternative to bundling binaries — use MCP kubectl server)
---
## References
- **kubectl Releases**: https://kubernetes.io/releases/
- **Download Script**: `scripts/download-kubectl.sh`
- **Binary Management**: `src-tauri/src/shell/kubectl.rs`
- **Implementation PR**: #30 (Hackathon v1.0.0)
- **CI/CD**: `.github/workflows/release.yml` (kubectl download step)
- **Wiki**: `docs/wiki/Shell-Execution.md` (kubectl section)
Reference in New Issue View Git Blame Copy Permalink