
feat: add feature to prevent nested kubeconfig contexts #6555

Merged
agoose77 merged 5 commits into main from agoose77/feat-prohibit-nested-kubeconfig on Aug 15, 2025

Conversation


@agoose77 agoose77 commented Aug 13, 2025

Contributor

I recently targeted the wrong cluster because (I think) of a nested KUBECONFIG context — I invisibly lost the second subshell, and ended up working in the parent context.

This PR allows me to make that harder for myself.

Changes

I made some changes to avoid deploying everything to main here:

  1. Split out use-cluster-credentials into a separate submodule
  2. Ignore deployer/commands/develop/** in CI
  3. Add new DEPLOYER_NO_NESTED_KUBECONFIG flag to deny nested kubeconfig contexts

We should add __init__.py entries to our various submodules, but that's not needed here, so I'm leaving it!

Details

This PR makes it possible for 2i2c engineers to set

export DEPLOYER_NO_NESTED_KUBECONFIG=1

such that sequential deployer use-cluster-credentials invocations fail.

I think this might have avoided the problem I ran into when the kubeconfig context reverted due to a shell error. This would also be ameliorated by setting e.g. a PS1, which I have also done with starship.

I'm biasing to action here -- this is opt-in and I think we are all comfortable with these kinds of small additions.


github-actions Bot commented Aug 13, 2025

Contributor

Merging this PR will trigger the following deployment actions.

Support deployments

No support upgrades will be triggered

Staging deployments

| Cloud Provider | Cluster Name | Hub Name | Reason for Redeploy |
|---|---|---|---|
| gcp | cloudbank | staging | Core infrastructure has been modified |
| gcp | 2i2c-uk | staging | Core infrastructure has been modified |
| aws | ubc-eoas | staging | Core infrastructure has been modified |
| aws | nasa-cryo | staging | Core infrastructure has been modified |
| gcp | hhmi | staging | Core infrastructure has been modified |
| gcp | leap | staging | Core infrastructure has been modified |
| aws | openscapes | staging | Core infrastructure has been modified |
| aws | disasters | staging | Core infrastructure has been modified |
| gcp | 2i2c | staging | Core infrastructure has been modified |
| gcp | 2i2c | dask-staging | Core infrastructure has been modified |
| gcp | 2i2c | ucmerced-staging | Core infrastructure has been modified |
| gcp | catalystproject-latam | staging | Core infrastructure has been modified |
| kubeconfig | utoronto | staging | Core infrastructure has been modified |
| kubeconfig | utoronto | r-staging | Core infrastructure has been modified |
| aws | strudel | staging | Core infrastructure has been modified |
| aws | nasa-veda | staging | Core infrastructure has been modified |
| aws | earthscope | staging | Core infrastructure has been modified |
| gcp | climatematch | staging | Core infrastructure has been modified |
| aws | victor | staging | Core infrastructure has been modified |
| aws | smithsonian | staging | Core infrastructure has been modified |
| aws | maap | staging | Core infrastructure has been modified |
| aws | berkeley-geojupyter | staging | Core infrastructure has been modified |
| aws | catalystproject-africa | staging | Core infrastructure has been modified |
| aws | reflective | staging | Core infrastructure has been modified |
| kubeconfig | 2i2c-jetstream2 | staging | Core infrastructure has been modified |
| aws | nasa-ghg | staging | Core infrastructure has been modified |
| aws | jupyter-health | staging | Core infrastructure has been modified |
| aws | opensci | staging | Core infrastructure has been modified |
| aws | nmfs-openscapes | staging | Core infrastructure has been modified |
| aws | neurohackademy | staging | Core infrastructure has been modified |
| aws | 2i2c-aws-us | staging | Core infrastructure has been modified |
| aws | 2i2c-aws-us | dask-staging | Core infrastructure has been modified |
| aws | projectpythia | staging | Core infrastructure has been modified |
| gcp | awi-ciroh | staging | Core infrastructure has been modified |

Production deployments

| Cloud Provider | Cluster Name | Hub Name | Reason for Redeploy |
|---|---|---|---|
| gcp | cloudbank | authoring | Core infrastructure has been modified |
| gcp | cloudbank | bcc | Core infrastructure has been modified |
| gcp | cloudbank | chaffey | Core infrastructure has been modified |
| gcp | cloudbank | ccsf | Core infrastructure has been modified |
| gcp | cloudbank | chabot | Core infrastructure has been modified |
| gcp | cloudbank | csm | Core infrastructure has been modified |
| gcp | cloudbank | csum | Core infrastructure has been modified |
| gcp | cloudbank | demo | Core infrastructure has been modified |
| gcp | cloudbank | dvc | Core infrastructure has been modified |
| gcp | cloudbank | elac | Core infrastructure has been modified |
| gcp | cloudbank | elcamino | Core infrastructure has been modified |
| gcp | cloudbank | evc | Core infrastructure has been modified |
| gcp | cloudbank | fresno | Core infrastructure has been modified |
| gcp | cloudbank | foothill | Core infrastructure has been modified |
| gcp | cloudbank | glendale | Core infrastructure has been modified |
| gcp | cloudbank | golden | Core infrastructure has been modified |
| gcp | cloudbank | high | Core infrastructure has been modified |
| gcp | cloudbank | humboldt | Core infrastructure has been modified |
| gcp | cloudbank | lacc | Core infrastructure has been modified |
| gcp | cloudbank | lahc | Core infrastructure has been modified |
| gcp | cloudbank | laney | Core infrastructure has been modified |
| gcp | cloudbank | lavc | Core infrastructure has been modified |
| gcp | cloudbank | lbcc | Core infrastructure has been modified |
| gcp | cloudbank | mendocino | Core infrastructure has been modified |
| gcp | cloudbank | merced | Core infrastructure has been modified |
| gcp | cloudbank | merritt | Core infrastructure has been modified |
| gcp | cloudbank | miracosta | Core infrastructure has been modified |
| gcp | cloudbank | mission | Core infrastructure has been modified |
| gcp | cloudbank | moreno | Core infrastructure has been modified |
| gcp | cloudbank | norco | Core infrastructure has been modified |
| gcp | cloudbank | palomar | Core infrastructure has been modified |
| gcp | cloudbank | pasadena | Core infrastructure has been modified |
| gcp | cloudbank | redwoods | Core infrastructure has been modified |
| gcp | cloudbank | reedley | Core infrastructure has been modified |
| gcp | cloudbank | riohondo | Core infrastructure has been modified |
| gcp | cloudbank | saddleback | Core infrastructure has been modified |
| gcp | cloudbank | sbcc | Core infrastructure has been modified |
| gcp | cloudbank | sbcc-dev | Core infrastructure has been modified |
| gcp | cloudbank | sierra | Core infrastructure has been modified |
| gcp | cloudbank | sjcc | Core infrastructure has been modified |
| gcp | cloudbank | sjsu | Core infrastructure has been modified |
| gcp | cloudbank | skyline | Core infrastructure has been modified |
| gcp | cloudbank | srjc | Core infrastructure has been modified |
| gcp | cloudbank | tuskegee | Core infrastructure has been modified |
| gcp | cloudbank | ucsc | Core infrastructure has been modified |
| gcp | cloudbank | wlac | Core infrastructure has been modified |
| gcp | 2i2c-uk | lis | Core infrastructure has been modified |
| aws | ubc-eoas | prod | Core infrastructure has been modified |
| aws | nasa-cryo | prod | Core infrastructure has been modified |
| gcp | hhmi | spyglass | Core infrastructure has been modified |
| gcp | hhmi | binder | Core infrastructure has been modified |
| gcp | leap | prod | Core infrastructure has been modified |
| gcp | leap | public | Core infrastructure has been modified |
| aws | openscapes | prod | Core infrastructure has been modified |
| aws | openscapes | workshop | Core infrastructure has been modified |
| aws | disasters | prod | Core infrastructure has been modified |
| kubeconfig | projectpythia-binder | binderhub | Core infrastructure has been modified |
| gcp | 2i2c | imagebuilding-demo | Core infrastructure has been modified |
| gcp | 2i2c | binderhub-ui-demo | Core infrastructure has been modified |
| gcp | 2i2c | demo | Core infrastructure has been modified |
| gcp | 2i2c | temple | Core infrastructure has been modified |
| gcp | 2i2c | ucmerced | Core infrastructure has been modified |
| gcp | 2i2c | mtu | Core infrastructure has been modified |
| gcp | catalystproject-latam | unitefa-conicet | Core infrastructure has been modified |
| gcp | catalystproject-latam | cicada | Core infrastructure has been modified |
| gcp | catalystproject-latam | gita | Core infrastructure has been modified |
| gcp | catalystproject-latam | iner | Core infrastructure has been modified |
| gcp | catalystproject-latam | plnc | Core infrastructure has been modified |
| gcp | catalystproject-latam | unam | Core infrastructure has been modified |
| gcp | catalystproject-latam | cabana | Core infrastructure has been modified |
| gcp | catalystproject-latam | nnb-ccg | Core infrastructure has been modified |
| gcp | catalystproject-latam | labi | Core infrastructure has been modified |
| gcp | catalystproject-latam | areciboc3 | Core infrastructure has been modified |
| gcp | catalystproject-latam | valledellili | Core infrastructure has been modified |
| kubeconfig | utoronto | prod | Core infrastructure has been modified |
| kubeconfig | utoronto | r-prod | Core infrastructure has been modified |
| kubeconfig | utoronto | highmem | Core infrastructure has been modified |
| aws | strudel | prod | Core infrastructure has been modified |
| aws | nasa-veda | prod | Core infrastructure has been modified |
| aws | nasa-veda | binder | Core infrastructure has been modified |
| aws | earthscope | prod | Core infrastructure has been modified |
| aws | earthscope | binder | Core infrastructure has been modified |
| gcp | climatematch | prod | Core infrastructure has been modified |
| aws | victor | prod | Core infrastructure has been modified |
| aws | smithsonian | prod | Core infrastructure has been modified |
| aws | maap | prod | Core infrastructure has been modified |
| aws | berkeley-geojupyter | prod | Core infrastructure has been modified |
| aws | catalystproject-africa | nm-aist | Core infrastructure has been modified |
| aws | catalystproject-africa | must | Core infrastructure has been modified |
| aws | catalystproject-africa | uvri | Core infrastructure has been modified |
| aws | catalystproject-africa | wits | Core infrastructure has been modified |
| aws | catalystproject-africa | kush | Core infrastructure has been modified |
| aws | catalystproject-africa | molerhealth | Core infrastructure has been modified |
| aws | catalystproject-africa | aibst | Core infrastructure has been modified |
| aws | catalystproject-africa | bhki | Core infrastructure has been modified |
| aws | catalystproject-africa | bon | Core infrastructure has been modified |
| aws | reflective | prod | Core infrastructure has been modified |
| aws | reflective | workshop | Core infrastructure has been modified |
| gcp | dubois | ephemeral | Core infrastructure has been modified |
| aws | nasa-ghg | prod | Core infrastructure has been modified |
| aws | nasa-ghg | binder | Core infrastructure has been modified |
| aws | jupyter-health | prod | Core infrastructure has been modified |
| aws | opensci | sciencecore | Core infrastructure has been modified |
| aws | opensci | climaterisk | Core infrastructure has been modified |
| aws | opensci | small-binder | Core infrastructure has been modified |
| aws | opensci | big-binder | Core infrastructure has been modified |
| aws | nmfs-openscapes | prod | Core infrastructure has been modified |
| aws | nmfs-openscapes | workshop | Core infrastructure has been modified |
| aws | nmfs-openscapes | noaa-only | Core infrastructure has been modified |
| aws | neurohackademy | prod | Core infrastructure has been modified |
| aws | 2i2c-aws-us | showcase | Core infrastructure has been modified |
| aws | projectpythia | prod | Core infrastructure has been modified |
| aws | projectpythia | pythia-binder | Core infrastructure has been modified |
| gcp | awi-ciroh | prod | Core infrastructure has been modified |
| gcp | awi-ciroh | workshop | Core infrastructure has been modified |

@agoose77 agoose77 requested a review from yuvipanda August 13, 2025 13:17

@yuvipanda yuvipanda left a comment

Member


This is a great response to solving the class of problems that caused that outage. Starship works for me but may not work for you! This also means you must exit out of a subshell before running use-cluster-credentials again. But the fact that this is 'opt-in' makes this safe because it doesn't change it for everyone.

I did leave a comment about an additional check you must make to make sure that you aren't in a nested context. I'd also like you to add at least a minimal one line piece of doc somewhere. After the check and the doc you can totally just merge.

Comment thread deployer/commands/deployer.py
@agoose77

Contributor Author

I've added a test for non-empty ~/.kube/config files. This lets me define kubeconfig as a read-only empty file on my system, which helps in other contexts.
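The guard described in this PR (the opt-in DEPLOYER_NO_NESTED_KUBECONFIG flag from the description, plus the non-empty ~/.kube/config check added during review), written out as an added Python example. This is not the 2i2c deployer's own code: it assumes that an active context is signalled either by the KUBECONFIG variable being set or by a non-empty ~/.kube/config, that the flag is parsed as a truthy string, and every function and exception name below is this example's own.

```python
"""Opt-in guard against nested kubeconfig contexts.

Added example modelled on the PR description; not the 2i2c deployer's own
code. Assumptions (not stated on the page): an active context is signalled by
KUBECONFIG being set or by a non-empty ~/.kube/config, the flag is parsed as a
truthy string, and all function/exception names below are this example's own.
"""
import os
import tempfile
from pathlib import Path

FLAG = "DEPLOYER_NO_NESTED_KUBECONFIG"  # the opt-in flag named in the PR
TRUTHY = {"1", "true", "yes", "on"}     # assumed parsing of the flag's value


class NestedKubeconfigError(RuntimeError):
    """Raised when the guard is on and a kubeconfig context is already active."""


def guard_enabled(env):
    """True when the operator has opted in by exporting FLAG to a truthy value."""
    return env.get(FLAG, "").strip().lower() in TRUTHY


def active_context_reason(env, home):
    """Return why a context looks active, or None if the shell looks clean.

    Signal 1: KUBECONFIG is set (assumed: use-cluster-credentials exports a
    per-subshell kubeconfig path). Signal 2: ~/.kube/config exists and is
    non-empty. An empty, read-only ~/.kube/config is deliberately tolerated,
    matching the follow-up in the review thread.
    """
    kubeconfig = env.get("KUBECONFIG", "")
    if kubeconfig:
        return f"KUBECONFIG is already set ({kubeconfig})"
    default = Path(home) / ".kube" / "config"
    if default.is_file() and default.stat().st_size > 0:
        return f"{default} exists and is non-empty"
    return None


def check_no_nested_kubeconfig(env=None, home=None):
    """Refuse to start a nested context; no-op unless the guard is enabled."""
    env = dict(os.environ) if env is None else env
    home = Path.home() if home is None else Path(home)
    if not guard_enabled(env):
        return None
    reason = active_context_reason(env, home)
    if reason is not None:
        raise NestedKubeconfigError(
            f"refusing to start a nested kubeconfig context: {reason}. "
            f"Exit the current subshell first, or unset {FLAG} to override."
        )
    return None


def run_scenarios():
    """Exercise the guard against a throwaway HOME; maps scenario -> outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        kube_dir = Path(home) / ".kube"
        kube_dir.mkdir()

        def outcome(env):
            try:
                check_no_nested_kubeconfig(env, home)
                return "allowed"
            except NestedKubeconfigError:
                return "blocked"

        # Constructed placeholder path standing in for the deployer's temp kubeconfig.
        nested = "/tmp/deployer-kubeconfig"
        # Guard off (pre-PR behaviour): a second invocation is never refused.
        results["flag_unset"] = outcome({"KUBECONFIG": nested})
        # Guard on, fresh shell: allowed.
        results["fresh_shell"] = outcome({FLAG: "1"})
        # Guard on, already inside a credentialed subshell: refused.
        results["nested_via_env"] = outcome({FLAG: "1", "KUBECONFIG": nested})
        # Guard on, empty read-only ~/.kube/config: still allowed.
        config = kube_dir / "config"
        config.touch()
        config.chmod(0o444)
        results["empty_default_config"] = outcome({FLAG: "1"})
        # Guard on, populated ~/.kube/config (constructed sample): refused.
        config.chmod(0o644)
        config.write_text("apiVersion: v1\nkind: Config\ncurrent-context: prod\n")
        results["populated_default_config"] = outcome({FLAG: "1"})
    return results


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:>24}: {result}")
```

Because the check is a no-op without the flag, default behaviour is unchanged for colleagues who have not opted in. The guard only refuses a second invocation; as the review notes, you must exit the subshell before running use-cluster-credentials again, and a subshell that dies silently still leaves you in the parent context, which is why a prompt that shows the current context remains the complementary control.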

@agoose77

Contributor Author

I've addressed Yuvi's review — now merging.

@agoose77

Contributor Author

Thanks @yuvipanda — starship is already useful for me (I had not noticed that it has k8s turned off by default). However, I also like to work defensively — given that I use a tiling window manager, it's trivial to spin up a new terminal context, and that brings some helpful spatial identity to working on different clusters!

I acknowledge that to some (not you!) this may feel all a little overboard, but it feels like a low barrier to feeling safer.

@agoose77 agoose77 merged commit f5f5c2f into main Aug 15, 2025
43 checks passed
@agoose77 agoose77 deleted the agoose77/feat-prohibit-nested-kubeconfig branch August 15, 2025 10:36