k8s-multicluster-ingress

Do not require application-default credentials

Open ahmetb opened this issue 6 years ago • 6 comments

Do not require this command:

 gcloud auth application-default login

There are a lot of tools that depend on gcloud credentials that work without requiring this.

The way they do it is to run

 gcloud config config-helper --format=json

and parse the token from there directly. This is also how kubectl authenticates to GKE.

This step (1) is unnecessary, (2) interferes with the user's current ADC config, (3) creates a side effect on the user's system, and (4) makes the kubemci tutorial longer. Please consider changing soon, or I may send a patch.

ahmetb avatar Mar 28 '18 16:03 ahmetb

Thanks for filing this issue @ahmetb

A patch will be most welcome :) Note that it will have to be this week to make it into 0.4.

nikhiljindal avatar Mar 28 '18 17:03 nikhiljindal

I tried, it seems nontrivial. You likely need to specify a custom oauth2.TokenSource to all googleapi clients.

ahmetb avatar Mar 28 '18 17:03 ahmetb

Is this a Beta blocker?

G-Harmon avatar Mar 29 '18 21:03 G-Harmon

Shouldn't be. But I have reason to think it should be doable fairly easily. Projects like container-builder-local or kubectl's gcp auth plugin use it. So there's a fair amount of golang code in this space.

This code execs out to gcloud to get a token: https://github.com/kubernetes/client-go/blob/88e8ea169afa2918712ce2bc64fc1e2d11d72b12/plugin/pkg/client/auth/gcp/gcp.go#L277-L291

Then you should be able to use the client constructor/options to give a custom token source to the auto-generated clients.

ahmetb avatar Mar 29 '18 22:03 ahmetb
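The approach discussed in this thread (exec `gcloud config config-helper --format=json`, parse the token, and hand it to the API clients), as an added example that is not code from kubemci or client-go. `credential`, `GcloudSource` and `runGcloud` are hypothetical names, and the JSON fields `credential.access_token` and `credential.token_expiry` are assumed from the helper's output format; a thin wrapper returning these values as an `oauth2.Token` would make it usable as the custom token source mentioned above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"sync"
	"time"
)

type credential struct { // "credential" object of the config-helper JSON (assumed field names)
	AccessToken string    `json:"access_token"`
	TokenExpiry time.Time `json:"token_expiry"` // RFC 3339 timestamp
}

// GcloudSource (hypothetical name) caches the helper's token; Run is injectable for tests.
type GcloudSource struct {
	Run func() ([]byte, error)
	mu  sync.Mutex
	cur credential
}

func runGcloud() ([]byte, error) {
	return exec.Command("gcloud", "config", "config-helper", "--format=json").Output()
}

// Token reuses the cached token until under a minute remains; errors never echo raw output.
func (s *GcloudSource) Token() (string, time.Time, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cur.AccessToken != "" && time.Now().Add(time.Minute).Before(s.cur.TokenExpiry) {
		return s.cur.AccessToken, s.cur.TokenExpiry, nil
	}
	raw, err := s.Run()
	if err != nil {
		return "", time.Time{}, fmt.Errorf("config-helper: %w", err)
	}
	var out struct{ Credential credential `json:"credential"` }
	err = json.Unmarshal(raw, &out)
	if c := out.Credential; err != nil || c.AccessToken == "" || !time.Now().Before(c.TokenExpiry) {
		return "", time.Time{}, fmt.Errorf("config-helper: no usable, unexpired token in output")
	}
	s.cur = out.Credential
	return s.cur.AccessToken, s.cur.TokenExpiry, nil
}

func main() {
	_, exp, err := (&GcloudSource{Run: runGcloud}).Token()
	fmt.Println("expires:", exp, "err:", err) // the token itself is never printed
}
```

Because the helper output contains a live bearer token, the error paths return fixed messages rather than the raw bytes, so the token cannot end up in logs.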

Yes, if possible we will try to get it in. Not a blocker.

nikhiljindal avatar Mar 30 '18 06:03 nikhiljindal

Just wasted some time due to this requirement. If the command gcloud auth application-default login is not used, then kubemci fails with an error similar to the following:

 E0416 21:51:43.392608 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }
 E0416 21:51:44.494521 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }
 E0416 21:51:45.986165 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }

lpellegr avatar Apr 16 '19 20:04 lpellegr