
Investigate impact of kubectl Auth changes in dapr CLI

Open mukundansundar opened this issue 3 years ago • 19 comments

Describe the proposal

There are a couple of warnings that can be seen in Azure auth and GCP auth for kubectl

// deprecated in v1.22, remove in v1.25
warnOnce.Do(func() {
	klog.Warningf(`WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.26+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins`)
})

warnOnce.Do(func() {
	klog.Warningf(`WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke`)
})

Additionally, in the next version of kubectl it seems that both Azure and GCP auth are removed.

On another note, the go-autorest package from Azure being used for auth is also being deprecated from March 31 2023.

This issue is to investigate the impact it will have in dapr CLI and also provide solutions for the same.

Release Note

RELEASE NOTE:

mukundansundar avatar Oct 20 '22 03:10 mukundansundar

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot avatar Nov 19 '22 03:11 dapr-bot

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot avatar Dec 19 '22 04:12 dapr-bot

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot avatar Jan 18 '23 04:01 dapr-bot

The CLI shouldn't change. We assume users have the needed plugins/tools and prerequisites to authenticate their kubectl.

yaron2 avatar Jan 27 '23 07:01 yaron2

Related links https://github.com/kubernetes/client-go/blob/release-1.25/plugin/pkg/client/auth/gcp/gcp.go#L119

mukundansundar avatar Jan 27 '23 10:01 mukundansundar

> The CLI shouldn't change. We assume users have the needed plugins/tools and prerequisites to authenticate their kubectl.

@yaron2 Isn't the dapr CLI using the client-go library for communicating with the k8s server? If the authentication mechanism is not there then won't the dapr CLI not be able to communicate with the api server?

Relevant code in Dapr CLI: https://github.com/dapr/cli/blob/master/pkg/kubernetes/client.go#L26-L35

mukundansundar avatar Jan 27 '23 10:01 mukundansundar

> > The CLI shouldn't change. We assume users have the needed plugins/tools and prerequisites to authenticate their kubectl.

> @yaron2 Isn't the dapr CLI using the client-go library for communicating with the k8s server? If the authentication mechanism is not there then won't the dapr CLI not be able to communicate with the api server?

> Relevant code in Dapr CLI: https://github.com/dapr/cli/blob/master/pkg/kubernetes/client.go#L26-L35

Yes, but the CLI client-go library already assumes you have a kube config file locally, so we can safely assume that the authentication mechanism is in place. If it's not, we error out so users can know to put the required config in place.

yaron2 avatar Jan 27 '23 15:01 yaron2

@yaron2 As discussed offline, the lib will remain as it is in CLI, until 1.26 becomes the minimum supported version in k8s. Then this lib will be updated and the auth plugin imports removed. For the current scenario, we agreed that as long as kubectl has the correct auth (via separate auth plugin tools) in the kube config file, dapr CLI will work as expected.

mukundansundar avatar Jan 30 '23 20:01 mukundansundar
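
A pre-flight check for the situation discussed above, as an added example (not part of the thread and not dapr CLI code): it reads the JSON form of a kubeconfig, as produced by `kubectl config view -o json`, and reports users that still depend on an in-tree auth-provider rather than an exec credential plugin. `LegacyAuthUsers`, `removedProviders` and the sample config are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Auth-provider names this thread reports as removed from newer client-go.
var removedProviders = map[string]bool{"azure": true, "gcp": true, "openstack": true}

// kubeconfig models only the fields this check needs.
type kubeconfig struct {
	Users []struct {
		Name string `json:"name"`
		User struct {
			AuthProvider *struct {
				Name string `json:"name"`
			} `json:"auth-provider"`
		} `json:"user"`
	} `json:"users"`
}

// LegacyAuthUsers (hypothetical helper) maps each user name to the removed auth-provider
// it still relies on. Exec-plugin users have no auth-provider stanza and are not reported.
func LegacyAuthUsers(raw []byte) (map[string]string, error) {
	var cfg kubeconfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse kubeconfig JSON: %w", err)
	}
	legacy := map[string]string{}
	for _, u := range cfg.Users {
		if ap := u.User.AuthProvider; ap != nil && removedProviders[ap.Name] {
			legacy[u.Name] = ap.Name
		}
	}
	return legacy, nil
}

// sampleConfig is constructed for this example, not taken from a real cluster.
const sampleConfig = `{"users":[
 {"name":"aks-old","user":{"auth-provider":{"name":"azure","config":{}}}},
 {"name":"gke-old","user":{"auth-provider":{"name":"gcp"}}},
 {"name":"aks-new","user":{"exec":{"apiVersion":"client.authentication.k8s.io/v1beta1","command":"kubelogin"}}}
]}`

func main() {
	legacy, err := LegacyAuthUsers([]byte(sampleConfig))
	fmt.Println(legacy, err)
}
```

Any user it reports needs its kubeconfig entry regenerated with the external tool (kubelogin or gcloud, per the deprecation warnings quoted in the issue) before a client built on client-go v0.26+ can authenticate.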

Not sure whether this matters @mukundansundar but contrib and dapr/dapr use v0.26.1 of Kubernetes libraries.

berndverst avatar Jan 30 '23 23:01 berndverst

> Not sure whether this matters @mukundansundar but contrib and dapr/dapr use v0.26.1 of Kubernetes libraries.

This will be a problem since dapr/dapr module will be imported in CLI and if that forces the 0.26.1 version of K8s then the auth inclusions need to be removed from CLI.... @yaron2 thoughts?

mukundansundar avatar Jan 31 '23 08:01 mukundansundar

We are importing openstack auth here - https://github.com/dapr/cli/blob/778b2a593368d4f10179e91d15df36683c4aa497/pkg/kubernetes/client.go#L35

which has been removed in latest client-go - https://github.com/kubernetes/client-go/tree/master/plugin/pkg/client/auth

This might be a breaking change?

pravinpushkar avatar Jan 31 '23 08:01 pravinpushkar

0.26.1 version of client-go lib is the one that CLI is forced to use with the import of latest dapr/dapr module. In that all auth plugins have been removed. This will be a breaking change .... since we require auth to be done by an external plugin before using kubectl or dapr CLI ...

mukundansundar avatar Jan 31 '23 08:01 mukundansundar

Breaking change since most probably dapr CLI v1.10 will not be compatible with K8s versions below 1.26 ... Thoughts on this @yaron2 ?

mukundansundar avatar Jan 31 '23 08:01 mukundansundar

We could downgrade it but we must do so in both contrib and dapr/dapr to the same versions.

I would prefer to use newer versions however.

Is it possible to do a replace directive in the CLI go.mod? Pinning an older version of all the relevant kubernetes SDKs? (See dapr/dapr go.mod)

berndverst avatar Jan 31 '23 08:01 berndverst

The above method seems to work. RC.1 is cut with pinning to v0.25.2 using a replace directive.

mukundansundar avatar Jan 31 '23 16:01 mukundansundar

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

dapr-bot avatar Mar 02 '23 17:03 dapr-bot

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.

dapr-bot avatar Mar 09 '23 17:03 dapr-bot

> remain as it is in CLI, until 1.26 becomes the minimum support version in k8s. Then this lib will be updated and the auth plugin imports removed.

@yaron2 The active support for 1.25 is ending end of August. I am thinking we can make this a breaking change in 1.12 and switch to using 1.26 or 1.27 version of the library.

WDYT?

mukundansundar avatar Jul 26 '23 08:07 mukundansundar

> > remain as it is in CLI, until 1.26 becomes the minimum support version in k8s. Then this lib will be updated and the auth plugin imports removed.

> @yaron2 The active support for 1.25 is ending end of August. I am thinking we can make this a breaking change in 1.12 and switch to using 1.26 or 1.27 version of the library.

> WDYT?

Do it in 1.13 or 1.14. In AKS 1.25 is maintained a bit longer, until December 2023. https://learn.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli @mukundansundar

berndverst avatar Jul 27 '23 05:07 berndverst