setup-gcloud icon indicating copy to clipboard operation
setup-gcloud copied to clipboard

Published 20 hours ago verified publisher icon google-github-actions

gcp auth plugin is deprecated in v1.22+

Open rd-michel opened this issue 3 years ago • 15 comments

Hello guys,

current deprecation warning in one of our deployments (google-github-actions/auth@v0):

4727 gcp.go:120] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead. To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

is this issue already addressed/fixed in a newer version of the setup-gcloud action?

rd-michel avatar May 25 '22 11:05 rd-michel

Hi @rd-michel

Could you please share your action.yml so we can reproduce? That error is coming from gcp.go, which is not a file in this repo, so it's difficult to understand exactly what's going on without seeing the action.yml.

sethvargo avatar May 25 '22 12:05 sethvargo

@rd-michel If you are generating credentials via gcloud container clusters get-credentials, you can install the new auth plugin component gke-gcloud-auth-plugin via this input or you can switch to our native action https://github.com/google-github-actions/get-gke-credentials

bharathkkb avatar May 25 '22 14:05 bharathkkb

Hi @bharathkkb ~~I would like to confirm that my understanding is correct.~~

~~I understand that the former method would require setting USE_GKE_GCLOUD_AUTH_PLUGIN=True in the environment variable of all github actions that use kubectl.~~ ~~https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke~~

~~With the latter method, we could set the opiton use_auth_provider:true and avoid setting environment variables.~~

~~Am I correct in understanding that in the former method, there is no option to configure whether to use auth-plugin, so there is no other way than to set an environment variable?~~

Sorry, I thought I had to enable the GCP auth plugin. Sorry for the confusion.

junjunjunk avatar Jun 03 '22 04:06 junjunjunk

I have the same problem. This is my .yml:

apiVersion: kubeflow.org/v1 kind: TFJob metadata: name: multi-worker spec: cleanPodPolicy: None tfReplicaSpecs: Worker: replicas: 3 restartPolicy: OnFailure template: spec: containers: - name: tensorflow image: mnist args: - --epochs=4 - --steps_per_epoch=100 - --per_worker_batch=64 - --saved_model_path=gs://gwiklabs-gcp-01-f90cda69125e-bucket/saved_model_dir - --checkpoint_path=gs://gwiklabs-gcp-01-f90cda69125e-bucket/checkpoints

avelez93 avatar Jun 09 '22 07:06 avelez93

@junjunjunk When using https://github.com/google-github-actions/get-gke-credentials to generate a kubeconfig, it does not use the auth plugin unless use_auth_provider:true is set.

bharathkkb avatar Jun 14 '22 18:06 bharathkkb

@bharathkkb Thank you!

junjunjunk avatar Jun 20 '22 04:06 junjunjunk

~I find this really hard as I do have the env var set to true in my local GCE VM but it stills warns me and I have the latest gcloud cli installed.~

For some reason the export command wasn't being picked up and now it is. It works.

ernani avatar Jul 18 '22 23:07 ernani

@bharathkkb @junjunjunk

      - name: "Auth to GCP exist env"
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
      - name: "Set up Cloud SDK"
        uses: google-github-actions/setup-gcloud@v0
        with:
          install_components: 'gke-gcloud-auth-plugin'
      - name: "Connect to cluster"
        uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: keptn-test
          location: europe-west3-c
          project_id: sap-artifactory-dev
          use_auth_provider: true

Test output:

W0730 08:58:38.810648    1808 gcp.go:1[20](https://github.com/Moon1706/test/runs/7590470365?check_suite_focus=true#step:7:21)] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
NAME              STATUS   AGE
default           Active   5d2h
keptn             Active   3d
kube-node-lease   Active   5d2h
kube-public       Active   5d2h
kube-system       Active   5d2h
monitoring        Active   3d

Are you sure that your approach works?

Moon1706 avatar Jul 30 '22 09:07 Moon1706

@Moon1706 I think you should delete use_auth_provider: true. This opitons enables gcp auth plugin, which is deperecated in v1.22+.

junjunjunk avatar Jul 31 '22 16:07 junjunjunk

I am also encountering this. I believe it is the helm binary that we are using in our deploy step that is producing this error. Since helm is being installed out of the box along with the official setup-gcloud action (I presume? I don't know where else it would be coming from), this definitely seems like a bug in the action itself and not a usage error.

We should be able to use the version of helm that is installed by setup-gcloud without seeing this warning.

sml-virta avatar Sep 21 '22 17:09 sml-virta

I having a related issue with this in my CI when running Composer commands to delete AirFlow DAGs:

image

The deletion of the DAG from storage works, but I guess the command to delete the DAG from AirFlow's UI requires kubectl. Any indication of what to try next would be great!

runs-on: ubuntu-latest
 steps:
 - uses: 'actions/checkout@v3'

 - id: 'auth'
   uses: 'google-github-actions/auth@v1'
   with:
     credentials_json: '${{ secrets.dev }}'

 - name: 'Set up Cloud SDK'
   uses: 'google-github-actions/[email protected]'
   with:
     install_components: 'gke-gcloud-auth-plugin'
   
 - name: 'Delete DAG'
   run: |
     gcloud composer environments storage dags delete \
     --environment MY_ENV \
     --location europe-west2 \
     "test_dag"
     
     gcloud composer environments run MY_ENV \
     --location europe-west2 \
     dags delete -- "teset_dag"

James-DBA-Anderson avatar Dec 19 '22 12:12 James-DBA-Anderson

@James-DBA-Anderson , see this doc. It should explain what's changed and needed.

twistedpair avatar Dec 19 '22 13:12 twistedpair

Thanks @twistedpair, I was already using install_components: 'gke-gcloud-auth-plugin' in my setup cloud SDK step and after reading that doc I have added the following to the top of my yaml:

env: USE_GKE_GCLOUD_AUTH_PLUGIN: True

This works locally, but results in the following error in CI:

image

I can't see anything else that I should be trying from that doc.

James-DBA-Anderson avatar Dec 19 '22 14:12 James-DBA-Anderson

env: USE_GKE_GCLOUD_AUTH_PLUGIN: True

@James-DBA-Anderson I think you should use true instead of True. It's not Python but YAML 😄

mai-nakagawa avatar Dec 20 '22 02:12 mai-nakagawa

Hello 👋

I've created a simple GitHub Action to install gke-gcloud-auth-plugin. This means if users are not using gcloud to anything on your Github Actions workflows (i.e only interacting with kubectl), you can cut down quite a lot of time/resources on each run.

I'll try to keep users of simenandre/setup-gke-gcloud-auth-plugin updated on using gke-gcloud-auth-plugin with GitHub Actions as we go.

To get started, drop this in your workflow:

- uses: simenandre/setup-gke-gcloud-auth-plugin@v1

Example when using with google-github-actions/auth:

- name: Authenticate to GCP 🔒
  uses: google-github-actions/auth@v0
  with:
    workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ secrets.SERVICE_ACCOUNT }}

- uses: simenandre/setup-gke-gcloud-auth-plugin@v1

Feel free to open issues and PRs here: https://github.com/simenandre/setup-gke-gcloud-auth-plugin

simenandre avatar May 13 '23 11:05 simenandre