test-infra

Deprecate using `gencred` and switch to using Google principals to authenticate to GKE clusters

Open upodroid opened this issue 3 years ago • 8 comments

The new gke auth plugin doesn't store access tokens in the kubeconfig file.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: SOME CERT
    server: https://34.90.233.66
  name: gke_mahamed_europe-west4_dev
contexts:
- context:
    cluster: gke_mahamed_europe-west4_dev
    user: gke_mahamed_europe-west4_dev
  name: gke_mahamed_europe-west4_dev
current-context: gke_mahamed_europe-west4_dev
kind: Config
preferences: {}
users:
- name: gke_mahamed_europe-west4_dev
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
      provideClusterInfo: true

The in-tree gcp plugin used to do the following, which wasn't great.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: SOME CERT
    server: https://34.90.233.66
  name: gke_mahamed_europe-west4_dev
contexts:
- context:
    cluster: gke_mahamed_europe-west4_dev
    user: gke_mahamed_europe-west4_dev
  name: gke_mahamed_europe-west4_dev
current-context: gke_mahamed_europe-west4_dev
kind: Config
preferences: {}
users:
- name: gke_mahamed_europe-west4_dev
  user:
    auth-provider:
      config:
        access-token: REDACTED
        cmd-args: config config-helper --format=json
        cmd-path: /Users/REDACTED/google-cloud-sdk/bin/gcloud
        expiry: "2022-11-30T15:48:48Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

Related to https://github.com/kubernetes/test-infra/issues/27896

/sig testing
/sig k8s-infra

upodroid avatar Nov 30 '22 15:11 upodroid
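An added example, not part of the issue or of test-infra's code: a check that reports, for each user entry in a kubeconfig, whether it authenticates through an `exec` plugin or through the legacy `auth-provider` stanza, and whether a token is stored in the file. It is a line-oriented scan that assumes the block-style YAML kubectl writes; the sample, its user names and `audit_kubeconfig` are constructed for illustration.

```python
import re
# Constructed sample modelled on the two layouts in the issue; placeholder token.
SAMPLE = """\
apiVersion: v1
users:
- name: legacy-user
  user:
    auth-provider:
      config:
        access-token: PLACEHOLDER_TOKEN
        expiry: "2022-11-30T15:48:48Z"
      name: gcp
- name: plugin-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      provideClusterInfo: true
"""

# indent, optional list dash, key, value
KEY_VALUE = re.compile(r"^(\s*)(- )?([\w.-]+):\s*(.*)$")

def audit_kubeconfig(text):
    """Return one finding per user entry: auth method and whether a token is stored."""
    findings, current, in_users = [], None, False
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue
        indent, dash, key, value = m.groups()
        value = value.strip().strip("'\"")
        if not indent and not dash:          # top-level key: track the users section
            in_users = key == "users"
            continue
        if not in_users:
            continue
        if dash and key == "name":           # start of a new user entry
            current = {"user": value, "method": "other", "stored_token": False}
            findings.append(current)
        elif current is None:
            continue
        elif key in ("exec", "auth-provider"):
            current["method"] = key
        elif key in ("access-token", "token") and value:
            current["stored_token"] = True   # credential material written to disk
        elif key == "command":
            current["command"] = value
    return findings
```
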

cc @chaodaiG @cjwagner

ameukam avatar Nov 30 '22 18:11 ameukam

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Feb 28 '23 19:02 k8s-triage-robot

/priority important-longterm

upodroid avatar Mar 14 '23 11:03 upodroid

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Apr 13 '23 12:04 k8s-triage-robot

@upodroid [edit: is this] still important with the migration? (not sure what we settled on in k8s-infra)

BenTheElder avatar Jul 26 '24 18:07 BenTheElder

It is important. Argo is configured to access clusters using the gke-auth plugin, and we want prow to do the same as well.

upodroid avatar Jul 26 '24 20:07 upodroid

/lifecycle stale

k8s-triage-robot avatar Oct 24 '24 21:10 k8s-triage-robot

/lifecycle rotten

k8s-triage-robot avatar Nov 23 '24 21:11 k8s-triage-robot

fresh

upodroid avatar Sep 02 '25 21:09 upodroid