Suggestion to enable modern ServiceAccount json configuration in gcloud plugin

[jandragsbaek]

Looking at /plugins/gcloud/app/controllers/gke_clusters_controller.rb#41, the CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE variable is hardcoded to True (ignoring any ENV currently set with the same name), which seems to be primarily be used for the P12 style of authenticating services to GCP.

The newer style embeds the certificate in a json file and needs to set this variable to False, in order for this to work. Or that seems to be the case for my experimentation.

Therefore I'd like to suggest allowing to set this via ENV. Default behaviour could be having this value set to true, in order to be backwards compatible with anyone using it.

Additionally, would it be possible to see an example on how it is recommended to embed (and enable) these kinds of credentials into the container? I'd love to see how you guys do it, as inspiration to better my own ways.

[grosser]

flag is coming from https://github.com/zendesk/samson/pull/2550 which has some vague details on why it was needed ... more details in https://github.com/kubernetes/kubernetes/issues/30617

Make a PR that sets it to whatever "GKE_CREDENTIALS_USE_CLIENT_CERTIFICATE" env var is set to. It's easy for any existing user to add that before deploying a new version.

... I'd prefer not to support/set it globally since there are lots of gcloud commands that it could impact ... unless that is what you want ... then the PR should add the flag to whitelist_env for all of them.

[grosser]

we now have https://github.com/zendesk/samson/pull/3307 which allows storing config in the database directly ... does this solve your issue too ? ... maybe we only need to add a little to make it work ?

/cc @KJTsanaktsidis @jonmoter

[grosser]

@KJTsanaktsidis said json keys are good .. so adding an extra column for that would be a good PR