gcp automatic default credentials #394
Conversation
This rubocop violation feels a bit too strict for me |
|
Looks great! 👏 |
lib/kubeclient/config.rb
Outdated
| options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts) | ||
| if user.key?('token') | ||
| options[:bearer_token] = user['token'] | ||
| elsif user.key?('exec') |
There was a problem hiding this comment.
Moved exec above the gcp check in anticipation of its future release (though I can't seem to track down anything concrete about this). Might be unnecessary future-proofing but I don't see the harm here
remove hidden file test + mocha + gcp rubocop cleanup
cben
force-pushed
the
gcp_default_auth
branch
from
ebfe94b to
0e0b596
Compare
|
rebased to solve conflict, fixed some indentation, force-pushed your branch. rubocop warns "Lint/InheritException: Inherit from RuntimeError instead of LoadError." |
rubocop warns "Lint/InheritException: Inherit from RuntimeError instead of LoadError." Check introduced rubocop/rubocop#3427, motivation seems to be that default `rescue` copes with StandardError and won't catch this (and specific preference for RuntimeError is just that's a safer change rubocop/rubocop#3127 (comment)). Since this was LoadError before, nothing changes and this is OK.
|
Thanks LGTM 💯 I just pushed an update to the README, can you please review that? |
|
cc @jeremywadsack, if you still care about gcp, please review (at least the README) |
| #### Google's Application Default Credentials | ||
|
|
||
| On Google Compute Engine, Google App Engine, or Google Cloud Functions, as well as `gcloud`-configured systems | ||
| with [application default credentials](https://developers.google.com/identity/protocols/application-default-credentials), |
There was a problem hiding this comment.
Can we claim all these 4 scenarios (GCE, AppEngine, Functions, gcloud) should work out of the box?
I wasn't sure so wrote "if ... kubeconfig file has user: {auth-provider: {name: gcp}}" to be safe...
There was a problem hiding this comment.
All those systems are documented by Google to include application default credentials.
If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services.
https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application
There was a problem hiding this comment.
FYI, I think the link above should be updated to this: https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application (which is where it redirects)
README.md
Outdated
| ``` | ||
|
|
||
| Note that this returns token good for one hour. If your code runs for longer than that, you should plan to | ||
| acquire a new one. |
There was a problem hiding this comment.
Q: how do you acquire a new one, in the automagic Config gcp scenario?
Calling .context again will do this, right?
There was a problem hiding this comment.
Call Kubeclient::GoogleApplicationDefaultCredentials.token again.
I think we've discussed before that kubeclient doesn't have any support for renewing tokens. Is that something that's now covered with exec functionality?
There was a problem hiding this comment.
Calling .context will generate a new token, since it will end up calling Kubeclient::GoogleApplicationDefaultCredentials.token, as Jeremy points out. I think the farthest we should go in that direction is to capture the error, if possible, and let the caller handle it.
|
@timothysmith0609 @cben I'm really glad to see this change. I think that having the gem "just work" in many environments makes it easier for people to use. It helps people get started with the gem and then they can tune more if they need to. Tangentially, I would suggest that we configure this to "just work" inside a Kubernetes cluster. That is detect and implement the code in the README section "Inside a Kubernetes Cluster" when no other authorization is provided. |
That sounds like a good idea. Looking at how client-go implements rest.InClusterConfig, looks like we can just lift that wholesale. In fact, that's pretty much what I've seen most apps doing (unsurprisingly). I propose to push that work out to a separate issue, however, and keep this change squarely scoped to just the gcp change. I think adding the in-cluster ability as a new method on |
Co-Authored-By: timothysmith0609 <31742287+timothysmith0609@users.noreply.github.com>
|
@cben README changes seem good to me (made a minor edit for clarity re: LoadError). Are there any outstanding concerns? As mentioned above, @jeremywadsack 's suggestion to provide a simple mechanism for in-cluster config is a good idea (and the next logical step); let's push that out into the next issue. |
|
@timothysmith0609 Agree that in-cluster should be a separate PR. For reference see also our gem that implements this (in ruby): https://github.com/keylimetoolbox/resque-kubernetes/blob/v2.0.0/lib/resque/kubernetes/context/well_known.rb And yes, we should do this as a last resort. If there's a provided configuration use that; if not, check for GCP; final step is to check for in-cluster. |
|
Hi, was sick for a few days, thanks for the polish 😄 |
|
released in gem 4.3.0. |
Follow-up of #392
googleauthgem isn't present on the importing application.cc @cben