GoogleCloudPlatform / k8s-multicluster-ingress

kubemci: Command line tool to configure L7 load balancers using multiple kubernetes clusters
Apache License 2.0

Do not require application-default credentials #154

Open ahmetb opened 6 years ago

ahmetb commented 6 years ago

Do not require this command:

 gcloud auth application-default login

There are a lot of tools that depend on gcloud credentials that work without requiring this.

The way they do it is to run

 gcloud config config-helper --format=json

and parse the token from there directly. This is also how kubectl authenticates to GKE.

This step (1) is unnecessary, (2) interferes with the user's current ADC config, (3) creates a side effect on the user's system, and (4) makes the kubemci tutorial longer. Please consider changing soon, or I may send a patch.

nikhiljindal commented 6 years ago

Thanks for filing this issue @ahmetb

A patch will be most welcome :) Note that it will have to be this week to make it in 0.4

ahmetb commented 6 years ago

I tried, it seems nontrivial. You likely need to specify a custom oauth2.TokenSource to all googleapi clients.

G-Harmon commented 6 years ago

Is this a Beta blocker?

ahmetb commented 6 years ago

Shouldn't be. But I have reason to think it should be doable fairly easily. Projects like container-builder-local or kubectl's gcp auth plugin use it. So there's a fair amount of golang code in this space.

This code execs out to gcloud to get a token: https://github.com/kubernetes/client-go/blob/88e8ea169afa2918712ce2bc64fc1e2d11d72b12/plugin/pkg/client/auth/gcp/gcp.go#L277-L291

Then you should be able to use the client constructor/options to give a custom token source to the auto-generated clients.
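
The approach described in the comment above, as an added example that is not part of the original thread or of kubemci: a Go token cache that runs gcloud config config-helper --format=json and reads credential.access_token and credential.token_expiry from its output. The type name gcloudTokens and its run hook are assumptions made for illustration; only the standard library is used, so turning it into an oauth2.TokenSource means having Token() return an *oauth2.Token built from the same two fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"sync"
	"time"
)

// gcloudTokens (hypothetical name) caches the token in memory only, never on
// disk, and re-runs the helper when the token is within a minute of expiry.
type gcloudTokens struct {
	mu     sync.Mutex
	run    func() ([]byte, error) // injectable so tests need no gcloud
	token  string
	expiry time.Time
}

func execGcloud() ([]byte, error) {
	return exec.Command("gcloud", "config", "config-helper", "--format=json").Output()
}

func (g *gcloudTokens) Token() (string, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.token != "" && time.Until(g.expiry) > time.Minute {
		return g.token, nil
	}
	raw, err := g.run()
	if err != nil {
		return "", fmt.Errorf("running gcloud: %w", err)
	}
	var out struct { // only the fields used from the helper's JSON
		Credential struct {
			AccessToken string    `json:"access_token"`
			TokenExpiry time.Time `json:"token_expiry"` // RFC 3339
		} `json:"credential"`
	}
	if err := json.Unmarshal(raw, &out); err != nil || out.Credential.AccessToken == "" {
		return "", fmt.Errorf("no access token in config-helper output (parse error: %v)", err)
	}
	g.token, g.expiry = out.Credential.AccessToken, out.Credential.TokenExpiry
	return g.token, nil
}

func main() {
	_, err := (&gcloudTokens{run: execGcloud}).Token() // never log the token itself
	fmt.Println("token fetched:", err == nil)
}
```

gcloud is resolved through PATH here, so the token is only as trustworthy as the binary that PATH resolves to.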

nikhiljindal commented 6 years ago

Yes, if possible, we will try to get it in. Not a blocker.

lpellegr commented 5 years ago

Just wasted some time due to this requirement. If the command gcloud auth application-default login is not used, then kubemci fails with an error similar to the following:

 E0416 21:51:43.392608 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }
 E0416 21:51:44.494521 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }
 E0416 21:51:45.986165 18465 gce.go:860] error fetching initial token: oauth2: cannot fetch token: 400 Bad Request Response: { "error": "invalid_grant", "error_description": "Bad Request" }