kubernetes / client-go

Go client for Kubernetes.
Apache License 2.0

The gcp auth plugin has been removed #1220

Closed ucguy4u closed 4 months ago

ucguy4u commented 1 year ago

I am getting the following error:

"The gcp auth plugin has been removed.\Please use the \"gke-gcloud-auth-plugin\" kubectl/client-go credential plugin instead.\See https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke for further details"

Code snippet

func getK8sClusterConfigs(ctx context.Context, projectId string) (*api.Config, error) {
    svc, err := container.NewService(ctx)
    if err != nil {
        return nil, fmt.Errorf("container.NewService: %w", err)
    }

    // Basic config structure
    ret := api.Config{
        APIVersion: "v1",
        Kind:       "Config",
        Clusters:   map[string]*api.Cluster{},  // Clusters is a map of referencable names to cluster configs
        AuthInfos:  map[string]*api.AuthInfo{}, // AuthInfos is a map of referencable names to user configs
        Contexts:   map[string]*api.Context{},  // Contexts is a map of referencable names to context configs
    }

    // Ask Google for a list of all kube clusters in the given project.
    resp, err := svc.Projects.Zones.Clusters.List(projectId, "-").Context(ctx).Do()
    if err != nil {
        return nil, fmt.Errorf("clusters list project=%s: %w", projectId, err)
    }

    for _, f := range resp.Clusters {
        name := fmt.Sprintf("gke_%s_%s_%s", projectId, f.Zone, f.Name)
        cert, err := base64.StdEncoding.DecodeString(f.MasterAuth.ClusterCaCertificate)
        if err != nil {
            return nil, fmt.Errorf("invalid certificate cluster=%s cert=%s: %w", name, f.MasterAuth.ClusterCaCertificate, err)
        }
        // example: gke_my-project_us-central1-b_cluster-1 => https://XX.XX.XX.XX
        ret.Clusters[name] = &api.Cluster{
            CertificateAuthorityData: cert,
            Server:                   "https://" + f.Endpoint,
        }
        // Just reuse the context name as an auth name.
        ret.Contexts[name] = &api.Context{
            Cluster:  name,
            AuthInfo: name,
        }
        // GCP specific configuration; use cloud platform scope.
        ret.AuthInfos[name] = &api.AuthInfo{
            AuthProvider: &api.AuthProviderConfig{
                Name: "gcp",
                Config: map[string]string{
                    "scopes": "https://www.googleapis.com/auth/cloud-platform",
                },
            },
        }
    }

    return &ret, nil
}

Calling the function from the main function:

    kubeConfig, err := getK8sClusterConfigs(ctx, projectId)
    if err != nil {
        return err
    }

It is not working with k8s.io/client-go v0.26.0. It was working fine if I use 'go get k8s.io/client-go/tools/clientcmd@v0.25.5'. When I try downgrading the version, the Helm packages

    "helm.sh/helm/v3/pkg/action"
    "helm.sh/helm/v3/pkg/cli"

are upgrading the version from v0.25.5 to v0.26.0:

    go get k8s.io/client-go/tools/clientcmd@v0.25.5
    go get k8s.io/cloud-provider-gcp/pkg/clientauthplugin/gcp@bb1acae5826dc877953d4854faf414e860db2efa

I want to connect to GKE using Application Default Credentials (ADC) and fetch the k8s resources and installed helm releases.

lucetre commented 1 year ago

Hi, do you have any solution for this issue?

ucguy4u commented 1 year ago

For now I have downgraded the helm version.

lucetre commented 1 year ago

Thanks @ucguy4u for your advice. Downgrading k8s.io/client-go from v0.26.0 to v0.25.5 seems to work well.

eahrend commented 1 year ago

Downgrading seems like a temporary fix, is there any long term solution?

ucguy4u commented 1 year ago

Hey eahrend, I skipped the authentication using ADC. I am running the application inside the GKE container, and by default it uses the default service account.

eahrend commented 1 year ago

Yeah, I'm trying to run my script from a GCF

ShubhamRasal commented 1 year ago

> Downgrading seems like a temporary fix, is there any long term solution?

Yeah, need some stable fix for it.

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

mayankshah1607 commented 9 months ago

Not sure if this was already resolved, but I found a solution after digging around a bit.

  1. Install gcloud and gke-gcloud-auth-plugin in the environment this code is running in, by following the instructions here: https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

     (For example, I run my client code in a container, so I just added a script to my Dockerfile to set this up.)

  2. Provide your GCP service account JSON to the environment this code runs in and run gcloud auth activate-service-account --key-file=<path>

  3. Update your code as follows:

// --snip--
  // GCP specific configuration; use cloud platform scope.
  ret.AuthInfos[name] = &api.AuthInfo{
      // Run the external credential plugin instead of the removed "gcp" auth provider.
      Exec: &api.ExecConfig{
          APIVersion:         "client.authentication.k8s.io/v1beta1",
          Command:            "gke-gcloud-auth-plugin",
          InstallHint:        "Install gke-gcloud-auth-plugin for use with kubectl by following https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke",
          InteractiveMode:    api.NeverExecInteractiveMode,
          ProvideClusterInfo: true,
      },
  }
// --snip--

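
What client-go needs back on stdout from `gke-gcloud-auth-plugin` under the `ExecConfig` above, as an added example that is not part of the original comment and is not client-go's own code. The type and function names, the expiry check, and the sample plugin output are assumptions made for illustration; only the bearer-token case is covered.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// execCredential models the ExecCredential JSON a credential plugin prints on stdout.
type execCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     *struct {
		Token               string     `json:"token"`
		ExpirationTimestamp *time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// checkExecCredential validates plugin stdout against the APIVersion set in
// ExecConfig and returns the bearer token (illustrative, hypothetical helper).
func checkExecCredential(stdout []byte, wantAPIVersion string, now time.Time) (string, error) {
	var c execCredential
	if err := json.Unmarshal(stdout, &c); err != nil {
		return "", fmt.Errorf("decode plugin output: %w", err)
	}
	if c.Kind != "ExecCredential" {
		return "", fmt.Errorf("unexpected kind %q", c.Kind)
	}
	if c.APIVersion != wantAPIVersion {
		return "", fmt.Errorf("configured %s, plugin returned %s", wantAPIVersion, c.APIVersion)
	}
	if c.Status == nil || c.Status.Token == "" {
		return "", errors.New("plugin returned no token")
	}
	if t := c.Status.ExpirationTimestamp; t != nil && !t.After(now) {
		return "", fmt.Errorf("token expired at %s", t.Format(time.RFC3339))
	}
	return c.Status.Token, nil
}

// Constructed sample output; the token is a placeholder, not a real credential.
const sampleOutput = `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1",
 "status":{"token":"PLACEHOLDER-TOKEN","expirationTimestamp":"2030-01-01T00:00:00Z"}}`

func main() {
	now := time.Date(2029, 12, 31, 23, 0, 0, 0, time.UTC)
	tok, err := checkExecCredential([]byte(sampleOutput), "client.authentication.k8s.io/v1beta1", now)
	fmt.Println(tok, err)
}
```

Running the real plugin by hand and feeding its output through a check like this separates a plugin or service-account problem from a kubeconfig problem.
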
k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 4 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes/client-go/issues/1220#issuecomment-1951703953):

>The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
>This bot triages issues according to the following rules:
>- After 90d of inactivity, `lifecycle/stale` is applied
>- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
>- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
>You can:
>- Reopen this issue with `/reopen`
>- Mark this issue as fresh with `/remove-lifecycle rotten`
>- Offer to help out with [Issue Triage][1]
>
>Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
>/close not-planned
>
>[1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.