Merge pull request #81 from gjariv/gke-gcloud-auth-plugin

Update GKE Kubeconfig to use gke-cloud-auth-plugin
danielfoehrKn · Oct 30, 2023 · c755322 · c755322
2 parents d53d128 + 99834d0
commit c755322
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 24 deletions.
diff --git a/pkg/store/kubeconfig_store_gke.go b/pkg/store/kubeconfig_store_gke.go
@@ -288,30 +288,19 @@ func (s *GKEStore) GetKubeconfigForPath(path string) ([]byte, error) {
 		return nil, fmt.Errorf("cluster CA certificate not found for cluster=%s in project with ID %q", contextName, projectID)
 	}
 
-	authPluginConfig := make(map[string]string)
+	var args []string
 
 	// supply authentication information based on the configured auth option
 	if s.Config.GKEAuthentication == nil || *s.Config.GKEAuthentication.AuthenticationType == types.GcloudAuthentication {
-		// construct an AuthInfo that contains the same information if I would have uses `gcloud container clusters get-credentials`
-		authPluginConfig = map[string]string{
-			// "access-token": token.AccessToken,
-			// "expiry": token.Expiry.Format(time.RFC3339), // make sure has proper format
-			"cmd-path": gcloudBinaryPath,
-			"cmd-args": "config config-helper --format=json", // get the credentials
-			// "expiry-key": token.Expiry.Format(time.RFC3339),
-			"expiry-key": "{.credential.token_expiry}",
-			// "token-key": token.AccessToken,
-			"token-key": "{.credential.access_token}",
-		}
-
+		args = nil
 	} else if s.Config.GKEAuthentication != nil && *s.Config.GKEAuthentication.AuthenticationType == types.ServiceAccountAuthentication {
 		// using service accounts, the kubeconfig does not contain any client-credentials
-		// Instead, the the switch.sh script has to set the env variable GOOGLE_APPLICATION_CREDENTIALS=path/to/gsa-key.json
+		// Instead, the switch.sh script has to set the env variable GOOGLE_APPLICATION_CREDENTIALS=path/to/gsa-key.json
 		// on the shell session.
 		// This way, the gcp auth provider called by kubectl can discover the credentials via the env variable.
 		// see: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#environments-without-gcloud
-		authPluginConfig = map[string]string{
-			"scopes": "https://www.googleapis.com/auth/cloud-platform",
+		args = []string{
+			"--use_application_default_credentials",
 		}
 	}
 
@@ -341,10 +330,12 @@ func (s *GKEStore) GetKubeconfigForPath(path string) ([]byte, error) {
 			{
 				Name: contextName,
 				User: types.User{
-
-					AuthProvider: &types.AuthProvider{
-						Name:   "gcp",
-						Config: authPluginConfig,
+					ExecProvider: &types.ExecProvider{
+						APIVersion:         "client.authentication.k8s.io/v1beta1",
+						Args:               args,
+						Command:            "gke-gcloud-auth-plugin",
+						InstallHint:        "Install gke-gcloud-auth-plugin for use with kubectl by following\nhttps://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke",
+						ProvideClusterInfo: true,
 					},
 				},
 			},

diff --git a/types/type.go b/types/type.go
@@ -46,10 +46,12 @@ type ExecProvider struct {
 	// may reject unrecognized values.
 	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
 	// +optional
-	APIVersion string   `yaml:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
-	Args       []string `yaml:"args"`
-	Command    string   `yaml:"command"`
-	Env        []EnvMap `yaml:"env"`
+	APIVersion         string   `yaml:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
+	Args               []string `yaml:"args"`
+	Command            string   `yaml:"command"`
+	Env                []EnvMap `yaml:"env"`
+	InstallHint        string   `yaml:"installHint,omitempty"`
+	ProvideClusterInfo bool     `yaml:"provideClusterInfo,omitempty"`
 }
 
 type EnvMap struct {