Generate GCP tokens through cmd-path config
#410
Conversation
|
It's a bit sad Anyway, thanks 👍, generally looks sane, but I'm too tired to merge atm 😴 will revisit soon when I'm back from vacation. |
| if config.key?('cmd-path') | ||
| Kubeclient::GCPCommandCredentials.token(config) | ||
| else | ||
| Kubeclient::GoogleApplicationDefaultCredentials.token |
There was a problem hiding this comment.
In the interests of hardening, would you be opposed to adding retries here? We have begun observing intermittent Signet::RemoteServerError exceptions that, according to Google, we can/should retry on.
I don't think pushing up retryable errors to the caller is the right thing to do; we should handle them here and only throw once we've exhausted our retry limit.
Full error we observe:
"error": {
"code": 503,
"message": "The service is currently unavailable.",
"status": "UNAVAILABLE"
}
There was a problem hiding this comment.
@timothysmith0609 sounds like something that the googleauth gem should be dealing with, not kubeclient itself.
There was a problem hiding this comment.
You're absolutely right. It turns out googleauth does retry, but only when using the GCE node service account (no idea why that's the case). It looks like it should be possible to wrap the other case in their retry routine so I'll try to solve this upstream.
I have no clue :( all my knowledge on this space is due source diving and local testing. Would be awesome to have a person/channel on the k8s side of things to help explain these authentication strategies for client libraries. |
|
Sorry for delay. Re-read, looks good 👍. But remembered one requirement: And a related question (not merge blocker, but worth figuring out): what if Is there a Go reference implementation to compare? (Code-wise, you could "push up" the |
|
(Historical note: The specific way one opts out — constructing |
lucasmazza
force-pushed
the
gcp-cmd-token
branch
from
746499d to
4219e6e
Compare
This commit pushes the `Kubeclient::GoogleApplicationDefaultCredentials` implementation down to a `GCPAuthProvider` that handle both code paths of how to generate GCP tokens.
lucasmazza
force-pushed
the
gcp-cmd-token
branch
from
4219e6e to
61479b9
Compare
|
@cben thanks for the review, the code is now using the |
|
@cben thanks for the merge, let me know when you cut a new release so I can get shopify/kubernetes-deploy up to date with this ✨ |
This commit pushes the
Kubeclient::GoogleApplicationDefaultCredentialsimplementation down to aGCPAuthProviderthat handle both code paths of how to generate GCP tokens.Related to #210 (comment) and #210 (comment)
EDIT(cben): relevant docs in k8s Go source:
https://github.com/kubernetes/kubernetes/blob/v1.14.1/staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go#L58-L109