gke: use dedicated token retriever

karmab · Jun 25, 2023 · e8ba3d2 · e8ba3d2
1 parent 7609bf9
commit e8ba3d2
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 2 deletions.
diff --git a/kcli.spec b/kcli.spec
@@ -59,6 +59,7 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{_bindir}/ksushy
 %attr(0755,root,root) %{_bindir}/ignitionmerger
 %attr(0755,root,root) %{_bindir}/ekstoken
+%attr(0755,root,root) %{_bindir}/gketoken
 
 
 %changelog

diff --git a/kvirt/cluster/gke/__init__.py b/kvirt/cluster/gke/__init__.py
@@ -211,7 +211,6 @@ def create(config, cluster, overrides, dnsconfig=None):
         get_kubeconfig(config, cluster, zonal=zonal)
         sleep(5)
     success(f"Kubernetes cluster {cluster} deployed!!!")
-    info2(f"export GOOGLE_APPLICATION_CREDENTIALS={os.environ['GOOGLE_APPLICATION_CREDENTIALS']}")
     info2(f"export KUBECONFIG=$HOME/.kcli/clusters/{cluster}/auth/kubeconfig")
     info2("export PATH=$PWD:$PATH")
     return {'result': 'success'}

diff --git a/kvirt/cluster/gke/kubeconfig.j2 b/kvirt/cluster/gke/kubeconfig.j2
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Config
 current-context: my-cluster
 contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
-users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
+users: [{name: user-1, user: {exec: {apiVersion: client.authentication.k8s.io/v1beta1, args: [prueba_gke], command: gketoken, interactiveMode: Never}}}]
 clusters:
 - name: cluster-1
   cluster:

diff --git a/kvirt/gketoken.py b/kvirt/gketoken.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# coding=utf-8
+
+# import base64
+from kvirt.config import Kconfig
+import os
+import json
+import sys
+import google.auth
+import google.auth.transport.requests
+
+
+def cli():
+    if len(sys.argv) != 2:
+        print("Usage gketoken $client")
+        sys.exit(1)
+    client = sys.argv[1]
+    config = Kconfig(client)
+    os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = os.path.expanduser(config.options.get('credentials'))
+    credentials, your_project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
+    auth_req = google.auth.transport.requests.Request()
+    credentials.refresh(auth_req)
+    token = credentials.token
+    # encoded = base64.urlsafe_b64encode(data.encode("utf-8"))
+    # token = encoded.decode("utf-8").rstrip("=")
+    result = {'apiVersion': 'client.authentication.k8s.io/v1beta1', 'kind': 'ExecCredential', 'spec': {},
+              'status': {'expirationTimestamp': '2030-10-01T15:05:17Z', 'token': token}}
+    print(json.dumps(result))
+
+
+if __name__ == '__main__':
+    cli()
diff --git a/setup.py b/setup.py
@@ -54,5 +54,6 @@
         ksushy=kvirt.ksushy.main:run
         ignitionmerger=kvirt.ignitionmerger:cli
         ekstoken=kvirt.ekstoken:cli
+        gketoken=kvirt.gketoken:cli
     ''',
 )