Authorizing to Kubernetes on Google Container Engine without gcloud SDK from Jenkins

3/22/2017

I'm trying to set up a continuous integration job that will deploy to Kubernetes / Google Container Engine from a Jenkins job. The Jenkins server is relatively tightly controlled, so I'm not able to install plugins.

I have a JSON key file for a server account from Google Cloud IAM.

I'm currently trying to download the google cloud sdk and auth from there, but am not having any luck (this is from a Jenkinsfile):

sh 'export KUBECONFIG=$(pwd)/.kubeconfig'
sh 'export GOOGLE_APPLICATION_CREDENTIALS=$JSON'
sh 'google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=$JSON'
sh 'google-cloud-sdk/bin/gcloud config set core/project proj-1'
sh 'google-cloud-sdk/bin/gcloud container clusters list'
sh 'google-cloud-sdk/bin/gcloud container clusters get-credentials clust-1 --zone us-east1-c'
sh 'kubectl get pods'

I'm getting the error message:

error: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

I will also need to be able to do a gcloud docker push, so using gcloud is ok.

-- Patrick White
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

3/22/2017

There's a cryptic GitHub issue around this behavior:

https://github.com/kubernetes/kubernetes/issues/30617

According to that issue, everything I've been doing should work:

Previously, gcloud would have configured kubectl to use the cluster's static client certificate to authenticate. Now, gcloud is configuring kubectl to use the service account's credentials.

Kubectl is just using the Application Default Credentials library, and it looks like this is part of the ADC flow for using a JSON-key service account. I'll see if there is a way that we could make this nicer.

If you don't want to add the export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json" to your flow, you can reenable the old way (use the client cert) by setting the cloudsdk container/use_client_certificate property to true. Either:

gcloud config set container/use_client_certificate True

or

export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True

I was using the GOOGLE_APPLICATION_CREDENTIALS variable, but alas, it was not working. I tried the "gcloud config set" option up above, but that also didn't work. Finally, I used the env variable CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE and that actually finally did work.

-- Patrick White
Source: StackOverflow
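
Added example, not part of the original question or answer: each `sh` step in a Jenkinsfile runs in its own shell process, so the `export` lines in the question's first two steps are no longer in the environment when later steps run `gcloud` and `kubectl`. The function below keeps the whole sequence in one shell and holds the gcloud state and kubeconfig in a per-job temporary directory that is removed on exit. The script name and the `GCLOUD`, `GKE_PROJECT`, `GKE_CLUSTER`, `GKE_ZONE` and `USE_CLIENT_CERT` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Call it from ONE Jenkins step,
# e.g.  sh '. ./gke-deploy.sh && gke_deploy "$JSON"'  (file name is made up).
# Each `sh` step starts a new shell, so an `export` made in one step is gone
# in the next; here every variable lives in the same process as kubectl.

# GCLOUD, GKE_PROJECT, GKE_CLUSTER, GKE_ZONE and USE_CLIENT_CERT are
# hypothetical knobs; the defaults are the values used in the question.
gke_deploy() (
    key_file=$1
    gcloud_bin=${GCLOUD:-google-cloud-sdk/bin/gcloud}
    [ -r "$key_file" ] || { echo "key file not readable: $key_file" >&2; exit 2; }

    umask 077                          # kubeconfig and tokens: owner-only
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT         # leave no credentials on the agent

    export CLOUDSDK_CONFIG="$work/gcloud"      # private gcloud state dir
    export KUBECONFIG="$work/kubeconfig"
    export GOOGLE_APPLICATION_CREDENTIALS="$key_file"   # read by kubectl (ADC)
    # Alternative from the quoted issue: use the cluster's client certificate.
    if [ "${USE_CLIENT_CERT:-0}" = 1 ]; then
        export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True
    fi

    rc=0
    {
        "$gcloud_bin" auth activate-service-account --key-file="$key_file" &&
        "$gcloud_bin" config set core/project "${GKE_PROJECT:-proj-1}" &&
        "$gcloud_bin" container clusters get-credentials \
            "${GKE_CLUSTER:-clust-1}" --zone "${GKE_ZONE:-us-east1-c}" &&
        kubectl get pods
    } || rc=$?
    exit "$rc"                         # EXIT trap removes $work
)
```

Because the body runs in a subshell, none of the exported variables or the `umask` change leak into later commands of the same Jenkins step.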