I am writing a Go binary that will run on my local machine. I wish to authenticate with the Kubernetes API for a GKE cluster. How can I get a client key and certificate?
(Note that a Kubernetes service account does not seem appropriate because my binary does not itself run on the cluster. And I do not want to have to install gcloud locally because I may want to distribute my binary to others, so I cannot use the gcloud auth helper flow.)
You can't get it from GKE because GCP doesn't expose the CA key for you to create client certificate/key pairs for you to authenticate with the cluster. That key lives in the Kubernetes master(s) and GKE doesn't give you direct access to them (they manage them). I recommend you use a token.
Check my other answer with more details. Basically, create a ServiceAccount and bind it to a Role or ClusterRole (RBAC). You can actually authenticate outside your cluster using a token tied to a ServiceAccount.