- add config.scopes field comma-separated scope URLs, to be used with Google
Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- default scopes now include userinfo.email scope so the headless app with
gserviceaccount keys can have RoleBindings with email instead of account ID.
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Kubernetes-commit: e19dc6a86830107bcb7a4a50c997bc8a396277b1
Fixes https://github.com/kubernetes/client-go/issues/327
Currently we're not capturing stderr when shelling out to "gcloud config
config-helper --format=json" fails. This patch is capturing the stderr in the
error message returned.
This gcloud command sometimes returns an upgrade reminder (in stderr) so using
`cmd.CombinedOutput()` is not an option here. Maybe we should also add an unit
test in gcp_test.go capturing this situation, too, in case someone decides to
replace this with CombinedOutput someday.
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
Kubernetes-commit: 1334523c73fea3b3d9d0e90f287b3e385c79e6cd
Specific use case is when utilizing multiple
gcp accounts, the user may provide credentials
for the wrong account.
This change ensures the incorrect credentials
are not cached in auth config, and logs an
appropriate message.
Kubernetes-commit: b92016769e30c541479e81d40dd3584e2f5aa822
This plugin acquires a fresh access token for apiserver from Azure Active
Directory using the device code flow. The access token is saved in the
configuration in order to be reused for upcomming accesses to appiserver.
In additon the access token is automatically refreshed when expired.
Kubernetes-commit: 682d5ec01f37c65117b2496865cc9bf0cd9e0902
This PR attempts to simplify the OpenID Connect client plugin to
reduce round trips. The steps taken by the client are now:
* If ID Token isn't expired:
* Do nothing.
* If ID Token is expired:
* Query /.well-known discovery URL to find token_endpoint.
* Use an OAuth2 client and refresh token to request new ID token.
This avoids the previous pattern of always initializing a client,
which would hit the /.well-known endpoint several times.
The client no longer does token validation since the server already
does this. As a result, this code no longer imports
github.com/coreos/go-oidc, instead just using golang.org/x/oauth2
for refreshing.
Kubernetes-commit: 6915f857574505a2cd2072c32d9d6da66ce6f55a
Specific use case is GKE users running gcloud/kubectl on Windows
with a cloud sdk installation path containing spaces. Also improving
test coverage using trick borrowed from exec_test.go
Kubernetes-commit: 995ecfe84ea92d77cac2921babbbe03f7c2e4967
