github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 12:15:52 +00:00
Code Issues Projects Releases Wiki Activity

configurable scopes for gcp default credentials

Browse Source 
- add config.scopes field comma-separated scope URLs, to be used with Google
  Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- default scopes now include userinfo.email scope so the headless app with
  gserviceaccount keys can have RoleBindings with email instead of account ID.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
This commit is contained in:
Ahmet Alp Balkan 2017-12-19 00:14:57 -08:00
parent 8d24ce1137
commit e19dc6a868
No known key found for this signature in database
GPG Key ID: 5C02521D7B216AD6
1 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
staging/src/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go
View File

@ -55,6 +55,14 @@ var execCommand = exec.Command
// "name": "gcp",
//
// 'config': {
// # Authentication options
// # These options are used while getting a token.
//
// # comma-separated list of GCP API scopes. default value of this field
// # is "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".
// # to override the API scopes, specify this field explicitly.
// "scopes": "https://www.googleapis.com/auth/cloud-platform"
//
// # Caching options
//
// # Raw string data representing cached access token.
@ -102,6 +110,9 @@ func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restcli
if len(cmd) == 0 {
return nil, fmt.Errorf("missing access token cmd")
}
if gcpConfig["scopes"] != "" {
return nil, fmt.Errorf("scopes can only be used when kubectl is using a gcp service account key")
}
var args []string
if cmdArgs, ok := gcpConfig["cmd-args"]; ok {
args = strings.Fields(cmdArgs)
@ -112,7 +123,17 @@ func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restcli
}
ts = newCmdTokenSource(cmd, args, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
} else {
ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
var scopes []string
if gcpConfig["scopes"] != "" {
scopes = strings.Split(gcpConfig["scopes"], ",")
} else {
// default scopes: userinfo.email is used to authenticate to
// GKE APIs with gserviceaccount email instead of numeric uniqueID.
scopes = []string{
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/userinfo.email"}
}
ts, err = google.DefaultTokenSource(context.Background(), scopes...)
}
if err != nil {
return nil, err