https://github.com/bolcom/gke-exec-credential
A small exec helper for K8S to automatically retrieve and refresh access tokens from gcloud
- Host: GitHub
- URL: https://github.com/bolcom/gke-exec-credential
- Owner: bolcom
- License: apache-2.0
- Created: 2021-04-06T10:52:00.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2021-04-15T07:51:27.000Z (about 5 years ago)
- Last Synced: 2025-10-27T20:49:06.271Z (8 months ago)
- Topics: gcp, google-cloud, k8s, kubernetes
- Language: Rust
- Homepage:
- Size: 9.77 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.MD
- License: LICENSE
README
# gke-exec-credential
## What is it?
It is a small external exec provider for Kubernetes that delegates getting and refreshing the access token to the `gcloud` command-line tool.
Normally `kubectl` already refreshes tokens automatically, but third-party clients and libraries don't typically support all the various auth flows that you may have specified in your K8S config file. The `exec` flow seems to be well-supported (e.g. by the fabric8.io kubernetes-client for Java) and this is a bridge between that and Google's cloud.
## How to build
* Install Rust via [rustup](https://rustup.rs/).
* Clone this repo
* `cargo build --release`
* The binary is `target/release/gke-exec-credential`
## Installation
In your `~/.kube/config` file, set up your K8S context like so:
```yaml
- context:
    cluster: my-fancy-k8s-cluster
    namespace: default
    user: gke
```
Then, add the `gke` user like so:
```yaml
users:
- name: gke
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /path/to/gke-exec-credential
```
A file called `gke-exec-credential-cached`, holding the cached gcloud access token, is created in the folder where the `gke-exec-credential` binary is located. It is refreshed automatically.
## Details
The implementation is based on [this](https://github.com/jglick/gke-exec-credential) credential helper, but adds a simple cache to avoid having to refresh the token on every call. Normally `ExecCredentials` are also cached until the client process exits, but this is not really suitable for a command-line workflow where the process exits after every invocation.
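
The caching described above, as an added Rust example that is not this project's code: the cache file is created owner-only because it holds a bearer token, and the token is reused until shortly before it expires. The two-line cache format, the 60-second margin, and the `fetch` closure standing in for the call to `gcloud` are assumptions made for this example.

```rust
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;
use std::time::{SystemTime, UNIX_EPOCH};

// Assumed cache layout (not the project's): line 1 = expiry in Unix seconds, line 2 = token.
const SKEW_SECS: u64 = 60; // assumed margin: refresh before the token expires in flight

fn now() -> u64 { SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() }

/// Write the cache so that only the owning user can read the bearer token.
fn store(path: &Path, token: &str, expiry: u64) -> std::io::Result<()> {
    let mut f = OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(path)?;
    // mode() applies only when the file is created; tighten a pre-existing file before writing.
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    writeln!(f, "{}\n{}", expiry, token)
}

/// Return the cached token if it is still valid at `now`, otherwise None.
fn load(path: &Path, now: u64) -> Option<String> {
    let text = fs::read_to_string(path).ok()?;
    let mut lines = text.lines();
    let expiry: u64 = lines.next()?.parse().ok()?;
    let token = lines.next()?.to_string();
    if expiry > now + SKEW_SECS { Some(token) } else { None }
}

/// Serve from the cache, or call `fetch` (stand-in for running gcloud) and cache its result.
fn token_for(path: &Path, now: u64, fetch: impl FnOnce() -> (String, u64)) -> std::io::Result<String> {
    if let Some(token) = load(path, now) {
        return Ok(token);
    }
    let (token, expiry) = fetch();
    store(path, &token, expiry)?;
    Ok(token)
}

/// ExecCredential JSON the plugin prints on stdout (token assumed to need no JSON escaping).
fn exec_credential(token: &str) -> String {
    format!(r#"{{"apiVersion":"client.authentication.k8s.io/v1beta1","kind":"ExecCredential","status":{{"token":"{}"}}}}"#, token)
}

fn main() -> std::io::Result<()> {
    let path = std::env::temp_dir().join("exec-credential-cache-demo"); // constructed path
    let token = token_for(&path, now(), || ("constructed-sample-token".to_string(), now() + 3600))?;
    println!("{}", exec_credential(&token));
    Ok(())
}
```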