Proper way to connect to a GKE cluster in production.

[ginokurian87]

Describe the bug
I've been running around in circles trying to connect to GKE and get it working properly. Here are the steps that i did for the same.
I'm trying to connect to a GKE cluster from outside of the GCP env. For this i created a service account and downloaded the key.
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to the above key.
Also ran the gcloud container clusters get-credentials......... command locally to generate the config files.
Then wrote a sample java app based in the examples like below:

   GoogleCredentials.getApplicationDefault(); //so that the token is refreshed automatically
        KubeConfig.registerAuthenticator(new GCPAuthenticator());
        ApiClient client = Config.defaultClient();
        // if you prefer not to refresh service account token, please use:
        // ApiClient client = ClientBuilder.oldCluster().build();
        Configuration.setDefaultApiClient(client);
        CoreV1Api api = new CoreV1Api();
        V1PodList list =
                api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null, null);
        for (V1Pod item : list.getItems()) {
            System.out.println(item.getMetadata().getName());
        }

    }

When i run the code, for the first time it works well. However after(persumably!) the token refresh, i get the following error :

Exception in thread "main" java.lang.IllegalStateException: Unimplemented
	at io.kubernetes.client.util.authenticators.GCPAuthenticator.refresh(GCPAuthenticator.java:61)
	at io.kubernetes.client.util.KubeConfig.getAccessToken(KubeConfig.java:215)
	at io.kubernetes.client.util.credentials.KubeconfigAuthentication.<init>(KubeconfigAuthentication.java:57)
	at io.kubernetes.client.util.ClientBuilder.kubeconfig(ClientBuilder.java:297)
	at io.kubernetes.client.util.ClientBuilder.getClientBuilder(ClientBuilder.java:129)
	at io.kubernetes.client.util.ClientBuilder.standard(ClientBuilder.java:105)
	at io.kubernetes.client.util.ClientBuilder.standard(ClientBuilder.java:100)

It works If i do any kubectl operation in my local and then retry. Is this because of ISSUE-290?

All of the above hacks works in the local system, but whet would be the correct approach in prod? Do we have a err...less hacky way of connecting and staying connected to the GKE cluster ?

[brendandburns]

There's no better option today. Changing this to enable refresh requires improving the Authentication interface in the code generator to support dynamic refresh.

[yliaog]

java/util/src/main/java/io/kubernetes/client/util/authenticators/GCPAuthenticator.java

Line 61 in f207882

throw new IllegalStateException("Unimplemented");

refresh is not implemented. a less hacky way is to implement it similar to

java/util/src/main/java/io/kubernetes/client/util/authenticators/AzureActiveDirectoryAuthenticator.java

Line 58 in f207882

public Map<String, Object> refresh(Map<String, Object> config) {

[k8s-triage-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.