Support for GCP application default credentials #612

Closed
kozikow opened this issue Sep 21, 2016 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@kozikow
Contributor

kozikow commented Sep 21, 2016

When running on GKE, "application default credentials" allow me to talk to various GCP services like stackdriver, bigquery, etc. without manually managing .p12 or .json credential keys.

When running locally, the only option to access those credentials locally is to use "gcloud auth login", which populates data in ~/.config/gcloud. Acquiring those credentials requires browser interaction, so it can't be performed in the container. The only option is to share my "host" ~/.config with ~/.config inside containers.

I have it working locally, but in a very crude way:

  1. Share /home/kozikow/.config between host and minikube vm.
  2. hostPath /home/kozikow/.config in each pod. This forces me to use different .yaml in prod and minikube.
  3. mountPath in each container.

If minikube provided some way of avoiding the custom hostPath/mountPath, it would be easier to use GCP services from minikube.
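
The hostPath/mountPath workaround from the three steps above, written out as a pod manifest. This is an added example, not part of the original comment and not minikube's own configuration. The pod name, image, volume name and in-container mount path are hypothetical. The file name `application_default_credentials.json` and the assumption that the host directory is already shared into the minikube VM at the same path are also assumptions. It narrows the share to the `gcloud` subdirectory and mounts it read-only, so the container does not see the rest of `~/.config`.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: adc-demo                      # hypothetical name
spec:
  containers:
  - name: app
    image: example.invalid/app:dev    # placeholder image
    env:
    # Google client libraries check this variable first when resolving
    # application default credentials.
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/run/gcloud/application_default_credentials.json  # assumed file name
    volumeMounts:
    - name: gcloud-adc
      mountPath: /var/run/gcloud      # hypothetical in-container path
      readOnly: true                  # the container cannot modify host credentials
  volumes:
  - name: gcloud-adc
    hostPath:
      # Only the gcloud subdirectory, not all of ~/.config.
      # Assumes step 1: this host path is shared into the minikube VM.
      path: /home/kozikow/.config/gcloud
```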

@r2d4 r2d4 added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 21, 2016
@kozikow
Contributor Author

kozikow commented Sep 21, 2016

In general, a more principled solution for sharing a path between a host and container inside minikube would be nice. Besides .config I also share code for some containers (e.g. to avoid restarting django in minikube every time code changes).

@dlorenc
Contributor

dlorenc commented Sep 22, 2016

Hey @kozikow what OS/Driver combination are you using? We automatically mount in /Users on OSX, but we need to implement something similar for other platforms still.

@aaron-prindle
Contributor

aaron-prindle commented Jan 12, 2017

There is an addon being made to address this.
Closing this issue, look at #925 to track the status of this addon.

@cbraynor

I don't think these two issues are equivalent - unless I'm mistaken, this one is about application code inside a container having access to the application default credentials (e.g. to use google-cloud-go without any explicit initialization), whereas #925 is about k8s itself authorizing with ADC to pull containers from a user's private registry.

Can we open this issue back up? It would be magical to be able to run containers that rely on inbuilt auth mechanisms in an environment (I believe other cloud environments have equivalents to Google Cloud's ADC) - at the moment the only thing I can think of is to have a yaml file for minikube with a secrets volume mount, and a yaml file for the actual deployment

@aaron-prindle
Contributor

@drtriumph I can definitely see this could be useful. I have opened a new issue for this here:
#1405
