It is a small external exec provider for Kubernetes that delegates getting and refreshing the access token to the gcloud command-line tool.
Normally kubectl already refreshes tokens automatically, but third-party clients and libraries don't typically support all the various auth flows that you may have specified in your K8S config file. The exec flow seems to be well-supported (e.g. by the fabric8.io kubernetes-client for Java) and this is a bridge between that and Google's cloud.
- Install Rust via rustup.
- Clone this repo
cargo build --release- The binary is
target/release/gke-exec-credential
In your ~/.kube/config file, set up your K8S context like so:
- context:
cluster: my-fancy-k8s-cluster
namespace: default
user: gkeThen, add the gke user like so:
users:
- name: gke
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: /path/to/gke-exec-credentialIn the folder where gke-exec-credential is located a file called gke-exec-credential-cached will be placed with the cached gcloud access token. It will be refreshed automatically.
The implementation is based on this credential helper, but adds a simple cache to avoid having to refresh the token on every call. Normally ExecCredentials are also cached until the client process exits, but this is not really suitable for a command-line workflow where the process exits after every invocation.