Kubeconfig in connection secret is not working in the latest (0.4) version #128
Comments
Hey @vadasambar! Thanks for opening this issue and apologies for any inconvenience you have experienced. I want to make sure I have a good understanding of where you are at in your troubleshooting now following your updates. It sounds like the connection If this is indeed the state you have found yourself in, it is actually by design right now while we determine a secure way to specify credentials on creation for
Let me know if this helps!
I want a way to connect to the provisioned cluster. It does not have to be

```yaml
masterAuth:
  clientCertificateConfig:
    issueClientCertificate: true
```

I will try this. Thank you!
I do get the cert fields populated now. Thank you! But when I used the raw kubeconfig in cli (I wrote it to

```
$ kubectl get po --kubeconfig=./config
Error from server (Forbidden): pods is forbidden: User "client" cannot list resource "pods" in API group "" in the namespace "default"
```

Thread on slack around this issue: https://crossplane.slack.com/archives/CEG3T90A1/p1578059370045600
As far as I understand, there are 3 ways to authenticate to a GKE cluster (please correct me if I'm wrong):
I am not sure whether it's possible but we can investigate that in case neither basic auth nor client cert is enabled, how we can generate a kubeconfig for access that doesn't depend on I found this but didn't dig much: https://gist.github.com/ahmetb/548059cdbf12fb571e4e2f1e29c48997
I'm fairly confident this isn't the case, unfortunately. The cluster doesn't actually have knowledge of what users exist; it typically defers to some external authentication system for that. For example, the CN of any valid auth certificate will be used as the username when cert auth is in use.
Slack thread about discussion around the fix: https://crossplane.slack.com/archives/CKXQHM7U3/p1578063791101100
Yes, this seems to be the case, one more thing to learn for me. Thanks!
FYI, one more slack discussion on this: https://crossplane.slack.com/archives/C01718T2476/p1620467756228000?thread_ts=1620398874.226900&cid=C01718T2476
I reopen the subject as the slack threads are not accessible anymore (I don't know if buying pro will give me access to it?). I am facing the same problem of client certificate with no sufficient permissions. Could someone explain how to connect to the cluster with enough permissions (ideally admin) without using gcloud? All other cloud providers provide sufficient token or certificate to connect but it seems that gcp is a bit harder to use. Thank you.
Hello, we are facing the same problem.
What happened?

The kubeconfig in connection secrets seems to be missing `username` and `password` (both of them are empty). When I try to use the kubeconfig locally using cli to access the cluster, I am asked for username and password. When I looked into config of this cluster in GKE console, Basic Authentication was disabled.

How can we reproduce it?

Use crossplane 0.6 and stack-gcp 0.4. Try provisioning a cluster using the following cluster claim and cluster class. Check the cluster connection secret: the `username` and `password` fields are empty.

What environment did it happen in?

`kubectl version`

More details

I tried provisioning cluster manually first, by providing `username` in `masterAuth` by referring to this https://github.com/crossplaneio/stack-gcp/blob/a6131969f4d1b2d6cbb0abd84cf4d452a1400367/pkg/clients/gke/gke.go#L98 through GKE's web api (https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters/create). If I provide a username in the API here, sure enough Basic Authentication is enabled and I get `username` and `password`. This makes me wonder if there's some problem on our side. I am looking into the codebase to check if there's something wrong.

Update 1

`v1alpha3`, `v1beta1` does not seem to have Basic Authentication enabled by default: https://github.com/crossplaneio/stack-gcp/blob/a6131969f4d1b2d6cbb0abd84cf4d452a1400367/pkg/clients/cluster/cluster.go#L255

Update 2

`v1beta1` seems to have changed authentication method to using certificates, but the config generated using `clientcmd` is still using `username` and `password`, which are not present. `v1beta1` seems to use `clientCert` and `clientKey`, but since they are not present in the config, the config is not working: https://github.com/crossplaneio/stack-gcp/blob/a6131969f4d1b2d6cbb0abd84cf4d452a1400367/pkg/clients/cluster/cluster.go#L1102

Update 3

`clientCert` and `clientKey`. The problem seems to be somewhere else: https://github.com/crossplaneio/stack-gcp/blob/a6131969f4d1b2d6cbb0abd84cf4d452a1400367/pkg/clients/cluster/cluster.go#L1127