
Problem when using the kube client with a GCP AuthProviderConfig using tame-oauth MetadataServerProviderInner #1227

Open
mgabriac opened this issue Jun 9, 2023 · 2 comments
Labels
bug Something isn't working

Comments


mgabriac commented Jun 9, 2023

Current and expected behavior

Hello,
while using this configuration code

```rust
// As posted in the report: a kubeconfig AuthInfo whose auth_provider is the
// "gcp" provider with explicit scopes; the remaining AuthInfo fields take their defaults.
AuthInfo {
    auth_provider: Some(AuthProviderConfig {
        name: "gcp".to_string(),
        config: HashMap::from([(
            "scopes".to_string(),
            "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".to_string(),
        )]),
    }),
    ..Default::default()
}
```

the GCP OAuth flow defaults to using the metadata server for issuing access tokens, which is what I want in my case.
The problem is that the metadata server inside GKE is accessible via HTTP with no security. More precisely, this is the URL used:
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts
Note: Google does not provide access to this via HTTPS.

The code used for getting a token expects HTTPS to be used for issuing the token, which makes this flow broken:

```rust
// Excerpt from kube-client/src/client/auth/oauth.rs at the linked commit.
#[cfg(feature = "openssl-tls")]
let https =
    hyper_openssl::HttpsConnector::new().map_err(Error::CreateOpensslHttpsConnector)?;
#[cfg(all(not(feature = "openssl-tls"), feature = "rustls-tls"))]
let https = hyper_rustls::HttpsConnectorBuilder::new()
    .with_native_roots()
    .https_only() // the connector rejects plain http:// URLs, so the metadata request cannot succeed
    .enable_http1()
    .build();

let client = hyper::Client::builder().build::<_, hyper::Body>(https);
```

https://github.com/kube-rs/kube/blob/465ec9db8900ed592d017bffc3e8a6b9ee1fb06f/kube-client/src/client/auth/oauth.rs#LL113C1-L123C86

Possible solution

No response

Additional context

No response

Environment

the client is hosted inside GKE

Configuration and features

No response

Affected crates

kube-client

Would you like to work on fixing this bug?

None
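An added example (not kube's or tame-oauth's code) of the narrower alternative to dropping `https_only()` for the whole client: keep HTTPS as the default and allow plain HTTP only for an exact match on the metadata server host, which is the one endpoint that speaks HTTP only. The function names are hypothetical; the metadata hosts and the `Metadata-Flavor: Google` header are documented GCE behaviour.

```rust
// Added example, not kube's or tame-oauth's code. A scheme/host policy that keeps
// an https-only default but permits plain HTTP for the GCE metadata server alone,
// instead of downgrading the whole client to "https or http". Function names are
// hypothetical; the metadata hosts and the Metadata-Flavor header are documented
// GCE behaviour.

/// Hosts the GCE metadata server answers on (plain HTTP only, link-local).
const METADATA_HOSTS: [&str; 2] = ["metadata.google.internal", "169.254.169.254"];

/// Minimal scheme/host extraction without the `url` crate. Returns lowercase
/// (scheme, host); rejects userinfo so "http://metadata.google.internal@evil/"
/// cannot pass as the metadata host, and strips an optional :port.
fn scheme_and_host(url: &str) -> Option<(String, String)> {
    let (scheme, rest) = url.split_once("://")?;
    // The authority ends at the first '/', '?' or '#'.
    let authority = match rest.find(|c: char| c == '/' || c == '?' || c == '#') {
        Some(i) => &rest[..i],
        None => rest,
    };
    if authority.is_empty() || authority.contains('@') {
        return None;
    }
    let host = authority.split(':').next()?;
    if host.is_empty() {
        return None;
    }
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase()))
}

/// Policy: https is always acceptable; http only on an exact metadata-host match.
pub fn plaintext_allowed(url: &str) -> bool {
    match scheme_and_host(url) {
        Some((scheme, host)) => {
            scheme == "https" || (scheme == "http" && METADATA_HOSTS.contains(&host.as_str()))
        }
        None => false,
    }
}

/// Token request for a metadata-server service account. GCE rejects requests
/// that lack "Metadata-Flavor: Google", so the header is returned with the URL.
pub fn metadata_token_request(service_account: &str) -> (String, Vec<(&'static str, &'static str)>) {
    let url = format!(
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/{}/token",
        service_account
    );
    (url, vec![("Metadata-Flavor", "Google")])
}
```

Look-alike hosts (`metadata.google.internal.evil.example`) and userinfo tricks (`metadata.google.internal@evil.example`) are rejected, so the plaintext exception cannot be widened by URL shape alone.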

@mgabriac mgabriac added the bug Something isn't working label Jun 9, 2023
@clux (Member)

clux commented Jun 9, 2023

Hm, interesting.

When you say "inside gke" do you mean in-cluster (as in deployed inside a pod)? If so, shouldn't this be using the standard incluster configuration rather than the more advanced authentication flow?

@mgabriac (Author)

mgabriac commented Jun 9, 2023

So indeed, the code is running in a pod in a GKE cluster, trying to access another GKE Kubernetes cluster.
It uses a service account, and I wanted to use this https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications to authenticate to the other cluster. This is a flow that is supported by tame-oauth.
I think the in-cluster configuration is more for dealing with resources of the same cluster.

Thanks for the quick heads-up!
