Initial commit

Author: Matt Morrison

README.md

@@ -0,0 +1,42 @@
+# Kubernetes client-go credential helper for Google Cloud
+
+`client-go` credential helper that generates Kubernetes `ExecCredentials` objects from the GCloud SDK account.
+
+## Overview
+
+Kubernetes provides a pluggable mechanism for getting user credentials for authenticating with the API server.
+`k8s.io/client-go` client libraries and tools using it such as `kubectl` and `kubelet` are able to execute an external command to receive user credentials.
+This tool reads the client credentials from the pre-authenticated GCloud SDK account on the local system and generates the appropriate `ExecCredential` API object that can be used by the above tools to authenticate.
+
+See (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins)
+
+## Usage
+
+Build and run `gcp-exec-creds`.
+The command does not take any flags or arguments.
+
+**Example**
+
+```
+gcp-exec-creds
+{
+  "apiVersion": "client.authentication.k8s.io/v1beta1",
+  "ExecCredential": "ExecCredential",
+  "status": {
+    "token": "ya29.Gl2MBsw3YWqsD5......OqgeJE5LciQ"
+  }
+}
+```
+
+## Building
+
+**Prerequisites**
+
+- Golang 1.11
+
+`go get -v github.com/sl1pm4t/gcp-exec-creds`
+
+### How is this different from 'gcloud config config-helper' command?
+
+This tool outputs the credentials in the `ExecCredential` API document format which may be necessary for some tools.
+The `gcloud config config-helper` tool outputs in a non-standard json document.

go.mod

@@ -0,0 +1,7 @@
+module github.com/sl1pm4t/gcp-exec-creds
+
+require (
+	cloud.google.com/go v0.34.0 // indirect
+	golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e // indirect
+	golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890
+)

go.sum

@@ -0,0 +1,6 @@
+cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890 h1:uESlIz09WIHT2I+pasSXcpLYqYK8wHcdCetU3VuMBJE=
+golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=

main.go

@@ -0,0 +1,70 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"golang.org/x/oauth2/google"
+)
+
+// ExecCredential is the Kubernetes ExecCredential API object
+// Example:
+// {
+//   "apiVersion": "client.authentication.k8s.io/v1beta1",
+//   "kind": "ExecCredential",
+//   "status": {
+//     "token": "my-bearer-token"
+//   }
+// }
+type ExecCredential struct {
+	APIVersion string               `json:"apiVersion"`
+	Kind       string               `json:"ExecCredential"`
+	Status     ExecCredentialStatus `json:"status"`
+}
+
+type ExecCredentialStatus struct {
+	Token string `json:"token"`
+}
+
+func NewExecCredential(token string) ExecCredential {
+	ec := ExecCredential{
+		APIVersion: "client.authentication.k8s.io/v1beta1",
+		Kind:       "ExecCredential",
+		Status: ExecCredentialStatus{
+			Token: token,
+		},
+	}
+	return ec
+}
+
+func (ec ExecCredential) String() string {
+	b, err := json.MarshalIndent(&ec, "", "  ")
+	if err != nil {
+		fmt.Printf("could not marshal ExecCredentials: %s", err)
+		os.Exit(1)
+	}
+	return string(b)
+}
+
+func main() {
+	clientScopes := []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+	}
+
+	tokenSource, err := google.DefaultTokenSource(context.Background(), clientScopes...)
+	if err != nil {
+		fmt.Printf("could not get tokenSource: %s", err)
+		os.Exit(1)
+	}
+
+	token, err := tokenSource.Token()
+	if err != nil {
+		fmt.Printf("could not get token: %s", err)
+		os.Exit(1)
+	}
+
+	ec := NewExecCredential(token.AccessToken)
+	fmt.Println(ec.String())
+}