gcp auth plugin is deprecated in v1.22+

[rd-michel]

Hello guys,

current deprecation warning in one of our deployments (google-github-actions/auth@v0):

4727 gcp.go:120] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

is this issue already addressed/fixed in a newer version of the setup-gcloud action?

[sethvargo]

Hi @rd-michel

Could you please share your action.yml so we can reproduce? That error is coming from gcp.go, which is not a file in this repo, so it's difficult to understand exactly what's going on without seeing the action.yml.

[bharathkkb]

@rd-michel If you are generating credentials via gcloud container clusters get-credentials, you can install the new auth plugin component gke-gcloud-auth-plugin via this input or you can switch to our native action https://github.com/google-github-actions/get-gke-credentials

[junjunjunk]

Hi @bharathkkb
I would like to confirm that my understanding is correct.

I understand that the former method would require setting USE_GKE_GCLOUD_AUTH_PLUGIN=True in the environment variable of all github actions that use kubectl.
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

With the latter method, we could set the opiton use_auth_provider:true and avoid setting environment variables.

Am I correct in understanding that in the former method, there is no option to configure whether to use auth-plugin, so there is no other way than to set an environment variable?

Sorry, I thought I had to enable the GCP auth plugin. Sorry for the confusion.

[avelez93]

I have the same problem.
This is my .yml:

apiVersion: kubeflow.org/v1
kind: TFJob
metadata:
name: multi-worker
spec:
cleanPodPolicy: None
tfReplicaSpecs:
Worker:
replicas: 3
restartPolicy: OnFailure
template:
spec:
containers:
- name: tensorflow
image: mnist
args:
- --epochs=4
- --steps_per_epoch=100
- --per_worker_batch=64
- --saved_model_path=gs://gwiklabs-gcp-01-f90cda69125e-bucket/saved_model_dir
- --checkpoint_path=gs://gwiklabs-gcp-01-f90cda69125e-bucket/checkpoints

[bharathkkb]

@junjunjunk When using https://github.com/google-github-actions/get-gke-credentials to generate a kubeconfig, it does not use the auth plugin unless use_auth_provider:true is set.

[junjunjunk]

@bharathkkb
Thank you!

[ernani]

I find this really hard as I do have the env var set to true in my local GCE VM but it stills warns me and I have the latest gcloud cli installed.

For some reason the export command wasn't being picked up and now it is. It works.

[Moon1706]

@bharathkkb
@junjunjunk

      - name: "Auth to GCP exist env"
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
      - name: "Set up Cloud SDK"
        uses: google-github-actions/setup-gcloud@v0
        with:
          install_components: 'gke-gcloud-auth-plugin'
      - name: "Connect to cluster"
        uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: keptn-test
          location: europe-west3-c
          project_id: sap-artifactory-dev
          use_auth_provider: true

Test output:

W0730 08:58:38.810648    1808 gcp.go:1[20](https://github.com/Moon1706/test/runs/7590470365?check_suite_focus=true#step:7:21)] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
NAME              STATUS   AGE
default           Active   5d2h
keptn             Active   3d
kube-node-lease   Active   5d2h
kube-public       Active   5d2h
kube-system       Active   5d2h
monitoring        Active   3d

Are you sure that your approach works?

[junjunjunk]

@Moon1706
I think you should delete use_auth_provider: true.
This opitons enables gcp auth plugin, which is deperecated in v1.22+.

[sml-virta]

I am also encountering this. I believe it is the helm binary that we are using in our deploy step that is producing this error. Since helm is being installed out of the box along with the official setup-gcloud action (I presume? I don't know where else it would be coming from), this definitely seems like a bug in the action itself and not a usage error.

We should be able to use the version of helm that is installed by setup-gcloud without seeing this warning.

[James-DBA-Anderson]

I having a related issue with this in my CI when running Composer commands to delete AirFlow DAGs:

The deletion of the DAG from storage works, but I guess the command to delete the DAG from AirFlow's UI requires kubectl. Any indication of what to try next would be great!

runs-on: ubuntu-latest
 steps:
 - uses: 'actions/checkout@v3'

 - id: 'auth'
   uses: 'google-github-actions/auth@v1'
   with:
     credentials_json: '${{ secrets.dev }}'

 - name: 'Set up Cloud SDK'
   uses: 'google-github-actions/setup-gcloud@v1.0.1'
   with:
     install_components: 'gke-gcloud-auth-plugin'
   
 - name: 'Delete DAG'
   run: |
     gcloud composer environments storage dags delete \
     --environment MY_ENV \
     --location europe-west2 \
     "test_dag"
     
     gcloud composer environments run MY_ENV \
     --location europe-west2 \
     dags delete -- "teset_dag"

[twistedpair]

@James-DBA-Anderson , see this doc. It should explain what's changed and needed.

[James-DBA-Anderson]

Thanks @twistedpair, I was already using install_components: 'gke-gcloud-auth-plugin' in my setup cloud SDK step and after reading that doc I have added the following to the top of my yaml:

env: USE_GKE_GCLOUD_AUTH_PLUGIN: True

This works locally, but results in the following error in CI:

I can't see anything else that I should be trying from that doc.

[mai-nakagawa]

env: USE_GKE_GCLOUD_AUTH_PLUGIN: True

@James-DBA-Anderson I think you should use true instead of True. It's not Python but YAML 😄

[simenandre]

Hello 👋

I've created a simple GitHub Action to install gke-gcloud-auth-plugin. This means if users are not using gcloud to anything on your Github Actions workflows (i.e only interacting with kubectl), you can cut down quite a lot of time/resources on each run.

I'll try to keep users of simenandre/setup-gke-gcloud-auth-plugin updated on using gke-gcloud-auth-plugin with GitHub Actions as we go.

To get started, drop this in your workflow:

- uses: simenandre/setup-gke-gcloud-auth-plugin@v1

Example when using with google-github-actions/auth:

- name: Authenticate to GCP 🔒
  uses: google-github-actions/auth@v0
  with:
    workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ secrets.SERVICE_ACCOUNT }}

- uses: simenandre/setup-gke-gcloud-auth-plugin@v1

Feel free to open issues and PRs here: https://github.com/simenandre/setup-gke-gcloud-auth-plugin