Does not work with Workload Identity on GKE
viyh opened this issue · 7 comments
When using this with a Jenkins pod running on GKE using a service account with Workload Identity, the plugin no longer works using the automatic metadata credentials.
I have the same issue. My Jenkins master runs in GKE and the metadata credentials used to work when my cluster had node metadata set to EXPOSED. I updated my cluster, moved to GKE Metadata Server / Workload Identity, did all the GCP and K8S service account configuration and I can confirm that my pods (including Jenkins) can access the metadata server. I can run kubectl/gcloud commands in the pods and everything works as before except for this plugin.
I've looked through the source code for metadata endpoints accessed and the ones I found I can confirm they are accessible from my pods. Don't really understand where the plugin decides to "hide" the metadata credentials option.
Any update on getting this merged and released?
I'm not sure what I can do to get this merged. I guess a maintainer needs to review and merge that pull request. I've manually installed the generated hpi file from the build and have been running it since then. It would be nice to have this released though.
Thanks Don!
So should this issue be closed?