I am trying to set up continuous deployment from CircleCI to my Google Container Engine instance based on a tutorial on the CircleCI website.
However, I'm currently stumbling on how to set up authentication so that I can perform a rolling update:
KUBE_CMD=${KUBERNETES_ROOT:-~/kubernetes}/cluster/kubectl.sh
$KUBE_CMD rolling-update my-controller \
-f my-controller.yml --server="https://xxx.xxx.xxx.xxx"
Google only seems to support OAuth and I can't find any documentation for setting up non-interactive authentication. Passing basic auth parameters to kubectl doesn't seem to work.
Any advice on this or where I can look?
The apiserver running in your Container Engine cluster doesn't use Google's OAuth; it uses the cluster authentication instead. If you run
Then you will get a username and password that can be used as http basic auth credentials to access the cluster's apiserver (you can also access the server used a bearer token or TLS client certificates, but basic auth is the easiest to get started with).
To test, run
and you should see a successful response.
Now that you understand how the cluster's apiserver authenticates clients, you need to configure kubectl on the CircleCI machine to provide the proper authentication. The easiest way to do this is to use gcloud to generate a "kubeconfig" file by running
Which will generate the file locally. You can then copy the file onto the CircleCI box. kubectl looks for the file at
~/.kube/configby default (you can specify a different location using an environment variable or using the command line flag--kubeconfig).