TL;DR
I am using google-github-actions/auth with the following settings:
credentials_json: <my-secret-json-token-file>
access_token_lifetime: "7200s"
token_format: "access_token"
After that, I use the get-gke-credentials action to get my kubeconfig. I assumed that I can use that kubeconfig for the above set 7200s (2h) but instead, my pipeline still fails exactly after (the default) 1h with unauthorized errors.
Expected behavior
I can use my kube config for 2h, since I set my token in the auth action to be valid for 2h.
Observed behavior
My pipeline starts failing with unauthorized errors exactly after 1h.
I checked the debug logs of my pipeline and the access token is indeed showing an expiration time of 2h. So I assume that the get-gke-credentials action uses a different token somehow?
Action YAML
- name: Authenticate to Google Cloud
  uses: google-github-actions/[email protected]
  with:
    credentials_json: <my-secret-json-token>
    access_token_lifetime: "7200s"
    token_format: "access_token"
- name: Get Kubeconfig
  uses: google-github-actions/[email protected]
  with:
    cluster_name: ${{ matrix.CLUSTER_NAME }}
    location: "my-gcp-zone"
Log output
Logs from google-github-actions/auth
2022-07-04T07:05:55.7047634Z ##[debug]Evaluating condition for step: 'Authenticate to Google Cloud'
2022-07-04T07:05:55.7048699Z ##[debug]Evaluating: (success() && (env.CLOUD_PROVIDER == 'GKE'))
2022-07-04T07:05:55.7049066Z ##[debug]Evaluating And:
2022-07-04T07:05:55.7049410Z ##[debug]..Evaluating success:
2022-07-04T07:05:55.7049750Z ##[debug]..=> true
2022-07-04T07:05:55.7050071Z ##[debug]..Evaluating Equal:
2022-07-04T07:05:55.7050414Z ##[debug]....Evaluating Index:
2022-07-04T07:05:55.7050726Z ##[debug]......Evaluating env:
2022-07-04T07:05:55.7051040Z ##[debug]......=> Object
2022-07-04T07:05:55.7051367Z ##[debug]......Evaluating String:
2022-07-04T07:05:55.7051704Z ##[debug]......=> 'CLOUD_PROVIDER'
2022-07-04T07:05:55.7052030Z ##[debug]....=> 'GKE'
2022-07-04T07:05:55.7052353Z ##[debug]....Evaluating String:
2022-07-04T07:05:55.7052641Z ##[debug]....=> 'GKE'
2022-07-04T07:05:55.7052927Z ##[debug]..=> true
2022-07-04T07:05:55.7053211Z ##[debug]=> true
2022-07-04T07:05:55.7053654Z ##[debug]Expanded: (true && ('GKE' == 'GKE'))
2022-07-04T07:05:55.7054067Z ##[debug]Result: true
2022-07-04T07:05:55.7054546Z ##[debug]Starting: Authenticate to Google Cloud
2022-07-04T07:05:55.7076877Z ##[debug]Register post job cleanup for action: google-github-actions/[email protected]
2022-07-04T07:05:55.7084038Z ##[debug]Loading inputs
2022-07-04T07:05:55.7085202Z ##[debug]Evaluating: secrets.GCLOUD_RESTRICTED_SERVICE_KEY
2022-07-04T07:05:55.7085548Z ##[debug]Evaluating Index:
2022-07-04T07:05:55.7085796Z ##[debug]..Evaluating secrets:
2022-07-04T07:05:55.7086094Z ##[debug]..=> Object
2022-07-04T07:05:55.7086336Z ##[debug]..Evaluating String:
2022-07-04T07:05:55.7086610Z ##[debug]..=> 'GCLOUD_RESTRICTED_SERVICE_KEY'
2022-07-04T07:05:55.7294527Z ##[debug]=> '***'
2022-07-04T07:05:55.7503890Z ##[debug]Result: '***'
2022-07-04T07:05:55.7510596Z ##[debug]Loading env
2022-07-04T07:05:55.7515263Z ##[group]Run google-github-actions/[email protected]
2022-07-04T07:05:55.7515520Z with:
2022-07-04T07:05:55.7720813Z credentials_json: ***
2022-07-04T07:05:55.7721078Z access_token_lifetime: 7200s
2022-07-04T07:05:55.7721340Z token_format: access_token
2022-07-04T07:05:55.7721589Z create_credentials_file: true
2022-07-04T07:05:55.7721853Z export_environment_variables: true
2022-07-04T07:05:55.7722114Z cleanup_credentials: true
2022-07-04T07:05:55.7722450Z access_token_scopes: https://www.googleapis.com/auth/cloud-platform
2022-07-04T07:05:55.7722748Z retries: 0
2022-07-04T07:05:55.7722958Z id_token_include_email: false
2022-07-04T07:05:55.7723172Z env:
2022-07-04T07:05:55.7723387Z META_KEPTN_VERSION: 0.13.2
2022-07-04T07:05:55.7723635Z META_KEPTN_KEPTN_PROJECT: keptn
2022-07-04T07:05:55.7723877Z CLOUD_PROVIDER: GKE
2022-07-04T07:05:55.7724104Z PLATFORM: kubernetes
2022-07-04T07:05:55.7724536Z PLATFORM_VERSION: 1.22
2022-07-04T07:05:55.7724765Z KUBECONFIG:
2022-07-04T07:05:55.7724998Z KEPTN_NAMESPACE: keptn-test-2396-2
2022-07-04T07:05:55.7725269Z KEPTN_SERVICE_TYPE: LoadBalancer
2022-07-04T07:05:55.7725531Z RUN_CONTINUOUS_DELIVERY_TEST: true
2022-07-04T07:05:55.7725781Z RUN_AIRGAPPED_TEST:
2022-07-04T07:05:55.7726094Z AIRGAPPED_REGISTRY_URL: k3d-container-registry.localhost:12345
2022-07-04T07:05:55.7726415Z REMOTE_EXECUTION_PLANE: false
2022-07-04T07:05:55.7726669Z COLLECT_RESOURCE_LIMITS: true
2022-07-04T07:05:55.7726906Z GO_VERSION: ~1.18
2022-07-04T07:05:55.7727154Z TEST_REPORT_FOLDER: test-reports-GKE-1.22
2022-07-04T07:05:55.7727451Z FINAL_TEST_REPORT_FOLDER: test-reports
2022-07-04T07:05:55.7727787Z FINAL_TEST_REPORT_PATH: test-reports/test-report-final-GKE-1.22.log
2022-07-04T07:05:55.7728193Z TEST_REPORT_FILENAME_SUFFIX: test-report-2607468287-kubernetes-GKE-1.22.log
2022-07-04T07:05:55.7728509Z BRANCH: master
2022-07-04T07:05:55.7728727Z BRANCH_SLUG: master
2022-07-04T07:05:55.7728952Z BUILD_EVERYTHING: true
2022-07-04T07:05:55.7729191Z VERSION: 0.17.0-dev.202206301240
2022-07-04T07:05:55.7729406Z DATETIME: 202206301240
2022-07-04T07:05:55.7729621Z GIT_SHA: 6a0e1bec1
2022-07-04T07:05:55.7729835Z ##[endgroup]
2022-07-04T07:05:55.8627699Z ##[debug]Using credentials JSON
2022-07-04T07:05:55.8635296Z ##[debug]Creating credentials file
2022-07-04T07:05:55.8669079Z Created credentials file at "/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json"
2022-07-04T07:05:55.8671069Z
2022-07-04T07:05:55.8673872Z ::set-output name=credentials_file_path::/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:05:55.8674465Z ##[debug]='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.8680521Z
2022-07-04T07:05:55.8682178Z ::set-output name=project_id::***
2022-07-04T07:05:55.8682500Z ##[debug]='***'
2022-07-04T07:05:55.8688181Z ##[debug]Creating access token
2022-07-04T07:05:55.9434913Z ::add-mask::***
2022-07-04T07:05:55.9437129Z
2022-07-04T07:05:55.9443389Z ::set-output name=access_token::***
2022-07-04T07:05:55.9448712Z ##[debug]='***'
2022-07-04T07:05:55.9449094Z
2022-07-04T07:05:55.9449653Z ::set-output name=access_token_expiration::2022-07-04T09:05:55Z
2022-07-04T07:05:55.9449937Z ##[debug]='2022-07-04T09:05:55Z'
2022-07-04T07:05:55.9522710Z ##[debug]Node Action run completed with exit code 0
2022-07-04T07:05:55.9524139Z ##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9524611Z ##[debug]GOOGLE_APPLICATION_CREDENTIALS='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9525028Z ##[debug]GOOGLE_GHA_CREDS_PATH='/home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json'
2022-07-04T07:05:55.9525368Z ##[debug]CLOUDSDK_CORE_PROJECT='***'
2022-07-04T07:05:55.9525645Z ##[debug]CLOUDSDK_PROJECT='***'
2022-07-04T07:05:55.9525919Z ##[debug]GCLOUD_PROJECT='***'
2022-07-04T07:05:55.9526182Z ##[debug]GCP_PROJECT='***'
2022-07-04T07:05:55.9526442Z ##[debug]GOOGLE_CLOUD_PROJECT='***'
2022-07-04T07:05:55.9527453Z ##[debug]Finishing: Authenticate to Google Cloud
Logs from google-github-actions/get-gke-credentials
2022-07-04T07:06:10.3527132Z ##[debug]Evaluating condition for step: 'Get Kubeconfig'
2022-07-04T07:06:10.3528757Z ##[debug]Evaluating: (success() && (env.CLOUD_PROVIDER == 'GKE'))
2022-07-04T07:06:10.3529199Z ##[debug]Evaluating And:
2022-07-04T07:06:10.3529548Z ##[debug]..Evaluating success:
2022-07-04T07:06:10.3530010Z ##[debug]..=> true
2022-07-04T07:06:10.3530346Z ##[debug]..Evaluating Equal:
2022-07-04T07:06:10.3530701Z ##[debug]....Evaluating Index:
2022-07-04T07:06:10.3531040Z ##[debug]......Evaluating env:
2022-07-04T07:06:10.3531367Z ##[debug]......=> Object
2022-07-04T07:06:10.3531713Z ##[debug]......Evaluating String:
2022-07-04T07:06:10.3532068Z ##[debug]......=> 'CLOUD_PROVIDER'
2022-07-04T07:06:10.3532441Z ##[debug]....=> 'GKE'
2022-07-04T07:06:10.3532776Z ##[debug]....Evaluating String:
2022-07-04T07:06:10.3533090Z ##[debug]....=> 'GKE'
2022-07-04T07:06:10.3533396Z ##[debug]..=> true
2022-07-04T07:06:10.3533675Z ##[debug]=> true
2022-07-04T07:06:10.3534155Z ##[debug]Expanded: (true && ('GKE' == 'GKE'))
2022-07-04T07:06:10.3534608Z ##[debug]Result: true
2022-07-04T07:06:10.3535226Z ##[debug]Starting: Get Kubeconfig
2022-07-04T07:06:10.3552359Z ##[debug]Loading inputs
2022-07-04T07:06:10.3553459Z ##[debug]Evaluating: matrix.CLUSTER_NAME
2022-07-04T07:06:10.3553746Z ##[debug]Evaluating Index:
2022-07-04T07:06:10.3554007Z ##[debug]..Evaluating matrix:
2022-07-04T07:06:10.3554258Z ##[debug]..=> Object
2022-07-04T07:06:10.3554508Z ##[debug]..Evaluating String:
2022-07-04T07:06:10.3554754Z ##[debug]..=> 'CLUSTER_NAME'
2022-07-04T07:06:10.3555074Z ##[debug]=> '***'
2022-07-04T07:06:10.3555403Z ##[debug]Result: '***'
2022-07-04T07:06:10.3557618Z ##[debug]Loading env
2022-07-04T07:06:10.3562072Z ##[group]Run google-github-actions/[email protected]
2022-07-04T07:06:10.3562368Z with:
2022-07-04T07:06:10.3562607Z cluster_name: ***
2022-07-04T07:06:10.3562877Z location: ***
2022-07-04T07:06:10.3563116Z use_auth_provider: false
2022-07-04T07:06:10.3563366Z use_internal_ip: false
2022-07-04T07:06:10.3563583Z env:
2022-07-04T07:06:10.3563795Z META_KEPTN_VERSION: 0.13.2
2022-07-04T07:06:10.3564051Z META_KEPTN_KEPTN_PROJECT: keptn
2022-07-04T07:06:10.3564297Z CLOUD_PROVIDER: GKE
2022-07-04T07:06:10.3564528Z PLATFORM: kubernetes
2022-07-04T07:06:10.3564761Z PLATFORM_VERSION: 1.22
2022-07-04T07:06:10.3564988Z KUBECONFIG:
2022-07-04T07:06:10.3565234Z KEPTN_NAMESPACE: keptn-test-2396-2
2022-07-04T07:06:10.3565510Z KEPTN_SERVICE_TYPE: LoadBalancer
2022-07-04T07:06:10.3565775Z RUN_CONTINUOUS_DELIVERY_TEST: true
2022-07-04T07:06:10.3566013Z RUN_AIRGAPPED_TEST:
2022-07-04T07:06:10.3566328Z AIRGAPPED_REGISTRY_URL: k3d-container-registry.localhost:12345
2022-07-04T07:06:10.3566651Z REMOTE_EXECUTION_PLANE: false
2022-07-04T07:06:10.3566905Z COLLECT_RESOURCE_LIMITS: true
2022-07-04T07:06:10.3567141Z GO_VERSION: ~1.18
2022-07-04T07:06:10.3567409Z TEST_REPORT_FOLDER: test-reports-GKE-1.22
2022-07-04T07:06:10.3567706Z FINAL_TEST_REPORT_FOLDER: test-reports
2022-07-04T07:06:10.3568161Z FINAL_TEST_REPORT_PATH: test-reports/test-report-final-GKE-1.22.log
2022-07-04T07:06:10.3568581Z TEST_REPORT_FILENAME_SUFFIX: test-report-2607468287-kubernetes-GKE-1.22.log
2022-07-04T07:06:10.3568902Z BRANCH: master
2022-07-04T07:06:10.3569125Z BRANCH_SLUG: master
2022-07-04T07:06:10.3569359Z BUILD_EVERYTHING: true
2022-07-04T07:06:10.3569605Z VERSION: 0.17.0-dev.202206301240
2022-07-04T07:06:10.3569839Z DATETIME: 202206301240
2022-07-04T07:06:10.3570056Z GIT_SHA: 6a0e1bec1
2022-07-04T07:06:10.3570414Z CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3570883Z GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3571318Z GOOGLE_GHA_CREDS_PATH: /home/runner/work/keptn/keptn/gha-creds-ee7bda78dd376c51.json
2022-07-04T07:06:10.3571660Z CLOUDSDK_CORE_PROJECT: ***
2022-07-04T07:06:10.3571932Z CLOUDSDK_PROJECT: ***
2022-07-04T07:06:10.3572295Z GCLOUD_PROJECT: ***
2022-07-04T07:06:10.3572547Z GCP_PROJECT: ***
2022-07-04T07:06:10.3572807Z GOOGLE_CLOUD_PROJECT: ***
2022-07-04T07:06:10.3573130Z CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
2022-07-04T07:06:10.3573422Z ##[endgroup]
2022-07-04T07:06:10.4538368Z Extracted project ID "***" from $GCLOUD_PROJECT
2022-07-04T07:06:10.6945922Z Successfully created and exported "KUBECONFIG" at /home/runner/work/keptn/keptn/918a154edea587e9bc09f34b
2022-07-04T07:06:10.6991251Z ##[debug]Node Action run completed with exit code 0
2022-07-04T07:06:10.6992590Z ##[debug]KUBECONFIG='/home/runner/work/keptn/keptn/918a154edea587e9bc09f34b'
2022-07-04T07:06:10.6993606Z ##[debug]Finishing: Get Kubeconfig
Additional information
No response
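The timing argument in this report can be checked mechanically from the runner log. The following is an added example, not part of the original issue or of either action's code: it reads the auth step's requested lifetime and reported expiration, then tests whether a 401 arrived while that token was still valid. The sample lines are copied from the log above, except the final "Unauthorized" line, which is constructed because the report does not include the failing step's output.

```python
import re
from datetime import datetime, timezone

# Lines copied from the log on this page, plus one CONSTRUCTED failure line
# (the report says "unauthorized" after exactly 1h but shows no log for it).
SAMPLE_LOG = """\
2022-07-04T07:05:55.7721078Z access_token_lifetime: 7200s
2022-07-04T07:05:55.8688181Z ##[debug]Creating access token
2022-07-04T07:05:55.9449653Z ::set-output name=access_token_expiration::2022-07-04T09:05:55Z
2022-07-04T07:06:10.3563116Z use_auth_provider: false
2022-07-04T08:06:10.9000000Z error: You must be logged in to the server (Unauthorized)
"""

# Runner timestamps carry 7 fractional digits; keep whole seconds only.
TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z\s?(.*)$")

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def analyse(log_text):
    requested = issued = expires = failed = None
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        when, msg = _utc(m.group(1)), m.group(2).strip()
        if msg.startswith("access_token_lifetime:"):
            requested = int(msg.split(":", 1)[1].strip().rstrip("s"))
        elif msg.endswith("Creating access token"):
            issued = when
        elif "name=access_token_expiration::" in msg:
            expires = _utc(msg.split("::")[-1].rstrip("Z"))
        elif "Unauthorized" in msg and failed is None:
            failed = when
    if issued is None or expires is None:
        raise ValueError("auth step lines not found in log")
    return {
        "requested_s": requested,
        "granted_s": int((expires - issued).total_seconds()),
        "failed_after_s": int((failed - issued).total_seconds()) if failed else None,
        # A 401 before the auth token's expiry means the rejected credential
        # is not the token whose expiration the auth step reported.
        "failure_before_token_expiry": bool(failed and failed < expires),
    }
```

On the sample, the granted lifetime matches the requested 7200s while the failure lands roughly an hour in, which is the mismatch the report describes.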