Skip to content

gcp-auth: handle CredentialsFromJSON error and guard nil creds#23272

Open
nitishagar wants to merge 1 commit into
kubernetes:masterfrom
nitishagar:fix-gcpauth-nil-creds
Open

gcp-auth: handle CredentialsFromJSON error and guard nil creds#23272
nitishagar wants to merge 1 commit into
kubernetes:masterfrom
nitishagar:fix-gcpauth-nil-creds

Conversation

@nitishagar

Copy link
Copy Markdown
Contributor

Problem

enableAddonGCPAuth can panic with a nil-pointer dereference at creds.JSON (pkg/addons/addons_gcpauth.go:101) when:

  • google.FindDefaultCredentials fails, AND
  • detect.IsCloudShell() is true, AND
  • CLOUDSDK_CONFIG is unset, the ADC file is unreadable, or google.CredentialsFromJSON fails

In the original code the CredentialsFromJSON error was silently discarded (creds, _ = ...), leaving creds nil and producing a panic instead of an actionable error message.

Fixes #23012

Changes

pkg/addons/addons_gcpauth.go

  • Extract Cloud Shell ADC loading into an unexported credentialsFromCloudShellADC(ctx) helper that returns (*google.Credentials, error), making the failure path unit-testable and the error non-discardable.
  • In the Cloud Shell branch: call the helper; on failure log the error via klog.Warningf and fall through with creds nil. No exit here — Cloud Shell runs on a GCE VM where detect.IsOnGCE() is true, so today's successful path (ADC load fails → GCE early-return → nil return with warning) is preserved.
  • Add an explicit creds == nil guard after the GCE early-return with an actionable exit.Message (same wording as line 85), making the nil-deref at creds.JSON structurally impossible.

pkg/addons/addons_gcpauth_test.go (new)

Unit tests for credentialsFromCloudShellADC:

  • CLOUDSDK_CONFIG unset → error
  • env set, file missing → error
  • file with invalid JSON → error
  • file with valid authorized_user JSON → non-nil creds, creds.JSON equals file contents

Deprecation note

The issue title asks whether golang.org/x/oauth2/google.FindDefaultCredentials and CredentialsFromJSON must be replaced. These functions are in maintenance mode but are not removed or broken. Migration to cloud.google.com/go/auth is a separate, larger change and is out of scope for this bug fix.

Testing

GOPROXY=direct go test -v -run TestCredentialsFromCloudShellADC ./pkg/addons/...

All 4 tests pass. go vet ./pkg/addons/... clean.

🧙 Built with WOZCODE

…netes#23012)

Extract Cloud Shell ADC loading into credentialsFromCloudShellADC helper so
the CredentialsFromJSON error is no longer silently discarded. On failure,
log the error via klog.Warningf and fall through with nil creds (no exit —
Cloud Shell runs on GCE so the existing IsOnGCE early-return handles this
path successfully). Add an explicit creds == nil guard after the GCE
early-return with an actionable exit.Message, making the nil-deref at
creds.JSON structurally impossible.

The golang.org/x/oauth2/google functions used here are in maintenance mode
but not removed; migration to cloud.google.com/go/auth is out of scope.

Fixes kubernetes#23012
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jul 3, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: nitishagar / name: Nitish Agarwal (24edf07)

@kubernetes-prow kubernetes-prow Bot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 3, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nitishagar
Once this PR has been reviewed and has the lgtm label, please assign nirs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow kubernetes-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 3, 2026
@kubernetes-prow

Copy link
Copy Markdown
Contributor

Hi @nitishagar. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@nitishagar nitishagar force-pushed the fix-gcpauth-nil-creds branch from 1550964 to 24edf07 Compare July 3, 2026 08:37
@kubernetes-prow kubernetes-prow Bot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 3, 2026
@minikube-bot

Copy link
Copy Markdown
Collaborator

Can one of the admins verify this patch?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

gcp-auth: investigate if need to move from depricated func

2 participants