GKE DNS Endpoint Support

[jjtroberts]

There is a new DNS endpoint feature for GKE kube-apiserver that, when enabled, creates a DNS endpoint similar to gke-some-long-hash.region.gke.goog.

This endpoint is protected by IAM, meaning that any request must be able to authenticate as a GCP IAM identity and has container.clusters.connect which is included in any identity that has either of the roles:

• roles/container.developer
• roles/container.viewer

We had Workload Identity setup and working as expected prior to this change.

I enabled the dns endpoint in a lab environment and updated my ArgoCD cluster secret and project destination but am unable to connect:

Get "https://gke-xxxxxxx.us-east4.gke.goog/version?timeout=32s": net/http: TLS handshake timeout - error from a previous attempt: read tcp xxx.xxx.xxx.xxx:52834->xxx.xxx.xxx.xxx:443: read: connection reset by peer

I've tried with tlsClientConfig.insecure set to false and to true, and without a tlsClientConfig at all. Any insight into how ArgoCD authenticates using the execProviderConfig below would be appreciated.

config: |
    {
      "execProviderConfig": {
        "command": "argocd-k8s-auth",
        "args": ["gcp"],
        "apiVersion": "client.authentication.k8s.io/v1beta1"
      },
      "tlsClientConfig": {
        "insecure": true
      }
    }