Adds automated login + credential setup for @run()

[JyotinderSingh]

Integrate credential auto-setup into remote.run()

Problem

Users with GCP IAM access to an existing cluster cannot use @keras_remote.run() directly without first running keras-remote up. The up command is the only path that configures the three credential types needed by the execution pipeline:

1. Kubeconfig (~/.kube/config): job submission, status polling, log streaming
2. GCP Application Default Credentials: Cloud Storage and Artifact Registry access

Without these, remote.run() fails with opaque errors.

Solution

Add a shared credentials.py module that verifies and auto-configures all required credentials at the start of execute_remote(), before any work begins. Each check is idempotent, if credentials are already valid, it's a no-op.

Check	Detection	Auto-fix
gcloud CLI	shutil.which("gcloud")	Raise with install link
gke-gcloud-auth-plugin	shutil.which(...)	gcloud components install --quiet
GCP ADC	gcloud auth application-default print-access-token	gcloud auth application-default login
Kubeconfig	config.list_kube_config_contexts() — validates active context matches gke_{project}_{zone}_{cluster}	gcloud container clusters get-credentials

The kubeconfig check validates the active context points to the correct cluster, not just that some kubeconfig exists.

Changes

• keras_remote/credentials.py is the shared credential verification module with ensure_credentials() entry point and individual ensure_* functions. Uses RuntimeError (no click dependency) so it works from both the programmatic API and CLI.
• keras_remote/backend/execution.py calls ensure_credentials() at the top of execute_remote(). Also removes the unused BackendClient Protocol in favor of BaseK8sBackend base class with NotImplementedError stubs.
• keras_remote/cli/prerequisites_check.py refactored to delegate common checks (gcloud, auth plugin, ADC) to the shared module, wrapping RuntimeError into click.ClickException. CLI-only checks (Pulumi, kubectl) unchanged. Removed Docker prerequisite check (not needed — container builds use Cloud Build).
• Removed Docker auth post-deploy step (unused since Cloud Build has its own credentials).
• Updated AGENTS.md to reflect new module, execution pipeline step, and BaseK8sBackend replacing BackendClient.

[gemini-code-assist]

Summary of Changes

Hello @JyotinderSingh, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the user experience for keras_remote.run() by automating the often-cumbersome process of setting up GCP and Kubernetes credentials. Previously, users faced opaque errors if these credentials were not manually configured via keras-remote up. The new shared credentials.py module now handles the verification and idempotent auto-configuration of gcloud, ADC, and kubeconfig, ensuring a smoother and more reliable remote execution workflow. This change centralizes credential management, reduces boilerplate, and simplifies both the programmatic API and CLI interactions.

Highlights

• Automated Credential Setup: Introduced a new keras_remote/credentials.py module to automatically verify and configure necessary credentials (gcloud CLI, gke-gcloud-auth-plugin, GCP Application Default Credentials, and Kubeconfig) before remote execution, eliminating manual setup steps.
• Integration into Remote Execution Pipeline: Integrated the ensure_credentials() function into the execute_remote() pipeline, ensuring that all required credentials are in place and correctly configured at the start of any remote job.
• Refactored CLI Prerequisite Checks: Refactored the CLI's prerequisites_check.py to delegate common credential checks to the new shared credentials.py module, centralizing credential logic and improving consistency between programmatic API and CLI usage.
• Removed Obsolete Docker Authentication: Removed the Docker prerequisite check and the configure_docker_auth post-deploy step, as Cloud Build now handles container image authentication, simplifying the setup process.
• Updated Backend Abstraction: Replaced the BackendClient Protocol with a BaseK8sBackend base class in backend/execution.py, providing a more robust and extensible structure for Kubernetes-based backends.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• AGENTS.md
  • Added credentials.py to the list of key modules.
  • Included ensure_credentials() in the execution pipeline diagram.
  • Updated the description of backend/execution.py to reflect the use of BaseK8sBackend instead of BackendClient protocol.
  • Removed mention of 'Protocols' in the 'Design Principles' section.
• examples/example_gke.py
  • Removed manual kubectl configuration checks from the example script, as credential setup is now automated.
• keras_remote/backend/execution.py
  • Imported ensure_credentials from the new credentials module.
  • Replaced BackendClient Protocol with BaseK8sBackend class, adding NotImplementedError stubs for abstract methods.
  • Integrated ensure_credentials() call at the beginning of the execute_remote() function.
• keras_remote/backend/execution_test.py
  • Added mocks for keras_remote.backend.execution.ensure_credentials in test_success_flow and test_cleanup_on_wait_failure.
• keras_remote/cli/commands/up.py
  • Removed import of configure_docker_auth.
  • Removed the configure_docker_auth step from the post-deploy configuration list.
• keras_remote/cli/commands/up_test.py
  • Removed mocks and test cases related to configure_docker_auth.
• keras_remote/cli/constants.py
  • Imported DEFAULT_CLUSTER_NAME from keras_remote.constants instead of defining it locally.
• keras_remote/cli/infra/post_deploy.py
  • Updated module docstring to reflect removal of Docker auth configuration.
  • Removed the configure_docker_auth function.
• keras_remote/cli/prerequisites_check.py
  • Updated module docstring to explain delegation of checks to keras_remote.credentials.
  • Refactored check_gcloud, check_gke_auth_plugin, and check_gcloud_auth to call corresponding functions in keras_remote.credentials and convert RuntimeError to click.ClickException.
  • Removed the check_docker function.
  • Removed subprocess import as it's no longer directly used for these checks.
• keras_remote/cli/prerequisites_check_test.py
  • Updated TestToolChecks to remove gcloud and docker related tests.
  • Introduced TestDelegatedChecks to verify that check_gcloud, check_gke_auth_plugin, and check_gcloud_auth correctly delegate to keras_remote.credentials and handle RuntimeError.
• keras_remote/constants.py
  • Added DEFAULT_CLUSTER_NAME constant.
• keras_remote/core/core.py
  • Imported DEFAULT_CLUSTER_NAME.
  • Modified _execute_on_gke and _execute_on_pathways to use DEFAULT_CLUSTER_NAME as a default if KERAS_REMOTE_CLUSTER environment variable is not set.
• keras_remote/credentials.py
  • Added new file containing functions for credential verification and auto-setup: ensure_credentials, ensure_gcloud, ensure_gke_auth_plugin, ensure_adc, ensure_kubeconfig, and _configure_kubeconfig.
• keras_remote/credentials_test.py
  • Added new file containing unit tests for the functions in keras_remote/credentials.py.

Activity

• The pull request introduces a new feature to automate credential setup for remote execution.
• It involves significant refactoring of existing prerequisite checks and backend abstractions.
• New files keras_remote/credentials.py and keras_remote/credentials_test.py were added to implement and test the new credential management logic.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request significantly improves the user experience by automating credential setup for remote execution. The introduction of the keras_remote/credentials.py module centralizes and streamlines the verification and auto-configuration of gcloud CLI, gke-gcloud-auth-plugin, GCP Application Default Credentials, and Kubeconfig. This change effectively removes the need for manual keras-remote up execution for credential setup, addressing a key pain point. The refactoring of prerequisites_check.py to delegate common checks to the new module, along with the removal of the Docker prerequisite and auth steps, simplifies the CLI logic. The documentation (AGENTS.md) has been appropriately updated to reflect these architectural changes. Overall, this is a well-implemented and valuable enhancement.