kubes 0.5.0 → 0.6.3
- checksums.yaml +4 -4
- data/.gcloudignore +22 -0
- data/.gitignore +1 -1
- data/CHANGELOG.md +22 -0
- data/Dockerfile +6 -6
- data/Dockerfile.alpine +20 -0
- data/README.md +54 -8
- data/docker/install/docker.sh +8 -0
- data/docker/install/gcloud.sh +18 -0
- data/docker/install/kubectl.sh +4 -0
- data/docs/_docs/config/hooks/kubes.md +1 -0
- data/docs/_docs/config/reference.md +1 -0
- data/docs/_docs/dsl/multiple-resources.md +3 -1
- data/docs/_docs/dsl/resources/secret.md +19 -2
- data/docs/_docs/generators.md +4 -4
- data/docs/_docs/helpers.md +16 -2
- data/docs/_docs/helpers/aws/advanced.md +10 -0
- data/docs/_docs/helpers/aws/advanced/secrets.md +131 -0
- data/docs/_docs/helpers/aws/advanced/ssm.md +78 -0
- data/docs/_docs/helpers/aws/secrets.md +18 -88
- data/docs/_docs/helpers/aws/ssm.md +20 -38
- data/docs/_docs/helpers/google/advanced.md +10 -0
- data/docs/_docs/helpers/google/advanced/secrets.md +78 -0
- data/docs/_docs/helpers/google/gke.md +89 -0
- data/docs/_docs/helpers/google/secrets.md +18 -27
- data/docs/_docs/intro.md +2 -11
- data/docs/_docs/intro/how-kubes-works.md +7 -11
- data/docs/_docs/layering.md +2 -0
- data/docs/_docs/layering/mix.md +99 -0
- data/docs/_docs/patterns/multiple-envs.md +55 -0
- data/docs/_docs/variables.md +23 -0
- data/docs/_docs/variables/advanced.md +62 -0
- data/docs/_docs/variables/basic.md +137 -0
- data/docs/_docs/vs.md +10 -0
- data/docs/_docs/vs/custom.md +109 -0
- data/docs/_docs/vs/helm.md +243 -0
- data/docs/_docs/vs/kustomize.md +167 -0
- data/docs/_includes/intro/features.md +11 -0
- data/docs/_includes/layering/layers.md +2 -4
- data/docs/_includes/sidebar.html +39 -0
- data/docs/_includes/vs/article.md +1 -0
- data/docs/_includes/vs/kubes/layering.md +10 -0
- data/docs/_includes/vs/kubes/structure.md +24 -0
- data/docs/_reference/kubes-new-help.md +15 -0
- data/docs/_reference/kubes-new-helper.md +25 -0
- data/docs/_reference/kubes-new-resource.md +56 -0
- data/docs/_reference/kubes-new-variable.md +20 -0
- data/docs/_reference/kubes-new.md +6 -38
- data/kubes.gemspec +2 -2
- data/lib/kubes.rb +4 -3
- data/lib/kubes/auth.rb +13 -1
- data/lib/kubes/auth/base.rb +21 -0
- data/lib/kubes/auth/ecr.rb +1 -15
- data/lib/kubes/auth/gcr.rb +24 -0
- data/lib/kubes/cli/apply.rb +0 -1
- data/lib/kubes/cli/help/new/helper.md +4 -0
- data/lib/kubes/cli/help/{new.md → new/resource.md} +3 -3
- data/lib/kubes/cli/new.rb +12 -94
- data/lib/kubes/cli/new/helper.rb +24 -0
- data/lib/kubes/cli/new/resource.rb +97 -0
- data/lib/kubes/cli/new/variable.rb +16 -0
- data/lib/kubes/cli/prune.rb +4 -2
- data/lib/kubes/command.rb +1 -1
- data/lib/kubes/compiler/decorator/base.rb +1 -1
- data/lib/kubes/compiler/dsl/core/base.rb +6 -9
- data/lib/kubes/compiler/layering.rb +21 -7
- data/lib/kubes/compiler/shared/custom_variables.rb +38 -0
- data/lib/kubes/compiler/shared/plugin_helpers.rb +14 -0
- data/lib/kubes/compiler/strategy.rb +7 -6
- data/lib/kubes/compiler/strategy/base.rb +59 -2
- data/lib/kubes/compiler/strategy/dsl.rb +0 -29
- data/lib/kubes/compiler/strategy/erb.rb +10 -22
- data/lib/kubes/compiler/util/normalize.rb +6 -3
- data/lib/kubes/compiler/util/yaml_dump.rb +4 -4
- data/lib/kubes/config.rb +14 -0
- data/lib/kubes/hooks/builder.rb +20 -5
- data/lib/kubes/hooks/concern.rb +1 -1
- data/lib/kubes/kubectl/batch.rb +7 -0
- data/lib/kubes/plugin.rb +14 -0
- data/lib/kubes/util/sh.rb +1 -1
- data/lib/kubes/version.rb +1 -1
- data/lib/templates/new/helper/file.rb +2 -0
- data/lib/templates/new/{dsl → resource/dsl}/backend_config.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/config_map.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/daemon_set.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/deployment.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/ingress.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/job.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/managed_certificate.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/namespace.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/network_policy.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/pod.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/role.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/role_binding.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/secret.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/service.rb +0 -0
- data/lib/templates/new/{dsl → resource/dsl}/service_account.rb +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/backend_config.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/config_map.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/daemon_set.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/deployment.yaml +0 -1
- data/lib/templates/new/{yaml → resource/yaml}/ingress.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/job.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/managed_certificate.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/namespace.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/network_policy.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/pod.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/role.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/role_binding.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/secret.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/service.yaml +0 -0
- data/lib/templates/new/{yaml → resource/yaml}/service_account.yaml +0 -0
- data/lib/templates/new/variable/file.rb +1 -0
- data/spec/fixtures/multiple-files/{deployment-1.rb → .kubes/resources/web/deployment-1.rb} +0 -0
- data/spec/fixtures/multiple-files/{deployment-2.rb → .kubes/resources/web/deployment-2.rb} +0 -0
- data/spec/fixtures/project/.kubes/resources/{deployment.rb → web/deployment.rb} +0 -0
- data/spec/fixtures/project/.kubes/resources/{foobar.rb → web/empty.rb} +0 -0
- data/spec/fixtures/project/.kubes/resources/{service.rb → web/service.rb} +1 -1
- data/spec/fixtures/syntax/{network_policy.rb → .kubes/resources/web/network_policy.rb} +0 -0
- data/spec/fixtures/syntax/{pod.rb → .kubes/resources/web/pod.rb} +0 -0
- data/spec/kubes/compiler/strategy/dsl_spec.rb +2 -2
- data/spec/kubes/compiler_spec.rb +1 -1
- data/spec/kubes/dsl/network_policy_spec.rb +1 -1
- data/spec/kubes/dsl/pod_spec.rb +1 -1
- metadata +95 -56
@@ -0,0 +1,78 @@
|
|
1
|
+
---
|
2
|
+
title: AWS SSM Parameters Advanced
|
3
|
+
nav_text: SSM
|
4
|
+
categories: advanced-helpers-aws
|
5
|
+
---
|
6
|
+
|
7
|
+
This covers an advanced way so that Kubernetes Secrets are created from AWS SSM Parameter Store in a conventional way.
|
8
|
+
|
9
|
+
For example if you have these secret values:
|
10
|
+
|
11
|
+
$ aws ssm get-parameter --name /demo/development/db_user --with-decryption | jq '.Parameter.Value'
|
12
|
+
user
|
13
|
+
$ aws ssm get-parameter --name /demo/development/db_pass --with-decryption | jq '.Parameter.Value'
|
14
|
+
pass
|
15
|
+
|
16
|
+
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
17
|
+
|
18
|
+
.kubes/config/hooks/kubes.rb
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
ssm = KubesAws::SSM.new(upcase: true, prefix: "/demo/development/")
|
22
|
+
before("compile",
|
23
|
+
label: "Get secrets from AWS SSM Manager",
|
24
|
+
execute: ssm,
|
25
|
+
)
|
26
|
+
```
|
27
|
+
|
28
|
+
Then set the secrets in the YAML:
|
29
|
+
|
30
|
+
.kubes/resources/shared/secret.yaml
|
31
|
+
|
32
|
+
```yaml
|
33
|
+
apiVersion: v1
|
34
|
+
kind: Secret
|
35
|
+
metadata:
|
36
|
+
name: demo
|
37
|
+
labels:
|
38
|
+
app: demo
|
39
|
+
data:
|
40
|
+
<% KubesAws::SSM.data.each do |k,v| -%>
|
41
|
+
<%= k %>: <%= base64(v) %>
|
42
|
+
<% end -%>
|
43
|
+
```
|
44
|
+
|
45
|
+
This results in AWS secrets with the prefix the `demo/dev/` being added to the Kubernetes secret data. The values are automatically base64 encoded. Produces:
|
46
|
+
|
47
|
+
.kubes/output/shared/secret.yaml
|
48
|
+
|
49
|
+
```yaml
|
50
|
+
metadata:
|
51
|
+
namespace: demo
|
52
|
+
name: demo-2a78a13682
|
53
|
+
labels:
|
54
|
+
app: demo
|
55
|
+
apiVersion: v1
|
56
|
+
kind: Secret
|
57
|
+
data:
|
58
|
+
db_pass: dGVzdDEK
|
59
|
+
db_user: dGVzdDIK
|
60
|
+
```
|
61
|
+
|
62
|
+
## Variables
|
63
|
+
|
64
|
+
These environment variables can be set:
|
65
|
+
|
66
|
+
Name | Description
|
67
|
+
---|---
|
68
|
+
AWS_SSM_PREFIX | Prefixed used to list and filter AWS SSM Parameters. IE: `demo/dev/`.
|
69
|
+
|
70
|
+
Secrets#initialize options:
|
71
|
+
|
72
|
+
Variable | Description | Default
|
73
|
+
---|---|---
|
74
|
+
base64 | Automatically base64 encode the values. | false
|
75
|
+
upcase | Automatically upcase the Kubernetes secret data keys. | false
|
76
|
+
prefix | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`. Can also be set with the `AWS_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
|
77
|
+
|
78
|
+
{% include helpers/base64.md %}
|
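Review bot: the summary sentence "This results in AWS secrets with the prefix the `demo/dev/` being added to the Kubernetes secret data" contradicts the rest of this new file: the hook is built with `prefix: "/demo/development/"`, the sample parameters are `/demo/development/db_user` and `/demo/development/db_pass`, and the page is about SSM parameters rather than Secrets Manager secrets. Suggest "This results in the SSM parameters under the `/demo/development/` prefix being added to the Kubernetes Secret data" (and drop the doubled "the"). The same copy-paste shows in the options table, which is headed `Secrets#initialize options` and whose `prefix` row talks about "AWS secrets" and `AWS_SECRET_PREFIX`, while the hook uses `KubesAws::SSM` and the env table two rows up documents `AWS_SSM_PREFIX`; it should read `SSM#initialize`, "AWS SSM Parameters" and `AWS_SSM_PREFIX`, and "Prefixed used" should be "Prefix used". Finally, the sample output `db_pass: dGVzdDEK` / `db_user: dGVzdDIK` decodes to "test1\n" / "test2\n", not the `user` / `pass` values queried above it; regenerate the output from the shown values (`cGFzcw==` and `dXNlcg==`) so readers can verify the encoding and so the example does not silently carry a trailing newline into the Secret value.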
@@ -4,28 +4,9 @@ nav_text: Secrets
|
|
4
4
|
categories: helpers-aws
|
5
5
|
---
|
6
6
|
|
7
|
-
|
7
|
+
The `aws_secret` helper fetches secret data from AWS Secrets Manager.
|
8
8
|
|
9
|
-
|
10
|
-
|
11
|
-
$ aws secretsmanager get-secret-value --secret-id demo/dev/db_user | jq '.SecretString'
|
12
|
-
user
|
13
|
-
$ aws secretsmanager get-secret-value --secret-id demo/dev/db_pass | jq '.SecretString'
|
14
|
-
pass
|
15
|
-
|
16
|
-
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
17
|
-
|
18
|
-
.kubes/config/hooks/kubes.rb
|
19
|
-
|
20
|
-
```ruby
|
21
|
-
secrets = KubesAws::Secrets.new(upcase: true, prefix: "demo/dev/")
|
22
|
-
before("compile",
|
23
|
-
label: "Get secrets from AWS Secrets Manager",
|
24
|
-
execute: secrets,
|
25
|
-
)
|
26
|
-
```
|
27
|
-
|
28
|
-
Then set the secrets in the YAML:
|
9
|
+
## Example
|
29
10
|
|
30
11
|
.kubes/resources/shared/secret.yaml
|
31
12
|
|
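Review bot: missing cross-reference: this hunk removes the hook-based `KubesAws::Secrets.new(upcase: true, prefix: "demo/dev/")` walkthrough and jumps from the one-line helper description straight to `## Example`, but nothing tells readers where the prefix-based bulk import went. The change list shows it moved to `data/docs/_docs/helpers/aws/advanced/secrets.md`; add a sentence after "The `aws_secret` helper fetches secret data from AWS Secrets Manager." along the lines of "To load every secret under a prefix into one Secret, see the Advanced Secrets page." so the two pages link.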
@@ -37,12 +18,17 @@ metadata:
|
|
37
18
|
labels:
|
38
19
|
app: demo
|
39
20
|
data:
|
40
|
-
|
41
|
-
|
42
|
-
<% end -%>
|
21
|
+
PASS: <%= aws_secret("demo-#{Kubes.env}-PASS") %>
|
22
|
+
USER: <%= aws_secret("demo-#{Kubes.env}-USER") %>
|
43
23
|
```
|
44
24
|
|
45
|
-
|
25
|
+
For example if you have these secret values:
|
26
|
+
|
27
|
+
$ aws secretsmanager get-secret-value --secret-id demo-dev-PASS | jq '.SecretString'
|
28
|
+
test1
|
29
|
+
$ aws secretsmanager get-secret-value --secret-id demo-dev-USER | jq '.SecretString'
|
30
|
+
test2
|
31
|
+
$
|
46
32
|
|
47
33
|
.kubes/output/shared/secret.yaml
|
48
34
|
|
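Review bot: the console transcript added at the end of this hunk closes with a bare `$` prompt line after `test2`; drop it (the SSM page's transcript in this same change ends at the value), otherwise the rendered example looks like a command was cut off. It is also worth saying next to `PASS: <%= aws_secret("demo-#{Kubes.env}-PASS") %>` that `Kubes.env` must resolve to `dev` for the template to match the `demo-dev-PASS` / `demo-dev-USER` secret ids queried below it.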
@@ -55,75 +41,19 @@ metadata:
|
|
55
41
|
apiVersion: v1
|
56
42
|
kind: Secret
|
57
43
|
data:
|
58
|
-
|
59
|
-
|
44
|
+
PASS: dGVzdDEK
|
45
|
+
USER: dGVzdDIK
|
60
46
|
```
|
61
47
|
|
62
|
-
|
48
|
+
The values are automatically base64 encoded.
|
63
49
|
|
64
|
-
|
50
|
+
## Base64 Option
|
65
51
|
|
66
|
-
|
67
|
-
{\"a\":1,\"b\":2}"
|
68
|
-
|
69
|
-
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
70
|
-
|
71
|
-
.kubes/config/hooks/kubes.rb
|
52
|
+
The value is automatically base64 encoded. You can set the `base64` option to turn on and off the automated base64 encoding.
|
72
53
|
|
73
54
|
```ruby
|
74
|
-
|
75
|
-
|
76
|
-
label: "Get secrets from AWS Secrets Manager",
|
77
|
-
execute: secrets,
|
78
|
-
)
|
55
|
+
aws_secret("demo-#{Kubes.env}-USER", base64: true) # default is base64=true
|
56
|
+
aws_secret("demo-#{Kubes.env}-PASS", base64: false)
|
79
57
|
```
|
80
58
|
|
81
|
-
Then set the secrets in the YAML:
|
82
|
-
|
83
|
-
.kubes/resources/shared/secret.yaml
|
84
|
-
|
85
|
-
```yaml
|
86
|
-
apiVersion: v1
|
87
|
-
kind: Secret
|
88
|
-
metadata:
|
89
|
-
name: demo
|
90
|
-
labels:
|
91
|
-
app: demo
|
92
|
-
data:
|
93
|
-
<% k2 = JSON.load(KubesAws::Secrets.data["k2"]) %>
|
94
|
-
a: <%= base64(k2["a"]) %>
|
95
|
-
b: <%= base64(k2["b"]) %>
|
96
|
-
```
|
97
|
-
|
98
|
-
Produces:
|
99
|
-
|
100
|
-
```yaml
|
101
|
-
metadata:
|
102
|
-
namespace: demo-dev
|
103
|
-
name: demo-a4cd604a95
|
104
|
-
labels:
|
105
|
-
app: demo
|
106
|
-
apiVersion: v1
|
107
|
-
kind: Secret
|
108
|
-
data:
|
109
|
-
a: MQ==
|
110
|
-
b: Mg==
|
111
|
-
```
|
112
|
-
|
113
|
-
## Variables
|
114
|
-
|
115
|
-
These environment variables can be set:
|
116
|
-
|
117
|
-
Name | Description
|
118
|
-
---|---
|
119
|
-
AWS_SECRET_PREFIX | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`.
|
120
|
-
|
121
|
-
Secrets#initialize options:
|
122
|
-
|
123
|
-
Variable | Description | Default
|
124
|
-
---|---|---
|
125
|
-
base64 | Automatically base64 encode the values. | false
|
126
|
-
upcase | Automatically upcase the Kubernetes secret data keys. | false
|
127
|
-
prefix | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`. Can also be set with the `AWS_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
|
128
|
-
|
129
59
|
{% include helpers/base64.md %}
|
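Review bot: the sample output `PASS: dGVzdDEK` / `USER: dGVzdDIK` does not round-trip with the `test1` / `test2` values shown in the previous hunk: those strings decode to "test1\n" and "test2\n", so the example either documents a trailing newline stored in the secret or was produced with `echo ... | base64` rather than by the helper; the encodings of `test1` and `test2` themselves are `dGVzdDE=` and `dGVzdDI=`. Regenerate the output from a real `kubes compile` so readers can verify it (a stray newline in a Secret value is easy to miss once base64-encoded). Separately, "The values are automatically base64 encoded." and, three lines later, "The value is automatically base64 encoded. You can set the `base64` option..." say the same thing; keep only the sentence under `## Base64 Option`.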
@@ -4,26 +4,9 @@ nav_text: SSM
|
|
4
4
|
categories: helpers-aws
|
5
5
|
---
|
6
6
|
|
7
|
-
|
7
|
+
The `aws_ssm` helper fetches data from AWS SSM Parameter Store.
|
8
8
|
|
9
|
-
|
10
|
-
user
|
11
|
-
$ aws ssm get-parameter --name /demo/development/db_pass --with-decryption | jq '.Parameter.Value'
|
12
|
-
pass
|
13
|
-
|
14
|
-
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
15
|
-
|
16
|
-
.kubes/config/hooks/kubes.rb
|
17
|
-
|
18
|
-
```ruby
|
19
|
-
ssm = KubesAws::SSM.new(upcase: true, prefix: "/demo/development/")
|
20
|
-
before("compile",
|
21
|
-
label: "Get secrets from AWS SSM Manager",
|
22
|
-
execute: ssm,
|
23
|
-
)
|
24
|
-
```
|
25
|
-
|
26
|
-
Then set the secrets in the YAML:
|
9
|
+
## Example
|
27
10
|
|
28
11
|
.kubes/resources/shared/secret.yaml
|
29
12
|
|
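Review bot: as on the Secrets Manager page, the removed `KubesAws::SSM.new(upcase: true, prefix: "/demo/development/")` hook walkthrough leaves without a pointer: the new text goes from "The `aws_ssm` helper fetches data from AWS SSM Parameter Store." directly to `## Example`. Add a link to the `helpers/aws/advanced/ssm.md` page added in this same change for the prefix-based import, so readers who relied on the old instructions can find them.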
@@ -35,12 +18,16 @@ metadata:
|
|
35
18
|
labels:
|
36
19
|
app: demo
|
37
20
|
data:
|
38
|
-
|
39
|
-
|
40
|
-
<% end -%>
|
21
|
+
PASS: <%= aws_ssm("/demo/#{Kubes.env}/PASS") %>
|
22
|
+
USER: <%= aws_ssm("/demo/#{Kubes.env}/USER") %>
|
41
23
|
```
|
42
24
|
|
43
|
-
|
25
|
+
For example if you have these ssm parameter values:
|
26
|
+
|
27
|
+
$ aws ssm get-parameter --name /demo/dev/PASS --with-decryption | jq '.Parameter.Value'
|
28
|
+
test1
|
29
|
+
$ aws ssm get-parameter --name /demo/dev/USER --with-decryption | jq '.Parameter.Value'
|
30
|
+
test2
|
44
31
|
|
45
32
|
.kubes/output/shared/secret.yaml
|
46
33
|
|
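Review bot: style: "For example if you have these ssm parameter values:" should read "For example, if you have these SSM parameter values:"; the page capitalises SSM everywhere else (`nav_text: SSM`, "AWS SSM Parameter Store").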
@@ -53,24 +40,19 @@ metadata:
|
|
53
40
|
apiVersion: v1
|
54
41
|
kind: Secret
|
55
42
|
data:
|
56
|
-
|
57
|
-
|
43
|
+
PASS: dGVzdDEK
|
44
|
+
USER: dGVzdDIK
|
58
45
|
```
|
59
46
|
|
60
|
-
|
61
|
-
|
62
|
-
These environment variables can be set:
|
47
|
+
The values are automatically base64 encoded.
|
63
48
|
|
64
|
-
|
65
|
-
---|---
|
66
|
-
AWS_SSM_PREFIX | Prefixed used to list and filter AWS SSM Parameters. IE: `demo/dev/`.
|
49
|
+
## Base64 Option
|
67
50
|
|
68
|
-
|
51
|
+
The value is automatically base64 encoded. You can set the `base64` option to turn on and off the automated base64 encoding.
|
69
52
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
prefix | Prefixed used to list and filter AWS secrets. IE: `demo/dev/`. Can also be set with the `AWS_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
|
53
|
+
```ruby
|
54
|
+
aws_ssm("/demo/#{Kubes.env}/USER", base64: true) # default is base64=true
|
55
|
+
aws_ssm("/demo/#{Kubes.env}/PASS", base64: false)
|
56
|
+
```
|
75
57
|
|
76
|
-
{% include helpers/base64.md %}
|
58
|
+
{% include helpers/base64.md %}
|
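Review bot: "The values are automatically base64 encoded." and, under `## Base64 Option` a few lines later, "The value is automatically base64 encoded. You can set the `base64` option..." duplicate each other; keep only the latter. The `PASS: dGVzdDEK` / `USER: dGVzdDIK` output also decodes to "test1\n" / "test2\n" rather than the `test1` / `test2` values shown for `/demo/dev/PASS` and `/demo/dev/USER` in the previous hunk (`dGVzdDE=` / `dGVzdDI=` would match), so regenerate it from an actual compile rather than a shell `echo`.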
@@ -0,0 +1,78 @@
|
|
1
|
+
---
|
2
|
+
title: Advanced Google Secrets
|
3
|
+
nav_text: Secrets
|
4
|
+
categories: advanced-helpers-google
|
5
|
+
---
|
6
|
+
|
7
|
+
This covers an advanced way so that Kubernetes Secrets are created from Google Secrets in a conventional way.
|
8
|
+
|
9
|
+
Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
|
10
|
+
|
11
|
+
.kubes/config/hooks/kubes.rb
|
12
|
+
|
13
|
+
```ruby
|
14
|
+
before("compile",
|
15
|
+
execute: KubesGoogle::Secrets.new(upcase: true, prefix: 'projects/686010496118/secrets/demo-dev-')
|
16
|
+
)
|
17
|
+
```
|
18
|
+
|
19
|
+
Then set the secrets in the YAML:
|
20
|
+
|
21
|
+
.kubes/resources/shared/secret.yaml
|
22
|
+
|
23
|
+
```yaml
|
24
|
+
apiVersion: v1
|
25
|
+
kind: Secret
|
26
|
+
metadata:
|
27
|
+
name: demo
|
28
|
+
labels:
|
29
|
+
app: demo
|
30
|
+
data:
|
31
|
+
<% KubesGoogle::Secrets.data.each do |k,v| -%>
|
32
|
+
<%= k %>: <%= base64(v) %>
|
33
|
+
<% end -%>
|
34
|
+
```
|
35
|
+
|
36
|
+
This results in Google secrets with the prefix the `demo-dev-` being added to the Kubernetes secret data. The values are automatically base64 encoded.
|
37
|
+
|
38
|
+
For example if you have these secret values:
|
39
|
+
|
40
|
+
$ gcloud secrets versions access latest --secret demo-dev-db_user
|
41
|
+
test1
|
42
|
+
$ gcloud secrets versions access latest --secret demo-dev-db_pass
|
43
|
+
test2
|
44
|
+
$
|
45
|
+
|
46
|
+
.kubes/output/shared/secret.yaml
|
47
|
+
|
48
|
+
```yaml
|
49
|
+
metadata:
|
50
|
+
namespace: demo
|
51
|
+
name: demo-2a78a13682
|
52
|
+
labels:
|
53
|
+
app: demo
|
54
|
+
apiVersion: v1
|
55
|
+
kind: Secret
|
56
|
+
data:
|
57
|
+
db_pass: dGVzdDEK
|
58
|
+
db_user: dGVzdDIK
|
59
|
+
```
|
60
|
+
|
61
|
+
## Variables
|
62
|
+
|
63
|
+
These environment variables can be set:
|
64
|
+
|
65
|
+
Name | Description
|
66
|
+
---|---
|
67
|
+
GCP_SECRET_PREFIX | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`.
|
68
|
+
GOOGLE_PROJECT | Google project id.
|
69
|
+
|
70
|
+
Secrets#initialize options:
|
71
|
+
|
72
|
+
Variable | Description | Default
|
73
|
+
---|---|---
|
74
|
+
base64 | Automatically base64 encode the values. | false
|
75
|
+
upcase | Automatically upcase the Kubernetes secret data keys. | false
|
76
|
+
prefix | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`. Can also be set with the `GCP_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
|
77
|
+
|
78
|
+
{% include helpers/base64.md %}
|
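Review bot: the hook hard-codes a real-looking project number in `prefix: 'projects/686010496118/secrets/demo-dev-'`, and the same value is repeated in the `GCP_SECRET_PREFIX` and `prefix` table rows. Use an obvious placeholder such as `projects/<PROJECT_NUMBER>/secrets/demo-dev-` so readers do not paste someone else's project into their hook. Smaller points: this `before("compile", ...)` call omits the `label:` the AWS pages use; the transcript ends with a stray `$` prompt after `test2`; and `db_pass: dGVzdDEK` / `db_user: dGVzdDIK` decode to "test1\n" / "test2\n" while the gcloud output shows `test1` / `test2` (encodings `dGVzdDE=` / `dGVzdDI=`), so as on the AWS pages the output should be regenerated from a real compile.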
@@ -0,0 +1,89 @@
|
|
1
|
+
---
|
2
|
+
title: GKE Whitelisting
|
3
|
+
nav_text: GKE
|
4
|
+
categories: helpers-google
|
5
|
+
---
|
6
|
+
|
7
|
+
This page covers how to enable GKE IP Whitelisting. This feature is useful for deploying from a CloudBuild with GKE Private Clusters.
|
8
|
+
|
9
|
+
GKE Private Clusters whitelist and only allow authorized IPs to communicate with the Kubernetes control plane. An issue with CloudBuild is that the IP address is not well-known. Google creates a VM to run the CI scripts and throws it away when finished. Kubes can detect the IP of the CloudBuild machine, add it to the cluster, deploy, and remove the IP afterward.
|
10
|
+
|
11
|
+
## Setup
|
12
|
+
|
13
|
+
To enable the GKE IP whitelisting feature, it's a single line:
|
14
|
+
|
15
|
+
.kubes/config/env/dev.rb
|
16
|
+
|
17
|
+
```ruby
|
18
|
+
KubesGoogle.configure do |config|
|
19
|
+
config.gke.cluster_name = "dev-cluster"
|
20
|
+
config.gke.google_region = ENV['GOOGLE_REGION']
|
21
|
+
config.gke.google_project = ENV['GOOGLE_PROJECT']
|
22
|
+
config.gke.enable_get_credentials = true # enable hook to call: gcloud container clusters get-credentials
|
23
|
+
end
|
24
|
+
```
|
25
|
+
|
26
|
+
This enables `kubes apply` before and after hooks to add and remove the current machine IP.
|
27
|
+
|
28
|
+
## Options
|
29
|
+
|
30
|
+
Here are the `config.gke` settings:
|
31
|
+
|
32
|
+
Name | Description | Default
|
33
|
+
---|---|---
|
34
|
+
cluster_name | GKE cluster name. This is required. | nil
|
35
|
+
enable_get_credentials | Whether or not to run the hook that calls `gcloud container clusters get-credentials`. This spares you from having to call it manually. | false
|
36
|
+
enable_hooks | This will be true when the cluster_name is set. So there's no need to set it. The option provides a quick way to override and disable running the hooks. | true
|
37
|
+
google_project | Google project. Can also be set with the env var `GOOGLE_PROJECT`. `GOOGLE_PROJECT` takes precedence. | nil
|
38
|
+
google_region | Google region cluster is in. Can also be set with the env var `GOOGLE_REGION`. `GOOGLE_REGION` takes precedence. | nil
|
39
|
+
whitelist_ip | Explicit IP to whitelist. By default the IP address of the current machine is automatically detected and used. | nil
|
40
|
+
|
41
|
+
## Build Docker Image
|
42
|
+
|
43
|
+
To build kubes as a Docker image entrypoint for [Google CloudBuild Custom Builder](https://cloud.google.com/cloud-build/docs/configuring-builds/use-community-and-custom-builders).
|
44
|
+
|
45
|
+
git clone http://github.com/boltops-tools/kubes
|
46
|
+
cd kubes
|
47
|
+
gcloud builds submit --tag gcr.io/$GOOGLE_PROJECT/kubes
|
48
|
+
|
49
|
+
Be sure to set GOOGLE_PROJECT to your own project id.
|
50
|
+
|
51
|
+
## Example Codebuild YAML
|
52
|
+
|
53
|
+
cloudbuild.yaml:
|
54
|
+
|
55
|
+
```yaml
|
56
|
+
steps:
|
57
|
+
- name: 'gcr.io/$PROJECT_ID/kubes'
|
58
|
+
args: ['deploy']
|
59
|
+
env:
|
60
|
+
- 'DOCKER_REPO=gcr.io/$PROJECT_ID/demo'
|
61
|
+
- 'GOOGLE_PROJECT=$PROJECT_ID' # .kubes/config.rb: config.repo
|
62
|
+
- 'KUBES_ENV=$_KUBES_ENV'
|
63
|
+
- 'KUBES_EXTRA=$_KUBES_EXTRA'
|
64
|
+
- 'KUBES_REPO_AUTH=0'
|
65
|
+
|
66
|
+
substitutions:
|
67
|
+
_KUBES_ENV: dev
|
68
|
+
_KUBES_EXTRA: ''
|
69
|
+
options:
|
70
|
+
substitution_option: 'ALLOW_LOOSE'
|
71
|
+
```
|
72
|
+
|
73
|
+
Make sure to replace the substitutions with your own values. IE: _GCP_REGION, _GKE_CLUSTER, _KUBES_ENV, etc.
|
74
|
+
|
75
|
+
## Google CloudBuild IAM Permissions
|
76
|
+
|
77
|
+
In order to update the GKE cluster master authorized IP and whitelist the CloudBuild IP, you'll need to allow the CloudBuild IAM role permissions.
|
78
|
+
|
79
|
+
Important: The "Kubernetes Engine Developer" that is available in the Cloud Build Settings page as described in [Configuring access for Cloud Build Service Account](https://cloud.google.com/cloud-build/docs/securing-builds/configure-access-for-cloud-build-service-account) does not suffice. You'll need to add the "Kubernetes Engine Cluster Admin" role. Here are the steps:
|
80
|
+
|
81
|
+
1. Go to the Google IAM Console and search "cloudbuild"
|
82
|
+
2. Click "Edit Member"
|
83
|
+
3. Add the "Kubernetes Engine Cluster Admin" role
|
84
|
+
|
85
|
+
## Run CloudBuild
|
86
|
+
|
87
|
+
Run cloudbuild with:
|
88
|
+
|
89
|
+
gcloud builds submit --config cloudbuild.yaml
|
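Review bot: `git clone http://github.com/boltops-tools/kubes` fetches, over plain HTTP, the source that becomes the builder image every later CloudBuild step runs as; change it to `https://github.com/boltops-tools/kubes`, since a doc for build tooling should not show an unauthenticated transport. The IAM section should also spell out that "Kubernetes Engine Cluster Admin" is a cluster-management role much broader than the "Kubernetes Engine Developer" role it says does not suffice, and that granting it to the Cloud Build service account applies to every build in that project, not just this pipeline, so readers can decide whether to isolate deploys in a dedicated project. Smaller points: "it's a single line" describes a six-line `KubesGoogle.configure` block; the heading "## Example Codebuild YAML" should say "CloudBuild" (CodeBuild is the AWS service); the trailing comment `# .kubes/config.rb: config.repo` belongs on the `DOCKER_REPO=` line above it, not on `GOOGLE_PROJECT=`; "IE: _GCP_REGION, _GKE_CLUSTER, _KUBES_ENV" names two substitutions that the YAML never defines (it only has `_KUBES_ENV` and `_KUBES_EXTRA`); and the page says the IP is removed "afterward" but not whether the after hook still runs when `kubes apply` fails, which is exactly the case someone maintaining master authorized networks needs documented.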