kubes_google 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64cbb6d5f91c9d194e47f9695b79802c5615367afe6464933b83bb59d9dfc418
-  data.tar.gz: 6d3d98f419a73dd8117dc87cfd0adf43e40e2e9feef447c8bbcfe5867b1410c9
+  metadata.gz: d795d19cc6f90fc23eb69f9e93a2e04993ce14d8681634961fb8ef349c95fd7c
+  data.tar.gz: 3acb4ab90062ac61f1e1a82cbe70319ea0086d7fcd9490bd290cc92fc0141683
 SHA512:
-  metadata.gz: 500425e494045b16a68672ad80c6d2157fc3a0dcd501c627850c6b3432dd95bec3dba727d31a7bed59d17be128366c4056bccb788d398659032b57afeb6b13e1
-  data.tar.gz: 679203c3c148448bfab87162c5267d1403e4f37c5f3dfd6e01bcf042dc7d4453e1919199037092651c807bb774b7a4afb6348f63603146463f552983c5e2c29e
+  metadata.gz: 8048442e2abd946050b7740f1c7f60b7d528a18464e779f9a677cc41ed67182b218f44852096ab65558616c5b1bd3b293b2ca6b164dee12808d575ca1227c607
+  data.tar.gz: ae2add8d4baf621d40174eca105add4df3a752d0a27873f50ae1b97e830d601ad95c65b12e976f0320e2bbf60cd4866249dda677078bd17134ad639354856e49

data/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [0.2.0]
+- #2 add google_secret helper and register plugin
+- fix GOOGLE_PROJECT check
+
 ## [0.1.2]
 - #1 base64 option
 

data/README.md

@@ -8,119 +8,7 @@
 
 ## Usage
 
-The helpers include:
-
-* Secrets
-* Service Accounts
-
-## Secrets
-
-Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
-
-.kubes/config/hooks/kubes.rb
-
-```ruby
-before("compile",
-  execute: KubesGoogle::Secrets.new(upcase: true, prefix: 'projects/686010496118/secrets/demo-dev-')
-)
-```
-
-Then set the secrets in the YAML:
-
-.kubes/resources/shared/secret.yaml
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: demo
-  labels:
-    app: demo
-data:
-<% KubesGoogle::Secrets.data.each do |k,v| -%>
-  <%= k %>: <%= base64(v) %>
-<% end -%>
-```
-
-This results in Google secrets with the prefix the `demo-dev-` being added to the Kubernetes secret data.  The values are automatically base64 encoded.
-
-For example if you have these secret values:
-
-    $ gcloud secrets versions access latest --secret demo-dev-db_user
-    test1
-    $ gcloud secrets versions access latest --secret demo-dev-db_pass
-    test2
-    $
-
-.kubes/output/shared/secret.yaml
-
-```yaml
-metadata:
-  namespace: demo
-  name: demo-2a78a13682
-  labels:
-    app: demo
-apiVersion: v1
-kind: Secret
-data:
-  db_pass: dGVzdDEK
-  db_user: dGVzdDIK
-```
-
-These environment variables can be set:
-
-Name | Description
----|---
-GCP_SECRET_PREFIX | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`.
-GOOGLE_PROJECT | Google project id.
-
-Secrets#initialize options:
-
-Variable | Description | Default
----|---|---
-base64 | Automatically base64 encode the values. | false
-upcase | Automatically upcase the Kubernetes secret data keys. | false
-prefix | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`. Can also be set with the `GCP_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
-
-Note, Kubernetes secrets are only base64 encoded. So users who have access to read Kubernetes secrets will be able to decode and get the value trivially. Depending on your security posture requirements, this may or may not suffice.
-
-## Service Accounts
-
-This library can also be used to automatically create Google Service Accounts associated with the [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
-
-Here's a Kubes hook that creates a service account:
-
-.kubes/config/hooks/kubes.rb
-
-```ruby
-service_account = KubesGoogle::ServiceAccount.new(
-  app: "demo",
-  namespace: "demo-#{Kubes.env}", # defaults to APP-ENV when not set. IE: demo-dev
-  roles: ["cloudsql.client", "secretmanager.viewer"], # defaults to empty when not set
-)
-before("apply",
-  label: "create service account",
-  execute: service_account,
-)
-```
-
-The role permissions are currently always added to the existing permissions. So removing roles that were previously added does not remove them.
-
-ServiceAccount#initialize options:
-
-Variable | Description | Default
----|---|---
-app | The app name. It's used to conventionally set other variables. This is required. | nil
-gsa | The Google Service Account name. The conventional name is APP-ENV. IE: demo-dev. | APP-ENV
-ksa | The Kubernetes Service Account name. The conventional name is APP. IE: demo | APP
-namespace | The Kubernetes namespace. Defaults to the APP-ENV. IE: demo-dev. | APP-ENV
-roles | Google IAM roles to add. This adds permissions to the Google service account. | []
-
-Notes:
-
-* By default, `KubeGoogle.logger = Kubes.logger`. This means, you can set `logger.level = "debug"` in `.kubes/config.rb` to see more details.
-* The `gcloud` cli is used to create IAM roles. So `gcloud` is required.
-* Note: Would like to use the google sdk, but it wasn't obvious how to do so. PRs are welcomed.
+For more detailed usage instructions refer to the [Kubes Helpers docs](https://kubes.guru/docs/helpers/google/).
 
 ## Contributing
 

data/lib/kubes_google.rb

@@ -18,3 +18,5 @@ module KubesGoogle
 
   extend self
 end
+
+Kubes::Plugin.register(KubesGoogle)

data/lib/kubes_google/helpers.rb

@@ -0,0 +1,11 @@
+module KubesGoogle
+  module Helpers
+    extend Memoist
+    include Services
+
+    def google_secret(name, options={})
+      fetcher = Secrets::Fetcher.new(options)
+      fetcher.fetch(name)
+    end
+  end
+end

data/lib/kubes_google/secrets.rb

@@ -4,8 +4,8 @@ module KubesGoogle
   class Secrets
     def initialize(upcase: false, base64: false, prefix: nil)
       @upcase, @base64 = upcase, base64
-      @prefix = ENV['GCP_SECRET_PREFIX'] || prefix || raise("GOOGLE_PROJECT env variable is not set. It's required.")
-      @project_id = ENV['GOOGLE_PROJECT']
+      @prefix = ENV['GCP_SECRET_PREFIX'] || prefix
+      @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
       # IE: prefix: projects/686010496118/secrets/demo-dev-
     end
 
@@ -13,7 +13,7 @@ module KubesGoogle
       client = Google::Cloud::SecretManager.secret_manager_service
 
       parent = "projects/#{@project_id}"
-      resp = client.list_secrets(parent: parent, page_size: 1)
+      resp = client.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
       resp.each do |secret|
         next unless secret.name.include?(@prefix)
         version = client.access_secret_version(name: "#{secret.name}/versions/latest")

data/lib/kubes_google/secrets/fetcher.rb

@@ -0,0 +1,41 @@
+class KubesGoogle::Secrets
+  class Fetcher
+    include KubesGoogle::Logging
+    include KubesGoogle::Services
+
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64].nil? ? true : options[:base64]
+      @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
+    end
+
+    def fetch(short_name)
+      value = fetch_value(short_name)
+      value = Base64.strict_encode64(value).strip if @base64
+      value
+    end
+
+    def fetch_value(short_name)
+      name = "projects/#{project_number}/secrets/#{short_name}/versions/latest"
+      version = secret_manager_service.access_secret_version(name: name)
+      version.payload.data
+    rescue Google::Cloud::NotFoundError => e
+      logger.info "WARN: secret #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
+    end
+
+    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
+    # If someone knows, let me know.
+    # Right now grabbing the first secret to then be able to get the google project number
+    @@project_number = nil
+    def project_number
+      return @@project_number if @@project_number
+
+      parent = "projects/#{@project_id}"
+      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
+      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
+      @@project_number = name.split('/')[1]
+    end
+  end
+end

data/lib/kubes_google/services.rb

@@ -0,0 +1,13 @@
+require "google-cloud-secret_manager"
+
+module KubesGoogle
+  module Services
+    extend Memoist
+
+    def secret_manager_service
+      Google::Cloud::SecretManager.secret_manager_service
+    end
+    memoize :secret_manager_service
+  end
+end
+

data/lib/kubes_google/version.rb

@@ -1,3 +1,3 @@
 module KubesGoogle
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubes_google
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-14 00:00:00.000000000 Z
+date: 2020-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -83,9 +83,12 @@ files:
 - kubes_google.gemspec
 - lib/kubes_google.rb
 - lib/kubes_google/autoloader.rb
+- lib/kubes_google/helpers.rb
 - lib/kubes_google/logging.rb
 - lib/kubes_google/secrets.rb
+- lib/kubes_google/secrets/fetcher.rb
 - lib/kubes_google/service_account.rb
+- lib/kubes_google/services.rb
 - lib/kubes_google/version.rb
 homepage: https://github.com/boltops-tools/kubes_google
 licenses:
@@ -107,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Kubes Google Helpers Library