kubes_google 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/kubes_google.gemspec +3 -0
- data/lib/hooks/kubes.rb +14 -0
- data/lib/kubes_google.rb +19 -0
- data/lib/kubes_google/config.rb +23 -0
- data/lib/kubes_google/gke.rb +99 -0
- data/lib/kubes_google/hooks.rb +7 -0
- data/lib/kubes_google/services.rb +6 -0
- data/lib/kubes_google/version.rb +1 -1
- metadata +34 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c2b41e672639ece65b0c749581b7321b30a48213744e28aa63e3e71bf6cf3fd3
|
|
4
|
+
data.tar.gz: 0b4006a22492fb1424c3d45b880f9a784deee99d824e986fb7a52e835196f955
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 139e70fe3e151df3fcefa12a4a8d7a7a45b08bc62909815b4be865906e7400f1c5141a42e41331b13aa774b6f04caca3d06a7a882c6a486646047d11a0d09a3f
|
|
7
|
+
data.tar.gz: 9c6058c9157f05a8be7aa662fedc71ada94171e7c4fe5086552c68743a683467a2247fa549d2217f6017ea3ed84fdc80cf18f85a2a2f934753546d95d93af943
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [0.3.0]
|
|
7
|
+
- #3 gke hook to whitelist ip
|
|
8
|
+
|
|
6
9
|
## [0.2.0]
|
|
7
10
|
- #2 add google_secret helper and register plugin
|
|
8
11
|
- fix GOOGLE_PROJECT check
|
data/kubes_google.gemspec
CHANGED
|
@@ -23,7 +23,10 @@ Gem::Specification.new do |spec|
|
|
|
23
23
|
spec.require_paths = ["lib"]
|
|
24
24
|
|
|
25
25
|
spec.add_dependency "activesupport"
|
|
26
|
+
spec.add_dependency "google-cloud-container"
|
|
26
27
|
spec.add_dependency "google-cloud-secret_manager"
|
|
27
28
|
spec.add_dependency "memoist"
|
|
28
29
|
spec.add_dependency "zeitwerk"
|
|
30
|
+
|
|
31
|
+
spec.add_development_dependency "kubes"
|
|
29
32
|
end
|
data/lib/hooks/kubes.rb
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
gke = KubesGoogle::Gke.new(
|
|
2
|
+
name: KubesGoogle.config.gke.cluster_name,
|
|
3
|
+
whitelist_ip: KubesGoogle.config.gke.whitelist_ip,
|
|
4
|
+
)
|
|
5
|
+
|
|
6
|
+
before("apply",
|
|
7
|
+
label: "gke whitelist hook",
|
|
8
|
+
execute: gke.method(:allow).to_proc,
|
|
9
|
+
)
|
|
10
|
+
|
|
11
|
+
after("apply",
|
|
12
|
+
label: "gke whitelist hook",
|
|
13
|
+
execute: gke.method(:deny).to_proc,
|
|
14
|
+
)
|
data/lib/kubes_google.rb
CHANGED
|
@@ -16,6 +16,25 @@ module KubesGoogle
|
|
|
16
16
|
@@logger = v
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
+
# Friendlier method configure.
|
|
20
|
+
#
|
|
21
|
+
# .kubes/config/env/dev.rb
|
|
22
|
+
# .kubes/config/plugins/google.rb # also works
|
|
23
|
+
#
|
|
24
|
+
# Example:
|
|
25
|
+
#
|
|
26
|
+
# KubesGoogle.configure do |config|
|
|
27
|
+
# config.hooks.gke_whitelist = true
|
|
28
|
+
# end
|
|
29
|
+
#
|
|
30
|
+
def configure(&block)
|
|
31
|
+
Config.instance.configure(&block)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def config
|
|
35
|
+
Config.instance.config
|
|
36
|
+
end
|
|
37
|
+
|
|
19
38
|
extend self
|
|
20
39
|
end
|
|
21
40
|
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
module KubesGoogle
|
|
2
|
+
class Config
|
|
3
|
+
include Singleton
|
|
4
|
+
|
|
5
|
+
def defaults
|
|
6
|
+
c = ActiveSupport::OrderedOptions.new
|
|
7
|
+
c.gke = ActiveSupport::OrderedOptions.new
|
|
8
|
+
c.gke.cluster_name = nil
|
|
9
|
+
c.gke.enable_hooks = nil # nil since need cluster_name also. setting to false will explicitly disable hooks
|
|
10
|
+
c.gke.whitelist_ip = nil # default will auto-detect IP
|
|
11
|
+
c
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
@@config = nil
|
|
15
|
+
def config
|
|
16
|
+
@@config ||= defaults
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def configure
|
|
20
|
+
yield(config)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
require 'open-uri'
|
|
2
|
+
|
|
3
|
+
module KubesGoogle
|
|
4
|
+
class Gke
|
|
5
|
+
extend Memoist
|
|
6
|
+
include Logging
|
|
7
|
+
include Services
|
|
8
|
+
|
|
9
|
+
def initialize(name:, whitelist_ip: nil)
|
|
10
|
+
@name, @whitelist_ip = name, whitelist_ip
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def allow
|
|
14
|
+
return unless enabled?
|
|
15
|
+
logger.debug "Updating cluster. Adding IP: #{ip}"
|
|
16
|
+
update_cluster(cidr_blocks(:with_whitelist))
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def deny
|
|
20
|
+
return unless enabled?
|
|
21
|
+
logger.debug "Updating cluster. Removing IP: #{ip}"
|
|
22
|
+
update_cluster(cidr_blocks(:without_whitelist))
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# Setting the cluster name is enough to enable the hooks
|
|
26
|
+
def enabled?
|
|
27
|
+
enable = KubesGoogle.config.gke.enable_hooks
|
|
28
|
+
enable = enable.nil? ? true : enable
|
|
29
|
+
# gke = KubesGoogle::Gke.new(name: KubesGoogle.config.gke.cluster_name)
|
|
30
|
+
# so @name = KubesGoogle.config.gke.cluster_name
|
|
31
|
+
!!(enable && @name)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def update_cluster(cidr_blocks)
|
|
35
|
+
resp = cluster_manager.update_cluster(
|
|
36
|
+
name: @name,
|
|
37
|
+
update: {
|
|
38
|
+
desired_master_authorized_networks_config: {
|
|
39
|
+
cidr_blocks: cidr_blocks,
|
|
40
|
+
enabled: true,
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
)
|
|
44
|
+
operation_name = resp.self_link.sub(/.*projects/,'projects')
|
|
45
|
+
wait_for(operation_name)
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def wait_for(operation_name)
|
|
49
|
+
resp = cluster_manager.get_operation(name: operation_name)
|
|
50
|
+
until resp.status != :RUNNING do
|
|
51
|
+
sleep 5
|
|
52
|
+
resp = cluster_manager.get_operation(name: operation_name)
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def cidr_blocks(type)
|
|
57
|
+
# so we dont keep adding duplicates
|
|
58
|
+
old = old_cidrs.reject do |x|
|
|
59
|
+
x[:display_name] == new_cidr[:display_name] &&
|
|
60
|
+
x[:cidr_block] == new_cidr[:cidr_block]
|
|
61
|
+
end
|
|
62
|
+
if type == :with_whitelist
|
|
63
|
+
old + [new_cidr]
|
|
64
|
+
else
|
|
65
|
+
old
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def old_cidrs
|
|
70
|
+
resp = cluster_manager.get_cluster(name: @name)
|
|
71
|
+
config = resp.master_authorized_networks_config.to_h
|
|
72
|
+
config[:cidr_blocks]
|
|
73
|
+
end
|
|
74
|
+
memoize :old_cidrs
|
|
75
|
+
|
|
76
|
+
def new_cidr
|
|
77
|
+
{
|
|
78
|
+
display_name: "added-by-kubes-google",
|
|
79
|
+
cidr_block: ip,
|
|
80
|
+
}
|
|
81
|
+
end
|
|
82
|
+
memoize :new_cidr
|
|
83
|
+
|
|
84
|
+
def ip
|
|
85
|
+
@whitelist_ip || current_ip
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
def current_ip
|
|
89
|
+
resp = URI.open("http://ifconfig.me")
|
|
90
|
+
ip = resp.read
|
|
91
|
+
"#{ip}/32"
|
|
92
|
+
rescue SocketError => e
|
|
93
|
+
logger.info "WARN: #{e.message}"
|
|
94
|
+
logger.info "Unable to detect current ip. Will use 0.0.0.0/0"
|
|
95
|
+
"0.0.0.0/0"
|
|
96
|
+
end
|
|
97
|
+
memoize :current_ip
|
|
98
|
+
end
|
|
99
|
+
end
|
|
@@ -1,9 +1,15 @@
|
|
|
1
1
|
require "google-cloud-secret_manager"
|
|
2
|
+
require "google/cloud/container"
|
|
2
3
|
|
|
3
4
|
module KubesGoogle
|
|
4
5
|
module Services
|
|
5
6
|
extend Memoist
|
|
6
7
|
|
|
8
|
+
def cluster_manager
|
|
9
|
+
Google::Cloud::Container.cluster_manager
|
|
10
|
+
end
|
|
11
|
+
memoize :cluster_manager
|
|
12
|
+
|
|
7
13
|
def secret_manager_service
|
|
8
14
|
Google::Cloud::SecretManager.secret_manager_service
|
|
9
15
|
end
|
data/lib/kubes_google/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kubes_google
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-11-
|
|
11
|
+
date: 2020-11-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -24,6 +24,20 @@ dependencies:
|
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: google-cloud-container
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ">="
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '0'
|
|
34
|
+
type: :runtime
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
27
41
|
- !ruby/object:Gem::Dependency
|
|
28
42
|
name: google-cloud-secret_manager
|
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -66,6 +80,20 @@ dependencies:
|
|
|
66
80
|
- - ">="
|
|
67
81
|
- !ruby/object:Gem::Version
|
|
68
82
|
version: '0'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: kubes
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - ">="
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '0'
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - ">="
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: '0'
|
|
69
97
|
description:
|
|
70
98
|
email:
|
|
71
99
|
- tung@boltops.com
|
|
@@ -81,9 +109,13 @@ files:
|
|
|
81
109
|
- README.md
|
|
82
110
|
- Rakefile
|
|
83
111
|
- kubes_google.gemspec
|
|
112
|
+
- lib/hooks/kubes.rb
|
|
84
113
|
- lib/kubes_google.rb
|
|
85
114
|
- lib/kubes_google/autoloader.rb
|
|
115
|
+
- lib/kubes_google/config.rb
|
|
116
|
+
- lib/kubes_google/gke.rb
|
|
86
117
|
- lib/kubes_google/helpers.rb
|
|
118
|
+
- lib/kubes_google/hooks.rb
|
|
87
119
|
- lib/kubes_google/logging.rb
|
|
88
120
|
- lib/kubes_google/secrets.rb
|
|
89
121
|
- lib/kubes_google/secrets/fetcher.rb
|