kubes_google 0.2.0 → 0.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d795d19cc6f90fc23eb69f9e93a2e04993ce14d8681634961fb8ef349c95fd7c
-  data.tar.gz: 3acb4ab90062ac61f1e1a82cbe70319ea0086d7fcd9490bd290cc92fc0141683
+  metadata.gz: d5ef849665496ae62a2621fe4d7732913c358a357334811413b109df5913d34c
+  data.tar.gz: 26fe10736966f7c027a88395206605c1bc1928b6f23b139680e21c5a325e0b26
 SHA512:
-  metadata.gz: 8048442e2abd946050b7740f1c7f60b7d528a18464e779f9a677cc41ed67182b218f44852096ab65558616c5b1bd3b293b2ca6b164dee12808d575ca1227c607
-  data.tar.gz: ae2add8d4baf621d40174eca105add4df3a752d0a27873f50ae1b97e830d601ad95c65b12e976f0320e2bbf60cd4866249dda677078bd17134ad639354856e49
+  metadata.gz: 3cd2ceaa682f677ec6d660a0fd6accceb2380e6ad5c50c9a946c78d24cafee5a563e8932d1c1bf27191a029088b35463717d9bf03dabd377faa4432601bd0b90
+  data.tar.gz: 697904843b0e1c5ca6185732a126a966151288896c9192725348d6a5fdd560b29d7cf08ed198f4f90c7bf9d9c1b7773e398de4d44ec02608fcb822da48cb09b1

data/CHANGELOG.md

@@ -3,6 +3,21 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [0.3.4] - 2020-11-12
+- fix KubesGoogle.config.secrets.fetcher check
+
+## [0.3.3] - 2020-11-12
+- [#6](https://github.com/boltops-tools/kubes_google/pull/6) sdk and gcloud secrets fetcher strategy: secrets.fetcher option
+
+## [0.3.2] - 2020-11-11
+- [#5](https://github.com/boltops-tools/kubes_google/pull/5) config.base64 option
+
+## [0.3.1] - 2020-11-11
+- [#4](https://github.com/boltops-tools/kubes_google/pull/4) get_credentials hook
+
+## [0.3.0]
+- #3 gke hook to whitelist ip
+
 ## [0.2.0]
 - #2 add google_secret helper and register plugin
 - fix GOOGLE_PROJECT check

data/kubes_google.gemspec

@@ -23,7 +23,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "activesupport"
+  spec.add_dependency "google-cloud-container"
   spec.add_dependency "google-cloud-secret_manager"
   spec.add_dependency "memoist"
   spec.add_dependency "zeitwerk"
+
+  spec.add_development_dependency "kubes"
 end

data/lib/hooks/kubes.rb

@@ -0,0 +1,22 @@
+gke = KubesGoogle::Gke.new(
+  cluster_name: KubesGoogle.config.gke.cluster_name,
+  google_region: KubesGoogle.config.gke.google_region,
+  google_project: KubesGoogle.config.gke.google_project,
+  enable_get_credentials: KubesGoogle.config.gke.enable_get_credentials,
+  whitelist_ip: KubesGoogle.config.gke.whitelist_ip,
+)
+
+before("apply",
+  label: "gke get-credentials hook",
+  execute: gke.method(:get_credentials).to_proc,
+) if gke.get_credentials_enabled?
+
+before("apply",
+  label: "gke whitelist hook",
+  execute: gke.method(:allow).to_proc,
+) if gke.enabled?
+
+after("apply",
+  label: "gke whitelist hook",
+  execute: gke.method(:deny).to_proc,
+) if gke.enabled?

data/lib/kubes_google.rb

@@ -16,6 +16,25 @@ module KubesGoogle
     @@logger = v
   end
 
+  # Friendlier method configure.
+  #
+  #    .kubes/config/env/dev.rb
+  #    .kubes/config/plugins/google.rb # also works
+  #
+  # Example:
+  #
+  #     KubesGoogle.configure do |config|
+  #       config.hooks.gke_whitelist = true
+  #     end
+  #
+  def configure(&block)
+    Config.instance.configure(&block)
+  end
+
+  def config
+    Config.instance.config
+  end
+
   extend self
 end
 

data/lib/kubes_google/config.rb

@@ -0,0 +1,29 @@
+module KubesGoogle
+  class Config
+    include Singleton
+
+    def defaults
+      c = ActiveSupport::OrderedOptions.new
+      c.gke = ActiveSupport::OrderedOptions.new
+      c.gke.cluster_name = nil
+      c.gke.enable_get_credentials = nil
+      c.gke.enable_hooks = nil # nil since need cluster_name also. setting to false will explicitly disable hooks
+      c.gke.google_project = nil
+      c.gke.google_region = nil
+      c.gke.whitelist_ip = nil # default will auto-detect IP
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.fetcher = "sdk"
+      c.secrets.base64 = true
+      c
+    end
+
+    @@config = nil
+    def config
+      @@config ||= defaults
+    end
+
+    def configure
+      yield(config)
+    end
+  end
+end

data/lib/kubes_google/gke.rb

@@ -0,0 +1,120 @@
+require 'open-uri'
+
+module KubesGoogle
+  class Gke
+    extend Memoist
+    include Logging
+    include Services
+    include Util::Sh
+
+    def initialize(cluster_name:,
+                   enable_get_credentials: false,
+                   google_project: nil,
+                   google_region: "us-central1",
+                   whitelist_ip: nil)
+      @cluster_name = cluster_name
+      @enable_get_credentials = enable_get_credentials
+      @google_project = ENV['GOOGLE_PROJECT'] || google_project
+      @google_region = ENV['GOOGLE_REGION'] || google_region
+      @whitelist_ip = whitelist_ip
+    end
+
+    def allow
+      logger.debug "Updating cluster. Adding IP: #{ip}"
+      update_cluster(cidr_blocks(:with_whitelist))
+    end
+
+    def deny
+      logger.debug "Updating cluster. Removing IP: #{ip}"
+      update_cluster(cidr_blocks(:without_whitelist))
+    end
+
+    def get_credentials
+      return unless get_credentials_enabled?
+      sh "gcloud container clusters get-credentials --project=#{@google_project} --region=#{@google_region} #{@cluster_name}"
+    end
+
+    def full_name
+      "projects/#{@google_project}/locations/#{@google_region}/clusters/#{@cluster_name}"
+    end
+
+    def enabled?
+      enable = KubesGoogle.config.gke.enable_hooks
+      enable = enable.nil? ? true : enable
+      # gke = KubesGoogle::Gke.new(name: KubesGoogle.config.gke.cluster_name)
+      # so @name = KubesGoogle.config.gke.cluster_name
+      !!(enable && @cluster_name)
+    end
+
+    def get_credentials_enabled?
+      enable = KubesGoogle.config.gke.enable_get_credentials
+      enable = enable.nil? ? false : enable
+      !!(enable && full_name)
+    end
+
+    def update_cluster(cidr_blocks)
+      resp = cluster_manager.update_cluster(
+        name: full_name,
+        update: {
+          desired_master_authorized_networks_config: {
+            cidr_blocks: cidr_blocks,
+            enabled: true,
+          }
+        }
+      )
+      operation_name = resp.self_link.sub(/.*projects/,'projects')
+      wait_for(operation_name)
+    end
+
+    def wait_for(operation_name)
+      resp = cluster_manager.get_operation(name: operation_name)
+      until resp.status != :RUNNING do
+        sleep 5
+        resp = cluster_manager.get_operation(name: operation_name)
+      end
+    end
+
+    def cidr_blocks(type)
+      # so we dont keep adding duplicates
+      old = old_cidrs.reject do |x|
+        x[:display_name] == new_cidr[:display_name] &&
+        x[:cidr_block] == new_cidr[:cidr_block]
+      end
+      if type == :with_whitelist
+        old + [new_cidr]
+      else
+        old
+      end
+    end
+
+    def old_cidrs
+      resp = cluster_manager.get_cluster(name: full_name)
+      config = resp.master_authorized_networks_config.to_h
+      config[:cidr_blocks]
+    end
+    memoize :old_cidrs
+
+    def new_cidr
+      {
+        display_name: "added-by-kubes-google",
+        cidr_block: ip,
+      }
+    end
+    memoize :new_cidr
+
+    def ip
+      @whitelist_ip || current_ip
+    end
+
+    def current_ip
+      resp = URI.open("http://ifconfig.me")
+      ip = resp.read
+      "#{ip}/32"
+    rescue SocketError => e
+      logger.info "WARN: #{e.message}"
+      logger.info "Unable to detect current ip. Will use 0.0.0.0/0"
+      "0.0.0.0/0"
+    end
+    memoize :current_ip
+  end
+end

data/lib/kubes_google/hooks.rb

@@ -0,0 +1,7 @@
+module KubesGoogle
+  class Hooks
+    def path
+      File.expand_path("../hooks", __dir__)
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher.rb

@@ -1,41 +1,22 @@
 class KubesGoogle::Secrets
   class Fetcher
-    include KubesGoogle::Logging
-    include KubesGoogle::Services
+    extend Memoist
 
     def initialize(options={})
       @options = options
-      @base64 = options[:base64].nil? ? true : options[:base64]
-      @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
     end
 
     def fetch(short_name)
-      value = fetch_value(short_name)
-      value = Base64.strict_encode64(value).strip if @base64
-      value
+      fetcher.fetch(short_name)
     end
 
-    def fetch_value(short_name)
-      name = "projects/#{project_number}/secrets/#{short_name}/versions/latest"
-      version = secret_manager_service.access_secret_version(name: name)
-      version.payload.data
-    rescue Google::Cloud::NotFoundError => e
-      logger.info "WARN: secret #{name} not found".color(:yellow)
-      logger.info e.message
-      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
-    end
-
-    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
-    # If someone knows, let me know.
-    # Right now grabbing the first secret to then be able to get the google project number
-    @@project_number = nil
-    def project_number
-      return @@project_number if @@project_number
-
-      parent = "projects/#{@project_id}"
-      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
-      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
-      @@project_number = name.split('/')[1]
+    def fetcher
+      if KubesGoogle.config.secrets.fetcher == "sdk"
+        Sdk.new(@options)
+      else
+        Gcloud.new(@options)
+      end
     end
+    memoize :fetcher
   end
 end

data/lib/kubes_google/secrets/fetcher/base.rb

@@ -0,0 +1,15 @@
+class KubesGoogle::Secrets::Fetcher
+  class Base
+    include KubesGoogle::Logging
+
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+      @project_id = options[:google_project] || ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
+    end
+
+    def base64?
+      @base64.nil? ? KubesGoogle.config.secrets.base64 : @base64
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/gcloud.rb

@@ -0,0 +1,21 @@
+class KubesGoogle::Secrets::Fetcher
+  class Gcloud < Base
+    include KubesGoogle::Util::Sh
+
+    def fetch(short_name, version="latest")
+      value = gcloud("secrets versions access #{version} --secret #{short_name}")
+      if value.include?("ERROR") && value.include?("NOT_FOUND")
+        logger.info "WARN: secret #{short_name} not found".color(:yellow)
+        logger.info e.message
+        "NOT FOUND #{short_name}" # simple string so Kubernetes YAML is valid
+      else
+        value = Base64.strict_encode64(value).strip if base64?
+        value
+      end
+    end
+
+    def gcloud(args)
+      capture("gcloud --project #{@project_id} #{args}")
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/sdk.rb

@@ -0,0 +1,34 @@
+class KubesGoogle::Secrets::Fetcher
+  class Sdk < Base
+    include KubesGoogle::Services
+
+    def fetch(short_name, version="latest")
+      value = fetch_value(short_name, version)
+      value = Base64.strict_encode64(value).strip if base64?
+      value
+    end
+
+    def fetch_value(short_name, version="latest")
+      name = "projects/#{project_number}/secrets/#{short_name}/versions/#{version}"
+      version = secret_manager_service.access_secret_version(name: name)
+      version.payload.data
+    rescue Google::Cloud::NotFoundError => e
+      logger.info "WARN: secret #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
+    end
+
+    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
+    # If someone knows, let me know.
+    # Right now grabbing the first secret to then be able to get the google project number
+    @@project_number = nil
+    def project_number
+      return @@project_number if @@project_number
+
+      parent = "projects/#{@project_id}"
+      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
+      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
+      @@project_number = name.split('/')[1]
+    end
+  end
+end

data/lib/kubes_google/service_account.rb

@@ -4,6 +4,7 @@ require "json"
 module KubesGoogle
   class ServiceAccount
     include Logging
+    include Util::Sh
 
     def initialize(app:, namespace:nil, roles: [], gsa: nil, ksa: nil)
       @app, @roles = app, roles
@@ -71,25 +72,5 @@ module KubesGoogle
           --member=serviceAccount:#{@service_account} \
           --role=#{role} > /dev/null".squish
     end
-
-  private
-    def sh(command)
-      logger.debug "=> #{command}"
-      success = system(command)
-      unless success
-        logger.info "WARN: Running #{command}"
-      end
-      success
-    end
-
-    def capture(command)
-      out = `#{command}`
-      unless $?.exitstatus == 0
-        logger.info "ERROR: Running #{command}"
-        logger.info out
-        exit 1
-      end
-      out
-    end
   end
 end

data/lib/kubes_google/services.rb

@@ -1,9 +1,15 @@
 require "google-cloud-secret_manager"
+require "google/cloud/container"
 
 module KubesGoogle
   module Services
     extend Memoist
 
+    def cluster_manager
+      Google::Cloud::Container.cluster_manager
+    end
+    memoize :cluster_manager
+
     def secret_manager_service
       Google::Cloud::SecretManager.secret_manager_service
     end

data/lib/kubes_google/util/sh.rb

@@ -0,0 +1,23 @@
+module KubesGoogle::Util
+  module Sh
+  private
+    def sh(command)
+      logger.debug "=> #{command}"
+      success = system(command)
+      unless success
+        logger.info "WARN: Running #{command}"
+      end
+      success
+    end
+
+    def capture(command)
+      out = `#{command}`
+      unless $?.exitstatus == 0
+        logger.info "ERROR: Running #{command}"
+        logger.info out
+        exit 1
+      end
+      out
+    end
+  end
+end

data/lib/kubes_google/version.rb

@@ -1,3 +1,3 @@
 module KubesGoogle
-  VERSION = "0.2.0"
+  VERSION = "0.3.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubes_google
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.4
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-09 00:00:00.000000000 Z
+date: 2020-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: google-cloud-container
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: google-cloud-secret_manager
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: kubes
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - tung@boltops.com
@@ -81,14 +109,22 @@ files:
 - README.md
 - Rakefile
 - kubes_google.gemspec
+- lib/hooks/kubes.rb
 - lib/kubes_google.rb
 - lib/kubes_google/autoloader.rb
+- lib/kubes_google/config.rb
+- lib/kubes_google/gke.rb
 - lib/kubes_google/helpers.rb
+- lib/kubes_google/hooks.rb
 - lib/kubes_google/logging.rb
 - lib/kubes_google/secrets.rb
 - lib/kubes_google/secrets/fetcher.rb
+- lib/kubes_google/secrets/fetcher/base.rb
+- lib/kubes_google/secrets/fetcher/gcloud.rb
+- lib/kubes_google/secrets/fetcher/sdk.rb
 - lib/kubes_google/service_account.rb
 - lib/kubes_google/services.rb
+- lib/kubes_google/util/sh.rb
 - lib/kubes_google/version.rb
 homepage: https://github.com/boltops-tools/kubes_google
 licenses: