RubyGems - kubes_google - Versions diffs - 0.3.0 → 0.3.5 - Mend

kubes_google 0.3.0 → 0.3.5

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/lib/hooks/kubes.rb +11 -3
data/lib/kubes_google.rb +4 -0
data/lib/kubes_google/config.rb +6 -0
data/lib/kubes_google/gke.rb +29 -8
data/lib/kubes_google/secrets/fetcher.rb +9 -28
data/lib/kubes_google/secrets/fetcher/base.rb +15 -0
data/lib/kubes_google/secrets/fetcher/gcloud.rb +21 -0
data/lib/kubes_google/secrets/fetcher/sdk.rb +47 -0
data/lib/kubes_google/service_account.rb +1 -20
data/lib/kubes_google/util/sh.rb +23 -0
data/lib/kubes_google/version.rb +1 -1
metadata +6 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2b41e672639ece65b0c749581b7321b30a48213744e28aa63e3e71bf6cf3fd3
-  data.tar.gz: 0b4006a22492fb1424c3d45b880f9a784deee99d824e986fb7a52e835196f955
+  metadata.gz: c4940b31e1e64807b1036d0980ab6c1ebe81aa6f05581b1e2d00b3bf915d12c0
+  data.tar.gz: 6761294987f6c33fef1d9764712bab015b7b264fa8e5b84c166a633f03bc44aa
 SHA512:
-  metadata.gz: 139e70fe3e151df3fcefa12a4a8d7a7a45b08bc62909815b4be865906e7400f1c5141a42e41331b13aa774b6f04caca3d06a7a882c6a486646047d11a0d09a3f
-  data.tar.gz: 9c6058c9157f05a8be7aa662fedc71ada94171e7c4fe5086552c68743a683467a2247fa549d2217f6017ea3ed84fdc80cf18f85a2a2f934753546d95d93af943
+  metadata.gz: 4c09463d4a76e82240502a5779e90a9874b9c91d4f195f91af128fa48a134b44a9485a5c327fad74826834edd57e0137ebd9375558f4253ec0ca5242610061a7
+  data.tar.gz: a7ecffa4255c71544b92fd5df88bac16a5a06eb4e2c8e48eed9d9b1f61a12c98f18c3c6edd8f92aef51ffeb595605a9cccb578a42dbc810b89fc9eeb9a97fe02

data/CHANGELOG.md CHANGED

@@ -3,6 +3,22 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+## [0.3.5] - 2020-11-12
+- add KubesGoogle.cloudbuild? check
+- fetcher sdk friendly suggestion to use gcloud when vpn errors
+## [0.3.4] - 2020-11-12
+- fix KubesGoogle.config.secrets.fetcher check
+## [0.3.3] - 2020-11-12
+- [#6](https://github.com/boltops-tools/kubes_google/pull/6) sdk and gcloud secrets fetcher strategy: secrets.fetcher option
+## [0.3.2] - 2020-11-11
+- [#5](https://github.com/boltops-tools/kubes_google/pull/5) config.base64 option
+## [0.3.1] - 2020-11-11
+- [#4](https://github.com/boltops-tools/kubes_google/pull/4) get_credentials hook
 ## [0.3.0]
 - #3 gke hook to whitelist ip

data/lib/hooks/kubes.rb CHANGED

@@ -1,14 +1,22 @@
 gke = KubesGoogle::Gke.new(
-  name: KubesGoogle.config.gke.cluster_name,
+  cluster_name: KubesGoogle.config.gke.cluster_name,
+  google_region: KubesGoogle.config.gke.google_region,
+  google_project: KubesGoogle.config.gke.google_project,
+  enable_get_credentials: KubesGoogle.config.gke.enable_get_credentials,
   whitelist_ip: KubesGoogle.config.gke.whitelist_ip,
 )
+before("apply",
+  label: "gke get-credentials hook",
+  execute: gke.method(:get_credentials).to_proc,
+) if gke.get_credentials_enabled?
 before("apply",
   label: "gke whitelist hook",
   execute: gke.method(:allow).to_proc,
-)
+) if gke.enabled?
 after("apply",
   label: "gke whitelist hook",
   execute: gke.method(:deny).to_proc,
-)
+) if gke.enabled?

data/lib/kubes_google.rb CHANGED

@@ -35,6 +35,10 @@ module KubesGoogle
     Config.instance.config
   end
+  def cloudbuild?
+    !!ENV['BUILDER_OUTPUT'] # cloudbuild env vars: https://gist.github.com/tongueroo/7ae26abd60d30da3972e86b4e7ca315e
+  end
   extend self
 end

data/lib/kubes_google/config.rb CHANGED

@@ -6,8 +6,14 @@ module KubesGoogle
       c = ActiveSupport::OrderedOptions.new
       c.gke = ActiveSupport::OrderedOptions.new
       c.gke.cluster_name = nil
+      c.gke.enable_get_credentials = nil
       c.gke.enable_hooks = nil # nil since need cluster_name also. setting to false will explicitly disable hooks
+      c.gke.google_project = nil
+      c.gke.google_region = nil
       c.gke.whitelist_ip = nil # default will auto-detect IP
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.fetcher = "sdk"
+      c.secrets.base64 = true
       c
     end

data/lib/kubes_google/gke.rb CHANGED

@@ -5,35 +5,56 @@ module KubesGoogle
     extend Memoist
     include Logging
     include Services
+    include Util::Sh
-    def initialize(name:, whitelist_ip: nil)
-      @name, @whitelist_ip = name, whitelist_ip
+    def initialize(cluster_name:,
+                   enable_get_credentials: false,
+                   google_project: nil,
+                   google_region: "us-central1",
+                   whitelist_ip: nil)
+      @cluster_name = cluster_name
+      @enable_get_credentials = enable_get_credentials
+      @google_project = ENV['GOOGLE_PROJECT'] || google_project
+      @google_region = ENV['GOOGLE_REGION'] || google_region
+      @whitelist_ip = whitelist_ip
     end
     def allow
-      return unless enabled?
       logger.debug "Updating cluster. Adding IP: #{ip}"
       update_cluster(cidr_blocks(:with_whitelist))
     end
     def deny
-      return unless enabled?
       logger.debug "Updating cluster. Removing IP: #{ip}"
       update_cluster(cidr_blocks(:without_whitelist))
     end
-    # Setting the cluster name is enough to enable the hooks
+    def get_credentials
+      return unless get_credentials_enabled?
+      sh "gcloud container clusters get-credentials --project=#{@google_project} --region=#{@google_region} #{@cluster_name}"
+    end
+    def full_name
+      "projects/#{@google_project}/locations/#{@google_region}/clusters/#{@cluster_name}"
+    end
     def enabled?
       enable = KubesGoogle.config.gke.enable_hooks
       enable = enable.nil? ? true : enable
       # gke = KubesGoogle::Gke.new(name: KubesGoogle.config.gke.cluster_name)
       # so @name = KubesGoogle.config.gke.cluster_name
-      !!(enable && @name)
+      !!(enable && @cluster_name)
+    end
+    def get_credentials_enabled?
+      enable = KubesGoogle.config.gke.enable_get_credentials
+      enable = enable.nil? ? false : enable
+      !!(enable && full_name)
     end
     def update_cluster(cidr_blocks)
       resp = cluster_manager.update_cluster(
-        name: @name,
+        name: full_name,
         update: {
           desired_master_authorized_networks_config: {
             cidr_blocks: cidr_blocks,
@@ -67,7 +88,7 @@ module KubesGoogle
     end
     def old_cidrs
-      resp = cluster_manager.get_cluster(name: @name)
+      resp = cluster_manager.get_cluster(name: full_name)
       config = resp.master_authorized_networks_config.to_h
       config[:cidr_blocks]
     end

data/lib/kubes_google/secrets/fetcher.rb CHANGED

@@ -1,41 +1,22 @@
 class KubesGoogle::Secrets
   class Fetcher
-    include KubesGoogle::Logging
-    include KubesGoogle::Services
+    extend Memoist
     def initialize(options={})
       @options = options
-      @base64 = options[:base64].nil? ? true : options[:base64]
-      @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
     end
     def fetch(short_name)
-      value = fetch_value(short_name)
-      value = Base64.strict_encode64(value).strip if @base64
-      value
+      fetcher.fetch(short_name)
     end
-    def fetch_value(short_name)
-      name = "projects/#{project_number}/secrets/#{short_name}/versions/latest"
-      version = secret_manager_service.access_secret_version(name: name)
-      version.payload.data
-    rescue Google::Cloud::NotFoundError => e
-      logger.info "WARN: secret #{name} not found".color(:yellow)
-      logger.info e.message
-      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
-    end
-    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
-    # If someone knows, let me know.
-    # Right now grabbing the first secret to then be able to get the google project number
-    @@project_number = nil
-    def project_number
-      return @@project_number if @@project_number
-      parent = "projects/#{@project_id}"
-      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
-      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
-      @@project_number = name.split('/')[1]
+    def fetcher
+      if KubesGoogle.config.secrets.fetcher == "sdk"
+        Sdk.new(@options)
+      else
+        Gcloud.new(@options)
+      end
     end
+    memoize :fetcher
   end
 end

data/lib/kubes_google/secrets/fetcher/base.rb ADDED

@@ -0,0 +1,15 @@
+class KubesGoogle::Secrets::Fetcher
+  class Base
+    include KubesGoogle::Logging
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+      @project_id = options[:google_project] || ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
+    end
+    def base64?
+      @base64.nil? ? KubesGoogle.config.secrets.base64 : @base64
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/gcloud.rb ADDED

@@ -0,0 +1,21 @@
+class KubesGoogle::Secrets::Fetcher
+  class Gcloud < Base
+    include KubesGoogle::Util::Sh
+    def fetch(short_name, version="latest")
+      value = gcloud("secrets versions access #{version} --secret #{short_name}")
+      if value.include?("ERROR") && value.include?("NOT_FOUND")
+        logger.info "WARN: secret #{short_name} not found".color(:yellow)
+        logger.info e.message
+        "NOT FOUND #{short_name}" # simple string so Kubernetes YAML is valid
+      else
+        value = Base64.strict_encode64(value).strip if base64?
+        value
+      end
+    end
+    def gcloud(args)
+      capture("gcloud --project #{@project_id} #{args}")
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/sdk.rb ADDED

@@ -0,0 +1,47 @@
+class KubesGoogle::Secrets::Fetcher
+  class Sdk < Base
+    include KubesGoogle::Services
+    def fetch(short_name, version="latest")
+      value = fetch_value(short_name, version)
+      value = Base64.strict_encode64(value).strip if base64?
+      value
+    end
+    def fetch_value(short_name, version="latest")
+      name = "projects/#{project_number}/secrets/#{short_name}/versions/#{version}"
+      version = secret_manager_service.access_secret_version(name: name)
+      version.payload.data
+    rescue Google::Cloud::NotFoundError => e
+      logger.info "WARN: secret #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
+    end
+    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
+    # If someone knows, let me know.
+    # Right now grabbing the first secret to then be able to get the google project number
+    @@project_number = nil
+    def project_number
+      return @@project_number if @@project_number
+      parent = "projects/#{@project_id}"
+      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
+      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
+      @@project_number = name.split('/')[1]
+    rescue Google::Cloud::UnavailableError => e
+      logger.error "ERROR: #{e.message}"
+      if e.message.include?("failed to connect")
+        logger.info <<~EOL
+          SSL Handshake failed. This error seems to happen with some VPN setups.
+          Please try the gcloud fetcher instead. To set up see:
+            https://kubes.guru/docs/helpers/google/secrets/#fetcher-strategy
+        EOL
+        exit 1
+      else
+        raise
+      end
+    end
+  end
+end

data/lib/kubes_google/service_account.rb CHANGED

@@ -4,6 +4,7 @@ require "json"
 module KubesGoogle
   class ServiceAccount
     include Logging
+    include Util::Sh
     def initialize(app:, namespace:nil, roles: [], gsa: nil, ksa: nil)
       @app, @roles = app, roles
@@ -71,25 +72,5 @@ module KubesGoogle
           --member=serviceAccount:#{@service_account} \
           --role=#{role} > /dev/null".squish
     end
-  private
-    def sh(command)
-      logger.debug "=> #{command}"
-      success = system(command)
-      unless success
-        logger.info "WARN: Running #{command}"
-      end
-      success
-    end
-    def capture(command)
-      out = `#{command}`
-      unless $?.exitstatus == 0
-        logger.info "ERROR: Running #{command}"
-        logger.info out
-        exit 1
-      end
-      out
-    end
   end
 end

data/lib/kubes_google/util/sh.rb ADDED

@@ -0,0 +1,23 @@
+module KubesGoogle::Util
+  module Sh
+  private
+    def sh(command)
+      logger.debug "=> #{command}"
+      success = system(command)
+      unless success
+        logger.info "WARN: Running #{command}"
+      end
+      success
+    end
+    def capture(command)
+      out = `#{command}`
+      unless $?.exitstatus == 0
+        logger.info "ERROR: Running #{command}"
+        logger.info out
+        exit 1
+      end
+      out
+    end
+  end
+end

data/lib/kubes_google/version.rb CHANGED

@@ -1,3 +1,3 @@
 module KubesGoogle
-  VERSION = "0.3.0"
+  VERSION = "0.3.5"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubes_google
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.5
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-10 00:00:00.000000000 Z
+date: 2020-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -119,8 +119,12 @@ files:
 - lib/kubes_google/logging.rb
 - lib/kubes_google/secrets.rb
 - lib/kubes_google/secrets/fetcher.rb
+- lib/kubes_google/secrets/fetcher/base.rb
+- lib/kubes_google/secrets/fetcher/gcloud.rb
+- lib/kubes_google/secrets/fetcher/sdk.rb
 - lib/kubes_google/service_account.rb
 - lib/kubes_google/services.rb
+- lib/kubes_google/util/sh.rb
 - lib/kubes_google/version.rb
 homepage: https://github.com/boltops-tools/kubes_google
 licenses: