RubyGems - kubes_google - Versions diffs - 0.3.0 → 0.3.5 - Mend

kubes_google 0.3.0 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/lib/hooks/kubes.rb +11 -3
data/lib/kubes_google.rb +4 -0
data/lib/kubes_google/config.rb +6 -0
data/lib/kubes_google/gke.rb +29 -8
data/lib/kubes_google/secrets/fetcher.rb +9 -28
data/lib/kubes_google/secrets/fetcher/base.rb +15 -0
data/lib/kubes_google/secrets/fetcher/gcloud.rb +21 -0
data/lib/kubes_google/secrets/fetcher/sdk.rb +47 -0
data/lib/kubes_google/service_account.rb +1 -20
data/lib/kubes_google/util/sh.rb +23 -0
data/lib/kubes_google/version.rb +1 -1
metadata +6 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2b41e672639ece65b0c749581b7321b30a48213744e28aa63e3e71bf6cf3fd3
-  data.tar.gz: 0b4006a22492fb1424c3d45b880f9a784deee99d824e986fb7a52e835196f955
+  metadata.gz: c4940b31e1e64807b1036d0980ab6c1ebe81aa6f05581b1e2d00b3bf915d12c0
+  data.tar.gz: 6761294987f6c33fef1d9764712bab015b7b264fa8e5b84c166a633f03bc44aa
 SHA512:
-  metadata.gz: 139e70fe3e151df3fcefa12a4a8d7a7a45b08bc62909815b4be865906e7400f1c5141a42e41331b13aa774b6f04caca3d06a7a882c6a486646047d11a0d09a3f
-  data.tar.gz: 9c6058c9157f05a8be7aa662fedc71ada94171e7c4fe5086552c68743a683467a2247fa549d2217f6017ea3ed84fdc80cf18f85a2a2f934753546d95d93af943
+  metadata.gz: 4c09463d4a76e82240502a5779e90a9874b9c91d4f195f91af128fa48a134b44a9485a5c327fad74826834edd57e0137ebd9375558f4253ec0ca5242610061a7
+  data.tar.gz: a7ecffa4255c71544b92fd5df88bac16a5a06eb4e2c8e48eed9d9b1f61a12c98f18c3c6edd8f92aef51ffeb595605a9cccb578a42dbc810b89fc9eeb9a97fe02

data/CHANGELOG.md CHANGED

@@ -3,6 +3,22 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+## [0.3.5] - 2020-11-12
+- add KubesGoogle.cloudbuild? check
+- fetcher sdk friendly suggestion to use gcloud when vpn errors
+## [0.3.4] - 2020-11-12
+- fix KubesGoogle.config.secrets.fetcher check
+## [0.3.3] - 2020-11-12
+- [#6](https://github.com/boltops-tools/kubes_google/pull/6) sdk and gcloud secrets fetcher strategy: secrets.fetcher option
+## [0.3.2] - 2020-11-11
+- [#5](https://github.com/boltops-tools/kubes_google/pull/5) config.base64 option
+## [0.3.1] - 2020-11-11
+- [#4](https://github.com/boltops-tools/kubes_google/pull/4) get_credentials hook
 ## [0.3.0]
 - #3 gke hook to whitelist ip

data/lib/hooks/kubes.rb CHANGED

@@ -1,14 +1,22 @@
 gke = KubesGoogle::Gke.new(
-  name: KubesGoogle.config.gke.cluster_name,
+  cluster_name: KubesGoogle.config.gke.cluster_name,
+  google_region: KubesGoogle.config.gke.google_region,
+  google_project: KubesGoogle.config.gke.google_project,
+  enable_get_credentials: KubesGoogle.config.gke.enable_get_credentials,
   whitelist_ip: KubesGoogle.config.gke.whitelist_ip,
 )
+before("apply",
+  label: "gke get-credentials hook",
+  execute: gke.method(:get_credentials).to_proc,
+) if gke.get_credentials_enabled?
 before("apply",
   label: "gke whitelist hook",
   execute: gke.method(:allow).to_proc,
-)
+) if gke.enabled?
 after("apply",
   label: "gke whitelist hook",
   execute: gke.method(:deny).to_proc,
-)
+) if gke.enabled?

data/lib/kubes_google.rb CHANGED

@@ -35,6 +35,10 @@ module KubesGoogle
     Config.instance.config
   end
+  def cloudbuild?
+    !!ENV['BUILDER_OUTPUT'] # cloudbuild env vars: https://gist.github.com/tongueroo/7ae26abd60d30da3972e86b4e7ca315e
+  end
   extend self
 end

data/lib/kubes_google/config.rb CHANGED

@@ -6,8 +6,14 @@ module KubesGoogle
       c = ActiveSupport::OrderedOptions.new
       c.gke = ActiveSupport::OrderedOptions.new
       c.gke.cluster_name = nil
+      c.gke.enable_get_credentials = nil
       c.gke.enable_hooks = nil # nil since need cluster_name also. setting to false will explicitly disable hooks
+      c.gke.google_project = nil
+      c.gke.google_region = nil
       c.gke.whitelist_ip = nil # default will auto-detect IP
+      c.secrets = ActiveSupport::OrderedOptions.new
+      c.secrets.fetcher = "sdk"
+      c.secrets.base64 = true
       c
     end

data/lib/kubes_google/gke.rb CHANGED

@@ -5,35 +5,56 @@ module KubesGoogle
     extend Memoist
     include Logging
     include Services
+    include Util::Sh
-    def initialize(name:, whitelist_ip: nil)
-      @name, @whitelist_ip = name, whitelist_ip
+    def initialize(cluster_name:,
+                   enable_get_credentials: false,
+                   google_project: nil,
+                   google_region: "us-central1",
+                   whitelist_ip: nil)
+      @cluster_name = cluster_name
+      @enable_get_credentials = enable_get_credentials
+      @google_project = ENV['GOOGLE_PROJECT'] || google_project
+      @google_region = ENV['GOOGLE_REGION'] || google_region
+      @whitelist_ip = whitelist_ip
     end
     def allow
-      return unless enabled?
       logger.debug "Updating cluster. Adding IP: #{ip}"
       update_cluster(cidr_blocks(:with_whitelist))
     end
     def deny
-      return unless enabled?
       logger.debug "Updating cluster. Removing IP: #{ip}"
       update_cluster(cidr_blocks(:without_whitelist))
     end
-    # Setting the cluster name is enough to enable the hooks
+    def get_credentials
+      return unless get_credentials_enabled?
+      sh "gcloud container clusters get-credentials --project=#{@google_project} --region=#{@google_region} #{@cluster_name}"
+    end
+    def full_name
+      "projects/#{@google_project}/locations/#{@google_region}/clusters/#{@cluster_name}"
+    end
     def enabled?
       enable = KubesGoogle.config.gke.enable_hooks
       enable = enable.nil? ? true : enable
       # gke = KubesGoogle::Gke.new(name: KubesGoogle.config.gke.cluster_name)
       # so @name = KubesGoogle.config.gke.cluster_name
-      !!(enable && @name)
+      !!(enable && @cluster_name)
+    end
+    def get_credentials_enabled?
+      enable = KubesGoogle.config.gke.enable_get_credentials
+      enable = enable.nil? ? false : enable
+      !!(enable && full_name)
     end
     def update_cluster(cidr_blocks)
       resp = cluster_manager.update_cluster(
-        name: @name,
+        name: full_name,
         update: {
           desired_master_authorized_networks_config: {
             cidr_blocks: cidr_blocks,
@@ -67,7 +88,7 @@ module KubesGoogle
     end
     def old_cidrs
-      resp = cluster_manager.get_cluster(name: @name)
+      resp = cluster_manager.get_cluster(name: full_name)
       config = resp.master_authorized_networks_config.to_h
       config[:cidr_blocks]
     end

data/lib/kubes_google/secrets/fetcher.rb CHANGED

@@ -1,41 +1,22 @@
 class KubesGoogle::Secrets
   class Fetcher
-    include KubesGoogle::Logging
-    include KubesGoogle::Services
+    extend Memoist
     def initialize(options={})
       @options = options
-      @base64 = options[:base64].nil? ? true : options[:base64]
-      @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
     end
     def fetch(short_name)
-      value = fetch_value(short_name)
-      value = Base64.strict_encode64(value).strip if @base64
-      value
+      fetcher.fetch(short_name)
     end
-    def fetch_value(short_name)
-      name = "projects/#{project_number}/secrets/#{short_name}/versions/latest"
-      version = secret_manager_service.access_secret_version(name: name)
-      version.payload.data
-    rescue Google::Cloud::NotFoundError => e
-      logger.info "WARN: secret #{name} not found".color(:yellow)
-      logger.info e.message
-      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
-    end
-    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
-    # If someone knows, let me know.
-    # Right now grabbing the first secret to then be able to get the google project number
-    @@project_number = nil
-    def project_number
-      return @@project_number if @@project_number
-      parent = "projects/#{@project_id}"
-      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
-      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
-      @@project_number = name.split('/')[1]
+    def fetcher
+      if KubesGoogle.config.secrets.fetcher == "sdk"
+        Sdk.new(@options)
+      else
+        Gcloud.new(@options)
+      end
     end
+    memoize :fetcher
   end
 end

data/lib/kubes_google/secrets/fetcher/base.rb ADDED

@@ -0,0 +1,15 @@
+class KubesGoogle::Secrets::Fetcher
+  class Base
+    include KubesGoogle::Logging
+    def initialize(options={})
+      @options = options
+      @base64 = options[:base64]
+      @project_id = options[:google_project] || ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
+    end
+    def base64?
+      @base64.nil? ? KubesGoogle.config.secrets.base64 : @base64
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/gcloud.rb ADDED

@@ -0,0 +1,21 @@
+class KubesGoogle::Secrets::Fetcher
+  class Gcloud < Base
+    include KubesGoogle::Util::Sh
+    def fetch(short_name, version="latest")
+      value = gcloud("secrets versions access #{version} --secret #{short_name}")
+      if value.include?("ERROR") && value.include?("NOT_FOUND")
+        logger.info "WARN: secret #{short_name} not found".color(:yellow)
+        logger.info e.message
+        "NOT FOUND #{short_name}" # simple string so Kubernetes YAML is valid
+      else
+        value = Base64.strict_encode64(value).strip if base64?
+        value
+      end
+    end
+    def gcloud(args)
+      capture("gcloud --project #{@project_id} #{args}")
+    end
+  end
+end

data/lib/kubes_google/secrets/fetcher/sdk.rb ADDED

@@ -0,0 +1,47 @@
+class KubesGoogle::Secrets::Fetcher
+  class Sdk < Base
+    include KubesGoogle::Services
+    def fetch(short_name, version="latest")
+      value = fetch_value(short_name, version)
+      value = Base64.strict_encode64(value).strip if base64?
+      value
+    end
+    def fetch_value(short_name, version="latest")
+      name = "projects/#{project_number}/secrets/#{short_name}/versions/#{version}"
+      version = secret_manager_service.access_secret_version(name: name)
+      version.payload.data
+    rescue Google::Cloud::NotFoundError => e
+      logger.info "WARN: secret #{name} not found".color(:yellow)
+      logger.info e.message
+      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
+    end
+    # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
+    # If someone knows, let me know.
+    # Right now grabbing the first secret to then be able to get the google project number
+    @@project_number = nil
+    def project_number
+      return @@project_number if @@project_number
+      parent = "projects/#{@project_id}"
+      resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
+      name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
+      @@project_number = name.split('/')[1]
+    rescue Google::Cloud::UnavailableError => e
+      logger.error "ERROR: #{e.message}"
+      if e.message.include?("failed to connect")
+        logger.info <<~EOL
+          SSL Handshake failed. This error seems to happen with some VPN setups.
+          Please try the gcloud fetcher instead. To set up see:
+            https://kubes.guru/docs/helpers/google/secrets/#fetcher-strategy
+        EOL
+        exit 1
+      else
+        raise
+      end
+    end
+  end
+end

data/lib/kubes_google/service_account.rb CHANGED

@@ -4,6 +4,7 @@ require "json"
 module KubesGoogle
   class ServiceAccount
     include Logging
+    include Util::Sh
     def initialize(app:, namespace:nil, roles: [], gsa: nil, ksa: nil)
       @app, @roles = app, roles
@@ -71,25 +72,5 @@ module KubesGoogle
           --member=serviceAccount:#{@service_account} \
           --role=#{role} > /dev/null".squish
     end
-  private
-    def sh(command)
-      logger.debug "=> #{command}"
-      success = system(command)
-      unless success
-        logger.info "WARN: Running #{command}"
-      end
-      success
-    end
-    def capture(command)
-      out = `#{command}`
-      unless $?.exitstatus == 0
-        logger.info "ERROR: Running #{command}"
-        logger.info out
-        exit 1
-      end
-      out
-    end
   end
 end

data/lib/kubes_google/util/sh.rb ADDED

@@ -0,0 +1,23 @@
+module KubesGoogle::Util
+  module Sh
+  private
+    def sh(command)
+      logger.debug "=> #{command}"
+      success = system(command)
+      unless success
+        logger.info "WARN: Running #{command}"
+      end
+      success
+    end
+    def capture(command)
+      out = `#{command}`
+      unless $?.exitstatus == 0
+        logger.info "ERROR: Running #{command}"
+        logger.info out
+        exit 1
+      end
+      out
+    end
+  end
+end

data/lib/kubes_google/version.rb CHANGED

@@ -1,3 +1,3 @@
 module KubesGoogle
-  VERSION = "0.3.0"
+  VERSION = "0.3.5"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubes_google
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.5
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-10 00:00:00.000000000 Z
+date: 2020-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -119,8 +119,12 @@ files:
 - lib/kubes_google/logging.rb
 - lib/kubes_google/secrets.rb
 - lib/kubes_google/secrets/fetcher.rb
+- lib/kubes_google/secrets/fetcher/base.rb
+- lib/kubes_google/secrets/fetcher/gcloud.rb
+- lib/kubes_google/secrets/fetcher/sdk.rb
 - lib/kubes_google/service_account.rb
 - lib/kubes_google/services.rb
+- lib/kubes_google/util/sh.rb
 - lib/kubes_google/version.rb
 homepage: https://github.com/boltops-tools/kubes_google
 licenses: