kubes_google 0.3.2 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/kubes_google.gemspec +1 -0
- data/lib/kubes_google/config.rb +3 -1
- data/lib/kubes_google/secrets/fetcher/base.rb +15 -0
- data/lib/kubes_google/secrets/fetcher/gcloud.rb +21 -0
- data/lib/kubes_google/secrets/fetcher/sdk.rb +43 -0
- data/lib/kubes_google/secrets/fetcher.rb +13 -32
- data/lib/kubes_google/service_account.rb +1 -0
- data/lib/kubes_google/services.rb +6 -0
- data/lib/kubes_google/version.rb +1 -1
- data/lib/kubes_google.rb +5 -0
- metadata +20 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '088f3403efb08082a1aafe32aa0790dd3f3066c2fa49097963d952150171ec03'
|
|
4
|
+
data.tar.gz: 6865c3cbf32056aea2615ae9022c1763ec8449dea2fc5242f3ddb01750bb2cd2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a760e087e9cd8eb9636fd1540aa020e2ed74da3038aeec039e562e83123dd70a9bfec6fc594b31fb1e1911d1664553398cd051548949b4c55f9eff7bcf844956
|
|
7
|
+
data.tar.gz: fc8d14d3cdbc386ebc53d815e8e854affa8bfe1eef97c6e578aa6a519704901131e4f9e5be8734a18b512cebd00df36c12ab665f7ff63bc769613911803dd922
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,21 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [0.3.6] - 2022-02-04
|
|
7
|
+
- [#7](https://github.com/boltops-tools/kubes_google/pull/7) Secret auto retry with gcloud strategy
|
|
8
|
+
- [#8](https://github.com/boltops-tools/kubes_google/pull/8) add condition none
|
|
9
|
+
- get google project number via api
|
|
10
|
+
|
|
11
|
+
## [0.3.5] - 2020-11-12
|
|
12
|
+
- add KubesGoogle.cloudbuild? check
|
|
13
|
+
- fetcher sdk friendly suggestion to use gcloud when vpn errors
|
|
14
|
+
|
|
15
|
+
## [0.3.4] - 2020-11-12
|
|
16
|
+
- fix KubesGoogle.config.secrets.fetcher check
|
|
17
|
+
|
|
18
|
+
## [0.3.3] - 2020-11-12
|
|
19
|
+
- [#6](https://github.com/boltops-tools/kubes_google/pull/6) sdk and gcloud secrets fetcher strategy: secrets.fetcher option
|
|
20
|
+
|
|
6
21
|
## [0.3.2] - 2020-11-11
|
|
7
22
|
- [#5](https://github.com/boltops-tools/kubes_google/pull/5) config.base64 option
|
|
8
23
|
|
data/kubes_google.gemspec
CHANGED
|
@@ -24,6 +24,7 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
|
|
25
25
|
spec.add_dependency "activesupport"
|
|
26
26
|
spec.add_dependency "google-cloud-container"
|
|
27
|
+
spec.add_dependency "google-cloud-resource_manager"
|
|
27
28
|
spec.add_dependency "google-cloud-secret_manager"
|
|
28
29
|
spec.add_dependency "memoist"
|
|
29
30
|
spec.add_dependency "zeitwerk"
|
data/lib/kubes_google/config.rb
CHANGED
|
@@ -4,7 +4,6 @@ module KubesGoogle
|
|
|
4
4
|
|
|
5
5
|
def defaults
|
|
6
6
|
c = ActiveSupport::OrderedOptions.new
|
|
7
|
-
c.base64_secrets = true
|
|
8
7
|
c.gke = ActiveSupport::OrderedOptions.new
|
|
9
8
|
c.gke.cluster_name = nil
|
|
10
9
|
c.gke.enable_get_credentials = nil
|
|
@@ -12,6 +11,9 @@ module KubesGoogle
|
|
|
12
11
|
c.gke.google_project = nil
|
|
13
12
|
c.gke.google_region = nil
|
|
14
13
|
c.gke.whitelist_ip = nil # default will auto-detect IP
|
|
14
|
+
c.secrets = ActiveSupport::OrderedOptions.new
|
|
15
|
+
c.secrets.fetcher = "sdk"
|
|
16
|
+
c.secrets.base64 = true
|
|
15
17
|
c
|
|
16
18
|
end
|
|
17
19
|
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
class KubesGoogle::Secrets::Fetcher
|
|
2
|
+
class Base
|
|
3
|
+
include KubesGoogle::Logging
|
|
4
|
+
|
|
5
|
+
def initialize(options={})
|
|
6
|
+
@options = options
|
|
7
|
+
@base64 = options[:base64]
|
|
8
|
+
@project_id = options[:google_project] || ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def base64?
|
|
12
|
+
@base64.nil? ? KubesGoogle.config.secrets.base64 : @base64
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
class KubesGoogle::Secrets::Fetcher
|
|
2
|
+
class Gcloud < Base
|
|
3
|
+
include KubesGoogle::Util::Sh
|
|
4
|
+
|
|
5
|
+
def fetch(short_name, version="latest")
|
|
6
|
+
value = gcloud("secrets versions access #{version} --secret #{short_name}")
|
|
7
|
+
if value.include?("ERROR") && value.include?("NOT_FOUND")
|
|
8
|
+
logger.info "WARN: secret #{short_name} not found".color(:yellow)
|
|
9
|
+
logger.info e.message
|
|
10
|
+
"NOT FOUND #{short_name}" # simple string so Kubernetes YAML is valid
|
|
11
|
+
else
|
|
12
|
+
value = Base64.strict_encode64(value).strip if base64?
|
|
13
|
+
value
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def gcloud(args)
|
|
18
|
+
capture("gcloud --project #{@project_id} #{args}")
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
class KubesGoogle::Secrets::Fetcher
|
|
2
|
+
class Sdk < Base
|
|
3
|
+
include KubesGoogle::Services
|
|
4
|
+
|
|
5
|
+
def fetch(short_name, version="latest")
|
|
6
|
+
value = fetch_value(short_name, version)
|
|
7
|
+
value = Base64.strict_encode64(value).strip if base64?
|
|
8
|
+
value
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def fetch_value(short_name, version="latest")
|
|
12
|
+
name = "projects/#{project_number}/secrets/#{short_name}/versions/#{version}"
|
|
13
|
+
version = secret_manager_service.access_secret_version(name: name)
|
|
14
|
+
version.payload.data
|
|
15
|
+
rescue Google::Cloud::NotFoundError => e
|
|
16
|
+
logger.info "WARN: secret #{name} not found".color(:yellow)
|
|
17
|
+
logger.info e.message
|
|
18
|
+
"NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
|
|
19
|
+
rescue Google::Cloud::UnavailableError => e
|
|
20
|
+
logger.error "ERROR: #{e.message}"
|
|
21
|
+
if e.message.include?("failed to connect")
|
|
22
|
+
logger.info <<~EOL
|
|
23
|
+
WARNING: SSL Handshake failed. This error seems to happen with some VPN setups.
|
|
24
|
+
You can turn off this warning by setting the gcloud fetcher instead.
|
|
25
|
+
To set up see:
|
|
26
|
+
|
|
27
|
+
https://kubes.guru/docs/helpers/google/secrets/#fetcher-strategy
|
|
28
|
+
EOL
|
|
29
|
+
raise KubesGoogle::VpnSslError
|
|
30
|
+
else
|
|
31
|
+
raise
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
private
|
|
36
|
+
@@project_number = nil
|
|
37
|
+
def project_number
|
|
38
|
+
return @@project_number if @@project_number
|
|
39
|
+
project = resource_manager.project(@project_id)
|
|
40
|
+
@@project_number = project.project_number
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
@@ -1,45 +1,26 @@
|
|
|
1
1
|
class KubesGoogle::Secrets
|
|
2
2
|
class Fetcher
|
|
3
|
-
|
|
4
|
-
include KubesGoogle::Services
|
|
3
|
+
extend Memoist
|
|
5
4
|
|
|
6
5
|
def initialize(options={})
|
|
7
6
|
@options = options
|
|
8
|
-
@base64 = options[:base64]
|
|
9
|
-
@project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
|
|
10
7
|
end
|
|
11
8
|
|
|
12
9
|
def fetch(short_name)
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
10
|
+
fetcher.fetch(short_name)
|
|
11
|
+
rescue KubesGoogle::VpnSslError
|
|
12
|
+
logger.info "Retry fetching secret with the gcloud strategy"
|
|
13
|
+
fetcher = Gcloud.new(@options)
|
|
14
|
+
fetcher.fetch(short_name)
|
|
16
15
|
end
|
|
17
16
|
|
|
18
|
-
def
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
version = secret_manager_service.access_secret_version(name: name)
|
|
25
|
-
version.payload.data
|
|
26
|
-
rescue Google::Cloud::NotFoundError => e
|
|
27
|
-
logger.info "WARN: secret #{name} not found".color(:yellow)
|
|
28
|
-
logger.info e.message
|
|
29
|
-
"NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
|
|
30
|
-
end
|
|
31
|
-
|
|
32
|
-
# TODO: Get the project from the list project api instead. Unsure where the docs are for this.
|
|
33
|
-
# If someone knows, let me know.
|
|
34
|
-
# Right now grabbing the first secret to then be able to get the google project number
|
|
35
|
-
@@project_number = nil
|
|
36
|
-
def project_number
|
|
37
|
-
return @@project_number if @@project_number
|
|
38
|
-
|
|
39
|
-
parent = "projects/#{@project_id}"
|
|
40
|
-
resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
|
|
41
|
-
name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
|
|
42
|
-
@@project_number = name.split('/')[1]
|
|
17
|
+
def fetcher
|
|
18
|
+
if KubesGoogle.config.secrets.fetcher == "sdk"
|
|
19
|
+
Sdk.new(@options)
|
|
20
|
+
else
|
|
21
|
+
Gcloud.new(@options)
|
|
22
|
+
end
|
|
43
23
|
end
|
|
24
|
+
memoize :fetcher
|
|
44
25
|
end
|
|
45
26
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require "google-cloud-resource_manager"
|
|
1
2
|
require "google-cloud-secret_manager"
|
|
2
3
|
require "google/cloud/container"
|
|
3
4
|
|
|
@@ -14,6 +15,11 @@ module KubesGoogle
|
|
|
14
15
|
Google::Cloud::SecretManager.secret_manager_service
|
|
15
16
|
end
|
|
16
17
|
memoize :secret_manager_service
|
|
18
|
+
|
|
19
|
+
def resource_manager
|
|
20
|
+
Google::Cloud.new.resource_manager
|
|
21
|
+
end
|
|
22
|
+
memoize :resource_manager
|
|
17
23
|
end
|
|
18
24
|
end
|
|
19
25
|
|
data/lib/kubes_google/version.rb
CHANGED
data/lib/kubes_google.rb
CHANGED
|
@@ -6,6 +6,7 @@ KubesGoogle::Autoloader.setup
|
|
|
6
6
|
|
|
7
7
|
module KubesGoogle
|
|
8
8
|
class Error < StandardError; end
|
|
9
|
+
class VpnSslError < StandardError; end
|
|
9
10
|
|
|
10
11
|
@@logger = nil
|
|
11
12
|
def logger
|
|
@@ -35,6 +36,10 @@ module KubesGoogle
|
|
|
35
36
|
Config.instance.config
|
|
36
37
|
end
|
|
37
38
|
|
|
39
|
+
def cloudbuild?
|
|
40
|
+
!!ENV['BUILDER_OUTPUT'] # cloudbuild env vars: https://gist.github.com/tongueroo/7ae26abd60d30da3972e86b4e7ca315e
|
|
41
|
+
end
|
|
42
|
+
|
|
38
43
|
extend self
|
|
39
44
|
end
|
|
40
45
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kubes_google
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-02-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -38,6 +38,20 @@ dependencies:
|
|
|
38
38
|
- - ">="
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: google-cloud-resource_manager
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ">="
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0'
|
|
48
|
+
type: :runtime
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ">="
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
41
55
|
- !ruby/object:Gem::Dependency
|
|
42
56
|
name: google-cloud-secret_manager
|
|
43
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -119,6 +133,9 @@ files:
|
|
|
119
133
|
- lib/kubes_google/logging.rb
|
|
120
134
|
- lib/kubes_google/secrets.rb
|
|
121
135
|
- lib/kubes_google/secrets/fetcher.rb
|
|
136
|
+
- lib/kubes_google/secrets/fetcher/base.rb
|
|
137
|
+
- lib/kubes_google/secrets/fetcher/gcloud.rb
|
|
138
|
+
- lib/kubes_google/secrets/fetcher/sdk.rb
|
|
122
139
|
- lib/kubes_google/service_account.rb
|
|
123
140
|
- lib/kubes_google/services.rb
|
|
124
141
|
- lib/kubes_google/util/sh.rb
|
|
@@ -143,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
143
160
|
- !ruby/object:Gem::Version
|
|
144
161
|
version: '0'
|
|
145
162
|
requirements: []
|
|
146
|
-
rubygems_version: 3.
|
|
163
|
+
rubygems_version: 3.2.32
|
|
147
164
|
signing_key:
|
|
148
165
|
specification_version: 4
|
|
149
166
|
summary: Kubes Google Helpers Library
|