kubes_google 0.3.4 → 0.3.8
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/kubes_google.gemspec +1 -0
- data/lib/kubes_google/secrets/fetcher/sdk.rb +17 -8
- data/lib/kubes_google/secrets/fetcher.rb +8 -0
- data/lib/kubes_google/service_account.rb +2 -0
- data/lib/kubes_google/services.rb +6 -0
- data/lib/kubes_google/version.rb +1 -1
- data/lib/kubes_google.rb +5 -0
- metadata +17 -3
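--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 40ae0ba0d700db7b90701bf80715f9e0154c02a9d57fd834bbc4a42cf4dc3abb
+data.tar.gz: 1cfda1099092957ecf9e9a338203e10339b6fdc8e90a9bdba70441bb039cb42a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 231ecd51d941f2f82d9f82ee2199216fa193deef450d501314d82750b54f177947b8085849c899655c57db42aa27c309499c032d413821efc825f8592fca1649
+data.tar.gz: 183a2a3a3cd5bcd8b91c0541c4d5aa9ffdffe1b5967e19e7e5d2d87d031d7c31033cb7843cc43ff5236090fe2ec1e0980cdf512855b687427b83c33d7f1b198e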
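--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -3,6 +3,21 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [0.3.8] - 2022-02-07
+- fix service account creation: add condition none
+
+## [0.3.7] - 2022-02-07
+- [#9](https://github.com/boltops-tools/kubes_google/pull/9) performance improvement: cache secrets
+
+## [0.3.6] - 2022-02-04
+- [#7](https://github.com/boltops-tools/kubes_google/pull/7) Secret auto retry with gcloud strategy
+- [#8](https://github.com/boltops-tools/kubes_google/pull/8) add condition none
+- get google project number via api
+
+## [0.3.5] - 2020-11-12
+- add KubesGoogle.cloudbuild? check
+- fetcher sdk friendly suggestion to use gcloud when vpn errors
+
 ## [0.3.4] - 2020-11-12
 - fix KubesGoogle.config.secrets.fetcher check
 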
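--- a/data/kubes_google.gemspec
+++ b/data/kubes_google.gemspec
@@ -24,6 +24,7 @@ Gem::Specification.new do |spec|
 
 spec.add_dependency "activesupport"
 spec.add_dependency "google-cloud-container"
+spec.add_dependency "google-cloud-resource_manager"
 spec.add_dependency "google-cloud-secret_manager"
 spec.add_dependency "memoist"
 spec.add_dependency "zeitwerk"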
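Review bot: The added `spec.add_dependency "google-cloud-resource_manager"` line carries no version constraint, so the packaged metadata records it as `>= 0` and an install will accept any future release of that gem. Code added elsewhere in this release calls `Google::Cloud.new.resource_manager` and `project.project_number`, so an incompatible major release of the dependency would break the project-number lookup at runtime. A bounded requirement such as `spec.add_dependency "google-cloud-resource_manager", "~> X.Y"` (X.Y is a placeholder for the series actually tested) narrows what a fresh install can pull in. The neighbouring dependencies are unconstrained as well, and the `Gem::Specification` block starts and ends outside the hunk.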
@@ -16,19 +16,28 @@ class KubesGoogle::Secrets::Fetcher
|
|
16
16
|
logger.info "WARN: secret #{name} not found".color(:yellow)
|
17
17
|
logger.info e.message
|
18
18
|
"NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
|
19
|
+
rescue Google::Cloud::UnavailableError => e
|
20
|
+
logger.error "ERROR: #{e.message}"
|
21
|
+
if e.message.include?("failed to connect")
|
22
|
+
logger.info <<~EOL
|
23
|
+
WARNING: SSL Handshake failed. This error seems to happen with some VPN setups.
|
24
|
+
You can turn off this warning by setting the gcloud fetcher instead.
|
25
|
+
To set up see:
|
26
|
+
|
27
|
+
https://kubes.guru/docs/helpers/google/secrets/#fetcher-strategy
|
28
|
+
EOL
|
29
|
+
raise KubesGoogle::VpnSslError
|
30
|
+
else
|
31
|
+
raise
|
32
|
+
end
|
19
33
|
end
|
20
34
|
|
21
|
-
|
22
|
-
# If someone knows, let me know.
|
23
|
-
# Right now grabbing the first secret to then be able to get the google project number
|
35
|
+
private
|
24
36
|
@@project_number = nil
|
25
37
|
def project_number
|
26
38
|
return @@project_number if @@project_number
|
27
|
-
|
28
|
-
|
29
|
-
resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
|
30
|
-
name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
|
31
|
-
@@project_number = name.split('/')[1]
|
39
|
+
project = resource_manager.project(@project_id)
|
40
|
+
@@project_number = project.project_number
|
32
41
|
end
|
33
42
|
end
|
34
43
|
end
|
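Review bot: `project.project_number` on new line 40 is called without checking that `resource_manager.project(@project_id)` returned a project. If that lookup yields nil (for example a wrong project id or an identity that cannot read the project; this is an assumption about the client library to confirm), the failure surfaces as a NoMethodError on nil rather than a clear message. A guard such as `raise KubesGoogle::Error, "cannot read project #{@project_id}" unless project` makes the cause explicit. Separately, the VPN branch on new line 21 keys off the substring "failed to connect" in the exception message, which is brittle against wording changes in the client; a comment recording the exact message observed would help. The rescued method and the class both start outside the hunk.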
@@ -1,12 +1,20 @@
|
|
1
1
|
class KubesGoogle::Secrets
|
2
2
|
class Fetcher
|
3
|
+
include KubesGoogle::Logging
|
3
4
|
extend Memoist
|
4
5
|
|
5
6
|
def initialize(options={})
|
6
7
|
@options = options
|
7
8
|
end
|
8
9
|
|
10
|
+
@@cache = {}
|
9
11
|
def fetch(short_name)
|
12
|
+
return @@cache[short_name] if @@cache[short_name]
|
13
|
+
logger.debug "Fetching secret: #{short_name}"
|
14
|
+
@@cache[short_name] = fetcher.fetch(short_name)
|
15
|
+
rescue KubesGoogle::VpnSslError
|
16
|
+
logger.info "Retry fetching secret with the gcloud strategy"
|
17
|
+
fetcher = Gcloud.new(@options)
|
10
18
|
fetcher.fetch(short_name)
|
11
19
|
end
|
12
20
|
|
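Review bot: The class-level `@@cache` added on new line 10 holds fetched secret values for the life of the process and is keyed only by `short_name`, so `Fetcher` instances built with different `@options` share entries; if the options influence which secret is resolved, the key should include them. The gcloud fallback on new lines 17-18 also bypasses the cache: the retried value is never stored, so every later fetch of the same secret goes through the failing SDK call and its error log again. Storing the fallback result, `@@cache[short_name] = Gcloud.new(@options).fetch(short_name)`, fixes that. Note too that `return @@cache[short_name] if @@cache[short_name]` treats any cached string as valid, including the "NOT FOUND" placeholder the SDK fetcher returns for a missing secret, which deserves a comment.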
@@ -40,6 +40,7 @@ module KubesGoogle
|
|
40
40
|
sh "gcloud iam service-accounts add-iam-policy-binding \
|
41
41
|
--role roles/iam.workloadIdentityUser \
|
42
42
|
--member #{member} \
|
43
|
+
--condition=None \
|
43
44
|
#{@service_account}".squish
|
44
45
|
end
|
45
46
|
|
@@ -70,6 +71,7 @@ module KubesGoogle
|
|
70
71
|
|
71
72
|
sh "gcloud projects add-iam-policy-binding #{@google_project} \
|
72
73
|
--member=serviceAccount:#{@service_account} \
|
74
|
+
--condition=None \
|
73
75
|
--role=#{role} > /dev/null".squish
|
74
76
|
end
|
75
77
|
end
|
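Review bot: Both `sh` commands interpolate `#{member}`, `#{@service_account}`, `#{@google_project}` and `#{role}` directly into a shell string, and the new `--condition=None` lines extend those strings without addressing it; where these values come from is outside the hunks, but any shell metacharacter in them would be interpreted by the shell. Escaping each value, e.g. `--member #{member.shellescape}` after `require "shellwords"`, or passing an argument array if `sh` supports one, removes the dependence on well-formed input. `--condition=None` is also hard-coded, so every binding is added unconditionally; a one-line comment stating that this is deliberate (presumably to stop gcloud prompting when the policy already has conditional bindings) would help the next reader. This applies to both hunks (new lines 43 and 74), and both enclosing methods start outside them.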
@@ -1,3 +1,4 @@
|
|
1
|
+
require "google-cloud-resource_manager"
|
1
2
|
require "google-cloud-secret_manager"
|
2
3
|
require "google/cloud/container"
|
3
4
|
|
@@ -14,6 +15,11 @@ module KubesGoogle
|
|
14
15
|
Google::Cloud::SecretManager.secret_manager_service
|
15
16
|
end
|
16
17
|
memoize :secret_manager_service
|
18
|
+
|
19
|
+
def resource_manager
|
20
|
+
Google::Cloud.new.resource_manager
|
21
|
+
end
|
22
|
+
memoize :resource_manager
|
17
23
|
end
|
18
24
|
end
|
19
25
|
|
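Review bot: `resource_manager` on new lines 19-22 has no comment saying which credentials it uses or what access it needs. `Google::Cloud.new` is called without a project or key file, so it presumably falls back to the ambient default credentials, and the identity running kubes now needs permission to read the project in addition to its Secret Manager access. I would add `# Uses the ambient default credentials; the caller needs read access to the project (e.g. resourcemanager.projects.get).` above the method so operators can grant only what is required. The enclosing module starts outside the hunk.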
data/lib/kubes_google/version.rb
CHANGED
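--- a/data/lib/kubes_google.rb
+++ b/data/lib/kubes_google.rb
@@ -6,6 +6,7 @@ KubesGoogle::Autoloader.setup
 
 module KubesGoogle
 class Error < StandardError; end
+class VpnSslError < StandardError; end
 
 @@logger = nil
 def logger
@@ -35,6 +36,10 @@ module KubesGoogle
 Config.instance.config
 end
 
+def cloudbuild?
+!!ENV['BUILDER_OUTPUT'] # cloudbuild env vars: https://gist.github.com/tongueroo/7ae26abd60d30da3972e86b4e7ca315e
+end
+
 extend self
 end
 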
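Review bot: `VpnSslError` on new line 9 inherits from `StandardError` rather than the gem's own `Error`, so code that rescues `KubesGoogle::Error` will not catch it; `class VpnSslError < Error; end` keeps the hierarchy consistent. In the second hunk, `cloudbuild?` treats the mere presence of `ENV['BUILDER_OUTPUT']` as evidence of running in Cloud Build. That is fine as a convenience hint, but the variable can be set in any environment, so it should not gate anything security-relevant; a comment such as `# Heuristic only: BUILDER_OUTPUT can be set in any environment.` would record that. The module body continues outside both hunks.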
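--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubes_google
 version: !ruby/object:Gem::Version
-version: 0.3.
+version: 0.3.8
 platform: ruby
 authors:
 - Tung Nguyen
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2022-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -38,6 +38,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
+- !ruby/object:Gem::Dependency
+name: google-cloud-resource_manager
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: google-cloud-secret_manager
 requirement: !ruby/object:Gem::Requirement
@@ -146,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Kubes Google Helpers Library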