kubes_google 0.1.2 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 64cbb6d5f91c9d194e47f9695b79802c5615367afe6464933b83bb59d9dfc418
4
- data.tar.gz: 6d3d98f419a73dd8117dc87cfd0adf43e40e2e9feef447c8bbcfe5867b1410c9
3
+ metadata.gz: d795d19cc6f90fc23eb69f9e93a2e04993ce14d8681634961fb8ef349c95fd7c
4
+ data.tar.gz: 3acb4ab90062ac61f1e1a82cbe70319ea0086d7fcd9490bd290cc92fc0141683
5
5
  SHA512:
6
- metadata.gz: 500425e494045b16a68672ad80c6d2157fc3a0dcd501c627850c6b3432dd95bec3dba727d31a7bed59d17be128366c4056bccb788d398659032b57afeb6b13e1
7
- data.tar.gz: 679203c3c148448bfab87162c5267d1403e4f37c5f3dfd6e01bcf042dc7d4453e1919199037092651c807bb774b7a4afb6348f63603146463f552983c5e2c29e
6
+ metadata.gz: 8048442e2abd946050b7740f1c7f60b7d528a18464e779f9a677cc41ed67182b218f44852096ab65558616c5b1bd3b293b2ca6b164dee12808d575ca1227c607
7
+ data.tar.gz: ae2add8d4baf621d40174eca105add4df3a752d0a27873f50ae1b97e830d601ad95c65b12e976f0320e2bbf60cd4866249dda677078bd17134ad639354856e49
@@ -3,6 +3,10 @@
3
3
  All notable changes to this project will be documented in this file.
4
4
  This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
5
5
 
6
+ ## [0.2.0]
7
+ - #2 add google_secret helper and register plugin
8
+ - fix GOOGLE_PROJECT check
9
+
6
10
  ## [0.1.2]
7
11
  - #1 base64 option
8
12
 
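Review bot: the `## [0.2.0]` entry does not mention that the new `google_secret` helper base64-encodes values by default (`Fetcher` sets `@base64` to true when the option is nil), while `Secrets.new` keeps `base64: false`; since the two defaults differ, spell that out here, e.g. `- #2 add google_secret helper (base64 encodes by default) and register plugin`.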
data/README.md CHANGED
@@ -8,119 +8,7 @@
8
8
 
9
9
  ## Usage
10
10
 
11
- The helpers include:
12
-
13
- * Secrets
14
- * Service Accounts
15
-
16
- ## Secrets
17
-
18
- Set up a [Kubes hook](https://kubes.guru/docs/config/hooks/kubes/).
19
-
20
- .kubes/config/hooks/kubes.rb
21
-
22
- ```ruby
23
- before("compile",
24
- execute: KubesGoogle::Secrets.new(upcase: true, prefix: 'projects/686010496118/secrets/demo-dev-')
25
- )
26
- ```
27
-
28
- Then set the secrets in the YAML:
29
-
30
- .kubes/resources/shared/secret.yaml
31
-
32
- ```yaml
33
- apiVersion: v1
34
- kind: Secret
35
- metadata:
36
- name: demo
37
- labels:
38
- app: demo
39
- data:
40
- <% KubesGoogle::Secrets.data.each do |k,v| -%>
41
- <%= k %>: <%= base64(v) %>
42
- <% end -%>
43
- ```
44
-
45
- This results in Google secrets with the prefix the `demo-dev-` being added to the Kubernetes secret data. The values are automatically base64 encoded.
46
-
47
- For example if you have these secret values:
48
-
49
- $ gcloud secrets versions access latest --secret demo-dev-db_user
50
- test1
51
- $ gcloud secrets versions access latest --secret demo-dev-db_pass
52
- test2
53
- $
54
-
55
- .kubes/output/shared/secret.yaml
56
-
57
- ```yaml
58
- metadata:
59
- namespace: demo
60
- name: demo-2a78a13682
61
- labels:
62
- app: demo
63
- apiVersion: v1
64
- kind: Secret
65
- data:
66
- db_pass: dGVzdDEK
67
- db_user: dGVzdDIK
68
- ```
69
-
70
- These environment variables can be set:
71
-
72
- Name | Description
73
- ---|---
74
- GCP_SECRET_PREFIX | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`.
75
- GOOGLE_PROJECT | Google project id.
76
-
77
- Secrets#initialize options:
78
-
79
- Variable | Description | Default
80
- ---|---|---
81
- base64 | Automatically base64 encode the values. | false
82
- upcase | Automatically upcase the Kubernetes secret data keys. | false
83
- prefix | Prefixed used to list and filter Google secrets. IE: `projects/686010496118/secrets/demo-dev-`. Can also be set with the `GCP_SECRET_PREFIX` env variable. The env variable takes the highest precedence. | nil
84
-
85
- Note, Kubernetes secrets are only base64 encoded. So users who have access to read Kubernetes secrets will be able to decode and get the value trivially. Depending on your security posture requirements, this may or may not suffice.
86
-
87
- ## Service Accounts
88
-
89
- This library can also be used to automatically create Google Service Accounts associated with the [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity).
90
-
91
- Here's a Kubes hook that creates a service account:
92
-
93
- .kubes/config/hooks/kubes.rb
94
-
95
- ```ruby
96
- service_account = KubesGoogle::ServiceAccount.new(
97
- app: "demo",
98
- namespace: "demo-#{Kubes.env}", # defaults to APP-ENV when not set. IE: demo-dev
99
- roles: ["cloudsql.client", "secretmanager.viewer"], # defaults to empty when not set
100
- )
101
- before("apply",
102
- label: "create service account",
103
- execute: service_account,
104
- )
105
- ```
106
-
107
- The role permissions are currently always added to the existing permissions. So removing roles that were previously added does not remove them.
108
-
109
- ServiceAccount#initialize options:
110
-
111
- Variable | Description | Default
112
- ---|---|---
113
- app | The app name. It's used to conventionally set other variables. This is required. | nil
114
- gsa | The Google Service Account name. The conventional name is APP-ENV. IE: demo-dev. | APP-ENV
115
- ksa | The Kubernetes Service Account name. The conventional name is APP. IE: demo | APP
116
- namespace | The Kubernetes namespace. Defaults to the APP-ENV. IE: demo-dev. | APP-ENV
117
- roles | Google IAM roles to add. This adds permissions to the Google service account. | []
118
-
119
- Notes:
120
-
121
- * By default, `KubeGoogle.logger = Kubes.logger`. This means, you can set `logger.level = "debug"` in `.kubes/config.rb` to see more details.
122
- * The `gcloud` cli is used to create IAM roles. So `gcloud` is required.
123
- * Note: Would like to use the google sdk, but it wasn't obvious how to do so. PRs are welcomed.
11
+ For more detailed usage instructions refer to the [Kubes Helpers docs](https://kubes.guru/docs/helpers/google/).
124
12
 
125
13
  ## Contributing
126
14
 
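Review bot: the removed README text carried two operational caveats that a bare link can lose if the external docs change: that Kubernetes Secrets are only base64 encoded, so anyone able to read the Secret can decode the values trivially, and that `GCP_SECRET_PREFIX` takes precedence over the `prefix:` option. Keep at least the base64 note next to the new link, e.g. `Note: Kubernetes secrets are only base64 encoded, so anyone with read access to the Secret can decode the values.`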
@@ -18,3 +18,5 @@ module KubesGoogle
18
18
 
19
19
  extend self
20
20
  end
21
+
22
+ Kubes::Plugin.register(KubesGoogle)
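Review bot: `Kubes::Plugin.register(KubesGoogle)` runs at require time, so loading this gem now raises `NameError` unless `kubes` has already been required, and requiring the gem gains a side effect. Either require `kubes` above this line or guard it, e.g. `Kubes::Plugin.register(KubesGoogle) if defined?(Kubes::Plugin)`, and document the load-order expectation.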
@@ -0,0 +1,11 @@
1
+ module KubesGoogle
2
+ module Helpers
3
+ extend Memoist
4
+ include Services
5
+
6
+ def google_secret(name, options={})
7
+ fetcher = Secrets::Fetcher.new(options)
8
+ fetcher.fetch(name)
9
+ end
10
+ end
11
+ end
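Review bot: `extend Memoist` in `Helpers` is unused (nothing in the module is memoized), and because `google_secret` builds a new `Secrets::Fetcher` on every call, the `secret_manager_service` client that `Services` memoizes per instance is recreated for each secret referenced in a template; consider caching the fetcher per options set or holding one client at module level. A short comment on the helper would also help callers, since the only option `Fetcher` reads is `:base64`, which defaults to true here, e.g. `# google_secret("demo-dev-db_pass") # base64-encoded by default; pass base64: false for the raw value`.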
@@ -4,8 +4,8 @@ module KubesGoogle
4
4
  class Secrets
5
5
  def initialize(upcase: false, base64: false, prefix: nil)
6
6
  @upcase, @base64 = upcase, base64
7
- @prefix = ENV['GCP_SECRET_PREFIX'] || prefix || raise("GOOGLE_PROJECT env variable is not set. It's required.")
8
- @project_id = ENV['GOOGLE_PROJECT']
7
+ @prefix = ENV['GCP_SECRET_PREFIX'] || prefix
8
+ @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
9
9
  # IE: prefix: projects/686010496118/secrets/demo-dev-
10
10
  end
11
11
 
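Review bot: after this fix `@prefix` may legitimately be nil (neither `GCP_SECRET_PREFIX` nor `prefix:` given), but the filter further down, `next unless secret.name.include?(@prefix)`, then raises `TypeError: no implicit conversion of nil into String` on the first listed secret instead of a clear message. Add an explicit check alongside the project one, e.g. `@prefix = ENV['GCP_SECRET_PREFIX'] || prefix || raise("prefix option or GCP_SECRET_PREFIX env variable is required")`.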
@@ -13,7 +13,7 @@ module KubesGoogle
13
13
  client = Google::Cloud::SecretManager.secret_manager_service
14
14
 
15
15
  parent = "projects/#{@project_id}"
16
- resp = client.list_secrets(parent: parent, page_size: 1)
16
+ resp = client.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
17
17
  resp.each do |secret|
18
18
  next unless secret.name.include?(@prefix)
19
19
  version = client.access_secret_version(name: "#{secret.name}/versions/latest")
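Review bot: `secret.name.include?(@prefix)` is a substring match, so a prefix such as `projects/686010496118/secrets/demo-dev-` also matches any secret whose full resource name merely contains that text; `secret.name.start_with?(@prefix)` expresses the intended prefix filter. On the `page_size` comment: `list_secrets` returns a paged enumerable and `resp.each` walks every page, so `page_size` controls how many results are fetched per request rather than how many are iterated in total, which is why it appeared to be ignored.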
@@ -0,0 +1,41 @@
1
+ class KubesGoogle::Secrets
2
+ class Fetcher
3
+ include KubesGoogle::Logging
4
+ include KubesGoogle::Services
5
+
6
+ def initialize(options={})
7
+ @options = options
8
+ @base64 = options[:base64].nil? ? true : options[:base64]
9
+ @project_id = ENV['GOOGLE_PROJECT'] || raise("GOOGLE_PROJECT env variable is not set. It's required.")
10
+ end
11
+
12
+ def fetch(short_name)
13
+ value = fetch_value(short_name)
14
+ value = Base64.strict_encode64(value).strip if @base64
15
+ value
16
+ end
17
+
18
+ def fetch_value(short_name)
19
+ name = "projects/#{project_number}/secrets/#{short_name}/versions/latest"
20
+ version = secret_manager_service.access_secret_version(name: name)
21
+ version.payload.data
22
+ rescue Google::Cloud::NotFoundError => e
23
+ logger.info "WARN: secret #{name} not found".color(:yellow)
24
+ logger.info e.message
25
+ "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
26
+ end
27
+
28
+ # TODO: Get the project from the list project api instead. Unsure where the docs are for this.
29
+ # If someone knows, let me know.
30
+ # Right now grabbing the first secret to then be able to get the google project number
31
+ @@project_number = nil
32
+ def project_number
33
+ return @@project_number if @@project_number
34
+
35
+ parent = "projects/#{@project_id}"
36
+ resp = secret_manager_service.list_secrets(parent: parent) # note: page_size doesnt seem to get respected
37
+ name = resp.first.name # IE: projects/686010496118/secrets/demo-dev-db_host
38
+ @@project_number = name.split('/')[1]
39
+ end
40
+ end
41
+ end
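Review bot: `fetch_value` fails open on `Google::Cloud::NotFoundError`: a missing secret becomes the literal string `NOT FOUND <name>`, which `fetch` then base64-encodes and the template writes into the Kubernetes Secret, so a typo in a secret name deploys a bogus value while the only signal is a `logger.info` line prefixed WARN. Raise by default (or add an explicit `allow_missing:` option) and log at `warn` level. Two smaller points in the same hunk: `project_number` calls `resp.first.name`, which raises `NoMethodError` on nil when the project has no secrets yet, and `Base64.strict_encode64` needs `require "base64"`, which is not in this file.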
@@ -0,0 +1,13 @@
1
+ require "google-cloud-secret_manager"
2
+
3
+ module KubesGoogle
4
+ module Services
5
+ extend Memoist
6
+
7
+ def secret_manager_service
8
+ Google::Cloud::SecretManager.secret_manager_service
9
+ end
10
+ memoize :secret_manager_service
11
+ end
12
+ end
13
+
@@ -1,3 +1,3 @@
1
1
  module KubesGoogle
2
- VERSION = "0.1.2"
2
+ VERSION = "0.2.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kubes_google
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Tung Nguyen
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-10-14 00:00:00.000000000 Z
11
+ date: 2020-11-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -83,9 +83,12 @@ files:
83
83
  - kubes_google.gemspec
84
84
  - lib/kubes_google.rb
85
85
  - lib/kubes_google/autoloader.rb
86
+ - lib/kubes_google/helpers.rb
86
87
  - lib/kubes_google/logging.rb
87
88
  - lib/kubes_google/secrets.rb
89
+ - lib/kubes_google/secrets/fetcher.rb
88
90
  - lib/kubes_google/service_account.rb
91
+ - lib/kubes_google/services.rb
89
92
  - lib/kubes_google/version.rb
90
93
  homepage: https://github.com/boltops-tools/kubes_google
91
94
  licenses:
@@ -107,7 +110,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
107
110
  - !ruby/object:Gem::Version
108
111
  version: '0'
109
112
  requirements: []
110
- rubygems_version: 3.1.2
113
+ rubygems_version: 3.1.4
111
114
  signing_key:
112
115
  specification_version: 4
113
116
  summary: Kubes Google Helpers Library