kubes_google 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/kubes_google.gemspec +3 -0
- data/lib/hooks/kubes.rb +14 -0
- data/lib/kubes_google.rb +19 -0
- data/lib/kubes_google/config.rb +23 -0
- data/lib/kubes_google/gke.rb +99 -0
- data/lib/kubes_google/hooks.rb +7 -0
- data/lib/kubes_google/services.rb +6 -0
- data/lib/kubes_google/version.rb +1 -1
- metadata +34 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c2b41e672639ece65b0c749581b7321b30a48213744e28aa63e3e71bf6cf3fd3
|
|
4
|
+
data.tar.gz: 0b4006a22492fb1424c3d45b880f9a784deee99d824e986fb7a52e835196f955
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 139e70fe3e151df3fcefa12a4a8d7a7a45b08bc62909815b4be865906e7400f1c5141a42e41331b13aa774b6f04caca3d06a7a882c6a486646047d11a0d09a3f
|
|
7
|
+
data.tar.gz: 9c6058c9157f05a8be7aa662fedc71ada94171e7c4fe5086552c68743a683467a2247fa549d2217f6017ea3ed84fdc80cf18f85a2a2f934753546d95d93af943
|
data/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [0.3.0]
|
|
7
|
+
- #3 gke hook to whitelist ip
|
|
8
|
+
|
|
6
9
|
## [0.2.0]
|
|
7
10
|
- #2 add google_secret helper and register plugin
|
|
8
11
|
- fix GOOGLE_PROJECT check
|
data/kubes_google.gemspec
CHANGED
|
@@ -23,7 +23,10 @@ Gem::Specification.new do |spec|
|
|
|
23
23
|
spec.require_paths = ["lib"]
|
|
24
24
|
|
|
25
25
|
spec.add_dependency "activesupport"
|
|
26
|
+
spec.add_dependency "google-cloud-container"
|
|
26
27
|
spec.add_dependency "google-cloud-secret_manager"
|
|
27
28
|
spec.add_dependency "memoist"
|
|
28
29
|
spec.add_dependency "zeitwerk"
|
|
30
|
+
|
|
31
|
+
spec.add_development_dependency "kubes"
|
|
29
32
|
end
|
data/lib/hooks/kubes.rb
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
gke = KubesGoogle::Gke.new(
|
|
2
|
+
name: KubesGoogle.config.gke.cluster_name,
|
|
3
|
+
whitelist_ip: KubesGoogle.config.gke.whitelist_ip,
|
|
4
|
+
)
|
|
5
|
+
|
|
6
|
+
before("apply",
|
|
7
|
+
label: "gke whitelist hook",
|
|
8
|
+
execute: gke.method(:allow).to_proc,
|
|
9
|
+
)
|
|
10
|
+
|
|
11
|
+
after("apply",
|
|
12
|
+
label: "gke whitelist hook",
|
|
13
|
+
execute: gke.method(:deny).to_proc,
|
|
14
|
+
)
|
data/lib/kubes_google.rb
CHANGED
|
@@ -16,6 +16,25 @@ module KubesGoogle
|
|
|
16
16
|
@@logger = v
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
+
# Friendlier method configure.
|
|
20
|
+
#
|
|
21
|
+
# .kubes/config/env/dev.rb
|
|
22
|
+
# .kubes/config/plugins/google.rb # also works
|
|
23
|
+
#
|
|
24
|
+
# Example:
|
|
25
|
+
#
|
|
26
|
+
# KubesGoogle.configure do |config|
|
|
27
|
+
# config.hooks.gke_whitelist = true
|
|
28
|
+
# end
|
|
29
|
+
#
|
|
30
|
+
def configure(&block)
|
|
31
|
+
Config.instance.configure(&block)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def config
|
|
35
|
+
Config.instance.config
|
|
36
|
+
end
|
|
37
|
+
|
|
19
38
|
extend self
|
|
20
39
|
end
|
|
21
40
|
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
module KubesGoogle
|
|
2
|
+
class Config
|
|
3
|
+
include Singleton
|
|
4
|
+
|
|
5
|
+
def defaults
|
|
6
|
+
c = ActiveSupport::OrderedOptions.new
|
|
7
|
+
c.gke = ActiveSupport::OrderedOptions.new
|
|
8
|
+
c.gke.cluster_name = nil
|
|
9
|
+
c.gke.enable_hooks = nil # nil since need cluster_name also. setting to false will explicitly disable hooks
|
|
10
|
+
c.gke.whitelist_ip = nil # default will auto-detect IP
|
|
11
|
+
c
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
@@config = nil
|
|
15
|
+
def config
|
|
16
|
+
@@config ||= defaults
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def configure
|
|
20
|
+
yield(config)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -0,0 +1,99 @@
|
|
|
1
|
+
require 'open-uri'
|
|
2
|
+
|
|
3
|
+
module KubesGoogle
|
|
4
|
+
class Gke
|
|
5
|
+
extend Memoist
|
|
6
|
+
include Logging
|
|
7
|
+
include Services
|
|
8
|
+
|
|
9
|
+
def initialize(name:, whitelist_ip: nil)
|
|
10
|
+
@name, @whitelist_ip = name, whitelist_ip
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def allow
|
|
14
|
+
return unless enabled?
|
|
15
|
+
logger.debug "Updating cluster. Adding IP: #{ip}"
|
|
16
|
+
update_cluster(cidr_blocks(:with_whitelist))
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def deny
|
|
20
|
+
return unless enabled?
|
|
21
|
+
logger.debug "Updating cluster. Removing IP: #{ip}"
|
|
22
|
+
update_cluster(cidr_blocks(:without_whitelist))
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# Setting the cluster name is enough to enable the hooks
|
|
26
|
+
def enabled?
|
|
27
|
+
enable = KubesGoogle.config.gke.enable_hooks
|
|
28
|
+
enable = enable.nil? ? true : enable
|
|
29
|
+
# gke = KubesGoogle::Gke.new(name: KubesGoogle.config.gke.cluster_name)
|
|
30
|
+
# so @name = KubesGoogle.config.gke.cluster_name
|
|
31
|
+
!!(enable && @name)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def update_cluster(cidr_blocks)
|
|
35
|
+
resp = cluster_manager.update_cluster(
|
|
36
|
+
name: @name,
|
|
37
|
+
update: {
|
|
38
|
+
desired_master_authorized_networks_config: {
|
|
39
|
+
cidr_blocks: cidr_blocks,
|
|
40
|
+
enabled: true,
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
)
|
|
44
|
+
operation_name = resp.self_link.sub(/.*projects/,'projects')
|
|
45
|
+
wait_for(operation_name)
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def wait_for(operation_name)
|
|
49
|
+
resp = cluster_manager.get_operation(name: operation_name)
|
|
50
|
+
until resp.status != :RUNNING do
|
|
51
|
+
sleep 5
|
|
52
|
+
resp = cluster_manager.get_operation(name: operation_name)
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
def cidr_blocks(type)
|
|
57
|
+
# so we dont keep adding duplicates
|
|
58
|
+
old = old_cidrs.reject do |x|
|
|
59
|
+
x[:display_name] == new_cidr[:display_name] &&
|
|
60
|
+
x[:cidr_block] == new_cidr[:cidr_block]
|
|
61
|
+
end
|
|
62
|
+
if type == :with_whitelist
|
|
63
|
+
old + [new_cidr]
|
|
64
|
+
else
|
|
65
|
+
old
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def old_cidrs
|
|
70
|
+
resp = cluster_manager.get_cluster(name: @name)
|
|
71
|
+
config = resp.master_authorized_networks_config.to_h
|
|
72
|
+
config[:cidr_blocks]
|
|
73
|
+
end
|
|
74
|
+
memoize :old_cidrs
|
|
75
|
+
|
|
76
|
+
def new_cidr
|
|
77
|
+
{
|
|
78
|
+
display_name: "added-by-kubes-google",
|
|
79
|
+
cidr_block: ip,
|
|
80
|
+
}
|
|
81
|
+
end
|
|
82
|
+
memoize :new_cidr
|
|
83
|
+
|
|
84
|
+
def ip
|
|
85
|
+
@whitelist_ip || current_ip
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
def current_ip
|
|
89
|
+
resp = URI.open("http://ifconfig.me")
|
|
90
|
+
ip = resp.read
|
|
91
|
+
"#{ip}/32"
|
|
92
|
+
rescue SocketError => e
|
|
93
|
+
logger.info "WARN: #{e.message}"
|
|
94
|
+
logger.info "Unable to detect current ip. Will use 0.0.0.0/0"
|
|
95
|
+
"0.0.0.0/0"
|
|
96
|
+
end
|
|
97
|
+
memoize :current_ip
|
|
98
|
+
end
|
|
99
|
+
end
|
|
@@ -1,9 +1,15 @@
|
|
|
1
1
|
require "google-cloud-secret_manager"
|
|
2
|
+
require "google/cloud/container"
|
|
2
3
|
|
|
3
4
|
module KubesGoogle
|
|
4
5
|
module Services
|
|
5
6
|
extend Memoist
|
|
6
7
|
|
|
8
|
+
def cluster_manager
|
|
9
|
+
Google::Cloud::Container.cluster_manager
|
|
10
|
+
end
|
|
11
|
+
memoize :cluster_manager
|
|
12
|
+
|
|
7
13
|
def secret_manager_service
|
|
8
14
|
Google::Cloud::SecretManager.secret_manager_service
|
|
9
15
|
end
|
data/lib/kubes_google/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kubes_google
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-11-
|
|
11
|
+
date: 2020-11-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -24,6 +24,20 @@ dependencies:
|
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '0'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: google-cloud-container
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ">="
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '0'
|
|
34
|
+
type: :runtime
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
27
41
|
- !ruby/object:Gem::Dependency
|
|
28
42
|
name: google-cloud-secret_manager
|
|
29
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -66,6 +80,20 @@ dependencies:
|
|
|
66
80
|
- - ">="
|
|
67
81
|
- !ruby/object:Gem::Version
|
|
68
82
|
version: '0'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: kubes
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - ">="
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '0'
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - ">="
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: '0'
|
|
69
97
|
description:
|
|
70
98
|
email:
|
|
71
99
|
- tung@boltops.com
|
|
@@ -81,9 +109,13 @@ files:
|
|
|
81
109
|
- README.md
|
|
82
110
|
- Rakefile
|
|
83
111
|
- kubes_google.gemspec
|
|
112
|
+
- lib/hooks/kubes.rb
|
|
84
113
|
- lib/kubes_google.rb
|
|
85
114
|
- lib/kubes_google/autoloader.rb
|
|
115
|
+
- lib/kubes_google/config.rb
|
|
116
|
+
- lib/kubes_google/gke.rb
|
|
86
117
|
- lib/kubes_google/helpers.rb
|
|
118
|
+
- lib/kubes_google/hooks.rb
|
|
87
119
|
- lib/kubes_google/logging.rb
|
|
88
120
|
- lib/kubes_google/secrets.rb
|
|
89
121
|
- lib/kubes_google/secrets/fetcher.rb
|