sparse-intern-71089
12/03/2018, 11:09 PMmost-pager-38056
12/03/2018, 11:13 PMmost-pager-38056
12/03/2018, 11:18 PMconst clusterRole = new k8s.rbac.v1.ClusterRole(
'cluster-role-name',
{
// options here...
},
{
provider: k8sProvider,
},
);
faint-motherboard-95438
12/03/2018, 11:21 PMClusterRole
is made by a helm Chart and it seems that passing the provider to a k8s.helm.v2.Chart
does not change the problem
most-pager-38056
12/03/2018, 11:24 PMkubernetes
key.
// A Helm Chart is a component resource: instead of `provider`, it takes a
// `providers` map keyed by package name (`kubernetes` here), which is then
// applied to the Kubernetes resources the chart creates.
const chart = new k8s.helm.v2.Chart(
  'chart-name',
  {
    // options...
  },
  { providers: { kubernetes: k8sProvider } },
);
Is that how you are doing it?
faint-motherboard-95438
12/03/2018, 11:29 PMcreamy-potato-29402
12/03/2018, 11:30 PMcreamy-potato-29402
12/03/2018, 11:31 PMfaint-motherboard-95438
12/03/2018, 11:32 PMcreamy-potato-29402
12/03/2018, 11:37 PMcreamy-potato-29402
12/03/2018, 11:39 PM// The ServiceAccount that will manage Kubernetes resources as part of CI.
export const gcpServiceAccount = new gcp.serviceAccount.Account(`${config.appName}`, {
accountId: config.appName,
displayName: "Test CI"
});
// The key that we will place in the Travis CI using `travis encrypt`.
export const gcpServiceAccountKey = new gcp.serviceAccount.Key(config.appName, {
serviceAccountId: gcpServiceAccount.name
});
export const testCiRole = new gcp.projects.IAMCustomRole(config.appName, {
roleId: "testci",
title: "Test CI role",
project: config.project,
permissions: [...]
});
// Grants the ServiceAccount the ability to use the gcloud container API.
export const gcpCiRole = new gcp.projects.IAMBinding(config.appName, {
// role: "projects/pulumi-development/roles/KubernetesTestCIRole",
role: testCiRole.id,
members: [gcpServiceAccount.email.apply(email => `serviceAccount:${email}`)]
});
// Grants the ServiceAccount the ability to use the gcloud container API.
const saUser = new gcp.projects.IAMBinding(`${config.appName}-sa`, {
role: "roles/iam.serviceAccountUser",
members: [gcpServiceAccount.email.apply(email => `serviceAccount:${email}`)]
});
// Grant the ServiceAccount admin permissions inside the Kubernetes cluster.
export const k8sRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(
"cluster-admin-binding",
{
metadata: { name: "cluster-admin-binding" },
roleRef: {
apiGroup: "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>",
kind: "ClusterRole",
name: "cluster-admin"
},
subjects: [
{ apiGroup: "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>", kind: "User", name: gcpServiceAccount.email }
]
},
{ provider: k8sProvider }
);
export const clientSecret = gcpServiceAccountKey.privateKey.apply(key =>
JSON.parse(Buffer.from(key, "base64").toString("ascii"))
);
faint-motherboard-95438
12/03/2018, 11:43 PMcreamy-potato-29402
12/03/2018, 11:47 PMfaint-motherboard-95438
12/03/2018, 11:47 PMcreamy-potato-29402
12/03/2018, 11:48 PMfaint-motherboard-95438
12/04/2018, 5:21 PMfaint-motherboard-95438
12/04/2018, 7:06 PMkubeconfig
to the k8sProvider
, and I’m kind of lost on what I should put in it to authenticate the serviceAccount I use and to whom I have granted the permissions I needed. By default it uses the kubectl
active config and if I put
# kubeconfig user stanza that delegates token acquisition to the local `gcloud`
# CLI: the access token and its expiry are read out of `gcloud config
# config-helper` output, so kubectl acts as whatever account gcloud is logged in
# as (not as a service account configured inside the Pulumi program).
# NOTE(review): this in-tree `gcp` auth-provider has been removed from newer
# kubectl/client-go releases in favour of the exec-based gke-gcloud-auth-plugin.
auth-provider:
  config:
    cmd-args: config config-helper --format=json
    cmd-path: gcloud
    expiry-key: '{.credential.token_expiry}'
    token-key: '{.credential.access_token}'
  name: gcp
it uses the gcloud
config which is not what I want either.
I can’t find what I should put here, or where to get it. Could you help me with this one too?
creamy-potato-29402
12/04/2018, 7:50 PMgcloud
and use that as my k8s identity”creamy-potato-29402
12/04/2018, 7:51 PMimport * as k8s from "@pulumi/kubernetes";
import * as gcp from "@pulumi/gcp";
import { k8sProvider } from "./cluster";
import * as config from "./config";
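// The ServiceAccount that will manage Kubernetes resources as part of CI.
export const gcpServiceAccount = new gcp.serviceAccount.Account(`${config.appName}`, {
  accountId: config.appName,
  displayName: "Test CI"
});

// The key that we will place in the Travis CI using `travis encrypt`.
// NOTE(review): this is long-lived credential material — plan for rotation and
// keep the derived stack output (`clientSecret` below) treated as a secret.
export const gcpServiceAccountKey = new gcp.serviceAccount.Key(config.appName, {
  serviceAccountId: gcpServiceAccount.name
});

// IAM member string for the CI service account.
const serviceAccountMember = gcpServiceAccount.email.apply(email => `serviceAccount:${email}`);

// Grants the ServiceAccount the predefined Container Developer role on the project.
// NOTE(review): IAMBinding is authoritative for the role — any other member that
// already holds `roles/container.developer` on the project is removed by this
// binding. Use IAMMember to add a single member without touching the others.
export const gcpCiRole = new gcp.projects.IAMBinding(config.appName, {
  role: "roles/container.developer",
  members: [serviceAccountMember]
});

// Grant the ServiceAccount admin permissions inside the Kubernetes cluster.
// `cluster-admin` is the broadest built-in ClusterRole; prefer a narrower
// ClusterRole (or a namespaced Role) if CI does not need full cluster access.
export const k8sRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(
  "cluster-admin-binding",
  {
    metadata: { name: "cluster-admin-binding" },
    roleRef: {
      // The RBAC API group; the original paste carried a chat-client autolink here.
      apiGroup: "rbac.authorization.k8s.io",
      kind: "ClusterRole",
      name: "cluster-admin"
    },
    subjects: [
      // Assumes the cluster maps the gcloud-authenticated service account to a
      // User named by its email — confirm against the cluster's auth setup.
      { apiGroup: "rbac.authorization.k8s.io", kind: "User", name: gcpServiceAccount.email }
    ]
  },
  { provider: k8sProvider }
);

// The decoded JSON key file, exposed as a stack output so CI can be bootstrapped.
// NOTE(review): confirm this output is a secret in your Pulumi version so the
// key is encrypted in state and redacted from `pulumi stack output` by default.
export const clientSecret = gcpServiceAccountKey.privateKey.apply(key =>
  JSON.parse(Buffer.from(key, "base64").toString("ascii"))
);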
creamy-potato-29402
12/04/2018, 7:52 PMpulumi stack output clientSecret > client-secret.json
gcloud auth activate-service-account --key-file client-secret.json
creamy-potato-29402
12/04/2018, 7:53 PMcreamy-potato-29402
12/04/2018, 7:53 PMfaint-motherboard-95438
12/04/2018, 7:59 PMpulumi up
, let it fail to get the clientSecret
, auth gcloud
manually with the newly created serviceAccount, then re-run pulumi up
to finish whatever failed previously? I would expect not to have to do the manual step
faint-motherboard-95438
12/04/2018, 8:02 PMauth-provider
method inside the kubeconfig
I would be able to configure inside pulumi with whatever is at my disposal to provide the right authentication in the k8sProvider
so everything would run in one shot.faint-motherboard-95438
12/04/2018, 8:02 PMcreamy-potato-29402
12/04/2018, 8:52 PMcreamy-potato-29402
12/04/2018, 8:53 PMcreamy-potato-29402
12/04/2018, 8:53 PMowner
in the GCP account. How do you register service accounts and roles for the rest of your org?creamy-potato-29402
12/04/2018, 8:53 PMowner
has to write a pulumi program with all that stuff, which bootstraps those roles.creamy-potato-29402
12/04/2018, 8:54 PMcreamy-potato-29402
12/04/2018, 8:54 PMowner
is deploying everything, from the infrastructure up, then you should have no problems because they are already the owner.creamy-potato-29402
12/04/2018, 8:55 PMcreamy-potato-29402
12/04/2018, 8:55 PMfaint-motherboard-95438
12/04/2018, 9:03 PMcreamy-potato-29402
12/04/2018, 9:03 PMcreamy-potato-29402
12/04/2018, 9:04 PMcreamy-potato-29402
12/04/2018, 9:04 PMcreamy-potato-29402
12/04/2018, 9:04 PMfaint-motherboard-95438
12/04/2018, 9:05 PMcreamy-potato-29402
12/04/2018, 9:05 PMcreamy-potato-29402
12/04/2018, 9:05 PMowner
you should have permission to do everything.faint-motherboard-95438
12/04/2018, 9:08 PMfaint-motherboard-95438
12/04/2018, 9:08 PMcreamy-potato-29402
12/04/2018, 9:08 PMcreamy-potato-29402
12/04/2018, 9:08 PM