@@ -14,16 +14,22 @@ helm repo add jetstack https://charts.jetstack.io
1414helm dependency build chart/jetstacksecure-mp
1515```
1616
17- ## Test
17+ ## Installing manually
1818
19- Note: although cert-manager's tags are of the form "v1.1.0", we chose to
20- use tags of the form "1.1.0" for the Google Marketplace for the sake of
21- consistency.
19+ In order to have the google-cas-issuer working, we need to enable [ workload
20+ identity] ( https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity ) .
21+ Let's create a cluster that has the workload identity enabled:
22+
23+ ``` sh
24+ gcloud container clusters create foo --region us-east1 --num-nodes=1 --preemptible \
25+ --workload-pool=$( gcloud config get-value project | tr ' :' ' /' ) .svc.id.goog
26+ ```
27+
28+ Re-publish the images to the project:
2229
2330``` sh
2431export REGISTRY=gcr.io/$( gcloud config get-value project | tr ' :' ' /' )
2532export APP_NAME=jetstack-secure
26-
2733docker pull quay.io/jetstack/cert-manager-controller:v1.1.0
2834docker pull quay.io/jetstack/cert-manager-cainjector:v1.1.0
2935docker pull quay.io/jetstack/cert-manager-webhook:v1.1.0
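Review bot: the `--workload-pool` value on new lines 24-25 reuses the `tr ':' '/'` rewrite that the `REGISTRY` export needs for gcr.io paths, but a workload pool is expected to be `PROJECT_ID.svc.id.goog`, so the rewrite is a no-op for ordinary project IDs and produces a name containing a slash for domain-scoped ones. I would drop the `tr` here and pass the project ID unchanged. The new section also says workload identity is needed for google-cas-issuer, yet it only turns the pool on at cluster creation. Please add (or link to) the step that binds the issuer's Kubernetes service account to a Google service account, and name which service account that is, so readers do not fall back to a broader credential to get it working. Minor: the cluster name `foo` and region `us-east1` are hardcoded here, while the Cloud Build section uses `GKE_CLUSTER_NAME` and `GKE_CLUSTER_LOCATION`; using the variables in both places would keep the two sets of instructions in sync.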
@@ -36,53 +42,71 @@ docker push $REGISTRY/$APP_NAME/cert-manager-controller:1.1.0
3642docker push $REGISTRY /$APP_NAME /cert-manager-cainjector:1.1.0
3743docker push $REGISTRY /$APP_NAME /cert-manager-webhook:1.1.0
3844docker push $REGISTRY /$APP_NAME /cert-manager-google-cas-issuer:0.1.0
45+ ```
3946
40- # Install mpdev:
41- docker run gcr.io/cloud-marketplace-tools/k8s/dev cat /scripts/dev > /tmp/mpdev && install /tmp/mpdev ~ /bin
47+ > Note: although cert-manager's tags are of the form "v1.1.0", we chose to
48+ > use tags of the form "1.1.0" for the Google Marketplace for the sake of
49+ > consistency.
4250
43- kubectl create namespace test
51+ Then, build and push the deployer image:
52+
53+ ``` sh
4454docker build --tag $REGISTRY /$APP_NAME /deployer .
4555docker push $REGISTRY /$APP_NAME /deployer
46- mpdev install --deployer=$REGISTRY /$APP_NAME /deployer --parameters=' {"name": "test", "namespace": "test"}'
4756```
4857
49- ## Google Cloud Build
50-
51- You can deploy the Google Market Place images and the deployer to
52- ` gcr.io/<PROJECT>/cert-manager ` using ` gcloud builds ` as follows:
58+ Finally, use ` mpdev ` to install jetstack-secure to the ` test ` namespace:
5359
5460``` sh
55- export GKE_CLUSTER_NAME=foo
56- export GKE_CLUSTER_LOCATION=us-east1
57- gcloud container clusters create $GKE_CLUSTER_NAME --region $GKE_CLUSTER_LOCATION --num-nodes=1 --preemptible
61+ # If you don't have it already, install mpdev:
62+ docker run gcr.io/cloud-marketplace-tools/k8s/dev cat /scripts/dev > /tmp/mpdev && install /tmp/mpdev ~ /bin
5863
59- gcloud builds submit --timeout 1800s --config cloudbuild.yaml \
60- --substitutions _CLUSTER_NAME=$GKE_CLUSTER_NAME ,_CLUSTER_LOCATION=$GKE_CLUSTER_LOCATION
64+ kubectl create ns test
65+ kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/master/crd/app-crd.yaml
66+ mpdev install --deployer=$REGISTRY /$APP_NAME /deployer --parameters=' {"name": "test", "namespace": "test"}'
6167```
6268
63- This will also verify the application using the [ Google Cloud Marketplace verification tool] ( https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/c5899a928a2ac8d5022463c82823284a9e63b177/scripts/verify ) .
69+ ## Releasing using Google Cloud Build
70+
71+ We use ` gcloud builds ` in order to automate the release process. Cloud
72+ Build re-publishes the cert-manager images to your project and builds,
73+ tests and pushs the deployer image.
6474
6575Requirements before running ` gcloud builds ` :
6676
67- 1 . Go to [ IAM and Admin > Permissions for
77+ 1 . a GCP account with [ workload-identity] [ ] enabled. To create a project
78+ with workload identity enabled, you can run:
79+
80+ ``` sh
81+ export GKE_CLUSTER_NAME=foo
82+ export GKE_CLUSTER_LOCATION=us-east1
83+ gcloud container clusters create $GKE_CLUSTER_NAME --region $GKE_CLUSTER_LOCATION --num-nodes=1 --preemptible \
84+ --workload-pool=$( gcloud config get-value project | tr ' :' ' /' ) .svc.id.goog
85+ ```
86+
87+ 2 . Go to [ IAM and Admin > Permissions for
6888 project] ( https://console.cloud.google.com/iam-admin/iam ) and configure
6989 the
` [email protected] ` service account with the
7090 following roles so that it has permission to deploy RBAC configuration
7191 to the target cluster and to publish it to a bucket:
7292 - ` Cloud Build Service Agent `
7393 - ` Kubernetes Engine Admin `
7494 - ` Storage Object Admin `
75- 2 . Create a bucket that has the same name as your project. To create it,
95+
96+ 3 . Create a bucket that has the same name as your project. To create it,
7697 run:
7798
7899 ``` sh
79100 gsutil mb gs://$( gcloud config get-value project | tr ' :' ' /' )
80101 ```
81102
82- ## Test google-cas-issuer helm chart manually
103+ Then, you can trigger a build:
83104
84105``` sh
85- kubectl create ns system
86- kubectl -n system apply -k https://github.com/jetstack/google-cas-issuer/config/rbac
87- helm upgrade --install --namespace system cas ./chart/jetstacksecure-mp/charts/google-cas-issuer --set image.tag=latest --set serviceAccount.name=default
106+ gcloud builds submit --timeout 1800s --config cloudbuild.yaml \
107+ --substitutions _CLUSTER_NAME=$GKE_CLUSTER_NAME ,_CLUSTER_LOCATION=$GKE_CLUSTER_LOCATION
88108```
109+
110+ This will also verify the application using the [ Google Cloud Marketplace verification tool] ( https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/c5899a928a2ac8d5022463c82823284a9e63b177/scripts/verify ) .
111+
112+ [ workload-identity ] : https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
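Review bot: the `kubectl apply -f` on new line 65 fetches `app-crd.yaml` from the `master` branch of marketplace-k8s-app-tools, so a cluster-scoped CRD is installed from whatever that branch holds at the time, while the verification tool link on new line 110 is pinned to commit `c5899a928a2ac8d5022463c82823284a9e63b177`. I would pin the CRD URL to the same commit so the install is reproducible and reviewable. The same applies to new line 62, where `gcr.io/cloud-marketplace-tools/k8s/dev` is pulled without a tag or digest and its `/scripts/dev` is installed into `~/bin`; pinning a tag or digest would help there too. Documentation points: requirement 1 (new lines 77-78) says "a GCP account" and "create a project" with workload identity enabled, but the command creates a cluster, so "a GKE cluster with workload identity enabled" would be accurate; "pushs" on new line 73 should be "pushes". The three roles granted to the Cloud Build service account in requirement 2 are broad, and a sentence on whether they can be scoped to the target cluster and bucket would be useful.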