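--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,2 @@
+# Doc: https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md#build-your-deployer-container
+FROM gcr.io/cloud-marketplace-tools/k8s/deployer_helm/onbuild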
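Review bot: The `FROM` line pulls `gcr.io/cloud-marketplace-tools/k8s/deployer_helm/onbuild` without a tag, so every build resolves to `:latest` and the deployer image is not reproducible; the Helm binary and the onbuild hooks that package the chart can change underneath this repository with no change to any tracked file. Pin it to a tag and, for releases, a digest: `FROM gcr.io/cloud-marketplace-tools/k8s/deployer_helm/onbuild:<tag>@sha256:<digest>` (both values are placeholders to be taken from the registry). The same untagged reference is used for `gcr.io/cloud-marketplace-tools/k8s/dev` in the README and in cloudbuild.yaml, so whatever tag is chosen here should be applied there too.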
75 changes: 75 additions & 0 deletions README.md
@@ -1 +1,76 @@

# jsp-gcm
=======

# deployer

## Update upstream cert-manager chart version

From
[building-deployer-helm.md](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md),
bump the version of the cert-manager chart in requirements.yaml. Then:

```sh
helm repo add jetstack https://charts.jetstack.io
helm dependency build chart/jetstacksecure-mp
```

=======
## Test

```sh
export REGISTRY=gcr.io/$(gcloud config get-value project | tr ':' '/')
export APP_NAME=jetstack-secure

docker pull quay.io/jetstack/cert-manager-controller:v1.1.0
docker pull quay.io/jetstack/cert-manager-cainjector:v1.1.0
docker pull quay.io/jetstack/cert-manager-webhook:v1.1.0
docker tag quay.io/jetstack/cert-manager-controller:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-controller:v1.1.0
docker tag quay.io/jetstack/cert-manager-cainjector:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-cainjector:v1.1.0
docker tag quay.io/jetstack/cert-manager-webhook:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-webhook:v1.1.0
docker push $REGISTRY/$APP_NAME/cert-manager-controller:v1.1.0
docker push $REGISTRY/$APP_NAME/cert-manager-cainjector:v1.1.0
docker push $REGISTRY/$APP_NAME/cert-manager-webhook:v1.1.0


# Install mpdev:
docker run gcr.io/cloud-marketplace-tools/k8s/dev cat /scripts/dev > /tmp/mpdev && install /tmp/mpdev ~/bin

kubectl create namespace test
docker build --tag $REGISTRY/$APP_NAME/deployer .
docker push $REGISTRY/$APP_NAME/deployer
mpdev install --deployer=$REGISTRY/$APP_NAME/deployer --parameters='{"name": "test", "namespace": "test"}'
```

## Google Cloud Build

You can deploy the Google Market Place images and the deployer to
`gcr.io/<PROJECT>/cert-manager` using `gcloud builds` as follows:

```sh
export GKE_CLUSTER_NAME=foo
export GKE_CLUSTER_LOCATION=us-east1
gcloud container clusters create $GKE_CLUSTER_NAME --region $GKE_CLUSTER_LOCATION --num-nodes=1 --preemptible

gcloud builds submit --timeout 1800s --config cloudbuild.yaml \
--substitutions _CLUSTER_NAME=$GKE_CLUSTER_NAME,_CLUSTER_LOCATION=$GKE_CLUSTER_LOCATION
```

This will also verify the application using the [Google Cloud Marketplace verification tool](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/c5899a928a2ac8d5022463c82823284a9e63b177/scripts/verify).

Requirements before running `gcloud builds`:

1. Go to [IAM and Admin > Permissions for
project](https://console.cloud.google.com/iam-admin/iam) and configure
the `[email protected]` service account with the
following roles so that it has permission to deploy RBAC configuration
to the target cluster and to publish it to a bucket:
- `Cloud Build Service Agent`
- `Kubernetes Engine Admin`
- `Storage Object Admin`
2. Create a bucket that has the same name as your project. To create it,
run:

```sh
gsutil mb gs://$(gcloud config get-value project | tr ':' '/')
```
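--- a/chart/jetstacksecure-mp/Chart.yaml
+++ b/chart/jetstacksecure-mp/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+engine: gotpl
+name: jetstacksecure-mp
+version: 1.1.0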
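Review bot: `apiVersion: v2` is the Helm 3 chart format, but the dependency is declared in `requirements.yaml`/`requirements.lock` and the `engine:` key is a Helm 2 (`apiVersion: v1`) field, so this chart mixes the two conventions. As far as I can tell Helm 3 still loads `requirements.yaml` for a v2 chart but logs a warning recommending migration, and ignores `engine`; if the onbuild deployer image is still Helm 2 based, `apiVersion: v2` is the part that is out of place instead — worth confirming which Helm the pinned deployer base ships. For a v2 chart the dependency belongs here as `dependencies:` with `name`, `version` and `repository` keys, and the lock file is named `Chart.lock`. A `description:` and an `appVersion:` matching the bundled cert-manager version would also help operators reading the chart metadata.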
Binary file not shown.
6 changes: 6 additions & 0 deletions chart/jetstacksecure-mp/requirements.lock
@@ -0,0 +1,6 @@
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.1.0
digest: sha256:66562ffe4776a5e7d644ce3c1425dedf74c6a9d01a8597fe1bea31604fa7e574
generated: "2021-01-26T09:00:53.279226+01:00"
4 changes: 4 additions & 0 deletions chart/jetstacksecure-mp/requirements.yaml
@@ -0,0 +1,4 @@
dependencies:
- name: cert-manager
version: 1.1.0
repository: https://charts.jetstack.io
34 changes: 34 additions & 0 deletions chart/jetstacksecure-mp/templates/application.yaml
@@ -0,0 +1,34 @@
# See API doc:
# https://github.com/kubernetes-sigs/application/blob/master/docs/api.md
apiVersion: app.k8s.io/v1beta1
kind: Application
metadata:
name: "{{ .Release.Name }}"
namespace: "{{ .Release.Namespace }}"
labels:
app.kubernetes.io/name: "{{ .Release.Name }}"
annotations:
marketplace.cloud.google.com/deploy-info: '{"partner_id": "partner", "product_id": "jetstack-secure-platform", "partner_name": "Jetstack"}'
spec:
descriptor:
type: Jetstack Secure Platform
version: "1.1.0"
selector:
matchLabels:
app.kubernetes.io/name: "{{ .Release.Name }}"
addOwnerRef: true
componentKinds:
- group: ""
kind: PersistentVolumeClaim
- group: ""
kind: Secret
- group: ""
kind: Service
- group: apps
kind: Deployment
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
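Review bot: `descriptor.version: "1.1.0"` is a second hard-coded copy of the chart version already in Chart.yaml, so the two will drift the first time the cert-manager chart is bumped per the README procedure; render it from the chart instead, `version: "{{ .Chart.Version }}"`. The `marketplace.cloud.google.com/deploy-info` annotation carries `"partner_id": "partner"`, which reads like a placeholder next to the concrete `product_id` and `partner_name` — please confirm it is the real partner id, since Marketplace keys the listing on it. Note the indentation of this file is not recoverable from the rendered view, so I have not checked nesting. I have not been able to verify from this diff that cluster-scoped kinds (the two webhook configurations and the CRDs) can carry an owner reference to a namespaced Application when `addOwnerRef: true`; worth a check against the Application controller docs linked at the top of the file.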
19 changes: 19 additions & 0 deletions chart/jetstacksecure-mp/values.yaml
@@ -0,0 +1,19 @@
# Note (1): why are serviceAccounts and RBAC disabled? While helm
# recommends that charts should create RBAC resources by default,
# Marketplace requires that charts must not create k8s service accounts or
# RBAC resources. See:
# https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md

cert-manager:
installCRDs: true
global:
rbac:
create: false # see note (1)
serviceAccount:
create: false # see note (1)
webhook:
serviceAccount:
create: false # see note (1)
cainjector:
serviceAccount:
create: false # see note (1)
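Review bot: Disabling `serviceAccount.create` for the controller, webhook and cainjector without setting a `serviceAccount.name` for each means the cert-manager pods will run under the namespace's `default` service account, which has none of the RBAC cert-manager needs and is shared with every other workload in the namespace. Note (1) explains why the chart must not create them, but the replacement is missing: the Marketplace-provisioned accounts (declared in schema.yaml, which is not in this diff) have to be wired in, e.g. `serviceAccount: {create: false, name: "{{ .Values.controllerServiceAccount }}"}` and likewise for `webhook.serviceAccount.name` and `cainjector.serviceAccount.name`, with the values fed from the deployer parameters. I would add that to the comment block so the next reader knows the accounts are expected to come from the schema rather than being unnecessary. `installCRDs: true` is fine for Marketplace but is worth a one-line comment, since it is the opposite of the chart's default.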
187 changes: 187 additions & 0 deletions cloudbuild.yaml
@@ -0,0 +1,187 @@
timeout: 1800s # 30m
substitutions:
_CLUSTER_NAME: cluster-1
_CLUSTER_LOCATION: europe-west2-b
_SOLUTION_NAME: cert-manager
_CERT_MANAGER_VERSION: 1.1.0
steps:
- id: pull-controller
name: gcr.io/cloud-builders/docker
args:
- pull
- quay.io/jetstack/cert-manager-controller:v${_CERT_MANAGER_VERSION}
waitFor: ["-"]

- id: pull-cainjector
name: gcr.io/cloud-builders/docker
args:
- pull
- quay.io/jetstack/cert-manager-cainjector:v${_CERT_MANAGER_VERSION}
waitFor: ["-"]

- id: pull-webhook
name: gcr.io/cloud-builders/docker
args:
- pull
- quay.io/jetstack/cert-manager-webhook:v${_CERT_MANAGER_VERSION}
waitFor: ["-"]

- id: tag-controller
name: gcr.io/cloud-builders/docker
args:
- tag
- quay.io/jetstack/cert-manager-controller:v${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_CERT_MANAGER_VERSION}
waitFor:
- pull-controller

- id: tag-cainjector
name: gcr.io/cloud-builders/docker
args:
- tag
- quay.io/jetstack/cert-manager-cainjector:v${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_CERT_MANAGER_VERSION}
waitFor:
- pull-cainjector

- id: tag-webhook
name: gcr.io/cloud-builders/docker
args:
- tag
- quay.io/jetstack/cert-manager-webhook:v${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_CERT_MANAGER_VERSION}
waitFor:
- pull-webhook

- id: build-deployer
name: gcr.io/cloud-builders/docker
args:
- build
- --tag
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION}
- "."
waitFor: ["-"]

- id: push-controller
name: gcr.io/cloud-builders/docker
args:
- push
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_CERT_MANAGER_VERSION}
waitFor:
- tag-controller

- id: push-cainjector
name: gcr.io/cloud-builders/docker
args:
- push
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_CERT_MANAGER_VERSION}
waitFor:
- tag-cainjector

- id: push-webhook
name: gcr.io/cloud-builders/docker
args:
- push
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_CERT_MANAGER_VERSION}
waitFor:
- tag-webhook

- id: push-deployer
name: gcr.io/cloud-builders/docker
args:
- push
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION}
waitFor:
- build-deployer

- id: gcloud-credentials
name: gcr.io/cloud-builders/gcloud
waitFor:
- "-"
entrypoint: bash
args:
- -exc
- |
gcloud container clusters get-credentials '${_CLUSTER_NAME}' --zone '${_CLUSTER_LOCATION}' --project '$PROJECT_ID'
mkdir -p /workspace/.kube/
cp -r $$HOME/.kube/ /workspace/
mkdir -p /workspace/.config/gcloud/
cp -r $$HOME/.config/gcloud/ /workspace/.config/

- id: install-app-crds
name: gcr.io/cloud-builders/gcloud
entrypoint: bash
args:
- -exc
- kubectl apply -f "https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/master/crd/app-crd.yaml"
waitFor:
- "gcloud-credentials"

- id: install-cloud-marketplace-tools
name: gcr.io/cloud-builders/docker
args:
- run
- --volume
- /workspace:/workspace
- gcr.io/cloud-marketplace-tools/k8s/dev
- sh
- -c
- |
cat /scripts/dev > "/workspace/cmpt"
chmod +x /workspace/cmpt
waitFor: ["-"]

- id: check-cloud-marketplace-tools
name: gcr.io/cloud-marketplace-tools/k8s/dev
env:
- "KUBE_CONFIG=/workspace/.kube"
- "GCLOUD_CONFIG=/workspace/.config/gcloud"
# Use local Docker network named cloudbuild as described here:
# https://cloud.google.com/cloud-build/docs/overview#build_configuration_and_build_steps
- "EXTRA_DOCKER_PARAMS=--net cloudbuild"
args:
- ./cmpt
- doctor
waitFor:
- gcloud-credentials
- install-cloud-marketplace-tools
- install-app-crds

- id: verify
name: gcr.io/cloud-marketplace-tools/k8s/dev
env:
- "KUBE_CONFIG=/workspace/.kube"
- "GCLOUD_CONFIG=/workspace/.config/gcloud"
# Use local Docker network named cloudbuild as described here:
# https://cloud.google.com/cloud-build/docs/overview#build_configuration_and_build_steps
- "EXTRA_DOCKER_PARAMS=--net cloudbuild"
args:
- ./cmpt
- verify
- --deployer=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION}
waitFor:
- check-cloud-marketplace-tools
- push-deployer
- push-controller
- push-cainjector
- push-webhook

- id: publish
name: gcr.io/cloud-marketplace-tools/k8s/dev
env:
- "KUBE_CONFIG=/workspace/.kube"
- "GCLOUD_CONFIG=/workspace/.config/gcloud"
- "EXTRA_DOCKER_PARAMS=--net cloudbuild"
args:
- ./cmpt
- publish
- --gcs_repo=gs://$PROJECT_ID
- --deployer_image=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION}
waitFor:
- verify

images:
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_CERT_MANAGER_VERSION}
- gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION}
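Review bot: The `install-app-crds` step applies the Application CRD straight from the `master` branch of marketplace-k8s-app-tools with a builder that holds Kubernetes Engine Admin on the target cluster, so whatever is on that branch at build time lands in the cluster unreviewed; the README pins the verify script to a commit, and this URL should be pinned the same way, `kubectl apply -f "https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/<commit>/crd/app-crd.yaml"` (`<commit>` is a placeholder). The same unpinned-input issue applies to `gcr.io/cloud-marketplace-tools/k8s/dev` in the `install-cloud-marketplace-tools`, `check-cloud-marketplace-tools`, `verify` and `publish` steps, where `/scripts/dev` is copied out and executed from an untagged image. Separately, `gcloud-credentials` copies `$HOME/.config/gcloud/` — the builder's service-account credentials — into `/workspace`, which every later step, including the third-party `dev` image mounted with `--volume /workspace:/workspace`, can read; if that is required by the tools' `GCLOUD_CONFIG` contract, a comment saying so and a final cleanup step would make the exposure deliberate rather than accidental. The `images:` list re-pushes the three cert-manager images after the explicit `push-*` steps already did; one of the two is redundant.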