Merged
27 changes: 23 additions & 4 deletions docs/TESTING-DEPLOYER.md
@@ -1,5 +1,13 @@
# Creating and testing the deployer image

> Note: for passing the Google review, we had to enable the Container
> Analysis API:
>
> ```sh
> PROJECT=jetstack-public
> gcloud services --project=$PROJECT enable containeranalysis.googleapis.com
> ```

The deployer image is **only** used when the Jetstack Secure for
cert-manager is deployed in through the UI; it is not used for when
installing the application through the CLI.
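
Review bot: The note added at the top of the file hard-codes `PROJECT=jetstack-public`, so a reader who copies the snippet targets a project that may not be theirs; use a placeholder or derive the value with `$(gcloud config get-value project)`, as the cluster-creation command later in this file does. The note also does not say which part of the Google review needs the Container Analysis API, and it sits apart from the other `gcloud services ... enable` lines this PR adds under the requirements, so consider moving `containeranalysis.googleapis.com` into that list with one sentence on why it is needed.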
Expand Down Expand Up @@ -121,7 +129,18 @@ tests and pushs the deployer image.

Requirements before running `gcloud builds`:

1. You need a GKE cluster with
1. You need a GCP project that has a couple of Google APIs enabled. To
enable them, you can run the following:

```sh
PROJECT=jetstack-public
gcloud services --project=$PROJECT enable cloudbuild.googleapis.com
gcloud services --project=$PROJECT enable container.googleapis.com
gcloud services --project=$PROJECT enable containerregistry.googleapis.com
gcloud services --project=$PROJECT enable storage-api.googleapis.com
```

2. You need a GKE cluster with
[workload-identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
enabled. You can either update your existing cluster or create a new
cluster with workload identity enabled with this command:
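
Review bot: In the new requirement 1, the list of enabled services omits `containeranalysis.googleapis.com`, which the note at the top of the file says had to be enabled to pass the Google review, so a reader who follows only the requirements list will miss it. The text also says "a couple of Google APIs" while the snippet enables four, and `PROJECT=jetstack-public` is hard-coded here as well. The four services can be passed to a single `gcloud services enable` call, with the variable quoted as `--project="$PROJECT"`.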
Expand All @@ -133,7 +152,7 @@ Requirements before running `gcloud builds`:
--workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog
```

2. A Google CAS root and subordinate CA as well as a Google service account
3. A Google CAS root and subordinate CA as well as a Google service account
that will be "attached" to the Kubernetes service account that will be
created by the deployer:
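
Review bot: Style point on the list numbering at `3. A Google CAS root and subordinate CA`: inserting one requirement forced a renumber of every later item, which is why this hunk and the two after it change a single digit each. Numbering every item `1.` lets Markdown assign the numbers and keeps a future insertion to one hunk.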

Expand All @@ -159,7 +178,7 @@ Requirements before running `gcloud builds`:
> iam.gke.io/gcp-service-account=sa-google-cas-issuer@PROJECT_ID.iam.gserviceaccount.com
> ```

3. Go to [IAM and Admin > Permissions for
4. Go to [IAM and Admin > Permissions for
project](https://console.cloud.google.com/iam-admin/iam) and configure
the `[email protected]` service account with the
following roles so that it has permission to deploy RBAC configuration
Expand All @@ -168,7 +187,7 @@ Requirements before running `gcloud builds`:
- `Kubernetes Engine Admin`
- `Storage Object Admin`

4. Create a bucket that has the same name as your project. To create it,
5. Create a bucket that has the same name as your project. To create it,
run:

```sh