Ajay tripathy gcp key #501

Merged
merged 4 commits into from
Jun 8, 2020

@AjayTripathy AjayTripathy commented Jun 4, 2020

Fixes #498

Add a secret to the same name as kubecost like this:

kubectl create secret generic gcp-secret --from-file compute-viewer-kubecost-key.json -n kubecost

The secret has the form

{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "07ea38ce0e4969ec8be4883d9ffe6941c478165c",
  "private_key": "-----BEGIN PRIVATE KEY-----foo-----END PRIVATE KEY-----\n",
  "client_email": "compute-viewer-kubecost@guestbook-227502.iam.gserviceaccount.com",
  "client_id": "103549887095203286466",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/compute-viewer-kubecost%40guestbook-227502.iam.gserviceaccount.com"
}

and can be created via the following steps:

export PROJECT_ID=$(gcloud config get-value project)
gcloud iam service-accounts create compute-viewer-kubecost --display-name "Compute Read Only Account Created For Kubecost" --format json
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:compute-viewer-kubecost@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.viewer
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:compute-viewer-kubecost@$PROJECT_ID.iam.gserviceaccount.com --role roles/bigquery.user
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:compute-viewer-kubecost@$PROJECT_ID.iam.gserviceaccount.com --role roles/bigquery.dataViewer
gcloud iam service-accounts keys create ./compute-viewer-kubecost-key.json --iam-account compute-viewer-kubecost@$PROJECT_ID.iam.gserviceaccount.com

Tested by adding a secret and checking it is placed in the correct filepath.
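
A pre-flight check for the key file before it is loaded into the `gcp-secret` Secret, as an added example that is not part of this PR or the Kubecost code base: it verifies the fields shown in the JSON above, that `client_email` matches the account created by the gcloud steps, and that the file is not accessible to group or others. The function names and the sample values are assumptions made for this example.

```python
import json
import os
import stat

# Fields taken from the key file shown in the PR description.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

# Constructed sample (placeholder values, not a real key).
SAMPLE = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
    "client_email": "compute-viewer-kubecost@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_key_doc(doc, account="compute-viewer-kubecost"):
    """Return a list of problems in a parsed service-account key."""
    problems = [f"missing or empty field: {f}" for f in REQUIRED if not doc.get(f)]
    if doc.get("type") != "service_account":
        problems.append("type is not service_account")
    project = doc.get("project_id")
    expected = f"{account}@{project}.iam.gserviceaccount.com"
    if project and doc.get("client_email") != expected:
        problems.append(f"client_email is not {expected}")
    key = doc.get("private_key") or ""
    if key and not key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems


def check_key_file(path, account="compute-viewer-kubecost"):
    """Check file permissions, then parse and validate the key file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} exposes the key to group/others")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value is not an object"]
    return problems + check_key_doc(doc, account)
```

An empty `project_id`, as in the redacted sample above, is reported as a missing field.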

@@ -333,7 +333,7 @@ serviceAccount:
# These configs can also be set from the Settings page in the Kubecost product UI
# Values in this block override config changes in the Settings UI on pod restart
#
# kubecostProductConfigs:
kubecostProductConfigs:
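
Review bot: at the now-uncommented `kubecostProductConfigs:` line, the key is defined but the hunk shows no child keys under it, so unless something below is uncommented as well it parses as null rather than a map. If the block is meant to be always present, write it as `kubecostProductConfigs: {}` and confirm the templates that read this key tolerate an empty value; if it was uncommented only while testing the secret mount, revert it. The two comment lines above it still describe the block as overrides of the Settings UI, so they should state what the default now is.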

is this intentional? actually feels like a potential improvement if it doesn't cause errors

@AjayTripathy AjayTripathy merged commit 1bcdc3f into develop Jun 8, 2020

jdn-za commented Jun 25, 2020

If the secret is applied after the initial deployment of the cost-analyzer chart, would a simple restart of the kubecost-cost-analyzer be required?

@AjayTripathy

Yes-- a restart is required to pick up the new secret.

@chipzoller chipzoller deleted the AjayTripathy-gcp-key branch October 4, 2023 22:59
Successfully merging this pull request may close these issues.

Support adding GCP credentials at install time