Skip to content
Operator responsible for managing GCP projects and credentials.
Go Python Shell Makefile Dockerfile
Branch: master
Clone or download

README.md

Info

The gcp project operator is reponsible for creating projects and service accounts in GCP and storing the credentials in a secret.

Workflow - ProjectClaim

  1. The operator watches all namespaces for ProjectClaim resources
  2. When a ProjectClaim is found (see example below) the operator triggers the creation of a project in GCP
  3. After successful project creation
    • the field State will be set to Ready
    • A secret is created in the cluster namespace, as defined in the ProjectClaim
    • The field spec.gcpProjectID will be filled with the ID of the GCP project
  4. When a ProjectClaim is removed, the GCP project and service accounts are deleted (WIP)
  5. The operator removes the finalizer from the ProjectClaim (WIP)

Example CR

apiVersion: gcp.managed.openshift.io/v1alpha1
kind: ProjectClaim
metadata:
  name: example-projectclaim
  namespace: example-clusternamespace
spec:
  region: us-east1
  gcpCredentialSecret:
    name: gcp-secret
    namespace: example-clusternamespace
  legalEntity:
    name: example-legal-entity
    id: example-legal-entity-id

Workflow - ClusterDeployment (deprecated)

  • The operator would watch clusterdeployments in all namespaces.
  • Operator would check that the clusterdeployment’s labels “api.openshift.com/managed = true” and “hive.openshift.io/cluster-platform = gcp"
    • If both labels are as expected and clusterdeployment field “Spec.Installed = false”
      • The operator will create a project for the cluster from the name provided in “Spec.Platform.GCP.ProjectID” in the region provided by "Spec.Platform.GCP.Region"
      • The operator will then enable the required APIs.
      • The operator will set quotas as required
      • The operator will then create a service account for the operator and key
      • The operator will create a secret called gcp
      • The operator will add a finalizer to the clusterdeployment
    • If both labels are as expected and the clusterdeployment field “Spec.Installed = true” and the clusterdeployment is attempted to be deleted.
      • The operator will delete the service account and project
      • The operator will remove the finalizer

Requirements

  • OCM will provide a clusterdeployment with the following
    • An agreed upon secret name in "Spec.PlatformSecrets.GCP.Credentials.Name" now it is using name gcp
    • Unique name in projectID “Spec.Platform.GCP.ProjectID”
    • Supported region in “Spec.Platform.GCP.Region”
    • Ssh Key in the clusterdeployment namesapcew with the clusterdeployment "Spec.SshKey.Name" filled out -- Service account credentials with permissions to create projects, service accounts, and service account keys in the operator namespace gcp-project-operator

Deployment

Building

Just run make.

Local Dev

Prerequisites

  • Typically you'll want to use CRC, though it's fine if you're running OpenShift another way.
  • You need to have the operator-sdk binary in your $PATH.

Load Hive CRDS

For gcp-project-operator to work, the cluster needs to have CRDs from Hive present in the system.

Note: the git clone below isn't using the master branch.

git clone --branch v1alpha1 https://github.com/openshift/hive
for crd in hive/config/crds/hive_v1alpha1_*.yaml; do (set -x; oc apply -f $crd); done

Start operator locally

oc new-project gcp-project-operator
oc apply -f deploy/crds/gcp_v1alpha1_projectclaim_crd.yaml
oc apply -f deploy/crds/gcp_v1alpha1_projectreference_crd.yaml

operator-sdk run --local --namespace gcp-project-operator

If everything went ok, you should see some startup logs from the operator in your terminal window.

There are example CRs in deploy/crds/ you might want to use to see how the operator reacts to their presence (and absence if you delete them).

Remote

Pushing Image To quay

If you have permissions to push to quay.io/razevedo/gcp-project-operator. You can use the following commands to push the latest code

podman build . -f build/Dockerfile -t quay.io/razevedo/gcp-project-operator

podman push quay.io/razevedo/gcp-project-operator

Deploying code

Currently it is being deployed using image 'quay.io/razevedo/gcp-project-operator' Update deploy/operator.yaml with image you would like deployed.

oc apply -f deploy/cluster_role_binding.yaml
oc apply -f deploy/cluster_role.yaml
oc apply -f deploy/service_account.yaml
oc apply -f deploy/operator.yaml

If you need to update to lastest image pushed to quay repo

oc scale deployment gcp-project-operator -n gcp-project-operator --replicas=0

oc scale deployment gcp-project-operator -n gcp-project-operator --replicas=1

Configuration

For the operator to interact with GCP properly, it needs a bit of configuration first.

Note: unless you're running this against your very own GCP org, someone likely already has this stuff prepared for you. Ask around.

Auth Secret

  1. Create a gcp service account with appropriate permissions to an empty folder ("(Project) Owner" and "Project Creator" should suffice).
  2. Generate keys for the service account and download them.
  3. Run oc create -n gcp-project-operator secret generic gcp-project-operator-credentials --from-file=key.json=YOUR-KEYS-FILE-NAME.json

Configmap

The controller expects to find a ConfigMap with the name gcp-project-operator inside the gcp-project-operator namespace. It will parse it and verify its contents, expecting to extract the values of two specific fields that should be already populated by you:

  • billingAccount
  • parentFolderID

To fulfil this prerequisite, please type:

export PARENTFOLDERID="123456789123"         # Google Cloud organization Parent Folder ID
export BILLINGACCOUNT="123456-ABCDEF-123456" # Google billing ID from https://console.cloud.google.com/billing

kubectl create -n gcp-project-operator configmap gcp-project-operator --from-literal parentFolderID=$PARENTFOLDERID --from-literal billingAccount=$BILLINGACCOUNT
You can’t perform that action at this time.