
[beta.2] service-account should be generated for kubectl gcp plugins #91

Closed
abelanger5 opened this issue Oct 26, 2020 · 0 comments
server Something's wrong with the Go server

Comments


abelanger5 commented Oct 26, 2020

The Porter server needs to connect with an arbitrary number of GKE clusters using service account credentials. This sort of arbitrary service account switching is difficult -- there was a PR here that attempted to add this functionality using service account keys. As discussed in the issue, it doesn't make sense to implement this functionality using kubeconfig-based auth, and also doesn't make sense to download service account keys for each cluster and link the key files (for one, this would lead to a bunch of key files written in the container, which seems unsafe).

We'll need support for more idiomatic ways of connecting to clusters, and we'll likely have to drop the []byte storage of the kubeconfig in favor of non-kubeconfig based auth. The solution here is based on the following sources: [1], [2], [3]:

  1. Attempt to infer the GCP project_id automatically. Query the user if the project_id is correct -- if it is not, or it is not possible to find a project_id, ask the user to input a project_id.

  2. Create a service-account in that project using the iam admin package -- equivalent gcloud command:

     gcloud iam service-accounts create porter-dashboard

  3. Add policy binding to the service account using the iam package (will have to configure the roles differently depending on a provisioner/connector type) -- equivalent gcloud command:

     gcloud projects add-iam-policy-binding PROJECT_ID \
         --member=serviceAccount:porter-dashboard@PROJECT_ID.iam.gserviceaccount.com \
         --role=roles/container.developer

  4. Get the service account credentials and store them in the DB.

  5. Do something like the following to generate the client config:

import (
	"context"
	"io/ioutil"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
	"k8s.io/client-go/rest"
)

// ClientFromSAKeyFile builds a client-go REST client that authenticates with
// short-lived OAuth2 tokens minted from a service account key, instead of a
// kubeconfig. The caller still has to set Host, GroupVersion and
// NegotiatedSerializer on the rest.Config (RESTClientFor rejects a config
// without the last two), and client-go does not allow a custom Transport to be
// combined with TLSClientConfig, so cluster CA settings would need to go
// through WrapTransport instead.
func ClientFromSAKeyFile(ctx context.Context, filename string, scopes ...string) (*rest.RESTClient, error) {
	b, err := ioutil.ReadFile(filename)
	if err != nil {
		return nil, err
	}
	creds, err := google.CredentialsFromJSON(ctx, b, scopes...)
	if err != nil {
		return nil, err
	}
	return rest.RESTClientFor(&rest.Config{
		Transport: &oauth2.Transport{
			Source: creds.TokenSource, // refreshes tokens; the key never leaves memory
		},
	})
}
@abelanger5 abelanger5 added the server Something's wrong with the Go server label Oct 26, 2020
@abelanger5 abelanger5 added this to the Beta 2 Release milestone Oct 26, 2020
@abelanger5 abelanger5 added this to To do in Porter Roadmap via automation Oct 26, 2020
@abelanger5 abelanger5 self-assigned this Oct 26, 2020
abelanger5 added a commit that referenced this issue Nov 5, 2020
Porter Roadmap automation moved this from To do to Done Nov 16, 2020
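An added example for step 3 of the plan above (not Porter's code and not from this issue): the client-side read-modify-write that `gcloud projects add-iam-policy-binding` performs, written against the standard library only. It assumes the policy document shape returned by Cloud Resource Manager projects.getIamPolicy and accepted by projects.setIamPolicy (version, bindings, etag, optional per-binding condition); the function names ServiceAccountMember, AddBinding and GrantRoles and the sample policy in main are constructed for the example. The points it shows that the gcloud one-liner hides: the member string is derived from the account ID and project rather than hand-typed, existing bindings for other principals are merged into rather than replaced, bindings that carry a condition are never reused for an unconditional grant, and the etag is carried through so a concurrent edit makes setIamPolicy fail instead of silently clobbering it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Policy and Binding mirror the fields of the IAM policy document that
// projects.getIamPolicy returns and projects.setIamPolicy expects back
// (assumed shape for this example). Condition is kept opaque: a binding that
// carries a condition must not be reused for an unconditional grant.
type Policy struct {
	Version  int        `json:"version,omitempty"`
	Bindings []*Binding `json:"bindings"`
	Etag     string     `json:"etag,omitempty"`
}

type Binding struct {
	Role      string          `json:"role"`
	Members   []string        `json:"members"`
	Condition json.RawMessage `json:"condition,omitempty"`
}

// Service account IDs: 6 to 30 chars, lowercase letters, digits and hyphens,
// starting with a letter and not ending with a hyphen.
var saIDRe = regexp.MustCompile(`^[a-z][-a-z0-9]{4,28}[a-z0-9]$`)

// ServiceAccountMember builds the "serviceAccount:<id>@<project>.iam.gserviceaccount.com"
// member string for an account created in projectID, validating the ID first.
func ServiceAccountMember(accountID, projectID string) (string, error) {
	if !saIDRe.MatchString(accountID) {
		return "", fmt.Errorf("invalid service account id %q", accountID)
	}
	if projectID == "" {
		return "", fmt.Errorf("empty project id")
	}
	return fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", accountID, projectID), nil
}

// AddBinding merges member into the unconditional binding for role, creating
// the binding if none exists. It returns false when the member was already
// present, so the caller can skip the setIamPolicy write.
func AddBinding(p *Policy, role, member string) bool {
	for _, b := range p.Bindings {
		if b.Role != role || len(b.Condition) != 0 {
			continue // different role, or a conditional binding we must not widen
		}
		for _, m := range b.Members {
			if m == member {
				return false
			}
		}
		b.Members = append(b.Members, member)
		sort.Strings(b.Members)
		return true
	}
	p.Bindings = append(p.Bindings, &Binding{Role: role, Members: []string{member}})
	return true
}

// GrantRoles takes the raw JSON from getIamPolicy, grants each role to member,
// and returns the JSON to send to setIamPolicy. The etag is preserved for
// optimistic locking; a policy without one is refused rather than written blind.
func GrantRoles(policyJSON []byte, member string, roles []string) ([]byte, bool, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, false, fmt.Errorf("decode policy: %w", err)
	}
	if p.Etag == "" {
		return nil, false, fmt.Errorf("policy has no etag; refusing to write without optimistic locking")
	}
	changed := false
	for _, r := range roles {
		if AddBinding(&p, r, member) {
			changed = true
		}
	}
	out, err := json.Marshal(&p)
	return out, changed, err
}

func main() {
	// Constructed sample policy for the example, not fetched from a real project.
	policy := []byte(`{"version":1,"etag":"BwWKmjvelug=","bindings":[
	  {"role":"roles/owner","members":["user:admin@example.com"]},
	  {"role":"roles/container.developer","members":["user:dev@example.com"]}]}`)
	member, err := ServiceAccountMember("porter-dashboard", "my-project")
	if err != nil {
		panic(err)
	}
	out, changed, err := GrantRoles(policy, member, []string{"roles/container.developer"})
	if err != nil {
		panic(err)
	}
	fmt.Println(changed)
	fmt.Println(string(out))
}
```

In the real flow the bytes returned by GrantRoles go back through setIamPolicy only when changed is true; if the API rejects the write because the etag is stale, re-fetch the policy and run the merge again rather than retrying with the old document.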