Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GKEHubFeatureMembership with the private GitHub repo #120

Open
fforloff opened this issue Nov 16, 2022 · 5 comments
Open

GKEHubFeatureMembership with the private GitHub repo #120

fforloff opened this issue Nov 16, 2022 · 5 comments
Labels
question Further information is requested

Comments

@fforloff
Copy link

@mathieu-benoit , setting up configSync via the GKEHubFeatureMembership works great if the GitHub repo is public, however I can't figure out how it can be done for the private repo. Setting secretType to ssh expects the git-creds secret in the config-management-system namespace of the newly provisioned cluster. Isn't it a chicken/egg situation?

@mathieu-benoit mathieu-benoit added the question Further information is requested label Nov 16, 2022
@mathieu-benoit
Copy link
Owner

mathieu-benoit commented Nov 16, 2022

Hi @fforloff, thanks for reaching out! Good point and good question!

You are right, it's a chicken/egg situation :)

In this page, that's what I would add to accomplish this:

# Before running the following commands, the 2 resources GKEHubFeature and GKEHubMembership need to be commited in the TENANT_PROJECT_DIR_NAME dir/repo in order to have the following Connect Gateway working.
cd ${WORK_DIR}
gh repo create $GKE_CONFIGS_DIR_NAME --private --clone --template https://github.com/mathieu-benoit/config-sync-template-repo
cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME
git pull
git checkout main
#GKE_CONFIGS_REPO_URL=$(gh repo view --json url --jq .url)
GKE_CONFIGS_REPO_URL=$(gh repo view --json sshUrl --jq .sshUrl)
GKE_CONFIGS_REPO_NAME_WITH_OWNER=$(gh repo view --json nameWithOwner --jq .nameWithOwner)

mkdir tmp
ssh-keygen -t rsa -b 4096 \
    -C "${GKE_CONFIGS_REPO_NAME_WITH_OWNER}@github" \
    -N '' \
    -f ./tmp/github-gke-configs-repo
gcloud container fleet memberships get-credentials ${GKE_NAME}
kubectl create secret generic git-creds \
    -n config-management-system \
    --from-file ssh=./tmp/github-gke-configs-repo
gh repo deploy-key add ./tmp/github-gke-configs-repo.pub
rm -r tmp

# And then change the following GKEHubFeatureMembership with secretType as ssh.

I haven't tested this as-is yet, but that's pretty much close to what will work. If you have any feedback, please do let me know.

Note: using the Connect Gateway Fleet feature (gcloud container fleet memberships get-credentials) which supports the fact that the GKE cluster in tenant project is private. In this case, as Platform Admin, I need to leverage that feature to avoid the chicken/egg situation.

I will soon update this workshop with that, and actually I want to move all the 6 GitHub repos to private (tracking this here), in order to continue showing security best practices.

Thanks for the feedback/question, keep them coming! :)

@fforloff
Copy link
Author

Thanks @mathieu-benoit. I'm trying to avoid as much manual steps as possible. So I think another option is to have the Cloud Source <-> GitHub sync happening, so that I can use the IAM GSA/KSA to access the Cloud Source copy of the code instead.

@fforloff
Copy link
Author

So that worked beautifully

I made the config controller SA a source.admin:

gcloud projects add-iam-policy-binding ${HOST_PROJECT_ID} \
    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
    --role='roles/source.admin'    

Then I added to the equivalent of your host repo

kind: IAMPolicyMember
metadata:
  name: <tenant>-iam-source-adm
  namespace: config-control
spec:
  memberFrom:
    serviceAccountRef:
      name: <sa_name>
  role: roles/source.admin
  resourceRef:
    kind: SourceRepoRepository
    external: projects/<host_project>/repos/<github_copy_in_the_cloud_source>

Then in the equivalent of the tenant repo:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: <tenant_sa>-wi
  namespace: <tenant_namespace>
spec:
  resourceRef:
    name: <gke_sa>
    kind: IAMServiceAccount
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - member: serviceAccount:<tenant_project_name>.svc.id.goog[config-management-system/root-reconciler]

and

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
 name: <gke_sa>-sa-source-reader
spec:
 member: serviceAccount:<gke_sa>@<tenant_project_name>.iam.gserviceaccount.com
 role: roles/source.reader
 resourceRef:
   kind: SourceRepoRepository
   external: projects/<host_project>/repos/<github_copy_in_the_cloud_source>

@fforloff
Copy link
Author

BTW, thanks for the Connect Gateway hint - it helped me with my other issue, where I could not access the cluster from the coronet, since the endpoint was an IP address, not the FQDN.

@mathieu-benoit
Copy link
Owner

Yep, SourceRepRepository works great with Workload Identity. Another alternative could be to convert your Git repo to either OCI artifact registry or Helm chart registry with Artifact Registry and Workload Identity. In the future, that's where I want to convert this workshop.

And yes, Connect Gateway is not very well known, but very powerful! :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants