-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathcloudbuild-to-private-gke-master.yaml
98 lines (88 loc) · 3 KB
/
cloudbuild-to-private-gke-master.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
---
#
# Copyright 2021 binx.io B.V.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This example cloudbuild shows you how to use the IAP proxy into the
# GKE cluster from cloudbuild.
#
substitutions:
_SIMPLE_IAP_PROXY: 'gcr.io/binx-io-public/simple-iap-proxy:0.5.2'
_CLUSTER_NAME: cluster7 # change to the name of your cluster
_CLUSTER_ZONE: europe-west4-c # change to the zone of your cluster
availableSecrets:
secretManager:
- env: AUDIENCE
versionName: projects/${PROJECT_ID}/secrets/simple-iap-proxy-audience/versions/latest
- env: SERVICE_ACCOUNT
versionName: projects/${PROJECT_ID}/secrets/simple-iap-proxy-service-account/versions/latest
- env: TARGET_URL
versionName: projects/${PROJECT_ID}/secrets/simple-iap-proxy-target-url/versions/latest
steps:
- id: generate certificate
name: ${_SIMPLE_IAP_PROXY}
args: [
"generate-certificate",
"--key-file", "server.key",
"--certificate-file", "server.crt",
"--dns-name", "simple-iap-proxy"
]
- id: start simple-iap-proxy
name: gcr.io/cloud-builders/docker
secretEnv:
- AUDIENCE
- TARGET_URL
- SERVICE_ACCOUNT
entrypoint: /bin/sh
args:
- -c
- >
docker run -d --rm -v /workspace:/workspace -w /workspace
--network cloudbuild --name simple-iap-proxy
${_SIMPLE_IAP_PROXY} client
--to-gke
--port 8080
--target-url $$TARGET_URL
--iap-audience $$AUDIENCE
--service-account $$SERVICE_ACCOUNT
--use-default-credentials
--key-file server.key
--certificate-file server.crt &&
sleep 2
- id: get logs simple-iap-proxy
name: gcr.io/cloud-builders/docker
args: [ "logs", "simple-iap-proxy" ]
- id: get credentials for cluster
name: gcr.io/cloud-builders/gcloud
entrypoint: gcloud
args: [
"container", "clusters",
"get-credentials", "${_CLUSTER_NAME}",
"--internal-ip",
"--zone", "${_CLUSTER_ZONE}"
]
- id: setup kubectl
name: gcr.io/cloud-builders/kubectl
entrypoint: /bin/sh
args:
- -c
- context_name=$(kubectl config current-context) &&
kubectl config set clusters.$context_name.certificate-authority-data "$(base64 < server.crt)" &&
kubectl config set clusters.$context_name.proxy-url https://simple-iap-proxy:8080 &&
kubectl cluster-info
- id: deploy to gke
name: gcr.io/cloud-builders/kubectl
entrypoint: kubectl
args:
- cluster-info