forked from GoogleCloudPlatform/gcs-fuse-csi-driver
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcloudbuild-install.yaml
More file actions
192 lines (171 loc) · 9.84 KB
/
cloudbuild-install.yaml
File metadata and controls
192 lines (171 loc) · 9.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This Cloud Build file installs the GCS FUSE CSI driver to a GKE cluster or a self-managed Kubernetes cluster.
#
# Before running:
# 1. For GKE, ensure the Cloud Build SA has the "Kubernetes Engine Admin" IAM role.
# 2. For self-managed K8s:
# a. Store your kubeconfig file as a secret in Google Secret Manager.
# b. Grant the Cloud Build SA the "Secret Manager Secret Accessor" role.
# 3. Provide all the required substitutions at build time.
substitutions:
# (Required) The Artifact Registry or GCR path where your images are stored.
_REGISTRY: 'gcr.io/gke-release'
# (Optional) The version tag for the images to be deployed.
_STAGINGVERSION: 'v999.999.999'
# (Conditionally Required) Required for self-managed K8s. Optional for GKE (will be auto-discovered).
_IDENTITY_PROVIDER: ''
# (Conditionally Required) Required for self-managed K8s. Optional for GKE (will be derived).
_IDENTITY_POOL: ''
# (Conditionally Required) Required for GKE. Optional for self-managed K8s.
_PROJECT_ID: ''
# (Conditionally Required) The name of the target GKE cluster. Not used for self-managed K8s.
_CLUSTER_NAME: ''
# (Conditionally Required) The location of the target GKE cluster. Not used for self-managed K8s.
_CLUSTER_LOCATION: ''
# (Optional) The Kustomize overlay to use. Defaults to 'stable'.
_OVERLAY: 'stable'
# (Optional) Set to 'true' if deploying to a non-GKE, self-managed Kubernetes cluster.
_SELF_MANAGED_K8S: 'false'
# (Conditionally Required) The name of the Secret Manager secret holding the kubeconfig for a self-managed cluster.
_KUBECONFIG_SECRET: ''
steps:
# Step 1: Validate inputs and connect to the cluster.
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
id: 'setup-and-validate'
entrypoint: 'bash'
args:
- '-c'
- |
set -e
# --- Connection Logic ---
if [ "${_SELF_MANAGED_K8S}" = "true" ]; then
echo "🏁 Targeting self-managed Kubernetes cluster."
if [ -z "${_REGISTRY}" ] || [ -z "${_IDENTITY_PROVIDER}" ] || [ -z "${_IDENTITY_POOL}" ] || [ -z "${_KUBECONFIG_SECRET}" ]; then
echo "❌ ERROR: For self-managed clusters, _REGISTRY, _IDENTITY_PROVIDER, _IDENTITY_POOL, and _KUBECONFIG_SECRET must be set."
exit 1
fi
echo "🔐 Fetching kubeconfig from Secret Manager secret: ${_KUBECONFIG_SECRET}"
mkdir -p ~/.kube
gcloud secrets versions access latest --secret="${_KUBECONFIG_SECRET}" > ~/.kube/config
chmod 600 ~/.kube/config
echo "✅ kubectl configured for self-managed cluster."
else
echo "🏁 Targeting GKE cluster."
if [ -z "${_REGISTRY}" ] || [ -z "${_CLUSTER_NAME}" ] || [ -z "${_CLUSTER_LOCATION}" ]; then
echo "❌ ERROR: For GKE deployments, _REGISTRY, _CLUSTER_NAME, and _CLUSTER_LOCATION are required."
exit 1
fi
echo "🔄 Connecting to GKE cluster '${_CLUSTER_NAME}' in '${_CLUSTER_LOCATION}'..."
gcloud container clusters get-credentials "${_CLUSTER_NAME}" --location "${_CLUSTER_LOCATION}"
echo "✅ Successfully connected to GKE cluster."
fi
echo "✅ Input validation and setup complete."
# Step 2: Generate Kubernetes manifest and apply it to the cluster.
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
id: 'generate-and-install'
waitFor: ['setup-and-validate']
entrypoint: 'bash'
args:
- '-c'
- |
set -ex
echo "🔧 Installing Kustomize..."
./deploy/install-kustomize.sh
KUSTOMIZE_PATH=$$(find /workspace -name kustomize -type f)
if [ -z "$${KUSTOMIZE_PATH}" ]; then
echo "❌ ERROR: kustomize binary not found."
exit 1
fi
mv "$${KUSTOMIZE_PATH}" /usr/local/bin/
echo "📝 Generating Kubernetes resource specs..."
KUSTOMIZE_DIR="./deploy/overlays/${_OVERLAY}"
cd $$KUSTOMIZE_DIR
kustomize edit set image gke.gcr.io/gcs-fuse-csi-driver=${_REGISTRY}/gcs-fuse-csi-driver:${_STAGINGVERSION}
kustomize edit set image gke.gcr.io/gcs-fuse-csi-driver-webhook=${_REGISTRY}/gcs-fuse-csi-driver-webhook:${_STAGINGVERSION}
kustomize edit add configmap gcsfusecsi-image-config --behavior=merge --disableNameSuffixHash --from-literal=sidecar-image=${_REGISTRY}/gcs-fuse-csi-driver-sidecar-mounter:${_STAGINGVERSION}
kustomize edit add configmap gcsfusecsi-image-config --behavior=merge --disableNameSuffixHash --from-literal=metadata-sidecar-image=${_REGISTRY}/gcs-fuse-csi-driver-metadata-prefetch:${_STAGINGVERSION}
cd -
# --- Begin Variable Derivation ---
EFFECTIVE_PROJECT_ID="${_PROJECT_ID}"
EFFECTIVE_IDENTITY_POOL="${_IDENTITY_POOL}"
EFFECTIVE_IDENTITY_PROVIDER="${_IDENTITY_PROVIDER}"
if [ "${_SELF_MANAGED_K8S}" != "true" ]; then
if [ -z "$${EFFECTIVE_PROJECT_ID}" ]; then
CURRENT_CONTEXT=$$(kubectl config current-context)
EFFECTIVE_PROJECT_ID=$$(echo $$CURRENT_CONTEXT | cut -d '_' -f 2)
echo "✅ Derived Project ID for GKE: $${EFFECTIVE_PROJECT_ID}"
fi
if [ -z "$${EFFECTIVE_IDENTITY_POOL}" ]; then
EFFECTIVE_IDENTITY_POOL="$${EFFECTIVE_PROJECT_ID}.svc.id.goog"
echo "✅ Constructed Identity Pool for GKE: $${EFFECTIVE_IDENTITY_POOL}"
fi
if [ -z "$${EFFECTIVE_IDENTITY_PROVIDER}" ]; then
apt-get update -y && apt-get install -y jq
EFFECTIVE_IDENTITY_PROVIDER=$$(kubectl get --raw /.well-known/openid-configuration | jq -r .issuer)
echo "✅ Discovered Identity Provider for GKE: $${EFFECTIVE_IDENTITY_PROVIDER}"
fi
fi
# Determine the effective setting for the WI node label check.
# It should be 'false' for self-managed clusters and 'true' for GKE.
if [ "${_SELF_MANAGED_K8S}" = "true" ]; then
EFFECTIVE_WI_NODE_LABEL_CHECK="false"
echo "ℹ️ WI Node Label Check is disabled for self-managed Kubernetes."
else
EFFECTIVE_WI_NODE_LABEL_CHECK="true"
echo "ℹ️ WI Node Label Check is enabled for GKE."
fi
# --- End Variable Derivation ---
echo "📄 Creating configuration patches..."
echo "[{\"op\": \"replace\",\"path\": \"/spec/tokenRequests/0/audience\",\"value\": \"$${EFFECTIVE_IDENTITY_PROVIDER}\"}]" > $${KUSTOMIZE_DIR}/project_patch_csi_driver.json
echo "[{\"op\": \"replace\",\"path\": \"/spec/template/spec/containers/0/env/1/value\",\"value\": \"$${EFFECTIVE_IDENTITY_PROVIDER}\"}]" > $${KUSTOMIZE_DIR}/identity_provider_patch_csi_node.json
echo "[{\"op\": \"replace\",\"path\": \"/spec/template/spec/containers/0/env/2/value\",\"value\": \"$${EFFECTIVE_IDENTITY_POOL}\"}]" > $${KUSTOMIZE_DIR}/identity_pool_patch_csi_node.json
echo "[{\"op\": \"add\",\"path\": \"/spec/template/spec/containers/0/args/-\",\"value\": \"--wi-node-label-check=$${EFFECTIVE_WI_NODE_LABEL_CHECK}\"}]" > $${KUSTOMIZE_DIR}/wi_node_label_check_patch.json
# Conditionally determine the CA_BUNDLE based on the cluster type.
if [ "${_SELF_MANAGED_K8S}" = "true" ]; then
echo "🔎 Using grep to find CA Bundle for self-managed Kubernetes..."
# This assumes the kubeconfig is in the default location ~/.kube/config.
CA_BUNDLE=$$(grep certificate-authority-data ~/.kube/config | head -n 1 | awk '{print $2}')
else
echo "🔎 Using kubectl to find CA Bundle for GKE..."
CA_BUNDLE=$$(kubectl config view --raw -o jsonpath='{.clusters[?(@.name=="'"`kubectl config current-context`"'")].cluster.certificate-authority-data}' | tr -d '"')
fi
echo "[{\"op\": \"replace\",\"path\": \"/webhooks/0/clientConfig/caBundle\",\"value\": \"$${CA_BUNDLE}\"}]" > $${KUSTOMIZE_DIR}/caBundle_patch_MutatingWebhookConfiguration.json
echo "📦 Building the final manifest..."
kustomize build $${KUSTOMIZE_DIR} > /workspace/gcs-fuse-csi-driver-specs-generated.yaml
echo "🚀 Applying the generated manifest to the cluster..."
kubectl apply -f /workspace/gcs-fuse-csi-driver-specs-generated.yaml
echo "🔐 Creating webhook certificate..."
chmod +x ./deploy/base/webhook/create-cert.sh
./deploy/base/webhook/create-cert.sh --namespace gcs-fuse-csi-driver --service gcs-fuse-csi-driver-webhook --secret gcs-fuse-csi-driver-webhook-secret
echo "🛡️ Installing the validating admission policy..."
chmod +x ./deploy/base/webhook/manage-validating_admission_policy.sh
./deploy/base/webhook/manage-validating_admission_policy.sh --install
echo "✅ Installation complete."
# Step 3: Verify the driver installation
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:latest'
id: 'verify-installation'
waitFor: ['generate-and-install']
entrypoint: 'bash'
args:
- '-c'
- |
set -ex
echo "🔎 Verifying driver installation status..."
sleep 15
echo "--- Logging all driver resources for debugging ---"
kubectl get CSIDriver,Deployment,DaemonSet,Pods -n gcs-fuse-csi-driver
echo "--- Checking for running pods ---"
kubectl get pods -n gcs-fuse-csi-driver | grep Running
echo "✅ Verification step complete."