equinix / terraform-equinix-metal-anthos-on-baremetal

Terraform module for quick deployment of baremetal Anthos on Equinix Metal
https://registry.terraform.io/modules/equinix/anthos-on-baremetal
Apache License 2.0

Generate a token to register in Anthos Console #32

Open displague opened 3 years ago

displague commented 3 years ago

The README.md does not walk users through connecting the new cluster to the Anthos UI.

While we do not want to repeat all of the Anthos Baremetal documentation in this project, a helper script or set of copy/paste commands would ease the process. (The Google instructions must be hand-edited and selected before they can be copy/pasted; we can be opinionated here or take values from Terraform.)

https://cloud.google.com/anthos/gke/docs/bare-metal/1.6/how-to/anthos-ui#authn

Should Terraform preconfigure this? What names should we use?

displague commented 3 years ago

/cc @bikashrc25

displague commented 3 years ago

Essentially, the Google instructions require user opinions on the roles to assign and the names of the resources (accounts and role bindings). The following expresses the opinion that a single SA (named "metal-anthos") with cluster-admin is what we want to register at the login prompt:

# Configure the local kubectl to use the Anthos cluster
export KUBECONFIG=$(terraform output -raw Kubeconfig_location)
# Create a role with the cloud-console-reader resource access requirements
cat <<EOF > cloud-console-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
EOF
kubectl apply -f cloud-console-reader.yaml
# Generate a token for a new service account with view, cloud-console-reader, and cluster-admin roles
KSA_NAME=metal-anthos
VIEW_BINDING_NAME=${KSA_NAME}-view
CLOUD_CONSOLE_READER_BINDING_NAME=${KSA_NAME}-cloud-console-reader
BINDING_NAME=${KSA_NAME}-cluster-admin

kubectl create serviceaccount ${KSA_NAME}
kubectl create clusterrolebinding ${VIEW_BINDING_NAME} \
  --clusterrole view --serviceaccount default:${KSA_NAME}
kubectl create clusterrolebinding ${CLOUD_CONSOLE_READER_BINDING_NAME} \
  --clusterrole cloud-console-reader --serviceaccount default:${KSA_NAME}

kubectl create clusterrolebinding ${BINDING_NAME} \
  --clusterrole cluster-admin --serviceaccount default:${KSA_NAME}

# Read the bearer token from the service account's auto-generated token secret
SECRET_NAME=$(kubectl get serviceaccount ${KSA_NAME} -o jsonpath='{$.secrets[0].name}')
kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' | base64 --decode; echo

The token output from this last command can be entered at the "Token" option in the "Login" dialog for the cluster listed at https://console.cloud.google.com/kubernetes/list.
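As an added example (not code from the issue or from the module), here is one shape the requested helper script could take: a POSIX shell function that renders the ClusterRole, ServiceAccount and ClusterRoleBinding manifests from the commands above as a single YAML document that can be piped to `kubectl apply -f -`. The function names, the `WITH_CLUSTER_ADMIN` switch and the namespace parameter are assumptions; by default it binds only `view` and `cloud-console-reader`, and the `cluster-admin` binding the issue proposes is added only when explicitly requested, so a token that is pasted into a browser dialog carries the narrower privileges unless the operator opts in.

```shell
#!/usr/bin/env sh
# Hypothetical helper (added example, not part of the module).
# Usage: render_console_rbac KSA_NAME [NAMESPACE] [WITH_CLUSTER_ADMIN]
#   render_console_rbac metal-anthos default   | kubectl apply -f -   # read-only
#   render_console_rbac metal-anthos default 1 | kubectl apply -f -   # + cluster-admin

# Render one ClusterRoleBinding: $1 = service account, $2 = namespace, $3 = ClusterRole.
render_binding() {
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${1}-${3}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${3}
subjects:
- kind: ServiceAccount
  name: ${1}
  namespace: ${2}
EOF
}

# Render the cloud-console-reader ClusterRole, the service account and its bindings.
render_console_rbac() {
  ksa_name="$1"
  namespace="${2:-default}"
  with_admin="${3:-0}"

  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ksa_name}
  namespace: ${namespace}
EOF
  # The Console's own requirements: read-only access via view + cloud-console-reader.
  for role in view cloud-console-reader; do
    render_binding "${ksa_name}" "${namespace}" "${role}"
  done
  # cluster-admin only when the caller asks for it explicitly.
  if [ "${with_admin}" = "1" ]; then
    render_binding "${ksa_name}" "${namespace}" cluster-admin
  fi
}

# Self-check helper: count cluster-admin roleRefs in a rendered manifest on stdin.
count_admin_bindings() {
  grep -c '^  name: cluster-admin$' || true
}
```

After applying the rendered manifests, the token is read exactly as in the comment above (`kubectl get secret ... | base64 --decode`). On Kubernetes 1.24 and later the API server no longer auto-creates a token secret for new service accounts, so on such clusters `kubectl create token metal-anthos` is the way to obtain a (time-limited) token instead.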