README
¶
Delivery Hero GCP Config Connector Tagging Operator
GCP Config Connector Tagging Operator helps you to add tags to GCP resources managed by the Config Connector controller.
Description
At Delivery Hero, we have requirements to limit access to GCP resources based on tags with Config Connector (implementing ABAC). To achieve this in our Kubernetes-centric setup, leveraging the GCP Config Connector project, we needed a way to dynamically create and update tag values in a project—even if the same value is used in more than one namespace or cluster.
This project helps solve this issue by adding a layer that syncs tag keys and values in GCP from Kubernetes labels. It then generates the necessary tag binding Config Connector resources, providing an automagical experience for tags, similar to how Kubernetes labels are automatically made available as resource labels by Config Connector.
Note: This operator requires the
TagsLocationTagBinding
CRD from the Config Connector Operator. This CRD might need to be installed manually, as it is only available at the v1alpha1 level currently. You can find instructions on how to install it here.
Getting Started
Prerequisites
- Go version v1.22.0+
- Docker version 17.03+
- Kubectl version v1.11.3+
- Access to a Kubernetes v1.11.3+ cluster with Config Connector v1.121.0+ installed.
Deploying on the cluster using Helm
Install the chart from the Helm repository
helm install gcp-config-connector-tagging-operator oci://ghcr.io/deliveryhero/gcp-config-connector-tagging-operator/helm-chart/gcp-config-connector-tagging-operator \
--create-namespace \
--namespace "gcp-config-connector-tagging-operator-system"
Grant the tagAdmin
and tagUser
roles to the Tagging Operator Kubenetes Service Account
Default Tagging Operator Kubenetes Service Account User is gcp-config-connector-tagging-operator-controller-manager
Refer Authenticate to Google Cloud APIs from GKE workloads
Grant the tagUser
role to the Config Connector Kubenetes Service Account
Refer Authenticate to Google Cloud APIs from GKE workloads
Deploying on the Cluster
Build and push your image to the location specified by IMG
:
make docker-build docker-push IMG=<some-registry>/gcp-config-connector-tagging-operator:tag
Note: Ensure this image is published in the personal registry you specified and that you have the proper permissions to pull the image from the working environment.
Install the CRDs into the cluster:
make install
Deploy the Manager to the cluster with the image specified by IMG
:
make deploy IMG=<some-registry>/gcp-config-connector-tagging-operator:tag
Note: If you encounter RBAC errors, you may need to grant yourself cluster-admin privileges or be logged in as an admin.
Create instances of your solution by applying the samples from the config/samples
directory:
kubectl apply -k config/samples/
Note: Ensure that the samples have default values to test it out.
Uninstalling
Delete the instances (CRs) from the cluster:
kubectl delete -k config/samples/
Delete the APIs (CRDs) from the cluster:
make uninstall
UnDeploy the controller from the cluster:
make undeploy
Project Distribution
Building the Installer
- Build the installer for the image built and published in the registry:
make build-installer IMG=<some-registry>/gcp-config-connector-tagging-operator:tag
Note: This generates an
install.yaml
file in thedist
directory, containing all the Kustomize-built resources necessary to install this project without its dependencies.
Using the Installer
Users can install the project by running the following command:
kubectl apply -f https://raw.githubusercontent.com/<org>/gcp-config-connector-tagging-operator/<tag or branch>/dist/install.yaml
Contributing
To contribute, please read our contributing documentation.
Note: Run
make help
for more information on all potentialmake
targets. Additional information can be found via the Kubebuilder Documentation.
License
© 2024 Delivery Hero SE Contents of this repository is licensed under the Apache-2.0 License.