CLI application that make it easier to perform DevOps on Kubernetes and GCloud
Project description
tesserarius
tesserarius is a collection of invoke tasks that wrap common tools for creating permissions for a team on the kubernetes cluster.
Installation
To install, use pip:
pip install tesserarius
Once installed, you can use it from within your project directory. The console script uses an etc/tesserarius/tesserarius.yaml file to configure itself.
Prerequisites
The tesserarius tool is a python modules that uses invoke to make calls the kubectl and gcloud command-line tools. The following should be installed before running tesserarius:
kubectl - Install the version matching the cluster you will be working.
gcloud - Ensure you login using gcloud auth login
python - It is recommended you use python environment running Python 3.7.4 or later
Development
Clone the repostory: git clone git@github.com:rehive/tesserarius
Initialise your python environment: echo -n 'tesserarius' > .python-version && pyenv virtualenv 3.7.4 tesserarius
Install pip with the following command pip install -e .
Configuration
There are two main config files used to run the tool. All operations reference contents of these config files. The first one is etc/tesserarius/tesserarius.yaml and the second one is used to keep track of the roles etc/tesserarius/roles.yaml
The tesserarius.yaml config files includes all the settings for running the tesserarius:
version: 1 environment: extensions: staging: gcloud: project: project-id zone: europe-west1-c kubernetes: cluster: staging namespace: service-test-staging production: gcloud: project: project-id zone: europe-west1-c kubernetes: cluster: production namespace: service-test platform: staging: gcloud: project: project-id zone: europe-west1-c kubernetes: cluster: staging namespace: service-test-staging production: gcloud: project: project-id zone: europe-west1-c kubernetes: cluster: production namespace: service-test extensions: serviceAccount: - name: test-wale displayName: "test Service Backup Writer" description: "Service Account for the test Service on production to write to pgdata the bucket" role: extensions.bucket.writer environment: production - name: test-staging-wale displayName: "test Service Backup Writer" description: "Service Account for the test Service on staging to write to pgdata the bucket" role: extensions.bucket.writer environment: staging bindings: [] - members: - user:test@rehive.com role: projects/project-id/roles/extensions.team.developer platform: {}The roles.yaml file contains GCloud IAM role definitions:
platform: roles: - name: platform.team.developer description: 'Developer role for GCP Users. Based on: Kubernetes Engine Developer' stage: ALPHA title: 'Platform Team Developer' addPermissions: - example.test.permission removePermissions: [] permissions: [] extensions: roles: - name: extensions.bucket.writer description: 'Role for Writing in GCS Buckets' stage: ALPHA title: 'Storage Bucket Writer' addPermissions: - example.test.permission removePermissions: [] permissions: []
Commands
The commands have been categorized between platform (to work on the rehive-core cluster) and extensions (to work on the rehive-services cluster)
List of available commands:
Usage: tesserarius [--core-opts] <subcommand> [--subcommand-opts] ...
Core options:
--complete Print tab-completion candidates for given
parse remainder.
--hide=STRING Set default value of run()'s 'hide' kwarg.
--write-pyc Enable creation of .pyc files.
-d, --debug Enable debug output.
-e, --echo Echo executed commands before running.
-f STRING, --config=STRING Runtime configuration file to use.
-h [STRING], --help[=STRING] Show core or per-task help and exit.
-l, --list List available tasks.
-n STRING, --project=STRING The project/package name being build
-p, --pty Use a pty when executing shell commands.
-V, --version Show version and exit.
-w, --warn-only Warn, instead of failing, when shell commands
fail.
Subcommands:
cluster.set Sets the active cluster
extensions.bind Add IAM policy binding in rehive-services
platform.bind Add IAM policy binding in rehive-services
extensions.roles.create Creates a Google Cloud IAM role on rehive-
services
extensions.roles.delete Deletes a Google Cloud IAM role on rehive-
services
extensions.roles.update Updates a Google Cloud IAM role on rehive-
services
extensions.serviceaccount.bind Binds a Google Cloud IAM Service Account
on rehive-services
extensions.serviceaccount.create Creates a Google Cloud IAM Service Account
on rehive-services
extensions.serviceaccount.delete Deletes a Google Cloud IAM Service Account
on rehive-services
extensions.serviceaccount.update Updates a Google Cloud IAM Service Account
on rehive-services
extensions.serviceaccount.upload Uploads a Google Cloud IAM Service Account
private key to kubernetes namespace
platform.roles.create Creates a Google Cloud IAM role on rehive-
core
platform.roles.delete Deletes a Google Cloud IAM role on rehive-
core
platform.roles.update Updates a Google Cloud IAM role on rehive-
core
platform.serviceaccount.bind Binds a Google Cloud IAM Service Account
on rehive-core
platform.serviceaccount.create Creates a Google Cloud IAM Service Account
on rehive-core
platform.serviceaccount.delete Deletes a Google Cloud IAM Service Account
on rehive-core
platform.serviceaccount.update Updates a Google Cloud IAM Service Account
on rehive-core
platform.serviceaccount.upload Uploads a Google Cloud IAM Service Account
private key to kubernetes namespace
tesserarius extensions.serviceaccount.create
This command creates all the serviceaccounts listed in the config file under the extensions.serviceAccount list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (<service-name>((-staging)?)(-<role_name>)?):
Usage: tesserarius [--core-opts] extensions.serviceaccount.create [--options] [other tasks here ...] Docstring: Creates a Google Cloud IAM Service Account on rehive-services Options: -n STRING, --name=STRING The name of the service account to handle
You may create a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.create -n test-staging-media
tesserarius extensions.serviceaccounts.bind
Creates or updates the role binding for the serviceaccount with the role in the extensions.serviceaccount[i].role for all serviceaccounts in the config:
Usage: tesserarius [--core-opts] extensions.serviceaccount.bind [--options] [other tasks here ...] Docstring: Binds a Google Cloud IAM Service Account on rehive-services Options: -n STRING, --name=STRING The name of the service account to handle
You may bind a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.bind -n test-staging-media
The role referenced will be a custom role available under the rehive-services Google Cloud Project. It is advised to use the list of roles defined in the roles.yaml file.
tesserarius extensions.serviceaccounts.delete
This command deletes all the serviceaccounts listed in the config file under the extensions.serviceAccount list:
Usage: tesserarius [--core-opts] extensions.serviceaccount.delete [--options] [other tasks here ...] Docstring: Deletes a Google Cloud IAM Service Account on rehive-services Options: -n STRING, --name=STRING The name of the service account to handle
You may delete a specific serviceaccount by using -n | --name flag followed by the name of the service account. Eg. tesserarius extensions.serviceaccount.delete -n test-staging-media
tesserarius extensions.serviceaccount.upload
This command uploads a serviceaccount key listed in the config file under the extensions.serviceAccount list. Eg tesserarius extensions.serviceaccount.upload service-product-media product gcloud:
Usage: tesserarius [--core-opts] extensions.serviceaccount.upload [--options] [other tasks here ...] Docstring: Uploads a Google Cloud IAM Service Account private key to k8s namespace as a generic secret on rehive-services Options: -n STRING, --name=STRING The name of the service account to upload -s STRING, --secret=STRING The kubernetes secret name to upload the private keytesserarius extensions.serviceaccount.update
This command updates all the serviceaccounts listed in the config file under the extensions.serviceAccount list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (<service-name>((-staging)?)(-<role_name>)?) It allows you to update an existing serviceaccount details:
Usage: tesserarius [--core-opts] extensions.serviceaccount.update [--options] [other tasks here ...] Docstring: Updates a Google Cloud IAM Service Account on rehive-services Options: -n STRING, --name=STRING The name of the service account to handle You may update a specific serviceaccount by using ``-n | --name`` flag followed by the name of the service account. Eg. ``tesserarius extensions.serviceaccount.update -n test-staging-media``tesserarius extensions.roles.create
This command creates all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)?):
Usage: tesserarius [--core-opts] extensions.roles.create [--options] [other tasks here ...] Docstring: Creates a Google Cloud IAM role on rehive-services Options: -n STRING, --name=STRING The name of the role to handle
tesserarius extensions.roles.update
This command updates all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)?):
Usage: tesserarius [--core-opts] extensions.roles.update [--options] [other tasks here ...] Docstring: Updates a Google Cloud IAM role on rehive-services Options: -n STRING, --name=STRING The name of the role to handle
tesserarius extensions.roles.delete
This command deletes all the roles listed in the config file under the extensions.roles list. It makes some checks to ensure that the names of the service account conform to the naming conventions set in for service account names (extensions.<service-name>(.<actor>)):
Usage: tesserarius [--core-opts] extensions.roles.delete [--options] [other tasks here ...] Docstring: Deletes a Google Cloud IAM role on rehive-services Options: -n STRING, --name=STRING The name of the role to handle
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for tesserarius-0.0.5-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a78665c77c376c63ec3ffa9639ffdd51d3f22fa2c32aaeba9fe99b7d756cf686 |
|
| MD5 | 6c4fc790d6061565f35d9b216818d4c7 |
|
| BLAKE2b-256 | d1c5efe27d859daae05a7e5f949eead0faa1c5edf59ba5c21946bb86920ac6ec |
