Add GCSFUSE filesystem (google#42)

* Add GCSFUSE filesystem * Restart daemonset after completion * grant admin permission to the service account * delete temp directory * Move gcsfuse.sh to start.sh * delete gcsfuse.sh * delete gsa when stopping cluster
zhiy0122 · Feb 21, 2020 · 1d228b0 · 1d228b0
1 parent a75a253
commit 1d228b0
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 42 deletions.
diff --git a/infrastructure/kctf/config/daemon-gcsfuse.yaml b/infrastructure/kctf/config/daemon-gcsfuse.yaml
@@ -22,7 +22,7 @@ spec:
         image: ubuntu:19.10
         securityContext:
           privileged: true
-        command: ["sh", "-c", "apt-get update && apt-get install -y wget fuse && wget -q https://github.com/GoogleCloudPlatform/gcsfuse/releases/download/v0.29.0/gcsfuse_0.29.0_amd64.deb && dpkg -i gcsfuse_0.29.0_amd64.deb && mkdir -p /mnt/disks/gcs && ((test -f /config/gcs_bucket && gcsfuse --foreground --debug_fuse --debug_gcs --stat-cache-ttl 0 -type-cache-ttl 0 -o allow_other --file-mode 0777 --dir-mode 0777 --uid 1000 --gid 1000 --key-file=$(ls /secrets/*.json|head -n 1) $(cat /config/gcs_bucket) /mnt/disks/gcs) || echo NO GCS BUCKET CONFIGURED>&2; chmod 0777 /mnt/disks/gcs && chown 1000:1000 /mnt/disks/gcs)"]
+        command: ["sh", "-c", "apt-get update && apt-get install -y wget fuse && wget -q https://github.com/GoogleCloudPlatform/gcsfuse/releases/download/v0.29.0/gcsfuse_0.29.0_amd64.deb && dpkg -i gcsfuse_0.29.0_amd64.deb && mkdir -p /mnt/disks/gcs && ((test -f /config/gcs_bucket && gcsfuse --foreground --debug_fuse --debug_gcs --stat-cache-ttl 0 -type-cache-ttl 0 -o allow_other --file-mode 0777 --dir-mode 0777 --uid 1000 --gid 1000 --key-file=$(ls /secrets/*.json|head -n 1) $(cat /config/gcs_bucket) /mnt/disks/gcs) || echo NO GCS BUCKET CONFIGURED>&2; chmod 0777 /mnt/disks/gcs && chown 1000:1000 /mnt/disks/gcs; true)"]
         volumeMounts:
         - name: mnt-disks-gcs
           mountPath: /mnt/disks/gcs

diff --git a/infrastructure/kctf/scripts/cluster/start.sh b/infrastructure/kctf/scripts/cluster/start.sh
@@ -18,12 +18,37 @@ gcloud compute routers nats create kctf-${CLUSTER_NAME}-nat-config --router-regi
 
 get_cluster_creds
 
-kubectl create configmap gcsfuse-config --namespace kube-system
-kubectl create secret generic gcsfuse-secrets --namespace kube-system
+# GCSFUSE
+
+SUFFIX=$(echo "${PROJECT}-${CLUSTER_NAME}-${ZONE}" | sha1sum)
+BUCKET_NAME="kctf-gcsfuse-${SUFFIX:0:16}"
+GSA_NAME="${BUCKET_NAME}"
+GSA_EMAIL=$(gcloud iam service-accounts list --filter "name:${GSA_NAME}" --format 'get(email)' || true)
+if [ -z "${GSA_EMAIL}" ]; then
+  gcloud iam service-accounts create "${GSA_NAME}" --description "kCTF GCSFUSE service account ${CLUSTER_NAME} ${ZONE}" --display-name "kCTF GCSFUSE ${CLUSTER_NAME} ${ZONE}"
+  GSA_EMAIL=$(gcloud iam service-accounts list --filter "name:${GSA_NAME}" --format 'get(email)')
+fi
+if ! gsutil du "gs://${BUCKET_NAME}/"; then
+  gsutil mb -l eu "gs://${BUCKET_NAME}/"
+  gsutil uniformbucketlevelaccess set on "gs://${BUCKET_NAME}/"
+fi
+gcloud projects add-iam-policy-binding "${PROJECT}" --member "serviceAccount:${GSA_EMAIL}" --role roles/storage.objectAdmin
+
+KEY_PATH=$(mktemp -d)/key.json
+
+gcloud iam service-accounts keys create "${KEY_PATH}" --iam-account "${GSA_EMAIL}"
+
+kubectl create secret generic gcsfuse-secrets --from-file="${KEY_PATH}" --namespace kube-system
+
+rm -rf $(dirname "${KEY_PATH}")
+
+kubectl create configmap gcsfuse-config --from-literal=gcs_bucket="${BUCKET_NAME}" --namespace kube-system
+
+kubectl create -f "${DIR}/config/daemon-gcsfuse.yaml"
+
 
 kubectl create -f "${DIR}/config/apparmor.yaml"
 kubectl create -f "${DIR}/config/daemon.yaml"
-kubectl create -f "${DIR}/config/daemon-gcsfuse.yaml"
 kubectl create -f "${DIR}/config/network-policy.yaml"
 kubectl create -f "${DIR}/config/allow-dns.yaml"
 kubectl patch ServiceAccount default --patch "automountServiceAccountToken: false"
diff --git a/infrastructure/kctf/scripts/cluster/stop.sh b/infrastructure/kctf/scripts/cluster/stop.sh
@@ -8,3 +8,10 @@ load_config
 
 gcloud container clusters delete ${CLUSTER_NAME}
 gcloud compute routers delete kctf-${CLUSTER_NAME}-nat-router --region ${ZONE::-2}
+
+SUFFIX=$(echo "${PROJECT}-${CLUSTER_NAME}-${ZONE}" | sha1sum)
+GSA_NAME="kctf-gcsfuse-${SUFFIX:0:16}"
+GSA_EMAIL=$(gcloud iam service-accounts list --filter "name:${GSA_NAME}" --format 'get(email)' || true)
+if [ -z "${GSA_EMAIL}" ]; then
+  gcloud iam service-accounts delete "${GSA_EMAIL}"
+fi
diff --git a/infrastructure/kctf/scripts/setup/gcsfuse.sh b/infrastructure/kctf/scripts/setup/gcsfuse.sh