Commit 40ef83d4 authored by Pierre Smeyers

Merge branch 'replace-bitnami-kubectl' into 'master'

feat!: replace bitnami/kubectl with alpine/k8s

Closes #51

See merge request to-be-continuous/kubernetes!99
parents 93ec1417 9e51a302
+10 −9
@@ -9,6 +9,8 @@ or [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustom
This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 
or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.

:warning: You **MUST** set the `kubectl-image` / `K8S_KUBECTL_IMAGE` variable to a docker image containing a version of `kubectl` that is compatible with your Kubernetes cluster (see below).

### Use as a CI/CD component

Add the following to your `.gitlab-ci.yml`:
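Review bot: the warning added at line 22 requires a `kubectl` "compatible with your Kubernetes cluster" but never defines compatible; spell out the skew rule (kubectl is supported within one minor version, older or newer, of the kube-apiserver) so readers can choose the tag without guessing, and state what happens when the variable is left unset, since the new default tag further down in this change does not exist and the job fails at image pull.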
@@ -20,7 +22,7 @@ include:
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
      kubectl-image: docker.io/bitnami/kubectl:1.26
      kubectl-image: docker.io/alpine/k8s:1.33.2
      base-app-name: wonderapp
      review-space: myapp-nonprod
      staging-space: myapp-nonprod
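Review bot: the example at line 32 pins `docker.io/alpine/k8s:1.33.2` by tag only; because this image is the environment that receives the cluster credentials and runs every `kubectl` call, the example is the right place to show a digest pin (`docker.io/alpine/k8s:1.33.2@sha256:<digest>`) and to say that the tag is the kubectl minor version that must match the server, rather than leaving it at "this is only an example".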
@@ -41,7 +43,7 @@ include:
variables:
  # 2: set/override template variables
  # ⚠ this is only an example
  K8S_KUBECTL_IMAGE: docker.io/bitnami/kubectl:1.26
  K8S_KUBECTL_IMAGE: docker.io/alpine/k8s:1.33.2
  K8S_BASE_APP_NAME: wonderapp
  K8S_REVIEW_SPACE: myapp-nonprod
  K8S_STAGING_SPACE: myapp-nonprod
@@ -372,7 +374,7 @@ The Kubernetes template uses some global configuration used throughout all jobs.

| Input / Variable | Description                                                                                                                                                             | Default value                                                                                          |
| --------------------- | -------------------------------------- | ----------------- |
| `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server**                                        | `docker.io/bitnami/kubectl:latest`                                                       <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBECTL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBECTL_IMAGE) |
| `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server**                                        | `docker.io/alpine/k8s:MUST_SET_VERSION`                                                       <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBECTL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBECTL_IMAGE) |
| `base-app-name` / `K8S_BASE_APP_NAME` | Default application name                                                                                                                                                | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |
| `environment-url` / `K8S_ENVIRONMENT_URL`    | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.k8s.acme.com`)_ | _none_                                                                                                 |
| `KUBE_CONTEXT`      | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ci/environments/#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |
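Review bot: the new default `docker.io/alpine/k8s:MUST_SET_VERSION` at line 50 is a deliberately unpullable tag, yet the cell still reads like a working default and the Trivy badge in the same cell links to a scan of the default image, which cannot exist for a sentinel; say in the description that the job fails at image pull until the variable is set, and either drop the badge or point it at the example tag used elsewhere in the README.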
@@ -481,13 +483,11 @@ Here are its parameters:

This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.

#### :warning: Change default `K8S_KUBECTL_IMAGE`
#### :warning: `K8S_KUBECTL_IMAGE` requirements

The Vault variant requires `curl` or `wget` to retrieve secrets from the Vault server, which makes it incompatible with the
[default `K8S_KUBECTL_IMAGE` from Bitnami](https://bitnami.com/stack/kubectl/containers), as `curl` and `wget` are no longer part of it.
The Vault variant requires `curl` or `wget` to retrieve secrets from the Vault server.

As a result, when using the Vault variant, you'll have to select a `K8S_KUBECTL_IMAGE` that - in addition to `kubectl` - contains `curl` or `wget`.
For instance [container-oc](https://github.com/appuio/container-oc) images (see example below).
As a result, when using the Vault variant, you'll have to select a `K8S_KUBECTL_IMAGE` that - in addition to `kubectl` - contains `curl` or `wget` like `docker.io/alpine/k8s`.

#### Configuration

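Review bot: line 67 drops the "see example below" cross-reference that line 66 carried and replaces container-oc with `docker.io/alpine/k8s`, but the Vault example that follows this section is not touched by the change; if it still shows a container-oc image, prose and example now disagree. It would also help to give users of another image a quick check for the requirement stated at line 63, e.g. `docker run --rm --entrypoint sh docker.io/alpine/k8s:1.33.2 -c 'command -v curl wget'`.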
@@ -552,6 +552,7 @@ List of requirements before using this variant:
3. Optionally, you can set the `GOOGLE_CLOUD_PROJECT` template variable
   to define the default Google Cloud project.
4. You must have create a `kubeconfig.yaml` configuration which [enable application default credentials for kubectl](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#environments-without-gcloud)
5. You should remove the `K8S_KUBECTL_IMAGE` / `kubectl-image` as this variant includes the recommended image to work with GKE.

The Gitlab documentation has some [details about Workload Identity Federation integration][gcp-gitlab-wif].

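Review bot: step 5 at line 75 tells GKE users to remove `K8S_KUBECTL_IMAGE` / `kubectl-image`, while the warning added at line 22 tells every user they MUST set it; the two instructions conflict unless the README states that a variant shipping its own image supersedes the global sentinel. Say so here, and say which value wins when a project sets the variable and uses this variant at the same time, since that is the case the "should" at line 75 leaves open.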
@@ -610,6 +611,7 @@ This variant use the OIDC and [AWS STS](https://docs.aws.amazon.com/fr_fr/STS/la
- [Create an OpenID Connect (OIDC) identity provider in IAM
  ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
- [Configure a web identity role](https://docs.gitlab.com/ci/cloud_services/aws/#configure-a-role-and-trust)
- Use a `K8S_KUBECTL_IMAGE` that contains also `aws-iam-authenticator` like `docker.io/alpine/k8s`

#### Configuration

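Review bot: the bullet added at line 83 recommends `docker.io/alpine/k8s` without a version, although line 22 makes the version mandatory and the table row at line 91 that carried the previous AWS default `1.32.1` is removed in this same change; give the bullet a concrete tag (the README examples use `1.33.2`) and warn that AWS-variant users who never set the global image will now hit the `MUST_SET_VERSION` sentinel.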
@@ -625,7 +627,6 @@ The variant requires the additional configuration parameters :
| `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN`     | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ | _none_           |
| `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_     | _none_           |
| `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN`       | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_  | _none_           |
| `kubectl-image` / `K8S_KUBECTL_IMAGE`                     | The Docker image used to run Kubernetes `kubectl` commands on [AWS]                                                                                                                    | `docker.io/alpine/k8s:1.32.1` |

#### Example

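Review bot: removing the `kubectl-image` row at line 91 leaves the AWS variant's parameter table with no mention of the image at all; add a one-line pointer under "The variant requires the additional configuration parameters" (line 87) to the global `kubectl-image` / `K8S_KUBECTL_IMAGE` parameter so readers of this section alone do not miss that it is now their responsibility.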
+1 −6
@@ -9,7 +9,7 @@
    {
      "name": "K8S_KUBECTL_IMAGE",
      "description": "The Docker image used to run Kubernetes `kubectl` commands - **set the version required by your Kubernetes server**",
      "default": "docker.io/bitnami/kubectl:latest"
      "default": "docker.io/alpine/k8s:MUST_SET_VERSION"
    },
    {
      "name": "K8S_DEFAULT_KUBE_CONFIG",
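Review bot: this file feeds the Kicker form, so the default `docker.io/alpine/k8s:MUST_SET_VERSION` at line 102 is pre-filled into generated pipelines as if it were valid; unless the schema can mark the field as required, extend the description at line 100 to say the value must be replaced before the pipeline can run, mirroring the README warning.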
@@ -413,11 +413,6 @@
          "name": "AWS_PROD_OIDC_ROLE_ARN",
          "description": "The role ARN configured for `production` environment",
          "advanced": true
        },
        {
          "name": "K8S_KUBECTL_IMAGE",
          "description": "The Docker image used to run Kubernetes `kubectl` commands on [AWS]",
          "default": "docker.io/alpine/k8s:1.32.1"
        }
      ]
    }
+0 −5
@@ -3,9 +3,6 @@
# =====================================================================================================================
spec:
  inputs:
    kubectl-image:
      description: The Docker image used to run Kubernetes `kubectl` commands on [AWS]
      default: docker.io/alpine/k8s:1.32.1
    aws-oidc-aud:
      description: The `aud` claim for the JWT
      default: $CI_SERVER_URL
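Review bot: dropping the `kubectl-image` input at lines 124-126 is a hard break for projects that pass `kubectl-image:` to the AWS component, because GitLab rejects a component invocation that supplies an input the spec does not declare; the `feat!` marker in the commit covers the breaking nature, but the README's AWS section should carry the migration step (move the value to the base component's `kubectl-image` input).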
@@ -34,8 +31,6 @@ variables:
  AWS_INTEG_OIDC_ROLE_ARN: $[[ inputs.aws-integ-oidc-role-arn ]]
  AWS_PROD_OIDC_ROLE_ARN: $[[ inputs.aws-prod-oidc-role-arn ]]

  K8S_KUBECTL_IMAGE: $[[ inputs.kubectl-image ]]

.k8s-aws-sts:
  # init Assume Role with Web Identity Configuration
  # see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
+1 −1
@@ -17,7 +17,7 @@ spec:
  inputs:
    kubectl-image:
      description: The Docker image used to run Kubernetes `kubectl` commands - **set the version required by your Kubernetes server**
      default: docker.io/bitnami/kubectl:latest
      default: docker.io/alpine/k8s:MUST_SET_VERSION
    url:
      description: Global Kubernetes API url (only define if using exploded kubeconfig parameters)
      default: ''
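Review bot: with the sentinel default at line 146 the base component fails at image pull when `kubectl-image` is omitted; consider declaring the input without a `default` instead, so GitLab reports a missing required input at pipeline creation rather than a pull error at job runtime, and keep the templates.json default in step with whichever option is chosen.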