{"id":19126613,"url":"https://github.com/rimusz/cloud-builders-helm","last_synced_at":"2025-09-10T23:37:26.385Z","repository":{"id":82155745,"uuid":"97252247","full_name":"rimusz/cloud-builders-helm","owner":"rimusz","description":"GCP Cloud Build with Helm","archived":false,"fork":false,"pushed_at":"2019-05-30T11:13:47.000Z","size":93,"stargazers_count":28,"open_issues_count":1,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-05-05T04:07:44.815Z","etag":null,"topics":["cloud-build","continuous-deployment","continuous-integration","gke","helm","helm-tillerless","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rimusz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-07-14T16:16:09.000Z","updated_at":"2022-11-13T18:09:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"99f77df5-234f-4e06-b11f-437bb5da67c7","html_url":"https://github.com/rimusz/cloud-builders-helm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rimusz%2Fcloud-builders-helm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rimusz%2Fcloud-builders-helm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rimusz%2Fcloud-builders-helm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rimusz%2Fcloud-builders-helm/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rimusz","download_url":"https://codeload.github.com/rimusz/cloud-builders-helm/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252576604,"owners_count":21770717,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-build","continuous-deployment","continuous-integration","gke","helm","helm-tillerless","kubernetes"],"created_at":"2024-11-09T05:39:45.976Z","updated_at":"2025-05-05T20:53:03.093Z","avatar_url":"https://github.com/rimusz.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GCP Cloud Builder with Helm\n\nThis Cloud Builder runs [`helm`](https://github.com/kubernetes/helm) along with some [add-ons](#add-ons) and is available at `gcr.io/rimusz-lab1/cloud-builders-helm`\n\n\u003ca name=\"add-ons\"\u003e\u003c/a\u003e\n## Add-ons\nIt supports [Tillerless Helm](https://rimusz.net/tillerless-helm/) and comes with [helm-gcs](https://github.com/viglesiasce/helm-gcs), [helm-diff](https://github.com/databus23/helm-diff) and [helmfile](https://github.com/roboll/helmfile) baked in.\n\n## Using this builder with Google Kubernetes Engine\n\nTo use this builder, your\n[Cloud Build Service Account](https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions)\nwill need IAM permissions sufficient for the operations you want to perform. For\ntypical read-only usage, the \"Container Engine Viewer\" role is sufficient. 
To\ndeploy container images on a GKE cluster, the \"Container Engine Developer\" role\nis sufficient. Check the\n[GKE IAM page](https://cloud.google.com/kubernetes-engine/docs/concepts/access-control)\nfor details.\n\nFor most uses, `helm` will need to be configured to point to a specific GKE\ncluster. That can be done using a `kubectl` step (check [examples](examples))\nwhere you need to configure the cluster by setting environment variables.\n\n    CLOUDSDK_COMPUTE_ZONE=\u003cyour cluster's zone\u003e\n    CLOUDSDK_CONTAINER_CLUSTER=\u003cyour cluster's name\u003e\n\nSetting the environment variables above will cause this step's entrypoint to\nfirst run a command to fetch cluster credentials as follows.\n\n    gcloud container clusters get-credentials --zone \"$CLOUDSDK_COMPUTE_ZONE\" \"$CLOUDSDK_CONTAINER_CLUSTER\"\n\nThe `kubeconfig` will be saved to `/workspace/.kube/config`, and `helm` will then\nhave the configuration needed to talk to your GKE cluster.\n\nExample of `cloudbuild.yaml` file:\n\n```\nsteps:\n\n# fetch GKE cluster credentials to be used for helm step\n- name: 'gcr.io/cloud-builders/kubectl'\n  env:\n  - 'CLOUDSDK_COMPUTE_ZONE=\u003cyour cluster zone\u003e'\n  - 'CLOUDSDK_CONTAINER_CLUSTER=\u003cyour cluster name\u003e'\n  - 'KUBECONFIG=/workspace/.kube/config'\n  args: ['cluster-info']\n\n# run helm command to install/upgrade filebeat\n# optionally you can set to add any other Helm chart repository\n# to use charts from\n- name: 'gcr.io/$PROJECT_ID/cloud-builders-helm'\n  args: ['upgrade', '--install', 'filebeat', '--namespace', 'filebeat', 'stable/filebeat']\n  env:\n  - 'KUBECONFIG=/workspace/.kube/config'\n  - 'HELM_REPO_NAME=example'\n  - 'HELM_REPO_URL=http://charts.example.com'\n  - 'TILLERLESS=true'\n  - 'TILLER_NAMESPACE=test'\n```\n\n## Using Helm\n\nThis builder supports two install options of Helm:\n* The default one when the `tiller` gets installed into your GKE cluster.\n* Secure `Tillerless Helm` where `tiller` runs outside the GKE 
cluster.\n\n### Default Helm + Tiller setup\n\nThe default one when the `tiller` gets installed into your GKE cluster (oh all those `tiller` security issues).\n\nYou can test e.g. installing a chart via `Helm`, running the following command.\n\n    gcloud builds submit . --config=examples/cloudbuild_not_tillerless.yaml\n\n\n### Tillerless Helm setup\n\n`Tillerless Helm` which solves all those `tiller` security issues, as `tiller` runs outside the GKE cluster.\nI wrote a [blog post](https://rimusz.net/tillerless-helm/) on how to use the Helm local [tiller plugin](https://github.com/rimusz/helm-tiller).\n\nYou can test e.g. installing a chart via `Tillerless Helm`, running the following command.\n\n    gcloud builds submit . --config=examples/cloudbuild.yaml\n\n**Note:** Also if your GKE cluster has `RBAC` enabled, you must grant the Cloud Build Service Account the `cluster-admin` role (or make it more specific for your use case), but for some reason Cloud Build uses the Cloud Build Service Account `uniqueId` to authenticate to the GKE cluster instead of its email address.\n\nBelow is an example of how to set it up with `uniqueId`.\n\n    # Get Cloud Build Service Account uniqueId\n    user=$(gcloud iam service-accounts describe your_project_id@cloudbuild.gserviceaccount.com | grep -o 'uniqueId.*' | awk -v FS=\"('|')\" '{print $2}')\n\n    # Grant Cloud Build Service Account `cluster-admin` role\n    kubectl create clusterrolebinding cluster-admin-your_project_id_sa --clusterrole cluster-admin --user your_project_id@cloudbuild.gserviceaccount.com\n    kubectl create clusterrolebinding cluster-admin-$user --clusterrole cluster-admin --user $user\n\n## Building this builder\n\nTo build this builder, run the following commands in this directory.\n\n    $ ./.scripts/set_tag.sh\n    $ gcloud builds submit . 
--config=.pipeline/cloudbuild.yaml\n\nThe first step sets the Helm client version (stored in the TAG file) to be used for building the image,\nand the second builds the docker image and stores it under your GCP `project/helm` repo.\n\nYou can also automate builds by using a `Container Registry build trigger` and connecting it to your `GitHub` repo\nas per the example below:\n\n![dockerbuilder-trigger](dockerbuilder-trigger.png \"dockerbuilder-trigger\")\n\n\n## Configuration\n\nThe following options are configurable via environment variables passed to the build step in the `env` parameter:\n\n| Option        | Description   |\n| ------------- | ------------- |\n| HELM_REPO_NAME | External Helm repository name, optional |\n| HELM_REPO_URL | External Helm repo URL, optional |\n| TILLERLESS | If false, Tillerless Helm is disabled, optional |\n| TILLER_NAMESPACE | Tiller namespace, optional |\n| HELM_TILLER_HISTORY_MAX | Maximum number of releases kept in release history, optional |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frimusz%2Fcloud-builders-helm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frimusz%2Fcloud-builders-helm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frimusz%2Fcloud-builders-helm/lists"}