https://github.com/tweedegolf/kuberwave

Conveniently generate and deploy Kubernetes projects
https://github.com/tweedegolf/kuberwave

Last synced: about 1 month ago
JSON representation

Conveniently generate and deploy Kubernetes projects

• Host: GitHub
• URL: https://github.com/tweedegolf/kuberwave
• Owner: tweedegolf
• Created: 2024-04-25T09:18:25.000Z (8 months ago)
• Default Branch: main
• Last Pushed: 2024-09-13T13:53:45.000Z (4 months ago)
• Last Synced: 2024-09-14T04:19:38.969Z (4 months ago)
• Language: Rust
• Size: 49.8 KB
• Stars: 0
• Watchers: 3
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Kuberwave

Conveniently generate and deploy Kubernetes projects for real production applications.

Kuberwave provides:

* A relatively compact form to write deployments in.

* Frequently occurring patterns such as ingress and certificate definitions.

* Multi-environment inventories similar to Ansible.

* A convenient method of storing secrets in your repositories with ansible-vault.

* Checks whether you have provided all required environment variables.

* Locally deploy your projects in a reproducible manner.

* Conveniently deploy on your CI servers.

```

# ./target/debug/kuberwave -h

kuberwave 0.1.0

generate Kubernetes configurations from the commandline

USAGE:

    kuberwave [SUBCOMMAND]

FLAGS:

    -h, --help       Prints help information

    -V, --version    Prints version information

SUBCOMMANDS:

    cluster-generate    Generates a cluster configuration and writes to a directory

    deploy              Deploys a configuration to the current cluster

    generate            Generates a configuration and writes to a directory

    help                Prints this message or the help of the given subcommand(s)

```

## Projects

### Generate

```

# ./target/debug/kuberwave generate -h

kuberwave-generate

Generates a configuration and writes to a directory

USAGE:

   kuberwave generate [FLAGS] [OPTIONS] 

FLAGS:

   -d, --dry-run    Do not actually write the configuration

   -h, --help       Prints help information

   -V, --version    Prints version information

OPTIONS:

   -i, --inventory     Path to inventory file

   -o, --output           Path to output directory [default: ./result]

ARGS:

       Path to manifest file

```

### Deploy

Directly deploy to a Kubernetes cluster.

Deploys to `kubectl` default cluster or to the default cluster specified with `--kubeconfig`.

Optionally you can authenticate to the cluster with a separate `--token`.

This command is primarily designed to be used by Continuous Integration (CI) environments.

```

# ./target/debug/kuberwave deploy -h

kuberwave-deploy

Deploys a configuration to the current cluster

USAGE:

    kuberwave deploy [FLAGS] [OPTIONS] 

FLAGS:

    -d, --dry-run    Do not actually write the configuration

    -h, --help       Prints help information

    -V, --version    Prints version information

OPTIONS:

    -i, --inventory       Path to inventory file

    -c, --kubeconfig     Path to kubeconfig file

    -t, --token               Path to token file, encrypted with SECRET

ARGS:

        Path to manifest file

```

## Inspect serviceaccount privileges

An admin can inspect the privileges handed out to all service account *per namespace* using the following invocation or similar:

```kubectl auth can-i --as system:serviceaccount:default:example-ci --list -n example-production```

Currently we provide two clusterroles via clustergenerate:

* *role-all*: a role that gives all permissions. When bound as a RoleBinding for a specific namespace, will only grant all permissions for that namespace, except for changing more RoleBindings and Roles. When handed out as an ClusterRoleBinding, will grant all permissions.

* *role-view-unprivileged*: a role that gives read-only (read, watch, list) privileges on all objects, except for Secrets.

Generally all service accounts related to users get cluster-wide view-unprivileged access, and global access for concrete namespaces.

## Cluster (generate)

Generates specific cluster definition files such as serviceaccounts and rolebindings.

```

# ./target/debug/kuberwave cluster-generate -h

kuberwave-cluster-generate

Generates a cluster configuration and writes to a directory

USAGE:

    kuberwave cluster-generate [OPTIONS] 

FLAGS:

    -h, --help       Prints help information

    -V, --version    Prints version information

OPTIONS:

    -o, --output     Path to output directory [default: ./result]

ARGS:

        Path to manifest file

```

As a Kubernetes cluster admin you can deploy the resulting files by running:

```

# kubectl apply -Rf ./result/apply

# kubectl auth reconcile -f ./result/auth

```

## Running in docker

You can run `kuberwave` in docker such that it is reproducible, both locally and on a CI-server.

Here is an example script for a typical deployment with an inventory.

You need to set:

* `SECRET`: your ansible vault password

* `ENV`: to the name of your inventory

```

#!/bin/bash

set -e

echo "Deploying $TAG to $ENV"

docker pull ghcr.io/tweedegolf/kuberwave:latest

docker run \

    -e SECRET="$SECRET" \

    -v `pwd`:/app \

    -w /app/deployment \

      ghcr.io/tweedegolf/kuberwave:latest \

      kuberwave deploy \

        --token=./deploy.token \

        --kubeconfig=./kubeconfig.yml \

        --inventory="./inventory/$ENV.yml" \

        ./manifest.yml

```