This Cloud Builder runs `helm` along with some add-ons and is available at `gcr.io/rimusz-lab1/cloud-builders-helm`.

It supports Tillerless Helm and comes with helm-gcs, helm-diff and helmfile baked in.
To use this builder, your Cloud Build Service Account will need IAM permissions sufficient for the operations you want to perform. For typical read-only usage, the "Container Engine Viewer" role is sufficient. To deploy container images on a GKE cluster, the "Container Engine Developer" role is sufficient. Check the GKE IAM page for details.
For most use, `helm` will need to be configured to point to a specific GKE cluster. That can be done using a `kubectl` step (check examples) where you configure the cluster by setting environment variables:

```
CLOUDSDK_COMPUTE_ZONE=<your cluster's zone>
CLOUDSDK_CONTAINER_CLUSTER=<your cluster's name>
```
Setting the environment variables above will cause this step's entrypoint to first run a command to fetch cluster credentials as follows:

```
gcloud container clusters get-credentials --zone "$CLOUDSDK_COMPUTE_ZONE" "$CLOUDSDK_CONTAINER_CLUSTER"
```
The kubeconfig will be saved to `/workspace/.kube/config`; `helm` will then have the configuration needed to talk to your GKE cluster.
Example of a `cloudbuild.yaml` file:

```yaml
steps:
# fetch GKE cluster credentials to be used for the helm step
- name: 'gcr.io/cloud-builders/kubectl'
  env:
  - 'CLOUDSDK_COMPUTE_ZONE=<your cluster zone>'
  - 'CLOUDSDK_CONTAINER_CLUSTER=<your cluster name>'
  - 'KUBECONFIG=/workspace/.kube/config'
  args: ['cluster-info']
# run helm command to install/upgrade filebeat
# optionally you can set HELM_REPO_NAME and HELM_REPO_URL to add any other
# Helm chart repository to use charts from
- name: 'gcr.io/$PROJECT_ID/cloud-builders-helm'
  args: ['upgrade', '--install', 'filebeat', '--namespace', 'filebeat', 'stable/filebeat']
  env:
  - 'KUBECONFIG=/workspace/.kube/config'
  - 'HELM_REPO_NAME=example'
  - 'HELM_REPO_URL=http://charts.example.com'
  - 'TILLERLESS=true'
  - 'TILLER_NAMESPACE=test'
```
This builder supports two install options of Helm:

- The default one, where `tiller` gets installed into your GKE cluster.
- Secure Tillerless Helm, where `tiller` runs outside the GKE cluster.
The default one, where `tiller` gets installed into your GKE cluster (oh, all those `tiller` security issues).

You can test, e.g., installing a chart via Helm by running the following command:

```
gcloud builds submit . --config=examples/cloudbuild_not_tillerless.yaml
```
Tillerless Helm, which solves all those `tiller` security issues, as `tiller` runs outside the GKE cluster.

I wrote a blog post on how to use the Helm local tiller plugin.

You can test, e.g., installing a chart via Tillerless Helm by running the following command:

```
gcloud builds submit . --config=examples/cloudbuild.yaml
```
Note: if your GKE cluster has RBAC enabled, you must also grant the Cloud Build Service Account the `cluster-admin` role (or a more specific role for your use case). For some reason Cloud Build authenticates to the GKE cluster using the Cloud Build Service Account's `uniqueId` instead of its email address, so the binding has to reference that `uniqueId`. Below is an example of how to set it up with the `uniqueId`.
```sh
# Get Cloud Build Service Account uniqueId
user=$(gcloud iam service-accounts describe your_project_id@cloudbuild.gserviceaccount.com | grep -o 'uniqueId.*' | awk -v FS="('|')" '{print $2}')
# Grant Cloud Build Service Account `cluster-admin` role (by email and by uniqueId)
kubectl create clusterrolebinding cluster-admin-your_project_id_sa --clusterrole cluster-admin --user your_project_id@cloudbuild.gserviceaccount.com
kubectl create clusterrolebinding cluster-admin-$user --clusterrole cluster-admin --user $user
```
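The note above says the binding can be made "more specific for your use case". The following script is an added example (not part of this builder's repository) of doing exactly that: it extracts the `uniqueId` from `gcloud iam service-accounts describe` output with a single `sed` expression that tolerates both single- and double-quoted YAML scalars, and renders a namespace-scoped `RoleBinding` to the built-in `edit` ClusterRole instead of a cluster-wide `cluster-admin` binding. The `describe` output, the namespace `filebeat` and the project name `example-project` are constructed sample values; in real use you would pipe the real `gcloud` output into `extract_unique_id` and apply the rendered manifest with `kubectl apply -f -`.

```shell
#!/bin/sh
# Added example, not code from the cloud-builders-helm project.
# Assumption: the describe output and names below are constructed for illustration.

# Constructed sample of `gcloud iam service-accounts describe <sa-email>` output.
# gcloud prints YAML and quotes large numeric strings, so uniqueId is quoted.
SAMPLE_DESCRIBE='displayName: Cloud Build Service Account
email: 123456789012@cloudbuild.gserviceaccount.com
name: projects/example-project/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com
oauth2ClientId: "109876543210987654321"
projectId: example-project
uniqueId: "109876543210987654321"'

# extract_unique_id: read describe output on stdin, print the uniqueId digits only.
# Accepts an unquoted, single-quoted or double-quoted value.
extract_unique_id() {
  sed -n "s/^uniqueId: *['\"]\{0,1\}\([0-9]*\)['\"]\{0,1\} *$/\1/p"
}

# render_rolebinding NAMESPACE USER: print a RoleBinding that grants the built-in
# `edit` ClusterRole inside one namespace only, the narrower alternative to
# cluster-admin. USER is the uniqueId the cluster sees Cloud Build authenticate as.
render_rolebinding() {
  ns="$1"
  user="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cloudbuild-helm-${ns}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Stand-alone run on the constructed sample. With a real account you would use:
#   gcloud iam service-accounts describe "$SA_EMAIL" | extract_unique_id
uid=$(printf '%s\n' "$SAMPLE_DESCRIBE" | extract_unique_id)
render_rolebinding filebeat "$uid"
```

The `edit` ClusterRole covers creating and updating Deployments, Services, ConfigMaps and Secrets in the bound namespace, which is what a `helm upgrade --install --namespace filebeat` run in Tillerless mode needs; it does not allow reading RBAC objects or touching other namespaces, so a compromised build cannot escalate cluster-wide the way a `cluster-admin` binding would permit.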
To build this builder, run the following commands in this directory:

```
$ ./.scripts/set_tag.sh
$ gcloud builds submit . --config=.pipeline/cloudbuild.yaml
```

The first step sets the Helm client version (stored in the `TAG` file) to be used for building the image, and the second builds the Docker image and stores it under your GCP project's `helm` repo.

You can also automate builds by using a Container Registry build trigger and connecting it to your GitHub repo, as per the example below:
The following options are configurable via environment variables passed to the build step in the `env` parameter:

| Option | Description |
|---|---|
| `HELM_REPO_NAME` | External Helm repository name, optional |
| `HELM_REPO_URL` | External Helm repo URL, optional |
| `TILLERLESS` | If `false`, Tillerless Helm is disabled, optional |
| `TILLER_NAMESPACE` | Tiller namespace, optional |
| `HELM_TILLER_HISTORY_MAX` | Maximum number of releases kept in release history, optional |