    def Args(cls, parser):
        """Register the flags of the unregister command on ``parser``.

        Adds the positional ``CLUSTER_NAME`` argument and the shared
        unregister flags from ``hub_util``. On the ALPHA release track only,
        a hidden ``--manage-workload-identity-bucket`` switch is added inside
        a hidden "Workload Identity" group; per its help text, setting it
        makes the unregister flow delete the cluster's Workload Identity
        bucket.

        Args:
          parser: the command's argument parser (must support ``add_group``
            and the ``hidden`` keyword, as used below).
        """
        cluster_name_help = textwrap.dedent("""\
            The membership name that corresponds to the cluster being
            unregistered. To get list of all the memberships on the Hub,
            consider using the command: `{parent_command} list`.
         """)
        parser.add_argument('CLUSTER_NAME', type=str, help=cluster_name_help)
        hub_util.AddUnRegisterCommonArgs(parser)

        # Bucket deletion is a destructive, alpha-only option; nothing below
        # is registered on any other release track.
        if cls.ReleaseTrack() is not base.ReleaseTrack.ALPHA:
            return
        bucket_help = textwrap.dedent("""\
            Set this option if --manage-workload-identity-bucket was set when
            the cluster was initially registered with Hub. Setting this option
            will cause the bucket to be deleted.
            Requires gcloud alpha.
            """)
        wi_group = parser.add_group(help='Workload Identity', hidden=True)
        wi_group.add_argument(
            '--manage-workload-identity-bucket',
            action='store_true',
            hidden=True,
            help=bucket_help,
        )
 def Args(cls, parser):
     """Register the flags of the unregister command on ``parser``.

     Adds the positional ``CLUSTER_NAME`` argument (the membership name of
     the cluster being unregistered) followed by the shared unregister flags
     from ``hub_util``.

     Args:
       parser: the command's argument parser.
     """
     cluster_name_help = textwrap.dedent("""\
         The membership name that corresponds to the cluster being
         unregistered. To get list of all the memberships on the Hub,
         consider using the command: `{parent_command} list`.
      """)
     parser.add_argument('CLUSTER_NAME', help=cluster_name_help, type=str)
     hub_util.AddUnRegisterCommonArgs(parser)
 def Args(cls, parser):
   """Register the flags of the unregister command on ``parser``.

   Adds the positional ``CLUSTER_NAME`` argument (the cluster's membership
   resource name) followed by the shared unregister flags from ``hub_util``.

   Args:
     parser: the command's argument parser.
   """
   cluster_name_help = textwrap.dedent("""\
           The name of the cluster being unregistered. This name corresponds
           to the cluster's membership resource name. To list of all the
           memberships inside your project, consider using the command:
           `{parent_command} clusters list`.
        """)
   parser.add_argument('CLUSTER_NAME', help=cluster_name_help, type=str)
   hub_util.AddUnRegisterCommonArgs(parser)
    def Args(cls, parser):
        """Register the flags of the register command on ``parser``.

        Flags are added in a fixed order because that order is what the
        generated help output shows:

          * positional ``CLUSTER_NAME`` plus the shared flags from ``hub_util``;
          * the visible ``--manifest-output-file`` and ``--proxy`` string
            flags, then the hidden ``--version``, ``DOCKER_CREDENTIAL_FILE_FLAG``
            and ``--docker-registry`` string flags;
          * a required, mutually exclusive credential choice: either
            ``SERVICE_ACCOUNT_KEY_FILE_FLAG`` (a service-account private key
            which, per its help text, is persisted in the cluster as the
            ``creds-gcp`` Secret in the ``gke-connect`` namespace) or the
            "Workload Identity" group, in which ``--enable-workload-identity``
            is required once the group is used;
          * inside that group, a mutex sub-group holding ``--public-issuer-url``
            and, on the ALPHA track only, the hidden
            ``--manage-workload-identity-bucket`` and ``--has-private-issuer``
            switches.

        Args:
          parser: the command's argument parser (must support ``add_group``
            and the ``hidden`` keyword, as used below).
        """
        parser.add_argument(
            'CLUSTER_NAME',
            type=str,
            help=textwrap.dedent("""\
          The membership name that you choose to uniquely represents the cluster
          being registered on the Hub.
         """),
        )
        hub_util.AddUnRegisterCommonArgs(parser)

        # (flag, extra keyword args, help text): plain string-valued flags,
        # registered in this order. ``extra`` carries ``hidden=True`` for the
        # flags that are not shown in help output.
        string_flags = (
            ('--manifest-output-file', {}, textwrap.dedent("""\
            The full path of the file into which the Connect Agent installation
            manifest should be stored. If this option is provided, then the
            manifest will be written to this file and will not be deployed into
            the cluster by gcloud, and it will need to be deployed manually.
          """)),
            ('--proxy', {}, textwrap.dedent("""\
            The proxy address in the format of http[s]://{hostname}. The proxy
            must support the HTTP CONNECT method in order for this connection to
            succeed.
          """)),
            ('--version', {'hidden': True}, textwrap.dedent("""\
          The version of the Connect Agent to install/upgrade if not using the
          latest connect version.
          """)),
            (DOCKER_CREDENTIAL_FILE_FLAG, {'hidden': True}, textwrap.dedent("""\
          The credentials to be used if a private registry is provided and auth
          is required. The contents of the file will be stored into a Secret and
          referenced from the imagePullSecrets of the Connect Agent workload.
          """)),
            ('--docker-registry', {'hidden': True}, textwrap.dedent("""\
        The registry to pull GKE Connect Agent image if not using gcr.io/gkeconnect.
          """)),
        )
        for flag, extra, flag_help in string_flags:
            parser.add_argument(flag, type=str, help=flag_help, **extra)

        # Exactly one credential source must be chosen: a key file or the
        # Workload Identity group.
        credential_choice = parser.add_mutually_exclusive_group(required=True)
        credential_choice.add_argument(
            SERVICE_ACCOUNT_KEY_FILE_FLAG,
            type=str,
            help=textwrap.dedent("""\
            The JSON file of a Google Cloud service account private key. This
            service account key is stored as a secret named ``creds-gcp'' in
            gke-connect namespace. To update the ``creds-gcp'' secret in
            gke-connect namespace with a new service account key file, run the
            following command:

            kubectl delete secret creds-gcp -n gke-connect

            kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
         """),
        )

        # Optional groups with required arguments are "modal," meaning that
        # if any of the required arguments is specified, all are required.
        # NOTE(review): the help text below spells the key-file flag with
        # underscores (--service_account_key_file); confirm that matches the
        # value of SERVICE_ACCOUNT_KEY_FILE_FLAG.
        wi_group = credential_choice.add_group(help='Workload Identity')
        wi_group.add_argument(
            '--enable-workload-identity',
            action='store_true',
            required=True,
            help=textwrap.dedent("""\
          Enable Workload Identity when registering the cluster with Hub.
          Requires gcloud alpha or beta.
          --service_account_key_file flag should not be set if this is set.
          """),
        )
        # The issuer options are mutually exclusive with each other.
        issuer_choice = wi_group.add_group(mutex=True)
        issuer_choice.add_argument(
            '--public-issuer-url',
            type=str,
            help=textwrap.dedent("""\
          Skip auto-discovery and register the cluster with this issuer URL.
          Use this option when the OpenID Provider Configuration and associated
          JSON Web Key Set for validating the cluster's service account JWTs
          are served at a public endpoint different from the cluster API server.
          Requires gcloud alpha or beta and --enable-workload-identity.
          """),
        )

        # The remaining issuer switches stay hidden: they are not used for
        # user-facing workflows and are eliminated in beta.
        if cls.ReleaseTrack() is not base.ReleaseTrack.ALPHA:
            return
        alpha_issuer_switches = (
            ('--manage-workload-identity-bucket', textwrap.dedent("""\
            Create the GCS bucket for serving OIDC discovery information when
            registering the cluster with Hub. The cluster must already be
            configured with an issuer URL of the format:
            https://storage.googleapis.com/gke-issuer-{UUID}. The cluster must
            also serve the built-in OIDC discovery endpoints by enabling and
            correctly configuring the ServiceAccountIssuerDiscovery feature.
            Requires gcloud alpha and --enable-workload-identity.
            Mutually exclusive with --public-issuer-url.
            """)),
            ('--has-private-issuer', textwrap.dedent("""\
            Set to true for clusters where no publicly-routable OIDC discovery
            endpoint for the Kubernetes service account token issuer exists.

            When set to true, the gcloud command-line tool will read the
            private issuer URL and JSON Web Key Set (JWKS) (public keys) for
            validating service account tokens from the cluster's API server
            and upload both when creating the Membership. GCP will then use
            the JWKS, instead of a public OIDC endpoint, to validate service
            account tokens issued by this cluster. Note the JWKS establishes
            the uniqueness of issuers in this configuration, but issuer claims
            in tokens are still compared to the issuer URL associated with the
            Membership when validating tokens.

            Note the cluster's OIDC discovery endpoints
            (https://[KUBE-API-ADDRESS]/.well-known/openid-configuration and
            https://[KUBE-API-ADDRESS]/openid/v1/jwks) must still be
            network-accessible to the gcloud client running this command.
            """)),
        )
        for flag, flag_help in alpha_issuer_switches:
            issuer_choice.add_argument(
                flag, hidden=True, action='store_true', help=flag_help)
 def Args(cls, parser):
     """Register only the shared unregister flags from ``hub_util`` on ``parser``.

     No positional ``CLUSTER_NAME`` argument is added by this variant.

     Args:
       parser: the command's argument parser.
     """
     hub_util.AddUnRegisterCommonArgs(parser)
    def Args(cls, parser):
        """Register the flags of the register command on ``parser``.

        Order matters for the generated help output and is kept as:
        positional ``CLUSTER_NAME``, the shared flags from ``hub_util``, the
        required ``SERVICE_ACCOUNT_KEY_FILE_FLAG`` (a service-account private
        key which, per its help text, is persisted in the cluster as the
        ``creds-gcp`` Secret in the ``gke-connect`` namespace), then the
        visible ``--manifest-output-file``, ``--proxy`` and ``--version``
        string flags and the hidden ``DOCKER_CREDENTIAL_FILE_FLAG`` and
        ``--docker-registry`` string flags.

        Args:
          parser: the command's argument parser (must support the ``hidden``
            keyword, as used below).
        """
        cluster_name_help = textwrap.dedent("""\
            The name of the cluster being registered. This name is used to
            represent the cluster membership name in Hub.
         """)
        parser.add_argument('CLUSTER_NAME', type=str, help=cluster_name_help)
        hub_util.AddUnRegisterCommonArgs(parser)

        key_file_help = textwrap.dedent("""\
            The JSON file of a Google Cloud service account private key. This
            service account key is stored as a secret named ``creds-gcp'' in
            gke-connect namespace. To update the ``creds-gcp'' secret in
            gke-connect namespace with a new service account key file, run the
            following command:

            kubectl delete secret creds-gcp -n gke-connect

            kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
         """)
        parser.add_argument(
            SERVICE_ACCOUNT_KEY_FILE_FLAG,
            type=str,
            required=True,
            help=key_file_help,
        )

        # (flag, extra keyword args, help text): plain string-valued flags,
        # registered in this order. ``extra`` carries ``hidden=True`` for the
        # flags that are not shown in help output.
        string_flags = (
            ('--manifest-output-file', {}, textwrap.dedent("""\
            The full path of the file into which the Connect agent installation
            manifest should be stored. If this option is provided, then the
            manifest will be written to this file and will not be deployed into
            the cluster by gcloud, and it will need to be deployed manually.
          """)),
            ('--proxy', {}, textwrap.dedent("""\
            The proxy address in the format of http[s]://{hostname}. The proxy
            must support the HTTP CONNECT method in order for this connection to
            succeed.
          """)),
            ('--version', {}, textwrap.dedent("""\
          The version of the connect agent to install/upgrade if not using the
          latest connect version.
          """)),
            (DOCKER_CREDENTIAL_FILE_FLAG, {'hidden': True}, textwrap.dedent("""\
          The credentials to be used if a private registry is provided and auth
          is required. The contents of the file will be stored into a Secret and
          referenced from the imagePullSecrets of the Connect agent workload.
          """)),
            ('--docker-registry', {'hidden': True}, textwrap.dedent("""\
            The registry to pull GKE Connect agent image if not using
            gcr.io/gkeconnect.
          """)),
        )
        for flag, extra, flag_help in string_flags:
            parser.add_argument(flag, type=str, help=flag_help, **extra)
    def Args(cls, parser):
        """Register the flags of the register command on ``parser``.

        Order matters for the generated help output and is kept as:
        positional ``CLUSTER_NAME``, the shared flags from ``hub_util``, the
        required ``SERVICE_ACCOUNT_KEY_FILE_FLAG`` (a service-account private
        key which, per its help text, is persisted in the cluster as the
        ``creds-gcp`` Secret in the ``gke-connect`` namespace), then the
        visible ``--manifest-output-file`` and ``--proxy`` string flags and
        the hidden ``--version``, ``DOCKER_CREDENTIAL_FILE_FLAG`` and
        ``--docker-registry`` string flags. On the ALPHA track only, a
        "Workload Identity" group is added whose hidden
        ``--enable-workload-identity`` and ``--public-issuer-url`` flags are
        both required once the group is used.

        Args:
          parser: the command's argument parser (must support ``add_group``
            and the ``hidden`` keyword, as used below).
        """
        cluster_name_help = textwrap.dedent("""\
          The membership name that you choose to uniquely represents the cluster
          being registered on the Hub.
         """)
        parser.add_argument('CLUSTER_NAME', type=str, help=cluster_name_help)
        hub_util.AddUnRegisterCommonArgs(parser)

        key_file_help = textwrap.dedent("""\
            The JSON file of a Google Cloud service account private key. This
            service account key is stored as a secret named ``creds-gcp'' in
            gke-connect namespace. To update the ``creds-gcp'' secret in
            gke-connect namespace with a new service account key file, run the
            following command:

            kubectl delete secret creds-gcp -n gke-connect

            kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
         """)
        parser.add_argument(
            SERVICE_ACCOUNT_KEY_FILE_FLAG,
            type=str,
            required=True,
            help=key_file_help,
        )

        # (flag, extra keyword args, help text): plain string-valued flags,
        # registered in this order. ``extra`` carries ``hidden=True`` for the
        # flags that are not shown in help output.
        string_flags = (
            ('--manifest-output-file', {}, textwrap.dedent("""\
            The full path of the file into which the Connect Agent installation
            manifest should be stored. If this option is provided, then the
            manifest will be written to this file and will not be deployed into
            the cluster by gcloud, and it will need to be deployed manually.
          """)),
            ('--proxy', {}, textwrap.dedent("""\
            The proxy address in the format of http[s]://{hostname}. The proxy
            must support the HTTP CONNECT method in order for this connection to
            succeed.
          """)),
            ('--version', {'hidden': True}, textwrap.dedent("""\
          The version of the Connect Agent to install/upgrade if not using the
          latest connect version.
          """)),
            (DOCKER_CREDENTIAL_FILE_FLAG, {'hidden': True}, textwrap.dedent("""\
          The credentials to be used if a private registry is provided and auth
          is required. The contents of the file will be stored into a Secret and
          referenced from the imagePullSecrets of the Connect Agent workload.
          """)),
            ('--docker-registry', {'hidden': True}, textwrap.dedent("""\
        The registry to pull GKE Connect Agent image if not using gcr.io/gkeconnect.
          """)),
        )
        for flag, extra, flag_help in string_flags:
            parser.add_argument(flag, type=str, help=flag_help, **extra)

        # Workload Identity is alpha-only here; nothing below is registered on
        # any other release track.
        if cls.ReleaseTrack() is not base.ReleaseTrack.ALPHA:
            return

        # Optional groups with required arguments are "modal," meaning that
        # if any of the required arguments is specified, all are required.
        wi_group = parser.add_group(help='Workload Identity')
        wi_group.add_argument(
            '--enable-workload-identity',
            action='store_true',
            hidden=True,
            required=True,
            help=textwrap.dedent("""\
            Enable Workload Identity when registering the cluster with Hub.
            Requires gcloud alpha.
            """),
        )
        # TODO(b/150696295): Since --public-issuer-url is the only option added
        # so far, it is required. Future CLs add the ability to auto-detect the
        # issuer from some clusters, but this depends on more complex client
        # support so we split those pieces out. Once auto-detection is added,
        # --public-issuer-url will be an optional flag.
        wi_group.add_argument(
            '--public-issuer-url',
            type=str,
            hidden=True,
            required=True,
            help=textwrap.dedent("""\
            Skip auto-discovery and register the cluster with this issuer URL.
            Use this option when the OpenID Provider Configuration and associated
            JSON Web Key Set for validating the cluster's service account JWTs
            are served at a public endpoint different from the cluster API server.
            Requires gcloud alpha and --enable-workload-identity.
            """),
        )