def Args(cls, parser):
    """Register the unregister command's flags on *parser*.

    Adds the CLUSTER_NAME positional, the shared unregister flags from
    hub_util and, only when the command runs on the ALPHA track, a hidden
    Workload Identity group carrying --manage-workload-identity-bucket.

    Args:
      cls: the command class; its ReleaseTrack() decides whether the
        alpha-only group is added.
      parser: the argparse-style parser to populate.
    """
    cluster_name_help = textwrap.dedent("""\
        The membership name that corresponds to the cluster being
        unregistered. To get list of all the memberships on the Hub,
        consider using the command:
          `{parent_command} list`.
      """)
    parser.add_argument('CLUSTER_NAME', type=str, help=cluster_name_help)
    hub_util.AddUnRegisterCommonArgs(parser)

    on_alpha_track = cls.ReleaseTrack() is base.ReleaseTrack.ALPHA
    if not on_alpha_track:
        return

    # Destructive per its own help text (the bucket gets deleted), which is
    # why the group and the flag are both hidden and opt-in.
    bucket_help = textwrap.dedent("""\
        Set this option if --manage-workload-identity-bucket was set when the
        cluster was initially registered with Hub. Setting this option will
        cause the bucket to be deleted. Requires gcloud alpha.
      """)
    workload_identity = parser.add_group(help='Workload Identity', hidden=True)
    workload_identity.add_argument(
        '--manage-workload-identity-bucket',
        hidden=True,
        action='store_true',
        help=bucket_help,
    )
def Args(cls, parser):
    """Register the unregister command's flags on *parser*.

    Adds the CLUSTER_NAME positional followed by the shared unregister
    flags from hub_util.

    Args:
      cls: the command class (not consulted here).
      parser: the argparse-style parser to populate.
    """
    positional_spec = {
        'type': str,
        'help': textwrap.dedent("""\
            The membership name that corresponds to the cluster being
            unregistered. To get list of all the memberships on the Hub,
            consider using the command:
              `{parent_command} list`.
          """),
    }
    parser.add_argument('CLUSTER_NAME', **positional_spec)
    hub_util.AddUnRegisterCommonArgs(parser)
def Args(cls, parser):
    """Register the unregister command's flags on *parser*.

    Adds the CLUSTER_NAME positional (described in terms of the membership
    resource name) and then the shared unregister flags from hub_util.

    Args:
      cls: the command class (not consulted here).
      parser: the argparse-style parser to populate.
    """
    add_flag = parser.add_argument
    add_flag(
        'CLUSTER_NAME',
        type=str,
        help=textwrap.dedent("""\
            The name of the cluster being unregistered. This name corresponds
            to the cluster's membership resource name. To list of all the
            memberships inside your project, consider using the command:
              `{parent_command} clusters list`.
          """),
    )
    hub_util.AddUnRegisterCommonArgs(parser)
def Args(cls, parser):
    """Register the register command's flags on *parser*.

    Adds CLUSTER_NAME, the shared flags from hub_util, the Connect Agent
    install options (manifest output, proxy, version, registry credentials,
    registry) and a required mutually-exclusive credentials choice: either a
    service-account key file or the Workload Identity group. Inside that
    group a nested mutex holds --public-issuer-url, --has-private-issuer and,
    on the ALPHA track only, --manage-workload-identity-bucket.

    Args:
      cls: the command class; its ReleaseTrack() gates the alpha-only flag.
      parser: the argparse-style parser to populate.
    """
    parser.add_argument(
        'CLUSTER_NAME',
        type=str,
        help=textwrap.dedent("""\
            The membership name that you choose to uniquely represents the
            cluster being registered on the Hub.
          """),
    )
    hub_util.AddUnRegisterCommonArgs(parser)
    parser.add_argument(
        '--manifest-output-file',
        type=str,
        help=textwrap.dedent("""\
            The full path of the file into which the Connect Agent installation
            manifest should be stored. If this option is provided, then the
            manifest will be written to this file and will not be deployed into
            the cluster by gcloud, and it will need to be deployed manually.
          """),
    )
    parser.add_argument(
        '--proxy',
        type=str,
        help=textwrap.dedent("""\
            The proxy address in the format of http[s]://{hostname}. The proxy
            must support the HTTP CONNECT method in order for this connection
            to succeed.
          """),
    )
    parser.add_argument(
        '--version',
        type=str,
        hidden=True,
        help=textwrap.dedent("""\
            The version of the Connect Agent to install/upgrade if not using
            the latest connect version.
          """),
    )
    # NOTE(review): per the help text the registry credential file ends up
    # stored in-cluster as a Secret, i.e. it is readable by anyone who can
    # read Secrets in that namespace.
    parser.add_argument(
        DOCKER_CREDENTIAL_FILE_FLAG,
        type=str,
        hidden=True,
        help=textwrap.dedent("""\
            The credentials to be used if a private registry is provided and
            auth is required. The contents of the file will be stored into a
            Secret and referenced from the imagePullSecrets of the Connect
            Agent workload.
          """),
    )
    parser.add_argument(
        '--docker-registry',
        type=str,
        hidden=True,
        help=textwrap.dedent("""\
            The registry to pull GKE Connect Agent image if not using
            gcr.io/gkeconnect.
          """),
    )
    # Exactly one credential source must be chosen: the key file or the
    # Workload Identity group below.
    credentials = parser.add_mutually_exclusive_group(required=True)
    # NOTE(review): the help text states the service account private key is
    # persisted as the ``creds-gcp'' Secret in the gke-connect namespace, so
    # Secret read access on that namespace is equivalent to holding the key —
    # confirm the namespace's access policy matches that.
    credentials.add_argument(
        SERVICE_ACCOUNT_KEY_FILE_FLAG,
        type=str,
        help=textwrap.dedent("""\
            The JSON file of a Google Cloud service account private key. This
            service account key is stored as a secret named ``creds-gcp'' in
            gke-connect namespace.

            To update the ``creds-gcp'' secret in gke-connect namespace with a
            new service account key file, run the following command:

            kubectl delete secret creds-gcp -n gke-connect
            kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
          """),
    )
    # Optional groups with required arguments are "modal,"
    # meaning that if any of the required arguments is specified,
    # all are required.
    workload_identity = credentials.add_group(help='Workload Identity')
    workload_identity.add_argument(
        '--enable-workload-identity',
        required=True,
        action='store_true',
        help=textwrap.dedent("""\
            Enable Workload Identity when registering the cluster with Hub.
            Requires gcloud alpha or beta.
            --service_account_key_file flag should not be set if this is set.
          """),
    )
    # At most one way of telling Hub where the cluster's OIDC issuer lives.
    workload_identity_mutex = workload_identity.add_group(mutex=True)
    # NOTE(review): operator-supplied trust input — per the help text this
    # URL replaces auto-discovery and is what the cluster is registered with.
    workload_identity_mutex.add_argument(
        '--public-issuer-url',
        type=str,
        help=textwrap.dedent("""\
            Skip auto-discovery and register the cluster with this issuer URL.
            Use this option when the OpenID Provider Configuration and
            associated JSON Web Key Set for validating the cluster's service
            account JWTs are served at a public endpoint different from the
            cluster API server. Requires gcloud alpha or beta and
            --enable-workload-identity.
          """),
    )
    # Keep this hidden as it is not used for user-facing workflows and is
    # eliminated in beta.
    if cls.ReleaseTrack() is base.ReleaseTrack.ALPHA:
        workload_identity_mutex.add_argument(
            '--manage-workload-identity-bucket',
            hidden=True,
            action='store_true',
            help=textwrap.dedent("""\
                Create the GCS bucket for serving OIDC discovery information
                when registering the cluster with Hub. The cluster must already
                be configured with an issuer URL of the format:
                https://storage.googleapis.com/gke-issuer-{UUID}. The cluster
                must also serve the built-in OIDC discovery endpoints by
                enabling and correctly configuring the
                ServiceAccountIssuerDiscovery feature. Requires gcloud alpha
                and --enable-workload-identity.

                Mutually exclusive with --public-issuer-url.
              """),
        )
    # NOTE(review): per the help text gcloud reads the issuer URL and JWKS
    # from the cluster's API server and uploads both, and GCP then validates
    # this cluster's tokens against that JWKS — so the uploaded key set is the
    # trust anchor, and the gcloud client's path to the API server matters.
    workload_identity_mutex.add_argument(
        '--has-private-issuer',
        hidden=True,
        action='store_true',
        help=textwrap.dedent("""\
            Set to true for clusters where no publicly-routable OIDC discovery
            endpoint for the Kubernetes service account token issuer exists.

            When set to true, the gcloud command-line tool will read the
            private issuer URL and JSON Web Key Set (JWKS) (public keys) for
            validating service account tokens from the cluster's API server
            and upload both when creating the Membership. GCP will then use
            the JWKS, instead of a public OIDC endpoint, to validate service
            account tokens issued by this cluster.

            Note the JWKS establishes the uniqueness of issuers in this
            configuration, but issuer claims in tokens are still compared to
            the issuer URL associated with the Membership when validating
            tokens.

            Note the cluster's OIDC discovery endpoints
            (https://[KUBE-API-ADDRESS]/.well-known/openid-configuration and
            https://[KUBE-API-ADDRESS]/openid/v1/jwks) must still be
            network-accessible to the gcloud client running this command.
          """),
    )
def Args(cls, parser):
    """Register only the shared unregister flags on *parser*.

    No CLUSTER_NAME positional is added by this command; everything comes
    from hub_util.AddUnRegisterCommonArgs.

    Args:
      cls: the command class (not consulted here).
      parser: the argparse-style parser to populate.
    """
    add_common_flags = hub_util.AddUnRegisterCommonArgs
    add_common_flags(parser)
def Args(cls, parser):
    """Register the register command's flags on *parser*.

    Adds CLUSTER_NAME, the shared flags from hub_util, the required
    service-account key file flag and the Connect agent install options
    (manifest output, proxy, version, registry credentials, registry).

    Args:
      cls: the command class (not consulted here).
      parser: the argparse-style parser to populate.
    """
    parser.add_argument(
        'CLUSTER_NAME',
        type=str,
        help=textwrap.dedent("""\
            The name of the cluster being registered. This name is used to
            represent the cluster membership name in Hub.
          """),
    )
    hub_util.AddUnRegisterCommonArgs(parser)

    # The remaining flags are declared as (name, kwargs) pairs and added in
    # this exact order; presumably the help listing follows registration
    # order, so the sequence is deliberately kept as-is.
    # NOTE(review): both credential-bearing files below are, per their help
    # text, persisted in-cluster as Secrets — the key file as ``creds-gcp'' in
    # gke-connect — so Secret read access there is equivalent to holding them.
    flag_specs = (
        (SERVICE_ACCOUNT_KEY_FILE_FLAG, {
            'type': str,
            'required': True,
            'help': textwrap.dedent("""\
                The JSON file of a Google Cloud service account private key.
                This service account key is stored as a secret named
                ``creds-gcp'' in gke-connect namespace.

                To update the ``creds-gcp'' secret in gke-connect namespace
                with a new service account key file, run the following
                command:

                kubectl delete secret creds-gcp -n gke-connect
                kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
              """),
        }),
        ('--manifest-output-file', {
            'type': str,
            'help': textwrap.dedent("""\
                The full path of the file into which the Connect agent
                installation manifest should be stored. If this option is
                provided, then the manifest will be written to this file and
                will not be deployed into the cluster by gcloud, and it will
                need to be deployed manually.
              """),
        }),
        ('--proxy', {
            'type': str,
            'help': textwrap.dedent("""\
                The proxy address in the format of http[s]://{hostname}. The
                proxy must support the HTTP CONNECT method in order for this
                connection to succeed.
              """),
        }),
        ('--version', {
            'type': str,
            'help': textwrap.dedent("""\
                The version of the connect agent to install/upgrade if not
                using the latest connect version.
              """),
        }),
        (DOCKER_CREDENTIAL_FILE_FLAG, {
            'type': str,
            'hidden': True,
            'help': textwrap.dedent("""\
                The credentials to be used if a private registry is provided
                and auth is required. The contents of the file will be stored
                into a Secret and referenced from the imagePullSecrets of the
                Connect agent workload.
              """),
        }),
        ('--docker-registry', {
            'type': str,
            'hidden': True,
            'help': textwrap.dedent("""\
                The registry to pull GKE Connect agent image if not using
                gcr.io/gkeconnect.
              """),
        }),
    )
    for flag_name, flag_kwargs in flag_specs:
        parser.add_argument(flag_name, **flag_kwargs)
def Args(cls, parser):
    """Register the register command's flags on *parser*.

    Adds CLUSTER_NAME, the shared flags from hub_util, the required
    service-account key file flag, the Connect Agent install options
    (manifest output, proxy, version, registry credentials, registry) and,
    only on the ALPHA track, a hidden Workload Identity group whose two
    flags (--enable-workload-identity, --public-issuer-url) are both
    required within the group.

    Args:
      cls: the command class; its ReleaseTrack() gates the alpha-only group.
      parser: the argparse-style parser to populate.
    """
    dedent = textwrap.dedent
    add_flag = parser.add_argument

    add_flag(
        'CLUSTER_NAME',
        type=str,
        help=dedent("""\
            The membership name that you choose to uniquely represents the
            cluster being registered on the Hub.
          """),
    )
    hub_util.AddUnRegisterCommonArgs(parser)

    # NOTE(review): per the help text the private key is persisted in-cluster
    # as the ``creds-gcp'' Secret in gke-connect, so Secret read access on that
    # namespace is equivalent to holding the key — confirm the namespace's
    # access policy matches that.
    add_flag(
        SERVICE_ACCOUNT_KEY_FILE_FLAG,
        type=str,
        required=True,
        help=dedent("""\
            The JSON file of a Google Cloud service account private key. This
            service account key is stored as a secret named ``creds-gcp'' in
            gke-connect namespace.

            To update the ``creds-gcp'' secret in gke-connect namespace with a
            new service account key file, run the following command:

            kubectl delete secret creds-gcp -n gke-connect
            kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
          """),
    )
    add_flag(
        '--manifest-output-file',
        type=str,
        help=dedent("""\
            The full path of the file into which the Connect Agent installation
            manifest should be stored. If this option is provided, then the
            manifest will be written to this file and will not be deployed into
            the cluster by gcloud, and it will need to be deployed manually.
          """),
    )
    add_flag(
        '--proxy',
        type=str,
        help=dedent("""\
            The proxy address in the format of http[s]://{hostname}. The proxy
            must support the HTTP CONNECT method in order for this connection
            to succeed.
          """),
    )
    add_flag(
        '--version',
        type=str,
        hidden=True,
        help=dedent("""\
            The version of the Connect Agent to install/upgrade if not using
            the latest connect version.
          """),
    )
    # NOTE(review): like the key file, the registry credential file is stored
    # in-cluster as a Secret per its help text.
    add_flag(
        DOCKER_CREDENTIAL_FILE_FLAG,
        type=str,
        hidden=True,
        help=dedent("""\
            The credentials to be used if a private registry is provided and
            auth is required. The contents of the file will be stored into a
            Secret and referenced from the imagePullSecrets of the Connect
            Agent workload.
          """),
    )
    add_flag(
        '--docker-registry',
        type=str,
        hidden=True,
        help=dedent("""\
            The registry to pull GKE Connect Agent image if not using
            gcr.io/gkeconnect.
          """),
    )

    if cls.ReleaseTrack() is not base.ReleaseTrack.ALPHA:
        return

    # Optional groups with required arguments are "modal,"
    # meaning that if any of the required arguments is specified,
    # all are required.
    workload_identity = parser.add_group(help='Workload Identity')
    workload_identity.add_argument(
        '--enable-workload-identity',
        required=True,
        hidden=True,
        action='store_true',
        help=dedent("""\
            Enable Workload Identity when registering the cluster with Hub.
            Requires gcloud alpha.
          """),
    )
    # TODO(b/150696295): Since --public-issuer-url is the only option added
    # so far, it is required. Future CLs add the ability to auto-detect the
    # issuer from some clusters, but this depends on more complex client
    # support so we split those pieces out. Once auto-detection is added,
    # --public-issuer-url will be an optional flag.
    # NOTE(review): operator-supplied trust input — per the help text this
    # URL replaces auto-discovery and is what the cluster is registered with.
    workload_identity.add_argument(
        '--public-issuer-url',
        required=True,
        hidden=True,
        type=str,
        help=dedent("""\
            Skip auto-discovery and register the cluster with this issuer URL.
            Use this option when the OpenID Provider Configuration and
            associated JSON Web Key Set for validating the cluster's service
            account JWTs are served at a public endpoint different from the
            cluster API server. Requires gcloud alpha and
            --enable-workload-identity.
          """),
    )