gcloud configuration - ghdrako/doc_snipets GitHub Wiki
Procedura instalacji i konfiguracji gcloud na VM
- Instalacja
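# update-ca.sh is only made executable here; the notes never show it being run.
# Presumably it copies the organisation's root CA under
# /usr/local/share/ca-certificates/ — TODO confirm, and run it before
# update-ca-certificates, which is the step that actually rebuilds the trust store.
chmod u+x update-ca.sh
sudo update-ca-certificates
sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo
# Internal Artifactory mirror of the Google Cloud apt repo, pinned with signed-by
# to the keyring written below. Plain `tee` (not `tee -a`): the appending form in
# the notes added a duplicate line to the list file on every re-run.
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://artifactory.pkobp.pl/google-cloud-deb cloud-sdk main" | sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list
# Repo signing key. -f makes curl fail on an HTTP error instead of piping the
# error page into the keyring; -sS stays quiet except for real errors. The notes
# recorded two different URLs for the key (…/google-cloud-debdoc/… and
# …/google-cloud-deb/doc/…) — only one of them is the live path, keep that one.
curl -fsS https://artifactory.pkobp.pl/google-cloud-debdoc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg >/dev/null
curl -fsS https://artifactory.pkobp.pl/google-cloud-deb/doc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg >/dev/null
# Instead of dumping the raw key to the terminal, list what was fetched and
# compare the fingerprint with the one Google publishes before trusting it
# (the mirror, not Google, served this key).
gpg --show-keys /usr/share/keyrings/cloud.google.gpg
# One package-list refresh is enough for all three packages.
sudo apt-get update && sudo apt-get install google-cloud-cli kubectl gke-gcloud-auth-plugin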
- Konfiguracja
# Environment-variable form of the proxy. The first three lines enable it for
# every program started from this shell; the last line reverts it — run
# whichever half you need, not both (the gcloud-side proxy settings are the
# preferred, persistent alternative).
HTTPS_PROXY=http://proxy.pkobp.pl:9090
HTTP_PROXY=http://proxy.pkobp.pl:9090
export HTTPS_PROXY HTTP_PROXY
unset -v HTTP_PROXY HTTPS_PROXY
lub lepiej – zapisać proxy w konfiguracji samego gcloud:
# Proxy settings stored in the active gcloud configuration (they survive a new
# shell, unlike HTTP(S)_PROXY exports). custom_ca_certs_file is the bundle that
# makes gcloud trust the chain presented through the proxy — keep that file
# root-owned and read-only so nobody can swap it for a different CA.
for setting in \
  proxy/type=http \
  proxy/address=proxy.pkobp.pl \
  proxy/port=9090 \
  core/custom_ca_certs_file=/usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
do
  gcloud config set "${setting%%=*}" "${setting#*=}"
done
- Ustawić proxy w Firefox
- Wgrać root CA organizacji do zaufanych certyfikatów
- Pobranie bundla certyfikatów cloud-google-com-łańcuch.pem
Certyfikat można również pobrać, wchodząc na stronę https://cloud.google.com/ w przeglądarce Firefox: kliknąć w kłódkę → Wyświetl informacje o połączeniu → Więcej informacji → zakładka Bezpieczeństwo → Wyświetl certyfikat → w nowo otwartej karcie odszukać PEM (łańcuch) i pobrać plik. Jeśli ruch idzie przez proxy z inspekcją TLS, pobrany w ten sposób łańcuch jest łańcuchem proxy, a nie Google – i właśnie dlatego gcloud musi mu ufać.
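# CA bundle that gcloud's Python HTTP libraries (httplib2 / requests, each with
# its own variable) must trust when traffic goes through the intercepting proxy.
# Exported BEFORE init/login: the notes listed these exports after the login
# commands, but an environment variable only reaches processes started after it
# is set, so a login in that order still used the default bundle.
export HTTPLIB2_CA_CERTS=/usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
# kubectl obtains GKE tokens via the external gke-gcloud-auth-plugin.
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
gcloud init
# Pick ONE of the two login forms. --no-browser is for a VM without a browser:
# it prints a command to run on a machine that has one and expects that
# command's output pasted back — the pasted text is a credential, treat it as
# a password.
gcloud auth login
gcloud auth login --no-browser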
- Konfiguracja kubectl
# Fetches the cluster endpoint and CA and writes a context into ~/.kube/config.
gcloud container clusters get-credentials c1-lab --project=lab --zone=europe-west3-a
Podmienić IP endpointu klastra na #1
# Diagnostic only: this flag switches off verification of the API server's
# certificate, so anything on the path (proxy, swapped endpoint) could
# impersonate the cluster and receive the bearer token. Do not persist it in
# .kube/config — fix the CA entry (certificate-authority / -data) instead.
kubectl get nodes --insecure-skip-tls-verify=true
Ustawienie insecure-skip-tls-verify=true w .kube/config powoduje błąd:
error: specifying a root certificates file with the insecure flag is not allowed
A uruchomienie bez tej flagi (w poleceniu i w configu) kończy się błędem: failed to verify certificate...
Luźne zapiski
$ cat gcloud_env.sh
# gcloud_env.sh — CA bundle for gcloud's Python HTTP libraries (requests reads
# REQUESTS_CA_BUNDLE, httplib2 reads HTTPLIB2_CA_CERTS). Candidates that were
# tried earlier and left commented out in the notes, kept here for reference:
#   /usr/share/ca-certificates/extra/pko_root_ca.crt
#   /usr/share/ca-certificates/extra/PKOBP_rootca.crt
#   /usr/share/ca-certificates/extra/cert5.crt
#   ''  (empty; the notes had a typo `==''` there, which would have set the
#        value to a literal "=")
# The current bundle, assigned once and reused for both variables:
gcloud_ca_bundle=/usr/share/ca-certificates/extra/root_ca.crt
export REQUESTS_CA_BUNDLE="$gcloud_ca_bundle"
export HTTPLIB2_CA_CERTS="$gcloud_ca_bundle"
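gcloud init
# Quote the expansion and fail early when the variable is unset: an empty,
# unquoted value would otherwise reach gcloud as a missing argument.
gcloud config set project "${MY_PROJECT_ID:?MY_PROJECT_ID is not set}"
gcloud auth login
# As written in the notes the next line only sets a shell variable: without
# `export` (or being placed on the same line as the command, as below) gcloud
# never sees it. Kept as found — decide which CA file is current and either
# export it or prefix it to the command.
REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/pko_root_ca.crt
# One-shot override: the variable applies to this gcloud invocation only.
HTTPLIB2_CA_CERTS=/usr/local/share/ca-certificates/pkobp/PKOBP_RootCA.crt gcloud init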
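# Show the chain actually presented on the wire (through an intercepting proxy
# this is the proxy's chain, not the site's); -verify 5 prints the verify result.
openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null
# Example copied from a StackExchange answer: verify a leaf against an
# untrusted intermediate. dc-sha2.crt / se.crt are that example's files.
openssl verify -show_chain -untrusted dc-sha2.crt se.crt
# Split the presented chain into cert1.pem, cert2.pem, ... (one file per
# BEGIN/END block, in the order the server sent them).
openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'
# Convert every split PEM to DER. The notes listed cert1..cert5 by hand and
# misspelled the first output as cert1.crte; the glob also copes with chains of
# any length. NOTE(review): update-ca-certificates and REQUESTS_CA_BUNDLE both
# expect PEM — if these DER .crt files were the ones tried as CA bundles in
# gcloud_env.sh, that would explain the failed attempts; use -outform pem (or
# the .pem files directly) for that purpose. Before trusting any of them,
# compare the root's fingerprint with the organisation's published root CA.
for pem in cert[0-9]*.pem; do
  [ -e "$pem" ] || continue
  openssl x509 -outform der -in "$pem" -out "${pem%.pem}.crt"
done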
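# Logging in to the VM
gcloud compute ssh acp-vm --project lab-biz-acp-gcp-pr --zone europe-west3-a
# Explicit user and key. The notes had a relative key path (.ssh/...), which
# only resolves when run from $HOME; anchored to $HOME so it works from any
# directory.
gcloud compute ssh N1402431@acp-vm --project lab-biz-acp-gcp-pr --zone europe-west3-a --ssh-key-file "$HOME/.ssh/google_compute_engine"
gcloud compute instances list
# Writes Host entries for the instances into ~/.ssh/config so plain ssh works.
gcloud compute config-ssh
gcloud compute ssh acp-vm --internal-ip
gcloud compute firewall-rules list
gcloud config list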
# Proxy for gcloud (same values as in the configuration section above, kept
# here as a quick copy). Stored in the active gcloud configuration, not the
# shell environment.
while read -r property value; do
  gcloud config set "$property" "$value"
done <<'EOF'
proxy/type http
proxy/address proxy.pkobp.pl
proxy/port 9090
EOF
# Direct connection to the database on its private address. sslmode=disable
# sends the password and every query in cleartext; unless the socket already
# runs inside an encrypted tunnel, use sslmode=verify-full with
# sslrootcert=<PATH-TO-CA>.
psql "hostaddr=10.223.208.5 dbname=postgres user=postgres sslmode=disable"
# scp between the workstation and instances (gcloud resolves the instance name;
# the remote side is written instance:path)
gcloud compute scp ./cloud-sql-proxy.service acp-vm:~/
# --recurse copies a directory tree: VM → local, then local → VM
gcloud compute scp example-instance:~/narnia ~/wardrobe --recurse
gcloud compute scp ~/wardrobe example-instance:~/narnia --recurse
# TCP port forwarding through an IAP tunnel
# https://cloud.google.com/iap/docs/using-tcp-forwarding#gcloud
# Not intended for bulk data transfer; IAP disconnects the session after
# 1 hour of inactivity.
# Generic form (placeholders in CAPS):
gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT --local-host-port=localhost:LOCAL_PORT --zone=ZONE
# Postgres on acp-vm exposed as localhost:5432. Binding to localhost keeps the
# forwarded port off the workstation's other interfaces — keep it that way.
gcloud compute start-iap-tunnel acp-vm 5432 --local-host-port=localhost:5432 --project lab-biz-acp-gcp-pr --zone europe-west3-a
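# Connecting kubectl: authenticate gcloud as the deployer service account.
# The JSON key is a long-lived credential equivalent to that account's
# password: keep it mode 0600 on a local, non-shared disk (/media/sf_Shared
# looks like a VirtualBox shared folder, so the key would be readable from the
# host as well — confirm) and prefer short-lived credentials (impersonation /
# workload identity) where the workflow allows it.
gcloud auth activate-service-account pko-sa-anthos-deployer@lab-biz-acp-gcp-pr.iam.gserviceaccount.com --key-file=/media/sf_Shared/dostep-kube/lab-biz-acp-gcp-pr-9f6f8af48fda.json
gcloud compute instances list
# Two ways to reach a VM without a public IP: over the internal network or
# through an IAP tunnel.
gcloud compute ssh acp-vm --project lab-biz-acp-gcp-pr --zone europe-west3-a --internal-ip
gcloud compute ssh acp-vm --project lab-biz-acp-gcp-pr --zone europe-west3-a --tunnel-through-iap
# Public endpoint of a private cluster (documentation template: fill in the
# bracketed values and pass either --zone or --region). The notes were missing
# the closing quote of --format, which left the shell waiting for more input.
gcloud container clusters describe [CLUSTER-NAME] --zone=[ZONE] --format="get(privateClusterConfig.publicEndpoint)"
gcloud beta compute ssh --zone "europe-west3-a" akepka@acp-vm --tunnel-through-iap --project "lab-biz-acp-gcp-pr"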