gcloud configuration - ghdrako/doc_snipets GitHub Wiki

Procedura gcloud na vm

  1. Instalacja
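# Installation from the corporate mirror of the Google Cloud apt repository.
# update-ca.sh is not on this page; presumably it drops the corporate root CA into
# /usr/local/share/ca-certificates so that update-ca-certificates picks it up — TODO confirm.
chmod u+x update-ca.sh
sudo update-ca-certificates
sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo
# Repository entry pinned to the keyring written below. `tee -a` appends, so re-running this
# step duplicates the line in the sources file.
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://artifactory.pkobp.pl/google-cloud-deb cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
# -f makes curl exit non-zero on an HTTP error instead of piping an error page into the keyring
# (tee still truncates the target in that case, so check ${PIPESTATUS[0]} or re-run); -sS keeps
# the transfer quiet but still prints errors. The two key URLs differ (google-cloud-debdoc vs
# google-cloud-deb/doc); presumably only one of them is the valid path — TODO confirm.
# Whichever one is used, compare the key's fingerprint (`gpg --show-keys /usr/share/keyrings/cloud.google.gpg`)
# with the one the vendor publishes before the first `apt-get update` starts trusting it.
curl -fsS https://artifactory.pkobp.pl/google-cloud-debdoc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg
# Same URL without the redirect to a file: prints the key so it can be inspected.
curl -fsS https://artifactory.pkobp.pl/google-cloud-debdoc/apt-key.gpg
curl -fsS https://artifactory.pkobp.pl/google-cloud-deb/doc/apt-key.gpg | sudo tee /usr/share/keyrings/cloud.google.gpg
# One index refresh, then all three packages (same repository) in a single install.
sudo apt-get update && sudo apt-get install google-cloud-cli kubectl gke-gcloud-auth-plugin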
  1. Konfiguracja
# Route HTTP(S) through the corporate proxy for every tool that honours these variables
# (gcloud does). No NO_PROXY is set here, so internal destinations are also sent to the proxy
# — TODO confirm that is intended.
export HTTPS_PROXY=http://proxy.pkobp.pl:9090
export HTTP_PROXY=http://proxy.pkobp.pl:9090

# Undo the above; the gcloud-side proxy settings that follow ("lub lepiej" = "or better")
# are the preferred alternative.
unset HTTP_PROXY
unset HTTPS_PROXY

lub lepiej

# Proxy kept in gcloud's own configuration: persists across shell sessions and affects only gcloud.
gcloud config set proxy/type http
gcloud config set proxy/address proxy.pkobp.pl
gcloud config set proxy/port 9090
# Custom CA bundle for gcloud. Per gcloud's help text it is used instead of, not in addition to,
# the bundled roots — verify — so it has to contain the whole chain the intercepting proxy
# presents. The "ł" in the filename is intentional (same file is referenced further down).
gcloud config set core/custom_ca_certs_file /usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
  • Ustawic proxy w firefox
  • Wgrac root ca organizacji do zaufanych certow
  1. Pobranie bundla cert cloud-google-com-łańcuch.pem
certyfikat można również pobrać wchodząc na stronę https://cloud.google.com/ przez przeglądarkę Firefox: kliknąć w kłódkę → Wyświetl informacje o połączeniu → Więcej informacji → zakładka Bezpieczeństwo → Wyświetl certyfikat → w nowo otwartej karcie odszukać PEM (łańcuch) i pobrać łańcuch certyfikatów.
# Interactive first-time setup and login. --no-browser is for a headless VM: gcloud prints a
# command to run on a machine that has a browser and the resulting code is pasted back.
gcloud init
gcloud auth login
gcloud auth login --no-browser
# Point the HTTP libraries gcloud ships (httplib2, requests) at the corporate chain so the
# intercepting proxy's certificates validate. Both variables expect a PEM bundle; the path is
# the same file configured via core/custom_ca_certs_file above.
export HTTPLIB2_CA_CERTS=/usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/pkobp/cloud-google-com-łańcuch.pem
# kubectl obtains GKE credentials through the separately installed gke-gcloud-auth-plugin.
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
  1. Konfiguracja kubectl
# Writes a kubeconfig context for cluster c1-lab (project lab, zone europe-west3-a). The
# endpoint it records is presumably the one the note below says to swap ("#1") — confirm.
gcloud container clusters get-credentials c1-lab --zone europe-west3-a --project lab

Podmienic ip endpointu klastra na #1

# Turns off verification of the API server certificate for this single call (the intercepting
# proxy presents a certificate kubectl does not trust). Anything on the path can then impersonate
# the cluster, so keep this to diagnostics; the durable fix is to trust the proxy's chain via
# certificate-authority(-data) in the kubeconfig. Note that kubectl refuses the insecure flag when
# the kubeconfig also carries a CA file (see the error quoted below).
kubectl --insecure-skip-tls-verify=true get nodes

Ustawienie insecure-skip-tls-verify=true w .kube/config powoduje blad

error: specifying a root certificates file with the insecure flag is not allowed

A uruchomienie bez tej flagi (ani w poleceniu, ani w configu) kończy się błędem: failed to verify certificate...

luzne zapisy

$ cat gcloud_env.sh
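# gcloud_env.sh — CA bundle and project setup for gcloud behind the corporate proxy.
# Earlier attempts kept for reference: single root CAs, one extracted chain member (cert5), and an
# empty value.
#export REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/pko_root_ca.crt
#export REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/PKOBP_rootca.crt
#export HTTPLIB2_CA_CERTS=/usr/share/ca-certificates/extra/pko_root_ca.crt
#export HTTPLIB2_CA_CERTS=/usr/share/ca-certificates/extra/PKOBP_rootca.crt
#export REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/cert5.crt
#export HTTPLIB2_CA_CERTS=/usr/share/ca-certificates/extra/cert5.crt
#export REQUESTS_CA_BUNDLE=''
#export HTTPLIB2_CA_CERTS=''

# Both libraries gcloud uses read a PEM bundle from these variables (a DER-encoded .crt will not load).
export REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/root_ca.crt
export HTTPLIB2_CA_CERTS=/usr/share/ca-certificates/extra/root_ca.crt
gcloud init
# MY_PROJECT_ID must already be set in the environment; quoted so an empty or odd value is
# passed through verbatim rather than word-split.
gcloud config set project "$MY_PROJECT_ID"
gcloud auth login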
 # A bare assignment only sets a shell variable; without `export` (or a per-command prefix as on
 # the gcloud init line below) child processes such as gcloud never see it.
 REQUESTS_CA_BUNDLE=/usr/share/ca-certificates/extra/pko_root_ca.crt
 
 # Per-command environment: the bundle applies to this gcloud invocation only.
 HTTPLIB2_CA_CERTS=/usr/local/share/ca-certificates/pkobp/PKOBP_RootCA.crt gcloud init
 
 # Shows the chain actually presented on the wire (behind an intercepting proxy that is the proxy's
 # chain, which is presumably the point of the check); </dev/null ends the session right after the
 # handshake. -verify 5 caps the chain depth openssl will try to build.
 openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null
 
 # Verifies se.crt against the system trust store, treating dc-sha2.crt as an untrusted intermediate.
 openssl verify -show_chain -untrusted dc-sha2.crt se.crt 
 
 # Splits every PEM block of the presented chain into cert1.pem, cert2.pem, ... in presentation order.
 openssl s_client -showcerts -verify 5 -connect stackexchange.com:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}' 

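# Convert the extracted chain members cert1..cert5 from PEM to DER. NOTE(review): Debian's
# update-ca-certificates and the REQUESTS_CA_BUNDLE / HTTPLIB2_CA_CERTS variables used elsewhere in
# these notes expect PEM, so the DER .crt files are not usable there as-is — keep the .pem files for
# those and confirm what the DER copies are for.
for i in 1 2 3 4 5; do
  openssl x509 -outform der -in "cert${i}.pem" -out "cert${i}.crt"
done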

# Login (SSH to the VM)
# No user given: gcloud uses the local username and its own key pair (~/.ssh/google_compute_engine).
gcloud compute ssh  acp-vm  --project lab-biz-acp-gcp-pr --zone europe-west3-a

# Explicit login user and key file. The key path is relative, so it resolves against the current
# working directory, not $HOME.
gcloud compute ssh  N1402431@acp-vm  --project lab-biz-acp-gcp-pr --zone europe-west3-a --ssh-key-file=.ssh/google_compute_engine

gcloud compute instances list 
# Writes Host entries for the project's instances into ~/.ssh/config so plain ssh/scp work.
gcloud compute config-ssh
# Connects to the VM's internal address; only works from a network that can reach the VPC
# (VPN/peering), but needs no external IP on the VM.
gcloud compute ssh  acp-vm --internal-ip

gcloud compute firewall-rules list

gcloud config list

# Proxy setup (same three settings as in the configuration section above; stored in gcloud's
# config, so no HTTP(S)_PROXY environment variables are needed for gcloud itself)
gcloud config set proxy/type http
gcloud config set proxy/address proxy.pkobp.pl
gcloud config set proxy/port 9090


# sslmode=disable sends the password and all query traffic in clear text to 10.223.208.5. That is
# only acceptable inside a tunnel (see the start-iap-tunnel example below, which exposes the DB on
# localhost:5432); over a shared network use sslmode=require, or verify-full with the server's CA.
psql "sslmode=disable dbname=postgres user=postgres hostaddr=10.223.208.5"


# SCP between the GCP VM and the local host (scp semantics: source first, destination second)

# local -> VM: copies the unit file into acp-vm's home directory
gcloud compute scp cloud-sql-proxy.service acp-vm:~/

# VM -> local: recursive copy of ~/narnia on the instance into ~/wardrobe locally
gcloud compute scp --recurse example-instance:~/narnia ~/wardrobe

# local -> VM: the reverse direction of the line above
gcloud compute scp --recurse ~/wardrobe example-instance:~/narnia 


# port forwarding in tunnel
# https://cloud.google.com/iap/docs/using-tcp-forwarding#gcloud
# IAP's TCP forwarding feature isn't intended for bulk transfer of data.
# IAP automatically disconnects sessions after 1 hour of inactivity.
# The client end is bound to localhost, so only processes on this machine can use the tunnel. The
# VM needs no public IP, but its firewall must allow INSTANCE_PORT from IAP's TCP-forwarding source
# range (35.235.240.0/20 in the doc above) — scope the rule to that range, not 0.0.0.0/0.


gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
    --local-host-port=localhost:LOCAL_PORT \
    --zone=ZONE
# Concrete case: Postgres on acp-vm becomes reachable as localhost:5432 (pairs with the psql line above).
gcloud compute start-iap-tunnel  acp-vm 5432  --project lab-biz-acp-gcp-pr --zone europe-west3-a  --local-host-port=localhost:5432

# for connecting kubectl

# Activates a service account from a downloaded JSON key. The key is a long-lived credential
# carrying the account's full permissions, and here it lives on what looks like a VirtualBox shared
# folder (/media/sf_Shared) readable from the host — keep it off shared mounts, chmod 0600, rotate
# it, and prefer short-lived credentials (impersonation / workload identity) where the setup allows.
gcloud auth activate-service-account pko-sa-anthos-deployer@lab-biz-acp-gcp-pr.iam.gserviceaccount.com --key-file=/media/sf_Shared/dostep-kube/lab-biz-acp-gcp-pr-9f6f8af48fda.json
gcloud compute instances list
# Two ways onto the VM without its external IP: through the VPC (--internal-ip) or through IAP
# (--tunnel-through-iap, no VPN needed).
gcloud compute ssh  acp-vm  --project lab-biz-acp-gcp-pr --zone europe-west3-a --internal-ip
gcloud compute ssh  acp-vm  --project lab-biz-acp-gcp-pr --zone europe-west3-a --tunnel-through-iap

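# Template copied from the docs: use --zone=[ZONE] for a zonal cluster or --region=[REGION] for a
# regional one, never both. The "|" in the docs marks that alternative and is not a shell pipe; the
# original one-liner also left the --format string unterminated. Prints the control-plane public endpoint.
gcloud container clusters describe [CLUSTER-NAME] --zone=[ZONE] \
  --format="get(privateClusterConfig.publicEndpoint)"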


# Same IAP-tunnelled SSH as above via the beta track, with an explicit login user.
gcloud beta compute ssh --zone "europe-west3-a" akepka@acp-vm --tunnel-through-iap --project "lab-biz-acp-gcp-pr"