ԁfdZddlmZddlmZddlmZddlZddlZddlmZ ddl m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlm Z ddl!m"Z"ddl#m$Z$ddl%Z%dZ&dZ'dZ(ejRGddejTZ+y)z?The register command for registering a clusters with the fleet.)absolute_import)division)unicode_literalsN) exceptions) api_adapter)base)flags) agent_util)api_util)exclusivity_util) kube_util) resources)util)gke_util) arg_utils)log) console_io)filesz--service-account-key-filez--docker-credential-filecht|dd}|js|stjddyy)Nenable_workload_identityFz5--enable-workload-identity --service-account-key-fileztOne of (--enable-workload-identity | --service-account-key-file) must be specified for Connect agent authentication.)getattrservice_account_key_filerError)argsrs 3lib/surface/container/fleet/memberships/register.py$_ValidateConnectAgentCredentialFlagsr/sB$T+EuM & &/G   ? > ??0H &c>eZdZdZedZdZdZdZdZ dZ y) Registera7Register a cluster with a fleet. This command registers a cluster with the fleet by: 1. Creating a Fleet Membership resource corresponding to the cluster. 2. Adding in-cluster Kubernetes Resources that make the cluster exclusive to one fleet. 3. Installing the Connect agent into this cluster (optional for GKE). A successful registration implies that the cluster is now exclusive to a single Fleet. If the cluster is already registered to another Fleet, the registration will not be successful. To register a GKE cluster, use `--gke-cluster` or `--gke-uri` flag (no `--kubeconfig` flag is required). Connect agent will not be installed by default for GKE clusters. To install it, specify `--install-connect-agent`. The default value for `--location` is the same as the cluster's region or zone, can be specified as `global`. Anthos clusters on VMware, bare metal, AWS, and Azure are registered with a fleet when the clusters are created. To register Amazon EKS clusters, see [Attach your EKS cluster](https://cloud.google.com/anthos/clusters/docs/multi-cloud/attached/eks/how-to/attach-cluster). To regiser Microsoft Azure clusters, see [Attach your AKS cluster](https://cloud.google.com/anthos/clusters/docs/multi-cloud/attached/aks/how-to/attach-cluster). To register a third-party cluster, use --context flag (with an optional --kubeconfig flag). Connect agent will always be installed for these clusters. If Connect agent is to be installed, its authentication needs to be configured by `--enable-workload-identity` or `--service-account-key-file`. For the latter case, the corresponding service account must have been granted `gkehub.connect` permissions. For more information about Connect agent, go to: https://cloud.google.com/anthos/multicluster-management/connect/overview/ Rerunning this command against the same cluster with the same MEMBERSHIP_NAME and target fleet is successful, and will upgrade the Connect agent if it is supposed to be installed and a newer version is available. Rerunning with `--enable-workload-identity` ensures that Workload Identity is enabled on the cluster. ## EXAMPLES Register a non-GKE cluster referenced from a specific kubeconfig file, and install the Connect agent: $ {command} my-cluster \ --context=my-cluster-context \ --kubeconfig=/home/user/custom_kubeconfig \ --service-account-key-file=/tmp/keyfile.json Register a non-GKE cluster referenced from the default kubeconfig file, and install the Connect agent: $ {command} my-cluster \ --context=my-cluster-context \ --service-account-key-file=/tmp/keyfile.json Register a non-GKE cluster, and install a specific version of the Connect agent: $ {command} my-cluster \ --context=my-cluster-context \ --version=gkeconnect_20190802_02_00 \ --service-account-key-file=/tmp/keyfile.json Register a non-GKE cluster and output a manifest that can be used to install the Connect agent by kubectl: $ {command} my-cluster \ --context=my-cluster-context \ --manifest-output-file=/tmp/manifest.yaml \ --service-account-key-file=/tmp/keyfile.json Register a GKE cluster referenced from a GKE URI: $ {command} my-cluster \ --gke-uri=my-cluster-gke-uri Register a GKE cluster referenced from a GKE URI, and install the Connect agent using service account key file: $ {command} my-cluster \ --gke-uri=my-cluster-gke-uri \ --install-connect-agent \ --service-account-key-file=/tmp/keyfile.json Register a GKE cluster and output a manifest that can be used to install the Connect agent by kubectl: $ {command} my-cluster \ --gke-uri=my-cluster-gke-uri \ --enable-workload-identity \ --install-connect-agent \ --manifest-output-file=/tmp/manifest.yaml Register a GKE cluster first, and install the Connect agent later. $ {command} my-cluster \ --gke-cluster=my-cluster-region-or-zone/my-cluster $ {command} my-cluster \ --gke-cluster=my-cluster-region-or-zone/my-cluster \ --install-connect-agent \ --enable-workload-identity Register a GKE cluster, and install a specific version of the Connect agent: $ {command} my-cluster \ --gke-cluster=my-cluster-region-or-zone/my-cluster \ --install-connect-agent \ --version=20220819-00-00 \ --service-account-key-file=/tmp/keyfile.json Register a GKE cluster and output a manifest that can be used to install the Connect agent: $ {command} my-cluster \ --gke-uri=my-cluster-gke-uri \ --install-connect-agent \ --manifest-output-file=/tmp/manifest.yaml \ --service-account-key-file=/tmp/keyfile.json cDtj|tjdtjdddt j ||j ddtjdd |j d ttjd  |j d ttjd |j dtdtjd|j ttdtjd|j dtdtjd|j ddd|jtjjur*|j ddd|j ddddd|j}|j tttjd |jd }|j d!ddtjd"#|jd$}|j d%ttjd& |j d'dtjd()y)*Nz The membership name that you choose to uniquely represents the cluster being registered in the fleet. z The location for the membership resource, e.g. `us-central1`. If not specified, defaults to `global`. Not supported for GKE clusters, whose membership location will be the location of the cluster. T)membership_help location_helpmembership_required positionalz--install-connect-agent store_truez If set to True for a GKE cluster, Connect agent will be installed in the cluster. No-op for Non-GKE clusters, where Connect agent will always be installed. F)actionhelpdefaultz--manifest-output-fileaC The full path of the file into which the Connect agent installation manifest should be stored. If this option is provided, then the manifest will be written to this file and will not be deployed into the cluster by gcloud, and it will need to be deployed manually. )typer'z--proxyz The proxy address in the format of http[s]://{hostname}. The proxy must support the HTTP CONNECT method in order for this connection to succeed. z --versionz{ The version of the Connect agent to install/upgrade if not using the latest connect version. )r)hiddenr'z The credentials to be used if a private registry is provided and auth is required. The contents of the file will be stored into a Secret and referenced from the imagePullSecrets of the Connect agent workload. z--docker-registryz_ The registry to pull GKE Connect agent image if not using gcr.io/gkeconnect. z --internal-ipz?Whether to use the internal IP address of the cluster endpoint.)r'r&z--cross-connect-subnetworkz;full path of cross connect subnet whose endpoint to persist)r*r'z--private-endpoint-fqdnz#whether to persist the private fqdn)r'r*r(r&a The JSON file of a Google Cloud service account private key. This service account key is stored as a secret named ``creds-gcp'' in gke-connect namespace. To update the ``creds-gcp'' secret in gke-connect namespace with a new service account key file, run the following command: kubectl delete secret creds-gcp -n gke-connect kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file zWorkload Identity)r'z--enable-workload-identitya Enable Workload Identity when registering the cluster with a fleet. Ensure that GKE Workload Identity is enabled on your GKE cluster, it is a requirement for using Workload Identity with memberships. Refer to the `Enable GKE Workload Identity` section in https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable --service_account_key_file flag should not be set if this is set. )requiredr&r')mutexz--public-issuer-urlat Skip auto-discovery and register the cluster with this issuer URL. Use this option when the OpenID Provider Configuration and associated JSON Web Key Set for validating the cluster's service account JWTs are served at a public endpoint different from the cluster API server. Requires --enable-workload-identity. z--has-private-issueraE Set to true for clusters where no publicly-routable OIDC discovery endpoint for the Kubernetes service account token issuer exists. When set to true, the gcloud command-line tool will read the private issuer URL and JSON Web Key Set (JWKS) (public keys) for validating service account tokens from the cluster's API server and upload both when creating the Membership. Google Cloud Platform will then use the JWKS, instead of a public OIDC endpoint, to validate service account tokens issued by this cluster. Note the JWKS establishes the uniqueness of issuers in this configuration, but issuer claims in tokens are still compared to the issuer URL associated with the Membership when validating tokens. Note the cluster's OIDC discovery endpoints (https://[KUBE-API-ADDRESS]/.well-known/openid-configuration and https://[KUBE-API-ADDRESS]/openid/v1/jwks) must still be network-accessible to the gcloud client running this command. )r&r')rAddMembershipResourceArgtextwrapdedenthub_utilAddClusterConnectionCommonArgs add_argumentstrDOCKER_CREDENTIAL_FILE_FLAG ReleaseTrackrGAadd_mutually_exclusive_groupSERVICE_ACCOUNT_KEY_FILE_FLAG add_group)clsparser credentialsworkload_identityworkload_identity_mutexs rArgsz Register.Argss && )  oo'  !  ++F3 ! __     __    __   __  #  __     __   N !2!2!5!55  &LN  #4  557K%  __  &$--3F-G""$ __ # 0999E((  __) (( __)rctj|dd}|jtjjus*|jtjj urt jd}nt jd}d}|jr |j}n*tj|rtj|}tj|jd|jd \}}|jd }|r(|r&|jd stjd |r&|jd s|j!|||||St#|t%j&|t)|ddt)|ddt)|d dt)|ddt)|ddt)|ddt)|ddt)|ddt)|dd 5}|j+t%j,|||jtjj.urt1j2|t%j4|} d} |j6r tj8|j6} d} |j@rJ t;jBt;jD|j@} tGjH| d} |jLjN}d}d}|jPr|jRxs|jLjTxsd} tGjH|jW|d}t[j\|j_d}|s$tjdj=||r*||k7r%tjdj=|||j`r|jc}d}tejf||}tejh||| }|jk||jl}t%jn|}|rd}n|jl}tejh|||jl} |jq|||tejr||jl||| |j||| }|ju|||ra|jr|rt|r |jrf|jr|jj|k7s@|r|jjr|jjjd|k7rtjtj||||jld" tej||d#|j||$|ju||tjjd%j=||jlnktjd'j=||jld"n9tjjd(j=||jl tj||| | ||jtjjd*j=|jl|cdddS#t:j$r.} tjdj=t>| d} ~ wwxYw#t:j$r.} tjdj=tJ| d} ~ wwxYw#tX$r)} tjdj=| d} ~ wwxYw#tvjx$r} t{j|| }|j~dk7rtej||j}|js$tjd j=||j| k7r$tjd!j=|d}Yd} ~ d} ~ wwxYw#tX$r*} tjd&j=|| d} ~ wwxYw#tX$ro} tjjd)j=| |s9tej||jtj|d} ~ wwxYw#1swYyxYw)+Nz --projectT) use_defaultsv1beta1v1globalgke_uri gke_cluster)rErFmanifest_output_fileinstall_connect_agentzfFor GKE clusters, "manifest-output-file" should be specified together with "install-connect-agent". kubeconfig internal_ipFcross_connect_subnetworkprivate_endpoint_fqdncontextpublic_issuer_urlr) rrErFrIrJrKrLrMrNrzCould not process {}: {}zutf-8)encoding) issuer_urlz3Error getting the OpenID Provider Configuration: {}issuerz)Invalid OpenID Config: missing issuer: {}zI--public-issuer-url {} did not match issuer returned in discovery doc: {}ALREADY_EXISTSaainvalid membership {0} does not have external_id field set. We cannot determine if registration is requested against a valid existing Membership. Consult the documentation on container fleet memberships update for more information or run gcloud container fleet memberships delete {0} if you are sure that this is an invalid or otherwise stale Membershipzmembership {0} already exists in the project with another cluster. If this operation is intended, please run `gcloud container fleet memberships delete {0}` and register again.)message cancel_on_no authority)rQ oidc_jwksz0Updated the membership [{}] for the cluster [{}]z(Error in updating the membership [{}]:{}zA membership [{}] for the cluster [{}] already exists. Continuing will reinstall the Connect agent deployment to use a new image (if one is available).z2Created a new membership [{}] for the cluster [{}]z)Error in installing the Connect agent: {}z5Finished registering the cluster [{}] with the fleet.)RrGetFromNamespacer5rBETAALPHAgke_api_adapter NewAPIAdapterlocationr0LocationFromGKEArgsrGetGKEClusterResoureLinkAndURIGetValuerr_RegisterGKEWithoutConnectAgentrr KubernetesClientrCheckClusterAdminPermissionsValidateClusterIdentifierFlagsr6r VerifyGetCredentialsFlagsGetClusterUUIDrBase64EncodedFileContentsrformatr8docker_credential_fileReadBinaryFileContents ExpandHomeDirsix ensure_strr4 processorgke_cluster_self_linkrrNgke_cluster_uriGetOpenIDConfiguration Exceptionjsonloadsgethas_private_issuerGetOpenIDKeysetr ParentRef MembershipRef_CheckMembershipWithUUIDMEMBERSHIP_NAMEGetClusterServerVersion_VerifyClusterExclusivityCreateMembership$_InstallOrUpdateExclusivityArtifactsapitools_exceptionsHttpConflictErrorcore_api_exceptionsHttpErrorPayloadstatus_description GetMembership externalIdrVrRoidcJwksdecoderPromptContinueGenerateWIUpdateMsgStringUpdateMembershiprstatusPrintr DeployConnectAgentDeleteMembershipr DeleteMembershipResources)selfrprojectrr]gke_cluster_resource_linkrp manifest_path kube_clientuuidservice_account_key_dataedocker_credential_data file_contentrorQprivate_keyset_jsonrNopenid_config_jsonalready_existsparent resource_nameobjapi_server_version membership_iderrors rRunz Register.RunVsp(({NG d//4448I8I9   9!#11)#  3 3K O> ]]:  ]]}}##z1"s}}'='= &&--g6:MM  # #88z=$2F2FH ! '  % %!!#%-  /  5 5k6C E JJ  BII!4#7#79 :  # #117 8<8L8L2N  !  @ G Gt33 5 6 %%k4&>&{{ 1  !;!B!B+Q"01 1 1{{ /  !;!B!B)1"./ / /*   6!9  h#44 %66q9%  % %)9 9 &&}d6G6G6IJ#""-.4VM-B D D^^t #""  . 0 0 .5 P '"":AA!1&' ' '. DKKANO  # #M43D3D3F G  4 4[ A e  sB e\.e=A ]Ae'^ $^99^>>eb B.beb  e c%b>>ce d>A*d99d>>ee c bd} tj||j}t|dra|j|k7rRt j dj|j|tj|j||S#tj$rY|SwxYw)aChecks for an existing Membership with UUID. In the past, by default we used Cluster UUID to create a membership. Now we use user supplied membership_name. This check ensures that we don't reregister a cluster. Args: resource_name: The full membership resource name using the cluster uuid. membership_name: User supplied membership_name. Returns: The Membership resource or None. Raises: exceptions.Error: If it fails to getMembership. N descriptionzThere is an existing membership, [{}], that conflicts with [{}]. Please delete it before continuing: gcloud {}container fleet memberships delete {}) r rr5hasattrrrrrhr0ReleaseTrackCommandPrefixrHttpNotFoundError)rrmembership_namers rrzz!Register._CheckMembershipWithUUID_s" C  " "=$2C2C2E Fc #} %#//_*L  ??Ev2243D3D3FG@   J  0 0  J  sBBB.-B.c2d}|jr|j}tj||||j }|j j r9tjdj||j jy)aVerifies that the cluster can be registered to the project. Args: kube_client: a KubernetesClient parent: the parent collection the user is attempting to register the cluster with. membership_id: the ID of the membership to be created for the cluster. Raises: apitools.base.py.HttpError: if the API request returns an HTTP error. exceptions.Error: if the cluster is in an invalid exclusivity state. rOzError validating cluster's exclusivity state with the Fleet under parent collection [{}]: {}. Cannot proceed with the cluster registration.N) MembershipCRDExistsGetMembershipCRr ValidateExclusivityr5rcoderrrhrT)rrrr cr_manifestress rr}z"Register._VerifyClusterExclusivitysK&&(//1k  & &{FM'+'8'8': e  ! !%5 5 ,,Wh-1-A-ACm  " "=$2C2C2E Fc  - -1J J  fs||66CC 3==#7#7:#E 2''$ )' $ 1 1 3 5jjBIIll--::<= 2$$=DD#Z122 2  VMLL33@@B C CG(Cs>6A))I;=DI6A5G76I67 H*%H%%H**AI66I;N) __name__ __module__ __qualname____doc__ classmethodr?rrzr}rrarrrr8s=||[[zGR%N+:A*=rr),r __future__rrrrsr.apitools.base.pyrr googlecloudsdk.api_lib.containerrr[googlecloudsdk.api_lib.utilrgooglecloudsdk.callioper$googlecloudsdk.command_lib.containerr *googlecloudsdk.command_lib.container.fleetr r r r rrr06googlecloudsdk.command_lib.container.fleet.membershipsr$googlecloudsdk.command_lib.util.apisrgooglecloudsdk.corergooglecloudsdk.core.consolergooglecloudsdk.core.utilrrlr8r4rDefaultUniverseOnly CreateCommandrrrrrsF&' >KI(6A?G@@GK:*#2* <8?| t!!| | r