Running Porch on GKE

You can install Porch by either using one of the released versions, or building Porch from sources.

Prerequisites

To run one of the released versions of Porch on GKE, you will need:

To build and run Porch on GKE, you will also need:

Getting Started

Make sure your gcloud is configured with your project (alternatively, you can augment all following gcloud commands below with --project flag):

gcloud config set project YOUR_GCP_PROJECT

Select a GKE cluster or create a new one:

gcloud services enable container.googleapis.com
gcloud container clusters create-auto --region us-central1 porch-dev

Run Released Version of Porch

To run a released version of Porch, download the release config bundle from Porch release page.

Untar and apply the deployment-blueprint.tar.gz config bundle. This will install:

mkdir porch-install
tar xzf ~/Downloads/deployment-blueprint.tar.gz -C porch-install
kubectl apply -f porch-install
kubectl wait deployment --for=condition=Available porch-server -n porch-system

You can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch

Expected output will include:

repositories                                   config.porch.kpt.dev/v1alpha1          true         Repository
functions                                      porch.kpt.dev/v1alpha1                 true         Function
packagerevisionresources                       porch.kpt.dev/v1alpha1                 true         PackageRevisionResources
packagerevisions                               porch.kpt.dev/v1alpha1                 true         PackageRevision

To install ConfigSync:

echo "
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  enableMultiRepo: true
" | kubectl apply -f -

Run Custom Build of Porch

To run custom build of Porch, you will need additional prerequisites. The commands below use Google Container Registry.

Clone this repository into ${GOPATH}/src/github.com/GoogleContainerTools/kpt.

git clone https://github.com/GoogleContainerTools/kpt.git "${GOPATH}/src/github.com/GoogleContainerTools/kpt"

Configure docker credential helper for your repository.

If your use case doesn’t require Porch to interact with GCP container registries, you can build and deploy Porch by running the following command. It will build and push Porch Docker images into (by default) Google Container Registry named (example shown is the Porch server image):

gcr.io/YOUR-PROJECT-ID/porch-server:SHORT-COMMIT-SHA

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy-no-sa

If you want to use different repository, you can set IMAGE_REPO variable (see Makefile for details).

The make push-and-deploy-no-sa target will install Porch but not Config Sync. You can install Config Sync in your k8s cluster manually following the documentation.

Workload Identity

Workload Identity is a simple way to access Google Cloud services from porch.

Google Cloud Source Repositories

Cloud Source Repositories can be access using workload identity, removing the need to store credentials in the cluster.

To set it up, create the necessary service accounts and give it the required roles:

GCP_PROJECT_ID=$(gcloud config get-value project)

# Create GCP service account (GSA) for Porch server.
gcloud iam service-accounts create porch-server

# We want to create and delete images. Assign IAM roles to allow repository
# administration.
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/source.admin"

gcloud iam service-accounts add-iam-policy-binding porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-server]"

# We need to associate the Kubernetes Service Account (KSA)
# with the GSA by annotating the KSA.
kubectl annotate serviceaccount porch-server -n porch-system \
  iam.gke.io/gcp-service-account=porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Build Porch, push images, and deploy porch server and controllers using the make target that adds workload identity service account annotations:

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy

As above, you can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch

To register a repository, use the following command:

kpt alpha repo register --repo-workload-identity --namespace=default https://source.developers.google.com/p/<project>/r/<repo>

OCI

To integrate with OCI repositories such as Artifact Registry or Container Registry, Porch relies on workload identity.

For that use case, create service accounts and assign roles:

GCP_PROJECT_ID=$(gcloud config get-value project)

# Create GCP service account for Porch server.
gcloud iam service-accounts create porch-server
# Create GCP service account for Porch sync controller.
gcloud iam service-accounts create porch-sync

# We want to create and delete images. Assign IAM roles to allow repository
# administration.
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/artifactregistry.repoAdmin"

gcloud iam service-accounts add-iam-policy-binding porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-server]"

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-sync@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/artifactregistry.reader"

gcloud iam service-accounts add-iam-policy-binding porch-sync@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-controllers]"

Build Porch, push images, and deploy porch server and controllers using the make target that adds workload identity service account annotations:

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy

As above, you can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch