Running Porch on GKE

You can install Porch by either using one of the released versions, or building Porch from sources.

Prerequisites

Note

Porch should run on any kubernetes cluster and should work on any cloud. We have just started by documenting one known-good configuration: GCP and GKE. We would welcome comparable installation instructions or feedback from people that try it out on other clouds / configurations.

To run one of the released versions of Porch on GKE, you will need:

A GCP Project
gcloud
kubectl; you can install it via gcloud components install kubectl
kpt
Command line utilities such as curl, tar

To build and run Porch on GKE, you will also need:

A container registry which will work with your GKE cluster. Artifact Registry or Container Registry work well though you can use others too.
go 1.17 or newer
docker
Configured docker credential helper
git
make

Getting Started

Make sure your gcloud is configured with your project (alternatively, you can augment all following gcloud commands below with --project flag):

gcloud config set project YOUR_GCP_PROJECT

Select a GKE cluster or create a new one:

gcloud services enable container.googleapis.com
gcloud container clusters create-auto --region us-central1 porch-dev

Note

For development of Porch, in particular for running Porch tests, Standard GKE cluster is currently preferable. Select a

GCP region that works best for your needs:

gcloud services enable container.googleapis.com
gcloud container clusters create --region us-central1 porch-dev

And ensure kubectl is targeting your GKE cluster:

gcloud container clusters get-credentials --region us-central1 porch-dev

Run Released Version of Porch

To run a released version of Porch, download the release config bundle from Porch release page.

Untar and apply the deployment-blueprint.tar.gz config bundle. This will install:

Porch server
Config Sync

mkdir porch-install
tar xzf ~/Downloads/deployment-blueprint.tar.gz -C porch-install
kubectl apply -f porch-install
kubectl wait deployment --for=condition=Available porch-server -n porch-system

You can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch

Expected output will include:

repositories                                   config.porch.kpt.dev/v1alpha1          true         Repository
functions                                      porch.kpt.dev/v1alpha1                 true         Function
packagerevisionresources                       porch.kpt.dev/v1alpha1                 true         PackageRevisionResources
packagerevisions                               porch.kpt.dev/v1alpha1                 true         PackageRevision

To install ConfigSync:

echo "
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  enableMultiRepo: true
" | kubectl apply -f -

Run Custom Build of Porch

To run custom build of Porch, you will need additional prerequisites. The commands below use Google Container Registry.

Clone this repository into ${GOPATH}/src/github.com/GoogleContainerTools/kpt.

git clone https://github.com/GoogleContainerTools/kpt.git "${GOPATH}/src/github.com/GoogleContainerTools/kpt"

Configure docker credential helper for your repository.

If your use case doesn’t require Porch to interact with GCP container registries, you can build and deploy Porch by running the following command. It will build and push Porch Docker images into (by default) Google Container Registry named (example shown is the Porch server image):

gcr.io/YOUR-PROJECT-ID/porch-server:SHORT-COMMIT-SHA

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy-no-sa

If you want to use different repository, you can set IMAGE_REPO variable (see Makefile for details).

The make push-and-deploy-no-sa target will install Porch but not Config Sync. You can install Config Sync in your k8s cluster manually following the documentation.

Note

The -no-sa (no service account) targets create Porch deployment configuration which does not associate Kubernetes service accounts with GCP service accounts. This is sufficient for Porch to integate with Git repositories using Basic Auth, for example GitHub.

As above, you can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch

Workload Identity

Workload Identity is a simple way to access Google Cloud services from porch.

Google Cloud Source Repositories

Cloud Source Repositories can be access using workload identity, removing the need to store credentials in the cluster.

To set it up, create the necessary service accounts and give it the required roles:

GCP_PROJECT_ID=$(gcloud config get-value project)

# Create GCP service account (GSA) for Porch server.
gcloud iam service-accounts create porch-server

# We want to create and delete images. Assign IAM roles to allow repository
# administration.
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/source.admin"

gcloud iam service-accounts add-iam-policy-binding porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-server]"

# We need to associate the Kubernetes Service Account (KSA)
# with the GSA by annotating the KSA.
kubectl annotate serviceaccount porch-server -n porch-system \
  iam.gke.io/gcp-service-account=porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Build Porch, push images, and deploy porch server and controllers using the make target that adds workload identity service account annotations:

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy

As above, you can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch

To register a repository, use the following command:

kpt alpha repo register --repo-workload-identity --namespace=default https://source.developers.google.com/p/<project>/r/<repo>

OCI

To integrate with OCI repositories such as Artifact Registry or Container Registry, Porch relies on workload identity.

For that use case, create service accounts and assign roles:

GCP_PROJECT_ID=$(gcloud config get-value project)

# Create GCP service account for Porch server.
gcloud iam service-accounts create porch-server
# Create GCP service account for Porch sync controller.
gcloud iam service-accounts create porch-sync

# We want to create and delete images. Assign IAM roles to allow repository
# administration.
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/artifactregistry.repoAdmin"

gcloud iam service-accounts add-iam-policy-binding porch-server@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-server]"

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:porch-sync@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/artifactregistry.reader"

gcloud iam service-accounts add-iam-policy-binding porch-sync@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[porch-system/porch-controllers]"

Build Porch, push images, and deploy porch server and controllers using the make target that adds workload identity service account annotations:

IMAGE_TAG=$(git rev-parse --short HEAD) make push-and-deploy

As above, you can verify that Porch is running by querying the api-resources:

kubectl api-resources | grep porch