Merge pull request #33 from fabi200123/add-new-extra-specs
Add DiskType, DisplayDevice, ServiceAccounts extra-specs options
Showing 4 changed files with 125 additions and 17 deletions.
@@ -104,10 +104,18 @@ To this end, this provider supports the following extra specs schema: | |
"type": "object", | ||
"description": "Schema defining supported extra specs for the Garm GCP Provider", | ||
"properties": { | ||
"display_device": { | ||
"type": "boolean", | ||
"description": "Enable the display device on the VM." | ||
}, | ||
"disksize": { | ||
"type": "integer", | ||
"description": "The size of the root disk in GB. Default is 127 GB." | ||
}, | ||
"disktype": { | ||
"type": "string", | ||
"description": "The type of the disk. Default is pd-standard." | ||
}, | ||
"network_id": { | ||
"type": "string", | ||
"description": "The name of the network attached to the instance." | ||
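Review bot: the `disktype` description ("The type of the disk. Default is pd-standard.") does not say which form the value takes, while the example JSON further down in this PR passes a fully qualified path (`projects/garm-testing/zones/europe-west1/diskTypes/pd-ssd`); state whether a bare type name such as `pd-standard` is accepted or whether the `projects/.../zones/.../diskTypes/...` form is required, because the property is declared as `"type": "string"` with no `enum` or `pattern`, so a malformed value passes extra-specs validation and is only rejected by the GCP API at instance creation time. The `display_device` description ("Enable the display device on the VM.") only restates the key name; one sentence on what enabling it changes on the instance, and why a user would want it, would make the option usable without reading the provider code.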
|
@@ -134,6 +142,13 @@ To this end, this provider supports the following extra specs schema: | |
"type": "string" | ||
} | ||
}, | ||
"service_accounts": { | ||
"type": "array", | ||
"description": "A list of service accounts to be attached to the instance", | ||
"items": { | ||
"$ref": "#/$defs/ServiceAccount" | ||
} | ||
}, | ||
"source_snapshot": { | ||
"type": "string", | ||
"description": "The source snapshot to create this disk." | ||
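Review bot: `service_accounts` items are declared as `"$ref": "#/$defs/ServiceAccount"`, but the `$defs/ServiceAccount` definition is not part of this hunk, so check that it exists in the schema and that its `email` and `scopes` fields (the ones the example JSON in this PR uses) carry descriptions and a `required` list; otherwise a list entry without `email` validates against the schema and only fails at the GCP API. The description should also say whether `scopes` may be omitted and what the provider attaches in that case, since the scopes list is the main knob that bounds what the attached account's credentials can do from inside the instance.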
|
@@ -169,17 +184,22 @@ An example of extra specs json would look like this: | |
|
||
```bash | ||
{ | ||
"display_device": true, | ||
"disksize": 255, | ||
"disktype": "projects/garm-testing/zones/europe-west1/diskTypes/pd-ssd", | ||
"network_id": "projects/garm-testing/global/networks/garm-2", | ||
"subnetwork_id": "projects/garm-testing/regions/europe-west1/subnetworks/garm", | ||
"nic_type": "VIRTIO_NET", | ||
"custom_labels": {"environment":"production","project":"myproject"}, | ||
"network_tags": ["web-server", "production"], | ||
"service_accounts": [{"email":"[email protected]", "scopes":["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write"]}], | ||
"source_snapshot": "projects/garm-testing/global/snapshots/garm-snapshot", | ||
"ssh_keys": ["username1:ssh_key1", "username2:ssh_key2"] | ||
} | ||
``` | ||
|
||
**NOTE**: Using the `service_accounts` extra specs when creating instances **introduces certain risks that must be carefully managed**. **Service accounts** grant access to specific resources, and if improperly configured, they can expose sensitive data or allow unauthorized actions. Misconfigured permissions or overly broad scopes can lead to privilege escalation, enabling attackers or unintended users to access critical resources. It's essential to follow the principle of least privilege, ensuring that service accounts only have the necessary permissions for their intended tasks. Regular audits and proper key management are also crucial to safeguard access and prevent potential security vulnerabilities. | ||
|
||
**NOTE**: The `custom_labels` and `network_tags` must meet the [GCP requirements for labels](https://cloud.google.com/compute/docs/labeling-resources#requirements) and the [GCP requirements for network tags](https://cloud.google.com/vpc/docs/add-remove-network-tags#restrictions)! | ||
|
||
**NOTE**: The `ssh_keys` add the option to [connect to an instance via SSH](https://cloud.google.com/compute/docs/instances/ssh) (either Linux or Windows). After you added the key as `username:ssh_public_key`, you can use the `private_key` to connect to the Linux/Windows instance via `ssh -i private_rsa username@instance_ip`. For **Windows** instances, the provider installs on the instance `google-compute-engine-ssh` and `enables ssh` if a `ssh_key` is added to extra-specs. | ||
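Review bot: the example block is fenced as ```bash but its content is a JSON object; tag it ```json so it renders with the right highlighting and is not mistaken for a shell snippet. The `service_accounts` NOTE would be more actionable if it pointed at the concrete fields in the example above it: the `scopes` list (here `devstorage.read_only` and `logging.write`) is what limits the token an instance can obtain, and the IAM roles granted to the account are the other half of the least-privilege picture. Minor: in the `ssh_keys` NOTE the key file is called `private_key` in one place and `private_rsa` in the `ssh -i` command; use one name, and "After you added the key" reads better as "After you add the key".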