Janitor Configuration

Configuring Google Cloud Platform Plugins for the gordon-janitor service.

Example Configuration

An example of a gordon-janitor.toml file for GCP-specific plugins:

# Example for Gordon Janitor GCP-related Config
[core]
plugins = ["gcp.gdns"]

[gcp]
cleanup_timeout = 60

[gcp.gdns]
keyfile = "/path/to/dns-service-account.json"
project = "gordon-dns-example"
scopes = ["ndev.clouddns.readonly"]
default_zone_prefix = "production"

[gcp.gpubsub]
keyfile = "/path/to/pubsub-service-account.json"
project = "gordon-pubsub-example"
topic = "dns-changes-topic"

[gcp.gce]
keyfile = "/path/to/crm-service-account.json"
scopes = ["cloud-platform"]
dns_zone = "example.com."
metadata_blacklist = [["key", "val"], ["other_key", "other_val"]]
tag_blacklist = []
project_blacklist = []
# This is passed directly to GCE's v1.instances.aggregatedList endpoint
instance_filter = ""

Plugin Configuration

The following sections are supported:

gcp

Any configuration key/value listed here may also be used in the specific plugin configuration. Values set in a plugin-specific config section will overwrite what’s set in this general [gcp] section.

project="STR"

Required: Google Project ID which hosts the relevant GCP services (e.g. Cloud DNS, Pub/Sub, Compute Engine).

To learn more about GCP projects, please see Google’s docs on creating & managing projects.

keyfile="/path/to/keyfile.json"

Optional: Path to the Service Account JSON keyfile to use while authenticating against Google APIs. If not provided the default Service Account will be used instead.

While one global key for all plugins is supported, it’s advised to create a key per plugin with only the permissions it requires. To set up a service account, follow Google’s docs on creating & managing service account keys.

Attention

For the Pub/Sub plugin, keyfile is not required when running against the Pub/Sub Emulator that Google provides.

scopes=["STR","STR"]

Optional: A list of strings of the scope(s) needed when making calls to Google APIs. Defaults to ["cloud-platform"].

cleanup_timeout=INT

Optional: Timeout in seconds for how long each plugin should wait for outstanding tasks (e.g. processing remaining messages from a channel) before cancelling. This is only used when a plugin has received all messages from a channel but may still have work outstanding. Defaults to 60.

default_zone_prefix="STR"

Optional: Prefix associated with Google managed zone names, joined to the generated name with a ‘-’. For example, the prefix “production” will produce a managed zone name of “production-example-com” for the “example.com.” DNS zone.

Note: This prefix must be the same as that used by the Gordon Service to work correctly.

gcp.gdns

All configuration options above in the general [gcp] may be used here. There are no specific DNS-related configuration options.

gcp.gpubsub

All configuration options above in the general [gcp] may be used here. Additional Google Cloud Pub/Sub-related configuration is needed:

topic="STR"

Required: Google Pub/Sub topic from which to receive the published change messages.

Attention

For the Pub/Sub plugin, keyfile is not required when running against the Pub/Sub Emulator that Google provides.

gcp.gce

All configuration options from the general [gcp] section may be used here.

Additional plugin-specific configuration is needed:

dns_zone="STR"

Required: DNS zone to pull records from. Must be a fully-qualified domain name (FQDN) ending in a trailing dot, e.g. ‘example.com.’. If it’s a reverse zone, it must be in the form ‘A.B.in-addr.arpa.’.

Note: this is separate from Google’s ‘managed zone’ names. Google uses custom string names with specific requirements for storing records. Gordon requires that managed zone names be based on DNS names. For all domains, remove the trailing dot and replace all other dots with dashes. For reverse zones, use only the two most significant octets, prefixed with ‘reverse-’. (E.g. foo.bar.com. -> foo-bar-com and 0.168.192.in-addr.arpa. -> reverse-168-192.)
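The naming rule above (and the default_zone_prefix rule from the general [gcp] section) is easy to get subtly wrong, for instance by forgetting the FQDN check or by taking the least significant octets of a reverse zone. The following added example, which is not gordon's own code, implements the rule as this page states it: it rejects a dns_zone without a trailing dot, converts forward zones by swapping dots for dashes, and converts in-addr.arpa zones to ‘reverse-’ plus the two most significant octets. Applying the prefix to a reverse zone exactly as to a forward zone is an assumption; the page only shows the prefix on a forward zone.

```python
"""Derive the managed zone name gordon-janitor expects from a dns_zone FQDN.

Added illustrative code; it is not part of gordon-janitor.
"""


def validate_dns_zone(dns_zone: str) -> None:
    """dns_zone must be fully qualified (trailing dot), per the dns_zone option."""
    if not dns_zone.endswith("."):
        raise ValueError(f"dns_zone must be an FQDN ending in '.': {dns_zone!r}")
    if dns_zone.strip(".") == "":
        raise ValueError("dns_zone must contain at least one label")


def managed_zone_name(dns_zone: str, prefix: str = "") -> str:
    """Map a DNS zone (and optional default_zone_prefix) to a managed zone name.

    example.com.               -> example-com
    0.168.192.in-addr.arpa.    -> reverse-168-192
    """
    validate_dns_zone(dns_zone)
    labels = dns_zone.rstrip(".").split(".")

    if labels[-2:] == ["in-addr", "arpa"]:
        # Reverse zone: labels are least-significant first, so the two most
        # significant octets are the last two before in-addr.arpa.
        octets = labels[:-2]
        if len(octets) < 2:
            raise ValueError(f"reverse zone needs at least two octets: {dns_zone!r}")
        name = "reverse-" + "-".join(octets[-2:])
    else:
        # Forward zone: drop the trailing dot, replace remaining dots with dashes.
        name = "-".join(labels)

    # Assumption: the prefix joins with '-' for reverse zones as it does for forward ones.
    return f"{prefix}-{name}" if prefix else name


if __name__ == "__main__":
    for zone in ("example.com.", "foo.bar.com.", "0.168.192.in-addr.arpa."):
        print(zone, "->", managed_zone_name(zone, "production"))
```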

metadata_blacklist=[["STR","STR"],["STR","STR"]]

Optional: List of key-value pairs that will be used to filter out unwanted GCE instances by instance metadata. Note that both the key and the value must match for an instance to be filtered out.

tag_blacklist=["STR","STR"]

Optional: List of network tags that will be used to filter out unwanted GCE instances.

project_blacklist=["STR","STR"]

Optional: List of unique, user-assigned project IDs (projectId) that will be ignored when fetching projects.

project_whitelist=["STR","STR"]

Optional: List of unique, user-assigned project IDs (projectId) that will be used to fetch instances. If set, janitor will only look at these projects: it will not fetch active projects, and project_blacklist will be ignored.

instance_filter="STR"

Optional: String used to filter instances by instance attributes. It is passed directly to GCE’s v1.instances.aggregatedList endpoint’s filter parameter.
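The project and instance filtering options above interact in ways worth seeing end to end: project_whitelist, when set, replaces the fetched project list and makes project_blacklist irrelevant; a metadata_blacklist entry only excludes an instance when both the key and the value match; tag_blacklist excludes on any matching network tag. The following is an added example, not gordon-janitor's own filtering code. The instance records are constructed in the shape returned by GCE's instances.aggregatedList (metadata.items as key/value pairs, tags.items as a list), and the project names and tags are sample values. instance_filter is applied server-side by that API, so it is not reproduced here.

```python
"""Apply gcp.gce blacklist/whitelist settings to projects and instances.

Added illustrative code; it is not part of gordon-janitor.
"""

# Constructed sample of the gcp.gce options documented on this page.
GCE_CONFIG = {
    "metadata_blacklist": [["role", "canary"], ["other_key", "other_val"]],
    "tag_blacklist": ["no-dns"],
    "project_blacklist": ["scratch-project"],
    "project_whitelist": [],
}

# Constructed sample data: projects that would come back as active, and
# instances in the shape of an aggregatedList response.
ACTIVE_PROJECTS = ["prod-project", "scratch-project", "staging-project"]

INSTANCES = [
    {"name": "web-1",
     "metadata": {"items": [{"key": "role", "value": "web"}]},
     "tags": {"items": ["http-server"]}},
    {"name": "canary-1",  # key and value both match -> filtered out
     "metadata": {"items": [{"key": "role", "value": "canary"}]},
     "tags": {"items": ["http-server"]}},
    {"name": "db-1",  # key matches a blacklist entry but value does not -> kept
     "metadata": {"items": [{"key": "role", "value": "db"}]},
     "tags": {"items": []}},
    {"name": "hidden-1",  # blacklisted network tag -> filtered out
     "metadata": {"items": []},
     "tags": {"items": ["no-dns", "internal"]}},
]


def select_projects(active_projects, cfg):
    """Return the projects to scan for instances."""
    whitelist = cfg.get("project_whitelist") or []
    if whitelist:
        # Whitelist wins: active projects are not consulted, blacklist is ignored.
        return list(whitelist)
    blacklist = set(cfg.get("project_blacklist") or [])
    return [p for p in active_projects if p not in blacklist]


def is_blacklisted(instance, cfg) -> bool:
    """True if instance metadata (key AND value) or a network tag is blacklisted."""
    meta = {item["key"]: item.get("value")
            for item in instance.get("metadata", {}).get("items", [])}
    for key, value in cfg.get("metadata_blacklist") or []:
        if key in meta and meta[key] == value:
            return True
    tags = set(instance.get("tags", {}).get("items", []))
    return bool(tags & set(cfg.get("tag_blacklist") or []))


def filter_instances(instances, cfg):
    """Keep only the instances the janitor should consider for DNS reconciliation."""
    return [i for i in instances if not is_blacklisted(i, cfg)]


def kept_names(instances, cfg):
    return [i["name"] for i in filter_instances(instances, cfg)]


if __name__ == "__main__":
    print("projects:", select_projects(ACTIVE_PROJECTS, GCE_CONFIG))
    print("instances:", kept_names(INSTANCES, GCE_CONFIG))
```

With the sample config, only prod-project and staging-project are scanned, and of the four instances only web-1 and db-1 survive: db-1 shows that a matching key alone is not enough to exclude an instance.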