This project allows you to host your Munki repo securely from a Google Cloud Storage bucket.
What you need:
- Google Cloud Platform account
- A Google Cloud Storage bucket
- A service account with read-only access
- Munki version 2.7.0 or higher to use middleware. You can find that here
- Create a new project or navigate to an existing one.
- Create your read-only service account under IAM & Admin
- Create a new service account called whatever you want. Make sure to check the "Furnish a private new key" checkbox and choose JSON as the key type. Keep the downloaded JSON file, since that's the file Munki needs; you can't download it again, but you can create a new key later.
- Go to the IAM section and find the service account (it should be under Editors), then remove all of its roles, if there are any.
- Create new bucket, under Storage.
- Once created, we need to assign read permissions to the service account we created. To do so, select the bucket from the list then click the three dots button on the right end of the line where the bucket is. In the sidebar, search for your service account and add the Storage Object Viewer permissions to it.
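To confirm the bucket permissions ended up read-only, here is an added example (not part of this project's code) that audits the JSON printed by `gsutil iam get gs://<bucket goes here>` against the service account named in gcs.json. The function names, the `munki-ro` account and the sample policy are constructed for illustration, and only the bucket-level policy is checked, not project-level roles.

```python
import json

VIEWER = "roles/storage.objectViewer"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def service_account_email(key):
    """Return client_email from a parsed gcs.json, rejecting other key types."""
    if key.get("type") != "service_account":
        raise ValueError("gcs.json is not a service account key")
    return key["client_email"]


def audit_bucket_policy(policy, sa_email):
    """Return findings for a bucket policy in `gsutil iam get` JSON form."""
    member = "serviceAccount:" + sa_email
    findings, sa_roles = [], set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        for m in sorted(members & PUBLIC):
            findings.append(f"public access: {m} has {role}")
        if member in members:
            sa_roles.add(role)
    if VIEWER not in sa_roles:
        findings.append(f"{member} lacks {VIEWER}")
    for role in sorted(sa_roles - {VIEWER}):
        findings.append(f"{member} has extra role {role}")
    return findings


# Constructed sample data (not from a real project).
SAMPLE_KEY = {"type": "service_account",
              "client_email": "munki-ro@example-project.iam.gserviceaccount.com"}
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketOwner",
   "members": ["projectOwner:example-project"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:munki-ro@example-project.iam.gserviceaccount.com",
               "allUsers"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:munki-ro@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY,
                                       service_account_email(SAMPLE_KEY)):
        print(finding)
```

An empty result means the service account holds only Storage Object Viewer on the bucket and nothing is granted to the public.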
You can upload your Munki repo to the bucket using gsutil (get it here).
The following command will upload all the files from /path/to/munki_repo into your bucket. Note that -d deletes objects in the bucket that are not present in the local repo. For more details, run gsutil help rsync
gsutil -m rsync -r -d -x '.DS_Store|.git' /path/to/munki_repo gs://<bucket goes here>/
- Copy middleware_gcs.py into /usr/local/munki/
- Copy the service account JSON keystore file to /usr/local/munki/. Rename it to gcs.json
- Change your repo to point to your Google Storage bucket.
sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "https://storage.googleapis.com/<bucket goes here>"
- If you're using a Munki version that has embedded Python, you might need to install the pyOpenSSL package.
sudo /usr/local/munki/Python.framework/Versions/Current/bin/python3 -m pip install pyOpenssl
Running the command above is good for testing; you'll want to read this info on how to include the package with Munki.