Last active
January 17, 2023 00:35
-
-
Save mathieu-benoit/f2511f0c61ee2a1fb3f0cf5938ecd53e to your computer and use it in GitHub Desktop.
Add a new `RepoSync`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NAMESPACE=acm-workshop | |
| mkdir -p ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$NAMESPACE | |
| cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$NAMESPACE/artifactregistry-charts-reader-workload-identity-user.yaml | |
| apiVersion: iam.cnrm.cloud.google.com/v1beta1 | |
| kind: IAMPartialPolicy | |
| metadata: | |
| name: ${HELM_CHARTS_READER_GSA}-${NAMESPACE} | |
| namespace: ${TENANT_PROJECT_ID} | |
| annotations: | |
| config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${HELM_CHARTS_READER_GSA} | |
| spec: | |
| resourceRef: | |
| name: ${HELM_CHARTS_READER_GSA} | |
| kind: IAMServiceAccount | |
| bindings: | |
| - role: roles/iam.workloadIdentityUser | |
| members: | |
| - member: serviceAccount:${TENANT_PROJECT_ID}.svc.id.goog[config-management-system/ns-reconciler-${NAMESPACE}] | |
| EOF | |
| cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/ | |
| git add . && git commit -m "Add WorkloadIdentitUser for RepoSync's GSA in ${NAMESPACE}" && git push origin main |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NAMESPACE=acm-workshop | |
| CHART_VERSION=1.0.0-FIXME | |
| DOMAIN=acm-workshop.alwaysupalwayson.com | |
| MANAGED_CERTIFICATES=whereami,acm-workshop #,onlineboutique,myblog,acm-workshop | |
| mkdir -p ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs | |
| mkdir ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$NAMESPACE | |
| cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$NAMESPACE/namespace.yaml | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| labels: | |
| istio-injection: enabled | |
| pod-security.kubernetes.io/enforce: restricted | |
| name: $NAMESPACE | |
| EOF | |
| cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$NAMESPACE/repo-sync.yaml | |
| apiVersion: configsync.gke.io/v1beta1 | |
| kind: RepoSync | |
| metadata: | |
| name: repo-sync | |
| namespace: $NAMESPACE | |
| spec: | |
| sourceFormat: unstructured | |
| sourceType: helm | |
| helm: | |
| repo: oci://${CHART_REGISTRY_REPOSITORY} | |
| chart: ${NAMESPACE} | |
| version: ${CHART_VERSION} | |
| releaseName: ${NAMESPACE} | |
| auth: gcpserviceaccount | |
| gcpServiceAccountEmail: ${HELM_CHARTS_READER_GSA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com | |
| values: | |
| container: | |
| image: | |
| repository: ${CONTAINER_REGISTRY_REPOSITORY} | |
| EOF | |
| cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$NAMESPACE/repo-sync-role-binding.yaml | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: repo-sync | |
| namespace: ${NAMESPACE} | |
| subjects: | |
| - kind: ServiceAccount | |
| name: ns-reconciler-${NAMESPACE} | |
| namespace: config-management-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: edit | |
| apiGroup: rbac.authorization.k8s.io | |
| EOF | |
| cat <<EOF > ~/$GKE_CONFIGS_DIR_NAME/$INGRESS_GATEWAY_NAMESPACE/managedcertificate-$NAMESPACE.yaml | |
| apiVersion: networking.gke.io/v1 | |
| kind: ManagedCertificate | |
| metadata: | |
| name: ${NAMESPACE} | |
| namespace: asm-ingress | |
| spec: | |
| domains: | |
| - "${DOMAIN}" | |
| EOF | |
| cd ~/$GKE_CONFIGS_DIR_NAME/$INGRESS_GATEWAY_NAMESPACE | |
| kpt fn eval . \ | |
| -i set-annotations:v0.1 \ | |
| --match-kind Ingress \ | |
| -- networking.gke.io/managed-certificates=$MANAGED_CERTIFICATES | |
| cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/ | |
| git add . && git commit -m "Add new ${NAMESPACE} RepoSync and ManagedCertificates on Ingress" && git push origin main | |
| # Checks | |
| gcloud alpha anthos config sync repo describe \ | |
| --project $TENANT_PROJECT_ID \ | |
| --managed-resources all \ | |
| --sync-name root-sync \ | |
| --sync-namespace config-management-system | |
| gcloud alpha anthos config sync repo describe \ | |
| --project $TENANT_PROJECT_ID \ | |
| --managed-resources all \ | |
| --sync-name repo-sync \ | |
| --sync-namespace $NAMESPACE | |
| nomos status --contexts $(kubectl config current-context) | |
| gcloud compute ssl-certificates list \ | |
| --project $TENANT_PROJECT_ID |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NAMESPACE=acm-workshop | |
| DOMAIN=acm-workshop.alwaysupalwayson.com | |
| mkdir -p ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$NAMESPACE | |
| cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$NAMESPACE/uptime-check-config.yaml | |
| apiVersion: monitoring.cnrm.cloud.google.com/v1beta1 | |
| kind: MonitoringUptimeCheckConfig | |
| metadata: | |
| name: uptimecheckconfig-${NAMESPACE} | |
| spec: | |
| projectRef: | |
| external: projects/${TENANT_PROJECT_ID} | |
| displayName: ${NAMESPACE} | |
| period: 900s | |
| timeout: 5s | |
| monitoredResource: | |
| type: "uptime_url" | |
| filterLabels: | |
| host: ${DOMAIN} | |
| project_id: ${TENANT_PROJECT_ID} | |
| httpCheck: | |
| port: 443 | |
| requestMethod: GET | |
| useSsl: true | |
| validateSsl: true | |
| EOF | |
| cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/ | |
| git add . && git commit -m "Add Uptime check config for ${NAMESPACE}" && git push origin main |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment