GCP infrastructure using Crossplane

krm/gcp/bucket.yaml

@@ -0,0 +1,67 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: storage.gcp.crossplane.io/v1alpha3
+kind: Bucket
+metadata:
+  name: portefaix-krm-gcp
+  annotations:
+    crossplane.io/external-name: portefaix-krm-gcp-bucket
+spec:
+  location: EU
+  storageClass: MULTI_REGIONAL
+  providerConfigRef:
+    name: portefaix-gcp
+  labels:
+    made-by: crossplane
+  deletionPolicy: Delete
+---
+apiVersion: storage.gcp.crossplane.io/v1alpha1
+kind: BucketPolicy
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    bucketRef:
+      name: portefaix-krm-gcp
+    policy:
+      bindings:
+        # - role: roles/storage.legacyBucketOwner
+        #   members:
+        #     - "projectEditor:<gcp-project>"
+        #     - "projectOwner:<gcp-project>"
+        # - role: roles/storage.legacyBucketReader
+        #   members:
+        #     - "projectViewer:<gcp-project>"
+        - role: roles/storage.objectAdmin
+          serviceAccountMemberRefs:
+            - name: portefaix-krm-gcp
+  providerConfigRef:
+    name: portefaix-gcp
+---
+apiVersion: storage.gcp.crossplane.io/v1alpha1
+kind: BucketPolicyMember
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    bucketRef:
+      name: portefaix-krm-gcp
+    # member: serviceAccount:<my-sa-email>
+    serviceAccountMemberRef:
+      name: portefaix-krm-gcp
+    role: roles/storage.objectAdmin
+  providerConfigRef:
+    name: portefaix-gcp

krm/gcp/cloudsql.yaml

@@ -0,0 +1,32 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: database.gcp.crossplane.io/v1beta1
+kind: CloudSQLInstance
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    databaseVersion: POSTGRES_11
+    region: eu-west1
+    settings:
+      tier: db-custom-1-3840
+      dataDiskSizeGb: 20
+  providerConfigRef:
+    name: portefaix-gcp
+  writeConnectionSecretToRef:
+    name: portefaix-krm-gcp-cloudsql
+    namespace: crossplane-system
+  deletionPolicy: Delete

krm/gcp/firewall.yaml

@@ -0,0 +1,31 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: compute.gcp.crossplane.io/v1alpha1
+kind: Firewall
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    description: "Portefaix KRM Crossplane"
+    allowed:
+      - IPProtocol: tcp
+        ports: ["80", "443"]
+      - IPProtocol: icmp
+    sourceRanges: ["10.0.0.0/24"]
+    networkRef:
+      name: portefaix-krm-gcp
+  providerConfigRef:
+    name: portefaix-gcp

krm/gcp/gke.yaml

@@ -0,0 +1,192 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: container.gcp.crossplane.io/v1beta2
+kind: Cluster
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    # initialClusterVersion: "1.21"
+    releaseChannel:
+      channel: REGULAR
+    location: eu-west1
+    masterAuth:
+      # setting this master auth user name enables basic auth so that a client (e.g.,
+      # provider-helm), can connect with the generated kubeconfig from the connection secret
+      # username: admin
+    networkConfig:
+      enableIntraNodeVisibility: true
+    loggingService: logging.googleapis.com/kubernetes
+    monitoringService: monitoring.googleapis.com/kubernetes
+    addonsConfig:
+      cloudRunConfig:
+        disabled: true
+      dnsCacheConfig:
+        enabled: true
+      gcePersistentDiskCsiDriverConfig:
+        enabled: true
+      horizontalPodAutoscaling:
+        disabled: true
+      httpLoadBalancing:
+        disabled: true
+      istioConfig:
+        disabled: true
+        auth: "AUTH_NONE"
+      kalmConfig:
+        enabled: false
+      kubernetesDashboard:
+        disabled: true
+      networkPolicyConfig:
+        disabled: false
+    binaryAuthorization:
+      enabled: false
+    legacyAbac:
+      enabled: false
+    network: portefaix-krm-gcp
+    networkPolicy:
+      enabled: true
+      provider: CALICO
+    podSecurityPolicyConfig:
+      enabled: false
+  writeConnectionSecretToRef:
+    name: portefaix-krm-gcp-gke
+    namespace: crossplane-system
+  providerConfigRef:
+    name: portefaix-gcp
+---
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+  name: portefaix-krm-gcp-core
+spec:
+  forProvider:
+    autoscaling:
+      autoprovisioned: false
+      enabled: true
+      maxNodeCount: 3
+      minNodeCount: 0
+    clusterRef:
+      name: portefaix-krm-gcp
+    config:
+      machineType: n1-standard-1
+      sandboxConfig:
+        type: gvisor
+      diskSizeGb: 120
+      diskType: pd-ssd
+      imageType: cos_containerd
+      labels:
+        made-by: crossplane
+      tags:
+        - kubernetes
+        - nodes
+      oauthScopes:
+      - "https://www.googleapis.com/auth/devstorage.read_only"
+      - "https://www.googleapis.com/auth/logging.write"
+      - "https://www.googleapis.com/auth/monitoring"
+      - "https://www.googleapis.com/auth/servicecontrol"
+      - "https://www.googleapis.com/auth/service.management.readonly"
+      - "https://www.googleapis.com/auth/trace.append"
+    initialNodeCount: 1
+    locations:
+      - "eu-west1-b"
+    management:
+      autoRepair: true
+      autoUpgrade: true
+  providerConfigRef:
+    name: portefaix-gcp
+---
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+  name: portefaix-krm-gcp-ops
+spec:
+  forProvider:
+    autoscaling:
+      autoprovisioned: false
+      enabled: true
+      maxNodeCount: 3
+      minNodeCount: 0
+    clusterRef:
+      name: portefaix-krm-gcp
+    config:
+      machineType: n1-standard-1
+      sandboxConfig:
+        type: gvisor
+      diskSizeGb: 120
+      diskType: pd-ssd
+      imageType: cos_containerd
+      labels:
+        made-by: crossplane
+      tags:
+        - kubernetes
+        - nodes
+      oauthScopes:
+      - "https://www.googleapis.com/auth/devstorage.read_only"
+      - "https://www.googleapis.com/auth/logging.write"
+      - "https://www.googleapis.com/auth/monitoring"
+      - "https://www.googleapis.com/auth/servicecontrol"
+      - "https://www.googleapis.com/auth/service.management.readonly"
+      - "https://www.googleapis.com/auth/trace.append"
+    initialNodeCount: 0
+    locations:
+      - "eu-west1-b"
+    management:
+      autoRepair: true
+      autoUpgrade: true
+  providerConfigRef:
+    name: portefaix-gcp
+---
+apiVersion: container.gcp.crossplane.io/v1beta1
+kind: NodePool
+metadata:
+  name: portefaix-krm-gcp-misc
+spec:
+  forProvider:
+    autoscaling:
+      autoprovisioned: false
+      enabled: true
+      maxNodeCount: 3
+      minNodeCount: 0
+    clusterRef:
+      name: portefaix-krm-gcp
+    config:
+      machineType: n1-standard-1
+      sandboxConfig:
+        type: gvisor
+      diskSizeGb: 120
+      diskType: pd-ssd
+      imageType: cos_containerd
+      labels:
+        made-by: crossplane
+      tags:
+        - kubernetes
+        - nodes
+      preemptible: true
+      oauthScopes:
+      - "https://www.googleapis.com/auth/devstorage.read_only"
+      - "https://www.googleapis.com/auth/logging.write"
+      - "https://www.googleapis.com/auth/monitoring"
+      - "https://www.googleapis.com/auth/servicecontrol"
+      - "https://www.googleapis.com/auth/service.management.readonly"
+      - "https://www.googleapis.com/auth/trace.append"
+    initialNodeCount: 0
+    locations:
+      - "eu-west1-b"
+    management:
+      autoRepair: true
+      autoUpgrade: true
+  providerConfigRef:
+    name: portefaix-gcp

krm/gcp/iam.yaml

@@ -0,0 +1,64 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: iam.gcp.crossplane.io/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  properties:
+  forProvider:
+    displayName: "portefaix-krm-crossplane"
+    description: "Portefaix KRM Crossplane"
+  deletionPolicy: Delete
+  providerConfigRef:
+    name: portefaix-gcp
+---
+apiVersion: iam.gcp.crossplane.io/v1alpha1
+kind: ServiceAccountKey
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  properties:
+  forProvider:
+    # Google Cloud API RRN of a ServiceAccount is expected in "serviceAccount" field
+    # serviceAccount: projects/crossplane-playground/serviceAccounts/[email protected]
+    serviceAccountRef:
+      name: portefaix-krm-gcp
+    # keyAlgorithm: "KEY_ALG_RSA_2048"
+    # privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE"
+    # publicKeyType: TYPE_RAW_PUBLIC_KEY
+  deletionPolicy: Delete
+  providerConfigRef:
+    name: portefaix-gcp
+  writeConnectionSecretToRef:
+    name: portefaix-krm-gcp-sa-key
+    namespace: crossplane-system
+---
+apiVersion: iam.gcp.crossplane.io/v1alpha1
+kind: ServiceAccountPolicy
+metadata:
+  name: portefaix-krm-gcp
+spec:
+  forProvider:
+    serviceAccountRef:
+      name: portefaix-krm-gcp
+    policy:
+      bindings:
+        - role: roles/iam.workloadIdentityUser
+          members:
+            - serviceAccount:portefaix-krm.svc.id.goog[vault-system/vault]
+  providerConfigRef:
+    name: portefaix-gcp