ConfigConnector setup

Makefile

@@ -42,6 +42,10 @@ ASO_SYSTEM_NAMESPACE = aso-system
 # datasource=github-tags depName=Azure/azure-service-operator
 ASO_VERSION = v2.0.0-beta.5
 
+KCC_SYSTEM_NAMESPACE = cnrm-system
+# datasource=github-tags depName=GoogleCloudPlatform/k8s-config-connector
+ASO_VERSION = v1.101.0
+
 # ====================================
 # D E V E L O P M E N T
 # ====================================
@@ -166,6 +170,13 @@ ack-uninstall: ## Uninstall the ACK controllers
 	helm uninstall -n $(ACK_SYSTEM_NAMESPACE) ack-s3-controller
 	kubectl delete namespace $(ACK_SYSTEM_NAMESPACE)
 
+
+# ====================================
+# ASO
+# ====================================
+
+##@ ASO
+
 .PHONY: aso-azure-credentials
 aso-azure-credentials: guard-AZURE_TENANT_ID guard-AZURE_SUBSCRIPTION_ID ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_ACCESS_KEY=xxx)
 	@./hack/scripts/aso.sh aso-controller-settings $(ASO_SYSTEM_NAMESPACE)
@@ -180,7 +191,7 @@ aso-dependencies: ## Install dependencies
 		cert-manager cert-manager/cert-manager --version 1.9.1
 
 .PHONY: aso-install
-aso-install:## Install the ASO controlplane
+aso-install: ## Install the ASO controlplane
 	@helm repo add aso2 https://raw.githubusercontent.com/Azure/azure-service-operator/main/v2/charts
 	@helm repo update
 	@helm upgrade --install --devel --create-namespace --namespace=$(ASO_SYSTEM_NAMESPACE) azure-service-operator \
@@ -198,3 +209,25 @@ aso-uninstall: ## Uninstall the ACK controllers
 	@kubectl delete namespace $(ASO_SYSTEM_NAMESPACE)
 	@helm uninstall -n cert-manager cert-manager
 	@kubectl delete namespace cert-manager
+
+
+# ====================================
+# KCC
+# ====================================
+
+##@ KCC
+
+kcc-install: # Install the KCC controlplane
+	helm upgrade --install --devel --create-namespace --namespace=$(KCC_SYSTEM_NAMESPACE) kubernetes-config-connector \
+		aso2/azure-service-operator \
+		--version=v$(KCC_VERSION) \
+		-f krm/kcc/values.yaml
+
+.PHONY: kcc-infra
+kcc-infra: guard-ACTION ## Manage the components (ACTION=xxx, apply or delete)
+	@kustomize build krm/kcc/infra | kubectl $(ACTION) -f -
+
+.PHONY: kcc-uninstall
+kcc-uninstall: ## Uninstall KCC controlplane
+	@helm uninstall -n $(KCC_SYSTEM_NAMESPACE) kubernetes-config-connector
+	@kubectl delete namespace $(KCC_SYSTEM_NAMESPACE)

README.md

@@ -11,13 +11,14 @@ Tools:
 * [Crossplane](https://crossplane.io)
 * [AWS Controllers for Kubernetes](https://aws-controllers-k8s.github.io/community/)
 * [Azure Service Operator](https://github.com/Azure/azure-service-operator)
-* [Config Connector](https://cloud.google.com/config-connector/docs/overview)
+* [Kubernetes Config Connector](https://cloud.google.com/config-connector/docs/overview)
 
 ## Documentation
 
 * [Crossplane](./krm/crossplane)
 * [AWS Controllers for Kubernetes](./krm/ack/)
 * [Azure Service Operator](./krm/aso/)
+* [Kubernetes Config Connector](./krm/kcc)
 
 ## Contributing
 

krm/ack/README.md

@@ -6,12 +6,6 @@
 > make kind-create ENV=aws
 ```
 
-* Install ACK:
-
-```shell
-> make ack-controlplane ENV=aws
-```
-
 ## Cloud provider credentials
 
 ```shell
@@ -23,10 +17,10 @@
 * Install ACK controllers:
 
 ```shell
-> make ack-install
+> make kcc-install
 ```
 
-* Check controllers:
+* Check controller:
 
 ```shell
 > kubectl -n ack-system get pods -l "app.kubernetes.io/instance=ack-ec2-controller"
@@ -39,5 +33,5 @@
 * Clean cluster:
 
 ```shell
-> make ack-uninstall
+> make kcc-uninstall
 ```

krm/crossplane/gcp/infra/gke.yaml

@@ -75,8 +75,8 @@ spec:
     #   service: kubernetes
     #   role: cluster
     #   made-by: crossplane
-    # workloadIdentityConfig:
-    #   workloadPool: portefaix-krm #.svc.id.goog
+    workloadIdentityConfig:
+      workloadPool: portefaix-krm-crossplane.svc.id.goog
   writeConnectionSecretToRef:
     name: portefaix-krm-gke
     namespace: crossplane-system

krm/kcc/README.md

@@ -0,0 +1,35 @@
+# KRM / KCC
+
+Resources: https://cloud.google.com/config-connector/docs/reference/overview
+
+* Create Kind cluster :
+
+```shell
+> make kind-create ENV=gcp
+```
+
+## Cloud provider credentials
+
+```shell
+> make kcc-gcp-credentials
+```
+
+## KCC Control Plane
+
+* Install KCC:
+
+```shell
+> make kcc-install
+```
+
+* Check controllers:
+
+```shell
+
+```
+
+* Clean cluster:
+
+```shell
+> make kcc-uninstall
+```

krm/kcc/infra/artifactregistry.yaml

@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
+kind: ArtifactRegistryRepository
+metadata:
+  name: portefaix-krm-kcc-charts
+spec:
+  format: DOCKER
+  location: eu-west1
+---
+apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
+kind: ArtifactRegistryRepository
+metadata:
+  name: portefaix-krm-kcc-containers
+spec:
+  format: DOCKER
+  location: eu-west1

krm/kcc/infra/bucket.yaml

@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: portefaix-krm-kcc
+spec:
+  location: eu-west1
+  storageClass: standard
+  uniformBucketLevelAccess: true
+  versioning:
+    enabled: true
+  lifecycleRule:
+    - action:
+        type: Delete
+      condition:
+        age: 10

krm/kcc/infra/firewall.yaml

@@ -0,0 +1,89 @@
+# Copyright (C) Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: portefaix-krm-kcc-allow-tcp-ssh-icmp
+spec:
+  allow:
+    - protocol: tcp
+      ports:
+       - "22"
+       - "3389"
+    - protocol: icmp
+  networkRef:
+    name: portefaix-krm-kcc
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: portefaix-krm-kcc-internal
+spec:
+  allow:
+    - protocol: tcp
+    - protocol: icmp
+    - protocol: udp
+  networkRef:
+    name: portefaix-krm-kcc
+  sourceRanges:
+    - "10.2.0.0/16"
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: portefaix-krm-kcc-allow-iap-ssh
+spec:
+  priority: 10000
+  allow:
+    - ports:
+        - "22"
+      protocol: tcp
+  direction: INGRESS
+  disabled: false
+  enableLogging: false
+  networkRef:
+    name: portefaix-krm-kcc
+  sourceRanges:
+    - "35.235.240.0/20"
+  targetTags:
+    - allow-iap-ssh
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: portefaix-krm-kcc-allow-gcp-lb
+spec:
+  priority: 10000
+  allow:
+    - ports:
+        - "80"
+        - "443"
+        - "8080"
+      protocol: tcp
+  direction: INGRESS
+  disabled: false
+  enableLogging: false
+  networkRef:
+    name: portefaix-krm-kcc
+  sourceRanges:
+    - "35.191.0.0/16"
+    - "130.211.0.0/22"
+    - "209.85.152.0/22"
+    - "209.85.204.0/22"
+  targetTags:
+    - allow-gcp-lb