diff --git a/Makefile b/Makefile index 6b9379e..2106212 100644 --- a/Makefile +++ b/Makefile @@ -66,11 +66,6 @@ kind-delete: guard-ENV ## Delete a local Kubernetes cluster (ENV=xxx) @echo -e "$(OK_COLOR)[$(APP)] Create Kubernetes cluster ${SERVICE}$(NO_COLOR)" @kind delete cluster --name=$(CLUSTER) -.PHONY: kind-kube-credentials -kind-kube-credentials: guard-ENV ## Credentials for Kind (ENV=xxx) - @kubectl config use-context $(KUBE_CONTEXT) - - # ==================================== # K U B E R N E T E S # ==================================== @@ -95,11 +90,30 @@ kubernetes-secret: guard-NAMESPACE guard-NAME guard-FILE ## Generate a Kubernete kubernetes-credentials: guard-ENV guard-CLOUD ## Generate credentials (CLOUD=xxxx ENV=xxx) @kubectl config use-context $(KUBE_CONTEXT) +# ==================================== +# C L O U D +# ==================================== + +##@ Cloud + +.PHONY: cloud-gcp-credentials +cloud-gcp-credentials: guard-GCP_PROJECT_ID guard-GCP_SERVICE_ACCOUNT_NAME ## Generate credentials for GCP (GCP_PROJECT_ID=xxx GCP_SERVICE_ACCOUNT_NAME=xxx GCP_SERVICE_ACCOUNT_KEYFILE=xxx) + @./hack/scripts/gcp.sh $(GCP_PROJECT_ID) $(GCP_SERVICE_ACCOUNT_NAME) + +.PHONY: cloud-aws-credentials +cloud-aws-credentials: guard-AWS_ACCESS_KEY guard-AWS_SECRET_KEY ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_KEY=xxx) + @./hack/scripts/aws.sh $(AWS_ACCESS_KEY) $(AWS_SECRET_KEY) + +.PHONY: cloud-azure-credentials +cloud-azure-credentials: ## Generate credentials for Azure + @./hack/scripts/azure.sh + + # ==================================== # C R O S S P L A N E # ==================================== -##@ Helm +##@ Crossplane .PHONY: crossplane-controlplane crossplane-controlplane: ## Install Crossplane using Helm 
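Review bot: The `cloud-gcp-credentials` help text advertises `GCP_SERVICE_ACCOUNT_KEYFILE=xxx`, but the recipe has no `guard-GCP_SERVICE_ACCOUNT_KEYFILE` and never passes it, so the value is silently ignored and `hack/scripts/gcp.sh` (added in this diff) writes the new key to `./${GCP_PROJECT_ID}.json` in the checkout, where nothing visible here removes or git-ignores it. Either add the guard and forward it (`@./hack/scripts/gcp.sh $(GCP_PROJECT_ID) $(GCP_SERVICE_ACCOUNT_NAME) $(GCP_SERVICE_ACCOUNT_KEYFILE)`) or drop it from the help string, and add a `##` note that a long-lived service-account key is left in the working tree and must be deleted once the Kubernetes secret exists. Be aware that the same script grants that account `roles/resourcemanager.projectIamAdmin`, `roles/iam.serviceAccountKeyAdmin` and `roles/iam.serviceAccountUser` at project scope, which together let the key holder escalate to any role in the project, so this target effectively mints an owner-equivalent credential. `cloud-aws-credentials` passes `$(AWS_SECRET_KEY)` as a command-line argument, where it is visible to other local users via `ps` and shell history; handing it to the script through the environment avoids that. The README added in this diff still says `make crossplane-gcp-credentials`, which no longer exists after this rename, and its GCP "Deploy infrastructure" step uses `CLOUD=aws`.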
@@ -108,14 +122,6 @@ crossplane-controlplane: ## Install Crossplane using Helm @helm repo update @helm install crossplane --namespace crossplane-system crossplane-stable/crossplane --version $(HELM_CROSSPLANE_VERSION) -.PHONY: crossplane-aws-credentials -crossplane-aws-credentials: guard-AWS_ACCESS_KEY guard-AWS_SECRET_KEY ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_KEY=xxx) - @./hack/scripts/aws.sh $(AWS_ACCESS_KEY) $(AWS_SECRET_KEY) - -.PHONY: crossplane-azure-credentials -crossplane-azure-credentials: ## Generate credentials for Azure - @./hack/scripts/azure.sh - .PHONY: crossplane-provider crossplane-provider: guard-CLOUD guard-ACTION ## Setup the Crossplane provider (CLOUD=xxx ACTION=xxx) @kustomize build krm/$(CLOUD)/provider | kubectl $(ACTION) -f - diff --git a/README.md b/README.md index bf04b71..00f0f45 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,32 @@ Build cloud platform using [Kubernetes Resources Model](https://github.com/kuber ❯ make crossplane-infra CLOUD=aws ACTION=apply ``` +### GCP + +* Cloud provider configuration: + +```shell +> make crossplane-gcp-credentials GCP_PROJECT_ID=myproject-prod GCP_SERVICE_ACCOUNT_NAME=kubernetes-krm +``` + +* Install Crossplane provider: + +```shell +> make crossplane-provider CLOUD=gcp ACTION=apply +``` + +* Setup Crossplane configuration: + +```shell +❯ make crossplane-config CLOUD=gcp ACTION=apply +``` + +* Deploy infrastructure: + +```shell +❯ make crossplane-infra CLOUD=aws ACTION=apply +``` + ## Contributing See [CONTRIBUTING.md](./CONTRIBUTING.md) diff --git a/hack/scripts/gcp.sh b/hack/scripts/gcp.sh new file mode 100755 index 0000000..99d083e --- /dev/null +++ b/hack/scripts/gcp.sh 
@@ -0,0 +1,103 @@ +#! /usr/bin/env bash + +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +reset_color="\\e[0m" +color_red="\\e[31m" +color_green="\\e[32m" +color_blue="\\e[36m"; + +declare -r this_dir=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd) +declare -r root_dir=$(cd ${this_dir}/../.. && pwd) + +function echo_fail { echo -e "${color_red}✖ $*${reset_color}"; } +function echo_success { echo -e "${color_green}✔ $*${reset_color}"; } +function echo_info { echo -e "${color_blue}$*${reset_color}"; } + +echo_info "[GCP] Configure GCP provider" + +GCP_PROJECT_ID=$1 +[ -z "${GCP_PROJECT_ID}" ] && echo_fail "GCP project not satisfied" && exit 1 +GCP_SERVICE_ACCOUNT_NAME=$2 +[ -z "${GCP_SERVICE_ACCOUNT_NAME}" ] && echo_fail "GCP srvice account name not satisfied" && exit 1 + +echo_info "[GCP] Project: ${GCP_PROJECT_ID} Service Account name: ${GCP_SERVICE_ACCOUNT_NAME}" + +gcloud iam service-accounts create ${GCP_SERVICE_ACCOUNT_NAME} \ + --project ${GCP_PROJECT_ID} --display-name ${GCP_SERVICE_ACCOUNT_NAME} \ + --description "Created by GCloud" + +GCP_SERVICE_ACCOUNT_EMAIL="${GCP_SERVICE_ACCOUNT_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com" +GCP_SERVICE_ACCOUNT_KEYFILE=${GCP_PROJECT_ID}.json + +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.admin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member 
serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.objectAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.objectViewer" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.instanceAdmin.v1" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.securityAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.networkAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/resourcemanager.projectIamAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountUser" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.roleAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountKeyAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/container.clusterAdmin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/container.admin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/secretmanager.admin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member 
serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/cloudkms.admin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/dns.admin" +gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ + --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iap.admin" +gcloud iam service-accounts keys create ./${GCP_SERVICE_ACCOUNT_KEYFILE} \ + --project ${GCP_PROJECT_ID} \ + --iam-account ${GCP_SERVICE_ACCOUNT_EMAIL} + +# base64 encode the GCP credentials +GCP_CREDS_ENCODED=$(base64 ${GCP_SERVICE_ACCOUNT_KEYFILE} | tr -d "\n") + +if [[ -z "${GCP_CREDS_ENCODED}" ]]; then + echo_fail "error reading GCP credentials" + exit 1 +fi + +echo_info "[Kubernetes] Creates secret for Crossplane AWS provider" +cat < +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: gcp.crossplane.io/v1beta1 +kind: ProviderConfig +metadata: + name: crossplane-gcp +spec: + projectID: portefaix-prod + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: crossplane-gcp-credentials + key: credentials diff --git a/krm/gcp/kustomization.yaml b/krm/gcp/config/kustomization.yaml similarity index 82% rename from krm/gcp/kustomization.yaml rename to krm/gcp/config/kustomization.yaml index 1eca79c..93d5e98 100644 
--- a/krm/gcp/kustomization.yaml +++ b/krm/gcp/config/kustomization.yaml @@ -16,15 +16,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./network.yaml -- ./subnetwork.yaml -- ./firewall.yaml -- ./iam.yaml -- ./bucket.yaml -- ./memorystore.yaml -- ./cloudsql.yaml -- ./pubsub.yaml -- ./gke.yaml +- ./gcp-config.yaml + +namespace: crossplane-system transformers: - labels.yaml diff --git a/krm/gcp/config/labels.yaml b/krm/gcp/config/labels.yaml new file mode 100644 index 0000000..c1c1c27 --- /dev/null +++ b/krm/gcp/config/labels.yaml @@ -0,0 +1,32 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: builtin +kind: LabelTransformer +metadata: + name: labels +labels: + app.kubernetes.io/name: portefaix-krm + app.kubernetes.io/instance: portefaix-krm-app + app.kubernetes.io/component: krm-crossplane + app.kubernetes.io/version: v0.1.0 + app.kubernetes.io/part-of: portefaix-krm + app.kubernetes.io/managed-by: kustomize + portefaix.xyz/version: v0.19.0 + crossplane.io/version: v0.14.0 + crossplane.io/provider: gcp-v0.18.0 +fieldSpecs: +- path: metadata/labels + create: true \ No newline at end of file diff --git a/krm/gcp/bucket.yaml b/krm/gcp/infra/bucket.yaml similarity index 82% rename from krm/gcp/bucket.yaml rename to krm/gcp/infra/bucket.yaml index 145a927..990ce40 100644 --- a/krm/gcp/bucket.yaml +++ b/krm/gcp/infra/bucket.yaml 
@@ -16,14 +16,14 @@ apiVersion: storage.gcp.crossplane.io/v1alpha3 kind: Bucket metadata: - name: portefaix-krm-gcp + name: portefaix-krm annotations: - crossplane.io/external-name: portefaix-krm-gcp-bucket + crossplane.io/external-name: portefaix-krm-bucket spec: location: EU storageClass: MULTI_REGIONAL providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp labels: made-by: crossplane deletionPolicy: Delete @@ -31,11 +31,11 @@ spec: apiVersion: storage.gcp.crossplane.io/v1alpha1 kind: BucketPolicy metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: bucketRef: - name: portefaix-krm-gcp + name: portefaix-krm policy: bindings: # - role: roles/storage.legacyBucketOwner @@ -47,21 +47,21 @@ spec: # - "projectViewer:" - role: roles/storage.objectAdmin serviceAccountMemberRefs: - - name: portefaix-krm-gcp + - name: portefaix-krm providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp --- apiVersion: storage.gcp.crossplane.io/v1alpha1 kind: BucketPolicyMember metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: bucketRef: - name: portefaix-krm-gcp + name: portefaix-krm # member: serviceAccount: serviceAccountMemberRef: - name: portefaix-krm-gcp + name: portefaix-krm role: roles/storage.objectAdmin providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp diff --git a/krm/gcp/cloudsql.yaml b/krm/gcp/infra/cloudsql.yaml similarity index 91% rename from krm/gcp/cloudsql.yaml rename to krm/gcp/infra/cloudsql.yaml index 918e997..07f2f7d 100644 --- a/krm/gcp/cloudsql.yaml +++ b/krm/gcp/infra/cloudsql.yaml @@ -16,7 +16,7 @@ apiVersion: database.gcp.crossplane.io/v1beta1 kind: CloudSQLInstance metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: databaseVersion: POSTGRES_11 
@@ -25,8 +25,8 @@ spec: tier: db-custom-1-3840 dataDiskSizeGb: 20 providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp writeConnectionSecretToRef: - name: portefaix-krm-gcp-cloudsql + name: portefaix-krm-cloudsql namespace: crossplane-system deletionPolicy: Delete diff --git a/krm/gcp/firewall.yaml b/krm/gcp/infra/firewall.yaml similarity index 88% rename from krm/gcp/firewall.yaml rename to krm/gcp/infra/firewall.yaml index ed6039a..34298b7 100644 --- a/krm/gcp/firewall.yaml +++ b/krm/gcp/infra/firewall.yaml @@ -16,7 +16,7 @@ apiVersion: compute.gcp.crossplane.io/v1alpha1 kind: Firewall metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: description: "Portefaix KRM Crossplane" @@ -24,8 +24,8 @@ spec: - IPProtocol: tcp ports: ["80", "443"] - IPProtocol: icmp - sourceRanges: ["10.0.0.0/24"] + sourceRanges: ["10.11.0.0/20"] networkRef: - name: portefaix-krm-gcp + name: portefaix-krm providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp diff --git a/krm/gcp/gke.yaml b/krm/gcp/infra/gke.yaml similarity index 77% rename from krm/gcp/gke.yaml rename to krm/gcp/infra/gke.yaml index dc130d1..c92e84e 100644 --- a/krm/gcp/gke.yaml +++ b/krm/gcp/infra/gke.yaml @@ -16,13 +16,11 @@ apiVersion: container.gcp.crossplane.io/v1beta2 kind: Cluster metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: # initialClusterVersion: "1.21" - releaseChannel: - channel: REGULAR - location: eu-west1 + location: europe-west1-c masterAuth: # setting this master auth user name enables basic auth so that a client (e.g., # provider-helm), can connect with the generated kubeconfig from the connection secret @@ -34,6 +32,9 @@ spec: addonsConfig: cloudRunConfig: disabled: true + loadBalancerType: LOAD_BALANCER_TYPE_UNSPECIFIED + configConnectorConfig: + enabled: false dnsCacheConfig: enabled: true gcePersistentDiskCsiDriverConfig: 
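Review bot: The Firewall rule widens `sourceRanges` to `10.11.0.0/20` but still has no `targetTags` or `targetServiceAccounts`, so tcp/80, tcp/443 and ICMP from that range are opened to every instance in the `portefaix-krm` network, not just the cluster nodes. The NodePools in this diff tag their nodes with `kubernetes` and `nodes`, so scoping the rule with `targetTags: ["nodes"]` (provider-gcp's Firewall exposes that field, as far as I can tell) keeps it least-privilege without changing what GKE needs. Note also that `10.11.0.0/20` is the subnet's primary range only; traffic sourced from the `pods` secondary range in `subnetwork.yaml` is not matched by this rule, which is worth a one-line comment if intended.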
@@ -42,44 +43,57 @@ spec: disabled: true httpLoadBalancing: disabled: true - istioConfig: - disabled: true - auth: "AUTH_NONE" - kalmConfig: - enabled: false kubernetesDashboard: disabled: true networkPolicyConfig: disabled: false + autopilot: + enabled: false binaryAuthorization: enabled: false + confidentialNodes: + enabled: false + # defaultMaxPodsConstraint: + # maxPodsPerNode: 110 + maintenancePolicy: + window: + dailyMaintenanceWindow: legacyAbac: enabled: false - network: portefaix-krm-gcp + networkRef: + name: portefaix-krm + subnetworkRef: + name: portefaix-krm networkPolicy: enabled: true provider: CALICO - podSecurityPolicyConfig: - enabled: false + releaseChannel: + channel: REGULAR + # resourceLabels: + # service: kubernetes + # role: cluster + # made-by: crossplane + # workloadIdentityConfig: + # workloadPool: portefaix-krm #.svc.id.goog writeConnectionSecretToRef: - name: portefaix-krm-gcp-gke + name: portefaix-krm-gke namespace: crossplane-system providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp --- apiVersion: container.gcp.crossplane.io/v1beta1 kind: NodePool metadata: - name: portefaix-krm-gcp-core + name: portefaix-krm-core spec: forProvider: autoscaling: autoprovisioned: false enabled: true - maxNodeCount: 3 - minNodeCount: 0 + maxNodeCount: 4 + minNodeCount: 2 clusterRef: - name: portefaix-krm-gcp + name: portefaix-krm config: machineType: n1-standard-1 sandboxConfig: @@ -87,8 +101,10 @@ spec: diskSizeGb: 120 diskType: pd-ssd imageType: cos_containerd - labels: - made-by: crossplane + # labels: + # service: kubernetes + # role: node + # made-by: crossplane tags: - kubernetes - nodes 
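Review bot: `workloadIdentityConfig` is left commented out on the Cluster while `krm/gcp/infra/iam.yaml` in this diff binds `roles/iam.workloadIdentityUser` to a `…svc.id.goog[monitoring/prometheus]` member; without a workload pool on the cluster that binding has nothing to attach to and the prometheus pod will presumably run with the node service account and the `oauthScopes` listed on the NodePools. If Workload Identity is the intent, enable it here (`workloadIdentityConfig:` / `  workloadPool: <project-id>.svc.id.goog` — the pool is keyed on the project ID, not the cluster name). `maintenancePolicy.window.dailyMaintenanceWindow` is added as an empty mapping with no `startTime`, which is likely to be rejected or ignored; set a time or drop the stanza. The spec still has no `privateClusterConfig` or `masterAuthorizedNetworksConfig`, so the control-plane endpoint is public and reachable from any source address; if that is deliberate for this environment a comment saying so would save the next reader a question. The enclosing `spec.forProvider` block starts before this hunk.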
@@ -99,19 +115,19 @@ spec: - "https://www.googleapis.com/auth/servicecontrol" - "https://www.googleapis.com/auth/service.management.readonly" - "https://www.googleapis.com/auth/trace.append" - initialNodeCount: 1 + initialNodeCount: 2 locations: - - "eu-west1-b" + - europe-west1-c management: autoRepair: true autoUpgrade: true providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp --- apiVersion: container.gcp.crossplane.io/v1beta1 kind: NodePool metadata: - name: portefaix-krm-gcp-ops + name: portefaix-krm-ops spec: forProvider: autoscaling: @@ -120,7 +136,7 @@ spec: maxNodeCount: 3 minNodeCount: 0 clusterRef: - name: portefaix-krm-gcp + name: portefaix-krm config: machineType: n1-standard-1 sandboxConfig: @@ -128,8 +144,10 @@ spec: diskSizeGb: 120 diskType: pd-ssd imageType: cos_containerd - labels: - made-by: crossplane + # labels: + # service: kubernetes + # role: node + # made-by: crossplane tags: - kubernetes - nodes @@ -142,17 +160,17 @@ spec: - "https://www.googleapis.com/auth/trace.append" initialNodeCount: 0 locations: - - "eu-west1-b" + - europe-west1-c management: autoRepair: true autoUpgrade: true providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp --- apiVersion: container.gcp.crossplane.io/v1beta1 kind: NodePool metadata: - name: portefaix-krm-gcp-misc + name: portefaix-krm-misc spec: forProvider: autoscaling: @@ -161,7 +179,7 @@ spec: maxNodeCount: 3 minNodeCount: 0 clusterRef: - name: portefaix-krm-gcp + name: portefaix-krm config: machineType: n1-standard-1 sandboxConfig: @@ -169,8 +187,10 @@ spec: diskSizeGb: 120 diskType: pd-ssd imageType: cos_containerd - labels: - made-by: crossplane + # labels: + # service: kubernetes + # role: node + # made-by: crossplane tags: - kubernetes - nodes 
@@ -184,9 +204,9 @@ spec: - "https://www.googleapis.com/auth/trace.append" initialNodeCount: 0 locations: - - "eu-west1-b" + - europe-west1-c management: autoRepair: true autoUpgrade: true providerConfigRef: - name: portefaix-gcp \ No newline at end of file + name: crossplane-gcp \ No newline at end of file diff --git a/krm/gcp/iam.yaml b/krm/gcp/infra/iam.yaml similarity index 54% rename from krm/gcp/iam.yaml rename to krm/gcp/infra/iam.yaml index f0353e4..c35620e 100644 --- a/krm/gcp/iam.yaml +++ b/krm/gcp/infra/iam.yaml @@ -16,7 +16,7 @@ apiVersion: iam.gcp.crossplane.io/v1alpha1 kind: ServiceAccount metadata: - name: portefaix-krm-gcp + name: portefaix-krm-prometheus spec: properties: forProvider: 
@@ -24,41 +24,20 @@ spec: description: "Portefaix KRM Crossplane" deletionPolicy: Delete providerConfigRef: - name: portefaix-gcp ---- -apiVersion: iam.gcp.crossplane.io/v1alpha1 -kind: ServiceAccountKey -metadata: - name: portefaix-krm-gcp -spec: - properties: - forProvider: - # Google Cloud API RRN of a ServiceAccount is expected in "serviceAccount" field - # serviceAccount: projects/crossplane-playground/serviceAccounts/perfect-test-sa@crossplane-playground.iam.gserviceaccount.com - serviceAccountRef: - name: portefaix-krm-gcp - # keyAlgorithm: "KEY_ALG_RSA_2048" - # privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE" - # publicKeyType: TYPE_RAW_PUBLIC_KEY - deletionPolicy: Delete - providerConfigRef: - name: portefaix-gcp - writeConnectionSecretToRef: - name: portefaix-krm-gcp-sa-key - namespace: crossplane-system + name: crossplane-gcp --- apiVersion: iam.gcp.crossplane.io/v1alpha1 kind: ServiceAccountPolicy metadata: - name: portefaix-krm-gcp + name: portefaix-krm-prometheus spec: forProvider: serviceAccountRef: - name: portefaix-krm-gcp + name: portefaix-krm-prometheus policy: bindings: - role: roles/iam.workloadIdentityUser members: - - serviceAccount:portefaix-krm.svc.id.goog[vault-system/vault] + - serviceAccount:portefaix-krm.svc.id.goog[monitoring/prometheus] providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp diff --git a/krm/gcp/infra/kustomization.yaml b/krm/gcp/infra/kustomization.yaml new file mode 100644 index 0000000..9234433 --- /dev/null +++ b/krm/gcp/infra/kustomization.yaml 
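Review bot: The Workload Identity member `serviceAccount:portefaix-krm.svc.id.goog[monitoring/prometheus]` uses the cluster name as the pool, but GKE workload pools are named `<project-id>.svc.id.goog`; with `projectID: portefaix-prod` in `gcp-config.yaml` this should presumably read `serviceAccount:portefaix-prod.svc.id.goog[monitoring/prometheus]`, otherwise the binding grants impersonation to a principal that never exists. The cluster in `gke.yaml` currently has `workloadIdentityConfig` commented out, so the binding is inert until that is enabled; a comment such as `# requires workloadIdentityConfig on the Cluster; pool is <project-id>.svc.id.goog` would tie the two together. A `ServiceAccountPolicy` presumably sets the account's whole IAM policy, so any binding added out-of-band will be removed on reconcile — worth stating next to `policy:`.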
@@ -0,0 +1,32 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +# - ./network.yaml +# - ./subnetwork.yaml +# - ./firewall.yaml +# - ./iam.yaml +# - ./bucket.yaml +# - ./memorystore.yaml +# - ./cloudsql.yaml +# - ./pubsub.yaml +- ./gke.yaml + +namespace: crossplane-system + +transformers: +- labels.yaml diff --git a/krm/gcp/labels.yaml b/krm/gcp/infra/labels.yaml similarity index 65% rename from krm/gcp/labels.yaml rename to krm/gcp/infra/labels.yaml index 0f9c0a5..ba8ccce 100644 --- a/krm/gcp/labels.yaml +++ b/krm/gcp/infra/labels.yaml @@ -18,11 +18,11 @@ kind: LabelTransformer metadata: name: labels labels: - app.kubernetes.io/name: portefaix-krm-gcp - app.kubernetes.io/instance: portefaix-krm-gcp-app + app.kubernetes.io/name: portefaix-krm + app.kubernetes.io/instance: portefaix-krm-app app.kubernetes.io/component: krm-crossplane app.kubernetes.io/version: v0.1.0 - app.kubernetes.io/part-of: portefaix-krm-gcp + app.kubernetes.io/part-of: portefaix-krm app.kubernetes.io/managed-by: kustomize portefaix.xyz/version: v0.19.0 crossplane.io/version: v0.14.0 
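Review bot: Only `./gke.yaml` is enabled here while `network.yaml`, `subnetwork.yaml` and `firewall.yaml` are commented out, yet `gke.yaml` in this diff resolves `networkRef`/`subnetworkRef` to `portefaix-krm`; unless those objects already exist from an earlier apply, the Cluster will sit unresolved. Either enable the network resources alongside the cluster or add a comment saying they are expected to pre-exist, e.g. `# network/subnetwork must already be applied; gke.yaml references them by name`. With `./iam.yaml` disabled the Workload Identity binding it carries is also not applied, which is consistent with `workloadIdentityConfig` being commented out in `gke.yaml` but deserves a note so the two are re-enabled together.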
@@ -30,15 +30,15 @@ labels: fieldSpecs: - path: metadata/labels create: true -- kind: CloudMemorystoreInstance - apiVersion: cache.gcp.crossplane.io/v1beta1 - path: spec/forProvider/labels - create: true -- kind: NodePool - apiVersion: container.gcp.crossplane.io/v1beta1 - path: spec/forProvider/config/labels - create: true -- kind: Topic - apiVersion: pubsub.gcp.crossplane.io/v1alpha1 - path: spec/forProvider/labels - create: true +# - kind: CloudMemorystoreInstance +# apiVersion: cache.gcp.crossplane.io/v1beta1 +# path: spec/forProvider/labels +# create: true +# - kind: NodePool +# apiVersion: container.gcp.crossplane.io/v1beta1 +# path: spec/forProvider/config/labels +# create: true +# - kind: Topic +# apiVersion: pubsub.gcp.crossplane.io/v1alpha1 +# path: spec/forProvider/labels +# create: true diff --git a/krm/gcp/memorystore.yaml b/krm/gcp/infra/memorystore.yaml similarity index 91% rename from krm/gcp/memorystore.yaml rename to krm/gcp/infra/memorystore.yaml index 669dded..e86a81c 100644 --- a/krm/gcp/memorystore.yaml +++ b/krm/gcp/infra/memorystore.yaml @@ -16,7 +16,7 @@ apiVersion: cache.gcp.crossplane.io/v1beta1 kind: CloudMemorystoreInstance metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: displayName: portefaix-krm-crossplane @@ -26,8 +26,8 @@ spec: labels: made-by: crossplane providerRef: - name: portefaix-gcp + name: crossplane-gcp writeConnectionSecretToRef: - name: portefaix-krm-gcp-memorystore + name: portefaix-krm-memorystore namespace: crossplane-system deletionPolicy: Delete diff --git a/krm/gcp/network.yaml b/krm/gcp/infra/network.yaml similarity index 96% rename from krm/gcp/network.yaml rename to krm/gcp/infra/network.yaml index 2541e64..6de240b 100644 --- a/krm/gcp/network.yaml +++ b/krm/gcp/infra/network.yaml @@ -22,6 +22,6 @@ spec: description: "Portefaix KRM Crossplane" autoCreateSubnetworks: false routingConfig: - routingMode: REGIONAL + routingMode: GLOBAL providerConfigRef: name: crossplane-gcp 
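Review bot: `memorystore.yaml` still uses `providerRef:` while every other resource touched in this diff (bucket, cloudsql, firewall, gke, pubsub, subnetwork) uses `providerConfigRef:`; `providerRef` is the older field and it is not clear from this diff that provider-gcp v0.18.0 still honours it, so the instance would presumably fail to find `crossplane-gcp` when it is re-enabled in `infra/kustomization.yaml`. Change it to `providerConfigRef:` / `  name: crossplane-gcp`. Separately, `network.yaml` flips `routingMode` from `REGIONAL` to `GLOBAL`, which makes routes learned by Cloud Routers (VPN/Interconnect) apply to every region of the VPC; since that widens the reachability surface rather than being a rename, a one-line comment on why global routing is needed would help.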
diff --git a/krm/gcp/pubsub.yaml b/krm/gcp/infra/pubsub.yaml similarity index 87% rename from krm/gcp/pubsub.yaml rename to krm/gcp/infra/pubsub.yaml index 585c327..21ea72f 100644 --- a/krm/gcp/pubsub.yaml +++ b/krm/gcp/infra/pubsub.yaml @@ -16,14 +16,14 @@ apiVersion: pubsub.gcp.crossplane.io/v1alpha1 kind: Topic metadata: - name: portefaix-krm-gcp + name: portefaix-krm spec: forProvider: labels: - crossplane: provider-gcp + crossplane: provider writeConnectionSecretToRef: - name: portefaix-krm-gcp-pubsub + name: portefaix-krm-pubsub namespace: crossplane-system providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp deletionPolicy: Delete diff --git a/krm/gcp/subnetwork.yaml b/krm/gcp/infra/subnetwork.yaml similarity index 86% rename from krm/gcp/subnetwork.yaml rename to krm/gcp/infra/subnetwork.yaml index a709ab8..20e354f 100644 --- a/krm/gcp/subnetwork.yaml +++ b/krm/gcp/infra/subnetwork.yaml @@ -20,15 +20,15 @@ metadata: spec: forProvider: description: "Portefaix KRM Crossplane" - region: eu-west1 - ipCidrRange: "192.168.0.0/24" + region: europe-west1 + ipCidrRange: "10.11.0.0/20" privateIpGoogleAccess: true secondaryIpRanges: - rangeName: pods - ipCidrRange: 10.128.0.0/20 + ipCidrRange: 10.50.32.0/20 - rangeName: services - ipCidrRange: 172.16.0.0/16 + ipCidrRange: 10.50.16.0/20 networkRef: name: portefaix-krm-gcp providerConfigRef: - name: portefaix-gcp + name: crossplane-gcp diff --git a/krm/gcp/provider/gcp-controller-config.yaml b/krm/gcp/provider/gcp-controller-config.yaml new file mode 100644 index 0000000..84e4d61 --- /dev/null +++ b/krm/gcp/provider/gcp-controller-config.yaml 
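Review bot: `networkRef.name` is left as `portefaix-krm-gcp` (unchanged context) while the other Network consumers renamed in this diff, `firewall.yaml` and `gke.yaml`, now reference `portefaix-krm`; if the Network object was renamed the same way (its `metadata.name` is not in this diff), this Subnetwork will never resolve its network and the GKE cluster's `subnetworkRef` will block behind it. Change it to `name: portefaix-krm` to match. It is also worth a comment that `firewall.yaml` only allows 80/443 and ICMP from the primary range `10.11.0.0/20`, so traffic sourced from the `pods` secondary range `10.50.32.0/20` is not covered by that rule — fine if intended, but easy to miss when the CIDRs are defined here and consumed there.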
@@ -0,0 +1,29 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: pkg.crossplane.io/v1alpha1 +kind: ControllerConfig +metadata: + name: crossplane-gcp + # TODO: https://github.com/crossplane/provider-gcp/issues/173 + # annotations: + # iam.gke.io/gcp-service-account: portefaix-prod-crossplane@portefaix-prod.iam.gserviceaccount.com +spec: + podSecurityContext: + fsGroup: 2000 + # https://github.com/crossplane/crossplane/blob/master/docs/reference/troubleshoot.md + args: + - --debug + # replicas: 0 diff --git a/krm/gcp/provider/gcp-provider.yaml b/krm/gcp/provider/gcp-provider.yaml new file mode 100644 index 0000000..325fac7 --- /dev/null +++ b/krm/gcp/provider/gcp-provider.yaml 
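Review bot: The provider is deployed with `args: - --debug` permanently enabled and the pod security context sets only `fsGroup: 2000`. Debug logging on a controller that holds the project-wide credentials from `crossplane-gcp-credentials` is verbose and may write resource details into cluster logs; keep it out of the base and gate it behind an overlay, with a comment like `# --debug: enable only while troubleshooting, never in the base`. Adding `runAsNonRoot: true` under `podSecurityContext` (ControllerConfig exposes the pod security context, as far as I can tell) prevents the provider pod from running as root even if the image default changes. The commented `iam.gke.io/gcp-service-account` annotation is the path to replacing the long-lived key with Workload Identity; the TODO should name the provider version expected to fix the linked issue so it is revisited.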
@@ -0,0 +1,23 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: crossplane-gcp +spec: + package: crossplane/provider-gcp:v0.18.0 + controllerConfigRef: + name: crossplane-gcp diff --git a/krm/gcp/provider/kustomization.yaml b/krm/gcp/provider/kustomization.yaml new file mode 100644 index 0000000..35de49e --- /dev/null +++ b/krm/gcp/provider/kustomization.yaml @@ -0,0 +1,25 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./gcp-controller-config.yaml +- ./gcp-provider.yaml + +namespace: crossplane-system + +transformers: +- labels.yaml diff --git a/krm/gcp/provider/labels.yaml b/krm/gcp/provider/labels.yaml new file mode 100644 index 0000000..6508f07 --- /dev/null +++ b/krm/gcp/provider/labels.yaml 
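Review bot: `package: crossplane/provider-gcp:v0.18.0` pins the provider by mutable tag only; since this package runs with the project-wide credentials, pin it by digest as well (`package: crossplane/provider-gcp:v0.18.0@sha256:<digest>`) so a re-pushed tag cannot swap the code that handles those secrets. Setting `packagePullPolicy: IfNotPresent` on the Provider spec (supported in `pkg.crossplane.io/v1`, as far as I can tell) also avoids re-resolving the tag on every restart. The `controllerConfigRef` name matches the ControllerConfig in this diff, but a comment noting that the config enables `--debug` would stop someone applying this base as-is in production.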
@@ -0,0 +1,32 @@ +# Copyright (C) 2021 Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: builtin +kind: LabelTransformer +metadata: + name: labels +labels: + app.kubernetes.io/name: portefaix-krm-aws + app.kubernetes.io/instance: portefaix-krm-aws-app + app.kubernetes.io/component: krm-crossplane + app.kubernetes.io/version: v0.1.0 + app.kubernetes.io/part-of: portefaix-krm-aws + app.kubernetes.io/managed-by: kustomize + portefaix.xyz/version: v0.19.0 + crossplane.io/version: v0.14.0 + crossplane.io/provider: aws-v0.19.0 +fieldSpecs: +- path: metadata/labels + create: true \ No newline at end of file
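Review bot: This LabelTransformer lives under `krm/gcp/provider/` but every label value is copied from the AWS overlay — `portefaix-krm-aws`, `portefaix-krm-aws-app` and `crossplane.io/provider: aws-v0.19.0` — so the GCP Provider and ControllerConfig will be labelled as AWS, and any selector or inventory query keyed on `crossplane.io/provider` (e.g. during incident triage) will misattribute them. Change them to `app.kubernetes.io/name: portefaix-krm`, `app.kubernetes.io/instance: portefaix-krm-app`, `app.kubernetes.io/part-of: portefaix-krm` and `crossplane.io/provider: gcp-v0.18.0`, matching `krm/gcp/config/labels.yaml` and the `package:` version in `gcp-provider.yaml`. The file also lacks a trailing newline.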