Refactoring GCP manifests

Makefile

@@ -66,11 +66,6 @@ kind-delete: guard-ENV ## Delete a local Kubernetes cluster (ENV=xxx)
 	@echo -e "$(OK_COLOR)[$(APP)] Create Kubernetes cluster ${SERVICE}$(NO_COLOR)"
 	@kind delete cluster --name=$(CLUSTER)
 
-.PHONY: kind-kube-credentials
-kind-kube-credentials: guard-ENV ## Credentials for Kind (ENV=xxx)
-	@kubectl config use-context $(KUBE_CONTEXT)
-
-
 # ====================================
 # K U B E R N E T E S
 # ====================================
@@ -95,11 +90,30 @@ kubernetes-secret: guard-NAMESPACE guard-NAME guard-FILE ## Generate a Kubernete
 kubernetes-credentials: guard-ENV guard-CLOUD ## Generate credentials (CLOUD=xxxx ENV=xxx)
 	@kubectl config use-context $(KUBE_CONTEXT)
 
+# ====================================
+# C L O U D
+# ====================================
+
+##@ Cloud
+
+.PHONY: cloud-gcp-credentials
+cloud-gcp-credentials: guard-GCP_PROJECT_ID guard-GCP_SERVICE_ACCOUNT_NAME ## Generate credentials for GCP (GCP_PROJECT_ID=xxx GCP_SERVICE_ACCOUNT_NAME=xxx GCP_SERVICE_ACCOUNT_KEYFILE=xxx)
+	@./hack/scripts/gcp.sh $(GCP_PROJECT_ID) $(GCP_SERVICE_ACCOUNT_NAME)
+
+.PHONY: cloud-aws-credentials
+cloud-aws-credentials: guard-AWS_ACCESS_KEY guard-AWS_SECRET_KEY ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_KEY=xxx)
+	@./hack/scripts/aws.sh $(AWS_ACCESS_KEY) $(AWS_SECRET_KEY)
+
+.PHONY: cloud-azure-credentials
+cloud-azure-credentials: ## Generate credentials for Azure
+	@./hack/scripts/azure.sh
+
+
 # ====================================
 # C R O S S P L A N E
 # ====================================
 
-##@ Helm
+##@ Crossplane
 
 .PHONY: crossplane-controlplane
 crossplane-controlplane: ## Install Crossplane using Helm
@@ -108,14 +122,6 @@ crossplane-controlplane: ## Install Crossplane using Helm
 	@helm repo update
 	@helm install crossplane --namespace crossplane-system crossplane-stable/crossplane --version $(HELM_CROSSPLANE_VERSION)
 
-.PHONY: crossplane-aws-credentials
-crossplane-aws-credentials: guard-AWS_ACCESS_KEY guard-AWS_SECRET_KEY ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_KEY=xxx)
-	@./hack/scripts/aws.sh $(AWS_ACCESS_KEY) $(AWS_SECRET_KEY)
-
-.PHONY: crossplane-azure-credentials
-crossplane-azure-credentials: ## Generate credentials for Azure
-	@./hack/scripts/azure.sh
-
 .PHONY: crossplane-provider
 crossplane-provider: guard-CLOUD guard-ACTION ## Setup the Crossplane provider (CLOUD=xxx ACTION=xxx)
 	@kustomize build krm/$(CLOUD)/provider | kubectl $(ACTION) -f -

README.md

@@ -46,6 +46,32 @@ Build cloud platform using [Kubernetes Resources Model](https://github.com/kuber
 ❯ make crossplane-infra CLOUD=aws ACTION=apply
 ```
 
+### GCP
+
+* Cloud provider configuration:
+
+```shell
+> make crossplane-gcp-credentials GCP_PROJECT_ID=myproject-prod GCP_SERVICE_ACCOUNT_NAME=kubernetes-krm
+```
+
+* Install Crossplane provider:
+
+```shell
+> make crossplane-provider CLOUD=gcp ACTION=apply
+```
+
+* Setup Crossplane configuration:
+
+```shell
+❯ make crossplane-config CLOUD=gcp ACTION=apply
+```
+
+* Deploy infrastructure:
+
+```shell
+❯ make crossplane-infra CLOUD=aws ACTION=apply
+```
+
 ## Contributing
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md)

hack/scripts/gcp.sh

@@ -0,0 +1,103 @@
+#! /usr/bin/env bash
+
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+reset_color="\\e[0m"
+color_red="\\e[31m"
+color_green="\\e[32m"
+color_blue="\\e[36m";
+
+declare -r this_dir=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd)
+declare -r root_dir=$(cd ${this_dir}/../.. && pwd)
+
+function echo_fail { echo -e "${color_red}✖ $*${reset_color}"; }
+function echo_success { echo -e "${color_green}✔ $*${reset_color}"; }
+function echo_info { echo -e "${color_blue}$*${reset_color}"; }
+
+echo_info "[GCP] Configure GCP provider"
+
+GCP_PROJECT_ID=$1
+[ -z "${GCP_PROJECT_ID}" ] && echo_fail "GCP project not satisfied" && exit 1
+GCP_SERVICE_ACCOUNT_NAME=$2
+[ -z "${GCP_SERVICE_ACCOUNT_NAME}" ] && echo_fail "GCP srvice account name not satisfied" && exit 1
+
+echo_info "[GCP] Project: ${GCP_PROJECT_ID} Service Account name: ${GCP_SERVICE_ACCOUNT_NAME}"
+
+gcloud iam service-accounts create ${GCP_SERVICE_ACCOUNT_NAME} \
+		--project ${GCP_PROJECT_ID} --display-name ${GCP_SERVICE_ACCOUNT_NAME} \
+		--description "Created by GCloud"
+
+GCP_SERVICE_ACCOUNT_EMAIL="${GCP_SERVICE_ACCOUNT_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com"
+GCP_SERVICE_ACCOUNT_KEYFILE=${GCP_PROJECT_ID}.json
+
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.admin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.objectAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/storage.objectViewer"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.instanceAdmin.v1"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.securityAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/compute.networkAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+    --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/resourcemanager.projectIamAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountUser"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.roleAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iam.serviceAccountKeyAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/container.clusterAdmin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/container.admin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/secretmanager.admin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/cloudkms.admin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/dns.admin"
+gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
+  --member serviceAccount:${GCP_SERVICE_ACCOUNT_EMAIL} --role="roles/iap.admin"
+gcloud iam service-accounts keys create ./${GCP_SERVICE_ACCOUNT_KEYFILE} \
+		--project ${GCP_PROJECT_ID} \
+		--iam-account ${GCP_SERVICE_ACCOUNT_EMAIL}
+
+# base64 encode the GCP credentials
+GCP_CREDS_ENCODED=$(base64 ${GCP_SERVICE_ACCOUNT_KEYFILE} | tr -d "\n")
+
+if [[ -z "${GCP_CREDS_ENCODED}" ]]; then
+  echo_fail "error reading GCP credentials"
+  exit 1
+fi
+
+echo_info "[Kubernetes] Creates secret for Crossplane AWS provider"
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crossplane-gcp-credentials
+  namespace: crossplane-system
+type: Opaque
+data:
+  credentials: ${GCP_CREDS_ENCODED}
+EOF

krm/gcp/config/gcp-config.yaml

@@ -0,0 +1,27 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: gcp.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: crossplane-gcp
+spec:
+  projectID: portefaix-prod
+  credentials:
+    source: Secret
+    secretRef:
+      namespace: crossplane-system
+      name: crossplane-gcp-credentials
+      key: credentials

krm/gcp/kustomization.yaml → krm/gcp/config/kustomization.yaml

@@ -16,15 +16,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./network.yaml
-- ./subnetwork.yaml
-- ./firewall.yaml
-- ./iam.yaml
-- ./bucket.yaml
-- ./memorystore.yaml
-- ./cloudsql.yaml
-- ./pubsub.yaml
-- ./gke.yaml
+- ./gcp-config.yaml
+
+namespace: crossplane-system
 
 transformers:
 - labels.yaml

krm/gcp/config/labels.yaml

@@ -0,0 +1,32 @@
+# Copyright (C) 2021 Nicolas Lamirault <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+  name: labels
+labels:
+  app.kubernetes.io/name: portefaix-krm
+  app.kubernetes.io/instance: portefaix-krm-app
+  app.kubernetes.io/component: krm-crossplane
+  app.kubernetes.io/version: v0.1.0
+  app.kubernetes.io/part-of: portefaix-krm
+  app.kubernetes.io/managed-by: kustomize
+  portefaix.xyz/version: v0.19.0
+  crossplane.io/version: v0.14.0
+  crossplane.io/provider: gcp-v0.18.0
+fieldSpecs:
+- path: metadata/labels
+  create: true

krm/gcp/bucket.yaml → krm/gcp/infra/bucket.yaml

@@ -16,26 +16,26 @@
 apiVersion: storage.gcp.crossplane.io/v1alpha3
 kind: Bucket
 metadata:
-  name: portefaix-krm-gcp
+  name: portefaix-krm
   annotations:
-    crossplane.io/external-name: portefaix-krm-gcp-bucket
+    crossplane.io/external-name: portefaix-krm-bucket
 spec:
   location: EU
   storageClass: MULTI_REGIONAL
   providerConfigRef:
-    name: portefaix-gcp
+    name: crossplane-gcp
   labels:
     made-by: crossplane
   deletionPolicy: Delete
 ---
 apiVersion: storage.gcp.crossplane.io/v1alpha1
 kind: BucketPolicy
 metadata:
-  name: portefaix-krm-gcp
+  name: portefaix-krm
 spec:
   forProvider:
     bucketRef:
-      name: portefaix-krm-gcp
+      name: portefaix-krm
     policy:
       bindings:
         # - role: roles/storage.legacyBucketOwner
@@ -47,21 +47,21 @@ spec:
         #     - "projectViewer:<gcp-project>"
         - role: roles/storage.objectAdmin
           serviceAccountMemberRefs:
-            - name: portefaix-krm-gcp
+            - name: portefaix-krm
   providerConfigRef:
-    name: portefaix-gcp
+    name: crossplane-gcp
 ---
 apiVersion: storage.gcp.crossplane.io/v1alpha1
 kind: BucketPolicyMember
 metadata:
-  name: portefaix-krm-gcp
+  name: portefaix-krm
 spec:
   forProvider:
     bucketRef:
-      name: portefaix-krm-gcp
+      name: portefaix-krm
     # member: serviceAccount:<my-sa-email>
     serviceAccountMemberRef:
-      name: portefaix-krm-gcp
+      name: portefaix-krm
     role: roles/storage.objectAdmin
   providerConfigRef:
-    name: portefaix-gcp
+    name: crossplane-gcp

krm/gcp/cloudsql.yaml → krm/gcp/infra/cloudsql.yaml

@@ -16,7 +16,7 @@
 apiVersion: database.gcp.crossplane.io/v1beta1
 kind: CloudSQLInstance
 metadata:
-  name: portefaix-krm-gcp
+  name: portefaix-krm
 spec:
   forProvider:
     databaseVersion: POSTGRES_11
@@ -25,8 +25,8 @@ spec:
       tier: db-custom-1-3840
       dataDiskSizeGb: 20
   providerConfigRef:
-    name: portefaix-gcp
+    name: crossplane-gcp
   writeConnectionSecretToRef:
-    name: portefaix-krm-gcp-cloudsql
+    name: portefaix-krm-cloudsql
     namespace: crossplane-system
   deletionPolicy: Delete

krm/gcp/firewall.yaml → krm/gcp/infra/firewall.yaml

@@ -16,16 +16,16 @@
 apiVersion: compute.gcp.crossplane.io/v1alpha1
 kind: Firewall
 metadata:
-  name: portefaix-krm-gcp
+  name: portefaix-krm
 spec:
   forProvider:
     description: "Portefaix KRM Crossplane"
     allowed:
       - IPProtocol: tcp
         ports: ["80", "443"]
       - IPProtocol: icmp
-    sourceRanges: ["10.0.0.0/24"]
+    sourceRanges: ["10.11.0.0/20"]
     networkRef:
-      name: portefaix-krm-gcp
+      name: portefaix-krm
   providerConfigRef:
-    name: portefaix-gcp
+    name: crossplane-gcp