Test oras with GAR (Google Artifact Registry)
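# Install a pinned ORAS CLI release (linux/amd64) into /usr/local/bin.
# The version MUST be expanded as ${ORAS_VERSION}: a bare $ORAS_VERSION_linux_amd64
# is parsed by the shell as one (unset) variable named ORAS_VERSION_linux_amd64,
# which turned the download URL into .../oras_.tar.gz.
ORAS_VERSION=0.15.0
ORAS_ARCHIVE="oras_${ORAS_VERSION}_linux_amd64.tar.gz"
# -f: fail on an HTTP error instead of saving an error page under the archive name.
curl -fLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/${ORAS_ARCHIVE}"
# Supply-chain caveat: the binary goes onto PATH with sudo straight from the
# download. Before doing this outside a throwaway test, check the archive's
# SHA-256 against a value obtained out of band (the release's published
# checksums, if present) with `sha256sum -c` — that verification is not done here.
mkdir -p oras-install/
tar -zxf "${ORAS_ARCHIVE}" -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf "${ORAS_ARCHIVE}" oras-install/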
# Target project and location for the test registry. Replace FIXME before running.
PROJECT=FIXME
REGION=us-east4
ZONE=us-east4-a
REPO=artifacts
# A Docker-format repository is what ORAS pushes generic OCI artifacts into.
# This walkthrough re-points tags later with `oras tag`; for anything beyond a
# throwaway repository consider Artifact Registry's immutable-tags setting, if
# available to you, so a tag cannot be silently moved to other content.
gcloud artifacts repositories create "${REPO}" --project "${PROJECT}" --location "${REGION}" --repository-format docker
# Register the gcloud credential helper for this registry host in
# ~/.docker/config.json; oras uses the same Docker credential configuration.
gcloud auth configure-docker "${REGION}-docker.pkg.dev"
# Commands exercised below:
#   oras push / oras repository show-tags / oras pull / oras copy / oras tag
# A single text file to publish as an OCI artifact.
printf '%s\n' "Here is a file!" > first-file.txt
# Push it to Artifact Registry under tag v1.
oras push "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v1" first-file.txt
# Confirm it landed, through both gcloud and oras.
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact"
# Known to fail with "invalid reference: invalid registry" — presumably because
# `oras repository list` takes a bare registry host and a project path is
# appended here.
oras repository list "${REGION}-docker.pkg.dev/${PROJECT}"
# Round-trip: drop the local copy and pull it back from the registry.
rm first-file.txt
oras pull "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v1"
cat first-file.txt
# Second revision of the artifact: several files plus a directory.
printf '%s\n' "Here is a second file!" > second-file.txt
mkdir subfolder
printf '%s\n' "Here is a third file!" > subfolder/third-file.txt
oras push "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v2" first-file.txt second-file.txt subfolder/
# Confirm tag v2 is now listed.
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact"
# Copy v2 to a new tag, v2-copied.
oras copy "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v2" "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v2-copied"
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact"
# Attach a second tag, v2-tagged, to the manifest v2 points at.
# NOTE: tags are mutable pointers (this very command shows how cheaply they move);
# anything that consumes these artifacts should pin a manifest digest, not a tag.
oras tag "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact:v2" v2-tagged
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/my-artifact"
# Commands exercised below:
#   oras push / oras repository show-tags / oras pull / oras copy / oras tag
# Minimal Kubernetes Namespace manifest to package as an artifact.
# (Quoted delimiter: nothing in the manifest is meant to be expanded.)
cat > test-namespace.yaml <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: test
EOF
# Bundle the manifest into a tar before pushing — presumably the layout the
# Config Sync OCI source further down expects; confirm against its docs.
tar -cf test-namespace.tar test-namespace.yaml
# Push the archive to Artifact Registry under tag 1.0.0.
oras push "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0" test-namespace.tar
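# Confirm tag 1.0.0 is visible through both gcloud and oras.
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace"
# Known to fail with "invalid reference: invalid registry" — presumably because
# `oras repository list` takes a bare registry host and a project path is
# appended here.
oras repository list "${REGION}-docker.pkg.dev/${PROJECT}"
# Round-trip: delete the local files, pull the archive back and unpack it.
rm test-namespace.yaml
rm test-namespace.tar
oras pull "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0"
# Security note: this extracts whatever the registry currently serves for a
# mutable tag. Outside a throwaway test, pull by manifest digest
# (.../test-namespace@sha256:<digest>) and list the archive (`tar -tf`) before
# extracting it.
tar -xvf test-namespace.tar
cat test-namespace.yaml
# Copy 1.0.0 to a new tag, 1.0.0-copied (the comment here used to say "v2").
oras copy "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0" "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0-copied"
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace"
# Attach a second tag, 1.0.0-tagged, to the manifest 1.0.0 points at.
oras tag "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0" 1.0.0-tagged
gcloud artifacts docker images list "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace" --include-tags
oras repository show-tags "${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace"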
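# Create a GKE cluster, register it in the Fleet and enable Config Management so
# Config Sync can run in it.
# --project is passed explicitly on every call: the workload pool below is built
# from ${PROJECT}, so relying on gcloud's default project could silently create
# the cluster (and the Fleet membership) in a different project than the one the
# identity bindings later refer to.
gcloud services enable container.googleapis.com --project "${PROJECT}"
CLUSTER_NAME=FIXME
# The workload pool is required because the RootSync further down authenticates
# as a Google service account through Workload Identity (no key file on the cluster).
gcloud container clusters create "${CLUSTER_NAME}" \
  --project "${PROJECT}" \
  --workload-pool="${PROJECT}.svc.id.goog" \
  --zone "${ZONE}"
gcloud services enable gkehub.googleapis.com --project "${PROJECT}"
gcloud container fleet memberships register "${CLUSTER_NAME}" \
  --project "${PROJECT}" \
  --gke-cluster "${ZONE}/${CLUSTER_NAME}" \
  --enable-workload-identity
gcloud beta container fleet config-management enable --project "${PROJECT}"
# Install Config Sync on this membership with a minimal apply spec.
cat > acm-config.yaml <<'EOF'
applySpecVersion: 1
spec:
  configSync:
    enabled: true
EOF
gcloud beta container fleet config-management apply \
  --project "${PROJECT}" \
  --membership "${CLUSTER_NAME}" \
  --config acm-config.yaml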
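# Dedicated Google service account that can only READ the one Artifact Registry
# repository: roles/artifactregistry.reader bound on the repository, not on the
# project (least privilege for the Config Sync puller).
PULLER_GSA_NAME=configsync-oci-sa
PULLER_GSA_ID="${PULLER_GSA_NAME}@${PROJECT}.iam.gserviceaccount.com"
# --project on every call: PULLER_GSA_ID embeds ${PROJECT}, so the account has to
# be created there — with gcloud's default project the IAM binding below would
# refer to an account that does not exist.
gcloud iam service-accounts create "${PULLER_GSA_NAME}" \
  --project "${PROJECT}" \
  --display-name="${PULLER_GSA_NAME}"
gcloud artifacts repositories add-iam-policy-binding "${REPO}" \
  --project "${PROJECT}" \
  --location "${REGION}" \
  --member "serviceAccount:${PULLER_GSA_ID}" \
  --role roles/artifactregistry.reader
# Allow exactly one Kubernetes service account to impersonate the GSA through
# Workload Identity: the reconciler Config Sync runs for this RootSync, named
# root-reconciler-<RootSync name> in config-management-system (confirm against
# the Config Sync docs for your version). Scoping the workloadIdentityUser
# member to that KSA keeps other workloads in the cluster from assuming it.
ROOT_SYNC_NAME=root-sync-artifact
gcloud iam service-accounts add-iam-policy-binding "${PULLER_GSA_ID}" \
  --project "${PROJECT}" \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${PROJECT}.svc.id.goog[config-management-system/root-reconciler-${ROOT_SYNC_NAME}]"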
# Point Config Sync at the artifact: a RootSync whose source is the OCI image
# pushed above, authenticating as the puller GSA via Workload Identity (no key
# file stored on the cluster).
# NOTE: the image is referenced by a mutable tag; for real use pin a manifest
# digest instead, if your Config Sync version supports digest references.
kubectl apply -f - <<EOF
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: ${ROOT_SYNC_NAME}
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  sourceType: oci
  oci:
    image: ${REGION}-docker.pkg.dev/${PROJECT}/${REPO}/test-namespace:1.0.0
    dir: .
    auth: gcpserviceaccount
    gcpServiceAccountEmail: ${PULLER_GSA_ID}
EOF
# Report sync status for the current kubeconfig context, then check that the
# Namespace carried in the artifact was created.
nomos status --contexts="$(kubectl config current-context)"
kubectl describe ns test