Add a new `RepoSync`
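# Step 1 (tenant project repo): allow the Config Sync namespace reconciler for
# $NAMESPACE to impersonate the Helm-charts-reader GSA through Workload Identity.
# Requires: WORK_DIR (with trailing slash), TENANT_PROJECT_DIR_NAME,
#           TENANT_PROJECT_ID, HELM_CHARTS_READER_GSA.
NAMESPACE=acm-workshop
: "${WORK_DIR:?}" "${TENANT_PROJECT_DIR_NAME:?}" "${TENANT_PROJECT_ID:?}" "${HELM_CHARTS_READER_GSA:?}"
tenant_ns_dir="${WORK_DIR}${TENANT_PROJECT_DIR_NAME}/${NAMESPACE}"
mkdir -p "${tenant_ns_dir}"
# IAMPartialPolicy (Config Connector) adds a roles/iam.workloadIdentityUser
# binding on the GSA without replacing bindings managed elsewhere. The single
# member is the namespace reconciler KSA
# (config-management-system/ns-reconciler-<ns>), so only that reconciler — not
# other workloads in the cluster — can act as the GSA via this binding.
# The depends-on annotation orders this after the IAMServiceAccount itself.
cat <<EOF > "${tenant_ns_dir}/artifactregistry-charts-reader-workload-identity-user.yaml"
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: ${HELM_CHARTS_READER_GSA}-${NAMESPACE}
  namespace: ${TENANT_PROJECT_ID}
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${HELM_CHARTS_READER_GSA}
spec:
  resourceRef:
    name: ${HELM_CHARTS_READER_GSA}
    kind: IAMServiceAccount
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - member: serviceAccount:${TENANT_PROJECT_ID}.svc.id.goog[config-management-system/ns-reconciler-${NAMESPACE}]
EOF
# Abort if the cd fails; otherwise the git commands would run against whatever
# repository the current working directory happens to be in.
cd "${WORK_DIR}${TENANT_PROJECT_DIR_NAME}/" || exit 1
git add . && git commit -m "Add WorkloadIdentitUser for RepoSync's GSA in ${NAMESPACE}" && git push origin main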
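# Step 2 (GKE configs repo): create the namespace, its RepoSync (Helm chart from
# Artifact Registry, authenticated with the GSA bound in step 1), the RBAC the
# reconciler needs, and a ManagedCertificate on the shared ingress.
# Requires: WORK_DIR (with trailing slash), GKE_CONFIGS_DIR_NAME,
#           INGRESS_GATEWAY_NAMESPACE, CHART_REGISTRY_REPOSITORY,
#           CONTAINER_REGISTRY_REPOSITORY, HELM_CHARTS_READER_GSA, TENANT_PROJECT_ID.
NAMESPACE=acm-workshop
# FIXME: pin to the real chart version before running (an exact version, not a
# range, keeps the deployment reproducible).
CHART_VERSION=1.0.0-FIXME
DOMAIN=acm-workshop.alwaysupalwayson.com
MANAGED_CERTIFICATES=whereami,acm-workshop #,onlineboutique,myblog,acm-workshop
: "${WORK_DIR:?}" "${GKE_CONFIGS_DIR_NAME:?}" "${INGRESS_GATEWAY_NAMESPACE:?}"
: "${CHART_REGISTRY_REPOSITORY:?}" "${CONTAINER_REGISTRY_REPOSITORY:?}"
: "${HELM_CHARTS_READER_GSA:?}" "${TENANT_PROJECT_ID:?}"
gke_configs_dir="${WORK_DIR}${GKE_CONFIGS_DIR_NAME}"
repo_sync_dir="${gke_configs_dir}/repo-syncs/${NAMESPACE}"
# -p on both levels so the step is safe to re-run.
mkdir -p "${repo_sync_dir}"
# Namespace: Istio sidecar injection on, and Pod Security Admission enforcing
# the "restricted" profile for every pod the chart deploys here.
cat <<EOF > "${repo_sync_dir}/namespace.yaml"
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
    pod-security.kubernetes.io/enforce: restricted
  name: ${NAMESPACE}
EOF
# RepoSync pulls the chart as an OCI artifact; auth is the GSA (no static
# credentials in the cluster), which is why step 1 must already be applied.
cat <<EOF > "${repo_sync_dir}/repo-sync.yaml"
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
  name: repo-sync
  namespace: ${NAMESPACE}
spec:
  sourceFormat: unstructured
  sourceType: helm
  helm:
    repo: oci://${CHART_REGISTRY_REPOSITORY}
    chart: ${NAMESPACE}
    version: ${CHART_VERSION}
    releaseName: ${NAMESPACE}
    auth: gcpserviceaccount
    gcpServiceAccountEmail: ${HELM_CHARTS_READER_GSA}@${TENANT_PROJECT_ID}.iam.gserviceaccount.com
    values:
      container:
        image:
          repository: ${CONTAINER_REGISTRY_REPOSITORY}
EOF
# RoleBinding (namespace-scoped) gives the reconciler the built-in "edit"
# ClusterRole inside $NAMESPACE only; it cannot create cluster-scoped objects or
# change RBAC. If the chart needs fewer verbs, a narrower Role is preferable.
cat <<EOF > "${repo_sync_dir}/repo-sync-role-binding.yaml"
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: repo-sync
  namespace: ${NAMESPACE}
subjects:
  - kind: ServiceAccount
    name: ns-reconciler-${NAMESPACE}
    namespace: config-management-system
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
# The ManagedCertificate is written under ${WORK_DIR} (not ~/) so it lives in
# the same checkout that is committed below.
# NOTE(review): the certificate's namespace is hard-coded to asm-ingress while the
# directory comes from INGRESS_GATEWAY_NAMESPACE — confirm the two agree.
ingress_dir="${gke_configs_dir}/${INGRESS_GATEWAY_NAMESPACE}"
cat <<EOF > "${ingress_dir}/managedcertificate-${NAMESPACE}.yaml"
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: ${NAMESPACE}
  namespace: asm-ingress
spec:
  domains:
    - "${DOMAIN}"
EOF
# Attach the full certificate list to the Ingress via annotation.
cd "${ingress_dir}" || exit 1
kpt fn eval . \
  -i set-annotations:v0.1 \
  --match-kind Ingress \
  -- "networking.gke.io/managed-certificates=${MANAGED_CERTIFICATES}"
# Abort if the cd fails so the git commands never run in the wrong repository.
cd "${gke_configs_dir}/" || exit 1
git add . && git commit -m "Add new ${NAMESPACE} RepoSync and ManagedCertificates on Ingress" && git push origin main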
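# Checks — read-only: verify the root and namespace syncs converged and that the
# Google-managed certificate was provisioned.
# Requires: TENANT_PROJECT_ID, NAMESPACE (set in the step above).
: "${TENANT_PROJECT_ID:?}" "${NAMESPACE:?}"
gcloud alpha anthos config sync repo describe \
  --project "${TENANT_PROJECT_ID}" \
  --managed-resources all \
  --sync-name root-sync \
  --sync-namespace config-management-system
gcloud alpha anthos config sync repo describe \
  --project "${TENANT_PROJECT_ID}" \
  --managed-resources all \
  --sync-name repo-sync \
  --sync-namespace "${NAMESPACE}"
# Quoted so a context name containing spaces is passed as one argument.
nomos status --contexts "$(kubectl config current-context)"
gcloud compute ssl-certificates list \
  --project "${TENANT_PROJECT_ID}"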
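# Step 3 (tenant project repo): Cloud Monitoring uptime check against the
# published domain over HTTPS.
# Requires: WORK_DIR (with trailing slash), TENANT_PROJECT_DIR_NAME, TENANT_PROJECT_ID.
NAMESPACE=acm-workshop
DOMAIN=acm-workshop.alwaysupalwayson.com
: "${WORK_DIR:?}" "${TENANT_PROJECT_DIR_NAME:?}" "${TENANT_PROJECT_ID:?}"
tenant_ns_dir="${WORK_DIR}${TENANT_PROJECT_DIR_NAME}/${NAMESPACE}"
mkdir -p "${tenant_ns_dir}"
# useSsl + validateSsl: the probe goes over TLS and also fails the check when the
# certificate is invalid, so certificate problems surface as downtime.
cat <<EOF > "${tenant_ns_dir}/uptime-check-config.yaml"
apiVersion: monitoring.cnrm.cloud.google.com/v1beta1
kind: MonitoringUptimeCheckConfig
metadata:
  name: uptimecheckconfig-${NAMESPACE}
spec:
  projectRef:
    external: projects/${TENANT_PROJECT_ID}
  displayName: ${NAMESPACE}
  period: 900s
  timeout: 5s
  monitoredResource:
    type: "uptime_url"
    filterLabels:
      host: ${DOMAIN}
      project_id: ${TENANT_PROJECT_ID}
  httpCheck:
    port: 443
    requestMethod: GET
    useSsl: true
    validateSsl: true
EOF
# Abort if the cd fails so the git commands never run in the wrong repository.
cd "${WORK_DIR}${TENANT_PROJECT_DIR_NAME}/" || exit 1
git add . && git commit -m "Add Uptime check config for ${NAMESPACE}" && git push origin main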