Anthos GKE on AWS
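#!/usr/bin/env bash
# Anthos GKE on AWS, step 1: prerequisites (AWS KMS keys + aliases, GCP APIs,
# service accounts and their keys, IAM bindings, anthos-gke CLI).
# Docs: https://cloud.google.com/anthos/gke/docs/aws/how-to/prerequisites
# NOTE: MUST have `jq` installed for JSON parsing to set ENV vars
# Run it with `bash`, not `source`: strict mode below would otherwise close an
# interactive shell on the first failing command.
set -euo pipefail

# Service-account keys and KMS metadata are written to the working directory;
# make everything this script creates readable by the owner only.
umask 077

# Declaration and assignment are separated so a failing gcloud call is not
# masked by `export` returning 0.
PROJECT_ID=$(gcloud config get-value project)
export PROJECT_ID
PROJECT_OWNER=$(gcloud config get-value core/account) # set orig val
export PROJECT_OWNER
: "${PROJECT_ID:?gcloud has no default project configured}"

# confirm aws CLI working
aws --version

# create two KMS keys. Creation is skipped when a non-empty metadata file is
# already present, so re-running the script does not mint additional keys.
[[ -s aws-kms-key-meta.json ]] || aws kms create-key > aws-kms-key-meta.json
[[ -s aws-kms-key2-meta.json ]] || aws kms create-key > aws-kms-key2-meta.json

# fetch ARN from each key. `aws kms create-key` returns {"KeyMetadata": {...}};
# `jq -r` strips the JSON quotes so the raw ARN (not "arn:...") reaches the CLI.
KMS_ARN1=$(jq -r '.KeyMetadata.Arn' aws-kms-key-meta.json)
KMS_ARN2=$(jq -r '.KeyMetadata.Arn' aws-kms-key2-meta.json)
export KMS_ARN1 KMS_ARN2
printf 'Key 1 Arn: %s\n' "$KMS_ARN1"
printf 'Key 2 Arn: %s\n' "$KMS_ARN2"

# create aliases for keys (not guarded: an existing alias makes create-alias
# fail, which stops the script loudly rather than silently re-pointing it)
aws kms create-alias --alias-name alias/gke-key --target-key-id "$KMS_ARN1"
aws kms create-alias --alias-name alias/gke-key2 --target-key-id "$KMS_ARN2"

# enable gcloud apis (one call; `services enable` accepts several services)
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  gkehub.googleapis.com \
  gkeconnect.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  serviceusage.googleapis.com \
  stackdriver.googleapis.com \
  storage-api.googleapis.com \
  storage-component.googleapis.com

# create service accounts
gcloud iam service-accounts create management-sa
gcloud iam service-accounts create hub-sa
gcloud iam service-accounts create node-sa

# download keys: <name>-sa -> <name>-key.json. A key file that already exists
# is reused so every run does not add another long-lived key to the account.
for sa in management-sa hub-sa node-sa; do
  key_file="${sa%-sa}-key.json"
  [[ -s "$key_file" ]] || gcloud iam service-accounts keys create "$key_file" \
    --iam-account "${sa}@${PROJECT_ID}.iam.gserviceaccount.com"
done

#######################################
# Grant a project role to a service account.
# Globals:   PROJECT_ID (read)
# Arguments: $1 - service account name (without the @... suffix)
#            $2 - role, e.g. roles/gkehub.admin
#######################################
bind_role() {
  local sa=$1
  local role=$2
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${sa}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role "$role"
}

# management sa
bind_role management-sa roles/gkehub.admin
bind_role management-sa roles/serviceusage.serviceUsageViewer
# hub sa
bind_role hub-sa roles/gkehub.connect
# node sa
# objectViewer didn't work for mgmt install (need create TF state bucket).
# NOTE(review): the original used roles/storageAdmin, which is not a predefined
# role id; the predefined bucket-admin role is roles/storage.admin. It is broad
# (all buckets in the project) — scope it down once the state bucket exists.
bind_role node-sa roles/storage.admin

# download anthos-gke CLI
# NOTE: your service account MUST BE ADDED (MANUALLY BY GOOGLE) TO APPROVE LIST FIRST
# gcloud auth activate-service-account --key-file=node-key.json # if not project owner
readonly ANTHOS_GKE_RELEASE="aws-1.4.1-gke.15"
case "$(uname -s)" in
  Darwin) cli_os=darwin ;;
  Linux)  cli_os=linux ;;
  *)
    printf 'unsupported OS for anthos-gke download: %s\n' "$(uname -s)" >&2
    exit 1
    ;;
esac
# Pinned to one release so the binary installed is the one this runbook was
# written against; the gist publishes no checksum for it.
gsutil cp "gs://gke-multi-cloud-release/aws/${ANTHOS_GKE_RELEASE}/bin/${cli_os}/amd64/anthos-gke" .
# install sets 0755 explicitly (umask above would otherwise leave it 0700)
sudo install -m 0755 anthos-gke /usr/local/bin/anthos-gke
rm -f -- anthos-gke

# change gcloud auth back to original user
# gcloud config set account $PROJECT_OWNER

# test the CLI is working
anthos-gke version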
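#!/usr/bin/env bash
# Anthos GKE on AWS, step 2: write anthos-gke.yaml, create the management
# service, open the bastion tunnel and point kubectl at the management cluster.
# https://cloud.google.com/anthos/gke/docs/aws/how-to/installing-management
# NOTE: MUST have `jq` installed for JSON parsing to set ENV vars
# Expects, in the working directory, the files produced by the prerequisites
# script: aws-kms-key-meta.json, aws-kms-key2-meta.json, management-key.json,
# hub-key.json, node-key.json.
# Run with `bash`, not `source` (strict mode would close an interactive shell).
set -euo pipefail

PROJECT_ID=$(gcloud config get-value project)
PROJECT_OWNER=$(gcloud config get-value core/account) # set orig val
ANTHOS_GKE_VERSION=$(anthos-gke version)
AWS_REGION="us-east-2"
# -r so the value is the bare ARN; the YAML template below quotes it itself
ADMIN_AWS_IAM_ARN=$(aws sts get-caller-identity | jq -r '.Arn')
export PROJECT_ID PROJECT_OWNER ANTHOS_GKE_VERSION AWS_REGION ADMIN_AWS_IAM_ARN
: "${PROJECT_ID:?gcloud has no default project configured}"

# AWS keys created during prerequisites (`aws kms create-key` output is
# {"KeyMetadata": {..., "Arn": ...}})
KMS_KEY_ARN=$(jq -r '.KeyMetadata.Arn' aws-kms-key-meta.json)
DATABASE_KMS_KEY_ARN=$(jq -r '.KeyMetadata.Arn' aws-kms-key2-meta.json)
export KMS_KEY_ARN DATABASE_KMS_KEY_ARN

# GCP keys created during prerequisites. Absolute paths are built from $PWD;
# the original `$(PWD)` ran a command named PWD, which does not exist, and so
# produced "/management-key.json".
for key_file in management-key.json hub-key.json node-key.json; do
  if [[ ! -s "$key_file" ]]; then
    printf 'missing service-account key %s (run the prerequisites script first)\n' "$key_file" >&2
    exit 1
  fi
done
export MANAGEMENT_KEY_PATH="$PWD/management-key.json"
export HUB_KEY_PATH="$PWD/hub-key.json"
export NODE_KEY_PATH="$PWD/node-key.json"

# networking
printf 'Listing AZs for region %s\n' "$AWS_REGION"
aws ec2 describe-availability-zones --region "$AWS_REGION" | jq -r '.AvailabilityZones[].ZoneName'
export VPC_CIDR_BLOCK="10.20.0.0/16"
export ZONE_1="us-east-2a"
export ZONE_2="us-east-2b"
export ZONE_3="us-east-2c"
export PRIVATE_CIDR_BLOCK_1="10.20.1.0/24"
export PRIVATE_CIDR_BLOCK_2="10.20.3.0/24"
export PRIVATE_CIDR_BLOCK_3="10.20.5.0/24"
export PUBLIC_CIDR_BLOCK_1="10.20.0.0/24"
export PUBLIC_CIDR_BLOCK_2="10.20.2.0/24"
export PUBLIC_CIDR_BLOCK_3="10.20.4.0/24"
# Only this source address may SSH to the bastion; keep it a single /32.
export SSH_CIDR_BLOCK="172.31.28.238/32" # bastion EC2 instance

########################
# CREATE CONFIG FILE
########################
# The heredoc is unquoted on purpose: the $VARS above are expanded into it.
# Nesting is by 2-space YAML indentation; string values are quoted so ARNs,
# paths and versions are never reinterpreted by the YAML parser.
cat > anthos-gke.yaml << EOF
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: "$ANTHOS_GKE_VERSION"
  region: "$AWS_REGION"
  authentication:
    awsIAM:
      adminIdentityARNs:
        - "$ADMIN_AWS_IAM_ARN"
  kmsKeyARN: "$KMS_KEY_ARN"
  databaseEncryption:
    kmsKeyARN: "$DATABASE_KMS_KEY_ARN"
  googleCloud:
    projectID: "$PROJECT_ID"
    serviceAccountKeys:
      managementService: "$MANAGEMENT_KEY_PATH"
      connectAgent: "$HUB_KEY_PATH"
      node: "$NODE_KEY_PATH"
  dedicatedVPC:
    vpcCIDRBlock: "$VPC_CIDR_BLOCK"
    availabilityZones:
      - "$ZONE_1"
      - "$ZONE_2"
      - "$ZONE_3"
    privateSubnetCIDRBlocks:
      - "$PRIVATE_CIDR_BLOCK_1"
      - "$PRIVATE_CIDR_BLOCK_2"
      - "$PRIVATE_CIDR_BLOCK_3"
    publicSubnetCIDRBlocks:
      - "$PUBLIC_CIDR_BLOCK_1"
      - "$PUBLIC_CIDR_BLOCK_2"
      - "$PUBLIC_CIDR_BLOCK_3"
    bastionAllowedSSHCIDRBlocks:
      - "$SSH_CIDR_BLOCK"
EOF

################################
# ANTHOS GKE SETUP
################################
# validate config and bootstrap another file
anthos-gke aws management init
# create the management service on AWS
export GOOGLE_APPLICATION_CREDENTIALS=$NODE_KEY_PATH # missing from docs (also need storage.buckets.create permission)
anthos-gke aws management apply

################################
# CONNECTING TO CLUSTER
################################
# https://cloud.google.com/anthos/gke/docs/aws/how-to/integrating-existing-infrastructure#connect
# download bastion tunnel script and make executable
terraform output bastion_tunnel > bastion-tunnel.sh
chmod 755 bastion-tunnel.sh
# run tunnel (note you must use from IP in your bastion anthos-gke.yaml approve list)
# Backgrounded so the rest of the script continues; the tunnel outlives the
# script and must be stopped by hand (pid printed below).
./bastion-tunnel.sh -N &
tunnel_pid=$!
printf 'bastion tunnel running in background, pid %s\n' "$tunnel_pid" >&2
# brief pause so the tunnel is listening before kubectl goes through it
# (presumably enough; lengthen if cluster-info below cannot connect)
sleep 5
# authenticate kubectl context
anthos-gke aws management get-credentials
# set proxy env var. This export dies with the script: re-export HTTP_PROXY in
# the interactive shell before running kubectl or the user-cluster script.
export HTTP_PROXY=http://localhost:8118
# test with cluster info
kubectl cluster-info
printf 'Good job!\n'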
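#!/usr/bin/env bash
# Anthos GKE on AWS, step 3: create the first user cluster from the Terraform
# example and fetch its kubeconfig.
# https://cloud.google.com/anthos/gke/docs/aws/how-to/creating-user-cluster
# Prerequisites in THIS shell: bastion-tunnel.sh running and the proxy variable
# exported (the management script uses HTTP_PROXY; the original note here
# called it PROXY_HOST — check which one your anthos-gke version expects).
# Strict mode so a failed `kubectl apply` stops here instead of sleeping ten
# minutes and then fetching credentials for a cluster that was never created.
set -euo pipefail

# create user cluster config
terraform output cluster_example > cluster-0.yaml
# create first cluster (make sure the bastion_tunnel.sh is running)
kubectl apply -f cluster-0.yaml
sleep 600 # give time for cluster to reconcile
# create kubeconfig for new cluster (make sure bastion_tunnel.sh and proxy var set)
anthos-gke aws clusters get-credentials cluster-0
# get cluster-0 info and test kubeconfig
kubectl cluster-info

#######################################
# VIEW CLUSTER STATUS (SWITCH BACK TO MGMT)
#######################################
# get-credentials above switched the current context to cluster-0; AWSClusters
# live in the management cluster, so switch back before listing them:
# kubectl config get-contexts (view list)
# kubectl config use-context gke_aws_management_gke-XXXXXXXXXX (your ID)
# view clusters
kubectl get AWSClusters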