|  | This is a work in progress. | 
|  |  | 
|  | Eventually, this repo will be self-deploying, but it is currently in | 
|  | the process of being bootstrapped. | 
|  |  | 
|  | Manual steps for bootstrapping: | 
|  |  | 
|  | kubectl create clusterrolebinding cluster-admin-binding \ | 
|  | --clusterrole=cluster-admin \ | 
|  | --user=$(gcloud config get-value core/account) | 
|  |  | 
|  | # Install Argo CD. The service patch below exposes argocd-server through a public LoadBalancer, so change the default admin password (see below) as soon as you can log in. | 
|  |  | 
|  | kubectl create namespace argocd | 
|  | kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml | 
|  |  | 
|  | kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}' | 
|  |  | 
|  | # This gets the name of the argocd-server pod, which is also the initial admin password (see below) | 
|  | kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2 | 
|  |  | 
|  | # Set $IP to the external IP address of the argocd-server load balancer | 
|  | argocd login $IP | 
|  | # Update the admin password (by default, it is the name of the argocd-server pod obtained above) | 
|  | argocd account update-password | 
|  |  | 
|  | # Install zookeeper (note: the chart repository below is reached over plain http rather than https) | 
|  | argocd app create zookeeper \ | 
|  | --repo http://storage.googleapis.com/kubernetes-charts-incubator \ | 
|  | --helm-chart zookeeper \ | 
|  | --revision 2.1.3 \ | 
|  | --dest-server https://kubernetes.default.svc \ | 
|  | --dest-namespace zookeeper | 
|  |  | 
|  | argocd app sync zookeeper | 
|  |  | 
|  | # Install certmanager | 
|  |  | 
|  | kubectl create namespace cert-manager | 
|  | kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true | 
|  | kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml | 
|  | kubectl apply -n cert-manager -f letsencrypt.yaml | 
|  |  | 
|  | # Install MariaDB. The GRANT below includes WITH GRANT OPTION for 'zuul'@'%'; drop it unless the zuul user actually needs to delegate privileges. | 
|  |  | 
|  | kubectl create namespace mariadb | 
|  |  | 
|  | Deploy MariaDB using Google Cloud's click-to-deploy solution. | 
|  | TODO: find a better HA SQL database operator. | 
|  |  | 
|  | kubectl port-forward svc/mariadb-mariadb --namespace mariadb 3306 | 
|  | mysql -h 127.0.0.1 -P 3306 -u root -p | 
|  | create database zuul; | 
|  | GRANT ALL PRIVILEGES ON zuul.* TO 'zuul'@'%' identified by '<password>' WITH GRANT OPTION; | 
|  |  | 
|  | # Install Zuul | 
|  |  | 
|  | gcloud compute addresses create zuul-static-ip --global | 
|  | kubectl create namespace zuul | 
|  |  | 
|  | # Bind Kubernetes service accounts to GCP service accounts (Workload Identity) | 
|  | kubectl create serviceaccount --namespace zuul logs | 
|  | kubectl create serviceaccount --namespace zuul nodepool | 
|  | kubectl create serviceaccount --namespace zuul zuul | 
|  |  | 
|  | gcloud iam service-accounts add-iam-policy-binding \ | 
|  | --role roles/iam.workloadIdentityUser \ | 
|  | --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/logs]" \ | 
|  | zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | gcloud iam service-accounts add-iam-policy-binding \ | 
|  | --role roles/iam.workloadIdentityUser \ | 
|  | --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/nodepool]" \ | 
|  | nodepool@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | gcloud iam service-accounts add-iam-policy-binding \ | 
|  | --role roles/iam.workloadIdentityUser \ | 
|  | --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/zuul]" \ | 
|  | zuul-63@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | kubectl annotate serviceaccount \ | 
|  | --namespace zuul logs \ | 
|  | iam.gke.io/gcp-service-account=zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | kubectl annotate serviceaccount \ | 
|  | --namespace zuul nodepool \ | 
|  | iam.gke.io/gcp-service-account=nodepool@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | kubectl annotate serviceaccount \ | 
|  | --namespace zuul zuul \ | 
|  | iam.gke.io/gcp-service-account=zuul-63@gerritcodereview-ci.iam.gserviceaccount.com | 
|  |  | 
|  | # Create a service account for self-deployment. The binding below makes it cluster-admin, so its token is a cluster-wide admin credential and must be protected accordingly. | 
|  |  | 
|  | kubectl -n zuul create serviceaccount zuul-deployment | 
|  | kubectl create clusterrolebinding zuul-deployment-cluster-admin-binding \ | 
|  | --clusterrole cluster-admin \ | 
|  | --user system:serviceaccount:zuul:zuul-deployment |