Add initial bootstrapping instructions and config

This describes how to bootstrap ArgoCD for deployment, and adds
an initial description of a Zuul deployment using the Zuul
helm charts.

Change-Id: Ic58cc75e840a7435a9bacf3b1771a6da8988e261
diff --git a/README b/README
new file mode 100644
index 0000000..d1a7327
--- /dev/null
+++ b/README
@@ -0,0 +1,57 @@
+This is a work in progress.
+
+Eventually, this repo will be self-deploying, but it is currently in
+the process of being bootstrapped.
+
+Manual steps for bootstrapping:
+
+kubectl create clusterrolebinding cluster-admin-binding \
+  --clusterrole=cluster-admin \
+  --user=$(gcloud config get-value core/account)
+
+# Install argo
+
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+
+kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
+
+# This gets the name of the argo pod
+kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
+
+# Use the IP address of the load balancer
+argocd login $IP
+# Update the admin password (by default, it's the name of the pod above)
+argocd account update-password
+
+# Install zookeeper
+argocd app create zookeeper \
+  --repo http://storage.googleapis.com/kubernetes-charts-incubator \
+  --helm-chart zookeeper \
+  --revision 2.1.3 \
+  --dest-server https://kubernetes.default.svc \
+  --dest-namespace zookeeper
+
+argocd app sync zookeeper
+
+# Install certmanager
+
+kubectl create namespace cert-manager
+kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
+kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
+kubectl apply -n cert-manager -f letsencrypt.yaml 
+
+# Install Zuul
+
+gcloud compute addresses create zuul-static-ip --global
+
+kubectl create namespace zuul
+
+kubectl create -n zuul secret generic nodepool-config --from-file=./nodepool/nodepool.yaml --from-file=./nodepool/clouds.yaml
+
+kubectl create -n zuul secret generic zuul-tenant-config --from-file=./zuul/main.yaml
+
+kubectl apply -n argocd -f nodepool-app.yaml
+kubectl apply -n argocd -f zuul-app.yaml
+
+kubectl apply -n zuul -f ingress.yaml
diff --git a/ingress.yaml b/ingress.yaml
new file mode 100644
index 0000000..f678b17
--- /dev/null
+++ b/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: zuul-web
+  namespace: zuul
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: "zuul-static-ip"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  rules:
+  - host: gerrit-zuul.inaugust.com
+    http:
+      paths:
+      - backend:
+          serviceName: zuul-web
+          servicePort: 9000
+        path: /*
+  tls:
+    - secretName: zuul-web-certs
+      hosts:
+        - gerrit-zuul.inaugust.com
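Review bot: `apiVersion: extensions/v1beta1` on the first line is the deprecated Ingress API group; `networking.k8s.io/v1beta1` has served the same schema since Kubernetes 1.14 and the extensions group was later removed, so `apiVersion: networking.k8s.io/v1beta1` is the safer choice if the target cluster supports it. The list indentation is also mixed: `rules` and `paths` are flush with their key while `tls` and `hosts` are indented, and one form should be used throughout the file. A comment above the annotations, such as `# HTTP must stay reachable: the ACME HTTP-01 solver edits this Ingress in place`, would explain why nothing here restricts the Ingress to HTTPS, assuming that is the reason.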
diff --git a/letsencrypt.yaml b/letsencrypt.yaml
new file mode 100644
index 0000000..f6742f1
--- /dev/null
+++ b/letsencrypt.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: corvus@inaugust.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource used to store the account's private key.
+      name: letsencrypt-staging-account-key
+    # Enable the HTTP01 challenge mechanism for this Issuer
+    solvers:
+    - http01:
+        ingress: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: corvus@inaugust.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource used to store the account's private key.
+      name: letsencrypt-prod-account-key
+    # Enable the HTTP01 challenge mechanism for this Issuer
+    solvers:
+    - http01:
+        ingress: {}
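Review bot: Both documents declare `kind: ClusterIssuer`, which lets an Ingress in any namespace request certificates under this ACME account. The only consumer in this commit is the `zuul-web` Ingress in namespace `zuul`, so a namespaced `kind: Issuer` there, referenced with `cert-manager.io/issuer` on the Ingress, would be the narrower grant unless other namespaces are meant to share it. The copied comment `# You must replace this email address with your own.` sits above an already filled-in address in both documents; reword it to something like `# Contact address for the ACME account (expiry and account notices).`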
diff --git a/nodepool-app.yaml b/nodepool-app.yaml
new file mode 100644
index 0000000..dfe4413
--- /dev/null
+++ b/nodepool-app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nodepool
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/jeblair/zuul-helm
+    path: charts/nodepool
+    helm:
+      values: |
+        clouds: ''
+        builder:
+          enabled: false
+        config:
+          secret: nodepool-config
+  destination:
+    namespace: zuul
+    server: https://kubernetes.default.svc
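Review bot: `spec.source` has no `targetRevision`, so each sync deploys whatever is at the head of the default branch of `https://github.com/jeblair/zuul-helm` at that moment; the same applies to `zuul-app.yaml` in this commit. Pinning a reviewed commit or tag with `targetRevision: <commit-sha-or-tag>` under `repoURL` makes the deployed chart reproducible and keeps a change in the chart repository from reaching the cluster without a matching change here. `project: default` is unrestricted in source repositories and destinations as Argo CD ships it; a dedicated AppProject limited to this repository and the `zuul` namespace would be a tighter fit once bootstrapping is done.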
diff --git a/nodepool/clouds.yaml b/nodepool/clouds.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/nodepool/clouds.yaml
diff --git a/nodepool/nodepool.yaml b/nodepool/nodepool.yaml
new file mode 100644
index 0000000..17cbe7d
--- /dev/null
+++ b/nodepool/nodepool.yaml
@@ -0,0 +1,30 @@
+diskimages: []
+zookeeper-servers:
+  - host: zookeeper.zookeeper
+    port: 2181
+providers:
+  - name: gcloud-provider
+    driver: gce
+    project: gerritcodereview-ci
+    region: us-central1
+    zone: us-central1-a
+    cloud-images:
+      - name: debian-stretch
+        image-project: debian-cloud
+        image-family: debian-9
+        username: zuul
+        key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaTT3+Y6dIh221ZsQ0ki6VwGb6lzd1/CvIS8RX6ZNmxJTXS7UKlvhAVTbGQPtmjdIQbwUyEqZEvIm/bUBr7dNbyeMLiRiRtoN+u1Quq8OAes2N7nUKnjLjGjVnM2mvYHGWHRDbpAQCtmXtbiQkHkfLLzewb+MqntQZ57xap31qriTkv4rdnlMN4kElILb5E/8WOAAJXYrt3b1TrTXwZUx7is1OTa38I9jJTpUMCn2otWGH9LlfeUhz/z8ZPB21wgUZN9CF5NwwBanqCNXy0jHiumOGx9e7Hc7apt641KiDuRt0aWyE6No/aMe6hVYnFR3NMG3rBtortXl+R5birK8l zuul
+    pools:
+      - name: main
+        max-servers: 8
+        #host-key-checking: False
+        use-internal-ip: True
+        labels:
+          - name: testlabel
+            instance-type: f1-micro
+            cloud-image: debian-stretch
+            volume-type: standard
+            volume-size: 10
+labels:
+  - name: testlabel
+    min-ready: 1
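Review bot: The commented-out `#host-key-checking: False` in pool `main` should either be deleted or replaced by a comment saying why it is kept; as left, uncommenting it would stop nodepool from checking the SSH host keys of launched nodes, with no recorded reason. `use-internal-ip: True` works, but the canonical YAML boolean is lowercase, `use-internal-ip: true`. A short comment above `key:` stating that this is the public key authorised for the `zuul` login would also help, since the README loads this file into a Secret and a reader may otherwise assume it holds private material.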
diff --git a/zuul-app.yaml b/zuul-app.yaml
new file mode 100644
index 0000000..561e1e5
--- /dev/null
+++ b/zuul-app.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: zuul
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/jeblair/zuul-helm
+    path: charts/zuul
+    helm:
+      values: |
+        zookeeper:
+          hosts: zookeeper.zookeeper
+        executor:
+          replicas: 1
+        merger:
+          replicas: 1
+        web:
+          replicas: 1
+          host: gerrit-zuul.inaugust.com
+          serviceType: NodePort
+        scheduler:
+          tenantConfigPath: /etc/zuul/tenant/main.yaml
+          tenantConfigSecret: zuul-tenant-config
+        connections:
+          opendev:
+            name: opendev
+            driver: git
+            baseurl: https://opendev.org
+  destination:
+    namespace: zuul
+    server: https://kubernetes.default.svc
diff --git a/zuul/main.yaml b/zuul/main.yaml
new file mode 100644
index 0000000..4d6631a
--- /dev/null
+++ b/zuul/main.yaml
@@ -0,0 +1,11 @@
+- tenant:
+    name: gerrit
+    report-build-page: true
+    web-root: http://localhost:3000/
+    source:
+      opendev:
+        untrusted-projects:
+          - zuul/zuul-jobs
+#      googlesource:
+#        untrusted-projects:
+#          - zuul/ops
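Review bot: `web-root: http://localhost:3000/` looks like a development value: combined with `report-build-page: true`, the build links that Zuul reports would be built from it and point at localhost over plain HTTP rather than at the deployed site. If the web UI is the host configured in `ingress.yaml` and `zuul-app.yaml`, this should read `web-root: https://gerrit-zuul.inaugust.com/`. The commented-out `googlesource` block at the end needs a one-line comment saying it is a planned connection, or should be dropped until that connection exists.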