| This is a work in progress. |
| |
| Eventually, this repo will be self-deploying, but it is currently in |
| the process of being bootstrapped. |
| |
| Manual steps for bootstrapping: |
| |
| # Install certmanager |
| |
| kubectl create namespace cert-manager |
| kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true |
| kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml |
| kubectl apply -n cert-manager -f letsencrypt.yaml |
| |
| # Install mariadb |
| |
| kubectl create namespace mariadb |
| |
| Use Google cloud click to deploy |
| TODO: find a better HA sql database operator |
| |
| kubectl port-forward svc/mariadb-mariadb --namespace mariadb 3306 |
| mysql -h 127.0.0.1 -P 3306 -u root -p |
| create database zuul; |
| GRANT ALL PRIVILEGES ON zuul.* TO 'zuul'@'%' identified by '<password>' WITH GRANT OPTION; |
| |
| # Install Zuul |
| |
| gcloud compute addresses create zuul-static-ip --global |
| kubectl create namespace zuul |
| |
| # Bind k8s service accounts to gcp service accounts |
| kubectl create serviceaccount --namespace zuul logs |
| kubectl create serviceaccount --namespace zuul nodepool |
| kubectl create serviceaccount --namespace zuul zuul |
| |
| gcloud iam service-accounts add-iam-policy-binding \ |
| --role roles/iam.workloadIdentityUser \ |
| --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/logs]" \ |
| zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| gcloud iam service-accounts add-iam-policy-binding \ |
| --role roles/iam.workloadIdentityUser \ |
| --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/nodepool]" \ |
| nodepool@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| gcloud iam service-accounts add-iam-policy-binding \ |
| --role roles/iam.workloadIdentityUser \ |
| --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/zuul]" \ |
| zuul-63@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| kubectl annotate serviceaccount \ |
| --namespace zuul logs \ |
| iam.gke.io/gcp-service-account=zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| kubectl annotate serviceaccount \ |
| --namespace zuul nodepool \ |
| iam.gke.io/gcp-service-account=nodepool@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| kubectl annotate serviceaccount \ |
| --namespace zuul zuul \ |
| iam.gke.io/gcp-service-account=zuul-63@gerritcodereview-ci.iam.gserviceaccount.com |
| |
| # create a service account for self-deployment |
| |
| kubectl -n zuul create serviceaccount zuul-deployment |
| kubectl create clusterrolebinding zuul-deployment-cluster-admin-binding \ |
| --clusterrole cluster-admin \ |
| --user system:serviceaccount:zuul:zuul-deployment |