blob: b7e6d06ddc90a74068005e92b15042430e80d89d [file] [log] [blame]
This is a work in progress.
Eventually, this repo will be self-deploying, but it is currently in
the process of being bootstrapped.
Manual steps for bootstrapping:
# Install certmanager
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
kubectl apply -n cert-manager -f letsencrypt.yaml
# Install mariadb
kubectl create namespace mariadb
Use Google cloud click to deploy
TODO: find a better HA sql database operator
kubectl port-forward svc/mariadb-mariadb --namespace mariadb 3306
mysql -h 127.0.0.1 -P 3306 -u root -p
create database zuul;
GRANT ALL PRIVILEGES ON zuul.* TO 'zuul'@'%' identified by '<password>' WITH GRANT OPTION;
# Install Zuul
gcloud compute addresses create zuul-static-ip --global
kubectl create namespace zuul
# Bind k8s service accounts to gcp service accounts
kubectl create serviceaccount --namespace zuul logs
kubectl create serviceaccount --namespace zuul nodepool
kubectl create serviceaccount --namespace zuul zuul
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/logs]" \
zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/nodepool]" \
nodepool@gerritcodereview-ci.iam.gserviceaccount.com
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/zuul]" \
zuul-63@gerritcodereview-ci.iam.gserviceaccount.com
kubectl annotate serviceaccount \
--namespace zuul logs \
iam.gke.io/gcp-service-account=zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com
kubectl annotate serviceaccount \
--namespace zuul nodepool \
iam.gke.io/gcp-service-account=nodepool@gerritcodereview-ci.iam.gserviceaccount.com
kubectl annotate serviceaccount \
--namespace zuul zuul \
iam.gke.io/gcp-service-account=zuul-63@gerritcodereview-ci.iam.gserviceaccount.com
# create a service account for self-deployment
kubectl -n zuul create serviceaccount zuul-deployment
kubectl create clusterrolebinding zuul-deployment-cluster-admin-binding \
--clusterrole cluster-admin \
--user system:serviceaccount:zuul:zuul-deployment