README - zuul/ops - Git at Google

 This is a work in progress.

 Eventually, this repo will be self-deploying, but it is currently in
 the process of being bootstrapped.

 Manual steps for bootstrapping:

 # Install certmanager

 kubectl create namespace cert-manager
 kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
 kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
 kubectl apply -n cert-manager -f letsencrypt.yaml

 # Install mariadb

 kubectl create namespace mariadb

 Use Google cloud click to deploy
 TODO: find a better HA sql database operator

 kubectl port-forward svc/mariadb-mariadb --namespace mariadb 3306
 mysql -h 127.0.0.1 -P 3306 -u root -p
 create database zuul;
 GRANT ALL PRIVILEGES ON zuul.* TO 'zuul'@'%' identified by '<password>' WITH GRANT OPTION;

 # Install Zuul

 gcloud compute addresses create zuul-static-ip --global
 kubectl create namespace zuul

 # Bind k8s service accounts to gcp service accounts
 kubectl create serviceaccount --namespace zuul logs
 kubectl create serviceaccount --namespace zuul nodepool
 kubectl create serviceaccount --namespace zuul zuul

 gcloud iam service-accounts add-iam-policy-binding \
   --role roles/iam.workloadIdentityUser \
   --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/logs]" \
   zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com

 gcloud iam service-accounts add-iam-policy-binding \
   --role roles/iam.workloadIdentityUser \
   --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/nodepool]" \
   nodepool@gerritcodereview-ci.iam.gserviceaccount.com

 gcloud iam service-accounts add-iam-policy-binding \
   --role roles/iam.workloadIdentityUser \
   --member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/zuul]" \
   zuul-63@gerritcodereview-ci.iam.gserviceaccount.com

 kubectl annotate serviceaccount \
   --namespace zuul logs \
   iam.gke.io/gcp-service-account=zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com

 kubectl annotate serviceaccount \
   --namespace zuul nodepool \
   iam.gke.io/gcp-service-account=nodepool@gerritcodereview-ci.iam.gserviceaccount.com

 kubectl annotate serviceaccount \
   --namespace zuul zuul \
   iam.gke.io/gcp-service-account=zuul-63@gerritcodereview-ci.iam.gserviceaccount.com

 # create a service account for self-deployment

 kubectl -n zuul create serviceaccount zuul-deployment
 kubectl create clusterrolebinding zuul-deployment-cluster-admin-binding \
   --clusterrole cluster-admin \
   --user system:serviceaccount:zuul:zuul-deployment
	This is a work in progress.

	Eventually, this repo will be self-deploying, but it is currently in
	the process of being bootstrapped.

	Manual steps for bootstrapping:

	# Install certmanager

	kubectl create namespace cert-manager
	kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
	kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
	kubectl apply -n cert-manager -f letsencrypt.yaml

	# Install mariadb

	kubectl create namespace mariadb

	Use Google cloud click to deploy
	TODO: find a better HA sql database operator

	kubectl port-forward svc/mariadb-mariadb --namespace mariadb 3306
	mysql -h 127.0.0.1 -P 3306 -u root -p
	create database zuul;
	GRANT ALL PRIVILEGES ON zuul.* TO 'zuul'@'%' identified by '<password>' WITH GRANT OPTION;

	# Install Zuul

	gcloud compute addresses create zuul-static-ip --global
	kubectl create namespace zuul

	# Bind k8s service accounts to gcp service accounts
	kubectl create serviceaccount --namespace zuul logs
	kubectl create serviceaccount --namespace zuul nodepool
	kubectl create serviceaccount --namespace zuul zuul

	gcloud iam service-accounts add-iam-policy-binding \
	--role roles/iam.workloadIdentityUser \
	--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/logs]" \
	zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com

	gcloud iam service-accounts add-iam-policy-binding \
	--role roles/iam.workloadIdentityUser \
	--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/nodepool]" \
	nodepool@gerritcodereview-ci.iam.gserviceaccount.com

	gcloud iam service-accounts add-iam-policy-binding \
	--role roles/iam.workloadIdentityUser \
	--member "serviceAccount:gerritcodereview-ci.svc.id.goog[zuul/zuul]" \
	zuul-63@gerritcodereview-ci.iam.gserviceaccount.com

	kubectl annotate serviceaccount \
	--namespace zuul logs \
	iam.gke.io/gcp-service-account=zuul-logs@gerritcodereview-ci.iam.gserviceaccount.com

	kubectl annotate serviceaccount \
	--namespace zuul nodepool \
	iam.gke.io/gcp-service-account=nodepool@gerritcodereview-ci.iam.gserviceaccount.com

	kubectl annotate serviceaccount \
	--namespace zuul zuul \
	iam.gke.io/gcp-service-account=zuul-63@gerritcodereview-ci.iam.gserviceaccount.com

	# create a service account for self-deployment

	kubectl -n zuul create serviceaccount zuul-deployment
	kubectl create clusterrolebinding zuul-deployment-cluster-admin-binding \
	--clusterrole cluster-admin \
	--user system:serviceaccount:zuul:zuul-deployment