# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
### ACM
- name: "Enable ACM API in GCP"
command:
cmd: gcloud beta container hub config-management enable
run_once: true # only needs to run once
when: "(primary_cluster_machine is defined) and (primary_cluster_machine == true)"
environment:
PATH: "{{ tools_base_path }}/google-cloud-sdk/bin:{{ ansible_env.PATH }}"
tags:
- abm-software
- enable-acm
#### Setup WorkloadIdentity (supporting GSR)
- name: "Configure WorkloadIdentity for GSR"
shell: |
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:{{ google_project_id }}.svc.id.goog[config-management-system/root-reconciler]" \
source-repo-agent@{{ google_project_id }}.iam.gserviceaccount.com
args:
executable: /bin/bash
environment:
PATH: "{{ tools_base_path }}/google-cloud-sdk/bin:{{ ansible_env.PATH }}"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (root_repository_git_auth_type == "gcpserviceaccount")
tags:
- acm-workload-identity
### Operator
# Download operator
- name: "Download ACM Operator"
command:
cmd: "gsutil cp gs://config-management-release/released/{{ acm_version }}/config-management-operator.yaml {{ acm_config_files }}/config-management-operator.yaml"
creates: "{{ acm_config_files }}/config-management-operator.yaml"
environment:
PATH: "{{ tools_base_path }}/google-cloud-sdk/bin:{{ ansible_env.PATH }}"
when: "(primary_cluster_machine is defined) and (primary_cluster_machine == true)"
tags:
- abm-software
# Check for ACM Operator
- name: "Test for config-management operator presence"
include: kubectl-presence.yaml
vars:
name: "config-management"
type: "configmanagements.configmanagement.gke.io"
namespace: ""
kubeconfig: "{{ kubeconfig_shared_location }}"
fact_name: "has_acm_operator"
when: "(primary_cluster_machine is defined) and (primary_cluster_machine == true)"
tags:
- acm-operator
- name: "Install ACM Operator"
shell: |
kubectl apply -f {{ acm_config_files }}/config-management-operator.yaml
sleep 10s
kubectl wait --for=condition=established --timeout=600s crd configmanagements.configmanagement.gke.io # Wait for ConfigManagement & RootSync CRDs
exit $?
args:
executable: /bin/bash
environment:
KUBECONFIG: "{{ kubeconfig_shared_location }}"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (has_acm_operator == false)
retries: 3
register: result
until: result.rc == 0
tags:
- acm-operator
### Create ConfigSync configuration objects
# Render the ConfigManagement object from its Jinja template into the local
# config directory; it is applied by a later task.
- name: Copy config management configuration
  template:
    dest: "{{ acm_config_files }}/config-management-configuration.yaml"
    src: config-management.yaml.j2
  tags:
    - acm-config-management
  when:
    - (primary_cluster_machine is defined)
    - (primary_cluster_machine == true)
- name: "Test for config-management"
include: kubectl-presence.yaml
vars:
name: "config-management"
type: "configmanagements.configmanagement.gke.io"
namespace: "config-management-system"
kubeconfig: "{{ kubeconfig_shared_location }}"
fact_name: "has_config_management"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
tags:
- acm-config-management
- name: "Create Config Management Configuration"
shell: |
kubectl apply -f {{ acm_config_files }}/config-management-configuration.yaml
sleep 10s # just enough for the API to pick up the changes, then wait can take over
kubectl wait --for=condition=established --timeout=600s crd rootsyncs.configsync.gke.io
exit $?
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (has_config_management == false)
retries: 3
register: cmc_result
until: cmc_result.rc == 0
environment:
KUBECONFIG: "{{ kubeconfig_shared_location }}"
tags:
- acm-config-management
#### Root Repo Configuration
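# Render the RootSync object from its Jinja template into the local config
# directory; it is applied by a later task.
# The task name was previously identical to the ConfigManagement template
# task above, which made the two indistinguishable in play output.
- name: Copy root sync configuration
  template:
    src: root-sync.yaml.j2
    dest: "{{ acm_config_files }}/root-sync.yaml"
  when:
    - (primary_cluster_machine is defined)
    - (primary_cluster_machine == true)
  tags:
    - acm-root-repo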
- name: "Test for Root Repo secret"
include: kubectl-presence.yaml
vars:
name: "{{ root_repository_git_secret_name }}"
type: "secrets"
namespace: "config-management-system"
kubeconfig: "{{ kubeconfig_shared_location }}"
fact_name: "has_root_repo_secret"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (root_repository_git_auth_type != "gcpserviceaccount")
tags:
- acm-root-repo
- name: "Create secret token for Root Repo"
command:
cmd: "kubectl create secret generic {{ root_repository_git_secret_name }} --namespace='config-management-system' --from-literal='username={{ scm_token_user }}' --from-literal='token={{ scm_token_token }}'"
environment:
KUBECONFIG: "{{ kubeconfig_shared_location }}"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (root_repository_git_auth_type != "gcpserviceaccount")
- (has_root_repo_secret is defined)
- (has_root_repo_secret == false)
tags:
- acm-root-repo
- name: "Test for Root Repo installed"
include: kubectl-presence.yaml
vars:
name: "root-sync"
type: "RootSync"
namespace: "config-management-system"
kubeconfig: "{{ kubeconfig_shared_location }}"
fact_name: "has_root_repo_installed"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
tags:
- acm-root-repo
- name: "Apply Root Repo configuration"
shell: |
kubectl apply -f {{ acm_config_files }}/root-sync.yaml
sleep 10s # just enough for the API to pick up the changes, then wait can take over
kubectl wait --for=condition=established --timeout=600s crd rootsyncs.configsync.gke.io
exit $?
environment:
KUBECONFIG: "{{ kubeconfig_shared_location }}"
when:
- (primary_cluster_machine is defined)
- (primary_cluster_machine == true)
- (has_root_repo_installed == false)
tags:
- acm-root-repo