Allow Config Sync

Duration: 5 min | Persona: Platform Admin

In this section, you will grant the Online Boutique RepoSync's Kubernetes Service Account (the per-namespace reconciler in `config-management-system`) the Workload Identity User role on the Artifact Registry reader Google Service Account created earlier, so that RepoSync can impersonate that GSA to pull Helm charts.

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
echo "export ONLINEBOUTIQUE_NAMESPACE=onlineboutique" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh
mkdir ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$ONLINEBOUTIQUE_NAMESPACE

Bind the Artifact Registry reader GSA to the Online Boutique’s RepoSync

cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$ONLINEBOUTIQUE_NAMESPACE/artifactregistry-charts-reader-workload-identity-user.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: ${HELM_CHARTS_READER_GSA}-${ONLINEBOUTIQUE_NAMESPACE}
  namespace: ${TENANT_PROJECT_ID}
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/IAMServiceAccount/${HELM_CHARTS_READER_GSA}
spec:
  resourceRef:
    name: ${HELM_CHARTS_READER_GSA}
    kind: IAMServiceAccount
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - member: serviceAccount:${TENANT_PROJECT_ID}.svc.id.goog[config-management-system/ns-reconciler-${ONLINEBOUTIQUE_NAMESPACE}]
EOF

Deploy Kubernetes manifests

cd ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/
git add . && git commit -m "Artifact Registry viewer for Online Boutique's RepoSync" && git push origin main

Check deployments

Diagram: IAMPartialPolicy depends on IAMServiceAccount.

List the Kubernetes resources managed by Config Sync in Config Controller for the Tenant project configs repository:

Run this command and click on this link:

echo -e "https://console.cloud.google.com/kubernetes/config_management/packages?project=${HOST_PROJECT_ID}"

Wait until you see the Sync status column as Synced and the Reconcile status column as Current.

Run this command:

gcloud alpha anthos config sync repo describe \
    --project $HOST_PROJECT_ID \
    --managed-resources all \
    --sync-name repo-sync \
    --sync-namespace $TENANT_PROJECT_ID

Re-run the command above until you see "status": "SYNCED". All the managed_resources listed should have STATUS: Current too.
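Config Sync reporting Current only tells you that the IAMPartialPolicy reconciled, not that the resulting IAM policy on the GSA is what you intended. The script below is an added example, not part of the workshop: it builds the expected Workload Identity member string for the RepoSync reconciler KSA (ns-reconciler-<namespace> in config-management-system, the same member the IAMPartialPolicy above declares) and audits a GSA IAM policy in the JSON shape returned by `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json`, flagging any other member that also holds roles/iam.workloadIdentityUser. The project id, namespace and the extra `default/debug-sa` member in the sample policy are constructed for the demonstration.

```python
"""Audit the Workload Identity binding on the Artifact Registry reader GSA.

Added example (not part of the workshop). Input is the IAM policy JSON of
the GSA as printed by:
  gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json
"""
import json
from typing import Dict, List

WORKLOAD_IDENTITY_USER = "roles/iam.workloadIdentityUser"


def reposync_member(project_id: str, namespace: str) -> str:
    """Return the IAM member for the RepoSync reconciler KSA of a namespace.

    Config Sync runs each namespace's RepoSync under the Kubernetes Service
    Account ns-reconciler-<namespace> in config-management-system; this is
    the member the IAMPartialPolicy on this page binds.
    """
    ksa = f"ns-reconciler-{namespace}"
    return f"serviceAccount:{project_id}.svc.id.goog[config-management-system/{ksa}]"


def check_wi_binding(policy: Dict, expected_member: str) -> Dict[str, object]:
    """Collect every workloadIdentityUser member and compare with the expected one."""
    members: List[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == WORKLOAD_IDENTITY_USER:
            members.extend(binding.get("members", []))
    unexpected = sorted(m for m in members if m != expected_member)
    bound = expected_member in members
    return {
        "bound": bound,                      # the RepoSync KSA can impersonate the GSA
        "unexpected_members": unexpected,    # anything else that can, which is drift
        "ok": bound and not unexpected,
    }


def audit_gsa_policy(policy_json: str, project_id: str, namespace: str) -> Dict[str, object]:
    """Parse the gcloud JSON output and audit it for the given tenant project/namespace."""
    policy = json.loads(policy_json)
    return check_wi_binding(policy, reposync_member(project_id, namespace))


# Constructed sample policy: the expected RepoSync member plus one extra
# (hypothetical) member, so the audit has drift to report.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/iam.workloadIdentityUser",
      "members": [
        "serviceAccount:tenant-project-123.svc.id.goog[config-management-system/ns-reconciler-onlineboutique]",
        "serviceAccount:tenant-project-123.svc.id.goog[default/debug-sa]"
      ]
    }
  ],
  "etag": "BwXexample=",
  "version": 1
}
"""

if __name__ == "__main__":
    result = audit_gsa_policy(SAMPLE_POLICY_JSON, "tenant-project-123", "onlineboutique")
    print(f"RepoSync KSA bound: {result['bound']}")
    for member in result["unexpected_members"]:
        print(f"unexpected workloadIdentityUser member: {member}")
    print("OK" if result["ok"] else "binding drift detected")
```

In practice, feed the script the real `gcloud iam service-accounts get-iam-policy` output for `${HELM_CHARTS_READER_GSA}` and treat any member other than the RepoSync reconciler KSA as a finding: an extra workloadIdentityUser member is another workload that can act as the chart-reader GSA.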