Configure Config Sync
Duration: 10 min | Persona: Platform Admin
In this section, you will configure Config Sync to sync the resources in the Whereami Namespace via its associated RepoSync and RoleBinding.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
echo "export WHEREAMI_NAMESPACE=whereami" >> ${WORK_DIR}acm-workshop-variables.sh
echo "export WHERE_AMI_DIR_NAME=acm-workshop-whereami-repo" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh
mkdir -p ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs
mkdir ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$WHEREAMI_NAMESPACE
Create Namespace
Define a dedicated Namespace for the Whereami app:
cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$WHEREAMI_NAMESPACE/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
    pod-security.kubernetes.io/enforce: baseline
  name: ${WHEREAMI_NAMESPACE}
EOF
In addition to the istio-injection label, which includes this Namespace in our Service Mesh, we are also adding the pod-security.kubernetes.io/enforce label set to the baseline Pod Security Standards policy, so that the Pod Security admission controller rejects Pods in this Namespace that violate the baseline profile.
Create GitHub repository
cd ${WORK_DIR}
gh repo create $WHERE_AMI_DIR_NAME --public --clone --template https://github.com/mathieu-benoit/config-sync-app-template-repo
cd ${WORK_DIR}$WHERE_AMI_DIR_NAME
git pull
git checkout main
WHERE_AMI_REPO_URL=$(gh repo view --json url --jq .url)
Define RepoSync
Define a RepoSync linking this Git repository:
cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$WHEREAMI_NAMESPACE/repo-sync.yaml
apiVersion: configsync.gke.io/v1beta1
kind: RepoSync
metadata:
  name: repo-sync
  namespace: ${WHEREAMI_NAMESPACE}
spec:
  sourceFormat: unstructured
  git:
    repo: ${WHERE_AMI_REPO_URL}
    revision: HEAD
    branch: main
    dir: staging
    auth: none
EOF
cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs/$WHEREAMI_NAMESPACE/repo-sync-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: repo-sync
  namespace: ${WHEREAMI_NAMESPACE}
subjects:
- kind: ServiceAccount
  name: ns-reconciler-${WHEREAMI_NAMESPACE}
  namespace: config-management-system
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
We are using the edit user-facing role here, to follow the least privilege principle: the RepoSync reconciler only gets edit rights scoped to the Whereami Namespace, not cluster-wide permissions. Earlier in this workshop, during the ASM installation, we extended the default edit role with more capabilities for the Istio resources (VirtualServices, Sidecars and AuthorizationPolicies) which will be leveraged in the Whereami Namespace.
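The two security decisions above (an enforced Pod Security Standards level on the Namespace, and a RepoSync RoleBinding limited to the edit ClusterRole) are easy to lose in a later edit of the configs repo. The following added example, which is not part of the workshop, is an offline lint script you could run before the git push in the next step or in CI: it checks every namespace.yaml under repo-syncs for an enforced baseline or restricted level, and every repo-sync-role-binding.yaml for a roleRef name on a small allowlist (edit by default; the ALLOWED_ROLES variable and the sample manifests below are constructed for the demonstration).

```shell
#!/bin/sh
# Added example, not part of the workshop: offline lint for the manifests this
# section writes into the GKE configs repo. Run it before "git push" or in CI.
#  1. every Namespace manifest must enforce a Pod Security Standards level;
#  2. every RepoSync RoleBinding must reference a roleRef.name on the allowlist
#     (never cluster-admin).
PSS_LEVELS='baseline|restricted'
ALLOWED_ROLES="${ALLOWED_ROLES:-edit}"   # space-separated allowlist (assumption)

# 0 if the Namespace manifest carries pod-security.kubernetes.io/enforce with an accepted level.
check_namespace_pss() {
  grep -Eq "^[[:space:]]+pod-security\.kubernetes\.io/enforce:[[:space:]]*(${PSS_LEVELS})[[:space:]]*$" "$1"
}

# Print roleRef.name of a RoleBinding (only the "name:" under "roleRef:", not metadata/subjects).
rolebinding_roleref_name() {
  awk '
    /^roleRef:/            { inref = 1; next }
    inref && /^[^ ]/       { inref = 0 }
    inref && $1 == "name:" { print $2; exit }
  ' "$1"
}

# 0 if the RoleBinding's roleRef.name is in ALLOWED_ROLES.
check_rolebinding_least_privilege() {
  ref=$(rolebinding_roleref_name "$1")
  [ -n "$ref" ] || return 1
  for allowed in $ALLOWED_ROLES; do
    [ "$ref" = "$allowed" ] && return 0
  done
  return 1
}

# Lint every <dir>/<namespace>/namespace.yaml and repo-sync-role-binding.yaml; 0 only if all pass.
lint_repo_syncs_dir() {
  rc=0
  for f in "$1"/*/namespace.yaml; do
    [ -f "$f" ] || continue
    check_namespace_pss "$f" || { echo "FAIL: $f lacks an enforced PSS level" >&2; rc=1; }
  done
  for f in "$1"/*/repo-sync-role-binding.yaml; do
    [ -f "$f" ] || continue
    check_rolebinding_least_privilege "$f" \
      || { echo "FAIL: $f binds '$(rolebinding_roleref_name "$f")', allowed: $ALLOWED_ROLES" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample tree: one compliant namespace (whereami) and one counter-example
# (too-broad: no PSS label, cluster-admin binding). Prints the directory it created.
write_sample_manifests() {
  d=$(mktemp -d)
  mkdir -p "$d/whereami" "$d/too-broad"
  cat <<'EOF' > "$d/whereami/namespace.yaml"
apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
    pod-security.kubernetes.io/enforce: baseline
  name: whereami
EOF
  cat <<'EOF' > "$d/whereami/repo-sync-role-binding.yaml"
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: repo-sync
  namespace: whereami
subjects:
- kind: ServiceAccount
  name: ns-reconciler-whereami
  namespace: config-management-system
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
  cat <<'EOF' > "$d/too-broad/namespace.yaml"
apiVersion: v1
kind: Namespace
metadata:
  name: too-broad
EOF
  cat <<'EOF' > "$d/too-broad/repo-sync-role-binding.yaml"
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: repo-sync
  namespace: too-broad
subjects:
- kind: ServiceAccount
  name: ns-reconciler-too-broad
  namespace: config-management-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
  echo "$d"
}
```

Against the real repository you would call lint_repo_syncs_dir "${WORK_DIR}$GKE_CONFIGS_DIR_NAME/repo-syncs" and stop the push on a non-zero exit; the awk walk only reads the name under roleRef, so a ServiceAccount subject named edit or cluster-admin cannot fool the check.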
Deploy Kubernetes manifests
cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/
git add . && git commit -m "Configure Config Sync for Whereami" && git push origin main
Check deployments
List the Kubernetes resources managed by Config Sync in the GKE cluster for the GKE cluster configs repository.
Run this command and open the link it prints:
echo -e "https://console.cloud.google.com/kubernetes/config_management/packages?project=${TENANT_PROJECT_ID}"
Wait until you see the Sync status column as Synced and the Reconcile status column as Current.
Run this command:
gcloud alpha anthos config sync repo describe \
--project $TENANT_PROJECT_ID \
--managed-resources all \
--sync-name root-sync \
--sync-namespace config-management-system
Wait and re-run the command above until you see "status": "SYNCED".
List the GitHub runs for the GKE cluster configs repository:
cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME && gh run list