Fix/update acm asm #50
Updating the fork
Hi @dkassab Thanks for the PR
The missing required argument was fixed in PR #40
- There are some changes that need to be reverted, which are the ones related to `gcr.io/bank-of-anthos`; they are marked individually in the files. The text `gcr.io/bank-of-anthos` is replaced automatically in step 7.
- It would help the user if all the variables that depend on the output of previous steps would be defined in the `define-required-environment-variables` section. For example, these variables could be moved to the section:
  ```
  export CICD_PROJECT_ID=YOUR_CICD_PROJECT_ID
  ```
  and
  ```
  export SQL_PROJECT_ID=YOUR_SQL_PROJECT_ID
  export SQL_INSTANCE_NAME_WEST=YOUR_SQL_INSTANCE_NAME_WEST
  export SQL_INSTANCE_NAME_EAST=YOUR_SQL_INSTANCE_NAME_EAST
  ```
- We have three project IDs in the README.md for step 6 and it would help the user if they were consistently named in the environment variable and in the replace tokens inside the yaml files:
  - the GKE project ID:
    - PROJECT_ID -> GKE_PROJECT_ID (env var)
    - PROJECT_ID -> GKE_PROJECT_ID (yaml)
  - the CI/CD project ID
    - PROJECT_ID -> CICD_PROJECT_ID (env var)
    - PROJECT_ID -> CICD_PROJECT_ID (yaml)
  - the SQL project ID
    - SQL_PROJECT_ID -> SQL_PROJECT_ID (env var) (keep)

  For example, this command at the end of the readme
  ```
  gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[transactions/transactions]" \
  boa-gsa@$PROJECT_ID.iam.gserviceaccount.com
  ```
  should be using
  - PROJECT_ID -> GKE_PROJECT_ID

  since the `boa-gsa` service account is created in the GKE project.
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info.

@googlebot I consent.

Fixes in c599738

@dkassab and @daniel-cit
P.S Also a lot of files in the

Fixes #51

LGTM
This version has many improvements but there are still a few issues to fix
1. Creates a secret that grants access to the Kube API Server for cluster 1 | ||
```console | ||
``` | ||
./istioctl x create-remote-secret \ |
./istioctl x create-remote-secret \ | |
istioctl x create-remote-secret \ |
It may be valuable to keep `./`. If the user has an older version of istioctl in PATH then it may error out with these configs
1. In a similar manner, create a secret that grants access to the Kube API Server for cluster 2 | ||
```console | ||
``` | ||
./istioctl x create-remote-secret \ |
./istioctl x create-remote-secret \ | |
istioctl x create-remote-secret \ |
-C "GIT_REPO_USERNAME" | ||
-N '' | ||
|
||
Don't forget to upload the public key "~/.ssh/id_rsa.pub" to your repository. For cloud source repository, see [this link](https://cloud.google.com/source-repositories/docs/authentication) |
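Review bot: the `-N ''` line creates the key with an empty passphrase, and the reminder that follows points at `~/.ssh/id_rsa.pub`, the default key location, so this step writes to or reuses the operator's personal SSH key. Suggest generating a dedicated key for the config repository with an explicit `-f` path and referring to that file in the upload reminder, so the key that later goes into the cluster secrets is not the user's everyday key.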
is this repo in the CICD_PROJECT_ID ?
#### root config repo | ||
This repository is the root repository that host cluster-scoped and namespace-scoped configs for the bank of anthos application, such as resource policies, network polices and security policies. | ||
1. Clone the `root-config-repo` that was created through the infrastructure pipeline | ||
``` | ||
gcloud source repos clone root-config-repo --project ${CICD_PROJECT_ID} |
I got:
gcloud source repos clone root-config-repo --project ${CICD_PROJECT_ID}
WARNING: You are using a Google-hosted repository with a
git version 1.8.3.1
which is older than 2.0.1. If you upgrade
to 2.0.1 or later, gcloud can handle authentication to
this repository. Otherwise, to authenticate, use your Google
account and the password found by running the following command.
$ gcloud auth print-access-token
and I had to use as user boa-gce-bastion-d-sa@prj-bu1-d-boa-gke-04d8.iam.gserviceaccount.com
and the password generated by gcloud auth print-access-token
# On Cluster 2 | ||
kubectl create secret generic git-creds --namespace=transactions --context ${CTX_2} --from-file=ssh="${HOME}/.ssh/id_rsa" | ||
|
||
kubectl create secret generic git-creds --namespace=accounts --context ${CTX_2} --from-file=ssh="${HOME}/.ssh/id_rsa" |
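Review bot: both `kubectl create secret` lines load `${HOME}/.ssh/id_rsa`, the operator's default private key, into `git-creds` in the `transactions` and `accounts` namespaces, so anything that can read secrets in either namespace obtains the same key. Suggest using a key created only for repository access, with read-only rights on the repo, and stating in the README that each namespace must already exist on `${CTX_2}` before this step.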
failed with
error: failed to create secret namespaces "accounts" not found
It works after fixing
kubectl apply --context=${CTX_2} -f ${HOME}/terraform-example-foundation-app/6-anthos-install/acm-configs/config-management-west.yaml
|
||
kubectl create secret generic git-creds --namespace=accounts --context ${CTX_2} --from-file=ssh="${HOME}/.ssh/id_rsa" | ||
|
||
kubectl create secret generic git-creds --namespace=frontend --context ${CTX_2} --from-file=ssh="${HOME}/.ssh/id_rsa" |
failed with
error: failed to create secret namespaces "frontend" not found
It works after fixing
kubectl apply --context=${CTX_2} -f ${HOME}/terraform-example-foundation-app/6-anthos-install/acm-configs/config-management-west.yaml
|
||
1. Run script to populate database ledger | ||
``` | ||
kubectl apply -n transactions --context ${CTX_1} -f ${HOME}/terraform-example-foundation-app/6-anthos-install/db-scripts/populate-ledger-db.yaml |
The file ${HOME}/terraform-example-foundation-app/6-anthos-install/db-scripts/populate-ledger-db.yaml does not exist
|
||
kubectl apply --context=${CTX_2} -f ${HOME}/terraform-example-foundation-app/acm-config/root-sync.yaml | ||
kubectl apply -n transactions --context ${CTX_2} -f ${HOME}/terraform-example-foundation-app/6-anthos-install/db-scripts/populate-ledger-db.yaml |
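Review bot: the `root-sync.yaml` path on the first line is `${HOME}/terraform-example-foundation-app/acm-config/`, without the `6-anthos-install/` prefix that the `populate-ledger-db.yaml` line directly below it uses. Please confirm that directory exists at the repository root or align the two paths, so the command does not fail on a missing file.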
The file ${HOME}/terraform-example-foundation-app/6-anthos-install/db-scripts/populate-ledger-db.yaml does not exist
the populate script is in the Bank of Anthos repo
Co-authored-by: Daniel Andrade <dandrade@ciandt.com>
Updating documentation and fixing formatting issues.