From 320b9ecbc11ddab92d7bc97e154ceb4f3b6c62b2 Mon Sep 17 00:00:00 2001
From: Vedant Thapa <43611693+vedantthapa@users.noreply.github.com>
Date: Tue, 11 Jun 2024 14:53:04 -0400
Subject: [PATCH] Add canary test record sets (#81)

* feat: add command to create ip address
* feat: remove ip address command and add permissions for sa to create addresses
* feat: add canary-ip resource
* feat: add canary record sets
* fix: add required labels and annotations
* fix: remove blank lines for yamllint
* fix: update managedZoneRef to be external
* fix: file name in kustomization
* feat: move canary-gc-ca.yaml to ./k8s/components/infrastructure
---
 .../cloud-shell-infra-init.sh | 7 +
 .../infrastructure/canary-gc-ca.yaml | 333 ++++++++++++++++++
 k8s/components/infrastructure/canary-ip.yaml | 12 +
 .../infrastructure/kustomization.yaml | 2 +
 4 files changed, 354 insertions(+)
 create mode 100644 k8s/components/infrastructure/canary-gc-ca.yaml
 create mode 100644 k8s/components/infrastructure/canary-ip.yaml
diff --git a/infra-deployment-scripts/cloud-shell-infra-init.sh b/infra-deployment-scripts/cloud-shell-infra-init.sh
index f1f8be8..2ca6b98 100644
--- a/infra-deployment-scripts/cloud-shell-infra-init.sh
+++ b/infra-deployment-scripts/cloud-shell-infra-init.sh
@@ -54,6 +54,12 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
 --role "roles/dns.admin" \
 --project "${GOOGLE_CLOUD_PROJECT}"
+# Add IAM policy binding for managing compute ips
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+ --member "serviceAccount:sa-${GOOGLE_CLOUD_PROJECT}-phac-dns@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
+ --role "roles/compute.publicIpAdmin" \
+ --project "${GOOGLE_CLOUD_PROJECT}"
+
 gcloud iam service-accounts add-iam-policy-binding \ py base gcloud pht-scienceportal "sa-${GOOGLE_CLOUD_PROJECT}-phac-dns@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" \
 --member="serviceAccount:${GOOGLE_CLOUD_PROJECT}.svc.id.goog[cnrm-system/cnrm-controller-manager-dns]" \
@@ -84,3 +90,4 @@ gcloud container clusters create-auto "${GOOGLE_CLOUD_PROJECT}-phac-dns" \
 --subnetwork="projects/${GOOGLE_CLOUD_PROJECT}/regions/northamerica-northeast1/subnetworks/${GOOGLE_CLOUD_PROJECT}-vpc-01-sub-01" \
 --project=${GOOGLE_CLOUD_PROJECT} \
 --service-account="sa-${GOOGLE_CLOUD_PROJECT}-gke@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com"
+
diff --git a/k8s/components/infrastructure/canary-gc-ca.yaml b/k8s/components/infrastructure/canary-gc-ca.yaml
new file mode 100644
index 0000000..cb6afae
--- /dev/null
+++ b/k8s/components/infrastructure/canary-gc-ca.yaml
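Review bot: The new binding grants `roles/compute.publicIpAdmin` to `sa-${GOOGLE_CLOUD_PROJECT}-phac-dns` at project scope, which covers every regional and global address in the project rather than only the single `canary-ip` ComputeAddress this PR introduces, and the same account already holds `roles/dns.admin` (context line above), so it can now both reserve public IPs and publish records for them. The one-line comment does not say who consumes the grant or why a predefined project-wide role was chosen, which is what a later reviewer needs to decide whether it can be narrowed; suggest `# Config Connector (cnrm-system/cnrm-controller-manager-dns, bound below) reconciles the canary-ip ComputeAddress; publicIpAdmin is presumably the smallest predefined role carrying compute.addresses create/delete`. Whether a custom role limited to addresses would suffice cannot be judged from this hunk. The surrounding script continues before and after the hunk.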
@@ -0,0 +1,333 @@
+# These record sets are meant for internally testing domains
+# _
+# _ __ | |__ __ _ ___ __ _ ___ _ __ ___
+# | '_ \| '_ \ / _` |/ __|____ / _` / __| '_ \ / __|
+# | |_) | | | | (_| | (_|_____| (_| \__ \ |_) | (__
+# | .__/|_| |_|\__,_|\___| \__,_|___/ .__/ \___|
+# |_| |_|
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-beta-phac-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.beta.phac-aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: beta-phac-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-alpha-phac-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.alpha.phac-aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: alpha-phac-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-api-ipa-phac-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.api-ipa.phac-aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: api-ipa-phac-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-data-donnees-phac-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.data-donnees.phac-aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: data-donnees-phac-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-open-ouvert-phac-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.open-ouvert.phac-aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: open-ouvert-phac-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+# _
+# _ __ | |__ __ _ ___
+# | '_ \| '_ \ / _` |/ __|
+# | |_) | | | | (_| | (__
+# | .__/|_| |_|\__,_|\___|
+# |_|
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-beta-phac
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.beta.phac.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: beta-phac-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-alpha-phac
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.alpha.phac.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: alpha-phac-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-api-phac
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.api.phac.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: api-phac-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-data-phac
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.data.phac.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: data-phac-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-open-phac
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.open.phac.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: open-phac-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+# __ _ ___ _ __ ___
+# / _` / __| '_ \ / __|
+# | (_| \__ \ |_) | (__
+# \__,_|___/ .__/ \___|
+# |_|
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-beta-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.beta.aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: beta-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-alpha-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.alpha.aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: alpha-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-ipa-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.ipa.aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: ipa-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-donnees-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.donnees.aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: donnees-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
+apiVersion: dns.cnrm.cloud.google.com/v1beta1
+kind: DNSRecordSet
+metadata:
+ name: canary-ouvert-aspc
+ namespace: dns
+ annotations:
+ sourceCodeRepository: "https://github.com/PHACDataHub/phac-dns"
+ labels:
+ controlled-by: "phac-dns"
+ project-name: "phac-dns"
+ project-id: "php-01hhmj81fhp"
+spec:
+ name: "canary.ouvert.aspc.gc.ca."
+ type: A
+ ttl: 300
+ managedZoneRef:
+ external: ouvert-aspc-gc-ca
+ rrdatasRefs:
+ - name: canary-ip
+ kind: ComputeAddress
+---
diff --git a/k8s/components/infrastructure/canary-ip.yaml b/k8s/components/infrastructure/canary-ip.yaml
new file mode 100644
index 0000000..ecb9fba
--- /dev/null
+++ b/k8s/components/infrastructure/canary-ip.yaml
@@ -0,0 +1,12 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeAddress
+metadata:
+ name: canary-ip
+ namespace: dns
+ annotations:
+ cnrm.cloud.google.com/state-into-spec: merge
+spec:
+ description: Static external ip address to test domains internally via nslookup
+ addressType: EXTERNAL
+ location: northamerica-northeast1
+ networkTier: STANDARD
diff --git a/k8s/components/infrastructure/kustomization.yaml b/k8s/components/infrastructure/kustomization.yaml
index 762c4f1..036c875 100644
--- a/k8s/components/infrastructure/kustomization.yaml
+++ b/k8s/components/infrastructure/kustomization.yaml
@@ -16,6 +16,8 @@ resources:
 - open-ouvert-phac-aspc-gc-ca.yaml
 - open-phac-gc-ca.yaml
 - ouvert-aspc-gc-ca.yaml
+ - canary-ip.yaml
+ - canary-gc-ca.yaml
 commonLabels:
 controlled-by: "phac-dns"
 commonAnnotations:
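Review bot: The header comment `# These record sets are meant for internally testing domains` does not tell a maintainer what makes these fifteen records safe to edit: every one is an `A` record on a public gc.ca zone whose data comes from the same `canary-ip` ComputeAddress via `rrdatasRefs`, so repointing or deleting one silently breaks the delegation check for that zone, and the address itself appears to serve no traffic (its own description mentions only nslookup). Suggest replacing the first line with `# Canary A records, one per delegated zone, all resolving to the canary-ip ComputeAddress so delegation can be checked with nslookup; the address serves no workload.` The file also ends with a bare `---` after the last document, which opens an empty trailing document; the separators between documents already satisfy yamllint, so drop the final one. The `controlled-by`/`project-name`/`project-id` labels and the `sourceCodeRepository` annotation are repeated in all fifteen documents even though kustomization.yaml sets `commonLabels` (and presumably `commonAnnotations`) for this directory; if they are kept so the file can be applied standalone, say so in the header.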
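Review bot: `canary-ip` is the one resource in this PR that carries none of the `controlled-by`/`project-name`/`project-id` labels or the `sourceCodeRepository` annotation that every record set in canary-gc-ca.yaml declares, yet a reserved public address is the asset most worth tracing back to this repository, since an address released or reassigned while records still point at it is how stale public records arise. Kustomize `commonLabels` will presumably add `controlled-by`, but the other two labels and the annotation are missing here; add the same `labels:` block (controlled-by, project-name, project-id) and the `sourceCodeRepository` annotation under `metadata` so the address matches the rest of the component. The `description` could also name the consumers, e.g. `description: Static external IP resolved by the canary.* A records in canary-gc-ca.yaml; serves no workload`.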