Splitting init scripts

docs/examples/cloudstoragesource/README.md

@@ -40,7 +40,7 @@ Notifications for when a new object is added to Google Cloud Storage (GCS).
       1. Use `curl` to fetch the email:
 
       ```shell
-      export GCS_SERVICE_ACCOUNT=`curl -s -X GET -H "Authorization: Bearer \`GOOGLE_APPLICATION_CREDENTIALS=./cloudrunevents-pullsub.json gcloud auth application-default print-access-token\`" "https://www.googleapis.com/storage/v1/projects/$PROJECT_ID/serviceAccount" | grep email_address | cut -d '"' -f 4`
+      export GCS_SERVICE_ACCOUNT=`curl -s -X GET -H "Authorization: Bearer \`GOOGLE_APPLICATION_CREDENTIALS=./cre-pubsub.json gcloud auth application-default print-access-token\`" "https://www.googleapis.com/storage/v1/projects/$PROJECT_ID/serviceAccount" | grep email_address | cut -d '"' -f 4`
       ```
 
       1. Then grant rights to that Service Account to publish to GCP Pub/Sub.

hack/init_control_plane.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Usage: ./init_control_plane.sh
+# The current project set in gcloud MUST be the same as where the cluster is running.
+
+NAMESPACE=cloud-run-events
+SERVICE_ACCOUNT=cloud-run-events
+PROJECT_ID=$(gcloud config get-value project)
+KEY_TEMP=google-cloud-key.json
+
+# Enable APIs.
+gcloud services enable pubsub.googleapis.com
+gcloud services enable storage-component.googleapis.com
+gcloud services enable storage-api.googleapis.com
+gcloud services enable cloudscheduler.googleapis.com
+gcloud services enable logging.googleapis.com
+gcloud services enable stackdriver.googleapis.com
+
+# Create the service account for the control plane
+gcloud iam service-accounts create ${SERVICE_ACCOUNT}
+
+# Grant permissions to the service account for the control plane to manage native GCP resources.
+gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/pubsub.admin
+gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/storage.admin
+gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/cloudscheduler.admin
+gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/logging.configWriter
+gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/logging.privateLogViewer
+
+# Download a JSON key for the service account.
+gcloud iam service-accounts keys create ${KEY_TEMP} --iam-account=${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com
+
+# Create/Patch the secret with the download JSON key in the control plane namespace
+kubectl -n ${NAMESPACE} create secret generic google-cloud-key --from-file=key.json=${KEY_TEMP} --dry-run -o yaml | kubectl apply --filename -
+
+# Delete the controller pod in the control plane namespace to refresh the created/patched secret
+kubectl delete pod -n ${NAMESPACE} --selector role=controller
+
+# Remove the tmp file.
+rm ${KEY_TEMP}

hack/init_data_plane.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Usage: ./init_data_plane.sh [NAMESPACE]
+#  where [NAMESPACE] is an optional parameter to specify the namespace to use. If it's not specified, we use the default one.
+#                    if the namespace does not exist, the script will create it.
+# The current project set in gcloud MUST be the same as where the cluster is running.
+# The script always uses the same service account called cre-pubsub.
+
+SERVICE_ACCOUNT=cre-pubsub
+KEY_TEMP=google-cloud-key.json
+NAMESPACE=default
+if [[ -z "$1" ]]; then
+  echo "NAMESPACE not provided, using default"
+else
+  NAMESPACE="$1"
+  echo "NAMESPACE provided, using ${NAMESPACE}"
+  kubectl create namespace $NAMESPACE
+fi
+
+# Create the service account for the data plane
+gcloud iam service-accounts create ${SERVICE_ACCOUNT}
+
+# Grant pubsub.editor role to the service account for the data plane to read and/or write to Pub/Sub.
+gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/pubsub.editor
+
+# Download a JSON key for the service account.
+gcloud iam service-accounts keys create ${KEY_TEMP} --iam-account=${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com
+
+# Create the secret with the download JSON key.
+kubectl --namespace $NAMESPACE create secret generic google-cloud-key --from-file=key.json=${KEY_TEMP}
+
+# Label the namespace to inject a Broker.
+kubectl label namespace $NAMESPACE knative-eventing-injection=enabled
+
+# Remove the tmp file.
+rm ${KEY_TEMP}