
Feat: Update KCC setup for private cluster #53

Merged
merged 8 commits into from
Sep 15, 2023

Conversation

borkodjurkovic-ssc

Changes:

  • Updated setup-kcc.sh:
    • Added firewall rules for ubuntu OS updates (Allow egress to IP addresses for northamerica-northeast1-a.gce.clouds.archive.ubuntu.com, us-east1.gce.archive.ubuntu.com, security.ubuntu.com)
    • Added project level allow policy to enable VPC peering to Google owned organization. This is required for GKE / Anthos control plane access.
    • Updated Anthos config controller to be a private cluster
    • Removed setting up of git-creds and root-sync. Since the config controller cluster is private, this cannot be done at this point. A bastion host / proxy needs to be first provisioned to enable connectivity to the cluster's private endpoint.
  • Added a short README file.
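The first two bullet points above (narrow egress for the Ubuntu mirrors, keeping the private cluster's egress tight) as a runnable sketch. This is an added example, not the repository's setup-kcc.sh: it resolves the mirror hostnames named in the PR to /32 ranges, prints the gcloud command for a least-privilege EGRESS ALLOW rule, and audits a list of existing rules for ones that open egress to the whole internet. The rule name `allow-egress-ubuntu-mirrors`, the target tag `kcc-node`, and the tab-separated input format of `broad_egress_rules` are assumptions; NETWORK and PROJECT_ID are expected from kcc.env.

```shell
#!/usr/bin/env bash
# Added example, not the repository's setup-kcc.sh. Assumes gcloud is
# installed and NETWORK / PROJECT_ID are exported from kcc.env. The rule
# name and target tag below are hypothetical placeholders.
set -eu

# Mirror hostnames from the PR description.
UBUNTU_MIRRORS="northamerica-northeast1-a.gce.clouds.archive.ubuntu.com \
us-east1.gce.archive.ubuntu.com security.ubuntu.com"

# Resolve hostnames to a sorted, de-duplicated, comma-separated list of /32s.
# Mirror addresses change over time, so re-run this whenever the rule is
# refreshed rather than hard-coding the IPs.
resolve_ranges() {
  for host in "$@"; do
    getent ahostsv4 "$host" | awk '{print $1}'
  done | sort -u | sed 's|$|/32|' | paste -sd, -
}

# Print (do not run) the gcloud command for an EGRESS ALLOW rule limited to
# the resolved ranges and to http/https. $1 name, $2 network, $3 ranges, $4 tag.
egress_rule_cmd() {
  printf 'gcloud compute firewall-rules create %s --project=%s --network=%s' \
    "$1" "${PROJECT_ID:-PROJECT_ID}" "$2"
  printf ' --direction=EGRESS --action=ALLOW --rules=tcp:80,tcp:443'
  printf ' --destination-ranges=%s --target-tags=%s\n' "$3" "$4"
}

# Read lines of "NAME<tab>DIRECTION<tab>RANGES" (assumed to match
# gcloud compute firewall-rules list --format='value(name,direction,destinationRanges.list())')
# and print the names of EGRESS rules whose destination includes 0.0.0.0/0.
broad_egress_rules() {
  awk '$2 == "EGRESS" && $3 ~ /(^|,)0\.0\.0\.0\/0(,|$)/ { print $1 }'
}

# Dry run when NETWORK is set; otherwise describe how to use the script.
if [ -n "${NETWORK:-}" ]; then
  RANGES=$(resolve_ranges $UBUNTU_MIRRORS)
  egress_rule_cmd "allow-egress-ubuntu-mirrors" "$NETWORK" "$RANGES" "kcc-node"
else
  echo "export NETWORK and PROJECT_ID from kcc.env to print the rule command" >&2
fi
```

Pipe the output of the gcloud list query into `broad_egress_rules` after the run; any name it prints is an egress rule that undermines the narrow allow list the PR adds.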

…etting up of git-creds and root-sync. Updated anthos controller to be a private cluster. Added README file.
@borkodjurkovic-ssc borkodjurkovic-ssc changed the title Update KCC setup for private cluster Sep 12, 2023
…configure-kcc-access.sh script. Updated README.

@davelanglois-ssc davelanglois-ssc left a comment


I like it, please address my comments


@alaincormier-ssc alaincormier-ssc left a comment


LGTM
well done

reminder for release-please to trigger, edit the commit message with proper suffix before merging, i.e.
feat: Update KCC setup for private cluster


@lucstjean-ssc lucstjean-ssc left a comment


/lgtm Borko!

@fmichaelobrien

Validated GKE cluster with public endpoint

rerun setup-kcc.sh with -p public ip option

see

export CLUSTER=kcc-oi2
export REGION=northamerica-northeast1
export PROJECT_ID=kcc-oi2-cluster
export LZ_FOLDER_NAME=kcc-lz-20230928b
export NETWORK=kcc-oi2-vpc
export SUBNET=kcc-oi2-sn

michael@cloudshell:~/kcc-oi/github/gcp-tools/scripts/bootstrap (kcc-oi)$ ./setup-kcc.sh -afp kcc.env

1644 - estimate 1700 kcc-oi2 cluster up
##INFO - Create Config controller

Create request issued for: [kcc-oi2]
Waiting for operation [projects/kcc-oi2-cluster/locations/northamerica-northeast1/operations/operation-1695933801715-606715bd057e8-f452780e-92d1cb2e] to complete...working..

fix

michael@cloudshell:~/kcc-oi/github/gcp-tools/scripts/bootstrap (kcc-oi)$ ./setup-kcc.sh -afp kcc.env
aiting for operation [projects/kcc-oi2-cluster/locations/northamerica-northeast1/operations/operation-1695933801715-606715bd057e8-f452780e-92d1cb2e] to complete...done.                                    
Created instance [kcc-oi2].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc-oi2.

##INFO - Config controller get credentials

Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc-oi2.

##WARNING - configure-kcc-access.sh script should be run once connectivity to the cluster is established using bastion host / proxy.
ichael@cloudshell:~/kcc-oi/github/gcp-tools/scripts/bootstrap (kcc-oi2-cluster)$ kubectl get nodes
NAME                                                STATUS   ROLES    AGE     VERSION
gk3-krmapihost-kcc-oi2-default-pool-6fc83c0e-ss20   Ready    <none>   9m12s   v1.27.3-gke.100
gk3-krmapihost-kcc-oi2-pool-1-28f0e374-tzw8         Ready    <none>   3m43s   v1.27.3-gke.100
gk3-krmapihost-kcc-oi2-pool-1-ae2f0850-4kmt         Ready    <none>   7m32s   v1.27.3-gke.100
gk3-krmapihost-kcc-oi2-pool-1-c9c2a582-9sdc         Ready    <none>   2m47s   v1.27.3-gke.100

cluster up with no admissions endpoint (has both public and private endpoints)
[Two screenshots attached, taken 2023-09-28 at 5:03 PM and 5:09 PM]

@obriensystems

obriensystems commented Oct 20, 2023

editupdate: found them in the new 2nd script

https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/configure-kcc-access.sh#L35

Issue is that the access script assumes rootsync usage - it leaves out the kpt option. I recommend we put the yakima service account role additions back to the generic setup script.

@obriensystems

obriensystems commented Oct 20, 2023

.
