flanksource
diff --git a/‎.editorconfig‎
Lines changed: 1 addition & 1 deletion b/‎.editorconfig‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎common/src/components/Helm.jsx‎
Lines changed: 20 additions & 19 deletions b/‎common/src/components/Helm.jsx‎
Lines changed: 20 additions & 19 deletions
diff --git a/‎mission-control/docs/installation/_aws_iam.mdx‎
Lines changed: 79 additions & 79 deletions b/‎mission-control/docs/installation/_aws_iam.mdx‎
Lines changed: 79 additions & 79 deletions
diff --git a/‎mission-control/docs/installation/_gke_iam.mdx‎
Lines changed: 124 additions & 0 deletions b/‎mission-control/docs/installation/_gke_iam.mdx‎
Lines changed: 124 additions & 0 deletions
@@ -1,4 +1,4 @@
-[*.{md,js,ts,jsx}]
+[*.{md,mdx,js,ts,jsx}]
 quote_type = single
 indent_size = 2
 end_of_line = lf
 
@@ -76,39 +76,40 @@ export default function Helm({
     {createNamespace && `apiVersion: v1
 kind: Namespace
 metadata:
-name: ${namespace}
+  name: ${namespace}
 ---
 ` || ""}
     {createRepo && `apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-name: ${repoName}
-namespace: ${namespace}
+  name: ${repoName}
+  namespace: ${namespace}
 spec:
-interval: 5m0s
-url: ${repo}
+  interval: 5m0s
+  url: ${repo}
 ---
 ` || ""}
     {`apiVersion:  helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-name: ${chart}
-namespace: ${namespace}
-spec:
-chart:
-spec:
-chart: ${chart}
-sourceRef:
-  kind: HelmRepository
-  name: ${repoName}
+  name: ${chart}
   namespace: ${namespace}
-interval: 1m
+spec:
+  chart:
+    spec:
+      chart: ${chart}
+      sourceRef:
+        kind: HelmRepository
+        name: ${repoName}
+        namespace: ${namespace}
+  interval: 5m
 `}
-    {valueFile || values && "values:\n"}
-    {valueFile && valueFile.replace(/^/gm, '   ')}
+
+    {(valueFile || values) && "values:\n"}
     {values && Object.keys(values).map((k) => {
-      return `    ${k}: ${values[k]}\n`
-    }).join("")}
+      return `  ${k}: ${values[k]}`
+    }).join("\n")}
+    {valueFile && valueFile.split('\n').map(line => `  ${line}\n`).join('')}
   </CodeBlock>;
 
 
 
@@ -73,85 +73,85 @@ You can also create a new policy with only the permissions required by Mission C
 ## Configure IAM Roles for Mission Control
 
 <Tabs>
-<TabItem label="IAM Roles for Service Accounts" value="IRSA">
-
-<Tabs>
-<TabItem label="eksctl" value="cli">
-2. Setup variables
-	```bash
-	# The name of the EKS cluster mission control is being deployed to
-	export CLUSTER= <CLUSTER_NAME>
-	# the default namespace the mission-control helm chart uses
-	export NAMESPACE=mission-control
-	export ACCOUNT=$(aws sts get-caller-identity  --query 'Account' --output text)
-	```
-	<p/>
-
-1. Enable [EKS IAM Roles for Service Accounts](https://eksctl.io/usage/iamserviceaccounts/)
-
-   ```bash
-   eksctl utils associate-iam-oidc-provider --cluster=$CLUSTER
-   ```
-
-   <p />
-
-2. Create the IAM Role mappings
-
-   ```yaml title="eksctl.yaml"
-   iam:
-   	withOIDC: true
-   	serviceAccounts:
-   	- metadata:
-   			name: mission-control-sa
-   			namespace: mission-control
-   		roleName: MissionControlRole
-   		roleOnly: true
-   		attachPolicyARNs:
-   		- "arn:aws:iam::aws:policy/ReadOnlyAccess"
-   	- metadata:
-   			name: canary-checker-sa
-   			namespace: mission-control
-   		roleName: CanaryCheckerRole
-   		roleOnly: true
-   		attachPolicyARNs:
-   		- "arn:aws:iam::aws:policy/ReadOnlyAccess"
-   	- metadata:
-   			name: config-db-sa
-   			namespace: mission-control
-   		roleName: ConfigDBRole
-   		roleOnly: true
-   		attachPolicyARNs:
-   		- "arn:aws:iam::aws:policy/ReadOnlyAccess"
-
-   ```
-
-   ```bash
-   eksctl create iamserviceaccount --cluster $CLUSTER -c eksctl.yaml
-   ```
-
-3. <Domain />
-
-4. Install Mission Control
-
-	<Helm chart={props.chart} values={props.values} valueFile={`
-	serviceAccount:
-		annotations:
-			# used by mission control for notifications / playbooks
-			eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/MissionControlRole
-
-	canary-checker:
-		serviceAccount:
-			annotations:
-				# used for cloudwatch, S3 and other AWS health checks
-				eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/CanaryCheckerRole
-
-	config-db:
-		serviceAccount:
-			annotations:
-				# used to scrape AWS resources, change history via AWS CloudTrail and cost via Athena
-				eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/ConfigDBRole`}   />
-
-</TabItem>
+  <TabItem label="IAM Roles for Service Accounts" value="IRSA">
+
+    <Tabs>
+      <TabItem label="eksctl" value="cli">
+        2. Setup variables
+            ```bash
+            # The name of the EKS cluster mission control is being deployed to
+            export CLUSTER= <CLUSTER_NAME>
+            # the default namespace the mission-control helm chart uses
+            export NAMESPACE=mission-control
+            export ACCOUNT=$(aws sts get-caller-identity  --query 'Account' --output text)
+            ```
+            <p/>
+
+        1. Enable [EKS IAM Roles for Service Accounts](https://eksctl.io/usage/iamserviceaccounts/)
+
+           ```bash
+           eksctl utils associate-iam-oidc-provider --cluster=$CLUSTER
+           ```
+
+           <p />
+
+        2. Create the IAM Role mappings
+
+           ```yaml title="eksctl.yaml"
+           iam:
+            withOIDC: true
+            serviceAccounts:
+            - metadata:
+                    name: mission-control-sa
+                    namespace: mission-control
+                roleName: MissionControlRole
+                roleOnly: true
+                attachPolicyARNs:
+                - "arn:aws:iam::aws:policy/ReadOnlyAccess"
+            - metadata:
+                    name: canary-checker-sa
+                    namespace: mission-control
+                roleName: CanaryCheckerRole
+                roleOnly: true
+                attachPolicyARNs:
+                - "arn:aws:iam::aws:policy/ReadOnlyAccess"
+            - metadata:
+                    name: config-db-sa
+                    namespace: mission-control
+                roleName: ConfigDBRole
+                roleOnly: true
+                attachPolicyARNs:
+                - "arn:aws:iam::aws:policy/ReadOnlyAccess"
+
+           ```
+
+           ```bash
+           eksctl create iamserviceaccount --cluster $CLUSTER -c eksctl.yaml
+           ```
+
+        3. <Domain />
+
+        4. Install Mission Control
+
+            <Helm chart={props.chart} values={props.values} valueFile={`
+            serviceAccount:
+              annotations:
+                # used by mission control for notifications / playbooks
+                eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/MissionControlRole
+
+            canary-checker:
+              serviceAccount:
+                annotations:
+                  # used for cloudwatch, S3 and other AWS health checks
+                  eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/CanaryCheckerRole
+
+            config-db:
+              serviceAccount:
+                annotations:
+                  # used to scrape AWS resources, change history via AWS CloudTrail and cost via Athena
+                  eks.amazonaws.com/role-arn: arn:aws:iam::$ACCOUNT:role/ConfigDBRole`}   />
+
+       </TabItem>
 </Tabs>
 
 </TabItem>
 
@@ -0,0 +1,124 @@
+import Domain from '@site/docs/partials/_domain.mdx'
+
+## Create an IAM Role
+
+Depending on how you want to use Mission Control you need to create an IAM role for mission control to use:
+
+| Use Case                                     | Role           |
+| -------------------------------------------- | ---------------|
+| Read Only Scraping                           | `roles/viewer` |
+| Playbooks to create and update GCP Resources | `roles/editor` |
+
+## Configure IAM Roles for Mission Control
+
+<Tabs>
+  <TabItem label="Workload Identity" value="Workload Identity">
+
+    <Tabs>
+      <TabItem label="Bind policy to service account" value="federation">
+
+        You can also refer the official docs for [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+
+        1. Enable workload identity
+            ```bash
+            # The name of the GKE cluster mission control is being deployed to
+            export CLUSTER=<CLUSTER_NAME>
+            # the default namespace the mission-control helm chart uses
+            export NAMESPACE=mission-control
+            # GCP Project ID
+            export PROJECT_ID=gcp-project-id
+            # GCP Project Number
+            export PROJECT_NUMBER=gcp-project-number
+            # Location of GKE Cluster
+            LOCATION=us-east1
+
+            gcloud container clusters update $CLUSTER \
+                --location=$LOCATION \
+                --workload-pool=PROJECT_ID.svc.id.goog
+            ```
+            <p/>
+
+        2. Bind IAM Policy
+
+           The `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control-sa`, `canary-checker-sa` and `config-db-sa`
+
+            ```bash
+            gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
+                --role=$ROLE \
+                --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/mission-control-sa \
+                --condition=None
+
+            gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
+                --role=$ROLE \
+                --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/canary-checker-sa \
+                --condition=None
+
+            gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
+                --role=$ROLE \
+                --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/config-db-sa \
+                --condition=None
+            ```
+            <p/>
+
+        3. <Domain />
+
+        4. Install Mission Control
+
+            <Helm chart={props.chart}  values={props.values}/>
+
+       </TabItem>
+
+
+<TabItem label="Allow ServiceAccount to impresonate IAM Role" value="impersonate">
+
+You can also refer the official docs: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+1. Create a new IAM ServiceAccount
+
+   ```bash
+    gcloud iam service-accounts create $IAM_SA_NAME \
+        --project=$IAM_SA_PROJECT_ID
+   ```
+	 <p/>
+
+2. Bind GCP Service Account to IAM Role
+
+    ```bash
+    gcloud projects add-iam-policy-binding $IAM_SA_PROJECT_ID \
+    --member "serviceAccount:$IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com" \
+    --role "$ROLE_NAME"
+    ```
+3. Create an IAM allow policy that gives the Kubernetes ServiceAccount access to impersonate the IAM service account:
+
+   The `$KSA_NAME` refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: `mission-control`, `canary-checker` and `config-db`
+
+   ```bash
+    gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com \
+        --role roles/iam.workloadIdentityUser \
+        --member "serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/$KSA_NAME]"
+   ```
+
+4. Install Mission Control
+    <Helm chart={props.chart} values={props.values} valueFile={`
+    serviceAccount:
+      annotations:
+        iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
+
+    canary-checker:
+      serviceAccount:
+        annotations:
+          iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
+
+    config-db:
+      serviceAccount:
+        annotations:
+          iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
+    `}/>
+
+
+5. <Domain/>
+</TabItem>
+</Tabs>
+
+
+</TabItem>
+</Tabs>
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-[*.{md,js,ts,jsx}]`
	`1`	`+[*.{md,mdx,js,ts,jsx}]`
`2`	`2`	`quote_type = single`
`3`	`3`	`indent_size = 2`
`4`	`4`	`end_of_line = lf`