Set read permisions to k8s to artifactory read

rust-containers-k8s/deployment/inventory-service/values.yaml

@@ -5,14 +5,14 @@
 replicaCount: 1
 
 image:
-  repository: europe-west2-docker.pkg.dev/platform-poc-rust/inventory-service/inventory-service
+  repository: europe-west2-docker.pkg.dev/platform-poc-rust/registry/inventory-service
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: 'latest'
 
 imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+nameOverride: ''
+fullnameOverride: ''
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -23,7 +23,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "kubernetes-service-account"
+  name: 'kubernetes-service-account'
 
 podAnnotations: {}
 podLabels: {}
@@ -47,7 +47,7 @@ service:
 
 ingress:
   enabled: true
-  className: ""
+  className: ''
   annotations:
     {}
     # kubernetes.io/ingress.class: nginx
@@ -102,4 +102,4 @@ tolerations: []
 affinity: {}
 
 sql:
-  instanceConnectionName: "platform-poc-rust:europe-west2:platform-poc-rust-pg"
+  instanceConnectionName: 'platform-poc-rust:europe-west2:platform-poc-rust-pg'

rust-containers-k8s/deployment/notification-service/values.yaml

@@ -5,14 +5,14 @@
 replicaCount: 1
 
 image:
-  repository: europe-west2-docker.pkg.dev/platform-poc-rust/notification-service/notification-service
+  repository: europe-west2-docker.pkg.dev/platform-poc-rust/registry/notification-service
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: 'latest'
 
 imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+nameOverride: ''
+fullnameOverride: ''
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -23,7 +23,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "kubernetes-service-account"
+  name: 'kubernetes-service-account'
 
 podAnnotations: {}
 podLabels: {}
@@ -47,7 +47,7 @@ service:
 
 ingress:
   enabled: true
-  className: ""
+  className: ''
   annotations:
     {}
     # kubernetes.io/ingress.class: nginx

rust-containers-k8s/deployment/order-service/values.yaml

@@ -5,14 +5,14 @@
 replicaCount: 1
 
 image:
-  repository: europe-west2-docker.pkg.dev/platform-poc-rust/order-service/order-service
+  repository: europe-west2-docker.pkg.dev/platform-poc-rust/registry/order-service
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: 'latest'
 
 imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+nameOverride: ''
+fullnameOverride: ''
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -23,7 +23,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "kubernetes-service-account"
+  name: 'kubernetes-service-account'
 
 podAnnotations: {}
 podLabels: {}
@@ -47,7 +47,7 @@ service:
 
 ingress:
   enabled: true
-  className: ""
+  className: ''
   annotations:
     {}
     # kubernetes.io/ingress.class: nginx
@@ -102,7 +102,7 @@ tolerations: []
 affinity: {}
 
 sql:
-  instanceConnectionName: "platform-poc-rust:europe-west2:platform-poc-rust-pg"
+  instanceConnectionName: 'platform-poc-rust:europe-west2:platform-poc-rust-pg'
 
 kafka:
   url: kafka.default.svc.cluster.local:9092

rust-containers-k8s/deployment/product-service/values.yaml

@@ -5,14 +5,14 @@
 replicaCount: 1
 
 image:
-  repository: europe-west2-docker.pkg.dev/platform-poc-rust/product-service/product-service
+  repository: europe-west2-docker.pkg.dev/platform-poc-rust/registry/product-service
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: 'latest'
 
 imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+nameOverride: ''
+fullnameOverride: ''
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -23,7 +23,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: "kubernetes-service-account"
+  name: 'kubernetes-service-account'
 
 podAnnotations: {}
 podLabels: {}
@@ -47,7 +47,7 @@ service:
 
 ingress:
   enabled: true
-  className: ""
+  className: ''
   annotations:
     {}
     # kubernetes.io/ingress.class: nginx
@@ -102,7 +102,7 @@ tolerations: []
 affinity: {}
 
 sql:
-  instanceConnectionName: "platform-poc-rust:europe-west2:platform-poc-rust-pg"
+  instanceConnectionName: 'platform-poc-rust:europe-west2:platform-poc-rust-pg'
 
 kafka:
   url: kafka.default.svc.cluster.local:9092

rust-containers-k8s/infrastructure/cluster/main.tf

@@ -55,6 +55,7 @@ resource "google_project_iam_member" "storage-role" {
   member  = "serviceAccount:${google_service_account.workload-identity-user-sa.email}"
 }
 
+
 output "node_pool_service_account" {
   value = google_service_account.workload-identity-user-sa.email
 }

rust-containers-k8s/infrastructure/kubernetes/main.tf

@@ -42,6 +42,12 @@ resource "kubernetes_service_account" "ksa" {
   }
 }
 
+resource "google_project_iam_member" "download-artifacts-role" {
+  project =  module.shared_vars.project_id
+  role   = "roles/artifactregistry.reader"
+  member  = "serviceAccount:${module.shared_vars.project_id}.svc.id.goog[default/${kubernetes_service_account.ksa.metadata[0].name}]"
+}
+
 resource "kubernetes_secret" "db_secrets" {
   metadata {
     name = "postgres-db-secrets"
@@ -52,4 +58,4 @@ resource "kubernetes_secret" "db_secrets" {
     password = var.pg_password
     database = var.pg_database
   }
-}
+}

rust-containers-k8s/infrastructure/registry/main.tf

@@ -6,46 +6,14 @@ module "shared_vars" {
   source = "../shared"
 }
 
-resource "google_artifact_registry_repository" "inventory-service" {
+resource "google_artifact_registry_repository" "registry" {
   location      = module.shared_vars.region
-  repository_id = "inventory-service"
-  description   = "rust inventory service"
+  repository_id = "registry"
+  description   = "rust service"
   format        = "DOCKER"
 
   docker_config {
-    immutable_tags = true
+    immutable_tags = true 
   }
 }
 
-resource "google_artifact_registry_repository" "notification-service" {
-  location      = module.shared_vars.region
-  repository_id = "notification-service"
-  description   = "rust notification service"
-  format        = "DOCKER"
-
-  docker_config {
-    immutable_tags = true
-  }
-}
-
-resource "google_artifact_registry_repository" "order-service" {
-  location      = module.shared_vars.region
-  repository_id = "order-service"
-  description   = "rust order service"
-  format        = "DOCKER"
-
-  docker_config {
-    immutable_tags = true
-  }
-}
-
-resource "google_artifact_registry_repository" "product-service" {
-  location      = module.shared_vars.region
-  repository_id = "product-service"
-  description   = "rust product service"
-  format        = "DOCKER"
-
-  docker_config {
-    immutable_tags = true
-  }
-}

rust-containers-k8s/scripts/build_and_push.sh

@@ -4,10 +4,11 @@ set -euo pipefail
 
 host=europe-west2-docker.pkg.dev
 project=platform-poc-rust
+repository=registry
 sha="$(git rev-parse --short HEAD)"
 
 for service in *-service; do
-  tag="${host}/${project}/${service}/${service}:${sha}"
+  tag="${host}/${project}/${repository}/${service}:${sha}"
 
   pushd "$service"
 

rust-containers-k8s/spin_up.sh

@@ -11,10 +11,10 @@ terraform init
 terraform apply -auto-approve
 popd
 
-pushd registry
-terraform init
-terraform apply -auto-approve
-popd
+# pushd registry
+# terraform init
+# terraform apply -auto-approve
+# popd
 
 pushd storage
 terraform init