From 926a8535f7812bd9f6caffd8ef2ce46de4c8a728 Mon Sep 17 00:00:00 2001
From: Harsha Vardhan Rao Sankineni
Date: Sun, 31 May 2020 06:10:30 +0530
Subject: [PATCH] [KCC] Helm support for PubSub-topic solution
---
 .../iam/helm/pubsub-topic/Chart.yaml | 18 ++++
 .../solutions/iam/helm/pubsub-topic/README.md | 102 ++++++++++++++++++
 .../templates/iampolicymember.yaml | 25 +++++
 .../pubsub-topic/templates/pubsubtopic.yaml | 17 +++
 .../iam/helm/pubsub-topic/values.yaml | 20 ++++
 5 files changed, 182 insertions(+)
 create mode 100644 config-connector/solutions/iam/helm/pubsub-topic/Chart.yaml
 create mode 100644 config-connector/solutions/iam/helm/pubsub-topic/README.md
 create mode 100644 config-connector/solutions/iam/helm/pubsub-topic/templates/iampolicymember.yaml
 create mode 100644 config-connector/solutions/iam/helm/pubsub-topic/templates/pubsubtopic.yaml
 create mode 100644 config-connector/solutions/iam/helm/pubsub-topic/values.yaml
diff --git a/config-connector/solutions/iam/helm/pubsub-topic/Chart.yaml b/config-connector/solutions/iam/helm/pubsub-topic/Chart.yaml
new file mode 100644
index 00000000000..b33997f49e9
--- /dev/null
+++ b/config-connector/solutions/iam/helm/pubsub-topic/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: pubsub-topic
+version: 0.1.0
+description: Grant an IAM role to a member for a PubSub topic
diff --git a/config-connector/solutions/iam/helm/pubsub-topic/README.md b/config-connector/solutions/iam/helm/pubsub-topic/README.md
new file mode 100644
index 00000000000..75ad9457272
--- /dev/null
+++ b/config-connector/solutions/iam/helm/pubsub-topic/README.md
@@ -0,0 +1,102 @@ +# Pub/Sub Topic + +================================================== + +## NAME + + pubsub-topic + +## SYNOPSIS + + + Config Connector compatible YAML files to create a Pub/Sub topic in your desired project, and grant a specific member a role (default to roles/pubsub.editor) for accessing the Pub/Sub topic that just created + +## CONSUMPTION + + 1. Clone GoogleCloudPlatform/cloud-foundation-toolkit repository: + + ```bash + git clone https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit.git + ``` + + 1. Go to the service account folder: + + ```bash + cd cloud-foundation-toolkit/config-connector/solutions/iam/helm/pubsub-topic + ``` + +## REQUIREMENTS + +1. GKE Cluster with Config Connector and [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_workload_identity_on_a_new_cluster). +1. [Helm](../../../README.md#helm) +1. The "cnrm-system" service account assigned with either `roles/pubsub.admin` or `roles/owner` in the + project managed by Config Connector +1. Cloud Pub/Sub API enabled in the project where Config Connector is + installed +1. Cloud Pub/Sub API enabled in the project managed by Config Connector if it + is a different project + +## USAGE + +All steps are run from the current directory ([config-connector/solutions/iam/helm/pubsub-topic](.)). + +1. Review and update the values in `./values.yaml`. + +1. Validate and install the sample with Helm. + + ```bash + # validate your chart + helm lint . --set iamPolicyMember.iamMember=user:name@example.com + + # check the output of your chart + helm template . --set iamPolicyMember.iamMember=user:name@example.com + + # do a dryrun on your chart and address issues if there are any + helm install . --dry-run --set iamPolicyMember.iamMember=user:name@example.com --generate-name + + # install your chart + helm install . --set iamPolicyMember.iamMember=user:name@example.com --generate-name + ``` + +1. 
_Optionaly_, you can set the name of the PubSub topic (defaults to `allowed-topic`) and the role to grant (defaults to `roles/pubsub.editor`, full list of roles [here](https://cloud.google.com/iam/docs/understanding-roles#pub-sub-roles)) by explictly setting them when installing the solution: + + ```bash + # install your chart with a difirent name of the PubSub topic + helm install . --set PubSubTopic.name=your-topic,iamPolicyMember.iamMember=user:name@example.com --generate-name + ``` + Or, + ```bash + # install your chart with a new role + helm install . --set iamPolicyMember.role=roles/pubsub.viewer,iamPolicyMember.iamMember=user:name@example.com --generate-name + ``` + Or set them both in one command. + +1. Check the created helm release to verify the installation: + ```bash + helm list + ``` + Check the status of the pub/sub topic resource by running: + + Note: By default value of Pub/Sub topic name is ```allowed-topic``` + + ```bash + kubectl describe pubsubtopic [topic name] + ``` + Check the status of the IAM Policy Member: + ```bash + kubectl describe iampolicymember topic-iam-member + ``` + +1. Clean up the installation: + + ```bash + # list Helm releases to obtain release name + helm list + + # delete release specifying release name from the previous command output. + helm delete [release_name] + ``` + +## LICENSE + +Apache 2.0 - See [LICENSE](/LICENSE) for more information. diff --git a/config-connector/solutions/iam/helm/pubsub-topic/templates/iampolicymember.yaml b/config-connector/solutions/iam/helm/pubsub-topic/templates/iampolicymember.yaml new file mode 100644 index 00000000000..2cb33b02a4e --- /dev/null +++ b/config-connector/solutions/iam/helm/pubsub-topic/templates/iampolicymember.yaml 
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: topic-iam-member
+spec:
+ member: {{ required "IAM member is required!" .Values.iamPolicyMember.iamMember }}
+ role: {{ .Values.iamPolicyMember.role }}
+ resourceRef:
+ apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
+ kind: PubSubTopic
+ name: {{ .Values.PubSubTopic.name }}
diff --git a/config-connector/solutions/iam/helm/pubsub-topic/templates/pubsubtopic.yaml b/config-connector/solutions/iam/helm/pubsub-topic/templates/pubsubtopic.yaml
new file mode 100644
index 00000000000..1fef88b5fcb
--- /dev/null
+++ b/config-connector/solutions/iam/helm/pubsub-topic/templates/pubsubtopic.yaml
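Review bot: `metadata.name: topic-iam-member` is a fixed name while the README installs this chart with `--generate-name` and a per-release `PubSubTopic.name`, so a second release into the same namespace collides with the IAMPolicyMember owned by the first release and the binding for the second topic is never created. Deriving the name from the topic keeps the two resources in step, e.g. `name: {{ .Values.PubSubTopic.name }}-iam-member`, with the README's `kubectl describe iampolicymember topic-iam-member` line updated to match. Separately, `member`, `role` and `resourceRef.name` are rendered unquoted; piping each through `| quote` (and the `metadata.name` in pubsubtopic.yaml likewise) keeps a value containing YAML-significant characters such as `: ` or a leading `*` from being misparsed by the chart's consumers.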
@@ -0,0 +1,17 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
+kind: PubSubTopic
+metadata:
+ name: {{ .Values.PubSubTopic.name }}
diff --git a/config-connector/solutions/iam/helm/pubsub-topic/values.yaml b/config-connector/solutions/iam/helm/pubsub-topic/values.yaml
new file mode 100644
index 00000000000..8264d1aaa98
--- /dev/null
+++ b/config-connector/solutions/iam/helm/pubsub-topic/values.yaml
@@ -0,0 +1,20 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+iamPolicyMember:
+ iamMember:
+ role: roles/pubsub.editor
+
+PubSubTopic:
+ name: allowed-topic
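Review bot: `metadata.name` takes `.Values.PubSubTopic.name` with no `required` guard, so an override such as `--set PubSubTopic.name=` renders an empty name here and in the IAMPolicyMember's `resourceRef`, and the failure only surfaces when the API server rejects the manifest rather than at template time as the `iamMember` value already does. The same guard style fits here, `name: {{ required "PubSub topic name is required!" .Values.PubSubTopic.name }}`. As a point of style, this is the only file in the commit where the license header runs straight into `apiVersion:` with no blank line between them.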
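Review bot: The values file documents none of its keys, although it is the file the README tells users to review and edit first; the empty `iamMember` in particular reads as an omission rather than the deliberate trigger for the `required` check in iampolicymember.yaml. A comment above `iamMember:` such as `# Principal granted the role on the topic, e.g. user:name@example.com; left empty so install fails until it is set` would make that explicit. Above `role:`, a comment along the lines of `# IAM role bound on the topic; roles/pubsub.editor carries publish and modify permissions, so narrow it (e.g. roles/pubsub.viewer) when the member only needs to read` records why the default should not be left as-is without thought.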