infrastructure-tpl.yaml

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## This file contains the templated definitions for
## the infrastructure that is managed by Config Connector.
## See cloudbuild.yaml for usage.

## Cloud Storage ##

# GCS bucket configured for website hosting
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: ${DOMAIN}
  namespace: ${NAMESPACE}
  annotations:
    cnrm.cloud.google.com/force-destroy: "true"
spec:
  bucketPolicyOnly: true
  website:
    mainPageSuffix: index.html
    # Configure notFound to also redirect to index.html to facilitate Angular routing
    notFoundPage: index.html
  location: US
---
# Make the storage bucket publicly viewable
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-storagebucketreader
  namespace: ${NAMESPACE}
spec:
  member: allUsers
  role: roles/storage.legacyBucketReader
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: ${DOMAIN}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicy-storageobjectreader
  namespace: ${NAMESPACE}
spec:
  member: allUsers
  role: roles/storage.legacyObjectReader
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    name: ${DOMAIN}
---
## Load Balancing

# Load balancer that forwards to GCS bucket
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeBackendBucket
metadata:
  name: ${CLUSTER_NAME}-backend-bucket
  namespace: ${NAMESPACE}
spec:
  bucketRef:
    name: ${DOMAIN}
  description: contains a reference to a bucket for use with HTTP(S) load-balancing
---
# health check
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeHealthCheck
metadata:
  name: ${CLUSTER_NAME}-health-check
  namespace: ${NAMESPACE}
spec:
  checkIntervalSec: 5
  tcpHealthCheck:
    port: 80
  location: global
---
# URL map
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeURLMap
metadata:
  name: ${CLUSTER_NAME}-url-map
  namespace: ${NAMESPACE}
spec:
  location: global
  defaultService:
    backendBucketRef:
      name: ${CLUSTER_NAME}-backend-bucket
  pathMatcher:
    - name: allpaths
      # Default all requests to the GCS bucket
      defaultService:
        backendBucketRef:
          name: ${CLUSTER_NAME}-backend-bucket
      pathRule:
        # Paths to the API service
        - paths: ["/api", "/api/*"]
          service:
            backendServiceRef:
              name: ${CLUSTER_NAME}-backend-api-service
        # Paths to the User service
        - paths: ["/api/users", "/api/users/*"]
          service:
            backendServiceRef:
              name: ${CLUSTER_NAME}-backend-user-service
  hostRule:
    - hosts: ["*"]
      pathMatcher: allpaths
---
# HTTPS proxy
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeTargetHTTPSProxy
metadata:
  name: ${CLUSTER_NAME}-target-proxy-https
  namespace: ${NAMESPACE}
spec:
  description: ""
  urlMapRef:
    name: ${CLUSTER_NAME}-url-map
  sslPolicyRef:
    name: ${CLUSTER_NAME}-ssl-policy
  sslCertificates:
    - external: ${SSL_CERT_NAME}
  location: global
---
# SSL policy for the HTTPS proxy
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSSLPolicy
metadata:
  name: ${CLUSTER_NAME}-ssl-policy
  namespace: ${NAMESPACE}
spec:
  description: SSL policy for the web app
---
# Forwarding rule is entrypoint for all requests
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeForwardingRule
metadata:
  name: ${CLUSTER_NAME}-forwarding-rule
  namespace: ${NAMESPACE}
spec:
  description: "A global forwarding rule"
  target:
    targetHTTPSProxyRef:
      name: ${CLUSTER_NAME}-target-proxy-https
  portRange: "443"
  ipProtocol: "TCP"
  ipVersion: "IPV4"
  location: global
---
# CAA record allows auto-provisioning SSL certs
apiVersion: dns.cnrm.cloud.google.com/v1beta1
kind: DNSRecordSet
metadata:
  name: ${CLUSTER_NAME}-dns-caa-record
  namespace: ${NAMESPACE}
spec:
  name: "${DOMAIN}."
  type: "CAA"
  ttl: 21600
  managedZoneRef:
    external: ${MANAGED_ZONE_NAME}
  rrdatas:
  - 0 issue "pki.goog"
  - 0 issue "letsencrypt.org"
---
# The Google Cloud IAM service account to be used by the backend service
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: ${BACKEND_GSA}
  namespace: ${NAMESPACE}
spec:
  displayName: ${BACKEND_GSA}
---
# The Kubernetes service account to be used by the backend service
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${BACKEND_KSA}
  namespace: ${NAMESPACE}
  annotations:
    iam.gke.io/gcp-service-account: ${BACKEND_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
---
# The Workload Identity binding that ties the Kubernetes service account to the IAM service account
# See: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-backend
  namespace: ${NAMESPACE}
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: ${BACKEND_GSA}
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${BACKEND_KSA}]
---
# IAM role bindings for the backend service account to datastore
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-datastore-backend
  namespace: ${NAMESPACE}
spec:
  member: serviceAccount:${BACKEND_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
  role: roles/datastore.user
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID}
---
# IAM role bindings for the backend service account for writing metrics
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-metrics-backend
  namespace: ${NAMESPACE}
spec:
  member: serviceAccount:${BACKEND_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
  role: roles/monitoring.metricWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID}
---
# The Google Cloud IAM service account to be used by the user service
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: ${USER_SVC_GSA}
  namespace: ${NAMESPACE}
spec:
  displayName: ${USER_SVC_GSA}
---
# The Kubernetes service account to be used by the user service
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${USER_SVC_KSA}
  namespace: ${NAMESPACE}
  annotations:
    iam.gke.io/gcp-service-account: ${USER_SVC_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
---
# The Workload Identity binding that ties the Kubernetes service account to the IAM service account
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-usersvc
  namespace: ${NAMESPACE}
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: ${USER_SVC_GSA}
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:${PROJECT_ID}.svc.id.goog[${NAMESPACE}/${USER_SVC_KSA}]
---
# IAM role bindings for the user service account to firebase admin
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iampolicymember-firebaseauth-usersvc
  namespace: ${NAMESPACE}
spec:
  member: serviceAccount:${USER_SVC_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
  role: roles/firebaseauth.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${PROJECT_ID}
---
  # IAM role bindings for the user service account for writing metrics
  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: iampolicymember-metrics-usersvc
    namespace: ${NAMESPACE}
  spec:
    member: serviceAccount:${USER_SVC_GSA}@${PROJECT_ID}.iam.gserviceaccount.com
    role: roles/monitoring.metricWriter
    resourceRef:
      apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
      kind: Project
      external: projects/${PROJECT_ID}
---
# Istio backend authentication policy
# See: https://cloud.google.com/solutions/authenticating-cloud-run-on-gke-end-users-using-istio-and-identity-platform
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: api-origin-auth
  namespace: ${ISTIO_INGRESS_NAMESPACE}
spec:
  targets:
    - name: ${ISTIO_INGRESS_SERVICE}
      ports:
      - number: 80
      - number: 443
  origins:
  - jwt:
      issuer: "https://securetoken.google.com/${PROJECT_ID}"
      audiences:
      - ${PROJECT_ID}
      jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
      triggerRules:
      - includedPaths:
        - prefix: /api
  principalBinding: USE_ORIGIN
---
# Allow non-mTLS peer traffic in the application's namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: web-app-permissive
  namespace: ${NAMESPACE}
spec:
  mtls:
    mode: PERMISSIVE
---
# Do not set up mutual TLS connections to the application's namespace
# The current version of Istio bundled with CRfA does not suppport mutual TLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: disable-mtls
  namespace: ${NAMESPACE}
spec:
  host: "*.${NAMESPACE}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
---
# Require a valid token
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: require-valid-token
 namespace: ${ISTIO_INGRESS_NAMESPACE}
spec:
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
---
# Allow GETs
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: api-allow-get
 namespace: ${ISTIO_INGRESS_NAMESPACE}
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["https://securetoken.google.com/${PROJECT_ID}/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api*"]
---
# Allow Admin access to all API paths + methods
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-admin
  namespace: ${ISTIO_INGRESS_NAMESPACE}
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["https://securetoken.google.com/${PROJECT_ID}/*"]
    to:
    - operation:
        paths: ["/api*"]
    when:
    - key: request.auth.claims[role]
      values: ["admin"]
    - key: request.auth.claims[iss]
      values: ["https://securetoken.google.com/${PROJECT_ID}"]
---
# Allow workers to create inventory transactions
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-workers
  namespace: ${ISTIO_INGRESS_NAMESPACE}
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["https://securetoken.google.com/${PROJECT_ID}/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/api/inventoryTransactions"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://securetoken.google.com/${PROJECT_ID}"]
    - key: request.auth.claims[role]
      values: ["worker"]