Add CLI instructions as required by the Marketplace

[maelvls]

Closes #21

The Marketplace requires us to give a "Deploy documentation URL" that details the steps for installing the solution from the command line.

I took a lot of inspiration from the Unleash Enterprise solution (which is a paid offering). Our own CLI deploy documentation will probably look like something similar to their README.md.

⚠️ If we want to be able to share the CLI doc URL, we must set this repo as public

Signed-off-by: Maël Valais [email protected]

[maelvls]

Update:

• As detailed in the Marketplace doc, the CLI instructions I wrote will not create RBAC or service accounts except for the google-cas-issuer service account since it is required for a subsequent step in the README
• I took all my inspiration from the Unleash Enterprise readme

[wallrj]

Review Part 1

[wallrj]

Suggested change

	The [workload
	identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
	must be enabled on your cluster. To create a cluster that has _workload
	identity_ feature enabled, run the following command:
	The [workload
	identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) feature
	must be enabled on your cluster. To create a cluster that has _workload
	identity_ feature enabled, run the following command:

[wallrj]

Suggested change

	Choose an instance name and
	[namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
	for the application. In most cases, you can use the `default` namespace.
	Choose an instance name and
	[namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
	for the application.

I don't think we want users to install cert-manager in the default namespace.
cert-manager will use it's namespace to determine where to look for secrets for cluster scoped ClusterIssuers.
cert-manager usually lives in cert-manager.

But at the same time I don't know whether it's appropriate to also install cas-issuer and preflight agent in that namespace.

[maelvls]

Good point, this wording was for Unleash Enterprise and in their case they did recommend the app to be running on a standalone cluster.

In the case of Jetstack Secure for cert-manager, running it in default is a bad idea 😅

[wallrj]

This would confuse me. How should I decide which tag to use? I would need to set the image pull policy to always and to do kubectl rollout restart on cert-manager, preflight, cas-issuer deployments in order to get the latest versions from the moving-target tags.

Perhaps we should remove any reference to those moving target tags until we figure out the correct upgrade process.

[wallrj]

Again, what should the user do with this info?
Instead, shall we hard code a version tag for now into this README and create a git tag, and link to that tag from the GCM page?
When we release a new version of jsp-gcm, we update the README with the latest tag, and update the GCM page with the link to that tag.

Ignore these comments if they don't make sense.

[maelvls]

yeah, I thinnk i didnt't think twice while writing this; I am not helping the user pick the right version here

I'll remove this link for now and let's figure out a way to let users know which version they should pick later.

[wallrj]

Maybe add a command / instruction, to create the namespace

[wallrj]

Suggested change

	```shell
	APP_INSTANCE_NAME=jetstack-secure-1
	NAMESPACE=default
	```
	```shell
	APP_INSTANCE_NAME=jetstack-secure-1
	NAMESPACE=default
	kubectl create namespace "${NAMESPACE}" || true

[wallrj]

The manifest contains various references to kube-system which clashes with the namespace given to kubectl

$ kubectl apply -f "${APP_INSTANCE_NAME}_manifest.yaml" --namespace "${NAMESPACE}"
...
the namespace from the provided object "kube-system" does not match the namespace "jetstack-secure". You must pass '--namespace=kube-system' to perform this operation.
the namespace from the provided object "kube-system" does not match the namespace "jetstack-secure". You must pass '--namespace=kube-system' to perform this operation.
the namespace from the provided object "kube-system" does not match the namespace "jetstack-secure". You must pass '--namespace=kube-system' to perform this operation.
the namespace from the provided object "kube-system" does not match the namespace "jetstack-secure". You must pass '--namespace=kube-system' to perform this operation.

[maelvls]

Done! I moved our own doc to docs/TESTING-DEPLOYER.md so there is no confusion between the CLI instructions and the UI-specific deployer stuff

[wallrj]

Looking good to me @maelvls

You've put a lot of work in to this!

Some of the instructions failed for me, but perhaps that's down to my version of gcloud or my Linux environment.

Please answer or address the comments below, and then I'll add a lgtm

[wallrj]

Suggested change

	The Certificate Authority Service is a highly available, scalable Google Cloud
	service that enables you to simplify, automate, and customize the
	deployment, management, and security of private certificate authorities
	(CA).
	[Google Certificate Authority Service][] is a highly available, scalable Google Cloud
	service that enables you to simplify, automate, and customize the
	deployment, management, and security of private certificate authorities
	(CA).
	[Google Certificate Authority Service]: https://cloud.google.com/certificate-authority-service/

[wallrj]

Suggested change

	```sh
	gcloud beta privateca roots create my-ca --location $LOCATION --subject="CN=root,O=my-ca"
	gcloud beta privateca subordinates create my-sub-ca --issuer=my-ca --location $LOCATION --subject="CN=intermediate,O=my-ca,OU=my-sub-ca"
	```
	```sh
	LOCATION=europe-west1
	gcloud beta privateca roots create my-ca --location ${LOCATION} --subject="CN=root,O=my-ca"
	gcloud beta privateca subordinates create my-sub-ca --issuer=my-ca --location ${LOCATION} --issuer-location ${LOCATION} --subject="CN=intermediate,O=my-ca,OU=my-sub-ca"

[wallrj]

Because I got this error message:

[richard@drax jsp-gcm]$ gcloud beta privateca subordinates create my-sub-ca  --issuer=my-ca --location ${LOCATION} --subject="CN=intermediate,O=my-ca,OU=my-sub-ca"
ERROR: (gcloud.beta.privateca.subordinates.create) Error parsing [issuer].
The [Issuer] resource is not properly specified.
Failed to find attribute [location]. The attribute can be set in the following ways: 
- provide the argument `--issuer-location` on the command line
- set the property `privateca/location`

[wallrj]

And even with that extra --issuer-location ... argument, I now get this error:

[richard@drax jsp-gcm]$ gcloud beta privateca subordinates create my-sub-ca  --issuer=my-ca --location ${LOCATION} --issuer-location ${LOCATION} --subject="CN=intermediate,O=my-ca,OU=my-sub-ca"
WARNING: CA Service is currently in preview.

Please remember that all resources created during preview will be deleted
when CA service transitions to General Availability (GA). Relying on these
certificate authorities for production traffic is discouraged.
Creating Certificate Authority....done.                                                                                                                                                                                                  
Activating CA....failed.                                                                                                                                                                                                                 
ERROR: (gcloud.beta.privateca.subordinates.create) Could not verify certificate with chain: Chain violates pathlength restriction. Pathlength 0 on cert CN=root,O=my-ca with CA length 1

Perhaps we should just link to Google CAS Issuer installation instructions instead of recreating them here.

[maelvls]

Yeah... I agree, I'll just give a link to the official documentation.

The new command would be:

LOCATION=europe-west1
gcloud beta privateca roots create example-root-ca \
  --location ${LOCATION} \
  --reusable-config "example-intermediate-ca-pathlen-0" \
  --subject="CN=Example Root CA 1, O=Example LLC"
gcloud beta privateca subordinates create example-ca-1 \
  --issuer=example-root-ca \
  --issuer-location ${LOCATION} \
  --reusable-config "example-intermediate-ca-pathlen-0" \
  --subject="CN=Example Intermediate CA, O=Example LLC"

I think the subject validation appeared recently maybe? Do they have some form of CHANGELOG for the Google CAS service btw? @jakexks

[wallrj]

Suggested change

	This is the repository that holds the configuration for our Google
	Marketplace solution, [jetstack-secure-for-cert-manager][].

This is in the wrong place.

[wallrj]

Shall we remove all this stuff now? It may confuse the user who visits this repo looking for GCM CLI instructions.

[maelvls]

Yes, good idea; I moved it to docs/TESTING-DEPLOYER.md, does it make sense? I also added a note about the "deployer" being only for the UI stuff

[wallrj]

Suggested change

	tag:
	tag: 1.1.0-gcm.1

Is this supposed to have the same tag as other images?

[maelvls]

Looks liike some objects have no namespace field which means they get created in the default namespace:

[wallrj]

/lgtm