Config Controller's root-repo is now private for more security

Author: Mathieu Benoit

content/config-controller/set-up-config-controller-git-repo.md

@@ -60,14 +60,30 @@ kubectl wait --for condition=established crd rootsyncs.configsync.gke.io
 
 ## Define the primary Git repository
 
-Create a dedicated GitHub repository to store any Kubernetes manifests associated to the GCP Organization:
+Create a dedicated private GitHub repository to store any Kubernetes manifests associated to the GCP Organization:
 ```Bash
 cd ~
 gh repo create $WORKSHOP_ORG_DIR_NAME --public --clone --template https://github.com/mathieu-benoit/config-sync-template-repo
 cd ~/$WORKSHOP_ORG_DIR_NAME
 git pull
 git checkout main
-ORG_REPO_URL=$(gh repo view --json url --jq .url)
+ORG_REPO_URL=$(gh repo view --json sshUrl --jq .sshUrl)
+ORG_REPO_NAME_WITH_OWNER=$(gh repo view --json nameWithOwner --jq .nameWithOwner)
+```
+
+Generate [SSH key pair](https://cloud.google.com/anthos-config-management/docs/how-to/installing-config-sync#ssh-key-pair) in order to get a read access to the private Git repository:
+```Bash
+mkdir tmp
+ssh-keygen -t rsa -b 4096 \
+    -C "${ORG_REPO_NAME_WITH_OWNER}@github" \
+    -N '' \
+    -f ./tmp/github-org-repo
+kubectl create ns config-management-system && \
+kubectl create secret generic git-creds \
+    --namespace=config-management-system \
+    --from-file=ssh=./tmp/github-org-repo
+gh repo deploy-key add ./tmp/github-org-repo.pub
+rm -r tmp
 ```
 
 Deploy a `RootSync` linking this GitHub repository to the Config Controller instance as the main/root GitOps configuration:
@@ -85,13 +101,17 @@ spec:
     revision: HEAD
     branch: main
     dir: config-sync
-    auth: none
+    auth: ssh
+    secretRef:
+      name: git-creds
 EOF
 ```
-{{% notice info %}}
-Since you started this workshop, you just ran 4 `kubectl` commands. For your information, moving forward you won't run any other `kubectl` commands because the design and intent of this workshop is to only deploy any Kubernetes resources via GitOps with Config Sync. You will also use some handy `gcloud` commands when appropriate.
+{{% notice tips %}}
+The GitHub repository is private in order to demonstrate how to allow read access to Config Sync when you use a restricted Git repository. 
 {{% /notice %}}
 
+Since you started this workshop, you just ran 6 `kubectl` commands. For your information, moving forward you won't run any other `kubectl` commands because the design and intent of this workshop is to only deploy any Kubernetes resources via GitOps with Config Sync. You will also use some handy `gcloud` commands when appropriate.
+
 ## Define Cloud Billing API
 
 In order to have Config Controller's Config Sync linking a Billing Account to GCP projects later in this workshop, we need to define the Cloud Billing API [`Service`](https://cloud.google.com/config-connector/docs/reference/resource-docs/serviceusage/service) resource for Config Controller's GCP project:

content/overview/objectives.md

@@ -41,9 +41,9 @@ Three personas are involved:
 - 2 GCP Projects
 - 1 Config Controller instance
 - 1 GKE cluster
-- 4 `kubectl` commands
-- 44 `git commit` commands
-- 126 `gcloud` commands
+- 6 `kubectl` commands
+- 42 `git commit` commands
+- 170 `gcloud` commands
 - 145 Kubernetes manifests
 - 57 KCC resources
 - 12 containerized apps

content/whereami/set-up-authorization-policies.md

@@ -57,7 +57,7 @@ git push origin main
 List the GitHub runs for the **Whereami app** repository `cd ~/$WHERE_AMI_DIR_NAME && gh run list`:
 ```Plaintext
 STATUS  NAME                             WORKFLOW  BRANCH  EVENT  ID          ELAPSED  AGE
-✓       Whereami Authorization Policy  ci        main    push   1976612253  1m9s     2m
+✓       Whereami Authorization Policy    ci        main    push   1976612253  1m9s     2m
 ✓       Whereami Sidecar                 ci        main    push   1976601129  1m3s     5m
 ✓       Whereami Network Policies        ci        main    push   1976593659  1m1s     1m
 ✓       Whereami app                     ci        main    push   1976257627  1m1s     2h