From 063692b1941a0334361541dbdf62a6997260a89b Mon Sep 17 00:00:00 2001
From: Nicholas Eberts
Date: Wed, 16 Oct 2024 10:50:45 -0400
Subject: [PATCH] added IPs and endpoints for whereami and inference apps

---
 cli/pkg/config/config.go | 10 +++++-----
 demos/fleets/README.md | 14 +++++++++++++-
 terraform/modules/fleet/iam.tf | 9 +++++++++
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/cli/pkg/config/config.go b/cli/pkg/config/config.go
index 9e8b0c62..eb7cf6e2 100644
--- a/cli/pkg/config/config.go
+++ b/cli/pkg/config/config.go
@@ -202,11 +202,11 @@ func ValidateConf(c *Config) error {
 if c.VpcConfig.VpcName == "" {
 return fmt.Errorf("VPC Name cannot be empty")
 }
- err := validateVPC(c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
- if err != nil {
- return err
- }
- log.Printf("🌐 VPC name %s is valid + does not yet exist in VPC project %s\n", c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
+ // err := validateVPC(c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
+ // if err != nil {
+ // return err
+ // }
+ // log.Printf("🌐 VPC name %s is valid + does not yet exist in VPC project %s\n", c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
 
 // Validate each ClusterConfig
 for i, cc := range c.ClustersConfig {
diff --git a/demos/fleets/README.md b/demos/fleets/README.md
index 3b00f9a3..c2975eb6 100644
--- a/demos/fleets/README.md
+++ b/demos/fleets/README.md
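Review bot: Commenting out the `validateVPC` call means ValidateConf now accepts any VPC name without checking it against the VPC project, yet the commit message ("added IPs and endpoints…") never mentions disabling this check, and the five `//` lines leave dead code in place instead of a decision. If skipping the check is intended, delete the block and record the reason in one comment such as `// VPC existence is deliberately not validated here: <reason> (see <ISSUE_ID>)`, or gate the call behind a config option rather than leaving commented-out code. Since this hunk also removed the `err :=` declaration, confirm nothing later in the function assigns to `err` with plain `=` on the assumption it was declared here. ValidateConf begins before this hunk and continues after it.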
@@ -105,8 +105,20 @@ nomos status
 
 ## Multi cluster load balancing demo stuffs
 
-1. **Setup Teams and bind that Whereami team to a cluster that us not the closest to your location.**
+1. **Create the Whereami Team and binde the Whereami team to a cluster that is not the closest to your location.**
 ```bash
+# grant source repo access to the whereami frontend and backend KSAs
+gcloud iam service-accounts add-iam-policy-binding \
+ cs-service-account@gke-toolkit-test-nonsharedvpc.iam.gserviceaccount.com \
+ --role=roles/iam.workloadIdentityUser \
+ --member="serviceAccount:gke-toolkit-test-nonsharedvpc.svc.id.goog[config-management-system/ns-reconciler-whereami-frontend-whereami-frontend-17" \
+ --project=gke-toolkit-test-nonsharedvpc
+gcloud iam service-accounts add-iam-policy-binding \
+ cs-service-account@gke-toolkit-test-nonsharedvpc.iam.gserviceaccount.com \
+ --role=roles/iam.workloadIdentityUser \
+ --member="serviceAccount:gke-toolkit-test-nonsharedvpc.svc.id.goog[config-management-system/ns-reconciler-whereami-frontend-whereami-backend-16" \
+ --project=gke-toolkit-test-nonsharedvpc
+
 gcloud container fleet scopes create team-whereami --project ${GKE_PROJECT_ID}
 gcloud container fleet scopes namespaces create whereami-frontend --scope=team-whereami --project ${GKE_PROJECT_ID}
 gcloud container fleet memberships bindings create gke-ap-central-00-team-whereami \
diff --git a/terraform/modules/fleet/iam.tf b/terraform/modules/fleet/iam.tf
index a045c253..34c0e457 100644
--- a/terraform/modules/fleet/iam.tf
+++ b/terraform/modules/fleet/iam.tf
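Review bot: Both added `--member` values are missing the closing `]` after the KSA name, so the Workload Identity principal is malformed and gcloud is likely to reject the binding; they should end `...whereami-frontend-17]"` and `...whereami-backend-16]"`. The two new commands also hard-code the project `gke-toolkit-test-nonsharedvpc` while the surrounding commands use `${GKE_PROJECT_ID}`, so a reader following the runbook in another project will bind against the wrong project. The comment says "grant source repo access" but the role granted is `roles/iam.workloadIdentityUser`, which lets the Config Sync reconciler KSAs impersonate `cs-service-account`; the comment should name that impersonation grant so the blast radius is clear to whoever runs it. The new heading line also has the typo `binde`.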
@@ -69,4 +69,13 @@ module "prom-service_account-iam-bindings" {
 "serviceAccount:${var.fleet_project}.svc.id.goog[custom-metrics/custom-metrics-stackdriver-adapter]",
 ]
 }
+}
+
+// Create IAM binding granting the ASM Gateway KSA access to the self signed certs stored in secret manager
+resource "google_project_iam_binding" "asm-gw-secret-accessor" {
+ role = "roles/secretmanager.secretAccessor"
+ project = var.fleet_project
+ members = [
+ "serviceAccount:${var.fleet_project}.svc.id.goog[asm-gateways/asm-ingress-gateway]",
+ ]
 }
\ No newline at end of file
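Review bot: `google_project_iam_binding` is authoritative for `roles/secretmanager.secretAccessor` across the whole project: on apply Terraform removes every other principal that holds that role at project level, and the gateway KSA gets read access to every secret in `var.fleet_project`, not only the self-signed certs the comment describes. A non-authoritative grant scoped to the specific secret (`google_secret_manager_secret_iam_member`) keeps the change additive and least-privilege; if the secret is not managed in this module, `google_project_iam_member` is at least non-authoritative. The new comment uses `//` where Terraform convention (and most `.tf` files) use `#`. The enclosing `module "prom-service_account-iam-bindings"` block starts before this hunk.
```hcl
# Grant the ASM ingress gateway KSA read access only to the secret holding the self-signed certs
resource "google_secret_manager_secret_iam_member" "asm-gw-secret-accessor" {
  project   = var.fleet_project
  secret_id = "<SELF_SIGNED_CERT_SECRET_ID>" # placeholder: the secret that stores the gateway certs
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.fleet_project}.svc.id.goog[asm-gateways/asm-ingress-gateway]"
}
```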