Upgrade CNRM from 1.15 to 1.27.2 (#1595)

Related to kubeflow/gcp-blueprints#143

Co-authored-by: Jeremy Lewi <jlewi@google.com>
Jeremy Lewi 2020-10-29 09:46:59 -07:00 committed by GitHub
parent ea1a35124b
commit ff23fbe83c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4921 additions and 325 deletions


@ -10,23 +10,23 @@ To update:
1. Copy the per namespace components to the template stored in the blueprint repo.
1. Edit "0-cnrm-system.yaml" to add the kpt setter; change
```
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-controller-manager
namespace: cnrm-system
```
```
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-controller-manager
namespace: cnrm-system
```
to
```
annotations:
...
iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
```
```
annotations:
...
iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
```


@ -16,7 +16,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-system
@ -25,7 +25,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
iam.gke.io/gcp-service-account: NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
labels:
cnrm.cloud.google.com/system: "true"
@ -36,7 +36,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender
@ -46,7 +46,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-resource-stats-recorder
@ -56,23 +56,66 @@ apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-manager
namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender-cnrm-system-role
namespace: cnrm-system
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-cnrm-system-role
namespace: cnrm-system
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-admin
rules:
- apiGroups:
- accesscontextmanager.cnrm.cloud.google.com
- artifactregistry.cnrm.cloud.google.com
- bigquery.cnrm.cloud.google.com
- bigtable.cnrm.cloud.google.com
- cloudbuild.cnrm.cloud.google.com
@ -83,6 +126,8 @@ rules:
- firestore.cnrm.cloud.google.com
- iam.cnrm.cloud.google.com
- kms.cnrm.cloud.google.com
- logging.cnrm.cloud.google.com
- monitoring.cnrm.cloud.google.com
- pubsub.cnrm.cloud.google.com
- redis.cnrm.cloud.google.com
- resourcemanager.cnrm.cloud.google.com
@ -109,7 +154,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender-role
@ -159,7 +204,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-manager-cluster-role
@ -217,7 +262,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-manager-ns-role
@ -242,7 +287,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-recorder-role
@ -272,7 +317,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-role
@ -332,10 +377,46 @@ rules:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender-role-binding
namespace: cnrm-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cnrm-deletiondefender-cnrm-system-role
subjects:
- kind: ServiceAccount
name: cnrm-deletiondefender
namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-role-binding
namespace: cnrm-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cnrm-webhook-cnrm-system-role
subjects:
- kind: ServiceAccount
name: cnrm-webhook-manager
namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-admin-binding
@ -358,7 +439,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender-binding
@ -375,7 +456,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-manager-binding
@ -392,7 +473,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-manager-watcher-binding
@ -409,7 +490,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-recorder-binding
@ -426,7 +507,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-binding
@ -443,7 +524,7 @@ apiVersion: v1
kind: Service
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-deletiondefender
@ -460,7 +541,7 @@ apiVersion: v1
kind: Service
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
prometheus.io/port: "8888"
prometheus.io/scrape: "true"
labels:
@ -482,7 +563,7 @@ apiVersion: v1
kind: Service
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
prometheus.io/port: "8888"
prometheus.io/scrape: "true"
labels:
@ -502,7 +583,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
cnrm.cloud.google.com/system: "true"
@ -518,7 +599,7 @@ spec:
template:
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
cnrm.cloud.google.com/system: "true"
@ -531,69 +612,10 @@ spec:
- /configconnector/recorder
env:
- name: CONFIG_CONNECTOR_VERSION
value: 1.15.1
image: gcr.io/cnrm-eap/recorder:b59b871
value: 1.27.2
image: gcr.io/cnrm-eap/recorder:1c8c589
imagePullPolicy: Always
name: recorder
readinessProbe:
exec:
command:
- cat
- /tmp/ready
initialDelaySeconds: 3
periodSeconds: 3
resources:
limits:
cpu: 20m
memory: 64Mi
requests:
cpu: 10m
memory: 32Mi
securityContext:
privileged: false
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: cnrm-resource-stats-recorder
terminationGracePeriodSeconds: 10
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
labels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-manager
namespace: cnrm-system
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
template:
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
labels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
spec:
containers:
- args:
- --stderrthreshold=INFO
command:
- /configconnector/webhook
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: gcr.io/cnrm-eap/webhook:b59b871
imagePullPolicy: Always
name: webhook
readinessProbe:
exec:
command:
@ -612,6 +634,61 @@ spec:
privileged: false
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: cnrm-resource-stats-recorder
terminationGracePeriodSeconds: 10
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook-manager
namespace: cnrm-system
spec:
revisionHistoryLimit: 1
selector:
matchLabels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
template:
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-webhook-manager
cnrm.cloud.google.com/system: "true"
spec:
containers:
- args:
- --stderrthreshold=INFO
command:
- /configconnector/webhook
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: gcr.io/cnrm-eap/webhook:1c8c589
imagePullPolicy: Always
name: webhook
readinessProbe:
exec:
command:
- cat
- /tmp/ready
initialDelaySeconds: 3
periodSeconds: 3
resources:
limits:
cpu: 40m
memory: 64Mi
securityContext:
privileged: false
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: cnrm-webhook-manager
terminationGracePeriodSeconds: 10
---
@ -619,7 +696,7 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-controller-manager
cnrm.cloud.google.com/system: "true"
@ -634,7 +711,7 @@ spec:
template:
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-controller-manager
cnrm.cloud.google.com/system: "true"
@ -645,7 +722,7 @@ spec:
- --prometheus-scrape-endpoint=:8888
command:
- /configconnector/manager
image: gcr.io/cnrm-eap/controller:b59b871
image: gcr.io/cnrm-eap/controller:1c8c589
imagePullPolicy: Always
name: manager
readinessProbe:
@ -673,7 +750,7 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-deletiondefender
cnrm.cloud.google.com/system: "true"
@ -688,7 +765,7 @@ spec:
template:
metadata:
annotations:
cnrm.cloud.google.com/version: 1.15.1
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/component: cnrm-deletiondefender
cnrm.cloud.google.com/system: "true"
@ -698,7 +775,7 @@ spec:
- --stderrthreshold=INFO
command:
- /configconnector/deletiondefender
image: gcr.io/cnrm-eap/deletiondefender:b59b871
image: gcr.io/cnrm-eap/deletiondefender:1c8c589
imagePullPolicy: Always
name: deletiondefender
readinessProbe:
@ -713,7 +790,6 @@ spec:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
securityContext:
privileged: false
@ -721,3 +797,27 @@ spec:
runAsUser: 1000
serviceAccountName: cnrm-deletiondefender
terminationGracePeriodSeconds: 10
---
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
annotations:
cnrm.cloud.google.com/version: 1.27.2
labels:
cnrm.cloud.google.com/system: "true"
name: cnrm-webhook
namespace: cnrm-system
spec:
maxReplicas: 10
metrics:
- resource:
name: cpu
target:
averageUtilization: 60
type: Utilization
type: Resource
minReplicas: 2
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: cnrm-webhook-manager
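Review bot: The two Roles added in this section, `cnrm-deletiondefender-cnrm-system-role` and `cnrm-webhook-cnrm-system-role`, grant get/create/update/patch/delete on every Secret in `cnrm-system` because their single rule carries no `resourceNames`, and the new RoleBindings give that access to the `cnrm-deletiondefender` and `cnrm-webhook-manager` service accounts. If each component only manages its own secrets (presumably serving certificates; the page does not show which), the get/update/patch/delete verbs can move into a second rule restricted with `resourceNames`, leaving only `create` unrestricted, since RBAC cannot limit create by name. The update instructions in the first file of this commit describe this manifest as copied from the upstream release and then edited, so any narrowing should be recorded next to the rules, e.g. `# local change: secret verbs narrowed with resourceNames; re-apply after each CNRM upgrade`. If the grant is kept as shipped, a comment such as `# upstream grant: read/write on all Secrets in cnrm-system` above each `rules:` would make the scope visible to the next reviewer.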
