Upgrade CNRM from 1.15 to 1.27.2 (#1595)

Related to kubeflow/gcp-blueprints#143 Co-authored-by: Jeremy Lewi <jlewi@google.com>
2020-10-29 09:46:59 -07:00 · 2020-10-29 09:46:59 -07:00 · ff23fbe83c
parent ea1a35124b
commit ff23fbe83c
3 changed files with 4921 additions and 325 deletions
--- a/gcp/v2/management/cnrm-install/README.md
+++ b/gcp/v2/management/cnrm-install/README.md
@ -10,23 +10,23 @@ To update:
 1. Copy the per namespace components to the template stored in the blueprint repo.
 1. Edit "0-cnrm-system.yaml" to add the kpt setter; change
-   ```
+     ```
-apiVersion: v1
+  apiVersion: v1
-kind: ServiceAccount
+  kind: ServiceAccount
-metadata:
+  metadata:
-  annotations:
+    annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+      cnrm.cloud.google.com/version: 1.15.1
-    iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
+      iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com
-  labels:
+    labels:
-    cnrm.cloud.google.com/system: "true"
+      cnrm.cloud.google.com/system: "true"
-  name: cnrm-controller-manager
+    name: cnrm-controller-manager
-  namespace: cnrm-system
+    namespace: cnrm-system
-   ```
+     ```
   to
-   ```
+     ```
-   annotations:
+     annotations:
-    ...
+      ...
-    iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
+      iam.gke.io/gcp-service-account: cnrm-system@${PROJECT_ID?}.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
-   ```
+     ```
--- a/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml
+++ b/gcp/v2/management/cnrm-install/install-system/0-cnrm-system.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-system
@ -25,7 +25,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
    iam.gke.io/gcp-service-account: NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"}
  labels:
    cnrm.cloud.google.com/system: "true"
@ -36,7 +36,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
@ -46,7 +46,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder
@ -56,23 +56,66 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-cnrm-system-role
  namespace: cnrm-system
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-cnrm-system-role
  namespace: cnrm-system
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin
 rules:
 - apiGroups:
  - accesscontextmanager.cnrm.cloud.google.com
  - artifactregistry.cnrm.cloud.google.com
  - bigquery.cnrm.cloud.google.com
  - bigtable.cnrm.cloud.google.com
  - cloudbuild.cnrm.cloud.google.com
@ -83,6 +126,8 @@ rules:
  - firestore.cnrm.cloud.google.com
  - iam.cnrm.cloud.google.com
  - kms.cnrm.cloud.google.com
  - logging.cnrm.cloud.google.com
  - monitoring.cnrm.cloud.google.com
  - pubsub.cnrm.cloud.google.com
  - redis.cnrm.cloud.google.com
  - resourcemanager.cnrm.cloud.google.com
@ -109,7 +154,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role
@ -159,7 +204,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-cluster-role
@ -217,7 +262,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-role
@ -242,7 +287,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-role
@ -272,7 +317,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role
@ -332,10 +377,46 @@ rules:
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role-binding
  namespace: cnrm-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-deletiondefender-cnrm-system-role
 subjects:
 - kind: ServiceAccount
  name: cnrm-deletiondefender
  namespace: cnrm-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role-binding
  namespace: cnrm-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-webhook-cnrm-system-role
 subjects:
 - kind: ServiceAccount
  name: cnrm-webhook-manager
  namespace: cnrm-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin-binding
@ -358,7 +439,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-binding
@ -375,7 +456,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-binding
@ -392,7 +473,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-watcher-binding
@ -409,7 +490,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-binding
@ -426,7 +507,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-binding
@ -443,7 +524,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
@ -460,7 +541,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
    prometheus.io/port: "8888"
    prometheus.io/scrape: "true"
  labels:
@ -482,7 +563,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
    prometheus.io/port: "8888"
    prometheus.io/scrape: "true"
  labels:
@ -502,7 +583,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
    cnrm.cloud.google.com/system: "true"
@ -518,7 +599,7 @@ spec:
  template:
    metadata:
      annotations:
-        cnrm.cloud.google.com/version: 1.15.1
+        cnrm.cloud.google.com/version: 1.27.2
      labels:
        cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
        cnrm.cloud.google.com/system: "true"
@ -531,69 +612,10 @@ spec:
        - /configconnector/recorder
        env:
        - name: CONFIG_CONNECTOR_VERSION
-          value: 1.15.1
+          value: 1.27.2
-        image: gcr.io/cnrm-eap/recorder:b59b871
+        image: gcr.io/cnrm-eap/recorder:1c8c589
        imagePullPolicy: Always
        name: recorder
        readinessProbe:
          exec:
            command:
            - cat
            - /tmp/ready
          initialDelaySeconds: 3
          periodSeconds: 3
        resources:
          limits:
            cpu: 20m
            memory: 64Mi
          requests:
            cpu: 10m
            memory: 32Mi
        securityContext:
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
      serviceAccountName: cnrm-resource-stats-recorder
      terminationGracePeriodSeconds: 10
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.15.1
  labels:
    cnrm.cloud.google.com/component: cnrm-webhook-manager
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
 spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-webhook-manager
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: 1.15.1
      labels:
        cnrm.cloud.google.com/component: cnrm-webhook-manager
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
      - args:
        - --stderrthreshold=INFO
        command:
        - /configconnector/webhook
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: gcr.io/cnrm-eap/webhook:b59b871
        imagePullPolicy: Always
        name: webhook
        readinessProbe:
          exec:
            command:
@ -612,6 +634,61 @@ spec:
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
      serviceAccountName: cnrm-resource-stats-recorder
      terminationGracePeriodSeconds: 10
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/component: cnrm-webhook-manager
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
 spec:
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-webhook-manager
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: 1.27.2
      labels:
        cnrm.cloud.google.com/component: cnrm-webhook-manager
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
      - args:
        - --stderrthreshold=INFO
        command:
        - /configconnector/webhook
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: gcr.io/cnrm-eap/webhook:1c8c589
        imagePullPolicy: Always
        name: webhook
        readinessProbe:
          exec:
            command:
            - cat
            - /tmp/ready
          initialDelaySeconds: 3
          periodSeconds: 3
        resources:
          limits:
            cpu: 40m
            memory: 64Mi
        securityContext:
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
      serviceAccountName: cnrm-webhook-manager
      terminationGracePeriodSeconds: 10
 ---
@ -619,7 +696,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/system: "true"
@ -634,7 +711,7 @@ spec:
  template:
    metadata:
      annotations:
-        cnrm.cloud.google.com/version: 1.15.1
+        cnrm.cloud.google.com/version: 1.27.2
      labels:
        cnrm.cloud.google.com/component: cnrm-controller-manager
        cnrm.cloud.google.com/system: "true"
@ -645,7 +722,7 @@ spec:
        - --prometheus-scrape-endpoint=:8888
        command:
        - /configconnector/manager
-        image: gcr.io/cnrm-eap/controller:b59b871
+        image: gcr.io/cnrm-eap/controller:1c8c589
        imagePullPolicy: Always
        name: manager
        readinessProbe:
@ -673,7 +750,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  annotations:
-    cnrm.cloud.google.com/version: 1.15.1
+    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/component: cnrm-deletiondefender
    cnrm.cloud.google.com/system: "true"
@ -688,7 +765,7 @@ spec:
  template:
    metadata:
      annotations:
-        cnrm.cloud.google.com/version: 1.15.1
+        cnrm.cloud.google.com/version: 1.27.2
      labels:
        cnrm.cloud.google.com/component: cnrm-deletiondefender
        cnrm.cloud.google.com/system: "true"
@ -698,7 +775,7 @@ spec:
        - --stderrthreshold=INFO
        command:
        - /configconnector/deletiondefender
-        image: gcr.io/cnrm-eap/deletiondefender:b59b871
+        image: gcr.io/cnrm-eap/deletiondefender:1c8c589
        imagePullPolicy: Always
        name: deletiondefender
        readinessProbe:
@ -713,7 +790,6 @@ spec:
            cpu: 100m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
        securityContext:
          privileged: false
@ -721,3 +797,27 @@ spec:
          runAsUser: 1000
      serviceAccountName: cnrm-deletiondefender
      terminationGracePeriodSeconds: 10
 ---
 apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.27.2
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook
  namespace: cnrm-system
 spec:
  maxReplicas: 10
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 60
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: cnrm-webhook-manager
--- a/gcp/v2/management/cnrm-install/install-system/crds.yaml
+++ b/gcp/v2/management/cnrm-install/install-system/crds.yaml