Commit Graph

2 Commits

Author SHA1 Message Date
Jeremy Lewi 4c1221c1d6
Fix management blueprint kptfile and stop using namespace mode for CNRM. (#1432)
* Fix management blueprint kptfile and stop using namespace mode for CNRM.

* The management blueprint should have its own KptFile
  * Prior to this PR there was only a KptFile at gcp/
  * This doesn't work because for the management cluster we
    only pull the package gcp/v2/management

* Related to kubeflow/gcp-blueprints#102
* Related to kubeflow/gcp-blueprints#93

* For CNRM Switch to workload identity and stop using namespace mode for CNRM; kubeflow/gcp-blueprints#13

  * Using namespace mode is just extra complexity because we have to install
    a separate copy of the CNRM controller for every project.
    * The only reason to really do that is if you want to use different
      GCP service accounts to manage different projects. Typically that's
      not what we do.
    * With workload identity we have 1 namespace per project but they
      all use the same GCP SA so the GCP SA can just be authorized to
      access multiple projects or a folder as needed.

* Update the resources to the v1beta1 spec for use with AnthosCLI

  * It looks like anthoscli requires a NodePool resource
  * With the v1beta1 specs we need to add the annotation gke.cluster.io = "bootstrap://" so that anthoscli is able to probably group the resources.

* Move cnrm-install iam and services into kustomize packages
  * This way we can hydrate them like we do other manifests

* Fix the setters and substitutions for CNRM to make them unique per name
  * This way we could potentially have multiple management clusters per project
    which if nothing else will be useful for testing.

* Add workload identity pool to the management cluster.

* Management nodepool should set workloadMetadataConfig so that we run the workload identity servers.

* Fix.
2020-07-29 20:16:30 -07:00
Jeremy Lewi 78c961af13
Convert v1 to v2 setters & substitutions in gcp (#1398)
* Convert v1 to v2 setters & substitutions in gcp

* The latest version of kpt started choking on gcp/v2 because we were
  still using the old style setters and substitutions.

* This PR creates a kptfile to use the new setter and substitutions.

* hack/create_kptfile.py contains a script to generate a lot of the setters
  and substitutions.

* kf-vm-sa.yaml shouldn't specify the namespace; this will get set in an overlay

* Move workload identity bindings for kf-admin KSA from kubeflow/instance in gcp blueprints repo into this repository.

related to gcp-blueprints#89

* Fix image mirror substitution.

* Create a KptFile for stacks.

* Add conversion for stacks.

* Add KptFile for stacks/gcp
2020-07-20 21:21:13 -07:00