diff --git a/Makefile b/Makefile index 531ad0d9..cb4b61b5 100755 --- a/Makefile +++ b/Makefile 
@@ -1,43 +1,19 @@ -#*********************************************************************************************************************** -# Edit this section to set the values specific to your deployment - -.PHONY: set-cfg-values -set-cfg-values: - kpt cfg set -R . gke.private false - - kpt cfg set -R . mgmt-ctxt - - kpt cfg set -R . name - kpt cfg set -R . gcloud.project.projectNumber - kpt cfg set -R . gcloud.core.project - kpt cfg set -R . gcloud.compute.zone - kpt cfg set -R . location - kpt cfg set -R . log-firewalls false - - kpt cfg set -R . email - -# Reset various kpt values to default values and remove other -# files that shouldn't be included in PRs -# TODO(jlewi): We should add a test to make sure changed values don't get checked in -# We don't run it in generate because we don't want to force all developers to install kpt -clean-for-pr: reset-cfg-values - rm -rf kubeflow/.build - rm -rf management/.build - - rm -rf kubeflow/upstream/manifests - rm -rf management/upstream/management - .PHONY: reset-cfg-values reset-cfg-values: - kpt cfg set -R . gke.private false - + kpt cfg set -R kubeflow name KUBEFLOW-NAME + + kpt cfg set -R management name MANAGEMENT-NAME kpt cfg set -R . mgmt-ctxt MANAGEMENT-CTXT - kpt cfg set -R . name KUBEFLOW-NAME - kpt cfg set -R . gcloud.core.project PROJECT - kpt cfg set -R . gcloud.project.projectNumber PROJECT_NUMBER - kpt cfg set -R . gcloud.compute.zone ZONE - kpt cfg set -R . location LOCATION - kpt cfg set -R . log-firewalls false + kpt cfg set -R . gcloud.core.project PROJECT + kpt cfg set -R . gcloud.project.projectNumber PROJECT_NUMBER + kpt cfg set -R . location LOCATION + kpt cfg set -R . gcloud.compute.zone ZONE + kpt cfg set -R . gcloud.compute.region REGION + kpt cfg set -R . bucket-name BUCKET-NAME + kpt cfg set -R . cloudsql-name CLOUDSQL-NAME - kpt cfg set -R . email EMAIL \ No newline at end of file + kpt cfg set -R . email EMAIL + + kpt cfg set -R . gke.private false + kpt cfg set -R . 
log-firewalls false diff --git a/kubeflow/Makefile b/kubeflow/Makefile index a6f774d3..ca8fb724 100644 --- a/kubeflow/Makefile +++ b/kubeflow/Makefile @@ -47,6 +47,7 @@ check-name: PROJECT=$(PROJECT) NAME=$(NAME) ./hack/check_domain_length.sh components= \ +common/managed-storage \ common/cnrm \ common/asm \ common/kubeflow-namespace \ @@ -78,20 +79,20 @@ clean-build: done .PHONY: hydrate -hydrate: validate-values check-name +hydrate: validate-values check-name @for component in $(components) ; do \ (BUILD_DIR=$(BUILD_DIR) NAME=$(NAME) KFCTXT=$(KFCTXT) LOCATION=$(LOCATION) PROJECT=$(PROJECT) ./hack/apply_component.sh -path $$component -hydrate_only) || exit 1; \ done .PHONY: apply -apply: validate-values check-name +apply: validate-values check-name @for component in $(components) ; do \ (BUILD_DIR=$(BUILD_DIR) NAME=$(NAME) KFCTXT=$(KFCTXT) LOCATION=$(LOCATION) PROJECT=$(PROJECT) ./hack/apply_component.sh -path $$component) || exit 1; \ done KFCTXT=$(KFCTXT) $(MAKE) -C common/iap-ingress pod-reset -# Delete gcp resources .PHONY: delete delete: + # Delete gcp resources except managed storage BUILD_DIR=$(BUILD_DIR) MGMTCTXT=$(MGMTCTXT) ./hack/delete_gcp.sh diff --git a/kubeflow/README.md b/kubeflow/README.md index 85ad3a79..8a098c56 100644 --- a/kubeflow/README.md +++ b/kubeflow/README.md @@ -9,14 +9,14 @@ Install the necessary tools if not already. 1. Install gcloud SDK and deployment tools: -``` +```bash gcloud components install kubectl kpt beta gcloud components update ``` -2. Install Kustomize +2. Install Kustomize: -``` +```bash # Detect your OS and download corresponding latest Kustomize binary curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash 
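Review bot: Moving the "Delete gcp resources" comment into the recipe of `delete` changes it from a Make comment into a shell line: because it is recipe text, make echoes `# Delete gcp resources except managed storage` on every run and spawns a shell for it. Keep it above the target instead, `# Delete gcp resources except managed storage` followed by `.PHONY: delete` / `delete:`. The "except managed storage" claim appears to hold because `delete_gcp.sh` only deletes `common/cnrm/$BUILD_DIR` while `common/managed-storage` hydrates into its own build directory, but that depends on `apply_component.sh`, which is outside this diff.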
@@ -28,13 +28,13 @@ sudo mv ./kustomize /usr/local/bin/kustomize Follow the yq v3 [installation instruction](https://github.com/mikefarah/yq#install). For example, if using wget, you can run following commands: -``` +```bash sudo wget https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq ``` 4. Install jq https://stedolan.github.io/jq/, for example, we can run the following command on Linux: -``` +```bash sudo apt install jq ``` @@ -42,52 +42,36 @@ sudo apt install jq Go to Kubeflow Cluster -``` +```bash cd kubeflow ``` `kubeflow/gcp-blueprints` utilizes upstream repositority `kubeflow/manifests` for versioned manifests of multiple Kubeflow components. We need to first fetch upstream manifests by running command: -``` +```bash bash ./pull_upstream.sh ``` - ### Environment Variables +Provide actual value for the following variables in `env.sh`, refer to detailed +documentation in env.sh. +Set the environment variables in your shell: -Provide actual value for the following variables in `env.sh`: - -``` -KF_NAME= -KF_PROJECT= -KF_DIR= -MGMT_NAME= -MGMTCTXT=${MGMT_NAME} -LOCATION= -``` - -Provide the actual value for the following variables in `kpt-set.sh`: - -``` -kpt cfg set -R . gcloud.project.projectNumber -kpt cfg set -R . email -``` - -Run the following commands to set environment variables and kpt setter - -``` +```bash source env.sh ``` -``` +Configure kpt setters as environement variables in packages: + +```bash bash kpt-set.sh ``` -Set the Client ID and Secret from IAP Oauth step: +Set the Client ID and Secret from IAP OAuth step: -``` +```bash export CLIENT_ID= export CLIENT_SECRET= ``` 
@@ -95,46 +79,45 @@ export CLIENT_SECRET= ### Deploy Kubeflow Cluster -Run following command to login +Run following command to login: -``` +```bash gcloud auth login ``` - Set the google project you want to deploy. -``` +```bash gcloud config set project $KF_PROJECT ``` - -Set default cluster location -``` -gcloud config set compute/zone $LOCATION -``` - Deploy Kubeflow cluster, required Google Cloud resources and all Kubeflow components: -``` +```bash make apply ``` ## Other Commands +Reminder, all the following commands assume you already set up env vars by: + +```bash +source env.sh +``` ### Hydrate all manifests but not apply them -If you want to check the resource in `/build` directories before applying them. You can use `hydrate-all` before running `apply-all`: +If you want to check the resources in `build` directories first, run the +following command before `make apply`: -``` +```bash make hydrate ``` ### Clean up the hydration result from all components -After hydration or apply, you will have `build` folder in each component for manifest yaml files. If you want to cleean them up, you can run: +After hydration or apply, you will have `build` folder in each component for manifest yaml files. If you want to clean them up, you can run: -``` +```bash make clean-build ``` @@ -142,6 +125,20 @@ make clean-build Deleting cluster itself doesn't necessarily remove all resources created by this instruction. You can run the following command to clean them up: +```bash +make delete ``` + +#### Delete managed storage + +Managed storage -- CloudSQL and Cloud Storage (GCS) bucket contains Kubeflow +Pipelines data, they are not deleted by default when deleting the Kubeflow +cluster, because you can re-deploy a new Kubeflow cluster using existing managed +storages. + +Run the following commands to delete managed storage: + +```bash +cd common/managed-storage make delete ``` 
diff --git a/kubeflow/apps/pipelines/Kptfile b/kubeflow/apps/pipelines/Kptfile index 1e9fe6f3..3049d5c9 100755 --- a/kubeflow/apps/pipelines/Kptfile +++ b/kubeflow/apps/pipelines/Kptfile @@ -170,11 +170,11 @@ openAPI: x-k8s-cli: setter: name: cloudsql-name - value: dev-4-28-kfp-4 + value: CLOUDSQL-NAME isSet: true io.k8s.cli.setters.bucket-name: x-k8s-cli: setter: name: bucket-name - value: dev-4-28-kfp-artifacts + value: BUCKET-NAME isSet: true diff --git a/kubeflow/apps/pipelines/cloudsql/cnrm/kustomization.yaml b/kubeflow/apps/pipelines/cloudsql/cnrm/kustomization.yaml index 19a85097..54e96729 100644 --- a/kubeflow/apps/pipelines/cloudsql/cnrm/kustomization.yaml +++ b/kubeflow/apps/pipelines/cloudsql/cnrm/kustomization.yaml @@ -14,10 +14,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -commonLabels: - component: db resources: - iam.yaml -- sql-instance.yaml - sql-user-root.yaml - proxy-gsa.yaml diff --git a/kubeflow/apps/pipelines/cloudsql/cnrm/sql-user-root.yaml b/kubeflow/apps/pipelines/cloudsql/cnrm/sql-user-root.yaml index 1d53d333..2d8a3b1d 100644 --- a/kubeflow/apps/pipelines/cloudsql/cnrm/sql-user-root.yaml +++ b/kubeflow/apps/pipelines/cloudsql/cnrm/sql-user-root.yaml @@ -19,6 +19,6 @@ metadata: spec: resourceID: root instanceRef: - name: dev-4-28-kfp-4 # {"$kpt-set":"cloudsql-name"} + name: CLOUDSQL-NAME # {"$kpt-set":"cloudsql-name"} password: value: "" # override with your own password, TODO(Bobgy): document how to change password diff --git a/kubeflow/apps/pipelines/cloudsql/pipeline-install-config-patch.yaml b/kubeflow/apps/pipelines/cloudsql/pipeline-install-config-patch.yaml index b8a44354..9c35a39c 100644 --- a/kubeflow/apps/pipelines/cloudsql/pipeline-install-config-patch.yaml +++ b/kubeflow/apps/pipelines/cloudsql/pipeline-install-config-patch.yaml 
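Review bot: The `SQLUser` for `root` is still created with `password.value: ""`, i.e. an empty root password on the instance, and this change only swaps the instance reference while leaving the `TODO(Bobgy)` in place. Config Connector's SQLUser accepts `password.valueFrom.secretKeyRef`, so the manifest could reference a Kubernetes Secret rather than embedding a value: replace `value: ""` with `valueFrom: {secretKeyRef: {name: <secret-name>, key: password}}` and document how the user creates that Secret. If an empty password is intentional because the instance is only reachable through the Cloud SQL proxy with IAM, say so in the comment; as written, a reader cannot tell whether it is a placeholder or a decision.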
@@ -19,4 +19,4 @@ metadata: # Reference: # https://github.com/kubeflow/pipelines/blob/1.5.0/manifests/kustomize/base/installs/generic/pipeline-install-config.yaml data: - gcsCloudSqlInstanceName: PROJECT:REGION:dev-4-28-kfp-4 # {"$kpt-set": "cloudsql-instance-connection-name"} + gcsCloudSqlInstanceName: PROJECT:REGION:CLOUDSQL-NAME # {"$kpt-set": "cloudsql-instance-connection-name"} diff --git a/kubeflow/apps/pipelines/gcs/cnrm/iam.yaml b/kubeflow/apps/pipelines/gcs/cnrm/iam.yaml index db4ec1a5..421d6c0a 100644 --- a/kubeflow/apps/pipelines/gcs/cnrm/iam.yaml +++ b/kubeflow/apps/pipelines/gcs/cnrm/iam.yaml @@ -4,7 +4,7 @@ metadata: name: KUBEFLOW-NAME-kfp-gcs-acl # {"$kpt-set":"gcs-acl"} spec: bucketRef: - name: dev-4-28-kfp-artifacts # {"$kpt-set":"bucket-name"} + name: BUCKET-NAME # {"$kpt-set":"bucket-name"} entity: user-KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set": "user-sa-entity"} role: OWNER --- diff --git a/kubeflow/apps/pipelines/gcs/cnrm/kustomization.yaml b/kubeflow/apps/pipelines/gcs/cnrm/kustomization.yaml index 8df9f9d3..4a05cbae 100644 --- a/kubeflow/apps/pipelines/gcs/cnrm/kustomization.yaml +++ b/kubeflow/apps/pipelines/gcs/cnrm/kustomization.yaml @@ -14,8 +14,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -commonLabels: - component: gcs resources: -- bucket.yaml - iam.yaml diff --git a/kubeflow/apps/pipelines/gcs/pipeline-install-config-patch.yaml b/kubeflow/apps/pipelines/gcs/pipeline-install-config-patch.yaml index efed1ed6..530db941 100644 --- a/kubeflow/apps/pipelines/gcs/pipeline-install-config-patch.yaml +++ b/kubeflow/apps/pipelines/gcs/pipeline-install-config-patch.yaml 
@@ -19,5 +19,5 @@ metadata: # Reference: # https://github.com/kubeflow/pipelines/blob/1.5.0/manifests/kustomize/base/installs/generic/pipeline-install-config.yaml data: - bucketName: dev-4-28-kfp-artifacts # {"$kpt-set":"bucket-name"} + bucketName: BUCKET-NAME # {"$kpt-set":"bucket-name"} gcsProjectId: PROJECT # {"$kpt-set": "gcloud.core.project"} diff --git a/kubeflow/apps/profiles/Kptfile b/kubeflow/apps/profiles/Kptfile index 8b47bda7..2658fb2d 100755 --- a/kubeflow/apps/profiles/Kptfile +++ b/kubeflow/apps/profiles/Kptfile @@ -16,16 +16,19 @@ openAPI: setter: name: name value: KUBEFLOW-NAME + isSet: true io.k8s.cli.setters.gcloud.core.project: x-k8s-cli: setter: name: gcloud.core.project value: PROJECT + isSet: true io.k8s.cli.setters.email: x-k8s-cli: setter: name: email value: EMAIL + isSet: true io.k8s.cli.substitutions.admin-sa-ref: x-k8s-cli: substitution: diff --git a/kubeflow/common/Kptfile b/kubeflow/common/Kptfile index d45171df..db406e16 100755 --- a/kubeflow/common/Kptfile +++ b/kubeflow/common/Kptfile @@ -29,6 +29,7 @@ openAPI: setter: name: gcloud.compute.region value: REGION + isSet: true io.k8s.cli.setters.location: x-k8s-cli: setter: diff --git a/kubeflow/common/cluster/upstream/Kptfile b/kubeflow/common/cluster/upstream/Kptfile index d45171df..db406e16 100755 --- a/kubeflow/common/cluster/upstream/Kptfile +++ b/kubeflow/common/cluster/upstream/Kptfile @@ -29,6 +29,7 @@ openAPI: setter: name: gcloud.compute.region value: REGION + isSet: true io.k8s.cli.setters.location: x-k8s-cli: setter: diff --git a/kubeflow/common/iam/upstream/Kptfile b/kubeflow/common/iam/upstream/Kptfile index d45171df..db406e16 100755 --- a/kubeflow/common/iam/upstream/Kptfile +++ b/kubeflow/common/iam/upstream/Kptfile @@ -29,6 +29,7 @@ openAPI: setter: name: gcloud.compute.region value: REGION + isSet: true io.k8s.cli.setters.location: x-k8s-cli: setter: 
diff --git a/kubeflow/common/ingress/upstream/Kptfile b/kubeflow/common/ingress/upstream/Kptfile index d45171df..db406e16 100755 --- a/kubeflow/common/ingress/upstream/Kptfile +++ b/kubeflow/common/ingress/upstream/Kptfile @@ -29,6 +29,7 @@ openAPI: setter: name: gcloud.compute.region value: REGION + isSet: true io.k8s.cli.setters.location: x-k8s-cli: setter: diff --git a/kubeflow/common/managed-storage/Kptfile b/kubeflow/common/managed-storage/Kptfile new file mode 100644 index 00000000..9854fd9a --- /dev/null +++ b/kubeflow/common/managed-storage/Kptfile @@ -0,0 +1,50 @@ +apiVersion: kpt.dev/v1alpha1 +kind: Kptfile +metadata: + name: storage +packageMetadata: + shortDescription: sample description +openAPI: + definitions: + io.k8s.cli.setters.name: + x-k8s-cli: + setter: + name: name + value: KUBEFLOW-NAME + isSet: true + io.k8s.cli.setters.gcloud.core.project: + x-k8s-cli: + setter: + name: gcloud.core.project + value: PROJECT + isSet: true + io.k8s.cli.setters.gcloud.compute.region: + x-k8s-cli: + setter: + name: gcloud.compute.region + value: REGION + isSet: true + io.k8s.cli.setters.gcloud.compute.zone: + x-k8s-cli: + setter: + name: gcloud.compute.zone + value: ZONE + isSet: true + io.k8s.cli.setters.cloudsql-name: + x-k8s-cli: + setter: + name: cloudsql-name + value: CLOUDSQL-NAME + isSet: true + io.k8s.cli.setters.bucket-name: + x-k8s-cli: + setter: + name: bucket-name + value: BUCKET-NAME + isSet: true + io.k8s.cli.setters.mgmt-ctxt: + x-k8s-cli: + setter: + name: mgmt-ctxt + value: MANAGEMENT-CTXT + isSet: true diff --git a/kubeflow/common/managed-storage/Makefile b/kubeflow/common/managed-storage/Makefile new file mode 100644 index 00000000..04f31757 --- /dev/null +++ b/kubeflow/common/managed-storage/Makefile 
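Review bot: The new `common/managed-storage/Kptfile` ships with `shortDescription: sample description`, a leftover from the kpt template, and `metadata.name: storage`, which does not match the directory name used everywhere else in this change. Suggest `shortDescription: CloudSQL instance and GCS bucket used by Kubeflow Pipelines` and `name: managed-storage` so `kpt pkg desc` output is meaningful.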
@@ -0,0 +1,51 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+KF_PROJECT=$(shell yq r ./Kptfile 'openAPI.definitions."io.k8s.cli.setters.gcloud.core.project".x-k8s-cli.setter.value')
+# The kubectl context for your management cluster
+MGMTCTXT=$(shell yq r ./Kptfile 'openAPI.definitions."io.k8s.cli.setters.mgmt-ctxt".x-k8s-cli.setter.value')
+build_dir?=./build
+
+.PHONY: hydrate
+hydrate:
+ rm -rf $(build_dir)
+ mkdir -p $(build_dir)
+ kustomize build -o $(build_dir)/ .
+
+.PHONY: apply
+apply: apply-cnrm wait
+
+.PHONY: delete
+delete:
+ kubectl --context=$(MGMTCTXT) delete -f $(build_dir)
+
+.PHONY: apply-cnrm
+apply-cnrm: hydrate
+ kubectl --context=$(MGMTCTXT) apply -f $(build_dir)
+
+.PHONY: wait
+wait:
+ # Wait for all Google Cloud resources to get created and become ready.
+ # If this takes long, you can view status by:
+ @echo "cd common/managed-storage && make status"
+ # For resources with READY=False, debug by:
+ @echo "kubectl --context=$(MGMTCTXT) -n $(KF_PROJECT) describe /"
+ @echo
+ kubectl --context=$(MGMTCTXT) wait --for=condition=Ready --timeout=100s -f $(build_dir) \
+|| kubectl --context=$(MGMTCTXT) get -f $(build_dir)
+ kubectl --context=$(MGMTCTXT) wait --for=condition=Ready --timeout=500s -f $(build_dir)
+
+.PHONY: status
+status:
+ kubectl --context=$(MGMTCTXT) get -f $(build_dir)
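Review bot: The new `delete` target runs `kubectl delete -f $(build_dir)` with no confirmation, and the only resources in that build output are the CloudSQL instance and the GCS bucket holding Kubeflow Pipelines data; the top-level `delete_gcp.sh` asks for a `[y/N]` before destroying anything, so this is the one path that destroys data silently. `KF_PROJECT` and `MGMTCTXT` also use `=` with `$(shell yq …)`, which re-runs `yq` on every reference; `:=` evaluates them once. The `describe /` placeholder in the `wait` target's echo looks like it lost its `<kind>/<name>` text somewhere, but that may be a rendering artifact of this page. Proposed change (the prompt is POSIX `sh`-safe, so it does not depend on `SHELL := bash`):

```make
KF_PROJECT := $(shell yq r ./Kptfile 'openAPI.definitions."io.k8s.cli.setters.gcloud.core.project".x-k8s-cli.setter.value')
# The kubectl context for your management cluster
MGMTCTXT := $(shell yq r ./Kptfile 'openAPI.definitions."io.k8s.cli.setters.mgmt-ctxt".x-k8s-cli.setter.value')
# … unchanged: build_dir, hydrate, apply, apply-cnrm, wait, status …

.PHONY: delete
delete:
	@printf '%s\n' "This deletes the CloudSQL instance and GCS bucket in $(build_dir), including all Kubeflow Pipelines data they hold. Confirm? [y/N]"; \
	read -r REPLY; \
	case "$$REPLY" in y|Y) ;; *) echo "aborted"; exit 1;; esac
	kubectl --context=$(MGMTCTXT) delete -f $(build_dir)
```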
diff --git a/kubeflow/apps/pipelines/cloudsql/cnrm/enable-services.sh b/kubeflow/common/managed-storage/cloudsql/enable-services.sh similarity index 100% rename from kubeflow/apps/pipelines/cloudsql/cnrm/enable-services.sh rename to kubeflow/common/managed-storage/cloudsql/enable-services.sh diff --git a/kubeflow/apps/pipelines/cloudsql/cnrm/sql-instance.yaml b/kubeflow/common/managed-storage/cloudsql/sql-instance.yaml similarity index 96% rename from kubeflow/apps/pipelines/cloudsql/cnrm/sql-instance.yaml rename to kubeflow/common/managed-storage/cloudsql/sql-instance.yaml index 3dffc853..a41ba364 100644 --- a/kubeflow/apps/pipelines/cloudsql/cnrm/sql-instance.yaml +++ b/kubeflow/common/managed-storage/cloudsql/sql-instance.yaml @@ -15,7 +15,7 @@ apiVersion: sql.cnrm.cloud.google.com/v1beta1 kind: SQLInstance metadata: - name: dev-4-28-kfp-4 # {"$kpt-set":"cloudsql-name"} + name: CLOUDSQL-NAME # {"$kpt-set":"cloudsql-name"} # Spec reference: # https://cloud.google.com/config-connector/docs/reference/resource-docs/sql/sqlinstance # Other examples to enable private cloudsql or high availability: diff --git a/kubeflow/apps/pipelines/gcs/cnrm/bucket.yaml b/kubeflow/common/managed-storage/gcs/bucket.yaml similarity index 80% rename from kubeflow/apps/pipelines/gcs/cnrm/bucket.yaml rename to kubeflow/common/managed-storage/gcs/bucket.yaml index fd332a68..1bd14fff 100644 --- a/kubeflow/apps/pipelines/gcs/cnrm/bucket.yaml +++ b/kubeflow/common/managed-storage/gcs/bucket.yaml 
@@ -16,8 +16,10 @@ apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: annotations: - cnrm.cloud.google.com/force-destroy: "false" - name: dev-4-28-kfp-artifacts # {"$kpt-set":"bucket-name"} + # If set to true, the force-destroy directive cleans up the objects within a + # storage bucket before issuing the delete command. + cnrm.cloud.google.com/force-destroy: "true" + name: BUCKET-NAME # {"$kpt-set":"bucket-name"} # Reference: # https://cloud.google.com/config-connector/docs/reference/resource-docs/storage/storagebucket spec: diff --git a/kubeflow/common/managed-storage/kustomization.yaml b/kubeflow/common/managed-storage/kustomization.yaml new file mode 100644 index 00000000..e2f4d640 --- /dev/null +++ b/kubeflow/common/managed-storage/kustomization.yaml @@ -0,0 +1,23 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: PROJECT # {"$kpt-set":"gcloud.core.project"} +commonLabels: + kf-name: KUBEFLOW-NAME # {"$kpt-set":"name"} + app: managed-storage +resources: +- cloudsql/sql-instance.yaml +- gcs/bucket.yaml diff --git a/kubeflow/env.sh b/kubeflow/env.sh index f9cb0dfe..4a541cd8 100644 --- a/kubeflow/env.sh +++ b/kubeflow/env.sh 
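Review bot: Flipping `cnrm.cloud.google.com/force-destroy` from `"false"` to `"true"` means that deleting the `StorageBucket` Kubernetes object now also deletes every object in the bucket, so a `make delete` in `common/managed-storage` (or any accidental removal of the resource from the management cluster) irreversibly destroys all pipeline artifacts; the added comment describes the mechanism but not that consequence, and the README text in this change only says managed storage is kept "by default". Suggest making the trade-off explicit in the comment: `# WARNING: with force-destroy "true", deleting this StorageBucket resource (e.g. "make delete" in common/managed-storage) also deletes every object in the bucket. Set to "false" to require the bucket to be empty first.` If the goal is merely to let the Kubernetes resource go away without touching data, Config Connector's `cnrm.cloud.google.com/deletion-policy: abandon` annotation may be the safer default for a data bucket, though I have not verified its exact semantics for this resource version.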
@@ -1,11 +1,55 @@ -export KF_NAME= -export KF_PROJECT= -export KF_DIR= +# 1. Edit . +# 2. Other env vars are configurable, but with default values set below. + +# The KF_PROJECT env var contains the Google Cloud project ID where Kubeflow +# cluster will be deployed to. +export KF_PROJECT= +# You can get your project number by running this command +# (replace ${KF_PROJECT} with the actual project ID): +# gcloud projects describe --format='value(projectNumber)' "${KF_PROJECT}" +export KF_PROJECT_NUMBER= +# ADMIN_EMAIL env var is the Kubeflow admin's email address, it should be +# consistent with login email on Google Cloud. +# Example: admin@gmail.com +export ADMIN_EMAIL= +# The MGMT_NAME env var contains the name of your management cluster created in +# management cluster setup: +# https://www.kubeflow.org/docs/distributions/gke/deploy/management-setup/ export MGMT_NAME= +# The MGMTCTXT env var contains a kubectl context that connects to the management +# cluster. By default, management cluster setup creates a context named +# ${MGMT_NAME} for you. export MGMTCTXT="${MGMT_NAME}" -export LOCATION= -export ADMIN_EMAIL= -export ASM_LABEL=asm-192-1 +###################### +# NOTICE: The following env vars have default values, but they are also configurable. +###################### -export KF_PROJECT_NUMBER=$(gcloud projects describe ${KF_PROJECT} --format='value(projectNumber)') +# KF_NAME env var is name of your new Kubeflow cluster. +# It should satisfy the following prerequisites: +# * be unique within your project, e.g. if you already deployed cluster with the +# name "kubeflow", use a different name when deploying another Kubeflow cluster. +# * start with a lowercase letter +# * only contain lowercase letters, numbers and "-"s (hyphens) +# * end with a number or a letter +# * contain no more than 24 characters +export KF_NAME=kubeflow +# Default values for managed storage used by Kubeflow Pipelines (KFP), you can +# override as you like. 
+# The CloudSQL instance and Cloud Storage bucket instance are created during +# deployment, so you should make sure their names are not used before. +export CLOUDSQL_NAME="${KF_NAME}-kfp" +# Note, Cloud Storage bucket name needs to be globally unique across projects. +# So we default to a name related to ${KF_PROJECT}. +export BUCKET_NAME="${KF_PROJECT}-kfp" +# LOCATION can either be a zone or a region, that determines whether the deployed +# Kubeflow cluster is a zonal cluster or a regional cluster. +# Specify LOCATION as a region like the following line to create a regional Kubeflow cluster. +# export LOCATION=us-central1 +export LOCATION=us-central1-c +# REGION should match LOCATION. +export REGION=us-central1 +# Preferred zone of Cloud SQL. Note, ZONE should be in REGION. +export ZONE=us-central1-c +# Anthos Service Mesh version label +export ASM_LABEL=asm-192-1 diff --git a/kubeflow/hack/delete_gcp.sh b/kubeflow/hack/delete_gcp.sh index c6c8f3bc..fba9da6a 100755 --- a/kubeflow/hack/delete_gcp.sh +++ b/kubeflow/hack/delete_gcp.sh @@ -1,9 +1,15 @@ #!/bin/bash -set -e +set -ex -echo "Deleting all GCP resources will cause destruction of all services and data on this cluster. Confirm? [y/N]"; -read REPLY; -if [[ $REPLY =~ ^[Yy]$ ]] -then - kubectl --context=$MGMTCTXT delete -f common/cnrm/$BUILD_DIR +if [[ -z "${MGMTCTXT}" ]]; then + echo "MGMTCTXT env var is required" + exit 1 +fi + +echo "Deleting all GCP resources will cause destruction of all services and data on this cluster. Confirm? [y/N]"; +read REPLY; +if [[ "${REPLY}" =~ ^[Yy]$ ]] +then + BUILD_DIR="${BUILD_DIR:-build}" + kubectl --context="${MGMTCTXT}" delete -f "common/cnrm/${BUILD_DIR}" fi diff --git a/kubeflow/kpt-set.sh b/kubeflow/kpt-set.sh index 89626bf3..655bae6c 100644 --- a/kubeflow/kpt-set.sh +++ b/kubeflow/kpt-set.sh 
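Review bot: The header comment of `env.sh` now reads `# 1. Edit .`, which gives the reader no list of what must be edited, while the section comments below do distinguish required values from defaults; this may be angle-bracketed text lost in rendering, but as shown it is unhelpful. Suggest `# 1. Edit the required env vars below: KF_PROJECT, KF_PROJECT_NUMBER, ADMIN_EMAIL and MGMT_NAME.` followed by the existing line 2. Note also that `BUCKET_NAME="${KF_PROJECT}-kfp"` is expanded at `source` time, so a user who sources the file before filling in `KF_PROJECT` silently gets a bucket name of `-kfp`; the `-z` check on `KF_PROJECT` in `kpt-set.sh` catches that case only as long as the two scripts stay in step.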
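Review bot: `read REPLY` on the confirmation prompt in `delete_gcp.sh` should be `read -r REPLY`, since without `-r` a backslash in the input is interpreted rather than taken literally (shellcheck SC2162); the rest of the rewrite — quoting, the `MGMTCTXT` guard and the `BUILD_DIR` default — is an improvement. Switching `set -e` to `set -ex` now traces every line, including the `kubectl --context=… delete` command, which is useful here but worth noting since the script is invoked from `make delete`. Under `set -e`, a non-interactive run (no TTY) makes `read` fail and the script abort before deleting anything, which is the safe direction; a one-line comment saying that this is intended would prevent someone "fixing" it later.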
@@ -1,24 +1,69 @@ - -# Use kpt to set kustomize values +# Set kpt setters using env vars. set -ex -kpt cfg set -R . gke.private false +if [[ -z "${KF_NAME}" ]]; then + echo "KF_NAME env var is required" + exit 1 +fi +if [[ -z "${MGMT_NAME}" ]]; then + echo "MGMT_NAME env var is required" + exit 1 +fi +if [[ -z "${KF_PROJECT}" ]]; then + echo "KF_PROJECT env var is required" + exit 1 +fi +if [[ -z "${KF_PROJECT_NUMBER}" ]]; then + echo "KF_PROJECT_NUMBER env var is required" + exit 1 +fi +if [[ -z "${LOCATION}" ]]; then + echo "LOCATION env var is required" + exit 1 +fi +if [[ -z "${ZONE}" ]]; then + echo "ZONE env var is required" + exit 1 +fi +if [[ -z "${REGION}" ]]; then + echo "REGION env var is required" + exit 1 +fi +if [[ -z "${ADMIN_EMAIL}" ]]; then + echo "ADMIN_EMAIL env var is required" + exit 1 +fi +if [[ -z "${ASM_LABEL}" ]]; then + echo "ASM_LABEL env var is required" + exit 1 +fi +if [[ -z "${CLOUDSQL_NAME}" ]]; then + echo "CLOUDSQL_NAME env var is required" + exit 1 +fi +if [[ -z "${BUCKET_NAME}" ]]; then + echo "BUCKET_NAME env var is required" + exit 1 +fi +# kpt setter documentation: +# https://googlecontainertools.github.io/kpt/guides/consumer/set/ kpt cfg set -R . mgmt-ctxt "${MGMT_NAME}" kpt cfg set -R . name "${KF_NAME}" kpt cfg set -R . gcloud.core.project "${KF_PROJECT}" -kpt cfg set -R . gcloud.compute.zone "${LOCATION}" +kpt cfg set -R . gcloud.project.projectNumber "${KF_PROJECT_NUMBER}" kpt cfg set -R . location "${LOCATION}" -kpt cfg set -R . log-firewalls false - +kpt cfg set -R . gcloud.compute.zone "${ZONE}" +kpt cfg set -R . gcloud.compute.region "${REGION}" kpt cfg set -R . email "${ADMIN_EMAIL}" kpt cfg set -R . asm-label "${ASM_LABEL}" -# Default values for Kubeflow Pipelines, you can override as you like. -kpt cfg set apps/pipelines cloudsql-name "${KF_NAME}-kfp" -kpt cfg set apps/pipelines bucket-name "${KF_NAME}-kfp-artifacts" - -kpt cfg set -R . 
gcloud.project.projectNumber "${KF_PROJECT_NUMBER}" +# common/managed-storage deploys specified CloudSQL and Cloud Storage bucket. +kpt cfg set common/managed-storage cloudsql-name "${CLOUDSQL_NAME}" +kpt cfg set common/managed-storage bucket-name "${BUCKET_NAME}" +# apps/pipelines uses specified CloudSQL and Cloud Storage bucket. +kpt cfg set apps/pipelines cloudsql-name "${CLOUDSQL_NAME}" +kpt cfg set apps/pipelines bucket-name "${BUCKET_NAME}" diff --git a/management/Kptfile b/management/Kptfile index ad5f53e1..0c3b636e 100644 --- a/management/Kptfile +++ b/management/Kptfile @@ -16,7 +16,7 @@ openAPI: x-k8s-cli: setter: name: name - value: NAME + value: MANAGEMENT-NAME isSet: true io.k8s.cli.setters.gcloud.core.project: x-k8s-cli: diff --git a/management/cluster/cluster.yaml b/management/cluster/cluster.yaml index 08906bb1..83506576 100644 --- a/management/cluster/cluster.yaml +++ b/management/cluster/cluster.yaml @@ -5,7 +5,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: - name: NAME # {"$kpt-set":"name"} + name: MANAGEMENT-NAME # {"$kpt-set":"name"} annotations: # We are defining the nodepool in nodepool.yaml cnrm.cloud.google.com/remove-default-node-pool: "true" diff --git a/management/cluster/nodepool.yaml b/management/cluster/nodepool.yaml index 4f410db7..961de1ec 100644 --- a/management/cluster/nodepool.yaml +++ b/management/cluster/nodepool.yaml @@ -2,7 +2,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerNodePool metadata: - name: NAME-pool # {"$kpt-set":"pool"} + name: MANAGEMENT-NAME-pool # {"$kpt-set":"pool"} spec: autoscaling: minNodeCount: 1 @@ -25,4 +25,4 @@ spec: autoRepair: true autoUpgrade: true clusterRef: - name: NAME # {"$kpt-set":"name"} + name: MANAGEMENT-NAME # {"$kpt-set":"name"} diff --git a/management/cnrm-install/iam/iam.yaml b/management/cnrm-install/iam/iam.yaml index 337f42ff..59866a41 100644 --- a/management/cnrm-install/iam/iam.yaml 
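Review bot: `kpt cfg set -R . mgmt-ctxt "${MGMT_NAME}"` sets the `mgmt-ctxt` setter — consumed as the kubectl context for the management cluster, per the `MGMTCTXT` comment in the new `managed-storage/Makefile` — from `MGMT_NAME`, while `env.sh` in this same change documents `MGMTCTXT` as the context and explicitly calls it configurable; a user who overrides `MGMTCTXT` will have `kpt-set.sh` silently write the cluster name instead. Suggest `kpt cfg set -R . mgmt-ctxt "${MGMTCTXT}"` and a required-var check on `MGMTCTXT` (env.sh defaults it to `${MGMT_NAME}`, so the check passes in the default case). On style, the eleven identical `-z` checks could be one loop, `for v in KF_NAME MGMT_NAME KF_PROJECT KF_PROJECT_NUMBER LOCATION ZONE REGION ADMIN_EMAIL ASM_LABEL CLOUDSQL_NAME BUCKET_NAME; do [[ -n "${!v}" ]] || { echo "$v env var is required"; exit 1; }; done`, which also makes it harder to forget a new variable.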
+++ b/management/cnrm-install/iam/iam.yaml @@ -1,7 +1,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: MANAGEMENT-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} spec: displayName: Service account for CNRM --- @@ -12,12 +12,12 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicy metadata: - name: NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} + name: MANAGEMENT-NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} spec: resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1alpha1 kind: IAMServiceAccount - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: MANAGEMENT-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/management/cnrm-install/install-system/configconnector-instance.yaml b/management/cnrm-install/install-system/configconnector-instance.yaml index 311d7436..b4f138fd 100644 --- a/management/cnrm-install/install-system/configconnector-instance.yaml +++ b/management/cnrm-install/install-system/configconnector-instance.yaml @@ -4,4 +4,4 @@ metadata: name: configconnector.core.cnrm.cloud.google.com spec: mode: cluster - googleServiceAccount: "NAME-cnrm-system@PROJECT.iam.gserviceaccount.com" # {"$kpt-set":"cnrm-system"} + googleServiceAccount: "MANAGEMENT-NAME-cnrm-system@PROJECT.iam.gserviceaccount.com" # {"$kpt-set":"cnrm-system"} diff --git a/management/managed-project/iam.yaml b/management/managed-project/iam.yaml index cc52561e..0fe63333 100644 --- a/management/managed-project/iam.yaml +++ b/management/managed-project/iam.yaml 
@@ -4,7 +4,7 @@ metadata: name: cnrm-system-MANAGED_PROJECT-owner # {"$kpt-set":"managed-project-policy-name"} namespace: MANAGED_PROJECT # {"$kpt-set":"managed-project"} spec: - member: serviceAccount:NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"managed-project-owner-member"} + member: serviceAccount:MANAGEMENT-NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"managed-project-owner-member"} role: roles/owner resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 diff --git a/packages/gcp-resources/Kptfile b/packages/gcp-resources/Kptfile index 83c5600b..7c48893b 100644 --- a/packages/gcp-resources/Kptfile +++ b/packages/gcp-resources/Kptfile @@ -10,32 +10,38 @@ openAPI: x-k8s-cli: setter: name: gcloud.core.project - value: project-id + value: PROJECT + isSet: true io.k8s.cli.setters.name: x-k8s-cli: setter: name: name - value: name + value: KUBEFLOW-NAME + isSet: true io.k8s.cli.setters.gcloud.compute.zone: x-k8s-cli: setter: name: gcloud.compute.zone value: ZONE + isSet: true io.k8s.cli.setters.gcloud.compute.region: x-k8s-cli: setter: name: gcloud.compute.region value: REGION + isSet: true io.k8s.cli.setters.location: x-k8s-cli: setter: name: location - value: location + value: LOCATION + isSet: true io.k8s.cli.setters.log-firewalls: x-k8s-cli: setter: name: log-firewalls value: "false" + isSet: true io.k8s.cli.substitutions.name-storage-metadata-store: x-k8s-cli: substitution: @@ -696,7 +702,8 @@ openAPI: x-k8s-cli: setter: name: gcloud.project.projectNumber - value: projectNumber + value: PROJECT_NUMBER + isSet: true io.k8s.cli.substitutions.asm-gcp-metadata: x-k8s-cli: substitution: diff --git a/packages/gcp-resources/asm/istio-operator.yaml b/packages/gcp-resources/asm/istio-operator.yaml index b0cef462..6a4ae107 100644 --- a/packages/gcp-resources/asm/istio-operator.yaml +++ b/packages/gcp-resources/asm/istio-operator.yaml 
@@ -15,7 +15,7 @@ apiVersion: install.istio.io/v1alpha2 kind: IstioControlPlane metadata: - clusterName: "project-id/location/name" # {"$kpt-set":"asm-cluster-name"} + clusterName: "PROJECT/LOCATION/KUBEFLOW-NAME" # {"$kpt-set":"asm-cluster-name"} spec: profile: asm hub: gcr.io/gke-release/asm @@ -25,14 +25,14 @@ spec: istio-ingressgateway: type: NodePort global: - meshID: "proj-projectNumber" # {"$kpt-set":"asm-mesh-id"} - trustDomain: "project-id.svc.id.goog" # {"$kpt-set":"identity-ns"} + meshID: "proj-PROJECT_NUMBER" # {"$kpt-set":"asm-mesh-id"} + trustDomain: "PROJECT.svc.id.goog" # {"$kpt-set":"identity-ns"} sds: token: - aud: "project-id.svc.id.goog" # {"$kpt-set":"identity-ns"} + aud: "PROJECT.svc.id.goog" # {"$kpt-set":"identity-ns"} proxy: env: - GCP_METADATA: "project-id|projectNumber|name|location" # {"$kpt-set":"asm-gcp-metadata"} + GCP_METADATA: "PROJECT|PROJECT_NUMBER|KUBEFLOW-NAME|LOCATION" # {"$kpt-set":"asm-gcp-metadata"} nodeagent: env: - GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/project-id/locations/location/clusters/name" # {"$kpt-set":"asm-cluster-url"} + GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/PROJECT/locations/LOCATION/clusters/KUBEFLOW-NAME" # {"$kpt-set":"asm-cluster-url"} diff --git a/packages/gcp-resources/cnrm/cluster/cluster.yaml b/packages/gcp-resources/cnrm/cluster/cluster.yaml index 5c7519bc..24fc740d 100644 --- a/packages/gcp-resources/cnrm/cluster/cluster.yaml +++ b/packages/gcp-resources/cnrm/cluster/cluster.yaml 
@@ -17,10 +17,10 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: - clusterName: "project-id/location/name" # {"$kpt-set":"cluster-name"} + clusterName: "PROJECT/LOCATION/KUBEFLOW-NAME" # {"$kpt-set":"cluster-name"} labels: - mesh_id: "proj-projectNumber" # {"$kpt-set":"asm-mesh-id"} - name: name # {"$kpt-set":"name"} + mesh_id: "proj-PROJECT_NUMBER" # {"$kpt-set":"asm-mesh-id"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: initialNodeCount: 2 addonsConfig: @@ -34,7 +34,7 @@ spec: - https://www.googleapis.com/auth/monitoring - https://www.googleapis.com/auth/devstorage.read_only serviceAccountRef: - name: name-vm # {"$kpt-set":"name-vm"} + name: KUBEFLOW-NAME-vm # {"$kpt-set":"name-vm"} resourceLimits: - resourceType: cpu maximum: 128 @@ -46,9 +46,9 @@ spec: # Per https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/194 # use upper case for the channels channel: REGULAR - location: location # {"$kpt-set":"location"} + location: LOCATION # {"$kpt-set":"location"} workloadIdentityConfig: - identityNamespace: project-id.svc.id.goog # {"$kpt-set":"identity-ns"} + identityNamespace: PROJECT.svc.id.goog # {"$kpt-set":"identity-ns"} loggingService: logging.googleapis.com/kubernetes monitoringService: monitoring.googleapis.com/kubernetes nodeConfig: @@ -60,6 +60,6 @@ spec: - https://www.googleapis.com/auth/monitoring - https://www.googleapis.com/auth/devstorage.read_only serviceAccountRef: - name: name-vm # {"$kpt-set":"name-vm"} + name: KUBEFLOW-NAME-vm # {"$kpt-set":"name-vm"} workloadMetadataConfig: - nodeMetadata: GKE_METADATA_SERVER \ No newline at end of file + nodeMetadata: GKE_METADATA_SERVER diff --git a/packages/gcp-resources/cnrm/cluster/kf-vm-policy.yaml b/packages/gcp-resources/cnrm/cluster/kf-vm-policy.yaml index d53438c4..fa7a50f8 100644 --- a/packages/gcp-resources/cnrm/cluster/kf-vm-policy.yaml +++ b/packages/gcp-resources/cnrm/cluster/kf-vm-policy.yaml 
@@ -1,71 +1,71 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-logging # {"$kpt-set":"name-vm-policy-logging"} + name: KUBEFLOW-NAME-vm-logging # {"$kpt-set":"name-vm-policy-logging"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/logging.logWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-policy-monitoring # {"$kpt-set":"name-vm-policy-monitoring"} + name: KUBEFLOW-NAME-vm-policy-monitoring # {"$kpt-set":"name-vm-policy-monitoring"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-policy-meshtelemetry # {"$kpt-set":"name-vm-policy-meshtelemetry"} + name: KUBEFLOW-NAME-vm-policy-meshtelemetry # {"$kpt-set":"name-vm-policy-meshtelemetry"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/meshtelemetry.reporter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: 
projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-policy-cloudtrace # {"$kpt-set":"name-vm-policy-cloudtrace"} + name: KUBEFLOW-NAME-vm-policy-cloudtrace # {"$kpt-set":"name-vm-policy-cloudtrace"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/cloudtrace.agent resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-policy-monitoring-viewer # {"$kpt-set":"name-vm-policy-monitoring-viewer"} + name: KUBEFLOW-NAME-vm-policy-monitoring-viewer # {"$kpt-set":"name-vm-policy-monitoring-viewer"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-vm-policy-storage # {"$kpt-set":"name-vm-policy-storage"} + name: KUBEFLOW-NAME-vm-policy-storage # {"$kpt-set":"name-vm-policy-storage"} spec: - member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} + member: serviceAccount:KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-service-account"} role: roles/storage.objectViewer 
resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} diff --git a/packages/gcp-resources/cnrm/cluster/kf-vm-sa.yaml b/packages/gcp-resources/cnrm/cluster/kf-vm-sa.yaml index 75f3993d..f10265d7 100644 --- a/packages/gcp-resources/cnrm/cluster/kf-vm-sa.yaml +++ b/packages/gcp-resources/cnrm/cluster/kf-vm-sa.yaml @@ -15,6 +15,6 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: name-vm # {"$kpt-set":"name-vm"} + name: KUBEFLOW-NAME-vm # {"$kpt-set":"name-vm"} spec: displayName: kubeflow vm service account diff --git a/packages/gcp-resources/cnrm/cluster/nodepool.yaml b/packages/gcp-resources/cnrm/cluster/nodepool.yaml index 04f25054..9a01068f 100644 --- a/packages/gcp-resources/cnrm/cluster/nodepool.yaml +++ b/packages/gcp-resources/cnrm/cluster/nodepool.yaml @@ -15,8 +15,8 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerNodePool metadata: - clusterName: "project-id/location/name" # {"$kpt-set":"cluster-name"} - name: name-cpu-pool-v1 # {"$kpt-set":"node-pool-cpu"} + clusterName: "PROJECT/LOCATION/KUBEFLOW-NAME" # {"$kpt-set":"cluster-name"} + name: KUBEFLOW-NAME-cpu-pool-v1 # {"$kpt-set":"node-pool-cpu"} spec: initialNodeCount: 2 autoscaling: @@ -28,8 +28,8 @@ spec: metadata: disable-legacy-endpoints: "true" serviceAccountRef: - name: name-vm@project-id.iam.gserviceaccount.com # {"$kpt-set":"vm-sa-ref"} + name: KUBEFLOW-NAME-vm@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"vm-sa-ref"} workloadMetadataConfig: nodeMetadata: GKE_METADATA_SERVER clusterRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} diff --git a/packages/gcp-resources/cnrm/iam/admin-manages-user-policy.yaml b/packages/gcp-resources/cnrm/iam/admin-manages-user-policy.yaml index d9dc8a0d..9ed21696 100644 
--- a/packages/gcp-resources/cnrm/iam/admin-manages-user-policy.yaml +++ b/packages/gcp-resources/cnrm/iam/admin-manages-user-policy.yaml @@ -1,13 +1,13 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-manages-user # {"$kpt-set":"name-admin-manages-user"} + name: KUBEFLOW-NAME-admin-manages-user # {"$kpt-set":"name-admin-manages-user"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} # "roles/serviceAccountAdmin" grants kf-admin service account permission to # manage workload identity binding policies for kf-user service account. role: roles/iam.serviceAccountAdmin resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-user # {"$kpt-set":"user-sa-name"} + name: KUBEFLOW-NAME-user # {"$kpt-set":"user-sa-name"} diff --git a/packages/gcp-resources/cnrm/iam/kf-admin-policy.yaml b/packages/gcp-resources/cnrm/iam/kf-admin-policy.yaml index 71ca4fbd..1e71cf44 100644 --- a/packages/gcp-resources/cnrm/iam/kf-admin-policy.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-admin-policy.yaml 
@@ -1,167 +1,167 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-source # {"$kpt-set":"admin-source-iam"} + name: KUBEFLOW-NAME-admin-source # {"$kpt-set":"admin-source-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/source.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-servicemanagement # {"$kpt-set":"admin-servicemanagement-iam"} + name: KUBEFLOW-NAME-admin-servicemanagement # {"$kpt-set":"admin-servicemanagement-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/servicemanagement.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-network # {"$kpt-set":"admin-network-iam"} + name: KUBEFLOW-NAME-admin-network # {"$kpt-set":"admin-network-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/compute.networkAdmin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id 
# {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-cloudbuild # {"$kpt-set":"admin-cloudbuild-iam"} + name: KUBEFLOW-NAME-admin-cloudbuild # {"$kpt-set":"admin-cloudbuild-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/cloudbuild.builds.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-viewer # {"$kpt-set":"admin-viewer-iam"} + name: KUBEFLOW-NAME-admin-viewer # {"$kpt-set":"admin-viewer-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-storage # {"$kpt-set":"admin-storage-iam"} + name: KUBEFLOW-NAME-admin-storage # {"$kpt-set":"admin-storage-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/storage.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - 
external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-bigquery # {"$kpt-set":"admin-bigquery-iam"} + name: KUBEFLOW-NAME-admin-bigquery # {"$kpt-set":"admin-bigquery-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/bigquery.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-dataflow # {"$kpt-set":"admin-dataflow-iam"} + name: KUBEFLOW-NAME-admin-dataflow # {"$kpt-set":"admin-dataflow-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/dataflow.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-ml # {"$kpt-set":"admin-ml-iam"} + name: KUBEFLOW-NAME-admin-ml # {"$kpt-set":"admin-ml-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/ml.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - 
external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-dataproc # {"$kpt-set":"admin-dataproc-iam"} + name: KUBEFLOW-NAME-admin-dataproc # {"$kpt-set":"admin-dataproc-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/dataproc.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-cloudsql # {"$kpt-set":"admin-cloudsql-iam"} + name: KUBEFLOW-NAME-admin-cloudsql # {"$kpt-set":"admin-cloudsql-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/cloudsql.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-logging # {"$kpt-set":"admin-logging-iam"} + name: KUBEFLOW-NAME-admin-logging # {"$kpt-set":"admin-logging-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/logging.logWriter resourceRef: apiVersion: 
resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-metricwriter # {"$kpt-set":"admin-metricwriter-iam"} + name: KUBEFLOW-NAME-admin-metricwriter # {"$kpt-set":"admin-metricwriter-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-monitoringviewer # {"$kpt-set":"admin-monitoringviewer-iam"} + name: KUBEFLOW-NAME-admin-monitoringviewer # {"$kpt-set":"admin-monitoringviewer-iam"} spec: - member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} + member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"admin-service-account"} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} diff --git a/packages/gcp-resources/cnrm/iam/kf-admin-sa.yaml b/packages/gcp-resources/cnrm/iam/kf-admin-sa.yaml index def100bf..95933dfa 100644 --- a/packages/gcp-resources/cnrm/iam/kf-admin-sa.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-admin-sa.yaml 
@@ -15,6 +15,6 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: name-admin # {"$kpt-set":"admin-sa-name"} + name: KUBEFLOW-NAME-admin # {"$kpt-set":"admin-sa-name"} spec: displayName: kubeflow admin service account diff --git a/packages/gcp-resources/cnrm/iam/kf-admin-workload-identity-bindings.yaml b/packages/gcp-resources/cnrm/iam/kf-admin-workload-identity-bindings.yaml index c9855a67..35a5b345 100644 --- a/packages/gcp-resources/cnrm/iam/kf-admin-workload-identity-bindings.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-admin-workload-identity-bindings.yaml 
@@ -1,36 +1,36 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-workload-identity-user # {"$kpt-set":"name-admin-wi"} + name: KUBEFLOW-NAME-admin-workload-identity-user # {"$kpt-set":"name-admin-wi"} spec: - member: serviceAccount:project-id.svc.id.goog[kubeflow/profiles-controller-service-account] # {"$kpt-set":"admin-profiles-sa-wi"} + member: serviceAccount:PROJECT.svc.id.goog[kubeflow/profiles-controller-service-account] # {"$kpt-set":"admin-profiles-sa-wi"} role: roles/iam.workloadIdentityUser resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-admin # {"$kpt-set":"admin-sa-name"} + name: KUBEFLOW-NAME-admin # {"$kpt-set":"admin-sa-name"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-kubeflow-wi # {"$kpt-set":"name-admin-kubeflow-wi"} + name: KUBEFLOW-NAME-admin-kubeflow-wi # {"$kpt-set":"name-admin-kubeflow-wi"} spec: resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-admin # {"$kpt-set":"admin-sa-name"} - member: serviceAccount:project-id.svc.id.goog[kubeflow/kf-admin] # {"$kpt-set":"iampolicy-member-kfadmin-kubeflow"} + name: KUBEFLOW-NAME-admin # {"$kpt-set":"admin-sa-name"} + member: serviceAccount:PROJECT.svc.id.goog[kubeflow/kf-admin] # {"$kpt-set":"iampolicy-member-kfadmin-kubeflow"} role: roles/iam.workloadIdentityUser --- # kf-admin binding in namespace istio-system apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-admin-istio-wi # {"$kpt-set":"name-admin-istio-wi"} + name: KUBEFLOW-NAME-admin-istio-wi # {"$kpt-set":"name-admin-istio-wi"} spec: resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-admin # {"$kpt-set":"admin-sa-name"} - member: serviceAccount:project-id.svc.id.goog[istio-system/kf-admin] # {"$kpt-set":"iampolicy-member-kfadmin-istio-system"} + name: 
KUBEFLOW-NAME-admin # {"$kpt-set":"admin-sa-name"} + member: serviceAccount:PROJECT.svc.id.goog[istio-system/kf-admin] # {"$kpt-set":"iampolicy-member-kfadmin-istio-system"} role: roles/iam.workloadIdentityUser diff --git a/packages/gcp-resources/cnrm/iam/kf-user-policy.yaml b/packages/gcp-resources/cnrm/iam/kf-user-policy.yaml index 81ea358c..17967da2 100644 --- a/packages/gcp-resources/cnrm/iam/kf-user-policy.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-user-policy.yaml 
@@ -1,143 +1,143 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-cloudbuild # {"$kpt-set":"name-user-cloudbuild"} + name: KUBEFLOW-NAME-user-cloudbuild # {"$kpt-set":"name-user-cloudbuild"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/cloudbuild.builds.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-viewer # {"$kpt-set":"name-user-viewer"} + name: KUBEFLOW-NAME-user-viewer # {"$kpt-set":"name-user-viewer"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-source # {"$kpt-set":"name-user-source"} + name: KUBEFLOW-NAME-user-source # {"$kpt-set":"name-user-source"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/source.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # 
{"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-storage # {"$kpt-set":"name-user-storage"} + name: KUBEFLOW-NAME-user-storage # {"$kpt-set":"name-user-storage"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/storage.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-bigquery # {"$kpt-set":"name-user-bigquery"} + name: KUBEFLOW-NAME-user-bigquery # {"$kpt-set":"name-user-bigquery"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/bigquery.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-dataflow # {"$kpt-set":"name-user-dataflow"} + name: KUBEFLOW-NAME-user-dataflow # {"$kpt-set":"name-user-dataflow"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/dataflow.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: 
projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-ml # {"$kpt-set":"name-user-ml"} + name: KUBEFLOW-NAME-user-ml # {"$kpt-set":"name-user-ml"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/ml.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-dataproc # {"$kpt-set":"name-user-dataproc"} + name: KUBEFLOW-NAME-user-dataproc # {"$kpt-set":"name-user-dataproc"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/dataproc.editor resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-cloudsql # {"$kpt-set":"name-user-cloudsql"} + name: KUBEFLOW-NAME-user-cloudsql # {"$kpt-set":"name-user-cloudsql"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/cloudsql.admin resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # 
{"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-logging # {"$kpt-set":"name-user-logging"} + name: KUBEFLOW-NAME-user-logging # {"$kpt-set":"name-user-logging"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/logging.logWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-metricwriter # {"$kpt-set":"name-user-metricwriter"} + name: KUBEFLOW-NAME-user-metricwriter # {"$kpt-set":"name-user-metricwriter"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/monitoring.metricWriter resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-monitoringviewer # {"$kpt-set":"name-user-monitoringviewer"} + name: KUBEFLOW-NAME-user-monitoringviewer # {"$kpt-set":"name-user-monitoringviewer"} spec: - member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} + member: serviceAccount:KUBEFLOW-NAME-user@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"user-service-account"} role: roles/monitoring.viewer resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project - external: 
projects/project-id # {"$kpt-set":"projects"} + external: projects/PROJECT # {"$kpt-set":"projects"} diff --git a/packages/gcp-resources/cnrm/iam/kf-user-sa.yaml b/packages/gcp-resources/cnrm/iam/kf-user-sa.yaml index 2bfb4db9..f295a968 100644 --- a/packages/gcp-resources/cnrm/iam/kf-user-sa.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-user-sa.yaml @@ -15,6 +15,6 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: name-user # {"$kpt-set":"user-sa-name"} + name: KUBEFLOW-NAME-user # {"$kpt-set":"user-sa-name"} spec: displayName: kubeflow user service account diff --git a/packages/gcp-resources/cnrm/iam/kf-user-workload-identity-bindings.yaml b/packages/gcp-resources/cnrm/iam/kf-user-workload-identity-bindings.yaml index 654a29e5..6bccd542 100644 --- a/packages/gcp-resources/cnrm/iam/kf-user-workload-identity-bindings.yaml +++ b/packages/gcp-resources/cnrm/iam/kf-user-workload-identity-bindings.yaml 
@@ -1,35 +1,35 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-workload-identity-user-ml-pipeline-ui # {"$kpt-set":"user-wi-ml-pipeline-ui"} + name: KUBEFLOW-NAME-user-workload-identity-user-ml-pipeline-ui # {"$kpt-set":"user-wi-ml-pipeline-ui"} spec: - member: serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-ui] # {"$kpt-set":"name-user-workload-identity-user-ml-pipeline-ui-member"} + member: serviceAccount:PROJECT.svc.id.goog[kubeflow/ml-pipeline-ui] # {"$kpt-set":"name-user-workload-identity-user-ml-pipeline-ui-member"} role: roles/iam.workloadIdentityUser resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-user # {"$kpt-set":"user-sa-name"} + name: KUBEFLOW-NAME-user # {"$kpt-set":"user-sa-name"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-workload-identity-user-ml-pipeline-visualizationserver # {"$kpt-set":"user-wi-ml-pipeline-visualizationserver"} + name: KUBEFLOW-NAME-user-workload-identity-user-ml-pipeline-visualizationserver # {"$kpt-set":"user-wi-ml-pipeline-visualizationserver"} spec: - member: serviceAccount:project-id.svc.id.goog[kubeflow/ml-pipeline-visualizationserver] # {"$kpt-set":"name-user-workload-identity-user-ml-pipeline-visualizationserver-member"} + member: serviceAccount:PROJECT.svc.id.goog[kubeflow/ml-pipeline-visualizationserver] # {"$kpt-set":"name-user-workload-identity-user-ml-pipeline-visualizationserver-member"} role: roles/iam.workloadIdentityUser resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-user # {"$kpt-set":"user-sa-name"} + name: KUBEFLOW-NAME-user # {"$kpt-set":"user-sa-name"} --- apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: - name: name-user-workload-identity-user-pipeline-runner # {"$kpt-set":"user-wi-pipeline-runner"} + name: KUBEFLOW-NAME-user-workload-identity-user-pipeline-runner # 
{"$kpt-set":"user-wi-pipeline-runner"} spec: - member: serviceAccount:project-id.svc.id.goog[kubeflow/pipeline-runner] # {"$kpt-set":"name-user-workload-identity-user-pipeline-runner-member"} + member: serviceAccount:PROJECT.svc.id.goog[kubeflow/pipeline-runner] # {"$kpt-set":"name-user-workload-identity-user-pipeline-runner-member"} role: roles/iam.workloadIdentityUser resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount - name: name-user # {"$kpt-set":"user-sa-name"} + name: KUBEFLOW-NAME-user # {"$kpt-set":"user-sa-name"} diff --git a/packages/gcp-resources/cnrm/ingress/compute-address.yaml b/packages/gcp-resources/cnrm/ingress/compute-address.yaml index bc9c89bf..d9ebacc2 100644 --- a/packages/gcp-resources/cnrm/ingress/compute-address.yaml +++ b/packages/gcp-resources/cnrm/ingress/compute-address.yaml @@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeAddress metadata: - name: name-ip # {"$kpt-set":"name-ip"} + name: KUBEFLOW-NAME-ip # {"$kpt-set":"name-ip"} labels: label-one: "value-one" spec: diff --git a/packages/gcp-resources/cnrm/pipelines/disk.yaml b/packages/gcp-resources/cnrm/pipelines/disk.yaml index e9d5be84..0ddb7e91 100644 --- a/packages/gcp-resources/cnrm/pipelines/disk.yaml +++ b/packages/gcp-resources/cnrm/pipelines/disk.yaml 
@@ -1,15 +1,15 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeDisk metadata: - name: name-storage-metadata-store # {"$kpt-set":"name-storage-metadata-store"} + name: KUBEFLOW-NAME-storage-metadata-store # {"$kpt-set":"name-storage-metadata-store"} spec: - location: location # {"$kpt-set":"location"} + location: LOCATION # {"$kpt-set":"location"} size: 20 --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeDisk metadata: - name: name-storage-artifact-store # {"$kpt-set":"name-storage-artifact-store"} + name: KUBEFLOW-NAME-storage-artifact-store # {"$kpt-set":"name-storage-artifact-store"} spec: - location: location # {"$kpt-set":"location"} + location: LOCATION # {"$kpt-set":"location"} size: 200 diff --git a/packages/gcp-resources/management/Kptfile b/packages/gcp-resources/management/Kptfile index 3a7372a2..e65c85f6 100644 --- a/packages/gcp-resources/management/Kptfile +++ b/packages/gcp-resources/management/Kptfile @@ -10,13 +10,13 @@ openAPI: x-k8s-cli: setter: name: location - value: us-east1 + value: LOCATION isSet: true io.k8s.cli.setters.name: x-k8s-cli: setter: name: name - value: NAME + value: KUBEFLOW-NAME isSet: true io.k8s.cli.setters.gcloud.core.project: x-k8s-cli: diff --git a/packages/gcp-resources/management/cluster/cluster.yaml b/packages/gcp-resources/management/cluster/cluster.yaml index b5f79832..341c1001 100644 --- a/packages/gcp-resources/management/cluster/cluster.yaml +++ b/packages/gcp-resources/management/cluster/cluster.yaml @@ -5,7 +5,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # N.B. AnthosCLI doesn't appear to support this annotation yet (anthos CLI 0.2.4) # cnrm.cloud.google.com/remove-default-node-pool: "true" annotations: 
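Review bot: In the packages/gcp-resources/management/Kptfile hunk, `isSet: true` is kept on the `location` and `name` setters even though their values are now the placeholders `LOCATION` and `KUBEFLOW-NAME`, so `kpt cfg list-setters` will report them as user-supplied and nothing distinguishes a placeholder from a real value before apply. The same pattern is in the packages/management/Kptfile hunk (`value: KUBEFLOW-NAME` with `isSet: true`). If the checked-in state is meant to be "not yet configured", the reset should leave `isSet: false`, or, if the kpt version in use supports a required marker on setters, the placeholder setters should carry it so apply fails before any resource is created with a placeholder name; a one-line comment next to the setter, such as `# placeholder; must be replaced with kpt cfg set before apply`, would make the intent explicit either way. This is inferred from the visible setter entries only; the rest of the Kptfile is outside the hunk.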
@@ -13,11 +13,11 @@ metadata: gke.io/cluster: "bootstrap://" spec: # Use a regional cluster. Regional offer higher availability and the cluster management fee is the same. - location: location # {"$kpt-set":"location"} + location: LOCATION # {"$kpt-set":"location"} initialNodeCount: 3 # See https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#sharing_identities_across_clusters # Currently there is only one pool per project workloadIdentityConfig: - identityNamespace: project-id.svc.id.goog # {"$kpt-set":"wi-pool"} + identityNamespace: PROJECT.svc.id.goog # {"$kpt-set":"wi-pool"} releaseChannel: channel: REGULAR diff --git a/packages/gcp-resources/management/cluster/nodepool.yaml b/packages/gcp-resources/management/cluster/nodepool.yaml index cfe7eb62..12352e3b 100644 --- a/packages/gcp-resources/management/cluster/nodepool.yaml +++ b/packages/gcp-resources/management/cluster/nodepool.yaml @@ -3,7 +3,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerNodePool metadata: clusterName: "mgmt-project-id/mgmt-location/mgmt-name" # {"$kpt-set":"mgmt-cluster-name"} - name: NAME-pool # {"$kpt-set":"pool"} + name: KUBEFLOW-NAME-pool # {"$kpt-set":"pool"} annotations: # Annotation required by anthoscli gke.io/cluster: "bootstrap://" @@ -29,4 +29,4 @@ spec: autoRepair: true autoUpgrade: true clusterRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} diff --git a/packages/gcp-resources/management/cnrm-install/iam/iam.yaml b/packages/gcp-resources/management/cnrm-install/iam/iam.yaml index 337f42ff..84bea74e 100644 --- a/packages/gcp-resources/management/cnrm-install/iam/iam.yaml +++ b/packages/gcp-resources/management/cnrm-install/iam/iam.yaml @@ -1,7 +1,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: KUBEFLOW-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} spec: displayName: Service account for CNRM --- 
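Review bot: In the packages/gcp-resources/management/cluster/nodepool.yaml hunk, `clusterName: "mgmt-project-id/mgmt-location/mgmt-name"` keeps the old lowercase placeholder style while the adjacent `name:` line moves to `KUBEFLOW-NAME-pool`. Unlike the uppercase placeholders, `mgmt-project-id` and friends look like valid resource identifiers, so an unset `mgmt-cluster-name` setter would not be rejected by name validation and the pool could be submitted against a non-existent cluster. Suggest aligning it with the new convention, e.g. `clusterName: "MGMT-PROJECT/MGMT-LOCATION/MGMT-NAME" # {"$kpt-set":"mgmt-cluster-name"}` (placeholder text constructed here), and updating whatever Kptfile or reset target produces that value, which is not visible in this diff.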
@@ -12,12 +12,12 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicy metadata: - name: NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} + name: KUBEFLOW-NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} spec: resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1alpha1 kind: IAMServiceAccount - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: KUBEFLOW-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/packages/gcp-resources/management/cnrm-install/install-system/0-cnrm-system.yaml b/packages/gcp-resources/management/cnrm-install/install-system/0-cnrm-system.yaml index 2ed6b854..1dfc4886 100644 --- a/packages/gcp-resources/management/cnrm-install/install-system/0-cnrm-system.yaml +++ b/packages/gcp-resources/management/cnrm-install/install-system/0-cnrm-system.yaml @@ -26,7 +26,7 @@ kind: ServiceAccount metadata: annotations: cnrm.cloud.google.com/version: 1.27.2 - iam.gke.io/gcp-service-account: NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"} + iam.gke.io/gcp-service-account: KUBEFLOW-NAME-cnrm-system@PROJECT.iam.gserviceaccount.com # {"$kpt-set":"cnrm-system"} labels: cnrm.cloud.google.com/system: "true" name: cnrm-controller-manager diff --git a/packages/gcp-resources/privateGKE/cluster-private-patch.yaml b/packages/gcp-resources/privateGKE/cluster-private-patch.yaml index 0c9252f1..94b7e112 100644 --- a/packages/gcp-resources/privateGKE/cluster-private-patch.yaml +++ b/packages/gcp-resources/privateGKE/cluster-private-patch.yaml @@ -2,8 +2,8 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: - clusterName: "project-id/location/name" # {"$kpt-set":"asm-cluster-name"} - name: name # {"$kpt-set":"name"} + clusterName: "PROJECT/LOCATION/KUBEFLOW-NAME" # {"$kpt-set":"asm-cluster-name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: nodeLocations: # {"$kpt-set":"node-locations"} - "ZONE" 
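Review bot: packages/gcp-resources/management/cnrm-install/iam/iam.yaml and packages/management/cnrm-install/iam/iam.yaml carry identical index hashes (337f42ff..84bea74e) and identical hunks, so this commit is patching the same service-account and IAMPolicy definition in two places; these copies will drift, and the IAM bindings for the CNRM service account are exactly the kind of file where silent divergence matters. Consider a single source (a shared kpt package or kustomize base) referenced from both trees, or at minimum a comment at the top of each copy naming the other, e.g. `# Keep in sync with packages/management/cnrm-install/iam/iam.yaml`. Separately, within this hunk the IAMPolicy's `resourceRef.apiVersion: iam.cnrm.cloud.google.com/v1alpha1` refers to an IAMServiceAccount that the file declares as `v1beta1` in the previous hunk; the two should probably agree, though whether CNRM accepts the mismatch cannot be determined from the diff. The `bindings:` members list continues outside the hunk.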
@@ -37,6 +37,6 @@ spec: networkingMode: VPC_NATIVE # Create the cluster in the private network we created. networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} subnetworkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} diff --git a/packages/gcp-resources/privateGKE/compute-network.yaml b/packages/gcp-resources/privateGKE/compute-network.yaml index 5b8eeb3e..c320f90d 100644 --- a/packages/gcp-resources/privateGKE/compute-network.yaml +++ b/packages/gcp-resources/privateGKE/compute-network.yaml @@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeNetwork metadata: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: routingMode: GLOBAL autoCreateSubnetworks: false @@ -10,14 +10,14 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: ipCidrRange: 10.10.10.0/24 region: REGION # {"$kpt-set":"gcloud.compute.region"} description: kubeflow private subnet privateIpGoogleAccess: true networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} logConfig: aggregationInterval: INTERVAL_10_MIN flowSampling: 0.5 @@ -31,11 +31,11 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRoute metadata: - name: name-google-apis # {"$kpt-set":"name-google-apis"} + name: KUBEFLOW-NAME-google-apis # {"$kpt-set":"name-google-apis"} spec: destRange: 199.36.153.4/30 networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} nextHopGateway: default-internet-gateway priority: 1000 --- 
@@ -46,12 +46,12 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRoute metadata: - name: name-internet # {"$kpt-set":"name-internet"} + name: KUBEFLOW-NAME-internet # {"$kpt-set":"name-internet"} spec: description: "internet-route for IAP JWKS" destRange: 0.0.0.0/0 networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Important this must be higher priority then the Google APIs route # because otherwise we will end up trying to route calls to google APIs over public internet and we will have problems. priority: 1100 diff --git a/packages/gcp-resources/privateGKE/dns-gcr.yaml b/packages/gcp-resources/privateGKE/dns-gcr.yaml index 3b82c17e..7e95c00b 100644 --- a/packages/gcp-resources/privateGKE/dns-gcr.yaml +++ b/packages/gcp-resources/privateGKE/dns-gcr.yaml @@ -1,7 +1,7 @@ apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSManagedZone metadata: - name: name-gcr # {"$kpt-set":"name-gcr"} + name: KUBEFLOW-NAME-gcr # {"$kpt-set":"name-gcr"} spec: description: "private zone for GCR.io" dnsName: "gcr.io." @@ -9,31 +9,31 @@ spec: privateVisibilityConfig: networks: - networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet metadata: - name: name-gcr-cname # {"$kpt-set":"name-gcr-cname"} + name: KUBEFLOW-NAME-gcr-cname # {"$kpt-set":"name-gcr-cname"} spec: name: "*.gcr.io." type: "CNAME" ttl: 300 managedZoneRef: - name: name-gcr # {"$kpt-set":"name-gcr"} + name: KUBEFLOW-NAME-gcr # {"$kpt-set":"name-gcr"} rrdatas: - "gcr.io." --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet metadata: - name: name-gcr-a # {"$kpt-set":"name-gcr-a"} + name: KUBEFLOW-NAME-gcr-a # {"$kpt-set":"name-gcr-a"} spec: name: "gcr.io." type: "A" ttl: 300 managedZoneRef: - name: name-gcr # {"$kpt-set":"name-gcr"} + name: KUBEFLOW-NAME-gcr # {"$kpt-set":"name-gcr"} rrdatas: - "199.36.153.4" - "199.36.153.5" 
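Review bot: In the packages/gcp-resources/privateGKE/compute-network.yaml hunk for the `KUBEFLOW-NAME-internet` route, the retained comment "this must be higher priority then the Google APIs route" contradicts the numbers next to it: GCP treats a smaller priority value as higher priority, so `priority: 1100` makes the internet route lower priority than the `1000` Google APIs route, and in any case the `199.36.153.4/30` route wins on longest-prefix match before priority is consulted. The comment is unchanged by this hunk but sits on the line after the renamed `networkRef`, and as written it invites someone to "fix" the value in the wrong direction. Suggest replacing the two comment lines with `# Keep this priority value larger (i.e. lower priority) than the Google APIs route; the /30 route also wins on prefix length, so API traffic never falls through to the public internet.` and fixing "then" to "than".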
diff --git a/packages/gcp-resources/privateGKE/dns-google-apis.yaml b/packages/gcp-resources/privateGKE/dns-google-apis.yaml index 85c77e75..42030d78 100644 --- a/packages/gcp-resources/privateGKE/dns-google-apis.yaml +++ b/packages/gcp-resources/privateGKE/dns-google-apis.yaml @@ -1,7 +1,7 @@ apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSManagedZone metadata: - name: name-goog-apis # {"$kpt-set":"name-goog-apis"} + name: KUBEFLOW-NAME-goog-apis # {"$kpt-set":"name-goog-apis"} spec: description: "private zone for Google APIs" dnsName: "googleapis.com." @@ -9,31 +9,31 @@ spec: privateVisibilityConfig: networks: - networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet metadata: - name: name-goog-cname # {"$kpt-set":"name-goog-cname"} + name: KUBEFLOW-NAME-goog-cname # {"$kpt-set":"name-goog-cname"} spec: name: "*.googleapis.com." type: "CNAME" ttl: 300 managedZoneRef: - name: name-goog-apis # {"$kpt-set":"name-goog-apis"} + name: KUBEFLOW-NAME-goog-apis # {"$kpt-set":"name-goog-apis"} rrdatas: - "restricted.googleapis.com." --- apiVersion: dns.cnrm.cloud.google.com/v1beta1 kind: DNSRecordSet metadata: - name: name-goog-a # {"$kpt-set":"name-goog-a"} + name: KUBEFLOW-NAME-goog-a # {"$kpt-set":"name-goog-a"} spec: name: "restricted.googleapis.com." type: "A" ttl: 300 managedZoneRef: - name: name-goog-apis # {"$kpt-set":"name-goog-apis"} + name: KUBEFLOW-NAME-goog-apis # {"$kpt-set":"name-goog-apis"} rrdatas: - "199.36.153.4" - "199.36.153.5" diff --git a/packages/gcp-resources/privateGKE/firewall.yaml b/packages/gcp-resources/privateGKE/firewall.yaml index e2c41c86..8f783db2 100644 --- a/packages/gcp-resources/privateGKE/firewall.yaml +++ b/packages/gcp-resources/privateGKE/firewall.yaml 
@@ -1,7 +1,7 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-deny-egress # {"$kpt-set":"name-deny-egress"} + name: KUBEFLOW-NAME-deny-egress # {"$kpt-set":"name-deny-egress"} spec: description: "Deny all internet traffic by default" deny: @@ -13,14 +13,14 @@ spec: direction: EGRESS priority: 1100 networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-health-ingress # {"$kpt-set":"name-health-ingress"} + name: KUBEFLOW-NAME-health-ingress # {"$kpt-set":"name-health-ingress"} spec: description: "Allow health check ingress" allow: @@ -35,14 +35,14 @@ spec: - 35.191.0.0/16 direction: INGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-health-egress # {"$kpt-set":"name-health-egress"} + name: KUBEFLOW-NAME-health-egress # {"$kpt-set":"name-health-egress"} spec: description: "Allow health check egress" allow: @@ -57,14 +57,14 @@ spec: - 35.191.0.0/16 direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-apis-egress # {"$kpt-set":"name-apis-egress"} + name: KUBEFLOW-NAME-apis-egress # {"$kpt-set":"name-apis-egress"} spec: description: "Allow egress to google APIs" allow: 
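Review bot: In the packages/gcp-resources/privateGKE/firewall.yaml hunk at `@@ -13,14 +13,14 @@`, the comment `# Enable logging to help debugging` sits directly above `enableLogging: false # {"$kpt-set":"log-firewalls"}`, so it reads as if logging is on when the shipped default is off; the same pair repeats in every firewall hunk in this file, including the `deny-egress` rule, whose denied flows are therefore not recorded unless the setter is flipped. Suggest rewording each occurrence to `# Firewall logging is off by default; set the log-firewalls setter to true to record matched flows (e.g. denied egress) when debugging.` so the default and the knob are both stated on the line that controls them.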
@@ -75,14 +75,14 @@ spec: - 199.36.153.4/30 direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-master-egress # {"$kpt-set":"name-master-egress"} + name: KUBEFLOW-NAME-master-egress # {"$kpt-set":"name-master-egress"} spec: description: "Allow master node egress" allow: @@ -99,14 +99,14 @@ spec: direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-int-egress # {"$kpt-set":"name-int-egress"} + name: KUBEFLOW-NAME-int-egress # {"$kpt-set":"name-int-egress"} spec: description: "Allow traffic to internal ips" allow: @@ -119,7 +119,7 @@ spec: - 192.168.0.0/16 direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- @@ -129,7 +129,7 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-istio # {"$kpt-set":"name-istio"} + name: KUBEFLOW-NAME-istio # {"$kpt-set":"name-istio"} spec: description: "Allow traffic to ISTIO webhook" allow: @@ -142,7 +142,7 @@ spec: - 172.16.0.32/28 # {"$kpt-set":"master-ip-cidr-block"} direction: INGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- 
@@ -151,7 +151,7 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-cm # {"$kpt-set":"name-cm"} + name: KUBEFLOW-NAME-cm # {"$kpt-set":"name-cm"} spec: description: "Allow traffic to cert manager webhook" allow: @@ -163,7 +163,7 @@ spec: - 172.16.0.32/28 # {"$kpt-set":"master-ip-cidr-block"} direction: INGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- @@ -176,7 +176,7 @@ spec: apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-dockerhub # {"$kpt-set":"name-dockerhub"} + name: KUBEFLOW-NAME-dockerhub # {"$kpt-set":"name-dockerhub"} spec: description: "Allow egress to dockerhub and quay.io" allow: @@ -219,14 +219,14 @@ spec: - "13.35.101.104" direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: - name: name-iap-jwks # {"$kpt-set":"name-iap-jwks"} + name: KUBEFLOW-NAME-iap-jwks # {"$kpt-set":"name-iap-jwks"} spec: description: "Allow traffic to www.gstatic.com to get IAP JWKs" allow: @@ -250,6 +250,6 @@ spec: - "23.202.231.169" direction: EGRESS networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} # Enable logging to help debugging enableLogging: false # {"$kpt-set":"log-firewalls"} diff --git a/packages/gcp-resources/privateGKE/kustomize-fns/image_prefix.yaml b/packages/gcp-resources/privateGKE/kustomize-fns/image_prefix.yaml index 0ea27270..bf655eaf 100644 --- a/packages/gcp-resources/privateGKE/kustomize-fns/image_prefix.yaml +++ b/packages/gcp-resources/privateGKE/kustomize-fns/image_prefix.yaml 
@@ -10,8 +10,8 @@ metadata: spec: imageMappings: - src: quay.io/jetstack - dest: gcr.io/project-id/mirror/quay.io/jetstack # {"$kpt-set":"image-mirror-quay-io-jetstack"} + dest: gcr.io/PROJECT/mirror/quay.io/jetstack # {"$kpt-set":"image-mirror-quay-io-jetstack"} - src: gcr.io/kubeflow-images-public - dest: gcr.io/project-id/mirror/gcr.io/kubeflow-images-public # {"$kpt-set":"image-mirror-kubeflow-images-public"} + dest: gcr.io/PROJECT/mirror/gcr.io/kubeflow-images-public # {"$kpt-set":"image-mirror-kubeflow-images-public"} - src: metacontroller - dest: gcr.io/project-id/mirror/metacontroller # {"$kpt-set":"image-mirror-metacontroller"} + dest: gcr.io/PROJECT/mirror/metacontroller # {"$kpt-set":"image-mirror-metacontroller"} diff --git a/packages/gcp-resources/privateGKE/nat.yaml b/packages/gcp-resources/privateGKE/nat.yaml index 06c1a780..bb8efefa 100644 --- a/packages/gcp-resources/privateGKE/nat.yaml +++ b/packages/gcp-resources/privateGKE/nat.yaml @@ -1,20 +1,20 @@ apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRouter metadata: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: description: Router to allow outbound internet access region: REGION # {"$kpt-set":"gcloud.compute.region"} networkRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} --- apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeRouterNAT metadata: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} spec: region: REGION # {"$kpt-set":"gcloud.compute.region"} routerRef: - name: name # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} natIpAllocateOption: AUTO_ONLY sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES diff --git a/packages/management/Kptfile b/packages/management/Kptfile index 37ff926a..6f13a124 100644 --- a/packages/management/Kptfile +++ b/packages/management/Kptfile 
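Review bot: In the packages/gcp-resources/privateGKE/nat.yaml hunk, the ComputeRouterNAT keeps `sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES` with `natIpAllocateOption: AUTO_ONLY`, which, together with the `0.0.0.0/0` route in compute-network.yaml, gives every subnet on the `KUBEFLOW-NAME` network a path to the internet; as far as this diff shows, the "deny all internet traffic by default" posture then rests entirely on the `deny-egress` firewall rule and its priority relative to the allow rules. That dependency is not stated anywhere in the file. Suggest a comment above `sourceSubnetworkIpRangesToNat`, e.g. `# NAT covers all subnets on this network; outbound reachability is restricted only by the firewall rules in firewall.yaml (deny-egress at priority 1100).`, so a later change to the firewall set is reviewed with this in mind.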
@@ -16,7 +16,7 @@ openAPI: x-k8s-cli: setter: name: name - value: NAME + value: KUBEFLOW-NAME isSet: true io.k8s.cli.setters.gcloud.core.project: x-k8s-cli: diff --git a/packages/management/cluster/cluster.yaml b/packages/management/cluster/cluster.yaml index 08906bb1..3cee5dff 100644 --- a/packages/management/cluster/cluster.yaml +++ b/packages/management/cluster/cluster.yaml @@ -5,7 +5,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: - name: NAME # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} annotations: # We are defining the nodepool in nodepool.yaml cnrm.cloud.google.com/remove-default-node-pool: "true" diff --git a/packages/management/cluster/nodepool.yaml b/packages/management/cluster/nodepool.yaml index 4f410db7..8872202b 100644 --- a/packages/management/cluster/nodepool.yaml +++ b/packages/management/cluster/nodepool.yaml @@ -2,7 +2,7 @@ apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerNodePool metadata: - name: NAME-pool # {"$kpt-set":"pool"} + name: KUBEFLOW-NAME-pool # {"$kpt-set":"pool"} spec: autoscaling: minNodeCount: 1 @@ -25,4 +25,4 @@ spec: autoRepair: true autoUpgrade: true clusterRef: - name: NAME # {"$kpt-set":"name"} + name: KUBEFLOW-NAME # {"$kpt-set":"name"} diff --git a/packages/management/cnrm-install/iam/iam.yaml b/packages/management/cnrm-install/iam/iam.yaml index 337f42ff..84bea74e 100644 --- a/packages/management/cnrm-install/iam/iam.yaml +++ b/packages/management/cnrm-install/iam/iam.yaml @@ -1,7 +1,7 @@ apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: KUBEFLOW-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} spec: displayName: Service account for CNRM --- 
@@ -12,12 +12,12 @@ spec: apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicy metadata: - name: NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} + name: KUBEFLOW-NAME-cnrm-system-wi # {"$kpt-set":"cnrm-system-wi"} spec: resourceRef: apiVersion: iam.cnrm.cloud.google.com/v1alpha1 kind: IAMServiceAccount - name: NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} + name: KUBEFLOW-NAME-cnrm-system # {"$kpt-set":"cnrm-system-sa"} bindings: - role: roles/iam.workloadIdentityUser members: diff --git a/packages/management/cnrm-install/install-system/configconnector-instance.yaml b/packages/management/cnrm-install/install-system/configconnector-instance.yaml index 311d7436..43337756 100644 --- a/packages/management/cnrm-install/install-system/configconnector-instance.yaml +++ b/packages/management/cnrm-install/install-system/configconnector-instance.yaml @@ -4,4 +4,4 @@ metadata: name: configconnector.core.cnrm.cloud.google.com spec: mode: cluster - googleServiceAccount: "NAME-cnrm-system@PROJECT.iam.gserviceaccount.com" # {"$kpt-set":"cnrm-system"} + googleServiceAccount: "KUBEFLOW-NAME-cnrm-system@PROJECT.iam.gserviceaccount.com" # {"$kpt-set":"cnrm-system"}