Management blueprint; add kptfile and use workload identity mode for …

…CNRM * management/instance needs a Kptfile to work with the latest versions of kpt * Per GoogleCloudPlatform#13 we don't want to run CNRM in namespace mode because this burdensome instead we use workload identity mode; i.e. the same GCP sa to administer multiple projects. Related to GoogleCloudPlatform#13 - Use workload identity mode Related to GoogleCloudPlatform#102 Fix blueprint * Remove cluster and nodepool patches from instance; we aren't actually patching anything.
jlewi · Aug 12, 2020 · dc8c0f2 · dc8c0f2
1 parent e2aabb7
commit dc8c0f2
Show file tree

Hide file tree

Showing 15 changed files with 152 additions and 264 deletions.
diff --git a/management/Makefile b/management/Makefile
@@ -5,15 +5,30 @@ NAME=$(shell yq r ./instance/settings.yaml name)
 MGMTCTXT=$(NAME)
 
 # The URL you want to fetch manifests from
-# TODO(jlewi): Change to kubeflow/gcp-blueprints once its checked in
-MANIFESTS_URL=https://github.com/jlewi/manifests.git/gcp/v2/management@blueprints
+MANIFESTS_URL=https://github.com/kubeflow/manifests.git/gcp/v2/management@master
 
 PROJECT=$(shell yq r ./instance/settings.yaml project)
 
 # Directory where manifests should be fetched to
 MANIFESTS_DIR=./upstream/management
 
 INSTANCE_DIR=./instance
+
+
+#***********************************************************************************************************************
+# Edit this section to set the values specific to your deployment
+
+.PHONY: set-values
+set-values:
+	set-values:	
+	kpt cfg set ./instance name <NAME>
+	kpt cfg set ./instance location <ZONE_OR_REGION>
+	kpt cfg set ./instance gcloud.core.project <PROJECT_TO_DEPLOY_IN>
+
+	kpt cfg set ./upstream/management name <NAME>
+	kpt cfg set ./upstream/management location <ZONE_OR_REGION>
+	kpt cfg set ./upstream/management gcloud.core.project <PROJECT_TO_DEPLOY_IN>
+
 # Print out the context
 .PHONY: echo
 echo-ctxt:
@@ -52,11 +67,26 @@ create-ctxt:
 
 .PHONY: hydrate-kcc
 hydrate-kcc:
-	rm -rf ./.build/cnrm-install-system	
-	mkdir -p ./.build/cnrm-install-system	
+	rm -rf ./.build/cnrm-install-system
+	rm -rf ./.build/cnrm-install-services
+	rm -rf ./.build/cnrm-install-iam
+	mkdir -p ./.build/cnrm-install-system
+	mkdir -p ./.build/cnrm-install-services
+	mkdir -p ./.build/cnrm-install-iam	
 	kustomize build -o ./.build/cnrm-install-system $(INSTANCE_DIR)/cnrm-install-system
+	kustomize build -o ./.build/cnrm-install-services $(INSTANCE_DIR)/cnrm-install-services
+	kustomize build -o ./.build/cnrm-install-iam $(INSTANCE_DIR)/cnrm-install-iam
 
 .PHONY: apply-kcc
 apply-kcc: hydrate-kcc
+	anthoscli apply -f .build/cnrm-install-services
+	anthoscli apply -f .build/cnrm-install-iam
 	kubectl --context=$(MGMTCTXT) apply -f .build/cnrm-install-system/~g_v1_namespace_cnrm-system.yaml
-	kubectl --context=$(MGMTCTXT) apply -f .build/cnrm-install-system
+	kubectl --context=$(MGMTCTXT) apply -f .build/cnrm-install-system
+
+# Update the upstream packages
+.PHONE: update
+update:
+	rm -rf upstream
+	make get-pkg
+	make set-values	
diff --git a/management/instance/Kptfile b/management/instance/Kptfile
@@ -0,0 +1,68 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+  name: .
+packageMetadata:
+  shortDescription: Blueprint instance.
+openAPI:
+  definitions:
+    io.k8s.cli.setters.gcloud.core.project:
+      x-k8s-cli:
+        setter:
+          name: gcloud.core.project
+          value: YOUR-PROJECT
+          isSet: true
+    io.k8s.cli.setters.name:
+      x-k8s-cli:
+        setter:
+          name: name
+          value: YOUR-NAME
+          isSet: true
+    io.k8s.cli.setters.location:
+      x-k8s-cli:
+        setter:
+          name: location
+          value: us-central1
+    io.k8s.cli.substitutions.cluster-name:
+      x-k8s-cli:
+        substitution:
+          name: cluster-name
+          pattern: ${gcloud.core.project}/${location}/${name}
+          values:
+          - marker: ${gcloud.core.project}
+            ref: '#/definitions/io.k8s.cli.setters.gcloud.core.project'
+          - marker: ${location}
+            ref: '#/definitions/io.k8s.cli.setters.location'
+          - marker: ${name}
+            ref: '#/definitions/io.k8s.cli.setters.name'
+    io.k8s.cli.substitutions.node-pool-name:
+      x-k8s-cli:
+        substitution:
+          name: node-pool-name
+          pattern: ${name}-pool
+          values:
+          - marker: ${name}
+            ref: '#/definitions/io.k8s.cli.setters.name'
+    io.k8s.cli.substitutions.managed-project-owner-member:
+      x-k8s-cli:
+        substitution:
+          name: managed-project-owner-member
+          pattern: serviceAccount:${name}-cnrm-system@${gcloud.core.project}.iam.gserviceaccount.com
+          values:
+          - marker: ${name}
+            ref: '#/definitions/io.k8s.cli.setters.name'
+          - marker: ${gcloud.core.project}
+            ref: '#/definitions/io.k8s.cli.setters.gcloud.core.project'
+    io.k8s.cli.setters.managed-project:
+      x-k8s-cli:
+        setter:
+          name: managed-project
+          value: MANAGED_PROJECT
+    io.k8s.cli.substitutions.managed-project-ref:
+      x-k8s-cli:
+        substitution:
+          name: managed-project-ref
+          pattern: projects/${managed-project}
+          values:
+          - marker: ${managed-project}
+            ref: '#/definitions/io.k8s.cli.setters.managed-project'
diff --git a/management/instance/README.md b/management/instance/README.md
@@ -0,0 +1,17 @@
+.
+==================================================
+
+# NAME
+
+  .
+
+# SYNOPSIS
+
+  kubectl apply --recursive -f .
+
+# Description
+
+Blueprint instance.
+
+# SEE ALSO
+
diff --git a/management/instance/cluster/cluster.yaml b/management/instance/cluster/cluster.yaml
diff --git a/management/instance/cluster/kustomization.yaml b/management/instance/cluster/kustomization.yaml
@@ -1,8 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: HOST_PROJECT # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"HOST_PROJECT"}}}
+namespace: HOST_PROJECT # {"$kpt-set":"gcloud.core.project"}
 resources:
 - ../../upstream/management/cluster
-patchesStrategicMerge:
-- cluster.yaml
-- nodepool.yaml
diff --git a/management/instance/cluster/nodepool.yaml b/management/instance/cluster/nodepool.yaml
diff --git a/management/instance/cnrm-install-iam/kustomization.yaml b/management/instance/cnrm-install-iam/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: HOST_PROJECT # {"$kpt-set":"gcloud.core.project"}
+resources:
+- ../../upstream/management/cnrm-install/iam
diff --git a/management/instance/cnrm-install-per-namespace/README.md b/management/instance/cnrm-install-per-namespace/README.md
diff --git a/management/instance/cnrm-install-per-namespace/namespace.yaml b/management/instance/cnrm-install-per-namespace/namespace.yaml
diff --git a/management/instance/cnrm-install-per-namespace/per-namespace-components.yaml b/management/instance/cnrm-install-per-namespace/per-namespace-components.yaml