from justinsb/kpt-samples

yuwenma · yuwenma · commit 32602a8ba613 · 2022-08-29T16:26:44.000-07:00
diff --git a/infra/environment/Kptfile b/infra/environment/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: environment
+  annotations:
+    config.kubernetes.io/local-config: "true"
+info:
+  description: environment
+pipeline:
+  mutators:
+    - image: set-name-prefix
+    - image: generator-configconnectorcontext
+    - image: bind-gcp-resources
diff --git a/infra/environment/README.md b/infra/environment/README.md
@@ -0,0 +1 @@
+# environment
diff --git a/infra/environment/folder.yaml b/infra/environment/folder.yaml
@@ -0,0 +1,10 @@
+# Create an environment folder to hold the new project.
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+  name: environments
+  namespace: config-control
+spec:
+  displayName: environments
+  folderRef:
+    name: root
diff --git a/infra/environment/kcc.yaml b/infra/environment/kcc.yaml
@@ -0,0 +1,105 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: packagename
+  annotations:
+    cnrm.cloud.google.com/project-id: googleprojectid
+
+---
+
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnectorContext
+metadata:
+  name: configconnectorcontext.core.cnrm.cloud.google.com
+  namespace: packagename
+spec:
+  googleServiceAccount: cc-robot@googleprojectid.iam.gserviceaccount.com
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cnrm-controller-manager-packagename
+  namespace: cnrm-system
+  annotations:
+    config.kubernetes.io/local-config: generated
+  ownerReferences:
+  - apiVersion: core.cnrm.cloud.google.com/v1beta1
+    kind: ConfigConnectorContext
+    name: configconnectorcontext.core.cnrm.cloud.google.com
+    namespace: packagename
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+  name: packagename-cc-robot
+  namespace: config-control
+  annotations:
+    cnrm.cloud.google.com/project-id: googleprojectid
+spec:
+  displayName: ConfigConnector ServiceAccount
+  resourceID: cc-robot
+
+---
+
+apiVersion: porch.kpt.dev/v1alpha1
+kind: WorkloadIdentityBinding
+metadata:
+  name: packagename-cnrm-controller-manager
+  namespace: config-control
+spec:
+  resourceRef:
+    apiVersion: iam.cnrm.cloud.google.com/v1beta1
+    kind: IAMServiceAccount
+    name: packagename-cc-robot
+  serviceAccountRef:
+    name: cnrm-controller-manager-packagename
+    namespace: cnrm-system
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: packagename-cc-robot
+  namespace: config-control
+spec:
+  memberFrom:
+    serviceAccountRef:
+      name: packagename-cc-robot
+  role: roles/owner
+  resourceRef:
+    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+    kind: Project
+    name: packagename
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "packagename-cnrm:cnrm-viewer"
+  namespace: config-control
+subjects:
+- kind: ServiceAccount
+  namespace: cnrm-system
+  name: cnrm-controller-manager-packagename
+roleRef:
+  kind: ClusterRole
+  name: cnrm-viewer
+  apiGroup: rbac.authorization.k8s.io
diff --git a/infra/environment/project.yaml b/infra/environment/project.yaml
@@ -0,0 +1,58 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+  name: packagename
+  namespace: config-control
+spec:
+  displayName: packagename
+  folderRef:
+    name: environments
+    namepace: environments-ns
+
+---
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Project
+metadata:
+  name: packagename
+  namespace: config-control
+spec:
+  name: packagename
+  folderRef:
+    name: environments
+  billingAccountRef:
+    #name: default
+    # TODO: Is there a BillingAccount ref?
+    external: 016C6E-5D5038-702920
+  resourceID: googleprojectid
+
+
+---
+
+# We need to enable some services so we can enable other services
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+  annotations:
+    cnrm.cloud.google.com/deletion-policy: "abandon"
+  name: packagename-serviceusage
+  namespace: config-control
+spec:
+  resourceID: serviceusage.googleapis.com
+  projectRef:
+    name: packagename
diff --git a/infra/environment/rbac.yaml b/infra/environment/rbac.yaml
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPartialPolicy
+metadata:
+  name: packagename-editors
+  namespace: config-control
+spec:
+  # TODO: Replace with group?
+  bindings:
+  - members:
+    - member: user:justinsb@google.com
+    role: roles/editor
+  - members:
+    - member: user:justinsb@google.com
+    role: roles/container.admin
+  resourceRef:
+    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+    kind: Project
+    name: packagename
diff --git a/infra/environment/services.yaml b/infra/environment/services.yaml
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+  annotations:
+    cnrm.cloud.google.com/deletion-policy: "abandon"
+  name: container.googleapis.com
+  namespace: packagename
+
+---
+
+# Needed to grant GCP IAM permissions on projects
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+  annotations:
+    cnrm.cloud.google.com/deletion-policy: "abandon"
+  name: cloudresourcemanager.googleapis.com
+  namespace: packagename
diff --git a/infra/gkecluster/Kptfile b/infra/gkecluster/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: gkecluster
+  annotations:
+    config.kubernetes.io/local-config: "true"
+info:
+  description: sample description
+pipeline:
+  mutators:
+    - image: gcr.io/justinsb-root-20220725/set-name-prefix
+    - image: gcr.io/justinsb-root-20220725/generator-configconnectorcontext
+    - image: gcr.io/justinsb-root-20220725/bind-gcp-resources
diff --git a/infra/gkecluster/README.md b/infra/gkecluster/README.md
@@ -0,0 +1 @@
+# gkecluster
diff --git a/infra/gkecluster/bindings.yaml b/infra/gkecluster/bindings.yaml
@@ -0,0 +1,30 @@
+# # Copyright 2022 Google LLC
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# #      http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: binding
+  annotations:
+    config.kubernetes.io/local-config: "binding"
+
+---
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Project
+metadata:
+  name: binding
+  namespace: config-control
+  annotations:
+    config.kubernetes.io/local-config: "binding"
diff --git a/infra/gkecluster/cluster.yaml b/infra/gkecluster/cluster.yaml
@@ -0,0 +1,49 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+  name: packagename
+  namespace: binding
+  annotations:
+    cnrm.cloud.google.com/remove-default-node-pool: "true"
+    cnrm.cloud.google.com/state-into-spec: absent
+spec:
+  #description: cluster
+  location: us-central1
+  enableAutopilot: false
+  initialNodeCount: 1
+  releaseChannel:
+    channel: REGULAR
+---
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+  name: packagename-default
+  namespace: binding
+spec:
+  location: us-central1
+  autoscaling:
+    minNodeCount: 1
+    maxNodeCount: 3
+  nodeConfig:
+    serviceAccountRef:
+      name: packagename-gke
+  management:
+    autoRepair: true
+    autoUpgrade: true
+  clusterRef:
+    name: packagename
+  resourceID: default
diff --git a/infra/gkecluster/serviceaccount.yaml b/infra/gkecluster/serviceaccount.yaml
@@ -0,0 +1,39 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+  name: packagename-gke
+  namespace: binding
+spec:
+  displayName: ServiceAccount for GKE cluster nodes
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: packagename-gke-owner
+  namespace: binding
+spec:
+  memberFrom:
+    serviceAccountRef:
+      name: packagename-gke
+  role: roles/owner
+  resourceRef:
+    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+    kind: Project
+    name: binding
+    namespace: config-control
