diff --git a/infra/configcontroller/Kptfile b/infra/configcontroller/Kptfile
new file mode 100644
index 0000000..ad12ea7
--- /dev/null
+++ b/infra/configcontroller/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: configcontroller
+ annotations:
+ config.kubernetes.io/local-config: "true"
+info:
+ description: configcontroller
+pipeline:
+ mutators:
+ - image: set-name-prefix
+ - image: generator-configconnectorcontext
+ - image: bind-gcp-resources
diff --git a/infra/configcontroller/bindings.yaml b/infra/configcontroller/bindings.yaml
new file mode 100644
index 0000000..87b9587
--- /dev/null
+++ b/infra/configcontroller/bindings.yaml
@@ -0,0 +1,20 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: binding
+ annotations:
+ config.kubernetes.io/local-config: "binding"
diff --git a/infra/configcontroller/configcontroller.yaml b/infra/configcontroller/configcontroller.yaml
new file mode 100644
index 0000000..c77d699
--- /dev/null
+++ b/infra/configcontroller/configcontroller.yaml
@@ -0,0 +1,10 @@
+apiVersion: configcontroller.cnrm.cloud.google.com/v1beta1
+kind: ConfigControllerInstance
+metadata:
+ name: packagename
+ namespace: binding
+spec:
+ location: us-central1
+ managementConfig:
+ standardManagementConfig:
+ masterIPv4CidrBlock: 172.16.0.128/28
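Review bot: The three mutator images under `pipeline.mutators` are bare names (`set-name-prefix`, `generator-configconnectorcontext`, `bind-gcp-resources`) with no registry, tag or digest, so whatever kpt resolves them to is neither pinned nor reviewable, and a mutable reference can change the rendered resources from one render to the next. `infra/subdomain/Kptfile` in the same commit refers to the same functions as fully-qualified `gcr.io/justinsb-root-20220725/...` images, so the packages also disagree on convention. Pin each function to an immutable reference, e.g. `- image: <registry>/set-name-prefix@sha256:<digest>` (placeholders), and apply the same to `infra/environment/Kptfile` and `infra/gkecluster/Kptfile`.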
diff --git a/infra/environment/Kptfile b/infra/environment/Kptfile
new file mode 100644
index 0000000..1ef8012
--- /dev/null
+++ b/infra/environment/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: environment
+ annotations:
+ config.kubernetes.io/local-config: "true"
+info:
+ description: environment
+pipeline:
+ mutators:
+ - image: set-name-prefix
+ - image: generator-configconnectorcontext
+ - image: bind-gcp-resources
diff --git a/infra/environment/README.md b/infra/environment/README.md
new file mode 100644
index 0000000..5094355
--- /dev/null
+++ b/infra/environment/README.md
@@ -0,0 +1 @@
+# environment
diff --git a/infra/environment/bindings.yaml b/infra/environment/bindings.yaml
new file mode 100644
index 0000000..d2b3d31
--- /dev/null
+++ b/infra/environment/bindings.yaml
@@ -0,0 +1,9 @@
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+ name: environments
+ namespace: environments-ns
+ annotations:
+ config.kubernetes.io/local-config: "binding"
+ labels:
+ parent-for: environment
diff --git a/infra/environment/kcc.yaml b/infra/environment/kcc.yaml
new file mode 100644
index 0000000..2168b35
--- /dev/null
+++ b/infra/environment/kcc.yaml
@@ -0,0 +1,105 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: packagename
+ annotations:
+ cnrm.cloud.google.com/project-id: googleprojectid
+
+---
+
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnectorContext
+metadata:
+ name: configconnectorcontext.core.cnrm.cloud.google.com
+ namespace: packagename
+spec:
+ googleServiceAccount: cc-robot@googleprojectid.iam.gserviceaccount.com
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cnrm-controller-manager-packagename
+ namespace: cnrm-system
+ annotations:
+ config.kubernetes.io/local-config: generated
+ ownerReferences:
+ - apiVersion: core.cnrm.cloud.google.com/v1beta1
+ kind: ConfigConnectorContext
+ name: configconnectorcontext.core.cnrm.cloud.google.com
+ namespace: packagename
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: packagename-cc-robot
+ namespace: config-control
+ annotations:
+ cnrm.cloud.google.com/project-id: googleprojectid
+spec:
+ displayName: ConfigConnector ServiceAccount
+ resourceID: cc-robot
+
+---
+
+apiVersion: porch.kpt.dev/v1alpha1
+kind: WorkloadIdentityBinding
+metadata:
+ name: packagename-cnrm-controller-manager
+ namespace: config-control
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+ name: packagename-cc-robot
+ serviceAccountRef:
+ name: cnrm-controller-manager-packagename
+ namespace: cnrm-system
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: packagename-cc-robot
+ namespace: config-control
+spec:
+ memberFrom:
+ serviceAccountRef:
+ name: packagename-cc-robot
+ role: roles/owner
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ name: packagename
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "packagename-cnrm:cnrm-viewer"
+ namespace: config-control
+subjects:
+- kind: ServiceAccount
+ namespace: cnrm-system
+ name: cnrm-controller-manager-packagename
+roleRef:
+ kind: ClusterRole
+ name: cnrm-viewer
+ apiGroup: rbac.authorization.k8s.io
diff --git a/infra/environment/project.yaml b/infra/environment/project.yaml
new file mode 100644
index 0000000..18ac42d
--- /dev/null
+++ b/infra/environment/project.yaml
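Review bot: The `IAMPolicyMember` named `packagename-cc-robot` grants the ConfigConnector robot account `roles/owner` on the whole project, which is broader than the resources in this package appear to need; because the `WorkloadIdentityBinding` above ties that account to the `cnrm-controller-manager-packagename` Kubernetes ServiceAccount, anything that can act as that ServiceAccount holds owner-level control of the project. `roles/owner` also carries IAM administration, so this should at least be a deliberate, documented choice. Consider `role: roles/editor` plus a narrower IAM role such as `roles/resourcemanager.projectIamAdmin` if the package's `IAMPartialPolicy` in rbac.yaml genuinely requires policy management, and document why if owner is kept. `infra/subdomain/kcc.yaml` makes the identical grant.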
@@ -0,0 +1,58 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+ name: packagename
+ namespace: config-control
+spec:
+ displayName: packagename
+ folderRef:
+ name: environments
+ namepace: environments-ns
+
+---
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Project
+metadata:
+ name: packagename
+ namespace: config-control
+spec:
+ name: packagename
+ folderRef:
+ name: environments
+ billingAccountRef:
+ #name: default
+ # TODO: Is there a BillingAccount ref?
+ external: 016C6E-5D5038-702920
+ resourceID: googleprojectid
+
+
+---
+
+# We need to enable some services so we can enable other services
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: packagename-serviceusage
+ namespace: config-control
+spec:
+ resourceID: serviceusage.googleapis.com
+ projectRef:
+ name: packagename
diff --git a/infra/environment/rbac.yaml b/infra/environment/rbac.yaml
new file mode 100644
index 0000000..6ad0091
--- /dev/null
+++ b/infra/environment/rbac.yaml
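Review bot: `namepace: environments-ns` under `spec.folderRef` of the `Folder` is misspelled, so the key is unknown to the schema and the `environments` Folder reference will be looked up in `config-control` instead of `environments-ns`, where `infra/environment/bindings.yaml` places it; it should read `namespace: environments-ns`. The `Project` further down points `folderRef.name` at `environments` with no namespace at all, whereas `infra/subdomain/project.yaml` points its Project at the Folder created in the same file; if the intent is the same here, that line should be `name: packagename`. `billingAccountRef.external: 016C6E-5D5038-702920` looks like a concrete billing account id committed into a reusable template (the commented-out `#name: default` and TODO suggest it was meant to be a reference); the same value is in `infra/subdomain/project.yaml`, and supplying it through a setter or binding would keep it out of both packages.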
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPartialPolicy
+metadata:
+ name: packagename-editors
+ namespace: config-control
+spec:
+ # TODO: Replace with group?
+ bindings:
+ - members:
+ - member: user:justinsb@google.com
+ role: roles/editor
+ - members:
+ - member: user:justinsb@google.com
+ role: roles/container.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ name: packagename
diff --git a/infra/environment/services.yaml b/infra/environment/services.yaml
new file mode 100644
index 0000000..7269423
--- /dev/null
+++ b/infra/environment/services.yaml
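Review bot: The `IAMPartialPolicy` binds a personal identity, `user:justinsb@google.com`, to `roles/editor` and `roles/container.admin` on every project rendered from this package, and the in-line `# TODO: Replace with group?` already acknowledges it. A named user in a reusable template means each consumer of the package silently grants that individual project-wide access, and revocation requires editing every rendered instance; a group, or a value supplied by the package's setters, is the usual pattern. `infra/subdomain/rbac.yaml` is byte-identical (same blob `6ad0091`) and carries the same issue.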
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: container.googleapis.com
+ namespace: packagename
+
+---
+
+# Needed to grant GCP IAM permissions on projects
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: cloudresourcemanager.googleapis.com
+ namespace: packagename
diff --git a/infra/gkecluster/Kptfile b/infra/gkecluster/Kptfile
new file mode 100644
index 0000000..d4cfddd
--- /dev/null
+++ b/infra/gkecluster/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: gkecluster
+ annotations:
+ config.kubernetes.io/local-config: "true"
+info:
+ description: sample description
+pipeline:
+ mutators:
+ - image: set-name-prefix
+ - image: generator-configconnectorcontext
+ - image: bind-gcp-resources
diff --git a/infra/gkecluster/README.md b/infra/gkecluster/README.md
new file mode 100644
index 0000000..29632e6
--- /dev/null
+++ b/infra/gkecluster/README.md
@@ -0,0 +1 @@
+# gkecluster
diff --git a/infra/gkecluster/bindings.yaml b/infra/gkecluster/bindings.yaml
new file mode 100644
index 0000000..2fb53c6
--- /dev/null
+++ b/infra/gkecluster/bindings.yaml
@@ -0,0 +1,30 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: binding
+ annotations:
+ config.kubernetes.io/local-config: "binding"
+
+---
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Project
+metadata:
+ name: binding
+ namespace: config-control
+ annotations:
+ config.kubernetes.io/local-config: "binding"
diff --git a/infra/gkecluster/cluster.yaml b/infra/gkecluster/cluster.yaml
new file mode 100644
index 0000000..9a37844
--- /dev/null
+++ b/infra/gkecluster/cluster.yaml
@@ -0,0 +1,49 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+ name: packagename
+ namespace: binding
+ annotations:
+ cnrm.cloud.google.com/remove-default-node-pool: "true"
+ cnrm.cloud.google.com/state-into-spec: absent
+spec:
+ #description: cluster
+ location: us-central1
+ enableAutopilot: false
+ initialNodeCount: 1
+ releaseChannel:
+ channel: REGULAR
+---
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerNodePool
+metadata:
+ name: packagename-default
+ namespace: binding
+spec:
+ location: us-central1
+ autoscaling:
+ minNodeCount: 1
+ maxNodeCount: 3
+ nodeConfig:
+ serviceAccountRef:
+ name: packagename-gke
+ management:
+ autoRepair: true
+ autoUpgrade: true
+ clusterRef:
+ name: packagename
+ resourceID: default
diff --git a/infra/gkecluster/serviceaccount.yaml b/infra/gkecluster/serviceaccount.yaml
new file mode 100644
index 0000000..f5a7bd2
--- /dev/null
+++ b/infra/gkecluster/serviceaccount.yaml
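Review bot: The `ContainerCluster` enables no `workloadIdentityConfig` and the `ContainerNodePool`'s `nodeConfig` sets only `serviceAccountRef`, so pods on this pool obtain the node service account's credentials from the metadata server, and `serviceaccount.yaml` makes that account a project owner. If Workload Identity is intended for workloads on this cluster, add `workloadIdentityConfig.workloadPool: <project-id>.svc.id.goog` (placeholder) under the cluster `spec` and `workloadMetadataConfig.mode: GKE_METADATA` under the pool's `nodeConfig`; if it is not, a comment saying so would stop the next reader from assuming it. Control-plane exposure is also left at defaults (no `privateClusterConfig` or `masterAuthorizedNetworksConfig`), which may be fine for a sample but deserves an explicit decision given the `release channel`/autoscaling settings are otherwise spelled out.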
@@ -0,0 +1,39 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: packagename-gke
+ namespace: binding
+spec:
+ displayName: ServiceAccount for GKE cluster nodes
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: packagename-gke-owner
+ namespace: binding
+spec:
+ memberFrom:
+ serviceAccountRef:
+ name: packagename-gke
+ role: roles/owner
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ name: binding
+ namespace: config-control
diff --git a/infra/subdomain/Kptfile b/infra/subdomain/Kptfile
new file mode 100644
index 0000000..42af3b5
--- /dev/null
+++ b/infra/subdomain/Kptfile
@@ -0,0 +1,13 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: gkecluster
+ annotations:
+ config.kubernetes.io/local-config: "true"
+info:
+ description: sample description
+pipeline:
+ mutators:
+ - image: gcr.io/justinsb-root-20220725/set-name-prefix
+ - image: gcr.io/justinsb-root-20220725/generator-configconnectorcontext
+ - image: gcr.io/justinsb-root-20220725/bind-gcp-resources
diff --git a/infra/subdomain/README.md b/infra/subdomain/README.md
new file mode 100644
index 0000000..3de2937
--- /dev/null
+++ b/infra/subdomain/README.md
@@ -0,0 +1 @@
+# subdomain
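Review bot: `packagename-gke-owner` grants the GKE node service account `packagename-gke` `roles/owner` on the bound project, so every container scheduled on the node pool in `cluster.yaml` can obtain project-owner credentials from the node metadata server unless Workload Identity (not configured in this commit) intervenes. A node service account only needs the minimal role GKE documents for logging, monitoring and image pulls, with anything further granted per workload; change `role: roles/owner` to `role: roles/container.nodeServiceAccount` and add narrower bindings only where a workload demonstrably needs them. The resource's own name, `-owner`, would then need updating too.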
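Review bot: `metadata.name: gkecluster` in `infra/subdomain/Kptfile` is a copy of the gkecluster package's Kptfile; the package lives under `infra/subdomain` and its README title is `# subdomain`, so the line should be `name: subdomain`. `info.description: sample description` is a leftover placeholder here and in `infra/gkecluster/Kptfile`, unlike the other two Kptfiles which describe themselves; replace it with `description: subdomain` (and `description: gkecluster` in the other file). This Kptfile is also the only one using fully-qualified `gcr.io/justinsb-root-20220725/...` function images, which pins the package to a personal project registry.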
diff --git a/infra/subdomain/bindings.yaml b/infra/subdomain/bindings.yaml
new file mode 100644
index 0000000..206286d
--- /dev/null
+++ b/infra/subdomain/bindings.yaml
@@ -0,0 +1,23 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+ name: binding
+ namespace: config-control
+ annotations:
+ config.kubernetes.io/local-config: "binding"
+ labels:
+ parent-for: subdomain
diff --git a/infra/subdomain/kcc.yaml b/infra/subdomain/kcc.yaml
new file mode 100644
index 0000000..05b3d8d
--- /dev/null
+++ b/infra/subdomain/kcc.yaml
@@ -0,0 +1,105 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: packagename
+ annotations:
+ cnrm.cloud.google.com/project-id: googleprojectid
+
+---
+
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnectorContext
+metadata:
+ name: configconnectorcontext.core.cnrm.cloud.google.com
+ namespace: packagename
+spec:
+ googleServiceAccount: cc-robot@googleprojectid.iam.gserviceaccount.com
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cnrm-controller-manager-packagename
+ namespace: cnrm-system
+ ownerReferences:
+ - apiVersion: core.cnrm.cloud.google.com/v1beta1
+ kind: ConfigConnectorContext
+ name: configconnectorcontext.core.cnrm.cloud.google.com
+ namespace: packagename
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: packagename-cc-robot
+ namespace: config-control
+ annotations:
+ cnrm.cloud.google.com/project-id: googleprojectid
+spec:
+ displayName: ConfigConnector ServiceAccount
+ resourceID: cc-robot
+
+---
+
+apiVersion: porch.kpt.dev/v1alpha1
+kind: WorkloadIdentityBinding
+metadata:
+ name: packagename-cc-robot
+ namespace: config-control
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+ name: packagename-cc-robot
+ serviceAccountRef:
+ name: cnrm-controller-manager-packagename
+ namespace: cnrm-system
+
+---
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: packagename-cc-robot
+ namespace: config-control
+spec:
+ memberFrom:
+ serviceAccountRef:
+ name: packagename-cc-robot
+ role: roles/owner
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ name: packagename
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: packagename-cnrm:cnrm-viewer
+ namespace: config-control
+subjects:
+- kind: ServiceAccount
+ namespace: cnrm-system
+ name: cnrm-controller-manager-packagename
+roleRef:
+ kind: ClusterRole
+ name: cnrm-viewer
+ apiGroup: rbac.authorization.k8s.io
diff --git a/infra/subdomain/project.yaml b/infra/subdomain/project.yaml
new file mode 100644
index 0000000..14ecd82
--- /dev/null
+++ b/infra/subdomain/project.yaml
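Review bot: The `ServiceAccount` `cnrm-controller-manager-packagename` here carries no `config.kubernetes.io/local-config: generated` annotation, while the same resource in `infra/environment/kcc.yaml` does; if that annotation is what keeps the generated placeholder from being applied to the cluster (the live object is owned by the `ConfigConnectorContext`, per `ownerReferences`), the two packages will behave differently on apply, so one of them is wrong. The `WorkloadIdentityBinding` is also named `packagename-cc-robot` here versus `packagename-cnrm-controller-manager` in the environment copy, which reuses the name of the `IAMServiceAccount` and `IAMPolicyMember` in the same namespace (legal across kinds, but it makes `kubectl get` output and events harder to read). Align both files on one form; the environment copy's naming is the less ambiguous.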
@@ -0,0 +1,55 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Folder
+metadata:
+ name: packagename
+ namespace: config-control
+spec:
+ displayName: packagename
+ folderRef:
+ name: binding
+
+---
+
+apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+kind: Project
+metadata:
+ name: packagename
+ namespace: config-control
+spec:
+ name: packagepath
+ folderRef:
+ name: packagename
+ billingAccountRef:
+ #name: default
+ # TODO: Is there a BillingAccount ref?
+ external: 016C6E-5D5038-702920
+ resourceID: googleprojectid
+
+---
+
+# We need to enable some services so we can enable other services
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: packagename-serviceusage
+ namespace: config-control
+spec:
+ resourceID: serviceusage.googleapis.com
+ projectRef:
+ name: packagename
diff --git a/infra/subdomain/rbac.yaml b/infra/subdomain/rbac.yaml
new file mode 100644
index 0000000..6ad0091
--- /dev/null
+++ b/infra/subdomain/rbac.yaml
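Review bot: `spec.name: packagepath` on the `Project` is the only place in this package, or in `infra/environment/project.yaml`, that uses a token other than `packagename`/`googleprojectid`, so it is unclear whether `packagepath` is a second substitution the `set-name-prefix` function understands or a typo for `packagename`. If it is deliberate, a comment on that line such as `# packagepath: full package path, substituted by set-name-prefix` would remove the ambiguity; if not, change it to `name: packagename` to match the environment copy.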
@@ -0,0 +1,32 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPartialPolicy
+metadata:
+ name: packagename-editors
+ namespace: config-control
+spec:
+ # TODO: Replace with group?
+ bindings:
+ - members:
+ - member: user:justinsb@google.com
+ role: roles/editor
+ - members:
+ - member: user:justinsb@google.com
+ role: roles/container.admin
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ name: packagename
diff --git a/infra/subdomain/services.yaml b/infra/subdomain/services.yaml
new file mode 100644
index 0000000..aa71c83
--- /dev/null
+++ b/infra/subdomain/services.yaml
@@ -0,0 +1,44 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: container.googleapis.com
+ namespace: packagename
+
+---
+
+# Needed to grant GCP IAM permissions on projects
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: cloudresourcemanager.googleapis.com
+ namespace: packagename
+
+---
+
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: "abandon"
+ name: krmapihosting
+ namespace: packagename
+spec:
+ resourceID: krmapihosting.googleapis.com