depends-on implementation with acm 1.11.0

mathieu-benoit · Mar 31, 2022 · 14ba194 · 14ba194
1 parent 3c41176
commit 14ba194
Show file tree

Hide file tree

Showing 14 changed files with 62 additions and 15 deletions.
diff --git a/content/artifact-registry/allow-artifact-registry.md b/content/artifact-registry/allow-artifact-registry.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
   name: artifactregistry-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:

diff --git a/content/artifact-registry/set-up-artifact-registry.md b/content/artifact-registry/set-up-artifact-registry.md
@@ -38,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
   name: artifactregistry-reader
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA},artifactregistry.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ArtifactRegistryRepository/${CONTAINER_REGISTRY_NAME}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -117,7 +119,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ log-writer                                │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMServiceAccount          │ gke-primary-pool                          │ acm-workshop-464-gke │

diff --git a/content/gke-cluster/allow-gke hub.md b/content/gke-cluster/allow-gke hub.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
   name: gke-hub-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:

diff --git a/content/gke-cluster/allow-gke.md b/content/gke-cluster/allow-gke.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
   name: container-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -36,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
   name: service-account-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -52,6 +56,8 @@ kind: IAMPolicyMember
 metadata:
   name: iam-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -68,6 +74,8 @@ kind: IAMPolicyMember
 metadata:
   name: service-account-user-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:

diff --git a/content/gke-cluster/create-gke-cluster.md b/content/gke-cluster/create-gke-cluster.md
@@ -92,6 +92,8 @@ kind: IAMPolicyMember
 metadata:
   name: log-writer
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -109,6 +111,8 @@ kind: IAMPolicyMember
 metadata:
   name: metric-writer
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -126,6 +130,8 @@ kind: IAMPolicyMember
 metadata:
   name: monitoring-viewer
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -143,6 +149,8 @@ kind: IAMPolicyMember
 metadata:
   name: cloudtrace-agent
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
   memberFrom:
     serviceAccountRef:
@@ -166,6 +174,8 @@ kind: ContainerNodePool
 metadata:
   name: primary
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
   clusterRef:
     name: ${GKE_NAME}

diff --git a/content/gke-cluster/set-up-gke-configs-git-repo.md b/content/gke-cluster/set-up-gke-configs-git-repo.md
@@ -20,7 +20,7 @@ cat <<EOF > ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-feature-acm.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubFeature
 metadata:
-  name: ${GKE_NAME}-acm
+  name: configmanagement
   namespace: ${GKE_PROJECT_ID}
 spec:
   projectRef:
@@ -38,8 +38,10 @@ cat <<EOF > ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-membership.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubMembership
 metadata:
-  name: ${GKE_NAME}-hub-membership
+  name: ${GKE_NAME}
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
   location: global
   authority:
@@ -72,14 +74,16 @@ kind: GKEHubFeatureMembership
 metadata:
   name: ${GKE_NAME}-acm-membership
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubMembership/${GKE_NAME},gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubFeature/configmanagement
 spec:
   projectRef:
     external: ${GKE_PROJECT_ID}
   location: global
   membershipRef:
-    name: ${GKE_NAME}-hub-membership
+    name: ${GKE_NAME}
   featureRef:
-    name: ${GKE_NAME}-acm
+    name: configmanagement
   configmanagement:
     configSync:
       sourceFormat: unstructured
@@ -115,6 +119,8 @@ kind: IAMPartialPolicy
 metadata:
   name: ${GKE_SA}-sa-cs-monitoring-wi-user
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
   resourceRef:
     name: ${GKE_SA}
@@ -173,7 +179,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ log-writer                                │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMServiceAccount          │ gke-primary-pool                          │ acm-workshop-464-gke │

diff --git a/content/gke-project/create-gke-project.md b/content/gke-project/create-gke-project.md
@@ -89,6 +89,8 @@ kind: IAMPartialPolicy
 metadata:
   name: ${GKE_PROJECT_ID}-sa-wi-user
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID}
 spec:
   resourceRef:
     name: ${GKE_PROJECT_ID}
@@ -100,6 +102,9 @@ spec:
         - member: serviceAccount:${CONFIG_CONTROLLER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager-${GKE_PROJECT_ID}]
 EOF
 ```
+{{% notice tip %}}
+You could see that we use the annotation `config.kubernetes.io/depends-on`, [since the version 1.11 of Config Management](https://cloud.google.com/anthos-config-management/docs/release-notes#March_24_2022) we could declare [resource dependencies between resource objects](https://cloud.google.com/anthos-config-management/docs/how-to/declare-resource-dependency). KCC already handles dependencies with a retry loop with backoff, which can make things with long reconcile time even longer and generate warnings or errors on these resources. With that annotation we are optimizing these behaviors. We will use this annotation as much as we can throughout this workshop.
+{{% /notice %}}
 
 ## Define GKE project namespace and ConfigConnectorContext
 

diff --git a/content/ingress-gateway/allow-cloud-armor.md b/content/ingress-gateway/allow-cloud-armor.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
   name: security-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:

diff --git a/content/ingress-gateway/set-up-cloud-armor.md b/content/ingress-gateway/set-up-cloud-armor.md
@@ -166,9 +166,9 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ compute.cnrm.cloud.google.com          │ ComputeNetwork             │ gke                                       │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-asm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ servicemesh                               │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPartialPolicy           │ gke-primary-pool-sa-cs-monitoring-wi-user │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMServiceAccount          │ gke-primary-pool                          │ acm-workshop-464-gke │

diff --git a/content/ingress-gateway/set-up-ip-address.md b/content/ingress-gateway/set-up-ip-address.md
@@ -90,8 +90,8 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-asm                                   │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ servicemesh                               │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ log-writer                                │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMServiceAccount          │ gke-primary-pool                          │ acm-workshop-464-gke │

diff --git a/content/networking/allow-networking.md b/content/networking/allow-networking.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
   name: network-admin-${GKE_PROJECT_ID}
   namespace: config-control
+  annotations:
+    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
   memberFrom:
     serviceAccountRef:

diff --git a/content/networking/set-up-network.md b/content/networking/set-up-network.md
@@ -35,6 +35,8 @@ kind: ComputeSubnetwork
 metadata:
   name: ${GKE_NAME}
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeNetwork/${GKE_NAME}
 spec:
   ipCidrRange: 10.2.0.0/20
   region: ${GKE_LOCATION}
@@ -57,6 +59,8 @@ kind: ComputeRouter
 metadata:
   name: ${GKE_NAME}
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeNetwork/${GKE_NAME}
 spec:
   networkRef:
     name: ${GKE_NAME}
@@ -71,6 +75,8 @@ kind: ComputeRouterNAT
 metadata:
   name: ${GKE_NAME}
   namespace: ${GKE_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeSubnetwork/${GKE_NAME},compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeRouter/${GKE_NAME}
 spec:
   natIpAllocateOption: AUTO_ONLY
   region: ${GKE_LOCATION}

diff --git a/content/onlineboutique/set-up-memorystore.md b/content/onlineboutique/set-up-memorystore.md
@@ -107,9 +107,9 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-asm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ servicemesh                               │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ artifactregistry-reader                   │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ metric-writer                             │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPartialPolicy           │ gke-primary-pool-sa-cs-monitoring-wi-user │ acm-workshop-464-gke │

diff --git a/content/service-mesh/install-asm.md b/content/service-mesh/install-asm.md
@@ -29,7 +29,7 @@ cat <<EOF > ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-feature-asm.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubFeature
 metadata:
-  name: ${GKE_NAME}-asm
+  name: servicemesh
   namespace: ${GKE_PROJECT_ID}
 spec:
   projectRef:
@@ -78,6 +78,8 @@ metadata:
   namespace: istio-system
   labels:
     mesh.cloud.google.com/managed-cni-enabled: "true"
+  annotations:
+    config.kubernetes.io/depends-on: gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubFeature/servicemesh
 spec:
   type: managed_service
   channel: "${ASM_CHANNEL}"
@@ -141,8 +143,8 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com        │ ContainerNodePool          │ primary                                   │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com        │ ContainerCluster           │ gke                                       │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubMembership           │ gke-hub-membership                        │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-asm                                   │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ gke-acm                                   │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ servicemesh                               │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com           │ GKEHubFeature              │ configmanagement                          │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com           │ GKEHubFeatureMembership    │ gke-acm-membership                        │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMPolicyMember            │ log-writer                                │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com              │ IAMServiceAccount          │ gke-primary-pool                          │ acm-workshop-464-gke │