diff --git a/content/artifact-registry/allow-artifact-registry.md b/content/artifact-registry/allow-artifact-registry.md
index 34396e8a..9130b138 100644
--- a/content/artifact-registry/allow-artifact-registry.md
+++ b/content/artifact-registry/allow-artifact-registry.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: artifactregistry-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
diff --git a/content/artifact-registry/set-up-artifact-registry.md b/content/artifact-registry/set-up-artifact-registry.md
index 909caed9..d5826993 100644
--- a/content/artifact-registry/set-up-artifact-registry.md
+++ b/content/artifact-registry/set-up-artifact-registry.md
@@ -38,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
 name: artifactregistry-reader
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA},artifactregistry.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ArtifactRegistryRepository/${CONTAINER_REGISTRY_NAME}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -117,7 +119,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │
diff --git a/content/gke-cluster/allow-gke hub.md b/content/gke-cluster/allow-gke hub.md
index bd646735..4f651ae0 100644
--- a/content/gke-cluster/allow-gke hub.md
+++ b/content/gke-cluster/allow-gke hub.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: gke-hub-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
diff --git a/content/gke-cluster/allow-gke.md b/content/gke-cluster/allow-gke.md
index dbf3edd4..9556fdbe 100644
--- a/content/gke-cluster/allow-gke.md
+++ b/content/gke-cluster/allow-gke.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: container-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -36,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
 name: service-account-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -52,6 +56,8 @@ kind: IAMPolicyMember
 metadata:
 name: iam-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -68,6 +74,8 @@ kind: IAMPolicyMember
 metadata:
 name: service-account-user-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
diff --git a/content/gke-cluster/create-gke-cluster.md b/content/gke-cluster/create-gke-cluster.md
index 1fd70d7c..1cad4e84 100644
--- a/content/gke-cluster/create-gke-cluster.md
+++ b/content/gke-cluster/create-gke-cluster.md
@@ -92,6 +92,8 @@ kind: IAMPolicyMember
 metadata:
 name: log-writer
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -109,6 +111,8 @@ kind: IAMPolicyMember
 metadata:
 name: metric-writer
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -126,6 +130,8 @@ kind: IAMPolicyMember
 metadata:
 name: monitoring-viewer
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -143,6 +149,8 @@ kind: IAMPolicyMember
 metadata:
 name: cloudtrace-agent
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -166,6 +174,8 @@ kind: ContainerNodePool
 metadata:
 name: primary
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
 clusterRef:
 name: ${GKE_NAME}
diff --git a/content/gke-cluster/set-up-gke-configs-git-repo.md b/content/gke-cluster/set-up-gke-configs-git-repo.md
index df4a21f4..2fa83689 100644
--- a/content/gke-cluster/set-up-gke-configs-git-repo.md
+++ b/content/gke-cluster/set-up-gke-configs-git-repo.md
@@ -20,7 +20,7 @@ cat < ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-feature-acm.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubFeature
 metadata:
- name: ${GKE_NAME}-acm
+ name: configmanagement
 namespace: ${GKE_PROJECT_ID}
 spec:
 projectRef:
@@ -38,8 +38,10 @@ cat < ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-membership.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubMembership
 metadata:
- name: ${GKE_NAME}-hub-membership
+ name: ${GKE_NAME}
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
 location: global
 authority:
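Review bot: The GKEHubMembership in the gke-hub-membership.yaml hunk of set-up-gke-configs-git-repo.md is renamed from `${GKE_NAME}-hub-membership` to `${GKE_NAME}`, but every expected-output table this commit touches (the "getting 1 RepoSync and RootSync" hunks in set-up-artifact-registry.md, set-up-gke-configs-git-repo.md, set-up-cloud-armor.md, set-up-ip-address.md, set-up-memorystore.md and install-asm.md) still lists `GKEHubMembership │ gke-hub-membership`. Judging by the `ContainerCluster │ gke` row in those same tables, `${GKE_NAME}` resolves to `gke` in the sample output, so the row should read `│ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke │ acm-workshop-464-gke │`. Readers who follow the workshop would otherwise compare their output against a resource name that no longer exists. For anyone who already applied the earlier name, a rename of a KRM object is presumably a create-plus-prune rather than an in-place update, which would merit a one-line heads-up next to the snippet.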
@@ -72,14 +74,16 @@ kind: GKEHubFeatureMembership
 metadata:
 name: ${GKE_NAME}-acm-membership
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubMembership/${GKE_NAME},gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubFeature/configmanagement
 spec:
 projectRef:
 external: ${GKE_PROJECT_ID}
 location: global
 membershipRef:
- name: ${GKE_NAME}-hub-membership
+ name: ${GKE_NAME}
 featureRef:
- name: ${GKE_NAME}-acm
+ name: configmanagement
 configmanagement:
 configSync:
 sourceFormat: unstructured
@@ -115,6 +119,8 @@ kind: IAMPartialPolicy
 metadata:
 name: ${GKE_SA}-sa-cs-monitoring-wi-user
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 resourceRef:
 name: ${GKE_SA}
@@ -173,7 +179,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │
diff --git a/content/gke-project/create-gke-project.md b/content/gke-project/create-gke-project.md
index f7c0b016..989395a4 100644
--- a/content/gke-project/create-gke-project.md
+++ b/content/gke-project/create-gke-project.md
@@ -89,6 +89,8 @@ kind: IAMPartialPolicy
 metadata:
 name: ${GKE_PROJECT_ID}-sa-wi-user
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID}
 spec:
 resourceRef:
 name: ${GKE_PROJECT_ID}
@@ -100,6 +102,9 @@ spec:
 - member: serviceAccount:${CONFIG_CONTROLLER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager-${GKE_PROJECT_ID}]
 EOF
 ```
+{{% notice tip %}}
+You could see that we use the annotation `config.kubernetes.io/depends-on`, [since the version 1.11 of Config Management](https://cloud.google.com/anthos-config-management/docs/release-notes#March_24_2022) we could declare [resource dependencies between resource objects](https://cloud.google.com/anthos-config-management/docs/how-to/declare-resource-dependency). KCC already handles dependencies with a retry loop with backoff, which can make things with long reconcile time even longer and generate warnings or errors on these resources. With that annotation we are optimizing these behaviors. We will use this annotation as much as we can throughout this workshop.
+{{% /notice %}}
 ## Define GKE project namespace and ConfigConnectorContext
diff --git a/content/ingress-gateway/allow-cloud-armor.md b/content/ingress-gateway/allow-cloud-armor.md
index 46367f03..b8d0623b 100644
--- a/content/ingress-gateway/allow-cloud-armor.md
+++ b/content/ingress-gateway/allow-cloud-armor.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: security-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
diff --git a/content/ingress-gateway/set-up-cloud-armor.md b/content/ingress-gateway/set-up-cloud-armor.md
index 7a2ef3fd..91544810 100644
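Review bot: The new `{{% notice tip %}}` paragraph in the second hunk of create-gke-project.md reads awkwardly and mixes tenses ("You could see that we use…", "we could declare…"), and "we are optimizing these behaviors" does not say what the annotation actually changes. I would open it with `Note that we use the annotation above: since Config Management 1.11 we can declare resource dependencies between resource objects.` and replace the third sentence with `With that annotation, Config Sync applies resources in dependency order instead of relying on those retries.` The second sentence would read better with "KCC" expanded to "Config Connector (KCC)" on first use, since the page does not introduce the acronym elsewhere in this hunk.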
--- a/content/ingress-gateway/set-up-cloud-armor.md
+++ b/content/ingress-gateway/set-up-cloud-armor.md
@@ -166,9 +166,9 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ compute.cnrm.cloud.google.com │ ComputeNetwork │ gke │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPartialPolicy │ gke-primary-pool-sa-cs-monitoring-wi-user │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │
diff --git a/content/ingress-gateway/set-up-ip-address.md b/content/ingress-gateway/set-up-ip-address.md
index 37192d89..0d7b1f81 100644
--- a/content/ingress-gateway/set-up-ip-address.md
+++ b/content/ingress-gateway/set-up-ip-address.md
@@ -90,8 +90,8 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │
diff --git a/content/networking/allow-networking.md b/content/networking/allow-networking.md
index 4ff5aa28..0332eac5 100644
--- a/content/networking/allow-networking.md
+++ b/content/networking/allow-networking.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: network-admin-${GKE_PROJECT_ID}
 namespace: config-control
+ annotations:
+ config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
diff --git a/content/networking/set-up-network.md b/content/networking/set-up-network.md
index f4db3d2f..910874d7 100644
--- a/content/networking/set-up-network.md
+++ b/content/networking/set-up-network.md
@@ -35,6 +35,8 @@ kind: ComputeSubnetwork
 metadata:
 name: ${GKE_NAME}
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeNetwork/${GKE_NAME}
 spec:
 ipCidrRange: 10.2.0.0/20
 region: ${GKE_LOCATION}
@@ -57,6 +59,8 @@ kind: ComputeRouter
 metadata:
 name: ${GKE_NAME}
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeNetwork/${GKE_NAME}
 spec:
 networkRef:
 name: ${GKE_NAME}
@@ -71,6 +75,8 @@ kind: ComputeRouterNAT
 metadata:
 name: ${GKE_NAME}
 namespace: ${GKE_PROJECT_ID}
+ annotations:
+ config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeSubnetwork/${GKE_NAME},compute.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ComputeRouter/${GKE_NAME}
 spec:
 natIpAllocateOption: AUTO_ONLY
 region: ${GKE_LOCATION}
diff --git a/content/onlineboutique/set-up-memorystore.md b/content/onlineboutique/set-up-memorystore.md
index 9bfaf753..8762d11c 100644
--- a/content/onlineboutique/set-up-memorystore.md
+++ b/content/onlineboutique/set-up-memorystore.md
@@ -107,9 +107,9 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ artifactregistry-reader │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ metric-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPartialPolicy │ gke-primary-pool-sa-cs-monitoring-wi-user │ acm-workshop-464-gke │
diff --git a/content/service-mesh/install-asm.md b/content/service-mesh/install-asm.md
index 91ea353b..4a533644 100644
--- a/content/service-mesh/install-asm.md
+++ b/content/service-mesh/install-asm.md
@@ -29,7 +29,7 @@ cat < ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-feature-asm.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubFeature
 metadata:
- name: ${GKE_NAME}-asm
+ name: servicemesh
 namespace: ${GKE_PROJECT_ID}
 spec:
 projectRef:
@@ -78,6 +78,8 @@ metadata:
 namespace: istio-system
 labels:
 mesh.cloud.google.com/managed-cni-enabled: "true"
+ annotations:
+ config.kubernetes.io/depends-on: gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubFeature/servicemesh
 spec:
 type: managed_service
 channel: "${ASM_CHANNEL}"
@@ -141,8 +143,8 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │