
Commit 14ba194

author
Mathieu Benoit
committed
depends-on implementation with acm 1.11.0
1 parent 3c41176 commit 14ba194


14 files changed

+62
-15
lines changed


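--- a/content/artifact-registry/allow-artifact-registry.md
+++ b/content/artifact-registry/allow-artifact-registry.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: artifactregistry-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef: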
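Review bot: The new `config.kubernetes.io/depends-on` value restates, as a hand-written string, the relationship that the visible `memberFrom.serviceAccountRef` already expresses, and nothing in the manifest says why both are needed. Because this object is an IAM grant, a one-line YAML comment above `annotations:` would help the next editor, for example `# Ordering only: apply this grant after the service account and project have reconciled.` The same annotation is added without comment in allow-gke hub.md, in all four hunks of allow-gke.md and in allow-cloud-armor.md. The `spec` continues past the end of the hunk, so the role being granted is not visible here.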

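--- a/content/artifact-registry/set-up-artifact-registry.md
+++ b/content/artifact-registry/set-up-artifact-registry.md
@@ -38,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
 name: artifactregistry-reader
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA},artifactregistry.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ArtifactRegistryRepository/${CONTAINER_REGISTRY_NAME}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -117,7 +119,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │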
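Review bot: The sample output still lists the `GKEHubMembership` as `gke-hub-membership` in the context row just above the updated `GKEHubFeature` row, although this commit renames that object to `${GKE_NAME}` in set-up-gke-configs-git-repo.md. With the cluster shown as `gke`, the row would presumably read `│ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke │ acm-workshop-464-gke │`. The same stale row is left in the output tables of set-up-gke-configs-git-repo.md, set-up-cloud-armor.md and set-up-ip-address.md. Readers who verify their deployment against these tables will see a mismatch and cannot tell whether their membership registered correctly.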

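--- a/content/gke-cluster/allow-gke hub.md
+++ b/content/gke-cluster/allow-gke hub.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: gke-hub-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef: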

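--- a/content/gke-cluster/allow-gke.md
+++ b/content/gke-cluster/allow-gke.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: container-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -36,6 +38,8 @@ kind: IAMPolicyMember
 metadata:
 name: service-account-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -52,6 +56,8 @@ kind: IAMPolicyMember
 metadata:
 name: iam-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -68,6 +74,8 @@ kind: IAMPolicyMember
 metadata:
 name: service-account-user-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef: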

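--- a/content/gke-cluster/create-gke-cluster.md
+++ b/content/gke-cluster/create-gke-cluster.md
@@ -92,6 +92,8 @@ kind: IAMPolicyMember
 metadata:
 name: log-writer
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -109,6 +111,8 @@ kind: IAMPolicyMember
 metadata:
 name: metric-writer
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -126,6 +130,8 @@ kind: IAMPolicyMember
 metadata:
 name: monitoring-viewer
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -143,6 +149,8 @@ kind: IAMPolicyMember
 metadata:
 name: cloudtrace-agent
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 memberFrom:
 serviceAccountRef:
@@ -166,6 +174,8 @@ kind: ContainerNodePool
 metadata:
 name: primary
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
 clusterRef:
 name: ${GKE_NAME}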
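Review bot: The `ContainerNodePool` `primary` in the last hunk now waits only for the `ContainerCluster`, while the four `IAMPolicyMember` hunks above it (`log-writer`, `metric-writer`, `monitoring-viewer`, `cloudtrace-agent`) bind roles for `${GKE_SA}`. If the pool's node configuration runs nodes as `${GKE_SA}` (that part of `spec` lies outside the hunk), the pool can be created before the account and its grants have reconciled, and early nodes may be unable to write logs and metrics. Consider extending the value to also name the account: `config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME},iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}`.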

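--- a/content/gke-cluster/set-up-gke-configs-git-repo.md
+++ b/content/gke-cluster/set-up-gke-configs-git-repo.md
@@ -20,7 +20,7 @@ cat <<EOF > ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-feature-acm.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubFeature
 metadata:
-name: ${GKE_NAME}-acm
+name: configmanagement
 namespace: ${GKE_PROJECT_ID}
 spec:
 projectRef:
@@ -38,8 +38,10 @@ cat <<EOF > ~/$GKE_PROJECT_DIR_NAME/config-sync/gke-hub-membership.yaml
 apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
 kind: GKEHubMembership
 metadata:
-name: ${GKE_NAME}-hub-membership
+name: ${GKE_NAME}
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: container.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/ContainerCluster/${GKE_NAME}
 spec:
 location: global
 authority:
@@ -72,14 +74,16 @@ kind: GKEHubFeatureMembership
 metadata:
 name: ${GKE_NAME}-acm-membership
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubMembership/${GKE_NAME},gkehub.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/GKEHubFeature/configmanagement
 spec:
 projectRef:
 external: ${GKE_PROJECT_ID}
 location: global
 membershipRef:
-name: ${GKE_NAME}-hub-membership
+name: ${GKE_NAME}
 featureRef:
-name: ${GKE_NAME}-acm
+name: configmanagement
 configmanagement:
 configSync:
 sourceFormat: unstructured
@@ -115,6 +119,8 @@ kind: IAMPartialPolicy
 metadata:
 name: ${GKE_SA}-sa-cs-monitoring-wi-user
 namespace: ${GKE_PROJECT_ID}
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/${GKE_PROJECT_ID}/IAMServiceAccount/${GKE_SA}
 spec:
 resourceRef:
 name: ${GKE_SA}
@@ -173,7 +179,7 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │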
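Review bot: Renaming `metadata.name` of the `GKEHubFeature` (to `configmanagement`) and of the `GKEHubMembership` (to `${GKE_NAME}`) in the first two hunks leaves readers who already applied the earlier manifests without guidance. For them Config Sync would likely see the old names as removed objects and prune them, and depending on the Config Connector deletion policy that may unregister the cluster from the fleet before the new membership exists. The `authority:` block in the membership hunk suggests that fleet workload identity depends on that registration. A short note next to the manifests, stating that the names changed and that an existing setup should be re-created or the old objects abandoned first, would cover this. The hunks cut each manifest short, so it is not visible whether a `resourceID` field pins the underlying resource names.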

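--- a/content/gke-project/create-gke-project.md
+++ b/content/gke-project/create-gke-project.md
@@ -89,6 +89,8 @@ kind: IAMPartialPolicy
 metadata:
 name: ${GKE_PROJECT_ID}-sa-wi-user
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID}
 spec:
 resourceRef:
 name: ${GKE_PROJECT_ID}
@@ -100,6 +102,9 @@ spec:
 - member: serviceAccount:${CONFIG_CONTROLLER_PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager-${GKE_PROJECT_ID}]
 EOF
 ```
+{{% notice tip %}}
+You could see that we use the annotation `config.kubernetes.io/depends-on`, [since the version 1.11 of Config Management](https://cloud.google.com/anthos-config-management/docs/release-notes#March_24_2022) we could declare [resource dependencies between resource objects](https://cloud.google.com/anthos-config-management/docs/how-to/declare-resource-dependency). KCC already handles dependencies with a retry loop with backoff, which can make things with long reconcile time even longer and generate warnings or errors on these resources. With that annotation we are optimizing these behaviors. We will use this annotation as much as we can throughout this workshop.
+{{% /notice %}}
 
 ## Define GKE project namespace and ConfigConnectorContext
 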
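Review bot: The added tip is the only place the annotation is explained, yet it never states the reference format that every later manifest depends on, and its opening is hard to read ("You could see that we use ..., since the version 1.11 ... we could declare"). Suggested opening: "Note the `config.kubernetes.io/depends-on` annotation: since version 1.11 of Config Management we can declare resource dependencies between objects." I would also add one sentence giving the format as used in these manifests, `<group>/namespaces/<namespace>/<kind>/<name>` with several references separated by commas. It is worth stating in the tip that the annotation only orders the apply and does not replace the `resourceRef` or `memberFrom` fields in `spec`, since most annotated objects in this workshop are IAM bindings.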

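--- a/content/ingress-gateway/allow-cloud-armor.md
+++ b/content/ingress-gateway/allow-cloud-armor.md
@@ -20,6 +20,8 @@ kind: IAMPolicyMember
 metadata:
 name: security-admin-${GKE_PROJECT_ID}
 namespace: config-control
+annotations:
+config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMServiceAccount/${GKE_PROJECT_ID},resourcemanager.cnrm.cloud.google.com/namespaces/config-control/Project/${GKE_PROJECT_ID}
 spec:
 memberFrom:
 serviceAccountRef: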

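--- a/content/ingress-gateway/set-up-cloud-armor.md
+++ b/content/ingress-gateway/set-up-cloud-armor.md
@@ -166,9 +166,9 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ compute.cnrm.cloud.google.com │ ComputeNetwork │ gke │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPartialPolicy │ gke-primary-pool-sa-cs-monitoring-wi-user │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │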

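--- a/content/ingress-gateway/set-up-ip-address.md
+++ b/content/ingress-gateway/set-up-ip-address.md
@@ -90,8 +90,8 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ container.cnrm.cloud.google.com │ ContainerNodePool │ primary │ acm-workshop-464-gke │
 │ container.cnrm.cloud.google.com │ ContainerCluster │ gke │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubMembership │ gke-hub-membership │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-asm │ acm-workshop-464-gke │
-│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ gke-acm │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ servicemesh │ acm-workshop-464-gke │
+│ gkehub.cnrm.cloud.google.com │ GKEHubFeature │ configmanagement │ acm-workshop-464-gke │
 │ gkehub.cnrm.cloud.google.com │ GKEHubFeatureMembership │ gke-acm-membership │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMPolicyMember │ log-writer │ acm-workshop-464-gke │
 │ iam.cnrm.cloud.google.com │ IAMServiceAccount │ gke-primary-pool │ acm-workshop-464-gke │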
