From 02a9e70c8f6d0f6d297f992506e088e03f27e7fa Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Mon, 17 Apr 2023 10:23:56 +0200 Subject: [PATCH] Update: ConfigConnector setup Signed-off-by: Nicolas Lamirault --- Makefile | 35 ++++- README.md | 3 +- krm/ack/README.md | 12 +- krm/crossplane/gcp/infra/gke.yaml | 4 +- krm/kcc/README.md | 35 +++++ krm/kcc/infra/artifactregistry.yaml | 32 +++++ krm/kcc/infra/bucket.yaml | 32 +++++ krm/kcc/infra/firewall.yaml | 89 ++++++++++++ krm/kcc/infra/gke.yaml | 216 ++++++++++++++++++++++++++++ krm/kcc/infra/iam.yaml | 23 +++ krm/kcc/infra/ip.yaml | 23 +++ krm/kcc/infra/kustomization.yaml | 33 +++++ krm/kcc/infra/labels.yaml | 33 +++++ krm/kcc/infra/network.yaml | 24 ++++ krm/kcc/infra/pubsub.yaml | 21 +++ krm/kcc/infra/router.yaml | 41 ++++++ krm/kcc/infra/subnetwork.yaml | 32 +++++ 17 files changed, 675 insertions(+), 13 deletions(-) create mode 100644 krm/kcc/README.md create mode 100644 krm/kcc/infra/artifactregistry.yaml create mode 100644 krm/kcc/infra/bucket.yaml create mode 100644 krm/kcc/infra/firewall.yaml create mode 100644 krm/kcc/infra/gke.yaml create mode 100644 krm/kcc/infra/iam.yaml create mode 100644 krm/kcc/infra/ip.yaml create mode 100644 krm/kcc/infra/kustomization.yaml create mode 100644 krm/kcc/infra/labels.yaml create mode 100644 krm/kcc/infra/network.yaml create mode 100644 krm/kcc/infra/pubsub.yaml create mode 100644 krm/kcc/infra/router.yaml create mode 100644 krm/kcc/infra/subnetwork.yaml diff --git a/Makefile b/Makefile index 3102bd6..8e59afc 100644 --- a/Makefile +++ b/Makefile @@ -42,6 +42,10 @@ ASO_SYSTEM_NAMESPACE = aso-system # datasource=github-tags depName=Azure/azure-service-operator ASO_VERSION = v2.0.0-beta.5 +KCC_SYSTEM_NAMESPACE = cnrm-system +# datasource=github-tags depName=GoogleCloudPlatform/k8s-config-connector +ASO_VERSION = v1.101.0 + # ==================================== # D E V E L O P M E N T # ==================================== 
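Review bot: The variable added under the k8s-config-connector Renovate comment is named `ASO_VERSION` rather than `KCC_VERSION`, so it silently redefines the ASO version to v1.101.0 (Make keeps the last assignment) and leaves `$(KCC_VERSION)`, which the new `kcc-install` recipe expands, undefined. Rename it: `KCC_VERSION = v1.101.0`. Note also that the value already carries a `v` prefix while `kcc-install` writes `--version=v$(KCC_VERSION)`, which would produce `vv1.101.0`; drop either the literal `v` in the recipe or the prefix in the value, and keep the Renovate comment consistent with whichever form is chosen.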
@@ -166,6 +170,13 @@ ack-uninstall: ## Uninstall the ACK controllers helm uninstall -n $(ACK_SYSTEM_NAMESPACE) ack-s3-controller kubectl delete namespace $(ACK_SYSTEM_NAMESPACE) + +# ==================================== +# ASO +# ==================================== + +##@ ASO + .PHONY: aso-azure-credentials aso-azure-credentials: guard-AZURE_TENANT_ID guard-AZURE_SUBSCRIPTION_ID ## Generate credentials for AWS (AWS_ACCESS_KEY=xxx AWS_SECRET_ACCESS_KEY=xxx) @./hack/scripts/aso.sh aso-controller-settings $(ASO_SYSTEM_NAMESPACE) @@ -180,7 +191,7 @@ aso-dependencies: ## Install dependencies cert-manager cert-manager/cert-manager --version 1.9.1 .PHONY: aso-install -aso-install:## Install the ASO controlplane +aso-install: ## Install the ASO controlplane @helm repo add aso2 https://raw.githubusercontent.com/Azure/azure-service-operator/main/v2/charts @helm repo update @helm upgrade --install --devel --create-namespace --namespace=$(ASO_SYSTEM_NAMESPACE) azure-service-operator \ @@ -198,3 +209,25 @@ aso-uninstall: ## Uninstall the ACK controllers @kubectl delete namespace $(ASO_SYSTEM_NAMESPACE) @helm uninstall -n cert-manager cert-manager @kubectl delete namespace cert-manager + + +# ==================================== +# KCC +# ==================================== + +##@ KCC + +kcc-install: # Install the KCC controlplane + helm upgrade --install --devel --create-namespace --namespace=$(KCC_SYSTEM_NAMESPACE) kubernetes-config-connector \ + aso2/azure-service-operator \ + --version=v$(KCC_VERSION) \ + -f krm/kcc/values.yaml + +.PHONY: kcc-infra +kcc-infra: guard-ACTION ## Manage the components (ACTION=xxx, apply or delete) + @kustomize build krm/kcc/infra | kubectl $(ACTION) -f - + +.PHONY: kcc-uninstall +kcc-uninstall: ## Uninstall KCC controlplane + @helm uninstall -n $(KCC_SYSTEM_NAMESPACE) kubernetes-config-connector + @kubectl delete namespace $(KCC_SYSTEM_NAMESPACE) diff --git a/README.md b/README.md index aabfd64..c73b058 100644 --- a/README.md +++ b/README.md 
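Review bot: `kcc-install` installs `aso2/azure-service-operator`, the Azure Service Operator chart copied from `aso-install`, under the release name kubernetes-config-connector, so this target can never deploy Config Connector; the chart reference (and a matching `helm repo add`) must point at the Config Connector distribution, and `--devel` should go unless a pre-release is intended. The target also lacks a `.PHONY` line and its comment uses a single `#` where every sibling uses `##`, so it is hidden from the help listing: `.PHONY: kcc-install` / `kcc-install: ## Install the KCC controlplane`. `-f krm/kcc/values.yaml` does not appear in this commit's diffstat, so that file may be missing as well.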
@@ -11,13 +11,14 @@ Tools: * [Crossplane](https://crossplane.io) * [AWS Controllers for Kubernetes](https://aws-controllers-k8s.github.io/community/) * [Azure Service Operator](https://github.com/Azure/azure-service-operator) -* [Config Connector](https://cloud.google.com/config-connector/docs/overview) +* [Kubernetes Config Connector](https://cloud.google.com/config-connector/docs/overview) ## Documentation * [Crossplane](./krm/crossplane) * [AWS Controllers for Kubernetes](./krm/ack/) * [Azure Service Operator](./krm/aso/) +* [Kubernetes Config Connector](./krm/kcc) ## Contributing diff --git a/krm/ack/README.md b/krm/ack/README.md index 63546b2..e4f82f9 100644 --- a/krm/ack/README.md +++ b/krm/ack/README.md @@ -6,12 +6,6 @@ > make kind-create ENV=aws ``` -* Install ACK: - -```shell -> make ack-controlplane ENV=aws -``` - ## Cloud provider credentials ```shell @@ -23,10 +17,10 @@ * Install ACK controllers: ```shell -> make ack-install +> make kcc-install ``` -* Check controllers: +* Check controller: ```shell > kubectl -n ack-system get pods -l "app.kubernetes.io/instance=ack-ec2-controller" @@ -39,5 +33,5 @@ * Clean cluster: ```shell -> make ack-uninstall +> make kcc-uninstall ``` diff --git a/krm/crossplane/gcp/infra/gke.yaml b/krm/crossplane/gcp/infra/gke.yaml index bd7f80b..023e469 100644 --- a/krm/crossplane/gcp/infra/gke.yaml +++ b/krm/crossplane/gcp/infra/gke.yaml @@ -75,8 +75,8 @@ spec: # service: kubernetes # role: cluster # made-by: crossplane - # workloadIdentityConfig: - # workloadPool: portefaix-krm #.svc.id.goog + workloadIdentityConfig: + workloadPool: portefaix-krm-crossplane.svc.id.goog writeConnectionSecretToRef: name: portefaix-krm-gke namespace: crossplane-system diff --git a/krm/kcc/README.md b/krm/kcc/README.md new file mode 100644 index 0000000..ef51a9a --- /dev/null +++ b/krm/kcc/README.md 
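Review bot: In the crossplane gke.yaml hunk, `workloadPool` must be the GCP project ID followed by `.svc.id.goog`; `portefaix-krm-crossplane.svc.id.goog` reads like a cluster or stack name, so confirm that `portefaix-krm-crossplane` really is the project ID, otherwise the cluster update is rejected. A comment such as `# workloadPool is <PROJECT_ID>.svc.id.goog, not the cluster name` above the field would make that explicit for the next editor. The enclosing Cluster spec starts and ends outside this hunk.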
@@ -0,0 +1,35 @@
+# KRM / KCC
+
+Resources: https://cloud.google.com/config-connector/docs/reference/overview
+
+* Create Kind cluster :
+
+```shell
+> make kind-create ENV=gcp
+```
+
+## Cloud provider credentials
+
+```shell
+> make kcc-gcp-credentials
+```
+
+## KCC Control Plane
+
+* Install KCC:
+
+```shell
+> make kcc-install
+```
+
+* Check controllers:
+
+```shell
+
+```
+
+* Clean cluster:
+
+```shell
+> make kcc-uninstall
+```
diff --git a/krm/kcc/infra/artifactregistry.yaml b/krm/kcc/infra/artifactregistry.yaml
new file mode 100644
index 0000000..45911cf
--- /dev/null
+++ b/krm/kcc/infra/artifactregistry.yaml
@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
+kind: ArtifactRegistryRepository
+metadata:
+ name: portefaix-krm-kcc-charts
+spec:
+ format: DOCKER
+ location: eu-west1
+---
+apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1
+kind: ArtifactRegistryRepository
+metadata:
+ name: portefaix-krm-kcc-containers
+spec:
+ format: DOCKER
+ location: eu-west1
diff --git a/krm/kcc/infra/bucket.yaml b/krm/kcc/infra/bucket.yaml
new file mode 100644
index 0000000..24ee063
--- /dev/null
+++ b/krm/kcc/infra/bucket.yaml
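Review bot: `location: eu-west1` is not a Google Cloud region (that naming scheme is AWS's); the Belgian region is `europe-west1`, so both repositories fail to reconcile. The same value recurs in bucket.yaml, gke.yaml (`location` and the `nodeLocations` zones), router.yaml and subnetwork.yaml (`region`), and should be fixed in one pass, ideally through a single kustomize replacement so the region is stated once. Note as well that europe-west1 exposes zones b, c and d, not a, so `eu-west1-a` has no valid counterpart.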
@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ location: eu-west1
+ storageClass: standard
+ uniformBucketLevelAccess: true
+ versioning:
+ enabled: true
+ lifecycleRule:
+ - action:
+ type: Delete
+ condition:
+ age: 10
diff --git a/krm/kcc/infra/firewall.yaml b/krm/kcc/infra/firewall.yaml
new file mode 100644
index 0000000..dde1aea
--- /dev/null
+++ b/krm/kcc/infra/firewall.yaml
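Review bot: The lifecycle rule deletes every object 10 days after creation even though versioning is enabled, so the bucket cannot hold anything durable; if the intent is to prune old versions, the condition should be `numNewerVersions` or `daysSinceNoncurrentTime` rather than `age`, and a one-line comment stating the retention intent belongs next to the rule. `uniformBucketLevelAccess: true` is the right default; consider adding `publicAccessPrevention: enforced` if the CRD version in use exposes it, so a later IAM change cannot make the bucket public. The bucket name is taken from `metadata.name` and must be globally unique, so `resourceID` may be needed if that name is already taken.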
@@ -0,0 +1,89 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: portefaix-krm-kcc-allow-tcp-ssh-icmp
+spec:
+ allow:
+ - protocol: tcp
+ ports:
+ - "22"
+ - "3389"
+ - protocol: icmp
+ networkRef:
+ name: portefaix-krm-kcc
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: portefaix-krm-kcc-internal
+spec:
+ allow:
+ - protocol: tcp
+ - protocol: icmp
+ - protocol: udp
+ networkRef:
+ name: portefaix-krm-kcc
+ sourceRanges:
+ - "10.2.0.0/16"
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: portefaix-krm-kcc-allow-iap-ssh
+spec:
+ priority: 10000
+ allow:
+ - ports:
+ - "22"
+ protocol: tcp
+ direction: INGRESS
+ disabled: false
+ enableLogging: false
+ networkRef:
+ name: portefaix-krm-kcc
+ sourceRanges:
+ - "35.235.240.0/20"
+ targetTags:
+ - allow-iap-ssh
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+ name: portefaix-krm-kcc-allow-gcp-lb
+spec:
+ priority: 10000
+ allow:
+ - ports:
+ - "80"
+ - "443"
+ - "8080"
+ protocol: tcp
+ direction: INGRESS
+ disabled: false
+ enableLogging: false
+ networkRef:
+ name: portefaix-krm-kcc
+ sourceRanges:
+ - "35.191.0.0/16"
+ - "130.211.0.0/22"
+ - "209.85.152.0/22"
+ - "209.85.204.0/22"
+ targetTags:
+ - allow-gcp-lb
diff --git a/krm/kcc/infra/gke.yaml b/krm/kcc/infra/gke.yaml
new file mode 100644
index 0000000..66969d3
--- /dev/null
+++ b/krm/kcc/infra/gke.yaml
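Review bot: `portefaix-krm-kcc-allow-tcp-ssh-icmp` has no `sourceRanges`, `sourceTags` or `targetTags`, and a GCP ingress rule with no source filter applies to every source, so it opens SSH (22) and RDP (3389) from the Internet to every instance in the network, GKE nodes included, and makes the IAP-only rule below pointless. Either delete this rule (`allow-iap-ssh` already covers operator access through 35.235.240.0/20) or give it an explicit `sourceRanges` list plus `targetTags`, and drop 3389 since nothing in this change is a Windows host. Setting `enableLogging: true` on the IAP and load-balancer rules would also provide the audit trail needed when reviewing who reached the nodes.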
@@ -0,0 +1,216 @@ +# Copyright (C) Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerCluster +metadata: + name: portefaix-krm-kcc +spec: + description: portefaix-krm-kcc + location: eu-west1 + releaseChannel: + channel: REGULAR + networkRef: + name: portefaix-krm-kcc + subnetworkRef: + name: portefaix-krm-kcc + + workloadIdentityConfig: + workloadPool: portefaix-krm-kcc.svc.id.goog + + # Automation + + clusterAutoscaling: + enabled: true + autoscalingProfile: BALANCED + resourceLimits: + - resourceType: cpu + maximum: 100 + minimum: 10 + - resourceType: memory + maximum: 1000 + minimum: 100 + verticalPodAutoscaling: + enabled: false + maintenancePolicy: + dailyMaintenanceWindow: + startTime: 03:00 + notificationConfig: + pubsub: + enabled: true + topicRef: + name: portefaix-krm-kcc + + # Node Pools + + initialNodeCount: 1 + defaultMaxPodsPerNode: 16 + nodeLocations: + - eu-west1-a + - eu-west1-b + - eu-west1-c + + # Networking + + networkingMode: VPC_NATIVE + # Enable dataplane V2 + # https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2 + datapathProvider: ADVANCED_DATAPATH + masterAuthorizedNetworksConfig: + cidrBlocks: + - cidrBlock: 0.0.0.0/0 + displayName: The Internet + ipAllocationPolicy: + servicesSecondaryRangeName: services + clusterSecondaryRangeName: pods + enableIntranodeVisibility: true + networkPolicy: + 
enabled: true + dnsConfig: + clusterDns: CLOUD_DNS + clusterDnsScope: CLUSTER_SCOPE + + # Security + + enableBinaryAuthorization: true + enableShieldedNodes: true + confidentialNodes: + enabled: true + privateClusterConfig: + # Allow public access to the GKE control plane by default. + # This default is a deliberate compromise for ease of use over security. + # For increased security, set to true to disable public IP access. + enablePrivateEndpoint: false + enablePrivateNodes: true + # Enable global access to the GKE control plane's internal loab balancer. + # https://cloud.google.com/load-balancing/docs/internal/setting-up-internal#ilb-global-access + masterGlobalAccessConfig: + enabled: true + masterIpv4CidrBlock: 172.16.0.0/28 + podSecurityPolicyConfig: + enabled: false + + # Features + + loggingConfig: + enableComponents: + - "SYSTEM_COMPONENTS" + - "WORKLOADS" + monitoringConfig: + enableComponents: + - "SYSTEM_COMPONENTS" + enableAutopilot: false + costManagementConfig: + enabled: true + addonsConfig: + cloudrunConfig: + disabled: true + configConnectorConfig: + enabled: false + dnsCacheConfig: + enabled: true + gcePersistentDiskCsiDriverConfig: + enabled: true + gcpFilestoreCsiDriverConfig: + enabled: true + gkeBackupAgentConfig: + enabled: true + horizontalPodAutoscaling: + disabled: true + httpLoadBalancing: + disabled: true + istioConfig: + disabled: true + kalmConfig: + enabled: false + networkPolicyConfig: + disabled: false +--- +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerNodePool +metadata: + name: portefaix-krm-kcc-core +spec: + location: eu-west1 + autoscaling: + minNodeCount: 1 + maxNodeCount: 3 + nodeConfig: + imageType: COS_CONTAINERD + machineType: e2-standard-16 + diskSizeGb: 100 + diskType: pd-ssd + labels: + gke.io/nodepool: core + tags: + - kubernetes + - nodes + preemptible: false + minCpuPlatform: "Intel Haswell" + oauthScopes: + - https://www.googleapis.com/auth/cloud-platform + # - 
https://www.googleapis.com/auth/logging.write + # - https://www.googleapis.com/auth/monitoring + metadata: + disable-legacy-endpoints: "true" + shieldedInstanceConfig: + enableIntegrityMonitoring: true + enableSecureBoot: true + serviceAccountRef: + name: portefaix-krm-kcc-gke + management: + autoRepair: true + autoUpgrade: true + clusterRef: + name: portefaix-krm-kcc +--- +apiVersion: container.cnrm.cloud.google.com/v1beta1 +kind: ContainerNodePool +metadata: + name: portefaix-krm-kcc-ops +spec: + location: eu-west1 + autoscaling: + minNodeCount: 1 + maxNodeCount: 3 + nodeConfig: + machineType: e2-standard-16 + diskSizeGb: 100 + diskType: pd-ssd + labels: + gke.io/nodepool: ops + tags: + - kubernetes + - nodes + preemptible: false + minCpuPlatform: "Intel Haswell" + oauthScopes: + - https://www.googleapis.com/auth/cloud-platform + # - https://www.googleapis.com/auth/logging.write + # - https://www.googleapis.com/auth/monitoring + metadata: + disable-legacy-endpoints: "true" + shieldedInstanceConfig: + enableIntegrityMonitoring: true + enableSecureBoot: true + serviceAccountRef: + name: portefaix-krm-kcc-gke + management: + autoRepair: true + autoUpgrade: true + clusterRef: + name: portefaix-krm-kcc diff --git a/krm/kcc/infra/iam.yaml b/krm/kcc/infra/iam.yaml new file mode 100644 index 0000000..be7d23e --- /dev/null +++ b/krm/kcc/infra/iam.yaml 
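Review bot: `masterAuthorizedNetworksConfig` lists `0.0.0.0/0`, which together with `enablePrivateEndpoint: false` leaves the control-plane API reachable from any address; authorized networks only help when the `cidrBlocks` are narrowed to the operator's egress ranges (and the Config Connector controller's, if it runs outside this VPC), so either restrict the list or remove the block and document why the endpoint is public. Several fields look likely to be rejected or ignored by the API and should be checked against the Config Connector version in use: `podSecurityPolicyConfig` targets a feature GKE has removed, `confidentialNodes` requires N2D/C2D machine types while both node pools use `e2-standard-16`, and `networkPolicy.enabled: true` is normally incompatible with `datapathProvider: ADVANCED_DATAPATH`, which enforces NetworkPolicy itself. `workloadPool: portefaix-krm-kcc.svc.id.goog` must be built from the project ID, not the cluster name. The comment `internal loab balancer` should read `internal load balancer`.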
@@ -0,0 +1,23 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: portefaix-krm-kcc-gke
+spec:
+ displayName: portefaix-krm-kcc-gke
diff --git a/krm/kcc/infra/ip.yaml b/krm/kcc/infra/ip.yaml
new file mode 100644
index 0000000..279446c
--- /dev/null
+++ b/krm/kcc/infra/ip.yaml
@@ -0,0 +1,23 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeAddress
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ location: global
diff --git a/krm/kcc/infra/kustomization.yaml b/krm/kcc/infra/kustomization.yaml
new file mode 100644
index 0000000..4560f5f
--- /dev/null
+++ b/krm/kcc/infra/kustomization.yaml
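Review bot: `portefaix-krm-kcc-gke` is referenced as the node service account by both node pools in gke.yaml, but nothing grants it a role, so the nodes run without the permissions GKE needs to ship logs and metrics; a dedicated node identity is the right least-privilege choice, it just needs the minimal binding. Add an `IAMPolicyMember` granting `roles/container.nodeServiceAccount` on the project rather than any editor-style role. The project is not named anywhere in this commit, hence the placeholder below.
```yaml
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: portefaix-krm-kcc-gke-node-sa
spec:
  memberFrom:
    serviceAccountRef:
      name: portefaix-krm-kcc-gke
  role: roles/container.nodeServiceAccount
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/PROJECT_ID  # placeholder: the project is not named in this commit
```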
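Review bot: The reserved `ComputeAddress` is not referenced by any other resource in this change, and it cannot be the address Cloud NAT uses: router.yaml sets `natIpAllocateOption: AUTO_ONLY`, and NAT requires regional addresses while this one is `location: global`. Either remove it or state its consumer in a comment above the resource, e.g. `# Reserved front-end IP for the global HTTPS load balancer`, if that is the intent.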
@@ -0,0 +1,33 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cnrm-system
+transformers:
+- labels.yaml
+resources:
+- network.yaml
+- subnetwork.yaml
+- router.yaml
+- bucket.yaml
+- artifactregistry.yaml
+- firewall.yaml
+- iam.yaml
+- ip.yaml
+- pubsub.yaml
+- gke.yaml
diff --git a/krm/kcc/infra/labels.yaml b/krm/kcc/infra/labels.yaml
new file mode 100644
index 0000000..7ff8d87
--- /dev/null
+++ b/krm/kcc/infra/labels.yaml
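Review bot: `namespace: cnrm-system` places every managed resource in the controller's own namespace, and nothing in this change sets the `cnrm.cloud.google.com/project-id` annotation that Config Connector needs (on the namespace or on each resource) to know which project to reconcile into. Use a dedicated namespace annotated with the project ID — a `Namespace` resource carrying `cnrm.cloud.google.com/project-id: PROJECT_ID` (placeholder) — so that tenant resources and their RBAC stay separate from the operator's. If `cnrm-system` is already annotated outside this repository, a comment saying so next to `namespace:` would spare the next reader the question.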
@@ -0,0 +1,33 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+ name: labels
+labels:
+ app.kubernetes.io/name: portefaix-krm-kcc
+ app.kubernetes.io/instance: portefaix-krm-kcc-app
+ app.kubernetes.io/component: krm
+ app.kubernetes.io/version: v0.1.0
+ app.kubernetes.io/part-of: portefaix-krm-kcc
+ app.kubernetes.io/managed-by: kustomize
+ portefaix.xyz/stack: krm
+ portefaix.xyz/krm: kcc
+fieldSpecs:
+- path: metadata/labels
+ create: true
diff --git a/krm/kcc/infra/network.yaml b/krm/kcc/infra/network.yaml
new file mode 100644
index 0000000..23beebd
--- /dev/null
+++ b/krm/kcc/infra/network.yaml
@@ -0,0 +1,24 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ routingMode: REGIONAL
+ autoCreateSubnetworks: true
diff --git a/krm/kcc/infra/pubsub.yaml b/krm/kcc/infra/pubsub.yaml
new file mode 100644
index 0000000..59f8af1
--- /dev/null
+++ b/krm/kcc/infra/pubsub.yaml
@@ -0,0 +1,21 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
+kind: PubSubTopic
+metadata:
+ name: portefaix-krm-kcc
diff --git a/krm/kcc/infra/router.yaml b/krm/kcc/infra/router.yaml
new file mode 100644
index 0000000..d9dfb90
--- /dev/null
+++ b/krm/kcc/infra/router.yaml
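Review bot: `autoCreateSubnetworks: true` makes this an auto-mode VPC, which creates a subnet in every region out of 10.128.0.0/9 on top of the custom 10.2.0.0/16 subnet declared in subnetwork.yaml; those extra subnets widen what a compromised workload can reach and what the firewall rules have to account for, with no consumer in this change. Set `autoCreateSubnetworks: false` so only the declared subnet exists. The ContainerCluster and the NAT in this commit both reference the custom subnet, so nothing here depends on the auto-created ones.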
@@ -0,0 +1,41 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouter
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ networkRef:
+ name: gke
+ region: eu-west1
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouterNAT
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ natIpAllocateOption: AUTO_ONLY
+ region: eu-west1
+ routerRef:
+ name: portefaix-krm-kcc
+ sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS
+ subnetwork:
+ - subnetworkRef:
+ name: portefaix-krm-kcc
+ sourceIpRangesToNat:
+ - ALL_IP_RANGES
diff --git a/krm/kcc/infra/subnetwork.yaml b/krm/kcc/infra/subnetwork.yaml
new file mode 100644
index 0000000..57d7568
--- /dev/null
+++ b/krm/kcc/infra/subnetwork.yaml
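Review bot: The `ComputeRouter` references `networkRef.name: gke`, but the only ComputeNetwork in this change is `portefaix-krm-kcc` (network.yaml), so the router never reconciles and neither does the NAT that the private nodes (`enablePrivateNodes: true` in gke.yaml) rely on for egress. Change it to `name: portefaix-krm-kcc`. Consider also adding `logConfig` with `enable: true` and `filter: ERRORS_ONLY` (or `ALL`) on the `ComputeRouterNAT` so egress translations are auditable.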
@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+ name: portefaix-krm-kcc
+spec:
+ ipCidrRange: 10.2.0.0/16
+ description: portefaix-krm-kcc
+ region: eu-west1
+ networkRef:
+ name: portefaix-krm-kcc
+ secondaryIpRange:
+ - ipCidrRange: 10.3.0.0/16
+ rangeName: services
+ - ipCidrRange: 10.4.0.0/16
+ rangeName: pods
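Review bot: The subnet leaves `privateIpGoogleAccess` unset, yet gke.yaml sets `enablePrivateNodes: true`, so nodes without external IPs can reach Google APIs (Artifact Registry pulls, logging, GCS) only through Cloud NAT. Set `privateIpGoogleAccess: true` so image pulls and telemetry do not depend on the NAT path, and consider a `logConfig` block to enable VPC Flow Logs on the subnet that hosts the cluster. `region: eu-west1` is not a GCP region; `europe-west1` is the intended value.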