From 998a518a17e54a792bd52cf31b217775eb20f5a3 Mon Sep 17 00:00:00 2001
From: Jeremiah Stuever
Date: Fri, 25 Oct 2019 15:29:18 -0700
Subject: [PATCH] gcp upi: split templates to simplify shared vpc workflow.

Prior to this change, users needed to edit the gcp upi python templates in order to provision an cluster using a shared VPC. This was prone to user error. This change breaks up the templates so that only the yaml files need to be modified, thus greatly simplifying the process.

All of the resources that would be provisioned in the host project are now in their own python templates (01_vpc.py, 02_dns.py, and 03_firewall.py). These resources can be removed from the yaml files to be run against the service project and placed into yaml files to be run against the host project instead.
---
 docs/user/gcp/install_upi.md | 68 ++++++++++++----
 upi/gcp/02_dns.py | 18 ++++++
 upi/gcp/{02_infra.py => 02_lb_ext.py} | 13 -----
 upi/gcp/{03_security.py => 03_firewall.py} | 26 ++++-----
 upi/gcp/03_iam.py | 19 ++++++
 upi/gcp/04_bootstrap.py | 12 ----
 6 files changed, 85 insertions(+), 71 deletions(-)
 create mode 100644 upi/gcp/02_dns.py
 rename upi/gcp/{02_infra.py => 02_lb_ext.py} (83%)
 rename upi/gcp/{03_security.py => 03_firewall.py} (89%)
 create mode 100644 upi/gcp/03_iam.py

diff --git a/docs/user/gcp/install_upi.md b/docs/user/gcp/install_upi.md
index 14532cbb3c..262e8ba161 100644
--- a/docs/user/gcp/install_upi.md
+++ b/docs/user/gcp/install_upi.md
@@ -87,8 +87,8 @@ Update the scheduler configuration to keep router pods and other workloads off t
 ```sh
 python -c '
 import yaml;
-path = "manifests/cluster-scheduler-02-config.yml"
-data = yaml.load(open(path));
+path = "manifests/cluster-scheduler-02-config.yml";
+data = yaml.full_load(open(path));
 data["spec"]["mastersSchedulable"] = False;
 open(path, "w").write(yaml.dump(data, default_flow_style=False))'
 ```
@@ -170,14 +170,12 @@ Create a resource definition file: `01_vpc.yaml`
 $ cat <01_vpc.yaml
 imports:
 - path: 01_vpc.py
-
 resources:
 - name: cluster-vpc
   type: 01_vpc.py
   properties:
     infra_id: '${INFRA_ID}'
     region: '${REGION}'
-
     master_subnet_cidr: '${MASTER_SUBNET_CIDR}'
     worker_subnet_cidr: '${WORKER_SUBNET_CIDR}'
 EOF
@@ -195,7 +193,8 @@ gcloud deployment-manager deployments create ${INFRA_ID}-vpc --config 01_vpc.yam
 
 ## Create DNS entries and load balancers
 
-Copy [`02_infra.py`](../../../upi/gcp/02_infra.py) locally.
+Copy [`02_dns.py`](../../../upi/gcp/02_dns.py) locally.
+Copy [`02_lb_ext.py`](../../../upi/gcp/02_lb_ext.py) locally.
 
 Export variables needed by the resource definition.
 
@@ -208,17 +207,20 @@ Create a resource definition file: `02_infra.yaml`
 ```console
 $ cat <02_infra.yaml
 imports:
-- path: 02_infra.py
-
+- path: 02_dns.py
+- path: 02_lb_ext.py
 resources:
-- name: cluster-infra
-  type: 02_infra.py
+- name: cluster-dns
+  type: 02_dns.py
+  properties:
+    infra_id: '${INFRA_ID}'
+    cluster_domain: '${CLUSTER_NAME}.${BASE_DOMAIN}'
+    cluster_network: '${CLUSTER_NETWORK}'
+- name: cluster-lb-ext
+  type: 02_lb_ext.py
   properties:
     infra_id: '${INFRA_ID}'
     region: '${REGION}'
-
-    cluster_domain: '${CLUSTER_NAME}.${BASE_DOMAIN}'
-    cluster_network: '${CLUSTER_NETWORK}'
 EOF
 ```
 - `infra_id`: the infrastructure name (INFRA_ID above)
@@ -254,7 +256,8 @@ gcloud dns record-sets transaction execute --zone ${INFRA_ID}-private-zone
 
 ## Create firewall rules and IAM roles
 
-Copy [`03_security.py`](../../../upi/gcp/03_security.py) locally.
+Copy [`03_firewall.py`](../../../upi/gcp/03_firewall.py) locally.
+Copy [`03_iam.py`](../../../upi/gcp/03_iam.py) locally.
 
 Export variables needed by the resource definition.
 
@@ -268,19 +271,21 @@ Create a resource definition file: `03_security.yaml`
 ```console
 $ cat <03_security.yaml
 imports:
-- path: 03_security.py
-
+- path: 03_firewall.py
+- path: 03_iam.py
 resources:
-- name: cluster-security
-  type: 03_security.py
+- name: cluster-firewall
+  type: 03_firewall.py
   properties:
     infra_id: '${INFRA_ID}'
-    region: '${REGION}'
-
     cluster_network: '${CLUSTER_NETWORK}'
     network_cidr: '${NETWORK_CIDR}'
     master_nat_ip: '${MASTER_NAT_IP}'
     worker_nat_ip: '${WORKER_NAT_IP}'
+- name: cluster-iam
+  type: 03_iam.py
+  properties:
+    infra_id: '${INFRA_ID}'
 EOF
 ```
 - `infra_id`: the infrastructure name (INFRA_ID above)
@@ -361,7 +366,6 @@ Create a resource definition file: `04_bootstrap.yaml`
 $ cat <04_bootstrap.yaml
 imports:
 - path: 04_bootstrap.py
-
 resources:
 - name: cluster-bootstrap
   type: 04_bootstrap.py
@@ -369,13 +373,10 @@ resources:
     infra_id: '${INFRA_ID}'
     region: '${REGION}'
     zone: '${ZONE_0}'
-
-    cluster_network: '${CLUSTER_NETWORK}'
     control_subnet: '${CONTROL_SUBNET}'
     image: '${CLUSTER_IMAGE}'
     machine_type: 'n1-standard-4'
     root_volume_size: '128'
-
     bootstrap_ign: '${BOOTSTRAP_IGN}'
 EOF
 ```
@@ -419,24 +420,20 @@ Create a resource definition file: `05_control_plane.yaml`
 $ cat <05_control_plane.yaml
 imports:
 - path: 05_control_plane.py
-
 resources:
 - name: cluster-control-plane
   type: 05_control_plane.py
   properties:
     infra_id: '${INFRA_ID}'
-    region: '${REGION}'
     zones:
     - '${ZONE_0}'
     - '${ZONE_1}'
     - '${ZONE_2}'
-
     control_subnet: '${CONTROL_SUBNET}'
     image: '${CLUSTER_IMAGE}'
     machine_type: 'n1-standard-4'
     root_volume_size: '128'
     service_account_email: '${MASTER_SERVICE_ACCOUNT_EMAIL}'
-
     ignition: '${MASTER_IGNITION}'
 EOF
 ```
@@ -533,21 +530,28 @@ Create a resource definition file: `06_worker.yaml`
 $ cat <06_worker.yaml
 imports:
 - path: 06_worker.py
-
 resources:
-- name: 'w-a-0'
+- name: 'w-0'
   type: 06_worker.py
   properties:
     infra_id: '${INFRA_ID}'
-    region: '${REGION}'
     zone: '${ZONE_0}'
-
     compute_subnet: '${COMPUTE_SUBNET}'
     image: '${CLUSTER_IMAGE}'
     machine_type: 'n1-standard-4'
     root_volume_size: '128'
     service_account_email: '${WORKER_SERVICE_ACCOUNT_EMAIL}'
-
+    ignition: '${WORKER_IGNITION}'
+- name: 'w-1'
+  type: 06_worker.py
+  properties:
+    infra_id: '${INFRA_ID}'
+    zone: '${ZONE_1}'
+    compute_subnet: '${COMPUTE_SUBNET}'
+    image: '${CLUSTER_IMAGE}'
+    machine_type: 'n1-standard-4'
+    root_volume_size: '128'
+    service_account_email: '${WORKER_SERVICE_ACCOUNT_EMAIL}'
     ignition: '${WORKER_IGNITION}'
 EOF
 ```
diff --git a/upi/gcp/02_dns.py b/upi/gcp/02_dns.py
new file mode 100644
index 0000000000..60234cbdb7
--- /dev/null
+++ b/upi/gcp/02_dns.py
@@ -0,0 +1,18 @@
+def GenerateConfig(context):
+
+    resources = [{
+        'name': context.properties['infra_id'] + '-private-zone',
+        'type': 'dns.v1.managedZone',
+        'properties': {
+            'description': '',
+            'dnsName': context.properties['cluster_domain'] + '.',
+            'visibility': 'private',
+            'privateVisibilityConfig': {
+                'networks': [{
+                    'networkUrl': context.properties['cluster_network']
+                }]
+            }
+        }
+    }]
+
+    return {'resources': resources}
diff --git a/upi/gcp/02_infra.py b/upi/gcp/02_lb_ext.py
similarity index 83%
rename from upi/gcp/02_infra.py
rename to upi/gcp/02_lb_ext.py
index 08c9476232..9a832f564b
--- a/upi/gcp/02_infra.py
+++ b/upi/gcp/02_lb_ext.py
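Review bot: `GenerateConfig` in the new `02_dns.py` carries no docstring, so the three properties it requires (`infra_id`, `cluster_domain`, `cluster_network`) can only be discovered from the `context.properties[...]` lookups, and leaving one out of the yaml fails with a bare `KeyError` when Deployment Manager expands the template. Since the commit message makes this the template to run against the host project in the shared-VPC case, `cluster_network` is then a host-project network URL, which is worth stating where the property is consumed. Suggested docstring after the `def` line: `"""Private managed zone for cluster_domain, visible only from the cluster_network URL; requires properties infra_id, cluster_domain, cluster_network."""`. The empty `'description': ''` could likewise carry the cluster domain so the zone is identifiable in the console.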
@@ -54,19 +54,6 @@ def GenerateConfig(context):
             'target': '$(ref.' + context.properties['infra_id'] + '-ign-target-pool.selfLink)',
             'portRange': '22623'
         }
-    }, {
-        'name': context.properties['infra_id'] + '-private-zone',
-        'type': 'dns.v1.managedZone',
-        'properties': {
-            'description': '',
-            'dnsName': context.properties['cluster_domain'] + '.',
-            'visibility': 'private',
-            'privateVisibilityConfig': {
-                'networks': [{
-                    'networkUrl': context.properties['cluster_network']
-                }]
-            }
-        }
     }]
 
     return {'resources': resources}
diff --git a/upi/gcp/03_security.py b/upi/gcp/03_firewall.py
similarity index 89%
rename from upi/gcp/03_security.py
rename to upi/gcp/03_firewall.py
index a0d33b6534..5940f18d31
--- a/upi/gcp/03_security.py
+++ b/upi/gcp/03_firewall.py
@@ -1,6 +1,18 @@
 def GenerateConfig(context):
 
     resources = [{
+        'name': context.properties['infra_id'] + '-bootstrap-in-ssh',
+        'type': 'compute.v1.firewall',
+        'properties': {
+            'network': context.properties['cluster_network'],
+            'allowed': [{
+                'IPProtocol': 'tcp',
+                'ports': ['22']
+            }],
+            'sourceRanges': ['0.0.0.0/0'],
+            'targetTags': [context.properties['infra_id'] + '-bootstrap']
+        }
+    }, {
         'name': context.properties['infra_id'] + '-api',
         'type': 'compute.v1.firewall',
         'properties': {
@@ -120,20 +132,6 @@ def GenerateConfig(context):
             context.properties['infra_id'] + '-worker'
         ]
     }
-    }, {
-        'name': context.properties['infra_id'] + '-master-node-sa',
-        'type': 'iam.v1.serviceAccount',
-        'properties': {
-            'accountId': context.properties['infra_id'] + '-m',
-            'displayName': context.properties['infra_id'] + '-master-node'
-        }
-    }, {
-        'name': context.properties['infra_id'] + '-worker-node-sa',
-        'type': 'iam.v1.serviceAccount',
-        'properties': {
-            'accountId': context.properties['infra_id'] + '-w',
-            'displayName': context.properties['infra_id'] + '-worker-node'
-        }
     }]
 
     return {'resources': resources}
diff --git a/upi/gcp/03_iam.py b/upi/gcp/03_iam.py
new file mode 100644
index 0000000000..ef7f11ace9
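Review bot: The `-bootstrap-in-ssh` rule added at the top of `03_firewall.py` keeps `'sourceRanges': ['0.0.0.0/0']`, and moving it here changes its lifetime: in `04_bootstrap.py` it was created and presumably torn down with the bootstrap deployment, whereas it is now part of the long-lived firewall deployment and stays open on anything carrying the `-bootstrap` tag unless an operator removes it separately. At minimum the rule should say so in place, e.g. `# Bootstrap-only: SSH from any source; narrow sourceRanges to the operator's CIDR and delete once bootstrap completes.` Making the source range a property the yaml sets would avoid exactly the template editing this commit is trying to eliminate. `GenerateConfig`'s body continues past the hunk.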
--- /dev/null
+++ b/upi/gcp/03_iam.py
@@ -0,0 +1,19 @@
+def GenerateConfig(context):
+
+    resources = [{
+        'name': context.properties['infra_id'] + '-master-node-sa',
+        'type': 'iam.v1.serviceAccount',
+        'properties': {
+            'accountId': context.properties['infra_id'] + '-m',
+            'displayName': context.properties['infra_id'] + '-master-node'
+        }
+    }, {
+        'name': context.properties['infra_id'] + '-worker-node-sa',
+        'type': 'iam.v1.serviceAccount',
+        'properties': {
+            'accountId': context.properties['infra_id'] + '-w',
+            'displayName': context.properties['infra_id'] + '-worker-node'
+        }
+    }]
+
+    return {'resources': resources}
diff --git a/upi/gcp/04_bootstrap.py b/upi/gcp/04_bootstrap.py
index 18c28228e3..b67c87a710 100644
--- a/upi/gcp/04_bootstrap.py
+++ b/upi/gcp/04_bootstrap.py
@@ -6,18 +6,6 @@ def GenerateConfig(context):
         'properties': {
             'region': context.properties['region']
         }
-    }, {
-        'name': context.properties['infra_id'] + '-bootstrap-in-ssh',
-        'type': 'compute.v1.firewall',
-        'properties': {
-            'network': context.properties['cluster_network'],
-            'allowed': [{
-                'IPProtocol': 'tcp',
-                'ports': ['22']
-            }],
-            'sourceRanges': ['0.0.0.0/0'],
-            'targetTags': [context.properties['infra_id'] + '-bootstrap']
-        }
     }, {
         'name': context.properties['infra_id'] + '-bootstrap',
         'type': 'compute.v1.instance',
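Review bot: `03_iam.py` creates the `-master-node-sa` and `-worker-node-sa` service accounts but binds no roles to them, and there is no docstring saying that the grants happen elsewhere, so a reader of the yaml cannot tell whether this deployment is complete on its own (the docs section it belongs to is titled "Create firewall rules and IAM roles"). Suggested docstring after the `def` line: `"""Node service accounts for control-plane (<infra_id>-m) and worker (<infra_id>-w) nodes; requires property infra_id. No role bindings are created here."""`. The `accountId` values are `infra_id` plus a two-character suffix, so they inherit whatever length and character constraints GCP places on service-account ids from `infra_id`; a short comment on that dependency would save a confusing deployment-time error.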