From fce8a1f0a887c3263f69e45733f4f2cb45269ab7 Mon Sep 17 00:00:00 2001 From: deepak Date: Tue, 19 Jul 2022 16:15:53 +0530 Subject: [PATCH 1/9] selkies image streaming check --- images/cloudbuild.yaml | 79 ++++++++++++++++++++++++++---------------- 1 file changed, 49 insertions(+), 30 deletions(-) diff --git a/images/cloudbuild.yaml b/images/cloudbuild.yaml index 458cf96..9fbe754 100644 --- a/images/cloudbuild.yaml +++ b/images/cloudbuild.yaml @@ -53,14 +53,20 @@ steps: waitFor: ["-"] - name: 'gcr.io/cloud-builders/docker' id: installer - args: [ - 'build', - '-t', 'gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG}', - '--cache-from', 'gcr.io/${PROJECT_ID}/broker-installer:latest', - 'installer' - ] + entrypoint: 'bash' + args: + - '-c' + - | + docker build -t gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/broker-installer:latest installer + apt install jq -y + export DOCKER_CLI_EXPERIMENTAL=enabled + curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh + chmod +x check_docker_image.sh + ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true waitFor: - - installer-pull + - installer-pull + + - name: 'gcr.io/cloud-builders/docker' id: installer-tags args: [ 
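Review bot: The new bash block downloads check_docker_image.sh from a personal gist at build time and then runs it via `chmod +x` and `./check_docker_image.sh`, so every build executes code that lives outside this repository with nothing but the revision in the URL to pin it; the controller, gce-proxy and autoneg-controller hunks that follow repeat the same pattern. PATCH 3/9 in this series vendors the script under images/setup/scripts, which addresses that; until then note that `curl -o` without `-f` writes an HTTP error body to the file on a 404 and the next two lines execute it, since the `bash -c` script has no `set -e`. `apt install jq -y` also runs without a preceding `apt-get update`, which can fail on a builder image that ships with an empty package index; `apt-get update && apt-get install -y jq` is the usual form.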
@@ -81,14 +87,19 @@ steps: waitFor: ["-"] - name: 'gcr.io/cloud-builders/docker' id: controller - args: [ - 'build', - '-t', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', - '--cache-from', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest', - 'controller' - ] + entrypoint: 'bash' + args: + - '-c' + - | + docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest controller + apt install jq -y + export DOCKER_CLI_EXPERIMENTAL=enabled + curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh + chmod +x check_docker_image.sh + ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} || true waitFor: - - controller-pull + - controller-pull + - name: 'gcr.io/cloud-builders/docker' id: controller-tags args: [ 
@@ -106,17 +117,22 @@ steps: id: gce-proxy-pull entrypoint: 'bash' args: ["-c", "if [[ '${_USE_CACHE}' == 'true' ]]; then (docker pull gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest || exit 0); fi"] - waitFor: ["-"] + waitFor: ["-"] - name: 'gcr.io/cloud-builders/docker' id: gce-proxy - args: [ - 'build', - '-t', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', - '--cache-from', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest', - 'gce-proxy' - ] + entrypoint: 'bash' + args: + - '-c' + - | + docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest gce-proxy + apt install jq -y + export DOCKER_CLI_EXPERIMENTAL=enabled + curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh + chmod +x check_docker_image.sh + ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} || true waitFor: - - gce-proxy-pull + - gce-proxy-pull + - name: 'gcr.io/cloud-builders/docker' id: gce-proxy-tags args: [ 
@@ -159,15 +175,18 @@ steps: - autoneg-controller-clone - name: 'gcr.io/cloud-builders/docker' id: autoneg-controller-docker - dir: gke-autoneg-controller - args: [ - 'build', - '-t', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', - '--cache-from', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest', - '.' - ] + entrypoint: 'bash' + args: + - '-c' + - | + docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest . + apt install jq -y + export DOCKER_CLI_EXPERIMENTAL=enabled + curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh + chmod +x check_docker_image.sh + ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} || true waitFor: - - autoneg-controller-build + - autoneg-controller-build - name: 'gcr.io/cloud-builders/docker' id: autoneg-controller-tags args: [ From 6151b35bfdd1f04afdbee6c8ea19f047580339ab Mon Sep 17 00:00:00 2001 From: deepak Date: Tue, 19 Jul 2022 17:50:51 +0530 Subject: [PATCH 2/9] GAR tagging --- images/cloudbuild.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/images/cloudbuild.yaml b/images/cloudbuild.yaml index 9fbe754..98d2e8d 100644 --- a/images/cloudbuild.yaml +++ b/images/cloudbuild.yaml 
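Review bot: The removed `dir: gke-autoneg-controller` line changes the build context of this step: the new script still runs `docker build ... .`, but now from the workspace root instead of the cloned autoneg-controller checkout, so the Dockerfile the build expects is no longer at `.`. PATCH 2/9 on this page re-adds the `dir:` key, so this commit on its own leaves the autoneg-controller image unbuildable. Keeping `dir: gke-autoneg-controller` alongside the new `entrypoint: 'bash'` is all that is needed here.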
@@ -31,15 +31,23 @@ images: [ # installer 'gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/broker-installer:latest', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:${_IMAGE_TAG}', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:latest', # controller 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:latest', # broker gce proxy 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:latest', # autoneg controller 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', + 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:latest' ] steps: @@ -58,6 +66,9 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/broker-installer:latest installer + docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:latest + apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh 
@@ -92,6 +103,9 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest controller + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:latest + apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh @@ -125,6 +139,8 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest gce-proxy + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:laest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh 
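Review bot: The second `docker tag` line in the gce-proxy hunk writes the tag `.../${_IMAGE_PREFIX}-gce-proxy:laest`, while the images list added in the previous hunk expects `...-gce-proxy:latest`, so the build's final push will not find that image; the autoneg-controller hunk that follows has the same misspelling. The typo survives into PATCH 3/9 and PATCH 4/9 does not touch it, so it needs its own fix: `docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:latest`.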
@@ -175,11 +191,14 @@ steps: - autoneg-controller-clone - name: 'gcr.io/cloud-builders/docker' id: autoneg-controller-docker + dir: gke-autoneg-controller entrypoint: 'bash' args: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest . + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:laest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh From f1266a50acb876f68ebcf90662747ae0d4576e9e Mon Sep 17 00:00:00 2001 From: deepak Date: Sat, 23 Jul 2022 12:56:33 +0530 Subject: [PATCH 3/9] move docker script --- images/cloudbuild.yaml | 56 ++++++++++---------- images/setup/scripts/check_docker_image.sh | 60 ++++++++++++++++++++++ 2 files changed, 87 insertions(+), 29 deletions(-) create mode 100644 images/setup/scripts/check_docker_image.sh diff --git a/images/cloudbuild.yaml b/images/cloudbuild.yaml index 98d2e8d..0d02379 100644 --- a/images/cloudbuild.yaml +++ b/images/cloudbuild.yaml @@ -18,9 +18,11 @@ substitutions: _USE_CACHE: "false" _IMAGE_PREFIX: kube-pod-broker _IMAGE_TAG: latest - + _TARGET_REPO: us-docker.pkg.dev/${PROJECT_ID}/selkies-images +# options: machineType: N1_HIGHCPU_8 + dynamic_substitutions: true tags: - selkies-images 
@@ -31,23 +33,23 @@ images: [ # installer 'gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/broker-installer:latest', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:${_IMAGE_TAG}', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:latest', + '${_TARGET_REPO}/broker-installer:${_IMAGE_TAG}', + '${_TARGET_REPO}/broker-installer:latest', # controller 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:latest', + '${_TARGET_REPO}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG}', + '${_TARGET_REPO}/${_IMAGE_PREFIX}-controller:latest', # broker gce proxy 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:latest', + '${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG}', + '${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:latest', # autoneg controller 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', 'gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', - 'us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:latest' + '${_TARGET_REPO}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG}', + '${_TARGET_REPO}/${_IMAGE_PREFIX}-autoneg-controller:latest' ] steps: 
@@ -66,14 +68,13 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/broker-installer:latest installer - docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:${_IMAGE_TAG} - docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/broker-installer:latest + docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} ${_TARGET_REPO}/broker-installer:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} ${_TARGET_REPO}/broker-installer:latest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled - curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh - chmod +x check_docker_image.sh - ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true + chmod +x setup/scripts/check_docker_image.sh + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true waitFor: - installer-pull 
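Review bot: The check's verdict is discarded by `|| true` on the last line of the new block, so a broker-installer image that fails the image-streaming criteria is still tagged into `${_TARGET_REPO}` and the step stays green; the same applies to the controller, gce-proxy and autoneg-controller steps below. If the script is meant to gate what reaches the target repository, drop the `|| true`; if it is advisory only, a one-line comment above the call such as `# advisory: logs image-streaming eligibility, never fails the build` keeps the next reader from assuming it enforces anything. The script is committed with mode 100644 (see the new-file header further down), which is why `chmod +x` is needed at build time; committing it as 100755 removes that line.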
@@ -103,14 +104,13 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:latest controller - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-controller:latest + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-controller:latest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled - curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh - chmod +x check_docker_image.sh - ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} || true + chmod +x setup/scripts/check_docker_image.sh + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true waitFor: - controller-pull 
@@ -139,13 +139,12 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:latest gce-proxy - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-gce-proxy:laest + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:laest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled - curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh - chmod +x check_docker_image.sh - ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} || true + chmod +x setup/scripts/check_docker_image.sh + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true waitFor: - gce-proxy-pull 
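Review bot: The second `docker tag` line in this hunk takes `gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG}` as its source, so the installer image would be published under the gce-proxy name in `${_TARGET_REPO}`, and its target is still the misspelled `:laest` tag (also kept on the autoneg-controller hunk that follows), so the `${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:latest` entry in the images list is never produced. PATCH 4/9 on this page only corrects the check script argument on these steps, not this line. It should read `docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-gce-proxy:latest`.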
@@ -197,13 +196,12 @@ steps: - '-c' - | docker build -t gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} --cache-from gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:latest . - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} - docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} us-docker.pkg.dev/${PROJECT_ID}/spaces-images/${_IMAGE_PREFIX}-autoneg-controller:laest + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} + docker tag gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} ${_TARGET_REPO}/${_IMAGE_PREFIX}-autoneg-controller:laest apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled - curl -o check_docker_image.sh https://gist.githubusercontent.com/deepak7093/17a0ce3506c39bae0ecaba46d0821510/raw/a2e63872ccb9ef02b718156a2b5c7744221830c5/check_docker_image.sh - chmod +x check_docker_image.sh - ./check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} || true + chmod +x setup/scripts/check_docker_image.sh + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true waitFor: - autoneg-controller-build - name: 'gcr.io/cloud-builders/docker' diff --git a/images/setup/scripts/check_docker_image.sh b/images/setup/scripts/check_docker_image.sh new file mode 100644 index 0000000..98905b5 --- /dev/null +++ b/images/setup/scripts/check_docker_image.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +# Limitations of GKE image streaming +# 1. You can't use a Secret to pull container images on GKE versions prior to 1.23.5-gke.1900. +# 2. Container images that use the V2 Image Manifest, schema version 1 are not eligible. +# 3. Container images encrypted with customer-managed encryption keys (CMEK) are not eligible for Image streaming. GKE downloads these images without streaming the data. You can still use CMEK to protect attached persistent disks and custom boot disks in clusters that use Image streaming. +# 4. Container images with empty layers or duplicate layers are not eligible for Image streaming. GKE downloads these images without streaming the data. Check your container image for empty layers or duplicate layers. +# 5. The Artifact Registry repository must be in the same region as your GKE nodes, or in a multi-region that corresponds with the region where your nodes are running. For example: +# If your nodes are in us-east1, Image streaming is available for repositories in the us-east1 region or the us multi-region since both GKE and Artifact Registry are running in data center locations within the United States. +# If your nodes are in the northamerica-northeast1 region, the nodes are running in Canada. In this situation, Image streaming is only available for repositories in the same region. +# 6. If your workloads read many files in an image during initialization, you might notice increased initialization times because of the latency added by the remote file reads. +# 7. You might not notice the benefits of Image streaming during the first pull of an eligible image. However, after Image streaming caches the image, future image pulls on any cluster benefit from Image streaming. +# 8. GKE uses the cluster-level configuration to determine whether to enable Image streaming on new node pools created using node auto-provisioning. 
However, you cannot use workload separation to create node pools with Image streaming enabled when Image streaming is disabled at the cluster level. +# 9. Linux file capabilities such as CAP_NET_RAW are supported with Image streaming in GKE version 1.22.6-gke.300 and later. For previous GKE versions, these capabilities are not available when the image file is streamed, or when the image is saved to the local disk. To avoid potential disruptions, do not use Image streaming for containers with these capabilities in GKE versions prior to 1.22.6-gke.300. If your container relies on Linux file capabilities, it might fail to start with permission denied errors when running with Image streaming enabled. +set -ex +display_usage() { + + echo -e "\nUsage: $0 -i \n" + echo -e "Argument: \n" + echo -e "\t -i: IMAGE_NAME" +} +if [ $# -le 1 ] + then + display_usage + exit 1 +fi + +while getopts i:h: flag +do + case "${flag}" in + i) IMAGE=${OPTARG};; + *) display_usage + exit 1 ;; + esac +done + +# docker pull $IMAGE +DOCKER_SCHEMA_VERSION=$(docker manifest inspect --verbose ${IMAGE} | grep '"schemaVersion": 2,' | wc -l) +LAYERS=$(docker inspect $IMAGE | jq .[].RootFS.Layers | sort | wc -l) +UNIQUE_LAYERS=$(docker inspect $IMAGE | jq .[].RootFS.Layers | sort | uniq | wc -l ) +EMPTY_LAYER=$(docker inspect $IMAGE | jq .[].RootFS.Layers | grep -i "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" | wc -l) + +if [[ $DOCKER_SCHEMA_VERSION -eq 0 ]]; then + echo "[ ERROR ] Image ${IMAGE} failed to match image streaming criteria. Reason: Docker schema version mismatch, reqires schemaVersion: 2" + echo "[ ERROR ] schemaVersion : $(docker manifest inspect --verbose ${IMAGE} | grep '"schemaVersion"')" + exit 1 +fi + +if [[ $LAYERS -ne $UNIQUE_LAYERS ]]; then + echo "[ ERROR ] Image ${IMAGE} failed to match image streaming criteria. Reason: Duplicate docker layers." 
+ echo "[ ERROR ] Duplicate layers: $(docker inspect $IMAGE | jq .[].RootFS.Layers | sort | uniq -d)" + exit 1 +fi + +if [[ $EMPTY_LAYER -gt 0 ]]; then + echo "[ ERROR ] Image ${IMAGE} failed to match image streaming criteria. Reason: Empty docker layers." + echo "[ ERROR ] Image contains empty layers with sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" + exit 1 +fi + +echo "[ INFO ] Success!!! Image ${IMAGE} matching criteria for image streaming." \ No newline at end of file From fac8817dd37cb9ebd4a146c57c0c63d33c3b5466 Mon Sep 17 00:00:00 2001 From: deepak Date: Sat, 23 Jul 2022 13:04:14 +0530 Subject: [PATCH 4/9] fix image tags --- images/cloudbuild.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/images/cloudbuild.yaml b/images/cloudbuild.yaml index 0d02379..2b2807a 100644 --- a/images/cloudbuild.yaml +++ b/images/cloudbuild.yaml @@ -110,7 +110,7 @@ steps: apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled chmod +x setup/scripts/check_docker_image.sh - ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-controller:${_IMAGE_TAG} || true waitFor: - controller-pull @@ -144,7 +144,7 @@ steps: apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled chmod +x setup/scripts/check_docker_image.sh - ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-gce-proxy:${_IMAGE_TAG} || true waitFor: - gce-proxy-pull 
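Review bot: `LAYERS`, `UNIQUE_LAYERS` and `EMPTY_LAYER` count the pretty-printed lines of `jq .[].RootFS.Layers`, which include the `[`/`]` brackets and a trailing comma on every element except the last, so a digest that is duplicated and happens to be the final element differs from its earlier copy by the comma and the duplicate check passes. Emitting one digest per line removes both artifacts: `LAYERS=$(docker inspect "$IMAGE" | jq -r '.[].RootFS.Layers[]' | wc -l)`, `UNIQUE_LAYERS=$(docker inspect "$IMAGE" | jq -r '.[].RootFS.Layers[]' | sort -u | wc -l)`, with the same filter in front of the `grep -i` for the empty-layer digest and in the `uniq -d` diagnostic. `$IMAGE` is unquoted in every `docker inspect` call, and `getopts i:h:` declares `-h` as taking an argument, so a bare `-h` reports a missing argument instead of reaching the `*)` usage branch; `getopts i:h` is what that branch expects. The hunk starts on the `@@ -0,0 +1,60 @@` line above and the file ends without a trailing newline.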
@@ -201,7 +201,7 @@ steps: apt install jq -y export DOCKER_CLI_EXPERIMENTAL=enabled chmod +x setup/scripts/check_docker_image.sh - ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/broker-installer:${_IMAGE_TAG} || true + ./setup/scripts/check_docker_image.sh -i gcr.io/${PROJECT_ID}/${_IMAGE_PREFIX}-autoneg-controller:${_IMAGE_TAG} || true waitFor: - autoneg-controller-build - name: 'gcr.io/cloud-builders/docker' From dc084c05d59e5ee918ede7b7ae3d365d4f0034a5 Mon Sep 17 00:00:00 2001 From: deepak Date: Sat, 23 Jul 2022 13:56:01 +0530 Subject: [PATCH 5/9] add artifat registry --- cloudbuild.yaml | 33 ++++++ .../image-streaming/artifact-registry.tf | 7 ++ setup/infra/image-streaming/cloudbuild.yaml | 63 ++++++++++ setup/infra/image-streaming/deploy.sh | 86 ++++++++++++++ setup/infra/image-streaming/main.tf | 10 ++ setup/infra/image-streaming/sa.tf | 19 +++ setup/infra/image-streaming/tier3.tf | 109 ++++++++++++++++++ setup/infra/image-streaming/variables.tf | 93 +++++++++++++++ setup/infra/image-streaming/versions.tf | 29 +++++ 9 files changed, 449 insertions(+) create mode 100644 setup/infra/image-streaming/artifact-registry.tf create mode 100644 setup/infra/image-streaming/cloudbuild.yaml create mode 100755 setup/infra/image-streaming/deploy.sh create mode 100644 setup/infra/image-streaming/main.tf create mode 100644 setup/infra/image-streaming/sa.tf create mode 100644 setup/infra/image-streaming/tier3.tf create mode 100644 setup/infra/image-streaming/variables.tf create mode 100644 setup/infra/image-streaming/versions.tf diff --git a/cloudbuild.yaml b/cloudbuild.yaml index b8f7a20..7a921e2 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -30,6 +30,7 @@ substitutions: _ENABLE_COS_GPU: "true" _ENABLE_UBUNTU_GPU: "false" _WAIT_FOR_IAP: "true" + _TIER3: "true" tags: - selkies-deploy steps: 
@@ -243,3 +244,35 @@ steps: timeout 1200 bash ./setup/scripts/wait_for_iap.sh broker@${PROJECT_ID}.iam.gserviceaccount.com $${CLIENT_ID} $${ENDPOINT} waitFor: - fix-autoneg + + ### + # Create image streaming + ### + - name: "gcr.io/cloud-builders/gcloud" + id: "deploy-img-streaming" + dir: "setup/infra/image-streaming" + args: + - "builds" + - "submit" + - "--substitutions=_NAME=${_NAME},_ACTION=${_ACTION},_REGION=${_REGION},_TIER3=${_TIER3}" + waitFor: + - "wait-for-iap-2" + + ### + # Enable image-streaming feature on existing cluster + # Note: Changing the Image streaming setting on a cluster causes GKE to recreate nodes in node pools that inherit the cluster-level setting. Although GKE respects maintenance windows when recreating nodes, + # your workloads might still experience disruptions. + ### + - name: "gcr.io/cloud-builders/kubectl" + id: enable-image-streaming + entrypoint: "bash" + args: + - "-exec" + - | + gcloud container clusters update "$${CLOUDSDK_CONTAINER_CLUSTER}" --enable-image-streaming --project="$${PROJECT_ID}" --region="$${CLOUDSDK_COMPUTE_REGION}" + env: + - "PROJECT_ID=${PROJECT_ID}" + - "CLOUDSDK_CORE_PROJECT=${PROJECT_ID}" + - "CLOUDSDK_COMPUTE_REGION=${_REGION}" + - "CLOUDSDK_CONTAINER_CLUSTER=${_NAME}-${_REGION}" + waitFor: ["deploy-img-streaming"] \ No newline at end of file diff --git a/setup/infra/image-streaming/artifact-registry.tf b/setup/infra/image-streaming/artifact-registry.tf new file mode 100644 index 0000000..4d69acf --- /dev/null +++ b/setup/infra/image-streaming/artifact-registry.tf @@ -0,0 +1,7 @@ +resource "google_artifact_registry_repository" "spaces-repo" { + provider = google-beta + location = var.region + repository_id = "selkies-images" + description = "selkies image artifact registry" + format = "DOCKER" +} \ No newline at end of file diff --git a/setup/infra/image-streaming/cloudbuild.yaml b/setup/infra/image-streaming/cloudbuild.yaml new file mode 100644 index 0000000..c02b4c3 --- /dev/null 
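Review bot: The `enable-image-streaming` step runs `gcloud container clusters update ... --enable-image-streaming` unconditionally, including when the `_ACTION` forwarded to the nested build on the `--substitutions=` line is `plan` or `destroy`, and the hunk's own comment says flipping this setting makes GKE recreate nodes in pools that inherit it. Guarding the command, e.g. `if [[ "${_ACTION}" == "apply" ]]; then gcloud container clusters update "$${CLOUDSDK_CONTAINER_CLUSTER}" --enable-image-streaming --project="$${PROJECT_ID}" --region="$${CLOUDSDK_COMPUTE_REGION}"; fi`, keeps a plan or destroy run from rolling the cluster's nodes. The step uses the `gcr.io/cloud-builders/kubectl` image only to run `gcloud`; `gcr.io/cloud-builders/gcloud`, as in the step above it, is the more direct choice. The file ends without a trailing newline.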
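Review bot: The repository is created with `location = var.region`, which with the `us-west1` default in the new setup/infra/image-streaming/cloudbuild.yaml yields a regional registry served from `us-west1-docker.pkg.dev`, while images/cloudbuild.yaml earlier in this series tags and pushes to `us-docker.pkg.dev/${PROJECT_ID}/selkies-images`, the `us` multi-region host — a different registry that this Terraform does not create, so the push target would not exist. Either create the repository in the multi-region (`location = "us"`) or derive `_TARGET_REPO` from the region; limitation 5 in the check script's header on this page (repository in the nodes' region or its corresponding multi-region) is satisfied by both for us-west1. The file also ends without a trailing newline.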
+++ b/setup/infra/image-streaming/cloudbuild.yaml @@ -0,0 +1,63 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +timeout: 10800s +substitutions: + _ACTION: apply + _NAME: broker + _REGION: us-west1 + _TIER3: "true" +tags: + - selkies-node-pool-image-streaming + - selkies-image-streaming +steps: + ### + # Create GCS bucket to store terraform state + ### + - name: "gcr.io/cloud-builders/gsutil" + id: "create-tf-state-bucket" + entrypoint: "/bin/bash" + args: + - "-xe" + - "-c" + - | + gsutil mb gs://${PROJECT_ID}-${_NAME}-tf-state || true + waitFor: ["-"] + ### + # Copy terraform binary + ### + - name: "hashicorp/terraform:1.2.0" + id: "terraform-download" + entrypoint: "/bin/sh" + args: + - "-exc" + - | + cp /bin/terraform /workspace/ + waitFor: ["-"] + + ### + # Apply terraform to create base infrastructure + ### + - name: "gcr.io/cloud-builders/gcloud" + id: "terraform-apply" + entrypoint: "/workspace/deploy.sh" + env: + - PATH=/builder/google-cloud-sdk/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/workspace + - TF_VAR_project_id=${PROJECT_ID} + - TF_VAR_name=${_NAME} + - TF_VAR_region=${_REGION} + - TF_VAR_tier3_pool_enabled=${_TIER3} + - TERRAFORM_WORKSPACE_NAME=image-straming-${_REGION} + - ACTION=${_ACTION} + waitFor: ["terraform-download"] \ No newline at end of file diff --git a/setup/infra/image-streaming/deploy.sh b/setup/infra/image-streaming/deploy.sh new file mode 100755 index 0000000..ba26d30 
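Review bot: `TERRAFORM_WORKSPACE_NAME=image-straming-${_REGION}` in the terraform-apply step's env misspells "streaming"; deploy.sh creates and selects this workspace in the shared state bucket, so the name is persisted in remote state and correcting it after the first apply orphans that workspace's state unless it is migrated, so fix it now: `- TERRAFORM_WORKSPACE_NAME=image-streaming-${_REGION}`. The step presumably shares the `${PROJECT_ID}-${_NAME}-tf-state` bucket and `prefix=${_NAME}` with the main broker deployment (deploy.sh on this page passes that backend config), differing only by workspace; a comment saying so above the step would help the next reader. The file ends without a trailing newline.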
--- /dev/null
+++ b/setup/infra/image-streaming/deploy.sh
@@ -0,0 +1,86 @@ +#!/bin/bash + +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +export RED='\033[1;31m' +export CYAN='\033[1;36m' +export GREEN='\033[1;32m' +export NC='\033[0m' # No Color +function log_red() { echo -e "${RED}$@${NC}"; } +function log_cyan() { echo -e "${CYAN}$@${NC}"; } +function log_green() { echo -e "${GREEN}$@${NC}"; } + +SCRIPT_DIR=$(dirname $(readlink -f $0 2>/dev/null) 2>/dev/null || echo "${PWD}/$(dirname $0)") + +cd "${SCRIPT_DIR}" + +# Fetch any Secret Manager secrets named broker-tfvars* and same them to .auto.tfvars files. +for secret in $(gcloud -q secrets list --filter=name~broker-tfvars- --format="value(name)"); do + latest=$(gcloud secrets versions list ${secret} --sort-by=created --format='value(name)' --filter='STATE=enabled' --limit=1) + [[ -z "${latest}" ]] && log_red "WARN: no enabled versions found for secret ${secret}" && continue + dest="${secret/broker-tfvars-/}.auto.tfvars" + log_cyan "Creating ${dest} from secret: ${secret}" + gcloud -q secrets versions access ${latest} --secret ${secret} > ${dest} +done + +# Fetch any Secret Manager secrets named broker-${TF_VAR_region}-tfvars* and same them to .auto.tfvars files. 
+for secret in $(gcloud -q secrets list --filter=name~broker-${TF_VAR_region}-tfvars- --format="value(name)"); do + latest=$(gcloud secrets versions list ${secret} --sort-by=created --format='value(name)' --filter='STATE=enabled' --limit=1) + [[ -z "${latest}" ]] && log_red "WARN: no enabled versions found for secret ${secret}" && continue + dest="${secret/broker-${TF_VAR_region}-tfvars-/}.auto.tfvars" + log_cyan "Creating ${dest} from secret: ${secret}" + gcloud -q secrets versions access ${latest} --secret ${secret} > ${dest} +done + +# Fetch any Secret Manager secrets named broker-${TF_VAR_region}-node-pool-apps-override-* and same them to *_override.tf files. +for secret in $(gcloud -q secrets list --filter=name~broker-${TF_VAR_region}-node-pool-apps-override- --format="value(name)"); do + latest=$(gcloud secrets versions list ${secret} --sort-by=created --format='value(name)' --filter='STATE=enabled' --limit=1) + [[ -z "${latest}" ]] && log_red "WARN: no enabled versions found for secret ${secret}" && continue + dest="${secret/broker-${TF_VAR_region}-node-pool-apps-override-/}_override.tf" + log_cyan "Creating ${dest} from secret: ${secret}" + gcloud -q secrets versions access ${latest} --secret ${secret} > ${dest} +done + +export TF_IN_AUTOMATION=1 + +# Set default project for google provider. +export GOOGLE_PROJECT=${TF_VAR_project_id?} + +# Initialize backend and select workspace +terraform init -upgrade=true -input=false \ + -backend-config="bucket=${TF_VAR_project_id?}-${TF_VAR_name?}-tf-state" \ + -backend-config="prefix=${TF_VAR_name?}" || true +terraform workspace select ${TERRAFORM_WORKSPACE_NAME?} || terraform workspace new ${TERRAFORM_WORKSPACE_NAME?} +terraform init -input=false \ + -backend-config="bucket=${TF_VAR_project_id?}-${TF_VAR_name?}-tf-state" \ + -backend-config="prefix=${TF_VAR_name?}" || true + +if [[ "${ACTION?}" == "destroy" ]]; then + log_cyan "Running terraform destroy..." 
+ terraform destroy -auto-approve -input=false +elif [[ "${ACTION?}" == "plan" ]]; then + log_cyan "Running terraform plan..." + terraform plan -out terraform.tfplan -input=false +elif [[ "${ACTION?}" == "apply" ]]; then + log_cyan "Running terraform plan..." + terraform plan -out terraform.tfplan -input=false + + log_cyan "Running terraform apply..." + terraform apply -input=false terraform.tfplan +fi + +log_green "Done" \ No newline at end of file diff --git a/setup/infra/image-streaming/main.tf b/setup/infra/image-streaming/main.tf new file mode 100644 index 0000000..6688444 --- /dev/null +++ b/setup/infra/image-streaming/main.tf @@ -0,0 +1,10 @@ +data "google_container_cluster" "broker" { + name = "${var.name}-${var.region}" + location = var.region + project = var.project_id +} + +data "google_service_account" "broker_cluster" { + account_id = var.name + project = var.project_id +} diff --git a/setup/infra/image-streaming/sa.tf b/setup/infra/image-streaming/sa.tf new file mode 100644 index 0000000..3315dbe --- /dev/null +++ b/setup/infra/image-streaming/sa.tf @@ -0,0 +1,19 @@ +resource "google_project_iam_member" "cluster_service_account-artifact-registry" { + project = var.project_id + role = "roles/artifactregistry.reader" + member = "serviceAccount:${data.google_service_account.broker_cluster.email}" +} + +resource "google_project_service" "containerfilesystem" { + for_each = toset(var.gcp_service_list) + + project = var.project_id + service = each.key + + timeouts { + create = "30m" + update = "40m" + } + + disable_dependent_services = true +} \ No newline at end of file diff --git a/setup/infra/image-streaming/tier3.tf b/setup/infra/image-streaming/tier3.tf new file mode 100644 index 0000000..05583bb --- /dev/null +++ b/setup/infra/image-streaming/tier3.tf 
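Review bot: Both `terraform init` invocations end in `|| true`, so a backend misconfiguration (wrong bucket name, missing permission) is ignored and the script continues to `terraform workspace select`/`new` and `terraform plan` against whatever backend is left configured, failing later with a less specific error or running with local state. Dropping `|| true` and letting `set -e` stop the run is the safer form; if the first init is deliberately allowed to fail on a fresh bucket, a comment stating that is needed. Secret Manager payloads are written in plain text to `.auto.tfvars` and `_override.tf` files in the build workspace, which appears to be the pattern this file was copied from; the three comments above those loops read "same them" where "save them" is meant. The file ends without a trailing newline.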
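Review bot: `google_project_iam_member.cluster_service_account-artifact-registry` grants `roles/artifactregistry.reader` on the whole project to the cluster service account, while the only repository this stack creates is `selkies-images` in artifact-registry.tf; a repository-scoped binding with `google_artifact_registry_repository_iam_member` on that repository gives the nodes exactly the pull access they need and nothing from other repositories in the project. `google_project_service.containerfilesystem` sets `disable_dependent_services = true` and leaves `disable_on_destroy` at its default of true, so an `ACTION=destroy` run of this small add-on stack disables every service in `var.gcp_service_list` project-wide together with whatever depends on them; adding `disable_on_destroy = false` keeps a destroy of the image-streaming add-on from affecting the rest of the project. `var.gcp_service_list` is declared in variables.tf, which is cut off at the end of this page, so its contents are not visible here. The file ends without a trailing newline.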
@@ -0,0 +1,109 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_container_node_pool" "tier3" {
+ provider = google-beta
+ count = var.tier3_pool_enabled ? 1 : 0
+ name = "tier3"
+ location = var.region
+ cluster = data.google_container_cluster.broker.name
+ initial_node_count = var.tier3_pool_initial_node_count
+
+ node_config {
+ preemptible = var.tier3_pool_preemptive_nodes
+ machine_type = var.tier3_pool_machine_type
+
+ service_account = data.google_service_account.broker_cluster.email
+
+ disk_size_gb = var.tier3_pool_disk_size_gb
+ disk_type = var.tier3_pool_disk_type
+
+ ephemeral_storage_config {
+ local_ssd_count = var.tier3_pool_ephemeral_storage_ssd_count
+ }
+
+ image_type = "COS_CONTAINERD"
+ # gcfs_config - (Optional) Parameters for the Google Container Filesystem (GCFS). If unspecified,
+ # GCFS will not be enabled on the node pool.
+ # When enabling this feature you must specify
+ # image_type = "COS_CONTAINERD" and node_version from
+ # GKE versions 1.19 or later to use it.
+ # For GKE versions 1.19, 1.20, and 1.21,
+ # the recommended minimum node_version would be
+ # 1.19.15-gke.1300, 1.20.11-gke.1300, and 1.21.5-gke.1300 respectively.
+ # A machine_type that has more than 16 GiB of memory is also recommended.
+ # GCFS must be enabled in order to use image streaming.
+ # Open ISSUE
+ # https://github.com/hashicorp/terraform-provider-google/issues/10509
+ gcfs_config {
+ enabled = true
+ }
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ ]
+
+ metadata = {
+ cluster_name = data.google_container_cluster.broker.name
+ node_pool = "tier3"
+ disable-legacy-endpoints = "true"
+ }
+
+ labels = {
+ cluster_name = data.google_container_cluster.broker.name
+ node_pool = "tier3"
+
+ # updated by node init daemonset when finished.
+ "app.broker/initialized" = "false"
+
+ # Used to set pod affinity
+ "app.broker/tier" = "tier3"
+ }
+
+ taint = [
+ {
+ # Taint to be removed when node init daemonset completes.
+ key = "app.broker/node-init"
+ value = true
+ effect = "NO_SCHEDULE"
+ },
+ {
+ # Repel pods without the tier toleration.
+ key = "app.broker/tier"
+ value = "tier3"
+ effect = "NO_SCHEDULE"
+ },
+ ]
+ }
+
+ management {
+ auto_repair = true
+ auto_upgrade = true
+ }
+
+ autoscaling {
+ min_node_count = var.tier3_pool_min_node_count
+ max_node_count = var.tier3_pool_max_node_count
+ }
+
+ // node labels and taints are modified dynamically by the node init containers
+ // ignore changes so that Terraform doesn't try to undo their modifications.
+ lifecycle {
+ ignore_changes = [
+ node_config[0].labels,
+ node_config[0].taint
+ ]
+ }
+}
diff --git a/setup/infra/image-streaming/variables.tf b/setup/infra/image-streaming/variables.tf
new file mode 100644
index 0000000..bf68340
--- /dev/null
+++ b/setup/infra/image-streaming/variables.tf
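Review bot: In the first `taint` entry `value = true` is a bare boolean while the second entry and the `metadata` map pass strings (`"tier3"`, `"true"`); taint values are strings on the GKE API, so Terraform coerces it, but write `value = "true"` so the value the node-init daemonset matches when it removes this taint (per the comment) is explicit and the two entries are consistent. The pool enables GCFS and sets `oauth_scopes` to cloud-platform, which is acceptable only because access is bounded by the IAM roles on `data.google_service_account.broker_cluster`; nothing here turns on Shielded node options, so consider `shielded_instance_config { enable_secure_boot = true }` inside `node_config`, matching whatever the cluster's other pools do (not visible in this diff). The ten-line `gcfs_config` comment could be cut to the two facts that matter here (`COS_CONTAINERD` and a 1.19+ node version) since the linked issue carries the rest.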
@@ -0,0 +1,93 @@
+variable "gcp_service_list" {
+ description ="The list of apis necessary for the project"
+ type = list(string)
+ default = [
+ "containerfilesystem.googleapis.com",
+ "artifactregistry.googleapis.com"
+ ]
+}
+
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable project_id {}
+variable region {}
+
+variable name {
+ default = "broker"
+}
+
+# Tier 1 COS node pool parameters
+variable tier3_pool_enabled {
+ default = true
+}
+variable tier3_pool_machine_type {
+ default = "e2-standard-8"
+}
+variable tier3_pool_initial_node_count {
+ default = 1
+}
+variable tier3_pool_min_node_count {
+ default = 0
+}
+variable tier3_pool_max_node_count {
+ default = 10
+}
+variable tier3_pool_preemptive_nodes {
+ default = false
+}
+variable tier3_pool_disk_size_gb {
+ default = 100
+}
+variable tier3_pool_disk_type {
+ default = "pd-balanced"
+}
+variable tier3_pool_ephemeral_storage_ssd_count {
+ description = "use local-ssd for ephemeral container storage. NOTE: requires either n1, n2 or n2d instance types."
+ default = 0
+}
+
+# Tier 1 Ubuntu node pool parameters
+variable tier3_ubuntu_pool_enabled {
+ default = false
+}
+variable tier3_ubuntu_pool_machine_type {
+ default = "e2-standard-8"
+}
+variable tier3_ubuntu_pool_initial_node_count {
+ default = 1
+}
+variable tier3_ubuntu_pool_min_node_count {
+ default = 0
+}
+variable tier3_ubuntu_pool_max_node_count {
+ default = 10
+}
+variable tier3_ubuntu_pool_preemptive_nodes {
+ default = false
+}
+variable tier3_ubuntu_pool_disk_size_gb {
+ default = 100
+}
+variable tier3_ubuntu_pool_disk_type {
+ default = "pd-balanced"
+}
+variable tier3_ubuntu_pool_ephemeral_storage_ssd_count {
+ description = "use local-ssd for ephemeral container storage. NOTE: requires either n1, n2 or n2d instance types."
+ default = 0
+}
+
+
diff --git a/setup/infra/image-streaming/versions.tf b/setup/infra/image-streaming/versions.tf
new file mode 100644
index 0000000..d2e57b3
--- /dev/null
+++ b/setup/infra/image-streaming/versions.tf
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ backend "gcs" {}
+ required_version = ">= 1.2.0"
+ required_providers {
+ external = "~> 1.2.0"
+ google = "~> 4.25.0, <4.25.6"
+ google-beta ="~> 4.25.0"
+ kubernetes = "~> 2.11.0"
+ template = "~> 2.1"
+ null = "~> 2.1"
+ random = "~> 2.2"
+ }
+}
From 367348ec2549020aeb5d002ced88f6023e8fd035 Mon Sep 17 00:00:00 2001
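Review bot: The comments `# Tier 1 COS node pool parameters` and `# Tier 1 Ubuntu node pool parameters` sit above variables named `tier3_*`; they were carried over from the tier-1 module and should read `# Tier 3 COS node pool parameters` and `# Tier 3 Ubuntu node pool parameters`. The nine `tier3_ubuntu_pool_*` variables are not referenced by any resource in this patch — tier3.tf defines only the COS pool — so unless an Ubuntu pool is planned they are dead declarations a caller can set without effect. None of the `tier3_*` variables declare a `type` or `description`; `tier3_pool_enabled` in particular is fed from Cloud Build through `TF_VAR_tier3_pool_enabled` (patch 9/9), and `type = bool` would reject a malformed substitution at plan time instead of leaving it to implicit conversion in `count = var.tier3_pool_enabled ? 1 : 0`.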
From: deepak
Date: Thu, 4 Aug 2022 18:44:11 +0530
Subject: [PATCH 6/9] artifact sa moved to core infra
---
 setup/infra/image-streaming/artifact-registry.tf | 2 +-
 setup/infra/image-streaming/main.tf | 5 -----
 setup/infra/sa.tf | 6 ++++++
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/setup/infra/image-streaming/artifact-registry.tf b/setup/infra/image-streaming/artifact-registry.tf
index 4d69acf..dd4cb68 100644
--- a/setup/infra/image-streaming/artifact-registry.tf
+++ b/setup/infra/image-streaming/artifact-registry.tf
@@ -1,4 +1,4 @@
-resource "google_artifact_registry_repository" "spaces-repo" {
+resource "google_artifact_registry_repository" "selkies-repo" {
 provider = google-beta
 location = var.region
 repository_id = "selkies-images"
diff --git a/setup/infra/image-streaming/main.tf b/setup/infra/image-streaming/main.tf
index 6688444..4f21b0b 100644
--- a/setup/infra/image-streaming/main.tf
+++ b/setup/infra/image-streaming/main.tf
@@ -3,8 +3,3 @@ data "google_container_cluster" "broker" {
 location = var.region
 project = var.project_id
 }
-
-data "google_service_account" "broker_cluster" {
- account_id = var.name
- project = var.project_id
-}
diff --git a/setup/infra/sa.tf b/setup/infra/sa.tf
index d22fee1..3c9703b 100644
--- a/setup/infra/sa.tf
+++ b/setup/infra/sa.tf
@@ -143,3 +143,9 @@ resource "google_project_iam_member" "user_pod_service_account-iap-user" {
 role = "roles/iap.httpsResourceAccessor"
 member = "serviceAccount:${google_service_account.user_pod_service_account.email}"
 }
+# Grant user service account access to Artifact Registry.
+resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
+ project = var.project_id
+ role = "roles/artifactregistry.reader"
+ member = "serviceAccount:${google_service_account.cluster_service_account.email}"
+}
From 66f693bc4bcc53981674ca537f9d7abc08e22ec5 Mon Sep 17 00:00:00 2001
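Review bot: The comment `# Grant user service account access to Artifact Registry.` on the new binding does not match its member, which is `google_service_account.cluster_service_account` (the cluster node account), not the `user_pod_service_account` bound just above it; change it to `# Grant the cluster node service account read access to Artifact Registry (image streaming pulls).` Separately, this patch removes `data.google_service_account.broker_cluster` from image-streaming/main.tf while tier3.tf (outside this diff) still references `data.google_service_account.broker_cluster.email`, so the image-streaming module cannot plan until patch 8/9 restores the data source; the removal and the restore should be squashed so the series stays bisectable. The new resource is appended directly after the closing brace of `user_pod_service_account-iap-user` with no blank line between them.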
From: deepak
Date: Thu, 4 Aug 2022 18:51:17 +0530
Subject: [PATCH 7/9] selkies copyright
---
 .../image-streaming/artifact-registry.tf | 13 +++++++++
 setup/infra/image-streaming/cloudbuild.yaml | 2 +-
 setup/infra/image-streaming/deploy.sh | 2 +-
 setup/infra/image-streaming/main.tf | 13 +++++++++
 setup/infra/image-streaming/sa.tf | 20 +++++++++----
 setup/infra/image-streaming/tier3.tf | 28 +++++++++----------
 setup/infra/image-streaming/variables.tf | 28 +++++++++----------
 setup/infra/image-streaming/versions.tf | 28 +++++++++----------
 8 files changed, 81 insertions(+), 53 deletions(-)
diff --git a/setup/infra/image-streaming/artifact-registry.tf b/setup/infra/image-streaming/artifact-registry.tf
index dd4cb68..707a494 100644
--- a/setup/infra/image-streaming/artifact-registry.tf
+++ b/setup/infra/image-streaming/artifact-registry.tf
@@ -1,3 +1,16 @@
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 resource "google_artifact_registry_repository" "selkies-repo" {
 provider = google-beta
 location = var.region
diff --git a/setup/infra/image-streaming/cloudbuild.yaml b/setup/infra/image-streaming/cloudbuild.yaml
index c02b4c3..46438d2 100644
--- a/setup/infra/image-streaming/cloudbuild.yaml
+++ b/setup/infra/image-streaming/cloudbuild.yaml
@@ -1,4 +1,4 @@
-# Copyright 2019 Google LLC
+# Copyright 2022 The Selkies Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/setup/infra/image-streaming/deploy.sh b/setup/infra/image-streaming/deploy.sh
index ba26d30..b5d90c5 100755
--- a/setup/infra/image-streaming/deploy.sh
+++ b/setup/infra/image-streaming/deploy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright 2019 Google LLC
+# Copyright 2022 The Selkies Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/setup/infra/image-streaming/main.tf b/setup/infra/image-streaming/main.tf
index 4f21b0b..4b8adec 100644
--- a/setup/infra/image-streaming/main.tf
+++ b/setup/infra/image-streaming/main.tf
@@ -1,3 +1,16 @@
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 data "google_container_cluster" "broker" {
 name = "${var.name}-${var.region}"
 location = var.region
diff --git a/setup/infra/image-streaming/sa.tf b/setup/infra/image-streaming/sa.tf
index 3315dbe..edaff38 100644
--- a/setup/infra/image-streaming/sa.tf
+++ b/setup/infra/image-streaming/sa.tf
@@ -1,9 +1,16 @@
-resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
- project = var.project_id
- role = "roles/artifactregistry.reader"
- member = "serviceAccount:${data.google_service_account.broker_cluster.email}"
-}
-
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 resource "google_project_service" "containerfilesystem" {
 for_each = toset(var.gcp_service_list)
@@ -16,4 +23,5 @@ resource "google_project_service" "containerfilesystem" {
 }
 disable_dependent_services = true
+ disable_on_destroy = false
 }
\ No newline at end of file
diff --git a/setup/infra/image-streaming/tier3.tf b/setup/infra/image-streaming/tier3.tf
index 05583bb..7bc4c9a 100644
--- a/setup/infra/image-streaming/tier3.tf
+++ b/setup/infra/image-streaming/tier3.tf
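Review bot: With `disable_on_destroy = false` added, the `disable_dependent_services = true` on the line above it no longer does anything — that flag only governs what happens when the service is disabled on destroy — so drop it, or state why both are kept. A short comment above the new line would record the intent, e.g. `# These APIs are shared with the rest of the project; leave them enabled when this module is destroyed.` The resource `google_project_service.containerfilesystem` starts in the first hunk and its `timeouts` block lies between the two hunks.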
@@ -1,18 +1,16 @@
-/**
- * Copyright 2019 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 resource "google_container_node_pool" "tier3" {
 provider = google-beta
diff --git a/setup/infra/image-streaming/variables.tf b/setup/infra/image-streaming/variables.tf
index bf68340..1b5276d 100644
--- a/setup/infra/image-streaming/variables.tf
+++ b/setup/infra/image-streaming/variables.tf
@@ -1,3 +1,16 @@
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 variable "gcp_service_list" {
 description ="The list of apis necessary for the project"
 type = list(string)
@@ -7,21 +20,6 @@ variable "gcp_service_list" {
 ]
 }
-/**
- * Copyright 2019 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 variable project_id {}
 variable region {}
diff --git a/setup/infra/image-streaming/versions.tf b/setup/infra/image-streaming/versions.tf
index d2e57b3..a571013 100644
--- a/setup/infra/image-streaming/versions.tf
+++ b/setup/infra/image-streaming/versions.tf
@@ -1,18 +1,16 @@
-/**
- * Copyright 2019 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+# Copyright 2022 The Selkies Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 terraform {
 backend "gcs" {}
From 0df8811fb1b5dc96f34f9f743d817071b45b12ad Mon Sep 17 00:00:00 2001
From: deepak
Date: Thu, 4 Aug 2022 18:54:53 +0530
Subject: [PATCH 8/9] sa email ref
---
 setup/infra/image-streaming/main.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/setup/infra/image-streaming/main.tf b/setup/infra/image-streaming/main.tf
index 4b8adec..239cee6 100644
--- a/setup/infra/image-streaming/main.tf
+++ b/setup/infra/image-streaming/main.tf
@@ -16,3 +16,8 @@ data "google_container_cluster" "broker" {
 location = var.region
 project = var.project_id
 }
+
+data "google_service_account" "broker_cluster" {
+ account_id = var.name
+ project = var.project_id
+}
\ No newline at end of file
From ac9501935bda3442ca3c584e03129c83a89a6772 Mon Sep 17 00:00:00 2001
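Review bot: `data "google_service_account" "broker_cluster"` resolves the node service account by `account_id = var.name`, which quietly couples this module to the account id chosen by `google_service_account.cluster_service_account` in setup/infra/sa.tf (patch 6/9); if that id is not literally `var.name` the lookup fails at plan time with a bare not-found error. Add a comment above it such as `# Cluster node service account created by setup/infra/sa.tf; its account_id is assumed to equal var.name.`, or take the account id as its own variable so the coupling is visible to callers. The file also loses its trailing newline, as the `\ No newline at end of file` marker shows.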
From: deepak
Date: Sat, 20 Aug 2022 20:20:12 +0530
Subject: [PATCH 9/9] tf fmt,installer image
---
 .../image-streaming/artifact-registry.tf | 8 +--
 setup/infra/image-streaming/cloudbuild.yaml | 17 +------
 setup/infra/image-streaming/main.tf | 4 +-
 .../image-streaming/{sa.tf => services.tf} | 6 +--
 setup/infra/image-streaming/tier3.tf | 2 +-
 setup/infra/image-streaming/variables.tf | 50 +++++++++----------
 setup/infra/image-streaming/versions.tf | 2 +-
 7 files changed, 38 insertions(+), 51 deletions(-)
 rename setup/infra/image-streaming/{sa.tf => services.tf} (92%)
diff --git a/setup/infra/image-streaming/artifact-registry.tf b/setup/infra/image-streaming/artifact-registry.tf
index 707a494..6aacbca 100644
--- a/setup/infra/image-streaming/artifact-registry.tf
+++ b/setup/infra/image-streaming/artifact-registry.tf
@@ -12,9 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 resource "google_artifact_registry_repository" "selkies-repo" {
- provider = google-beta
- location = var.region
+ provider = google-beta
+ location = var.region
 repository_id = "selkies-images"
- description = "selkies image artifact registry"
- format = "DOCKER"
+ description = "selkies image artifact registry"
+ format = "DOCKER"
 }
\ No newline at end of file
diff --git a/setup/infra/image-streaming/cloudbuild.yaml b/setup/infra/image-streaming/cloudbuild.yaml
index 46438d2..44aab4b 100644
--- a/setup/infra/image-streaming/cloudbuild.yaml
+++ b/setup/infra/image-streaming/cloudbuild.yaml
@@ -34,30 +34,17 @@ steps:
 - |
 gsutil mb gs://${PROJECT_ID}-${_NAME}-tf-state || true
 waitFor: ["-"]
- ###
- # Copy terraform binary
- ###
- - name: "hashicorp/terraform:1.2.0"
- id: "terraform-download"
- entrypoint: "/bin/sh"
- args:
- - "-exc"
- - |
- cp /bin/terraform /workspace/
- waitFor: ["-"]
 ###
 # Apply terraform to create base infrastructure
 ###
- - name: "gcr.io/cloud-builders/gcloud"
+ - name: "gcr.io/${PROJECT_ID}/${_NAME}-installer"
 id: "terraform-apply"
 entrypoint: "/workspace/deploy.sh"
 env:
- - PATH=/builder/google-cloud-sdk/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/workspace
 - TF_VAR_project_id=${PROJECT_ID}
 - TF_VAR_name=${_NAME}
 - TF_VAR_region=${_REGION}
 - TF_VAR_tier3_pool_enabled=${_TIER3}
 - TERRAFORM_WORKSPACE_NAME=image-straming-${_REGION}
- - ACTION=${_ACTION}
- waitFor: ["terraform-download"]
\ No newline at end of file
+ - ACTION=${_ACTION}
\ No newline at end of file
diff --git a/setup/infra/image-streaming/main.tf b/setup/infra/image-streaming/main.tf
index 239cee6..a66536b 100644
--- a/setup/infra/image-streaming/main.tf
+++ b/setup/infra/image-streaming/main.tf
@@ -14,10 +14,10 @@
 data "google_container_cluster" "broker" {
 name = "${var.name}-${var.region}"
 location = var.region
- project = var.project_id
+ project = var.project_id
 }
 data "google_service_account" "broker_cluster" {
 account_id = var.name
- project = var.project_id
+ project = var.project_id
 }
\ No newline at end of file
diff --git a/setup/infra/image-streaming/sa.tf b/setup/infra/image-streaming/services.tf
similarity index 92%
rename from setup/infra/image-streaming/sa.tf
rename to setup/infra/image-streaming/services.tf
index edaff38..0e006b7 100644
--- a/setup/infra/image-streaming/sa.tf
+++ b/setup/infra/image-streaming/services.tf
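Review bot: The `terraform-apply` step now runs in `gcr.io/${PROJECT_ID}/${_NAME}-installer` with no tag, so Cloud Build resolves the mutable `latest` on every run and the Terraform binary that applies this infrastructure is whatever was pushed to that image most recently; pin it to a tag or digest, e.g. `- name: "gcr.io/${PROJECT_ID}/${_NAME}-installer:<pinned-tag-or-digest>"` (placeholder), ideally the same tag the installer image build publishes. The workspace name `image-straming-${_REGION}` is misspelled; it is only context here, and correcting it to `image-streaming-${_REGION}` would create a new empty workspace, so the existing state must be migrated in the same change. Dropping `waitFor` is fine: without it Cloud Build waits for all previous steps, which still covers the bucket-creation step above.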
@@ -13,8 +13,8 @@
 # limitations under the License.
 resource "google_project_service" "containerfilesystem" {
 for_each = toset(var.gcp_service_list)
-
- project = var.project_id
+
+ project = var.project_id
 service = each.key
 timeouts {
@@ -23,5 +23,5 @@ resource "google_project_service" "containerfilesystem" {
 }
 disable_dependent_services = true
- disable_on_destroy = false
+ disable_on_destroy = false
 }
\ No newline at end of file
diff --git a/setup/infra/image-streaming/tier3.tf b/setup/infra/image-streaming/tier3.tf
index 7bc4c9a..04c28dc 100644
--- a/setup/infra/image-streaming/tier3.tf
+++ b/setup/infra/image-streaming/tier3.tf
@@ -47,7 +47,7 @@ resource "google_container_node_pool" "tier3" {
 # Open ISSUE
 # https://github.com/hashicorp/terraform-provider-google/issues/10509
 gcfs_config {
- enabled = true
+ enabled = true
 }
 oauth_scopes = [
 "https://www.googleapis.com/auth/cloud-platform",
diff --git a/setup/infra/image-streaming/variables.tf b/setup/infra/image-streaming/variables.tf
index 1b5276d..fcd7cd9 100644
--- a/setup/infra/image-streaming/variables.tf
+++ b/setup/infra/image-streaming/variables.tf
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 variable "gcp_service_list" {
- description ="The list of apis necessary for the project"
- type = list(string)
+ description = "The list of apis necessary for the project"
+ type = list(string)
 default = [
 "containerfilesystem.googleapis.com",
 "artifactregistry.googleapis.com"
@@ -21,71 +21,71 @@ variable "gcp_service_list" {
 }
-variable project_id {}
-variable region {}
+variable "project_id" {}
+variable "region" {}
-variable name {
+variable "name" {
 default = "broker"
 }
 # Tier 1 COS node pool parameters
-variable tier3_pool_enabled {
+variable "tier3_pool_enabled" {
 default = true
 }
-variable tier3_pool_machine_type {
+variable "tier3_pool_machine_type" {
 default = "e2-standard-8"
 }
-variable tier3_pool_initial_node_count {
+variable "tier3_pool_initial_node_count" {
 default = 1
 }
-variable tier3_pool_min_node_count {
+variable "tier3_pool_min_node_count" {
 default = 0
 }
-variable tier3_pool_max_node_count {
+variable "tier3_pool_max_node_count" {
 default = 10
 }
-variable tier3_pool_preemptive_nodes {
+variable "tier3_pool_preemptive_nodes" {
 default = false
 }
-variable tier3_pool_disk_size_gb {
+variable "tier3_pool_disk_size_gb" {
 default = 100
 }
-variable tier3_pool_disk_type {
+variable "tier3_pool_disk_type" {
 default = "pd-balanced"
 }
-variable tier3_pool_ephemeral_storage_ssd_count {
+variable "tier3_pool_ephemeral_storage_ssd_count" {
 description = "use local-ssd for ephemeral container storage. NOTE: requires either n1, n2 or n2d instance types."
- default = 0
+ default = 0
 }
 # Tier 1 Ubuntu node pool parameters
-variable tier3_ubuntu_pool_enabled {
+variable "tier3_ubuntu_pool_enabled" {
 default = false
 }
-variable tier3_ubuntu_pool_machine_type {
+variable "tier3_ubuntu_pool_machine_type" {
 default = "e2-standard-8"
 }
-variable tier3_ubuntu_pool_initial_node_count {
+variable "tier3_ubuntu_pool_initial_node_count" {
 default = 1
 }
-variable tier3_ubuntu_pool_min_node_count {
+variable "tier3_ubuntu_pool_min_node_count" {
 default = 0
 }
-variable tier3_ubuntu_pool_max_node_count {
+variable "tier3_ubuntu_pool_max_node_count" {
 default = 10
 }
-variable tier3_ubuntu_pool_preemptive_nodes {
+variable "tier3_ubuntu_pool_preemptive_nodes" {
 default = false
 }
-variable tier3_ubuntu_pool_disk_size_gb {
+variable "tier3_ubuntu_pool_disk_size_gb" {
 default = 100
 }
-variable tier3_ubuntu_pool_disk_type {
+variable "tier3_ubuntu_pool_disk_type" {
 default = "pd-balanced"
 }
-variable tier3_ubuntu_pool_ephemeral_storage_ssd_count {
+variable "tier3_ubuntu_pool_ephemeral_storage_ssd_count" {
 description = "use local-ssd for ephemeral container storage. NOTE: requires either n1, n2 or n2d instance types."
- default = 0
+ default = 0
 }
diff --git a/setup/infra/image-streaming/versions.tf b/setup/infra/image-streaming/versions.tf
index a571013..307fbd5 100644
--- a/setup/infra/image-streaming/versions.tf
+++ b/setup/infra/image-streaming/versions.tf
@@ -18,7 +18,7 @@ terraform {
 required_providers {
 external = "~> 1.2.0"
 google = "~> 4.25.0, <4.25.6"
- google-beta ="~> 4.25.0"
+ google-beta = "~> 4.25.0"
 kubernetes = "~> 2.11.0"
 template = "~> 2.1"
 null = "~> 2.1"