GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

developer quickstart session documentation #33

Closed fmichaelobrien closed 1 year ago

fmichaelobrien commented 2 years ago

reviewing https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/28/files

$14 CAD / day - GKE standard
$4 CAD / day - GKE autopilot

follow https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup

gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com

michael@cloudshell:~/millhouse/pubsec-declarative-toolkit-main (pubsec-declarative-toolkit)$ gcloud compute networks create $NETWORK --subnet-mode=custom

michael@cloudshell:~/millhouse/pubsec-declarative-toolkit-main (pubsec-declarative-toolkit)$ gcloud compute networks list
NAME: config-control
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

NAME: default
SUBNET_MODE: AUTO
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

continuing....

update: some adjustments needed in addition... swap out us-east-1 as the config controller region (--location northamerica-northeast1), or switch the region to us-east1; shorten the subnet name: SUBNET=config-control

Create another subnet in us-east1 with a different cidr for now or shorten the cidr to 24

michael@cloudshell:~/millhouse/pubsec-declarative-toolkit-main (pubsec-declarative-toolkit)$ gcloud anthos config controller create main --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [main]
Waiting for operation [projects/pubsec-declarative-toolkit/locations/us-east1/operations/operation-1651678555874-5de31619b2404-3d855fcc-b2f0568d] to complete...working...

Will return when the controller is up

session restart

michael@cloudshell:~$ PROJECT_ID=pubsec-declarative-toolkit
michael@cloudshell:~$ gcloud config set project $PROJECT_ID
Updated property [core/project].
michael@cloudshell:~ (pubsec-declarative-toolkit)$ REGION=us-east1
michael@cloudshell:~ (pubsec-declarative-toolkit)$ SUBNET=config-control
michael@cloudshell:~ (pubsec-declarative-toolkit)$ NETWORK=config-control
michael@cloudshell:~ (pubsec-declarative-toolkit)$ CLUSTER=config-controller

michael@cloudshell:~ (pubsec-declarative-toolkit)$ gcloud anthos config controller list --location $REGION
NAME: projects/pubsec-declarative-toolkit/locations/us-east1/krmApiHosts/main
LOCATION: us-east1
STATE: RUNNING

michael@cloudshell:~ (pubsec-declarative-toolkit)$ gcloud container clusters list --region $REGION
NAME: krmapihost-main
LOCATION: us-east1
MASTER_VERSION: 1.21.10-gke.2000
MASTER_IP: 35.227.115.119
MACHINE_TYPE: e2-standard-2
NODE_VERSION: 1.21.10-gke.2000
NUM_NODES: 3
STATUS: RUNNING

michael@cloudshell:~ (pubsec-declarative-toolkit)$ gcloud container clusters get-credentials krmapihost-main --region $REGION
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-main.

michael@cloudshell:~ (pubsec-declarative-toolkit)$ kubens config-control
Context "gke_pubsec-declarative-toolkit_us-east1_krmapihost-main" modified.
Active namespace is "config-control".
michael@cloudshell:~ (pubsec-declarative-toolkit)$ kubectl get nodes
NAME                                                  STATUS   ROLES    AGE     VERSION
gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   Ready    <none>   2d21h   v1.21.10-gke.2000
gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   Ready    <none>   2d21h   v1.21.10-gke.2000
gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   Ready    <none>   2d21h   v1.21.10-gke.2000

michael@cloudshell:~ (pubsec-declarative-toolkit)$ kubectl get services --all-namespaces -o wide
NAMESPACE                         NAME                                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                       AGE     SELECTOR
cnrm-system                       abandon-on-uninstall                                ClusterIP   10.198.112.18    <none>        443/TCP                       2d20h   cnrm.cloud.google.com/component=cnrm-deletiondefender,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-deletiondefender                               ClusterIP   10.198.112.16    <none>        443/TCP                       2d20h   cnrm.cloud.google.com/component=cnrm-deletiondefender,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-manager-c9pa3k4gkgtab65ku6e0                   ClusterIP   10.198.112.140   <none>        443/TCP,8888/TCP              2d20h   cnrm.cloud.google.com/component=cnrm-controller-manager,cnrm.cloud.google.com/scoped-namespace=config-control,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-resource-stats-recorder-service                ClusterIP   10.198.112.251   <none>        8888/TCP                      2d20h   cnrm.cloud.google.com/component=cnrm-resource-stats-recorder,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-validating-webhook                             ClusterIP   10.198.112.245   <none>        443/TCP                       2d20h   cnrm.cloud.google.com/component=cnrm-webhook-manager,cnrm.cloud.google.com/system=true
config-management-monitoring      otel-collector                                      ClusterIP   10.198.112.33    <none>        55678/TCP,8888/TCP,8675/TCP   2d21h   app=opentelemetry,component=otel-collector
configconnector-operator-system   configconnector-operator-service                    ClusterIP   10.198.112.161   <none>        443/TCP                       2d21h   cnrm.cloud.google.com/component=configconnector-operator,cnrm.cloud.google.com/operator-system=true
default                           kubernetes                                          ClusterIP   10.198.112.1     <none>        443/TCP                       2d21h   <none>
gatekeeper-system                 gatekeeper-webhook-service                          ClusterIP   10.198.112.103   <none>        443/TCP                       2d21h   control-plane=controller-manager,gatekeeper.sh/operation=webhook,gatekeeper.sh/system=yes,policycontroller.configmanagement.gke.io=true
kube-system                       default-http-backend                                NodePort    10.198.112.49    <none>        80:31690/TCP                  2d21h   k8s-app=glbc
kube-system                       kube-dns                                            ClusterIP   10.198.112.10    <none>        53/UDP,53/TCP                 2d21h   k8s-app=kube-dns
kube-system                       metrics-server                                      ClusterIP   10.198.112.181   <none>        443/TCP                       2d21h   k8s-app=metrics-server
resource-group-system             resource-group-controller-manager-metrics-service   ClusterIP   10.198.112.179   <none>        8443/TCP                      2d21h   configmanagement.gke.io/arch=csmr,control-plane=controller-manager
michael@cloudshell:~ (pubsec-declarative-toolkit)$ kubectl get services --all-namespaces

michael@cloudshell:~ (pubsec-declarative-toolkit)$ kubectl get pods --all-namespaces -o wide
NAMESPACE                         NAME                                                             READY   STATUS    RESTARTS   AGE     IP             NODE                                                  NOMINATED NODE   READINESS GATES
cnrm-system                       cnrm-controller-manager-c9pa3k4gkgtab65ku6e0-0                   2/2     Running   0          14h     10.198.98.9    gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
cnrm-system                       cnrm-deletiondefender-0                                          1/1     Running   0          14h     10.198.96.11   gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
cnrm-system                       cnrm-resource-stats-recorder-865dfb9dc5-l2p7k                    2/2     Running   0          14h     10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
cnrm-system                       cnrm-webhook-manager-9dcc445c6-mmb4d                             1/1     Running   0          14h     10.198.98.10   gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
cnrm-system                       cnrm-webhook-manager-9dcc445c6-psclj                             1/1     Running   0          14h     10.198.96.10   gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
config-management-monitoring      otel-collector-69fcb75cf6-pl9bh                                  1/1     Running   0          2d21h   10.198.98.5    gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
config-management-system          config-management-operator-784c45fdf6-bmk9c                      1/1     Running   0          2d21h   10.198.96.2    gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
config-management-system          reconciler-manager-95f8cd694-6mpls                               2/2     Running   0          2d21h   10.198.96.6    gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
configconnector-operator-system   configconnector-operator-0                                       1/1     Running   0          14h     10.198.96.9    gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
gatekeeper-system                 gatekeeper-audit-7cdffcd49d-grdtk                                1/1     Running   0          2d21h   10.198.96.5    gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
gatekeeper-system                 gatekeeper-controller-manager-58b4c999b7-vrvmc                   1/1     Running   0          2d21h   10.198.96.4    gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
krmapihosting-monitoring          krmapihosting-metrics-agent-5fp8w                                1/1     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
krmapihosting-monitoring          krmapihosting-metrics-agent-bk966                                1/1     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
krmapihosting-monitoring          krmapihosting-metrics-agent-t6tpt                                1/1     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
krmapihosting-system              bootstrap-84b546c587-8x7rc                                       1/1     Running   0          14h     10.198.98.8    gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       event-exporter-gke-5479fd58c8-49w8q                              2/2     Running   0          2d21h   10.198.97.8    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       fluentbit-gke-66l29                                              2/2     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       fluentbit-gke-dzsxj                                              2/2     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       fluentbit-gke-trqjs                                              2/2     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       gke-metadata-server-6vh7k                                        1/1     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       gke-metadata-server-q7nwz                                        1/1     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       gke-metadata-server-qqg6c                                        1/1     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       gke-metrics-agent-2ws7w                                          1/1     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       gke-metrics-agent-5jhj2                                          1/1     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       gke-metrics-agent-9mb5t                                          1/1     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       kube-dns-697dc8fc8b-8s2q9                                        4/4     Running   0          2d21h   10.198.97.5    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       kube-dns-697dc8fc8b-9hc4j                                        4/4     Running   0          2d21h   10.198.97.6    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       kube-dns-autoscaler-844c9d9448-zrf2s                             1/1     Running   0          2d21h   10.198.97.7    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       kube-proxy-gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   1/1     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       kube-proxy-gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   1/1     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       kube-proxy-gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   1/1     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       l7-default-backend-69fb9fd9f9-g9bfl                              1/1     Running   0          2d21h   10.198.97.4    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       metrics-server-v0.4.5-bbb794dcc-dgctd                            2/2     Running   0          2d21h   10.198.97.2    gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       netd-pv9m8                                                       1/1     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       netd-r9zv5                                                       1/1     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
kube-system                       netd-vcqtd                                                       1/1     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       pdcsi-node-8rd99                                                 2/2     Running   0          2d21h   10.0.0.7       gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
kube-system                       pdcsi-node-945gp                                                 2/2     Running   0          2d21h   10.0.0.5       gke-krmapihost-main-krmapihost-main-p-0bcb4ca9-zt4j   <none>           <none>
kube-system                       pdcsi-node-jkxk6                                                 2/2     Running   0          2d21h   10.0.0.6       gke-krmapihost-main-krmapihost-main-p-337597e0-1vz7   <none>           <none>
resource-group-system             resource-group-controller-manager-cb44df4f5-c6pwt                3/3     Running   0          2d21h   10.198.98.3    gke-krmapihost-main-krmapihost-main-p-372ceb4a-rp36   <none>           <none>
michael@cloudshell:~ (pubsec-declarative-toolkit)$

register cluster with anthos https://console.cloud.google.com/anthos/clusters?project=pubsec-declarative-toolkit

fmichaelobrien commented 2 years ago

Deleting the config controller cluster https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#delete_your

michael@cloudshell:~ (pubsec-declarative-toolkit)$ gcloud anthos config controller delete --location $REGION main
You are about to delete instance [main]

Do you want to continue (Y/n)?  y

Delete request issued for: [main]
Waiting for operation [projects/pubsec-declarative-toolkit/locations/us-east1/operations/operation-1651929776311-5de6bdf82cc5b-81bfef37-7cb9c8b6] to complete...working..
fmichaelobrien commented 2 years ago

rerun on anthos $800k 30d trial nimbostratus.info

michael@cloudshell:~$ gcloud config set project pubsec-declarative-toolkit-ns
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ unzip pubsec-declarative-toolkit.zip
set billing on the project (make sure or request for quota 20+ over the default 5)
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com
Operation "operations/acf.p2-1099466078563-4545516c-39b2-4f2c-ad81-e97396659272" finished successfully.

- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=390001&project=1099466078563&services=container.googleapis.com&services=container.googleapis.com&services=compute.googleapis.com&services=compute.googleapis.com&services=compute.googleapis.com&services=containerregistry.googleapis.com
    type: googleapis.com/billing-enabled
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com/billing-enabled
  metadata:
    project: '1099466078563'
    services: container.googleapis.com,container.googleapis.com,compute.googleapis.com,compute.googleapis.com,compute.googleapis.com,containerregistry.googleapis.com
  reason: UREQ_PROJECT_BILLING_NOT_FOUND
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com
Operation "operations/acf.p2-1099466078563-4545516c-39b2-4f2c-ad81-e97396659272" finished successfully.
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ PROJECT_ID=pubsec-declarative-toolkit-ns
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ REGION=us-east1
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ SUBNET=config-control
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ NETWORK=config-control
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ CLUSTER=config-controller
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud compute networks create $NETWORK --subnet-mode=custom
Created [https://www.googleapis.com/compute/v1/projects/pubsec-declarative-toolkit-ns/global/networks/config-control].
NAME: config-control
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network config-control --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network config-control --allow tcp:22,tcp:3389,icmp

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud compute networks subnets create $SUBNET --network $NETWORK --range 192.168.0.0/16 --region $REGION
Created [https://www.googleapis.com/compute/v1/projects/pubsec-declarative-toolkit-ns/regions/us-east1/subnetworks/config-control].
NAME: config-control
REGION: us-east1
NETWORK: config-control
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [config-controller]
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...working.

1428-1443 = 15min

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [config-controller]
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...working.  
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...working   
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...working...
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...working   
Waiting for operation [projects/pubsec-declarative-toolkit-ns/locations/us-east1/operations/operation-1652293623494-5dec0967e3790-ac228a1a-b61cfc97] to complete...done.     
Created instance [config-controller].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller.
kubeconfig entry generated for krmapihost-config-controller.

Default Config Connector identity: [service-1099466078563@gcp-sa-yakima.iam.gserviceaccount.com].

For example, to give Config Connector permission to manage Google Cloud resources in the same project:
gcloud projects add-iam-policy-binding pubsec-declarative-toolkit-ns \
    --member "serviceAccount:service-1099466078563@gcp-sa-yakima.iam.gserviceaccount.com" \
    --role "roles/owner" \
    --project pubsec-declarative-toolkit-ns

from
gcloud container clusters get-credentials $CLUSTER --region $REGION
to
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud container clusters get-credentials krmapihost-$CLUSTER --region $REGION
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller.

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ kubens config-control
Context "gke_pubsec-declarative-toolkit-ns_us-east1_krmapihost-config-controller" modified.
Active namespace is "config-control".

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ echo $ORG_ID
19...
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ echo $BILLING_ID
01...A5

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ export ORG_ID=$ORG_ID
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ export SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control \
    -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ echo $SA_EMAIL
service-10...63@gcp-sa-yakima.iam.gserviceaccount.com

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.folderAdmin"
Updated IAM policy for organization [197381943134].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - group:gcp-billing-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - user:superadmin@nimbostratus.info
  role: roles/billing.admin
- members:
  - domain:nimbostratus.info
  - group:gcp-billing-admins@nimbostratus.info
  role: roles/billing.creator
- members:
  - user:michael@nimbostratus.info
  role: roles/billing.projectManager
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billingdata@nimbostratus.info
  - group:sscbroker@nimbostratus.info
  role: roles/billing.viewer
- members:
  - group:sscbroker@nimbostratus.info
  role: roles/cloudasset.viewer
- members:
  - group:gcp-organization-admins@nimbostratus.info
  role: roles/cloudsupport.admin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/compute.admin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/iam.securityAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/logging.admin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  role: roles/orgpolicy.policyAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  - user:superadmin@nimbostratus.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:service-1099466078563@gcp-sa-yakima.iam.gserviceaccount.com
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  - user:superadmin@nimbostratus.info
  role: roles/resourcemanager.folderAdmin
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  - user:superadmin@nimbostratus.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - group:gcp-billing-admins@nimbostratus.info
  role: roles/resourcemanager.organizationViewer
- members:
  - domain:nimbostratus.info
  - group:gcp-organization-admins@nimbostratus.info
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  - user:michael@nimbostratus.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - user:michael@nimbostratus.info
  role: roles/resourcemanager.tagAdmin
- members:
  - group:gcp-organization-admins@nimbostratus.info
  - user:michael@nimbostratus.info
  role: roles/securitycenter.admin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-dev@dev-seed-project.iam.gserviceaccount.com
  - serviceAccount:tfadmin2-dev@dev-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXewPlEjNA=
version: 1

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.folderAdmin"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.projectCreator"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.projectDeleter"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/orgpolicy.policyAdmin"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/iam.securityAdmin"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer"

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/billing.user"
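As an added example (not code from the issue or the toolkit): the bindings above give the Config Connector service account organization-scope roles, so it is worth being able to read back the policy YAML that gcloud prints and see exactly what the SA holds, which of the roles granted in this session are still missing, and whether a basic role such as roles/owner has been bound at org scope. The service account address and the policy text below are constructed placeholders in the same layout as the output above.

```shell
#!/bin/sh
# Added example, not code from the issue or the toolkit: audit the organization
# IAM policy YAML that `gcloud organizations add-iam-policy-binding` (or
# `gcloud organizations get-iam-policy`) prints for the Config Connector SA.
# SAMPLE_POLICY is CONSTRUCTED sample output; the SA address is a placeholder.

SA="serviceAccount:service-123456789012@gcp-sa-yakima.iam.gserviceaccount.com"

SAMPLE_POLICY='auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  service: allServices
bindings:
- members:
  - group:gcp-organization-admins@example.com
  - serviceAccount:service-123456789012@gcp-sa-yakima.iam.gserviceaccount.com
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:service-123456789012@gcp-sa-yakima.iam.gserviceaccount.com
  role: roles/orgpolicy.policyAdmin
- members:
  - serviceAccount:service-123456789012@gcp-sa-yakima.iam.gserviceaccount.com
  - user:superadmin@example.com
  role: roles/owner
etag: BwXewPlEjNA=
version: 1'

# Roles the session in this issue grants the Config Connector SA at org scope.
REQUIRED_ROLES='roles/resourcemanager.folderAdmin
roles/resourcemanager.projectCreator
roles/resourcemanager.projectDeleter
roles/orgpolicy.policyAdmin
roles/iam.securityAdmin
roles/serviceusage.serviceUsageConsumer
roles/billing.user'

# Basic roles: the quickstart only suggests roles/owner on a single project;
# bound at organization scope they hand an automation identity the whole org.
BASIC_ROLES='roles/owner roles/editor roles/viewer'

# roles_for_member MEMBER  (policy YAML on stdin) -> one role per line.
# A binding is "- members:", then "  - <member>" lines, then "  role: <role>".
roles_for_member() {
    awk -v target="$1" '
        /^- members:/ { found = 0; next }
        /^  - /       { if ($2 == target) found = 1; next }
        /^  role: /   { if (found) print $2; found = 0 }
    '
}

# missing_roles MEMBER  (policy on stdin) -> required roles the member lacks.
missing_roles() {
    held=$(roles_for_member "$1")
    printf '%s\n' "$REQUIRED_ROLES" | while read -r role; do
        printf '%s\n' "$held" | grep -Fxq "$role" || echo "$role"
    done
}

# basic_roles_held MEMBER  (policy on stdin) -> prints basic roles held and
# returns 1 when any is found, so it can gate a pipeline or a pre-flight check.
basic_roles_held() {
    hits=$(roles_for_member "$1" | while read -r role; do
        case " $BASIC_ROLES " in *" $role "*) echo "$role" ;; esac
    done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone run against the constructed policy.
echo "held:";    printf '%s\n' "$SAMPLE_POLICY" | roles_for_member "$SA"
echo "missing:"; printf '%s\n' "$SAMPLE_POLICY" | missing_roles "$SA"
echo "basic:";   printf '%s\n' "$SAMPLE_POLICY" | basic_roles_held "$SA" \
    || echo "review: basic role bound to the SA at organization scope"
```

Against a live organization, replace the printf of SAMPLE_POLICY with `gcloud organizations get-iam-policy "${ORG_ID}"` and set SA from the same `kubectl get ConfigConnectorContext` jsonpath used above.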
fmichaelobrien commented 2 years ago

updating for multiple billing IDs

fmichaelobrien commented 2 years ago

thanks Chris

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud anthos config controller get-credentials $CLUSTER --location $REGION
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller.
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ kubens config-control
Context "gke_pubsec-declarative-toolkit-ns_us-east1_krmapihost-config-controller" modified.
Active namespace is "config-control".

fmichaelobrien commented 2 years ago

Running solutions/sandbox-gke. Going through the solutions/sandbox-gke first. kpt does not support https; the same change applies to the get-credentials command.

change:
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ gcloud anthos config controller get-credentials $CLUSTER --location $REGION
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-config-controller.

michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ kubens config-control
Context "gke_pubsec-declarative-toolkit-ns_us-east1_krmapihost-config-controller" modified.
Active namespace is "config-control".
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/sandbox-gke sandbox-gke
Error: Repository "https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit" requires authentication. kpt does not support this for the 'https' protocol. Please use the 'git' protocol instead.

add key https://cloud.google.com/build/docs/access-github-from-build
michael@cloudshell:~ (pubsec-declarative-toolkit-ns)$ kpt pkg get git@github.com:fmichaelobrien/pubsec-declarative-toolkit.git/solutions/sandbox-gke sandbox-gke

cartyc commented 2 years ago

I just noticed the change to support only git this am. Will have to update the pull commands. What version of kpt (`kpt version`) are you on?

fmichaelobrien commented 2 years ago

batching changes. These as I search the code: solutions/sandbox-gke/clouddeploy.yaml

minor - just naming - clusers

```yaml
cluster: projects/config-controller-project-id/locations/{$host-location}/clusers/krmapihost-main # kpt-set: projects/${management-project-id}/locations/{$host-location}/clusers/krmapihost-${host-cluster}

cluster: projects/config-controller-project-id/locations/{$host-location}/clusters/krmapihost-main # kpt-set: projects/${management-project-id}/locations/{$host-location}/clusters/krmapihost-${host-cluster}
```

these as I run the code

fmichaelobrien commented 2 years ago

Restarting via trying out onboarding of Chris's landing-zone solution https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone

fmichaelobrien commented 2 years ago

20220829: arg

git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
cd pubsec-declarative-toolkit/
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ pwd
/home/admin_/wse_github/20220829/pubsec-declarative-toolkit

navigate via readme to arete readme https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/cli/README.md

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ cd cli
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit-arg)$ go install

no output from above determining path to

export PATH=$PATH:/path/to/your/install/directory

find via
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit-arg)$ which arete
/home/admin_/gopath/bin/arete

set path
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export PATH=$PATH:/home/admin_/gopath/bin/arete
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $PATH
/opt/gradle/bin:/opt/maven/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/usr/local/nvm/versions/node/v16.4.0/bin:/usr/local/rvm/bin:/google/go_appengine:/google/google_appengine:/google/migrate/anthos/:/home/admin_/.gems/bin:/usr/local/rvm/bin:/home/admin_/gopath/bin:/google/gopath/bin:/google/flutter/bin:/home/admin_/gopath/bin/arete

20220831:0940
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ arete create pdt-arg-kcc --region=northamerica-northeast1 --project=pubsec-declarative-toolkit-arg
1:39PM INF Enabling required services...
0942
1:40PM INF Operation "operations/acf.p2-716449377354-1b0788dc-9131-4ba1-8fa0-23c766f3ac6b" finished successfully.
1:40PM INF Creating Network...
1:40PM INF Creating subnet....
1:40PM INF Creating Config Controller Cluster....
[screenshot: Screen Shot 2022-08-31 at 9 43 34 AM]
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ arete create pdt-arg-kcc --region=northamerica-northeast1 --project=pubsec-declarative-toolkit-arg
1:39PM INF Enabling required services...
1:40PM INF Operation "operations/acf.p2-716449377354-1b0788dc-9131-4ba1-8fa0-23c766f3ac6b" finished successfully.
1:40PM INF Creating Network...
1:40PM INF Creating subnet....
1:40PM INF Creating Config Controller Cluster....
1:50PM FTL  error="Create request issued for: [pdt-arg-kcc]Waiting for operation [projects/pubsec-declarative-toolkit-arg/locations/northamerica-northeast1/operations/operation-1661953241365-5e789a495bca1-4baa162a-23745e56] to complete...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................failed.ERROR: (gcloud.anthos.config.controller.create) unexpected error occurred while waiting for SLM operation [projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1661953246921-5e789a4ea846e-92d726a8-893fa695]: errored while waiting for operation: projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1661953246921-5e789a4ea846e-92d726a8-893fa695: Operation failed with error: generic::invalid_argument: terraform apply failed, error: exit status 1, stderr: 2022/08/31 06:41:09 [DEBUG] Using modified User-Agent: Terraform/0.12.31 Cloud SSAError: Error waiting for creating GKE cluster: \t(1) Not all instances running in IGM after 18.757885147s. Expected 1, running 0, transitioning 1. Current errors: [CONDITION_NOT_MET]: Instance 'gke-krmapihost-pdt-arg-k-default-pool-36014ba0-fj66' creation failed: Constraint constraints/compute.requireShieldedVm violated for project projects/pubsec-declarative-toolkit-arg. Secure Boot is not enabled in the 'shielded_instance_config' field. 
See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information\t(2) Not all instances running in IGM after 23.407955739s. Expected 1, running 0, transitioning 1. Current errors: [CONDITION_NOT_MET]: Instance 'gke-krmapihost-pdt-arg-k-default-pool-f91b2aab-5zmw' creation failed: Constraint constraints/compute.requireShieldedVm violated for project projects/pubsec-declarative-toolkit-arg. Secure Boot is not enabled in the 'shielded_instance_config' field. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information\t(3) Not all instances running in IGM after 24.065795965s. Expected 1, running 0, transitioning 1. Current errors: [CONDITION_NOT_MET]: Instance 'gke-krmapihost-pdt-arg-k-default-pool-2c4ae974-xt3n' creation failed: Constraint constraints/compute.requireShieldedVm violated for project projects/pubsec-declarative-toolkit-arg. Secure Boot is not enabled in the 'shielded_instance_config' field. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information.  on main_gke.tf line 32, in resource \"google_container_cluster\" \"acp_cluster\":  32: resource \"google_container_cluster\" \"acp_cluster\" {, stdout: google_container_cluster.acp_cluster: Creating...google_container_cluster.acp_cluster: Still creating... [10s elapsed]google_container_cluster.acp_cluster: Still creating... [20s elapsed]google_container_cluster.acp_cluster: Still creating... [30s elapsed]google_container_cluster.acp_cluster: Still creating... [40s elapsed]google_container_cluster.acp_cluster: Still creating... [50s elapsed]google_container_cluster.acp_cluster: Still creating... [1m0s elapsed]google_container_cluster.acp_cluster: Still creating... [1m10s elapsed]google_container_cluster.acp_cluster: Still creating... [1m20s elapsed]google_container_cluster.acp_cluster: Still creating... 
[1m30s elapsed]google_container_cluster.acp_cluster: Still creating... [1m40s elapsed]google_container_cluster.acp_cluster: Still creating... [1m50s elapsed]google_container_cluster.acp_cluster: Still creating... [2m0s elapsed]google_container_cluster.acp_cluster: Still creating... [2m10s elapsed]google_container_cluster.acp_cluster: Still creating... [2m20s elapsed]google_container_cluster.acp_cluster: Still creating... [2m30s elapsed]google_container_cluster.acp_cluster: Still creating... [2m40s elapsed]google_container_cluster.acp_cluster: Still creating... [2m50s elapsed]google_container_cluster.acp_cluster: Still creating... [3m0s elapsed]google_container_cluster.acp_cluster: Still creating... [3m10s elapsed]google_container_cluster.acp_cluster: Still creating... [3m20s elapsed]google_container_cluster.acp_cluster: Still creating... [3m30s elapsed]google_container_cluster.acp_cluster: Still creating... [3m40s elapsed]google_container_cluster.acp_cluster: Still creating... [3m50s elapsed]google_container_cluster.acp_cluster: Still creating... [4m0s elapsed]google_container_cluster.acp_cluster: Still creating... [4m10s elapsed]google_container_cluster.acp_cluster: Still creating... [4m20s elapsed]google_container_cluster.acp_cluster: Still creating... [4m30s elapsed]google_container_cluster.acp_cluster: Still creating... [4m40s elapsed]google_container_cluster.acp_cluster: Still creating... [4m50s elapsed]google_container_cluster.acp_cluster: Still creating... [5m0s elapsed]google_container_cluster.acp_cluster: Still creating... [5m10s elapsed]google_container_cluster.acp_cluster: Still creating... [5m20s elapsed]google_container_cluster.acp_cluster: Still creating... [5m30s elapsed]google_container_cluster.acp_cluster: Still creating... [5m40s elapsed]google_container_cluster.acp_cluster: Still creating... [5m50s elapsed]google_container_cluster.acp_cluster: Still creating... [6m0s elapsed]google_container_cluster.acp_cluster: Still creating... 
[6m10s elapsed]google_container_cluster.acp_cluster: Still creating... [6m20s elapsed]google_container_cluster.acp_cluster: Still creating... [6m30s elapsed]google_container_cluster.acp_cluster: Still creating... [6m40s elapsed]google_container_cluster.acp_cluster: Still creating... [6m50s elapsed] Subsequent cleanup succeeded"
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$

cluster deleted, will switch to a US region - but I suspect it is a missing set parameter and not related to na-ne1; tracking https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/82

Issue was org policy on one of my orgs - switched to a clean org (OK now)

cloud-nuage.org


Welcome to Cloud Shell! Type "help" to get started.
To set your Cloud Platform project in this session use “gcloud config set project [PROJECT_ID]”
admin_root@cloudshell:~$ gcloud config set project pubsec-declarative-toolkit-cno
Updated property [core/project].
admin_root@cloudshell:~ (pubsec-declarative-toolkit-cno)$ mkdir wse_github
admin_root@cloudshell:~ (pubsec-declarative-toolkit-cno)$ cd wse_github/
admin_root@cloudshell:~/wse_github (pubsec-declarative-toolkit-cno)$ mkdir 20220831
admin_root@cloudshell:~/wse_github (pubsec-declarative-toolkit-cno)$ cd 20220831/
admin_root@cloudshell:~/wse_github/20220831 (pubsec-declarative-toolkit-cno)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
Cloning into 'pubsec-declarative-toolkit'...
remote: Enumerating objects: 4258, done.
remote: Counting objects: 100% (1121/1121), done.
remote: Compressing objects: 100% (470/470), done.
remote: Total 4258 (delta 627), reused 953 (delta 573), pack-reused 3137
Receiving objects: 100% (4258/4258), 1.72 MiB | 15.30 MiB/s, done.
Resolving deltas: 100% (2542/2542), done.
/home/admin_root/wse_github/20220831
admin_root@cloudshell:~/wse_github/20220831 (pubsec-declarative-toolkit-cno)$ cd pubsec-declarative-toolkit/
admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit (pubsec-declarative-toolkit-cno)$ cd cli
admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit-cno)$ go install
go: downloading github.com/spf13/viper v1.10.1
go: downloading github.com/rs/zerolog v1.26.1
go: downloading github.com/fatih/color v1.13.0
go: downloading github.com/spf13/cobra v1.4.0
go: downloading github.com/fsnotify/fsnotify v1.5.1
go: downloading github.com/magiconair/properties v1.8.5
go: downloading github.com/mitchellh/mapstructure v1.4.3
go: downloading github.com/spf13/afero v1.6.0
go: downloading github.com/spf13/cast v1.4.1
go: downloading github.com/spf13/jwalterweatherman v1.1.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/subosito/gotenv v1.2.0
go: downloading gopkg.in/ini.v1 v1.66.2
go: downloading github.com/manifoldco/promptui v0.9.0
go: downloading gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
go: downloading sigs.k8s.io/kustomize/kyaml v0.13.6
go: downloading github.com/mattn/go-colorable v0.1.12
go: downloading github.com/mattn/go-isatty v0.0.14
go: downloading golang.org/x/sys v0.0.0-20211210111614-af8b64212486
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/pelletier/go-toml v1.9.4
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading golang.org/x/text v0.3.7
go: downloading github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/stretchr/testify v1.7.0
go: downloading github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
go: downloading github.com/go-errors/errors v1.0.1
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/go-openapi/jsonreference v0.19.3
go: downloading github.com/go-openapi/swag v0.19.5
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/PuerkitoBio/purell v1.1.1
go: downloading github.com/go-openapi/jsonpointer v0.19.3
go: downloading github.com/mailru/easyjson v0.7.0
go: downloading github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
go: downloading golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit-cno)$ cd ..

check...
admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit (pubsec-declarative-toolkit-cno)$ arete
Arete is a wrapper that makes deploying solutions onto Google Cloud Platform easier.

It utilizes Googles Config Connector and Config Controller to deploy declaritive resources into your environment
with as little changes as required.

Usage:
  arete [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  create      Create a new Config Controller instance
  help        Help about any command
  solution    Manage Solutions
  version     Print out the current version of arete

Flags:
  -h, --help      help for arete
  -v, --verbose   verbose output

Use "arete [command] --help" for more information about a command.

running

1109
admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit (pubsec-declarative-toolkit-cno)$ arete create pdt-cno-kcc --region=northamerica-northeast1 --project=pubsec-declarative-toolkit-cno
3:08PM INF Enabling required services...
3:10PM INF Operation "operations/acf.p2-491974186555-b627d941-ec23-4e06-a7ad-9310721ec1d9" finished successfully.
3:10PM INF Creating Network...
3:10PM INF Creating subnet....
3:10PM INF Creating Config Controller Cluster....

VPC Network creating

[screenshot: Screen Shot 2022-08-31 at 11 12 21 AM]

GKE Cluster coming up

[screenshot: Screen Shot 2022-08-31 at 11 13 17 AM]

1118 all good so far on the GKE cluster

[screenshot: Screen Shot 2022-08-31 at 11 18 57 AM]
3:10PM INF Creating Config Controller Cluster....
3:32PM INF Create request issued for: [pdt-cno-kcc]Waiting for operation [projects/pubsec-declarative-toolkit-cno/locations/northamerica-northeast1/operations/operation-1661958639201-5e78ae6522c5d-413922fa-928399d6] to complete.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................done.Created instance [pdt-cno-kcc].Fetching cluster endpoint and auth data.kubeconfig entry generated for krmapihost-pdt-cno-kcc.
3:32PM INF Add SA to roles/owner role...
3:32PM INF Config Controller setup complete
[screenshot: Screen Shot 2022-08-31 at 11 45 08 AM]

removing the solution

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/91

check arete cache - pending on delete command

admin_root@cloudshell:~$ ls -la .arete/
total 20
drwxr--r--  2 admin_root admin_root 4096 Sep  2 18:15 .
drwxr-xr-x 11 admin_root admin_root 4096 Sep  1 19:27 ..
-rw-r--r--  1 admin_root admin_root   46 Aug 31 15:06 config.yaml
-rw-------  1 admin_root admin_root  100 Aug 31 15:32 .create
-rw-r--r--  1 admin_root admin_root 1318 Sep  2 18:15 solutions.yaml
admin_root@cloudshell:~$ cat .arete/solutions.yaml
solutions:
    - solution: guardrails
      description: |
        Implementation of the GC Cloud Guardrails Checks. More Info: https://github.com/canada-ca/cloud-guardrails-gcp
      url: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/guardrails@main
    - solution: guardrails-policy-bundle
      description: |
        Policy Bundle to help analyze compliance for Guardrails
      url: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/guardrails-policies@main
    - solution: kcc-namespaces
      description: |
        Simplified declarative multi-tenancy with project namespaces taken from: https://cloud.google.com/anthos-config-management/docs/tutorials/project-namespace-blueprint
      url: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/kcc-namespaces@main
    - solution: sandbox-gke
      description: |
        A private GKE cluster with so many bells and whistles!
      url: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/sandbox-gke@main
    - solution: landing-zone
      description: |
        This is a reimplementation of pbmm-on-gcp-onboarding Landing Zone using KRM.
      url: https://github.com/GoogleCloudPlatform/gcp-pbmm-sandbox.git/solutions/landing-zone@main
admin_root@cloudshell:~$ cat .arete/config.yaml
cache: /home/admin_root/.arete
verbose: false
admin_root@cloudshell:~$ cat .arete/.create
steps:
- step: services
- step: network
- step: subnet
- step: config-controller
- step: add-policy
cartyc commented 2 years ago

We might need to point to directions for setting up a Go Env for the build process for those who want to build from source. Link --> https://go.dev/doc/install

cartyc commented 2 years ago

Alternatively you could download the build from releases, https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/releases/tag/v0.0.3-alpha . This process should be documented as most users probably don't have a go env set up nor should they need to.

fmichaelobrien commented 2 years ago

right, I am using cloud shell with Go preinstalled - I expect less than 50% have it on their local machine

fmichaelobrien-macbookpro:magellan fmichaelobrien$ go version
go version go1.19 darwin/amd64

A separate link/section for installing go would be beneficial - raised https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/80

good to go on shell as expected

find via
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit-arg)$ which arete
/home/admin_/gopath/bin/arete

set path
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export PATH=$PATH:/home/admin_/gopath/bin/arete
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $PATH
/opt/gradle/bin:/opt/maven/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/usr/local/nvm/versions/node/v16.4.0/bin:/usr/local/rvm/bin:/google/go_appengine:/google/google_appengine:/google/migrate/anthos/:/home/admin_/.gems/bin:/usr/local/rvm/bin:/home/admin_/gopath/bin:/google/gopath/bin:/google/flutter/bin:/home/admin_/gopath/bin/arete

solution testing

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone/README.md

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/86

admin_root@cloudshell:~/wse_github/20220831/pubsec-declarative-toolkit (pubsec-declarative-toolkit-cno)$ arete create landing-zone-controller --region=$REGION
5:50PM INF Project name will be set to: landing-zone-controller-9bomd
✔ My Billing Account - 0199≥...D
✔ nuage-cloud.org - 47...947
✔ Folder Level
✔ pdt - 346...8
5:51PM INF Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-9bomd].Waiting for [operations/cp.8322183786461892312] to finish.....done.Enabling service [cloudapis.googleapis.com] on project [landing-zone-controller-9bomd]...Operation "operations/acat.p2-890165283493-618b6b75-ab44-49c6-be35-11fbdef2a7a0" finished successfully.Updated property [core/project] to [landing-zone-controller-9bomd].
5:51PM INF Config Controller setup complete
fmichaelobrien commented 2 years ago

20220907: switch over to alternate.gcp.zone (clean org) - continue with LZ solution

Made a mistake and typed a different project (non-existing) than the target


  140  mkdir wse_github
  141  cd wse_github/
  142  mkdir obriensystems
  143  cd obriensystems/
  144  git clone https://github.com/obriensystems/pubsec-declarative-toolkit.git
  145  gcloud config set project pubsec-declarative-tk-agz
  146  cd pubsec-declarative-toolkit/cli/
  147  go install
  149  ls ~/gopath/
  150  export PATH=$PATH:/home/admin_/gopath/bin/arete
  152  arete create pdt-arg-kcc --region=northamerica-northeast1 --project=pubsec-declarative-agz
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/cli (pubsec-declarative-tk-agz)$ arete create pdt-arg-kcc --region=northamerica-northeast1 --project=pubsec-declarative-agz
✔ My Billing Account - 011BCB-037F97-C9169E
✔ alternate.gcp.zone - 6839210352
✔ Folder Level
✔ pdt - 85066258830
4:34PM INF Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/pubsec-declarative-agz].Waiting for [operations/cp.8846125226641475772] to finish.....done.Enabling service [cloudapis.googleapis.com] on project [pubsec-declarative-agz]...Operation "operations/acat.p2-54024896165-813faaef-556c-422b-8152-175e9c33a9e7" finished successfully.Updated property [core/project] to [pubsec-declarative-agz].
4:34PM INF Enabling required services...
4:35PM INF Operation "operations/acf.p2-54024896165-cc0104fa-1896-4e2f-822a-7bfa8edb2636" finished successfully.
4:35PM INF Creating Network...
4:35PM INF Creating subnet....
4:35PM INF Creating Config Controller Cluster....

5:00PM INF Create request issued for: [pdt-arg-kcc]Waiting for operation [projects/pubsec-declarative-agz/locations/northamerica-northeast1/operations/operation-1662568549547-5e818e7cf7ccc-f9646a71-21ccd335] to complete..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................done.Created instance [pdt-arg-kcc].Fetching cluster endpoint and auth data.kubeconfig entry generated for krmapihost-pdt-arg-kcc.
5:00PM INF Add SA to roles/owner role...
5:00PM INF Config Controller setup complete

root_@cloudshell:~ (pubsec-declarative-tk-agz)$ arete create landing-zone-controller --region=northamerica-northeast1
5:55PM INF Project name will be set to: landing-zone-controller-3dy12
✔ My Billing Account - 011BCB-037F97-C9169E
✔ alternate.gcp.zone - 6839210352
✔ Folder Level
✔ pdt - 85066258830
5:56PM INF Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-3dy12].Waiting for [operations/cp.6843614771710427017] to finish.....done.Enabling service [cloudapis.googleapis.com] on project [landing-zone-controller-3dy12]...Operation "operations/acat.p2-755016227548-cf4437fa-1a07-415f-87e0-683eb742617c" finished successfully.Updated property [core/project] to [landing-zone-controller-3dy12].
5:56PM FTL Unable to assign billing account to project:  error="ERROR: (gcloud.beta.billing.projects.link) FAILED_PRECONDITION: Precondition check failed.\n- '@type': type.googleapis.com/google.rpc.QuotaFailure\n  violations:\n  - description: 'Cloud billing quota exceeded: https://support.google.com/code/contact/billing_quota_increase'\n    subject: billingAccounts/011BCB-037F97-C9169E\nexit status 1"

not a problem specific to the kcc lz - as it only needs 2-3 projects (with 1 default on org creation that was not disassociated 0 will hit quota on 2 more solutions with random project suffix) - will put a jira in to pre-mitigate anyway
[screenshot: Screen Shot 2022-09-07 at 4 58 01 PM]
deleted 2 projects while waiting for a quota increase

root_@cloudshell:~ (pubsec-declarative-tk-agz)$ arete create landing-zone-controller --region=northamerica-northeast1
8:55PM INF Project name will be set to: landing-zone-controller-x2dld
✔ My Billing Account - 011BCB-037F97-C9169E
✔ alternate.gcp.zone - 6839210352
✔ Folder Level
✔ pdt - 85066258830
8:55PM INF Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-x2dld].Waiting for [operations/cp.5411800376524751705] to finish.....done.Enabling service [cloudapis.googleapis.com] on project [landing-zone-controller-x2dld]...Operation "operations/acat.p2-281923370223-28732604-f4bb-435a-b797-d7360d1ec659" finished successfully.Updated property [core/project] to [landing-zone-controller-x2dld].
8:55PM INF Config Controller setup complete

deleting the solution before it is deployed - obviously n/a  
But deleting the projects created should be done manually
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (landing-zone-controller-x2dld)$ cd ~/.arete/
root_@cloudshell:~/.arete (landing-zone-controller-x2dld)$ ls -la
total 16
drwxr--r--  2 root_ root_ 4096 Sep  7 16:33 .
drwxr-xr-x 14 root_ root_ 4096 Sep  7 17:00 ..
-rw-r--r--  1 root_ root_   41 Sep  7 16:33 config.yaml
-rw-------  1 root_ root_  100 Sep  7 17:00 .create
root_@cloudshell:~/.arete (landing-zone-controller-x2dld)$ kpt live destroy
I0907 21:18:34.171654    1427 request.go:601] Waited for 1.02436099s due to client-side throttling, not priority and fairness, request: GET:https://35.203.49.115/apis/admissionregistration.k8s.io/v1?timeout=32s
Error: 1 resource types could not be found in the cluster or as CRDs among the applied resources.

Resource types:
/, Kind=

root_@cloudshell:~/.arete (pubsec-declarative-tk-agz)$ gcloud projects delete landing-zone-controller-x2dld
Your project will be deleted.

Do you want to continue (Y/n)?  y

Deleted [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-x2dld].

You can undo this operation for a limited period by running the command below.
    $ gcloud projects undelete landing-zone-controller-x2dld

See https://cloud.google.com/resource-manager/docs/creating-managing-projects for information on shutting down projects.
root_@cloudshell:~/.arete (pubsec-declarative-tk-agz)$ gcloud projects delete landing-zone-controller-3dy12
Your project will be deleted.

Do you want to continue (Y/n)?  y

Deleted [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-3dy12].

You can undo this operation for a limited period by running the command below.
    $ gcloud projects undelete landing-zone-controller-3dy12

See https://cloud.google.com/resource-manager/docs/creating-managing-projects for information on shutting down projects.

deleting the cluster is ok

At step 1b roles before configuration of https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#readme

root@cloudshell:~/.arete (pubsec-declarative-tk-agz)$ gcloud config set project pubsec-declarative-agz
Updated property [core/project].
root@cloudshell:~/.arete (pubsec-declarative-agz)$ gcloud anthos config controller delete --location northamerica-northeast1 pdt-arg-kcc
You are about to delete instance [pdt-arg-kcc]

Do you want to continue (Y/n)? y

Delete request issued for: [pdt-arg-kcc]
Waiting for operation [projects/pubsec-declarative-agz/locations/northamerica-northeast1/operations/operation-1662586093387-5e81cfd813e46-bacb2933-aff745f8] to complete...working.

obriensystems commented 2 years ago

20220908: obrienlabs.dev (full quota billing, projects). I was curious as to why we had the cc k8s cluster creation on the main readme and a second one during solution creation - I'll make the readme clearer that you need either, not both.

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit#quickstart

michael@cloudshell:~/github/GoogleCloudPlatform (pubsec-declarative-toolkit)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git
Cloning into 'pubsec-declarative-toolkit'...
remote: Enumerating objects: 4298, done.
remote: Counting objects: 100% (1160/1160), done.
remote: Compressing objects: 100% (469/469), done.
remote: Total 4298 (delta 661), reused 1023 (delta 612), pack-reused 3138
Receiving objects: 100% (4298/4298), 1.72 MiB | 2.36 MiB/s, done.
Resolving deltas: 100% (2579/2579), done.
michael@cloudshell:~/github/GoogleCloudPlatform (pubsec-declarative-toolkit)$ cd pubsec-declarative-toolkit/
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (pubsec-declarative-toolkit)$ cd cli/
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit/cli (pubsec-declarative-toolkit)$ go install
go: downloading github.com/rs/zerolog v1.26.1

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (pubsec-declarative-toolkit)$ which arete
/home/michael/gopath/bin/arete

cc connector and solution https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#usage

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (pubsec-declarative-toolkit)$ arete create landing-zone-controller --region=northamerica-northeast1
12:22AM INF Project name will be set to: landing-zone-controller-1z583
✔ My Billing Account - 011691-49FFF5-903E43
✔ obrienlabs.dev - 583675367868
✔ Folder Level
✔ millhouse - 41160724790

12:24AM INF Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/landing-zone-controller-1z583].
Waiting for [operations/cp.8513926499669922262] to finish.....done.
Enabling service [cloudapis.googleapis.com] on project [landing-zone-controller-1z583]...
Operation "operations/acat.p2-453474601356-f1fc23c1-e612-4030-9b60-d892c6301f6d" finished successfully.
Updated property [core/project] to [landing-zone-controller-1z583].
12:24AM INF Enabling required services...
12:25AM INF Operation "operations/acf.p2-453474601356-d64883c3-ec43-4555-82e2-9554cb5663d1" finished successfully.
12:25AM INF Creating Network...
12:25AM INF Creating subnet....
12:25AM INF Creating Config Controller Cluster....

Picked the wrong billing account - that one is shared - no problem, we will switch the billing ID in setters.yaml.

Log Explorer query (get off the GKE page https://console.cloud.google.com/kubernetes/clusters/details/northamerica-northeast1/krmapihost-landing-zone-controller/logs/cluster_logs?project=landing-zone-controller-1z583)

https://console.cloud.google.com/logs/query;query=resource.type%3D%22k8s_cluster%22%0Aresource.labels.project_id%3D%22landing-zone-controller-1z583%22%0Aresource.labels.location%3D%22northamerica-northeast1%22%0Aresource.labels.cluster_name%3D%22krmapihost-landing-zone-controller%22%20severity%3E%3DDEFAULT;cursorTimestamp=2022-09-09T00:38:13.441508Z?project=landing-zone-controller-1z583

resource.type="k8s_cluster"
resource.labels.project_id="landing-zone-controller-1z583"
resource.labels.location="northamerica-northeast1"
resource.labels.cluster_name="krmapihost-landing-zone-controller" severity>=DEFAULT
...done.
Created instance [landing-zone-controller].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-landing-zone-controller.

12:47AM INF Add SA to roles/owner role...
12:47AM INF Config Controller setup complete

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$

check empty cluster

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kubectl get nodes -o wide
NAME                                                  STATUS   ROLES    AGE   VERSION            INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-krmapihost-landi-krmapihost-landi-7d75b5c9-bxqq   Ready    <none>   16m   v1.22.11-gke.400   192.168.0.7   <none>        Container-Optimized OS from Google   5.10.109+        containerd://1.5.13
gke-krmapihost-landi-krmapihost-landi-8aa5af79-z7nz   Ready    <none>   16m   v1.22.11-gke.400   192.168.0.6   <none>        Container-Optimized OS from Google   5.10.109+        containerd://1.5.13
gke-krmapihost-landi-krmapihost-landi-cfde5f71-9jw1   Ready    <none>   16m   v1.22.11-gke.400   192.168.0.5   <none>        Container-Optimized OS from Google   5.10.109+        containerd://1.5.13

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kubectl get pods --all-namespaces
NAMESPACE                         NAME                                                             READY   STATUS    RESTARTS      AGE
cnrm-system                       cnrm-controller-manager-ccd8mhcgkgtdktv36t6g-0                   2/2     Running   0             15m
cnrm-system                       cnrm-deletiondefender-0                                          1/1     Running   0             14m
cnrm-system                       cnrm-resource-stats-recorder-7d49746fc6-5bsfq                    2/2     Running   0             14m
cnrm-system                       cnrm-webhook-manager-85f4848bc4-p2psg                            1/1     Running   0             14m
cnrm-system                       cnrm-webhook-manager-85f4848bc4-xqndg                            1/1     Running   0             14m
config-management-monitoring      otel-collector-5d9757b898-6x8fv                                  1/1     Running   0             14m
config-management-system          config-management-operator-64ff79d555-pbdvz                      1/1     Running   0             15m
config-management-system          reconciler-manager-6c5967d99b-7qw8p                              2/2     Running   0             14m
configconnector-operator-system   configconnector-operator-0                                       1/1     Running   0             15m
gatekeeper-system                 gatekeeper-audit-68fb44f5bc-ftpcc                                1/1     Running   0             14m
gatekeeper-system                 gatekeeper-controller-manager-5d768f8f49-rr96f                   1/1     Running   0             14m
krmapihosting-monitoring          krmapihosting-metrics-agent-m2dpz                                1/1     Running   0             15m
krmapihosting-monitoring          krmapihosting-metrics-agent-n25q9                                1/1     Running   0             15m
krmapihosting-monitoring          krmapihosting-metrics-agent-n7wkw                                1/1     Running   0             15m
krmapihosting-system              bootstrap-5ffd94d5cd-7xpml                                       1/1     Running   3 (10m ago)   15m
kube-system                       event-exporter-gke-5479fd58c8-zxx9x                              2/2     Running   0             21m
kube-system                       fluentbit-gke-48cmq                                              2/2     Running   0             16m
kube-system                       fluentbit-gke-74j6c                                              2/2     Running   0             16m
kube-system                       fluentbit-gke-hxgsm                                              2/2     Running   0             16m
kube-system                       gke-metadata-server-j87g5                                        1/1     Running   0             16m
kube-system                       gke-metadata-server-st8s7                                        1/1     Running   0             16m
kube-system                       gke-metadata-server-w6wv5                                        1/1     Running   0             16m
kube-system                       gke-metrics-agent-697lh                                          1/1     Running   0             16m
kube-system                       gke-metrics-agent-m2jgw                                          1/1     Running   0             16m
kube-system                       gke-metrics-agent-v8bd5                                          1/1     Running   0             16m
kube-system                       kube-dns-85df8994db-8j726                                        4/4     Running   0             21m
kube-system                       kube-dns-85df8994db-hs294                                        4/4     Running   0             21m
kube-system                       kube-dns-autoscaler-f4d55555-52v5m                               1/1     Running   0             21m
kube-system                       kube-proxy-gke-krmapihost-landi-krmapihost-landi-7d75b5c9-bxqq   1/1     Running   0             16m
kube-system                       kube-proxy-gke-krmapihost-landi-krmapihost-landi-8aa5af79-z7nz   1/1     Running   0             16m
kube-system                       kube-proxy-gke-krmapihost-landi-krmapihost-landi-cfde5f71-9jw1   1/1     Running   0             16m
kube-system                       l7-default-backend-69fb9fd9f9-42kch                              1/1     Running   0             21m
kube-system                       metrics-server-v0.4.5-fb4c49dd6-cqmcx                            2/2     Running   0             21m
kube-system                       netd-7q2xz                                                       1/1     Running   0             16m
kube-system                       netd-zjzvw                                                       1/1     Running   0             16m
kube-system                       netd-zzft8                                                       1/1     Running   0             16m
kube-system                       pdcsi-node-bw2fz                                                 2/2     Running   0             16m
kube-system                       pdcsi-node-pb2s2                                                 2/2     Running   0             16m
kube-system                       pdcsi-node-tqj8h                                                 2/2     Running   0             16m
resource-group-system             resource-group-controller-manager-6c6774ff66-9ktnm               3/3     Running   0             14m

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kubectl get services --all-namespaces -o wide
NAMESPACE                         NAME                                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                       AGE   SELECTOR
cnrm-system                       abandon-on-uninstall                   ClusterIP   10.100.80.196   <none>        443/TCP                       15m   cnrm.cloud.google.com/component=cnrm-deletiondefender,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-deletiondefender                  ClusterIP   10.100.80.39    <none>        443/TCP                       15m   cnrm.cloud.google.com/component=cnrm-deletiondefender,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-manager-ccd8mhcgkgtdktv36t6g      ClusterIP   10.100.80.235   <none>        443/TCP,8888/TCP              15m   cnrm.cloud.google.com/component=cnrm-controller-manager,cnrm.cloud.google.com/scoped-namespace=config-control,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-resource-stats-recorder-service   ClusterIP   10.100.80.254   <none>        8888/TCP                      15m   cnrm.cloud.google.com/component=cnrm-resource-stats-recorder,cnrm.cloud.google.com/system=true
cnrm-system                       cnrm-validating-webhook                ClusterIP   10.100.80.110   <none>        443/TCP                       15m   cnrm.cloud.google.com/component=cnrm-webhook-manager,cnrm.cloud.google.com/system=true
config-management-monitoring      otel-collector                         ClusterIP   10.100.80.212   <none>        55678/TCP,8888/TCP,8675/TCP   15m   app=opentelemetry,component=otel-collector
configconnector-operator-system   configconnector-operator-service       ClusterIP   10.100.80.176   <none>        443/TCP                       16m   cnrm.cloud.google.com/component=configconnector-operator,cnrm.cloud.google.com/operator-system=true
default                           kubernetes                             ClusterIP   10.100.80.1     <none>        443/TCP                       25m   <none>
gatekeeper-system                 gatekeeper-webhook-service             ClusterIP   10.100.80.4     <none>        443/TCP                       15m   control-plane=controller-manager,gatekeeper.sh/operation=webhook,gatekeeper.sh/system=yes,policycontroller.configmanagement.gke.io=true
kube-system                       default-http-backend                   NodePort    10.100.80.180   <none>        80:32017/TCP                  23m   k8s-app=glbc
kube-system                       kube-dns                               ClusterIP   10.100.80.10    <none>        53/UDP,53/TCP                 23m   k8s-app=kube-dns
kube-system                       metrics-server                         ClusterIP   10.100.80.114   <none>        443/TCP                       23m   k8s-app=metrics-server

Role bindings: see pending refactoring in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/96

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ export ORG_ID=583675367868
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ export SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ echo $SA_EMAIL
service-453474601356@gcp-sa-yakima.iam.gserviceaccount.com

we don't need the quotes
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.folderAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.projectCreator"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.projectDeleter"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/orgpolicy.policyAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/billing.user"
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role roles/accesscontextmanager.policyAdmin
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role roles/compute.xpnAdmin
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role roles/iam.serviceAccountAdmin
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role roles/serviceusage.serviceUsageConsumer
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role roles/logging.admin

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/landing-zone landing-zone

Package "landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * branch            main       -> FETCH_HEAD
 * [new branch]      main       -> origin/main
Adding package "solutions/landing-zone".

Fetched 1 package(s).

setters.yaml
apiVersion: v1
kind: ConfigMap
metadata: # kpt-merge: /setters
  name: setters
data:
  #############
  # General Settings Values
  #
  # The following are Settings for the environment to bootstrap with
  #
  #############
  billing-id: "019283-6F1AB5-7AD576"
  org-id: "583675367868"
  #############
  # Management Project
  # This is the project the Config Controller instance is running in
  # Values can be viewed in the Project Dashboard
  management-project-id: landing-zone-controller-1z583
  management-project-number: "landing-zone-controller-1z583"
  #############
  # Project  IDs
  # These are the IDs for the projects that will be created by the LZ script
  # All IDs should be universally unique
  # Must be 6 to 30 characters in length.
  # Can only contain lowercase letters, numbers, and hyphens.
  # Must start with a letter.
  # Cannot end with a hyphen.
  # Cannot be in use or previously used; this includes deleted projects.
  # Cannot contain restricted strings, such as google and ssl.
  net-host-prj-nonprod-id: net-host-prj-nonprod-old1
  net-host-prj-prod-id: net-host-prj-prod-old1
  net-perimeter-prj-common-id: net-perimeter-prj-common-old1
  audit-prj-id: audit-prj-id-old1
  guardrails-project-id: guardrails-project-old1
  #############
  # Groups (allow for user:)
  # Permissions will be assigned to the specified group email
  audit-viewer: auditdata@obrienlabs.dev
  log-writer: auditdata@obrienlabs.dev
  log-reader: auditdata@obrienlabs.dev
  organization-viewer: auditdata@obrienlabs.dev

5. deploy

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit/landing-zone (landing-zone-controller-1z583)$ kpt fn render
Package "landing-zone/environments/common/guardrails-policies":
Package "landing-zone/environments/common":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 2.1s
  Results:
    [info]: namespace "common" updated to "config-control", 23 value(s) changed

Package "landing-zone/environments/nonprod":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 300ms
  Results:
    [info]: namespace "nonprod" updated to "config-control", 7 value(s) changed

Package "landing-zone/environments/prod":
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[FAIL] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 700ms
  Stderr:
    "docker: Error response from daemon: Get \"https://gcr.io/v2/\": dial tcp [2607:f8b0:400c:c13::52]:443: connect: cannot assign requested address."
    "See 'docker run --help'."
  Exit code: 125

checking auth

20220908:0800 - was missing the project number - thanks Chris

Progressing, thanks for the project number vs id 

https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects
I have not required the number yet - thought we were using the ID as the PK, GCP uses a composite key under the covers
I see now project number is essentially the primary key LONG, so we have the triplet number, id, name

rerunning with 
will adjust the docs
https://console.cloud.google.com/home/dashboard?project=landing-zone-controller-1z583
Screen Shot 2022-09-09 at 8 01 22 AM

michael@cloudshell:~ (landing-zone-controller-1z583)$ gcloud projects describe landing-zone-controller-1z583
createTime: '2022-09-09T00:24:01.131Z'
labels:
  created-with-arete: 'true'
lifecycleState: ACTIVE
name: landing-zone-controller-1z583
parent:
  id: '41160724790'
  type: folder
projectId: landing-zone-controller-1z583
projectNumber: '453474601356'


for

management-project-id: landing-zone-controller-1z583
management-project-number: "453474601356"

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit/landing-zone (landing-zone-controller-1z583)$ kpt fn render
Package "landing-zone/environments/common/guardrails-policies":
Package "landing-zone/environments/common":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 2.1s
  Results:
    [info]: namespace "common" updated to "config-control", 23 value(s) changed

Package "landing-zone/environments/nonprod":
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 300ms
  Results:
    [info]: namespace "nonprod" updated to "config-control", 7 value(s) changed

Package "landing-zone/environments/prod":
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[PASS] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 2.9s
  Results:
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-compute: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-logging: generated service
[RUNNING] "gcr.io/kpt-fn/set-namespace:v0.4.1"
[PASS] "gcr.io/kpt-fn/set-namespace:v0.4.1" in 400ms
  Results:
    [info]: namespace "prod" updated to "config-control", 4 value(s) changed

Package "landing-zone":
[RUNNING] "gcr.io/kpt-fn/apply-setters:v0.2"
[PASS] "gcr.io/kpt-fn/apply-setters:v0.2" in 1.9s
  Results:
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] metadata.annotations.cnrm.cloud.google.com/organization-id: set field value to "583675367868"
    [info] spec.projectID: set field value to "net-perimeter-prj-common-old1"
    [info] spec.parentRef.external: set field value to "583675367868"
    ...(87 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/generate-folders:v0.1.1"
[PASS] "gcr.io/kpt-fn/generate-folders:v0.1.1" in 4.5s
[RUNNING] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0"
[PASS] "gcr.io/kpt-fn/enable-gcp-services:v0.1.0" in 1.7s
  Results:
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-compute: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-dns: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/nonprod-nethost-service-logging: generated service
    [info] serviceusage.cnrm.cloud.google.com/v1beta1/Service/config-control/prod-nethost-service-compute: recreated service
    ...(3 line(s) truncated, use '--truncate-output=false' to disable)
[RUNNING] "gcr.io/kpt-fn/gatekeeper:v0.2.1"
[PASS] "gcr.io/kpt-fn/gatekeeper:v0.2.1" in 3.1s
[RUNNING] "gcr.io/kpt-fn/kubeval:v0.3.0"
[PASS] "gcr.io/kpt-fn/kubeval:v0.3.0" in 21.3s

Successfully executed 9 function(s) in 5 package(s).

changes:

1) we don't need the quotes
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/resourcemanager.folderAdmin"

2) add root folder environments/common/hiearchy.yaml to landingzone/environments/common/hiearchy.yaml

3) not clear where to pull the kpt fetch (inside the repo? and why are we not using the folder already in the repo?)

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ ls landing-zone/
cicd-examples  environments  img  Kptfile  README.md  setters.yaml  solution.yaml
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ ls solutions/landing-zone/
cicd-examples  environments  img  Kptfile  README.md  setters.yaml  solution.yaml
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ git status
On branch main
Your branch is up to date with 'origin/main'.

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        landing-zone/

nothing added to commit but untracked files present (use "git add" to track)

4) we need an example run
What is project number? I would expect it to be project id, but we already have one of these - are they switched, as in project name and project id (not always the same unless name is unique), or is it the random postfix?
  management-project-id: management-project-12345
  management-project-number: "0000000000"

Why is one in quotes? (I need to check their usage.)
I would expect the same, as the project id should be unique.
  management-project-id: landing-zone-controller-1z583
  management-project-number: "landing-zone-controller-1z583"

for 4
20220908:0800 - was missing the project number - thanks Chris
Progressing, thanks for the project number vs id 
https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects

20220909:0800 step 5 a/b https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#usage

kpt live init landing-zone --namespace config-control

We need to run from the parent dir

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit/landing-zone (landing-zone-controller-1z583)$ cd ..
michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kpt live init landing-zone --namespace config-control
initializing Kptfile inventory info (namespace: config-control)...success

michael@cloudshell:~/github/GoogleCloudPlatform/pubsec-declarative-toolkit (landing-zone-controller-1z583)$ kpt live apply landing-zone --reconcile-timeout=2m --output=table
Error: 4 resource types could not be found in the cluster or as CRDs among the applied resources.

Resource types:
constraints.gatekeeper.sh/v1beta1, Kind=NamingPolicy
constraints.gatekeeper.sh/v1beta1, Kind=DataLocation
constraints.gatekeeper.sh/v1beta1, Kind=LimitEgressTraffic
constraints.gatekeeper.sh/v1beta1, Kind=CloudMarketPlaceConfig

Thanks Chris, adding the policy directory to .krmignore https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/landing-zone/.krmignore https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/103#issuecomment-1241961723
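
The bindings earlier in this comment give the Config Connector service account organization-wide roles that can create and delete projects, edit IAM (roles/iam.securityAdmin) and change org policy, so anyone running this against a real org should be able to state exactly which roles that account holds and catch drift later. The script below is an added example for this thread, not code from the pubsec-declarative-toolkit: it consumes the JSON that `gcloud organizations get-iam-policy "$ORG_ID" --format=json` prints (the policy embedded in it is constructed sample data in that shape, reusing the service account name from this session) and reports roles missing from the README's list, roles beyond it, and roles that are granted only under an IAM condition.

```python
"""Audit the organization-level IAM roles held by the Config Connector service account.

Added example for this thread, not code from the pubsec-declarative-toolkit.
Input: the JSON from `gcloud organizations get-iam-policy "$ORG_ID" --format=json`.
SAMPLE_POLICY below is constructed data in that shape, not a capture of a real org.
"""
from __future__ import annotations

import json
import sys

# The roles the landing-zone README step above binds at the organization level.
# serviceusage.serviceUsageConsumer appears twice in the shell history; the set
# collapses the duplicate.
REQUIRED_ROLES = frozenset({
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectDeleter",
    "roles/iam.securityAdmin",
    "roles/orgpolicy.policyAdmin",
    "roles/serviceusage.serviceUsageConsumer",
    "roles/billing.user",
    "roles/accesscontextmanager.policyAdmin",
    "roles/compute.xpnAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/logging.admin",
})


def roles_for_member(policy: dict, member: str, conditional_only: bool = False) -> set[str]:
    """Roles granted to `member` in the policy; with conditional_only, just those
    carrying an IAM condition (which may not be effective for the controller)."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and (b.get("condition") or not conditional_only)
    }


def audit(policy: dict, sa_email: str, required: frozenset[str] = REQUIRED_ROLES) -> dict[str, list[str]]:
    """Compare the SA's org-level roles with the documented set.

    missing: required but absent; extra: held but not documented (least-privilege
    drift to explain or remove); conditional: held only through a conditional binding.
    """
    member = f"serviceAccount:{sa_email}"
    held = roles_for_member(policy, member)
    return {
        "missing": sorted(required - held),
        "extra": sorted(held - required),
        "conditional": sorted(roles_for_member(policy, member, conditional_only=True)),
    }


# Constructed sample: billing.user was never bound, roles/owner crept in (it subsumes
# everything and has no place here) and logging.admin is only granted under a condition.
SAMPLE_SA = "service-453474601356@gcp-sa-yakima.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXconstructed",
    "bindings": [
        {"role": role, "members": [f"serviceAccount:{SAMPLE_SA}"]}
        for role in sorted(REQUIRED_ROLES - {"roles/billing.user", "roles/logging.admin"})
    ] + [
        {"role": "roles/owner",
         "members": [f"serviceAccount:{SAMPLE_SA}", "user:admin@example.com"]},
        {"role": "roles/logging.admin",
         "members": [f"serviceAccount:{SAMPLE_SA}"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2022-10-01T00:00:00Z')"}},
    ],
}


def main() -> int:
    """Usage: audit_cc_sa.py [policy.json] [sa_email]; defaults to the sample."""
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    sa = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SA
    report = audit(policy, sa)
    for kind, roles in report.items():
        print(f"{kind}: {', '.join(roles) or '(none)'}")
    # Non-zero exit so the check can gate a pipeline step.
    return 1 if report["missing"] or report["extra"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it after the bindings step with `gcloud organizations get-iam-policy "$ORG_ID" --format=json > org-policy.json && python3 audit_cc_sa.py org-policy.json "$SA_EMAIL"`. Anything in `extra` (roles/owner in the sample) is the finding worth chasing: this account already holds enough to create, delete and re-permission every project under the org, so it should hold nothing that the solution does not need.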
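
The `management-project-number` mix-up earlier in this comment (the project ID was pasted where the numeric project number belongs, and `kpt fn render` happily accepted it) is the kind of thing to catch before rendering and applying against a real org. The checker below is an added example, not part of the toolkit: it encodes the rules the setters.yaml comments state (project ID format, restricted strings, uniqueness) plus the ID-versus-number distinction, reads only the flat `key: value` ConfigMap layout shown on this page rather than general YAML, and its embedded sample is a condensed copy of the setters.yaml pasted above.

```python
"""Sanity-check a landing-zone setters.yaml before `kpt fn render`.

Added example for this thread, not code from the pubsec-declarative-toolkit.
Checks the rules the setters.yaml comments state, and the mix-up hit above:
management-project-number must be the numeric projectNumber from
`gcloud projects describe`, not the project ID. Assumption: the reader only
understands the flat `key: value` ConfigMap layout shown on this page.
"""
from __future__ import annotations

import re
import sys

PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")  # 6-30 chars, lowercase
RESTRICTED = ("google", "ssl")  # the restricted strings the comments name
BILLING_ID_RE = re.compile(r"^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$")
PROJECT_ID_KEYS = (
    "management-project-id",
    "net-host-prj-nonprod-id",
    "net-host-prj-prod-id",
    "net-perimeter-prj-common-id",
    "audit-prj-id",
    "guardrails-project-id",
)

# Condensed copy of the setters.yaml pasted above (comments trimmed, same layout).
SAMPLE_SETTERS = """\
apiVersion: v1
kind: ConfigMap
metadata: # kpt-merge: /setters
  name: setters
data:
  billing-id: "019283-6F1AB5-7AD576"
  org-id: "583675367868"
  management-project-id: landing-zone-controller-1z583
  management-project-number: "landing-zone-controller-1z583"
  net-host-prj-nonprod-id: net-host-prj-nonprod-old1
  net-host-prj-prod-id: net-host-prj-prod-old1
  net-perimeter-prj-common-id: net-perimeter-prj-common-old1
  audit-prj-id: audit-prj-id-old1
  guardrails-project-id: guardrails-project-old1
  audit-viewer: auditdata@obrienlabs.dev
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Collect `key: value` scalars; comments, blank lines and keys with no scalar
    (the apiVersion/kind/metadata/data scaffolding) are ignored, quotes stripped."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"').strip("'")
        if value:
            out[key.strip()] = value
    return out


def check_project_id(pid: str) -> list[str]:
    """Problems with one project ID under the rules listed in the setters comments."""
    problems = []
    if not PROJECT_ID_RE.fullmatch(pid):
        problems.append(f"{pid!r} must be 6-30 lowercase letters/digits/hyphens, "
                        "start with a letter and not end with a hyphen")
    problems.extend(f"{pid!r} contains restricted string {w!r}" for w in RESTRICTED if w in pid)
    return problems


def validate(setters: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the file passed every check."""
    findings: list[str] = []
    for key in ("billing-id", "org-id", "management-project-number", *PROJECT_ID_KEYS):
        if key not in setters:
            findings.append(f"{key}: missing")
    billing = setters.get("billing-id", "")
    if billing and not BILLING_ID_RE.fullmatch(billing):
        findings.append(f"billing-id: {billing!r} is not of the form XXXXXX-XXXXXX-XXXXXX")
    org = setters.get("org-id", "")
    if org and not org.isdigit():
        findings.append(f"org-id: {org!r} must be the numeric organization ID")
    number = setters.get("management-project-number", "")
    if number and not number.isdigit():
        findings.append(f"management-project-number: {number!r} is not numeric; use "
                        "projectNumber from `gcloud projects describe`, not the project ID")
    for key in PROJECT_ID_KEYS:
        if key in setters:
            findings.extend(f"{key}: {p}" for p in check_project_id(setters[key]))
    ids = [setters[k] for k in PROJECT_ID_KEYS if k in setters]
    if len(set(ids)) != len(ids):
        findings.append("project IDs must be unique across all *-id keys")
    return findings


def main() -> int:
    """Usage: check_setters.py [setters.yaml]; defaults to the embedded sample."""
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SETTERS
    findings = validate(parse_flat_yaml(text))
    for finding in findings:
        print(f"FAIL {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Against the embedded sample it reports exactly one finding, the non-numeric `management-project-number`; with `"453474601356"` in that field it passes. Note what it cannot check offline: whether the billing account is the one you meant (the shared-account mistake above) or whether a project ID was used and deleted before, which Resource Manager rejects at creation time.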

fmichaelobrien commented 2 years ago

Clean org testing of #103 also in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/107

issue is:
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged

using --inventory-policy adopt via https://github.com/GoogleContainerTools/kpt/issues/1724 works well

before

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone
installing inventory ResourceGroup CRD.
namespace/config-control apply failed: can't adopt an object without the annotation config.k8s.io/owning-inventory
namespace/config-control reconcile skipped
configmap/setters unchanged
..
iampolicymember.iam.cnrm.cloud.google.com/log-sink-writer reconcile skipped
0 resource(s) reconciled, 90 skipped, 0 failed to reconcile, 0 timed out
1 resources failed

after

michael@cloudshell:~/github/GoogleCloudPlatform/20220909-103 (lz-20220910-oldev)$ kpt live apply landing-zone --inventory-policy adopt
installing inventory ResourceGroup CRD.
namespace/config-control configured
namespace/config-control reconcile pending
namespace/config-control reconciled
configmap/setters created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel created
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/prodaccesslevels created
accesscontextmanageraccesspolicy.accesscontextmanager.cnrm.cloud.google.com/orgaccesspolicy created
computefirewall.compute.cnrm.cloud.google.com/allow-egress-internet created
Screen Shot 2022-09-10 at 11 36 03
michael@cloudshell:~ (magellan-01)$ kubectl get gcp
NAME                                                                                                 AGE     READY   STATUS               STATUS AGE
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/commonaccesslevels        9m29s   False   DependencyNotReady   9m28s
accesscontextmanageraccesslevel.accesscontextmanager.cnrm.cloud.google.com/nonprodperimaccesslevel   9m28s   False   DependencyNotReady   9m28s
Screen Shot 2022-09-10 at 11 38 43
fmichaelobrien commented 2 years ago

Status Fixed affecting bringing up the cluster and landing zone so far

add --inventory-policy adopt - when kpt live apply - fails #112 See workaround in https://github.com/GoogleContainerTools/kpt/issues/1724

.krmignore additions in #103

periodic krm fn render - retry in #108

checking issue with project creation - 2nd time around with advanced install

michael@cloudshell:~ (magellan-01)$ kubectl get gcpservice
NAME                              AGE   READY   STATUS         STATUS AGE
common-nethost-service-compute    55m   False   UpdateFailed   55m
common-nethost-service-logging    55m   False   UpdateFailed   55m
nonprod-nethost-service-compute   55m   False   UpdateFailed   55m
nonprod-nethost-service-dns       55m   False   UpdateFailed   55m
nonprod-nethost-service-logging   55m   False   UpdateFailed   55m
prod-nethost-service-compute      55m   False   UpdateFailed   55m
prod-nethost-service-logging      55m   False   UpdateFailed   55m

michael@cloudshell:~ (magellan-01)$ kubectl describe gcpservice nonprod-nethost-service-compute

missing projects - may be quota

, forbidden
  Warning  UpdateFailed  51m  service-controller  Update call failed: error fetching live state: error reading underlying resource: summary: Error when reading or editing Project Service projects/net-host-prj-nonprod-old1/services/: Request `List Project Services net-host-prj-nonprod-old1` returned error: Batch request and retried single request "List Project Services net-host-prj-nonprod-old1" both failed. Final error: Failed to list enabled services for project net-host-prj-nonprod-old1: googleapi: Error 403: Project 'projects/net-host-prj-nonprod-old1' not found or permission denied.
Help Token: AfeSHlJ8OVrQ2USjlwYAuSQpQlkvh55EVAPx13B1_FVPxC9p6d59t-GmTmeaC9ZMR3ACMzKApyEC2nJzw1ttuzDLbX6FPNnl2LAbKZ0uVTIG7rVv
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
obriensystems commented 2 years ago

deleting gcp.zone anthos cc in prep of restarting it and reentering the landing-zone solution

michael@cloudshell:~ (landing-zone-controller-e4g7d)$ gcloud anthos config controller list
NAME: landing-zone-controller
LOCATION: northamerica-northeast1
STATE: RUNNING
michael@cloudshell:~ (landing-zone-controller-e4g7d)$ gcloud anthos config controller delete --location northamerica-northeast1 landing-zone-controller
You are about to delete instance [landing-zone-controller]

Do you want to continue (Y/n)?  y

Delete request issued for: [landing-zone-controller]
Waiting for operation [projects/landing-zone-controller-e4g7d/locations/northamerica-northeast1/operations/operation-1662994254655-5e87c05cfeff7-f012477d-f9ded40b] to complete...working.  
fmichaelobrien commented 2 years ago

Testing post https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/132#issuecomment-1249542479

for https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#usage

page needs gcloud config set project, and link to advanced install for cc bootstrap https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/docs/advanced-install.md#advanced-install

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit$ gcloud config set project pubsec-declarative-toolkit-arg
Updated property [core/project].
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export REGION=northamerica-northeast2
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $PROJECT_ID
pubsec-declarative-toolkit-arg
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $ORG_ID
226082700214

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $EMAIL
admin@fmichaelobrien.altostrat.com
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "user:${EMAIL}" --role roles/logging.admin
Updated IAM policy for organization [226082700214].
bindings:

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ gcloud alpha logging settings update --organization=$ORG_ID --storage-location=$REGION
name: organizations/226082700214
storageLocation: northamerica-northeast2
fmichaelobrien commented 2 years ago

Advanced install adjust

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/132#issuecomment-1251437879

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export CLUSTER=pdt
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export REGION=northamerica-northeast2
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export CC_PROJECT_ID=controller-arg-0919
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export NETWORK=pdt
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export SUBNET=pdt
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export BOOT_PROJECT_ID=$(gcloud config list --format 'value(core.project)')
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export ORG_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $BILLING_ID
01A5BD-D56C52-FB1D82
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ echo $ORG_ID
226082700214
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (pubsec-declarative-toolkit-arg)$ gcloud projects create $CC_PROJECT_ID --name="Config Controller" --labels=type=infrastructure-automation --set-as-default
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/controller-arg-0919].
Waiting for [operations/cp.8995885859641859690] to finish...done.    
Enabling service [cloudapis.googleapis.com] on project [controller-arg-0919]...
Operation "operations/acat.p2-370436361900-cb037b1f-6576-4b1c-930d-190a867f4340" finished successfully.
Updated property [core/project] to [controller-arg-0919].
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud beta billing projects link $CC_PROJECT_ID --billing-account $BILLING_ID
billingAccountName: billingAccounts/01A5BD-D56C52-FB1D82
billingEnabled: true
name: projects/controller-arg-0919/billingInfo
projectId: controller-arg-0919
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud config set project $CC_PROJECT_ID
Updated property [core/project].
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud services enable krmapihosting.googleapis.com \
    container.googleapis.com \
    cloudresourcemanager.googleapis.com
Operation "operations/acf.p2-370436361900-dc7e6cf6-8322-465d-98d8-618bfd068805" finished successfully.
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud compute networks create $NETWORK --subnet-mode=custom
Created [https://www.googleapis.com/compute/v1/projects/controller-arg-0919/global/networks/pdt].
NAME: pdt
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt --allow tcp:22,tcp:3389,icmp

admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud compute networks subnets create $SUBNET  \
--network $NETWORK \
--range 192.168.0.0/16 \
--region $REGION
Created [https://www.googleapis.com/compute/v1/projects/controller-arg-0919/regions/northamerica-northeast2/subnetworks/pdt].
NAME: pdt
REGION: northamerica-northeast2
NETWORK: pdt
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:

checking on turning off org policies first local to the project
admin_@cloudshell:~/wse_github/20220829/pubsec-declarative-toolkit (controller-arg-0919)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [pdt]
Waiting for operation [projects/controller-arg-0919/locations/northamerica-northeast2/operations/operation-1663613870842-5e90c49d0a29a-a96e5f2b-e412a316] to complete...working...

requireOsLogin
(screenshot: 2022-09-19 3:01:10 PM)

requireShieldedVm
(screenshot: 2022-09-19 3:00:43 PM)
fmichaelobrien commented 1 year ago

Testing main after https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/174 env = arg - pdt-arg, kcc project controller-arg-0919

admin_@cloudshell:~/wse_github/20221128_main (pubsec-declarative-toolkit-arg)$ git clone https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git

Using existing arete created cluster

(screenshots: 2022-11-28 10:32:44 AM, 10:33:09 AM, 10:33:23 AM)
fmichaelobrien commented 1 year ago

20221201 3rd cluster on alternate.gcp.zone follow https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/docs/advanced-install.md https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/solutions/landing-zone/architecture.md#creating-the-config-controller-cluster

watch for multiple billing accounts - pick the right one

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export CC_PROJECT_ID=controller-agz-1201
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export REGION=northamerica-northeast2
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export CLUSTER=pdt
export NETWORK=pdt-vpc
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export REGION=northamerica-northeast1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export SUBNET=pdt
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export BOOT_PROJECT_ID=$(gcloud config list --format 'value(core.project)')
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ echo $BOOT_PROJECT_ID
pubsec-declarative-agz
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export ORG_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ echo $ORG_ID
6839210352
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ export BILLING_ID=$(gcloud alpha billing projects describe $BOOT_PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ echo $BILLING_ID
019283-6F1AB5-7AD576
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (pubsec-declarative-agz)$ gcloud projects create $CC_PROJECT_ID --name="Config Controller" --labels=type=infrastructure-automation --set-as-default
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/controller-agz-1201].
Waiting for [operations/cp.7683542102938739329] to finish...done.    
Enabling service [cloudapis.googleapis.com] on project [controller-agz-1201]...
Operation "operations/acat.p2-482702030934-67906db4-95f9-4ed3-b34d-8061b192168e" finished successfully.
Updated property [core/project] to [controller-agz-1201].
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud beta billing projects link $CC_PROJECT_ID --billing-account $BILLING_ID
billingAccountName: billingAccounts/019283-6F1AB5-7AD576
billingEnabled: true
name: projects/controller-agz-1201/billingInfo
projectId: controller-agz-1201
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud config set project $CC_PROJECT_ID
Updated property [core/project].

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud services enable krmapihosting.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com accesscontextmanager.googleapis.com
Operation "operations/acf.p2-482702030934-71d1d53e-7745-4133-9c10-7da1ce2f2099" finished successfully.
(screenshot: 2022-12-01 12:21:33 PM)
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud compute networks create $NETWORK --subnet-mode=custom
Created [https://www.googleapis.com/compute/v1/projects/controller-agz-1201/global/networks/pdt-vpc].
NAME: pdt-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-vpc --allow tcp:22,tcp:3389,icmp

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud compute networks subnets create $SUBNET --network $NETWORK --range 192.168.0.0/16 --region $REGION
Created [https://www.googleapis.com/compute/v1/projects/controller-agz-1201/regions/northamerica-northeast1/subnetworks/pdt].
NAME: pdt
REGION: northamerica-northeast1
NETWORK: pdt-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
(screenshot: 2022-12-01 12:28:12 PM)

1230

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [pdt]
Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/operation-1669915762847-5eec78fd970f6-f8ad4661-a32cc57c] to complete...working   

1239

(screenshot: 2022-12-01 12:39:15 PM)

1254 - use us-west1 for now due to timeouts

40 min timeout - cluster deleting

1315
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [pdt2]
Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/operation-1669918481596-5eec831e64237-1b3fee95-253b80b7] to complete...working..

--full-management

Other regions for now

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export REGION=us-east1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export NETWORK=pdt-e1a-vpc
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export SUBNET=pdte1a
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export CLUSTER=pdt-e1a
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud compute networks create $NETWORK --subnet-mode=custom
ERROR: (gcloud.compute.networks.create) Could not fetch resource:
 - Quota 'NETWORKS' exceeded.  Limit: 5.0 globally.
        metric name = compute.googleapis.com/networks
        limit name = NETWORKS-per-project
        dimensions = global: global

deleted 4 VPCs

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export REGION=us-east1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export NETWORK=pdt-e1a-vpc
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export SUBNET=pdte1a
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ export CLUSTER=pdt-e1a

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud compute networks create $NETWORK --subnet-mode=custom
Created [https://www.googleapis.com/compute/v1/projects/controller-agz-1201/global/networks/pdt-e1a-vpc].
NAME: pdt-e1a-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-e1a-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-e1a-vpc --allow tcp:22,tcp:3389,icmp

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud compute networks subnets create $SUBNET --network $NETWORK --range 192.168.0.0/16 --region $REGION
Created [https://www.googleapis.com/compute/v1/projects/controller-agz-1201/regions/us-east1/subnetworks/pdte1a].
NAME: pdte1a
REGION: us-east1
NETWORK: pdt-e1a-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit (controller-agz-1201)$ gcloud anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET
Create request issued for: [pdt-e1a]
Waiting for operation [projects/controller-agz-1201/locations/us-east1/operations/operation-1669920779412-5eec8badc2298-64f958f6-3a41c93e] to complete...working   

us-east1 is ok (as is one of the other na-ne1's are ok) - behaviour is random - so disregard and retry

(screenshots: 2022-12-01 1:56:56 PM, 2:02:36 PM)

northamerica-northeast1 all good with autopilot now

export REGION=northamerica-northeast1
export SUBNET=pdt-na1-sn
export CLUSTER=pdt-na1
export NETWORK=pdt-na1-vpc
export CC_PROJECT_ID=controller-agz-1201
export BOOT_PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export BILLING_ID=$(gcloud alpha billing projects describe $BOOT_PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
USER="$(kubectl get ConfigConnectorContext -n config-control -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
ORGID=$(gcloud projects get-ancestors $CC_PROJECT_ID --format='get(id)' | tail -1)
gcloud compute networks create $NETWORK --subnet-mode=custom
gcloud compute networks subnets create $SUBNET --network $NETWORK --range 192.168.0.0/16 --region $REGION
gcloud alpha anthos config controller create $CLUSTER --location $REGION --network $NETWORK --subnet $SUBNET --full-management
gcloud anthos config controller list
fmichaelobrien commented 1 year ago

continue

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export REGION=northamerica-northeast1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export CLUSTER=pdt-na1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ gcloud anthos config controller get-credentials $CLUSTER  --location $REGION
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-na1.

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export CC_PROJECT_ID=controller-agz-1201
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export ORG_ID=$(gcloud projects get-ancestors $CC_PROJECT_ID --format='get(id)' | tail -1)
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ echo $ORG_ID
6839210352

root-sync on oci render under metadata:

switch to root-sync - see https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#manage-resources

export ORG_ID=$ORG_ID
export SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control \
    -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/resourcemanager.folderAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/resourcemanager.projectCreator"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/resourcemanager.projectDeleter"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/orgpolicy.policyAdmin"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/serviceusage.serviceUsageConsumer"
gcloud organizations add-iam-policy-binding "${ORG_ID}" \
    --member "serviceAccount:${SA_EMAIL}" \
    --role "roles/billing.user"    

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export PROJECT_ID=controller-agz-1201
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ gcloud services enable artifactregistry.googleapis.com --project=${PROJECT_ID}
Operation "operations/acat.p2-482702030934-2e81e615-ca24-4782-b360-86066881c91f" finished successfully.

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ export AR_REPO_NAME=lz-pdt-na1
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ gcloud artifacts repositories create ${AR_REPO_NAME} \
--repository-format=docker \
--location=northamerica-northeast1 \
--description="Config Sync OCI repo" \
--project=${PROJECT_ID}
Create request issued for: [lz-pdt-na1]
Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/36128da8-cb00-44c5-8245-843b07499c85] to complete...working.API [artifactregistry.googleapis.com] Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/36128da8-cb00-44c5-8245-843b07499c85] to complete...working.. 
(screenshot: 2022-12-02 1:25:22 PM)

rename first -landing-zone before installing crane

Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/36128da8-cb00-44c5-8245-843b07499c85] to complete...working...

Waiting for operation [projects/controller-agz-1201/locations/northamerica-northeast1/operations/36128da8-cb00-44c5-8245-843b07499c85] to complete...failed.
ERROR: (gcloud.artifacts.repositories.create) PERMISSION_DENIED: Artifact Registry API has not been used in project 482702030934 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/artifactregistry.googleapis.com/overview?project=482702030934 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developers console API activation
    url: https://console.developers.google.com/apis/api/artifactregistry.googleapis.com/overview?project=482702030934
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/482702030934
    service: artifactregistry.googleapis.com
  reason: SERVICE_DISABLED

ignore above

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#oci Create a Service Account for Config Management to Access the Artifact Repository.

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ gcloud iam service-accounts create $GSA_NAME \
--project=${PROJECT_ID}
Created service account [config-management-oci].
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ gcloud artifacts repositories add-iam-policy-binding ${AR_REPO_NAME} \
--member "serviceAccount:${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--location northamerica-northeast1 \
--role "roles/artifactregistry.reader"
API [artifactregistry.googleapis.com] not enabled on project [482702030934]. Would you like to enable and retry (this will take a few minutes)? (y/N)?  y

Enabling service [artifactregistry.googleapis.com] on project [482702030934]...
gcloud iam service-accounts add-iam-policy-binding ${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:${PROJECT_ID}.svc.id.goog[config-management-system/root-reconciler-landing-zone]"
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ go install github.com/google/go-containerregistry/cmd/crane@latest
crane auth login northamerica-northeast1-docker.pkg.dev  -u oauth2accesstoken -p "$(gcloud auth print-access-token)"
go: downloading github.com/google/go-containerregistry v0.12.1
go: downloading github.com/docker/cli v20.10.20+incompatible
go: downloading github.com/opencontainers/image-spec v1.1.0-rc2
go: downloading github.com/spf13/cobra v1.6.0
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.12.1
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading golang.org/x/sync v0.1.0
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/klauspost/compress v1.15.11
go: downloading github.com/vbatts/tar-split v0.11.2
go: downloading github.com/docker/distribution v2.8.1+incompatible
go: downloading github.com/docker/docker v20.10.20+incompatible
go: downloading github.com/sirupsen/logrus v1.9.0
go: downloading github.com/docker/docker-credential-helpers v0.7.0
go: downloading golang.org/x/sys v0.1.0
2022/12/02 18:28:51 logged in via /home/root_/.docker/config.json
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$

missed CSR creation via KCC https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/landing-zone#git

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ vi service.yaml

root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ kubectl apply -f service.yaml
service.serviceusage.cnrm.cloud.google.com/sourcerepo.googleapis.com created
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ kubectl wait -f service.yaml --for=condition=Ready

git step iii - we don't apply this - need
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ vi repo.yaml

apiVersion: sourcerepo.cnrm.cloud.google.com/v1beta1
kind: SourceRepoRepository
metadata:
  name: my-lz-repo
  namespace: config-control
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ vi repo.yaml
root_@cloudshell:~/wse_github/obriensystems/pubsec-declarative-toolkit/solutions/landing-zone (controller-agz-1201)$ kubectl apply -f repo.yaml
sourcereporepository.sourcerepo.cnrm.cloud.google.com/my-lz-repo created

see https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#manage-resources cat <> lz-oci.yaml apiVersion: configsync.gke.io/v1beta1 kind: RootSync metadata:

config-management-system - kubectl get rootsync

v1 missing from lz-oci.yaml

if using kpt live apply - mind the 4 error workaround --inventory-policy adopt https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/112

access management policy issues are known

cloud billing and acm api's enabled on main project - need to be added

automation (2-3 part kcc + lz automation) https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/192

minor but we still need to add the prereq billing instructions as we run into these - like the 30char one https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/113
for kpt the workaround --inventory-policy extracting out from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/112 towards the goal of full automation in the script

csr yaml apply missing - like in https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#manage-resources https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/195
autopilot workaround (thanks for the flag Chris) https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/191
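As an added check that is not part of this thread or of the toolkit: the seven org-level bindings granted to the Config Connector service account above are what the root reconciler depends on, so the script below reads the JSON from `gcloud organizations get-iam-policy "$ORG_ID" --format=json`, reports which of those roles the service account lacks (including roles only bound under an IAM condition) and which roles it holds beyond that set, and emits the same `add-iam-policy-binding` commands for the gaps. The service account address, organization id and policy document in it are constructed sample data, not values from this issue.

```python
"""Audit the org-level IAM roles bound to the Config Connector service account.

Input is the JSON produced by:
    gcloud organizations get-iam-policy "$ORG_ID" --format=json
Expected roles are the seven bindings granted in the landing-zone setup.
The sample policy, SA address and org id below are constructed for illustration.
"""
import json
from typing import Dict, List, Set

# Org-level roles the landing-zone setup grants to the Config Connector SA
EXPECTED_ROLES: Set[str] = {
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectDeleter",
    "roles/iam.securityAdmin",
    "roles/orgpolicy.policyAdmin",
    "roles/serviceusage.serviceUsageConsumer",
    "roles/billing.user",
}


def roles_for_member(policy: Dict, member: str) -> Set[str]:
    """Roles whose binding lists `member` without an IAM condition.

    A conditional binding only applies while its expression is true, so the
    reconciler cannot rely on it; such a role is treated as not granted.
    """
    granted: Set[str] = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            granted.add(binding["role"])
    return granted


def audit_sa_roles(policy: Dict, sa_email: str,
                   expected: Set[str] = EXPECTED_ROLES) -> Dict[str, List[str]]:
    """Return the expected roles the SA lacks and the roles it holds beyond them."""
    granted = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {"missing": sorted(expected - granted),
            "extra": sorted(granted - expected)}


def remediation_commands(org_id: str, sa_email: str, missing: List[str]) -> List[str]:
    """One add-iam-policy-binding command per missing role, in the setup's own form."""
    return [
        f'gcloud organizations add-iam-policy-binding "{org_id}" '
        f'--member "serviceAccount:{sa_email}" --role "{role}"'
        for role in missing
    ]


# Constructed sample: placeholder org id and SA address, not real values.
SAMPLE_ORG_ID = "000000000000"
SAMPLE_SA = "cc-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["serviceAccount:%(sa)s"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:admin@example.com", "serviceAccount:%(sa)s"]},
    {"role": "roles/resourcemanager.projectDeleter",
     "members": ["serviceAccount:%(sa)s"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2022-01-01T00:00:00Z')"}},
    {"role": "roles/iam.securityAdmin", "members": ["serviceAccount:%(sa)s"]},
    {"role": "roles/orgpolicy.policyAdmin", "members": ["serviceAccount:%(sa)s"]},
    {"role": "roles/serviceusage.serviceUsageConsumer", "members": ["serviceAccount:%(sa)s"]},
    {"role": "roles/billing.user", "members": ["serviceAccount:%(sa)s"]},
    {"role": "roles/owner", "members": ["serviceAccount:%(sa)s"]}
  ],
  "etag": "BwXconstructed=",
  "version": 3
}""" % {"sa": SAMPLE_SA})


if __name__ == "__main__":
    result = audit_sa_roles(SAMPLE_POLICY, SAMPLE_SA)
    # projectDeleter is only bound under a condition, so it is reported missing;
    # roles/owner is bound but not needed by the landing zone, so it is extra.
    print("missing:", result["missing"])
    print("extra:  ", result["extra"])
    for cmd in remediation_commands(SAMPLE_ORG_ID, SAMPLE_SA, result["missing"]):
        print(cmd)
```

To run it against a live organization, replace `SAMPLE_POLICY` with `json.load(open("policy.json"))` after saving the `get-iam-policy` output, and `SAMPLE_SA` with the `$SA_EMAIL` value read from the ConfigConnectorContext above.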

fmichaelobrien commented 1 year ago

Continue with clean run iteration - this time with kpt pkg outside the repo like before.
Adding adjustments to the PR https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/pull/196/files

under https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/195 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/191 https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/192

root_@cloudshell:~/wse_github/obriensystems (pubsec-declarative-agz)$ kpt pkg get https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit.git/solutions/landing-zone landing-zone
Package "landing-zone":
Fetching https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit@main
From https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit
 * branch            main       -> FETCH_HEAD
 * [new branch]      main       -> origin/main
Adding package "solutions/landing-zone".

Fetched 1 package(s).

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/dev/docs/advanced-install.md#5-enable-the-required-services

obriensystems commented 1 year ago

on ol.dev dev branch script

1224
michael@cloudshell:~/dev/pdt-oldev/pubsec-declarative-toolkit/solutions/landing-zone (pubsec-declarative-toolkit)$ ./deployment.sh -b pdt-oldev -u pdtoldev -c true -l true -d false -p controller-oldev
Date: Wed 07 Dec 2022 05:24:09 PM UTC
Timestamp: 1670433849
running with: -b pdt-oldev -u pdtoldev -c true -l true -d false -p controller-oldev
Updated property [core/project].
Switched back to boot project pdt-oldev
Start: 1670433850
unique string: pdtoldev
REGION: northamerica-northeast1
NETWORK: pdt-pdtoldev-vpc
SUBNET: pdt-pdtoldev-sn
CLUSTER: pdt-pdtoldev
CC_PROJECT_ID: controller-oldev-3495
BOOT_PROJECT_ID: pdt-oldev
BILLING_ID: 011D7E-BD499C-CF71C5
ORGID: 583675367868
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/controller-oldev-3495].
Waiting for [operations/cp.5356056990227740854] to finish...done.    
Enabling service [cloudapis.googleapis.com] on project [controller-oldev-3495]...
Operation "operations/acat.p2-734150532580-6951f5e7-0016-4805-af4d-37894e20999c" finished successfully.
Updated property [core/project] to [controller-oldev-3495].
Created KCC project: controller-oldev-3495
Updated property [core/project].
billingAccountName: billingAccounts/011D7E-BD499C-CF71C5
billingEnabled: true
name: projects/controller-oldev-3495/billingInfo
projectId: controller-oldev-3495
Enabling APIs
Operation "operations/acf.p2-734150532580-b03730ab-8976-462e-908a-cf3b3f90f9a1" finished successfully.
Create VPC: pdt-pdtoldev-vpc
Created [https://www.googleapis.com/compute/v1/projects/controller-oldev-3495/global/networks/pdt-pdtoldev-vpc].
NAME: pdt-pdtoldev-vpc
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:

Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:

$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-pdtoldev-vpc --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-pdtoldev-vpc --allow tcp:22,tcp:3389,icmp

Create subnet pdt-pdtoldev-sn off VPC: pdt-pdtoldev-vpc
Created [https://www.googleapis.com/compute/v1/projects/controller-oldev-3495/regions/northamerica-northeast1/subnetworks/pdt-pdtoldev-sn].
NAME: pdt-pdtoldev-sn
REGION: northamerica-northeast1
NETWORK: pdt-pdtoldev-vpc
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating Anthos KCC autopilot cluster pdt-pdtoldev in region northamerica-northeast1 in subnet pdt-pdtoldev-sn off VPC pdt-pdtoldev-vpc
Create request issued for: [pdt-pdtoldev]
Waiting for operation [projects/controller-oldev-3495/locations/northamerica-northeast1/operations/operation-1670433959044-5ef4036bfe736-a631626f-62b4b87b] to complete...working.  
Waiting for operation [projects/controller-oldev-3495/locations/northamerica-northeast1/operations/operation-1670433959044-5ef4036bfe736-a631626f-62b4b87b] to complete...done.     
Created instance [pdt-pdtoldev].
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-pdtoldev.
Cluster create time: 1104 sec
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-pdt-pdtoldev.
Context "gke_controller-oldev-3495_northamerica-northeast1_krmapihost-pdt-pdtoldev" modified.
Active namespace is "config-control".
List Clusters:
NAME: pdt-pdtoldev
LOCATION: northamerica-northeast1
STATE: RUNNING
Total Duration: 1216 sec
Date: Wed 07 Dec 2022 05:44:26 PM UTC
Timestamp: 1670435066
Updated property [core/project].
Switched back to boot project pdt-oldev
run lz only in existing created project
michael@cloudshell:~/dev/pdt-oldev/pubsec-declarative-toolkit/solutions/landing-zone (pdt-oldev)$ ./deployment.sh -b pdt-oldev -u pdtoldev -c false -l true -d false -p controller-oldev-3495
fmichaelobrien commented 1 year ago

Autopilot now linked with above