Open obriensystems opened 5 months ago
Verify single package re-acquire before the full 5 package lz
michael@cloudshell:~/kcc-oi-20231206 (kcc-oi-7970)$ ls
github kpt
michael@cloudshell:~/kcc-oi-20231206 (kcc-oi-7970)$ ls kpt
_20240130 core-landing-zone
michael@cloudshell:~/kcc-oi-20231206 (kcc-oi-7970)$ cd github/pubsec-declarative-toolkit/solutions/
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$
Check deployment
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n config-control
NAME AGE READY STATUS STATUS AGE
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin 16d True UpToDate 16d
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa 16d True UpToDate 16d
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-metric-writer-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-kcc-oi-7970-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/config-mgmt-mon-default-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
service.serviceusage.cnrm.cloud.google.com/kcc-oi-7970-accesscontextmanager 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/kcc-oi-7970-anthos 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/kcc-oi-7970-cloudbilling 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/kcc-oi-7970-cloudresourcemanager 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/kcc-oi-7970-serviceusage 16d True UpToDate 16d
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n projects
NAME AGE READY STATUS STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions 16d True UpToDate 16d
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-monitoring-admin-logging-project-oi0130-permissions 16d True UpToDate 16d
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-storageadmin-logging-project-oi0130-permissions 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi0130 16d True UpToDate 16d
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi0130 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
service.serviceusage.cnrm.cloud.google.com/dns-project-oi0130-dns 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/logging-project-oi0130-logging 16d True UpToDate 16d
service.serviceusage.cnrm.cloud.google.com/logging-project-oi0130-monitoring 16d True UpToDate 16d
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n networking
NAME AGE READY STATUS STATUS AGE
dnsmanagedzone.dns.cnrm.cloud.google.com/dns-project-oi0130-standard-core-public-dns 16d True UpToDate 16d
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n hierarchy
NAME AGE READY STATUS STATUS AGE
folder.resourcemanager.cnrm.cloud.google.com/audits 16d True UpToDate 16d
folder.resourcemanager.cnrm.cloud.google.com/clients 16d True UpToDate 16d
folder.resourcemanager.cnrm.cloud.google.com/services 16d True UpToDate 16d
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure 16d True UpToDate 16d
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n policies
NAME AGE READY STATUS STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-guest-attribute-access 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-nested-virtualization 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-access 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-serial-port-logging-except-kcc-oi-7970 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-disable-vpc-external-ipv6 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-os-login 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-kcc-oi-7970 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-cloud-nat-usage-except-kcc-oi-7970 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-load-balancer-creation-for-types 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-shared-vpc-lien-removal 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpc-peering 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-restrict-vpn-peer-ips 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-skip-default-network-creation 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-trusted-image-projects 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-can-ip-forward 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-vm-external-ip-access 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/essentialcontacts-allowed-contact-domains 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/gcp-restrict-resource-locations 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-allowed-policy-member-domains 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-automatic-iam-grants-for-default-service-accounts 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-audit-logging-exemption 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-creation 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/iam-disable-service-account-key-upload 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/sql-restrict-public-ip 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention 16d True UpToDate 16d
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-uniform-bucket-level-access 16d True UpToDate 16d
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ kubectl get gcp -n logging
NAME AGE READY STATUS STATUS AGE
logginglogsink.logging.cnrm.cloud.google.com/logging-project-oi0130-data-access-sink 16d True UpToDate 16d
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-sink 16d True UpToDate 16d
logginglogsink.logging.cnrm.cloud.google.com/org-log-sink-data-access-logging-project-oi0130 16d True UpToDate 16d
logginglogsink.logging.cnrm.cloud.google.com/org-log-sink-security-logging-project-oi0130 16d True UpToDate 16d
logginglogsink.logging.cnrm.cloud.google.com/platform-and-component-services-infra-log-sink 16d True UpToDate 16d
logginglogsink.logging.cnrm.cloud.google.com/platform-and-component-services-log-sink 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-oi0130 16d True UpToDate 16d
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
monitoringmonitoredproject.monitoring.cnrm.cloud.google.com/kcc-oi-7970 16d True UpToDate 16d
NAME AGE READY STATUS STATUS AGE
storagebucket.storage.cnrm.cloud.google.com/security-incident-log-bucket-oi0130 14d True UpToDate 14d
destroy gke cluster
michael@cloudshell:~/kcc-oi-20231206/github/pubsec-declarative-toolkit/solutions (kcc-oi-7970)$ gcloud anthos config controller delete --location northamerica-northeast1 kcc --quiet
Delete request issued for: [kcc]
Waiting for operation [projects/kcc-oi-7970/locations/northamerica-northeast1/operations/operation-1708103535888-61182d87f07de-28fac1d2-2f39769d] to complete...working...
6 min
Deleted instance [kcc].
wait 24+ hours and restart the cluster
Check whether Autopilot upgrades occurred while the cluster was deleted
To recreate the cluster, follow https://medium.com/@kasiarun/introduction-to-anthos-config-management-1a43917c26ae https://cloud.google.com/anthos-config-management/docs/config-sync-overview https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/docs/landing-zone-v2/README.md#clean-up
check nomos for config-controller https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-migration#migrate-all
After the delete, the GCP resources are left in the abandoned state (not deleted): https://cloud.google.com/anthos-config-management/docs/how-to/config-controller-setup#delete
michael@cloudshell:~$ gcloud config set project kcc-oi-7970
Updated property [core/project].
michael@cloudshell:~ (kcc-oi-7970)$ cd kcc-oi-20231206/
michael@cloudshell:~/kcc-oi-20231206 (kcc-oi-7970)$ cd kpt/
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ NETWORK=kcc-vpc
SUBNET=kcc-sn
export REGION=northamerica-northeast1
CLUSTER=kcc
echo "Creating Anthos KCC autopilot cluster ${CLUSTER} in region ${REGION} in subnet ${SUBNET} off VPC ${NETWORK}"
Creating Anthos KCC autopilot cluster kcc in region northamerica-northeast1 in subnet kcc-sn off VPC kcc-vpc
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller create "$CLUSTER" --location "$REGION" --network "$NETWORK" --subnet "$SUBNET" --master-ipv4-cidr-block="172.16.0.128/28" --full-management
Create request issued for: [kcc]
Waiting for operation [projects/kcc-oi-7970/locations/northamerica-northeast1/operations/operation-1711086561504-6143962adaeaf-52b17a8a-23d9a574] to comple
te...working
2249
...failed.
ERROR: (gcloud.anthos.config.controller.create) unexpected error occurred while waiting for SLM operation [projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1711086568132-614396312cf52-a6bfe5e9-1801c561]: errored while waiting for operation: projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1711086568132-614396312cf52-a6bfe5e9-1801c561: Operation failed with error:
generic::invalid_argument: terraform apply failed, error: exit status 1, stderr:
Error: Error creating Cluster: googleapi: Error 404: Not found: project "kcc-oi-7970" does not have a subnetwork named "kcc-sn" in region "northamerica-northeast1".
Details:
[
{
"@type": "type.googleapis.com/google.rpc.DebugInfo",
"detail": "NOT_FOUND: not found: project \"kcc-oi-7970\" does not have a subnetwork named \"kcc-sn\" in region \"northamerica-northeast1\"",
"stackEntries": [
Checked vars.sh - the network and subnet names are actually:
NETWORK=kcc-ls-vpc
SUBNET=kcc-ls-sn
rerun
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ NETWORK=kcc-ls-vpc
SUBNET=kcc-ls-sn
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ echo "Creating Anthos KCC autopilot cluster ${CLUSTER} in region ${REGION} in subnet ${SUBNET} off VPC ${NETWORK}"
Creating Anthos KCC autopilot cluster kcc in region northamerica-northeast1 in subnet kcc-ls-sn off VPC kcc-ls-vpc
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller create "$CLUSTER" --location "$REGION" --network "$NETWORK" --subnet "$SUBNET" --master-ipv4-cidr-block="172.16.0.128/28" --full-management
Create request issued for: [kcc]
Waiting for operation [projects/kcc-oi-7970/locations/northamerica-northeast1/operations/operation-1711086838198-61439732bb1d4-230b07fc-dbefcb40] to comple
te...working...
2254
coming up
33% 2258
The new org policy constraint enforced on projects is causing an issue:
Constraint constraints/compute.restrictVpcPeering violated for project 729005816584. Peering the network projects/gke-prod-na-ne1-dd32/global/networks/gke-n25d53e7a23908121151-bea7-3124-net is not allowed.
...failed.
ERROR: (gcloud.anthos.config.controller.create) unexpected error occurred while waiting for SLM operation [projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1711086845035-614397394034b-61a56dd6-6c5c0b5e]: errored while waiting for operation: projects/krmapihosting-slm/locations/northamerica-northeast1/operations/operation-1711086845035-614397394034b-61a56dd6-6c5c0b5e: Operation failed with error:
generic::invalid_argument: terraform apply failed, error: exit status 1, stderr:
Error: Error waiting for creating GKE cluster: Constraint constraints/compute.restrictVpcPeering violated for project 729005816584. Peering the network projects/gke-prod-na-ne1-dd32/global/networks/gke-n25d53e7a23908121151-bea7-3124-net is not allowed.
on main_autopilot.tf line 32, in resource "google_container_cluster" "acp_cluster":
32: resource "google_container_cluster" "acp_cluster" {
, stdout:
google_container_cluster.acp_cluster: Creating...
google_container_cluster.acp_cluster: Still creating... [10s elapsed]
google_container_cluster.acp_cluster: Still creating... [20s elapsed]
google_container_cluster.acp_cluster: Still creating... [30s elapsed]
google_container_cluster.acp_cluster: Still creating... [40s elapsed]
google_container_cluster.acp_cluster: Still creating... [50s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [1m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [2m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [3m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [4m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [5m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [6m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [7m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m20s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m30s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m40s elapsed]
google_container_cluster.acp_cluster: Still creating... [8m50s elapsed]
google_container_cluster.acp_cluster: Still creating... [9m0s elapsed]
google_container_cluster.acp_cluster: Still creating... [9m10s elapsed]
google_container_cluster.acp_cluster: Still creating... [9m20s elapsed]
Subsequent cleanup succeeded
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$
Adding an override (project-scoped exception) for the constraints/compute.restrictVpcPeering constraint
2313 rerun
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller create "$CLUSTER" --location "$REGION" --network "$NETWORK" --subnet "$SUBNET" --master-ipv4-cidr-block="172.16.0.128/28" --full-management
Create request issued for: [kcc]
Waiting for operation [projects/kcc-oi-7970/locations/northamerica-northeast1/operations/operation-1711087974997-61439b6edddd2-ee8a3043-f8d2c51e] to comple
te...working
2319 67%
2329 15 of 20 workloads
Checked the object browser - empty, as expected
Finish the Config Controller configuration, then run kpt apply again
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller get-credentials "$CLUSTER" --location "$REGION"
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller get-credentials "$CLUSTER" --location "$REGION"
Fetching cluster endpoint and auth data.
kubeconfig entry generated for krmapihost-kcc.
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ gcloud anthos config controller list
NAME: kcc
LOCATION: northamerica-northeast1
STATE: RUNNING
Reapply the YAMLs
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ REL_SUB_PACKAGE="core-landing-zone"
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ kpt live apply $REL_SUB_PACKAGE --reconcile-timeout=15m --output=table
2340
Triage the unmanaged (abandoned) resources - check for their existence first
michael@cloudshell:~/kcc-oi-20231206/kpt (kcc-oi-7970)$ kpt live status $REL_SUB_PACKAGE --inv-type remote --statuses InProgress,NotFound
inventory-36746767/iampartialpolicy.iam.cnrm.cloud.google.com/projects/security-log-bucket-writer-permissions is InProgress: reference LoggingLogSink logging/org-log-sink-security-logging-project-oi0130 is not found
inventory-36746767/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-log-bucket-writer-permissions is InProgress: reference LoggingLogSink logging/platform-and-component-services-log-sink is not found
inventory-36746767/iampartialpolicy.iam.cnrm.cloud.google.com/projects/platform-and-component-services-infra-log-bucket-writer-permissions is InProgress: reference LoggingLogSink logging/platform-and-component-services-infra-log-sink is not found
inventory-36746767/iampartialpolicy.iam.cnrm.cloud.google.com/projects/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions is InProgress: reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/logging-project-oi0130-data-access-sink is NotFound: Resource not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-log-sink is NotFound: Resource not found
inventory-36746767/dnsmanagedzone.dns.cnrm.cloud.google.com/networking/dns-project-oi0130-standard-core-public-dns is NotFound: Resource not found
inventory-36746767/service.serviceusage.cnrm.cloud.google.com/projects/dns-project-oi0130-dns is NotFound: Resource not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/platform-and-component-services-infra-log-sink is NotFound: Resource not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/mgmt-project-cluster-platform-and-component-log-sink is NotFound: Resource not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/org-log-sink-security-logging-project-oi0130 is NotFound: Resource not found
inventory-36746767/logginglogsink.logging.cnrm.cloud.google.com/logging/org-log-sink-data-access-logging-project-oi0130 is NotFound: Resource not found
Test out the full scenario with the 4 core packages (core-lz, client-lz, client-package, client-setup): https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#full-client-package-structure
I have one org up with the 4 packages above plus hub-env to test.
In private, get the list of objects across all the namespaces - example from https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#deployment-verifying-kubernetes-gcp-resources
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get namespaces
NAME STATUS AGE
...
hierarchy Active 67d
logging Active 67d
networking Active 67d
policies Active 67d
projects Active 67d
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n networking | grep False
computefirewall.compute.cnrm.cloud.google.com/hub-allow-fortigates-ha-fwr 67d False DependencyNotFound 67d
computefirewall.compute.cnrm.cloud.google.com/hub-allow-spokes-to-fortigates-fwr 67d False DependencyNotFound 67d
computefirewall.compute.cnrm.cloud.google.com/hub-elb-allow-health-checks-to-fortigate-fwr 67d False DependencyNotFound 67d
computefirewall.compute.cnrm.cloud.google.com/hub-iap-allow-rdp-to-managementvm-fwr 67d False DependencyNotFound 67d
computefirewall.compute.cnrm.cloud.google.com/hub-ilb-allow-health-checks-to-fortigate-fwr 67d False DependencyNotFound 67d
computefirewall.compute.cnrm.cloud.google.com/hub-managementvm-allow-ssh-https-to-fortigates-fwr 67d False DependencyNotFound 67d
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-primary-instance 67d False DependencyNotFound 67d
computeinstance.compute.cnrm.cloud.google.com/hub-fgt-secondary-instance 67d False DependencyNotFound 67d
computeinstance.compute.cnrm.cloud.google.com/hub-management-instance 67d False DependencyNotFound 67d
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n projects | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n policies | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n hierarchy | grep False
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n logging | grep False
Usually, for the FinOps case, a developer or client wishes to shut down the GKE cluster and behave as we used to with Terraform - only use the IaC intent engine during actual changes. For sparse use cases where GCP infrastructure is rarely modified and drift protection is not required, keep the GKE cluster off.
We will use the script from #446 or #766 and document it on the staging wiki from this issue.
see also #818 #817