kptdev / kpt

Automate Kubernetes Configuration Editing
https://kpt.dev
Apache License 2.0

`set-project-id` function should configure GCP project ID and project Number in KCC resources #2562

Open droot opened 2 years ago

droot commented 2 years ago

Configuring a GCP project (ID and number in some cases) is one of the most common customizations for GCP resources (KCC resources). This customization fits the category of horizontal transformations (applicable to multiple types of KRM resources). set-namespace, set-labels and set-annotations are some examples of horizontal transformations.

Making the use-case more concrete, consider the snippet below that shows KRM resources for configuring a GCP service account to grant roles for workload identity and project reader.

# gitops-iam.yaml

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: config-sync-sa
  namespace: config-control
spec:
  displayName: ConfigSync

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: config-sync-wi
  namespace: config-control
spec:
  member: serviceAccount:PROJECT_ID.svc.id.goog[config-management-system/importer]
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: config-sync-sa

---

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: allow-configsync-sa-read-csr
  namespace: config-control
spec:
  member: serviceAccount:config-sync-sa@PROJECT_ID.iam.gserviceaccount.com
  role: roles/source.reader
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/PROJECT_ID

The proposal is to enhance the set-project-id function so that it takes a GCP project ID (and possibly a project number) as input and customizes the GCP resources to use the provided GCP project ID. The function is expected to have knowledge of how GCP resources use the project ID in their spec.

An example of using the function declaratively:

# Kptfile
apiVersion: kpt.dev/v1
kind: Kptfile
metadata:
  name: config-controller-setup
info:
  description: sample description
pipeline:
  mutators:
    - image: gcr.io/kpt-fn/set-project-id:v0.0.1
      configMap:
        projectID: user1-sandbox

An example of using the function imperatively:

$ kpt fn eval [PKG_DIR] -i set-project-id:v0.0.1 -- project-id=user1-sandbox project-number=xyz

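The substitution the proposal describes, as an added example that is not part of this issue or of kpt's own set-project-id function: a Python sketch that carries a hypothetical table of which KCC spec fields embed the project ID, validates the project ID format before touching anything, returns a fresh copy of the resources, and reports any placeholder it left behind so that a kind the table does not know about fails loudly instead of being applied half-configured. The input is the issue's gitops-iam.yaml rewritten as Python dicts (constructed sample data); a real KRM function would read the same objects from a ResourceList on stdin. The PROJECT_FIELDS table and the PROJECT_NUMBER placeholder are assumptions made for the example.

```python
import copy
import re
from typing import Any, Dict, List, Optional, Sequence, Tuple

# Constructed sample input: the three resources from gitops-iam.yaml above,
# as Python dicts instead of YAML so the example runs offline without PyYAML.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMServiceAccount",
     "metadata": {"name": "config-sync-sa", "namespace": "config-control"},
     "spec": {"displayName": "ConfigSync"}},
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPolicyMember",
     "metadata": {"name": "config-sync-wi", "namespace": "config-control"},
     "spec": {"member": "serviceAccount:PROJECT_ID.svc.id.goog[config-management-system/importer]",
              "role": "roles/iam.workloadIdentityUser",
              "resourceRef": {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
                              "kind": "IAMServiceAccount", "name": "config-sync-sa"}}},
    {"apiVersion": "iam.cnrm.cloud.google.com/v1beta1", "kind": "IAMPolicyMember",
     "metadata": {"name": "allow-configsync-sa-read-csr", "namespace": "config-control"},
     "spec": {"member": "serviceAccount:config-sync-sa@PROJECT_ID.iam.gserviceaccount.com",
              "role": "roles/source.reader",
              "resourceRef": {"apiVersion": "resourcemanager.cnrm.cloud.google.com/v1beta1",
                              "kind": "Project", "external": "projects/PROJECT_ID"}}},
]

# Hypothetical knowledge table (an assumption, not kpt's own): per KCC API group
# and kind, the spec fields whose string value may embed the project ID or number.
PROJECT_FIELDS: Dict[Tuple[str, str], Sequence[Tuple[str, ...]]] = {
    ("iam.cnrm.cloud.google.com", "IAMPolicyMember"): (
        ("spec", "member"),
        ("spec", "resourceRef", "external"),
    ),
}
PLACEHOLDER_ID = "PROJECT_ID"
PLACEHOLDER_NUMBER = "PROJECT_NUMBER"   # assumed placeholder for the project number

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens, starting
# with a letter and not ending in a hyphen. Validating before substitution stops
# a typo or an unfilled template value from landing in an IAM binding.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def validate_project_id(project_id: str) -> None:
    if not PROJECT_ID_RE.fullmatch(project_id):
        raise ValueError(f"invalid GCP project ID: {project_id!r}")


def validate_project_number(project_number: str) -> None:
    if not project_number.isdigit():
        raise ValueError(f"invalid GCP project number: {project_number!r}")


def _find_placeholders(obj: Any, path: str = "") -> List[str]:
    """Dotted paths of every string anywhere in obj that still holds a placeholder."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items()
                for p in _find_placeholders(v, f"{path}.{k}" if path else k)]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in _find_placeholders(v, f"{path}[{i}]")]
    if isinstance(obj, str) and (PLACEHOLDER_ID in obj or PLACEHOLDER_NUMBER in obj):
        return [path]
    return []


def set_project_id(resources: List[Dict[str, Any]], project_id: str,
                   project_number: Optional[str] = None,
                   ) -> Tuple[List[Dict[str, Any]], int, List[str]]:
    """Rewrite placeholders in the known fields of each resource.

    Returns (new resources, fields rewritten, leftover placeholder locations).
    A non-empty leftover list means a kind the table does not cover; a caller
    should fail on it rather than apply half-configured IAM resources.
    """
    validate_project_id(project_id)
    if project_number is not None:
        validate_project_number(project_number)
    out = copy.deepcopy(resources)          # never mutate the caller's input
    rewritten = 0
    for res in out:
        group = res.get("apiVersion", "").split("/")[0]
        for path in PROJECT_FIELDS.get((group, res.get("kind", "")), ()):
            parent: Any = res
            for key in path[:-1]:           # walk to the parent of the target field
                parent = parent.get(key) if isinstance(parent, dict) else None
            if not isinstance(parent, dict) or not isinstance(parent.get(path[-1]), str):
                continue                    # field absent on this resource
            old = parent[path[-1]]
            new = old
            if PLACEHOLDER_NUMBER in new:
                if project_number is None:
                    raise ValueError(f"{res['kind']}/{res['metadata']['name']}: "
                                     f"{'.'.join(path)} needs a project number")
                new = new.replace(PLACEHOLDER_NUMBER, project_number)
            new = new.replace(PLACEHOLDER_ID, project_id)
            if new != old:
                parent[path[-1]] = new
                rewritten += 1
    leftovers = [f"{r['kind']}/{r['metadata']['name']}: {p}"
                 for r in out for p in _find_placeholders(r)]
    return out, rewritten, leftovers
```

Running `set_project_id(SAMPLE_RESOURCES, "user1-sandbox")` rewrites the two `spec.member` values and the `projects/PROJECT_ID` reference, leaves the IAMServiceAccount untouched, and returns an empty leftover list; a resource of a kind missing from the table comes back in the leftover list with the exact field path, which is the signal to extend the table rather than to ship the package.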
morgante commented 2 years ago

Do not build a new function for this. This functionality should be captured in the set-project-id function.

droot commented 2 years ago

> Do not build a new function for this. This functionality should be captured in the set-project-id function.

Updated the description to enhance the existing function.

yuwenma commented 2 years ago

Issues for the current set-project-id: https://github.com/GoogleContainerTools/kpt/issues/2690