Open fmichaelobrien opened 1 year ago
rerun
admin_@cloudshell:~/pdt-arg/ssc-spc-ccoe-cei/gcp-tools/scripts/bootstrap (pdt-arg-kcc10)$ ./setup-kcc.sh pdt-arg.env
Waiting for [operations/cf.9135754359470030039] to finish...done.
Created [<Folder
createTime: '2023-06-21T15:39:42.090Z'
displayName: 'pdt-arg-kcc11'
lifecycleState: LifecycleStateValueValuesEnum(ACTIVE, 1)
name: 'folders/872374816049'
parent: 'organizations/226082700214'>].
folders/872374816049
Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/pdt-arg-kcc11].
Waiting for [operations/cp.6096008890562947989] to finish...done.
Enabling service [cloudapis.googleapis.com] on project [pdt-arg-kcc11]...
Operation "operations/acat.p2-831930126559-7d3397aa-1f57-42d1-94c5-d4f202782516" finished successfully.
Updated property [core/project] to [pdt-arg-kcc11].
billingAccountName: billingAccounts/01....82
billingEnabled: true
name: projects/pdt-arg-kcc11/billingInfo
projectId: pdt-arg-kcc11
Updated property [core/project].
Operation "operations/acf.p2-831930126559-170db725-4b96-4d2a-83ec-71579108e353" finished successfully.
Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/networks/pdt-arg].
NAME: pdt-arg
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-arg --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network pdt-arg --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/regions/northamerica-northeast1/subnetworks/pdt-arg-sn].
NAME: pdt-arg-sn
REGION: northamerica-northeast1
NETWORK: pdt-arg
RANGE: 192.168.0.0/16
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating router [kcc-router]...done.
NAME: kcc-router
REGION: northamerica-northeast1
NETWORK: pdt-arg
Creating NAT [kcc-router] in router [kcc-router]...done.
Created Policy [https://dns.googleapis.com/dns/v1/projects/pdt-arg-kcc11/policies/dnspolicy1].
{
  "description": "dns policy to enable logging",
  "enableInboundForwarding": false,
  "enableLogging": true,
  "id": "1134094650152878946",
  "kind": "dns#policy",
  "name": "dnspolicy1",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "https://compute.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/networks/pdt-arg"
    }
  ]
}
Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/addresses/apis-private-ip].
Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/forwardingRules/endpoint1].
Created [https://dns.googleapis.com/dns/v1/projects/pdt-arg-kcc11/managedZones/googleapis].
NAME: googleapis.com.
TYPE: A
TTL: 300
DATA: 10.255.255.254
NAME: *.googleapis.com.
TYPE: CNAME
TTL: 300
DATA: googleapis.com.
Created [https://dns.googleapis.com/dns/v1/projects/pdt-arg-kcc11/managedZones/gcrio].
NAME: gcr.io.
TYPE: A
TTL: 300
DATA: 10.255.255.254
NAME: *.gcr.io.
TYPE: CNAME
TTL: 300
DATA: gcr.io.
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/firewalls/allow-egress-azure].
Creating firewall...done.
NAME: allow-egress-azure
NETWORK: pdt-arg
DIRECTION: EGRESS
PRIORITY: 5000
ALLOW: tcp:22,tcp:443
DENY:
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/firewalls/allow-egress-github].
Creating firewall...done.
NAME: allow-egress-github
NETWORK: pdt-arg
DIRECTION: EGRESS
PRIORITY: 5001
ALLOW: tcp:22,tcp:443
DENY:
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/firewalls/allow-egress-internal].
Creating firewall...done.
NAME: allow-egress-internal
NETWORK: pdt-arg
DIRECTION: EGRESS
PRIORITY: 1000
ALLOW: all
DENY:
DISABLED: False
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/pdt-arg-kcc11/global/firewalls/deny-egress-internet].
Creating firewall...done.
NAME: deny-egress-internet
NETWORK: pdt-arg
DIRECTION: EGRESS
PRIORITY: 65535
ALLOW:
DENY: all
DISABLED: False
Create request issued for: [pdt-arg]
Waiting for operation [projects/pdt-arg-kcc11/locations/northamerica-northeast1/operations/operation-1687362167709-5fea59e9d1eb9-76df9161-d9eb9ad4] to complete...working.
moving back to https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/296 and installing min LZ
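The log above creates four egress rules on the pdt-arg network (allow-egress-internal at 1000, allow-egress-azure at 5000, allow-egress-github at 5001, deny-egress-internet at 65535) plus private DNS for googleapis.com and gcr.io pointing at 10.255.255.254. The gcloud output does not print the destination ranges, so the check below is an added example (not part of this issue or of setup-kcc.sh): it models VPC firewall precedence (lowest priority number wins, deny beats allow on a tie, implied allow-egress at 65535) over the rule names and priorities from the log, with destination ranges that are constructed here for illustration, and flags rule sets where the deny-all is missing or an allow-all to 0.0.0.0/0 defeats it.

```python
"""Evaluate effective VPC egress policy for a rule set like the one in the log.

Added example; rule names, priorities and ALLOW/DENY columns come from the
gcloud output above, destination ranges are constructed (TEST-NET blocks).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int              # 0..65535, lower number = higher precedence
    action: str                # "allow" or "deny"
    protocols: dict            # {"tcp": {22, 443}}, {"icmp": None}, or {"all": None}
    destination_ranges: list   # CIDR strings
    direction: str = "EGRESS"
    disabled: bool = False


def parse_spec(spec: str) -> dict:
    """Parse a gcloud ALLOW/DENY column such as 'tcp:22,tcp:443', 'icmp' or 'all'."""
    spec = spec.strip()
    if spec == "all":
        return {"all": None}
    out: dict = {}
    for item in spec.split(","):
        proto, _, ports = item.strip().partition(":")
        if not ports:
            out[proto] = None              # whole protocol, no port restriction
            continue
        lo, _, hi = ports.partition("-")   # single port or lo-hi range
        out.setdefault(proto, set()).update(range(int(lo), int(hi or lo) + 1))
    return out


def spec_matches(spec: dict, proto: str, port) -> bool:
    if "all" in spec:
        return True
    if proto not in spec:
        return False
    ports = spec[proto]
    return ports is None or port in ports


def evaluate(rules, dest_ip: str, proto: str, port=None):
    """Return (action, rule_name) for one egress flow.

    Matching rules are ordered by priority; on equal priority a deny wins.
    With no matching rule the implied allow-egress rule applies.
    """
    ip = ip_address(dest_ip)
    hits = [
        r for r in rules
        if not r.disabled and r.direction == "EGRESS"
        and any(ip in ip_network(c, strict=False) for c in r.destination_ranges)
        and spec_matches(r.protocols, proto, port)
    ]
    if not hits:
        return ("allow", "implied-allow-egress")
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (hits[0].action, hits[0].name)


def _is_catch_all(r: Rule) -> bool:
    return "all" in r.protocols and any(
        ip_network(c, strict=False).prefixlen == 0 for c in r.destination_ranges)


def audit(rules) -> list:
    """Return findings (empty list = the egress posture from the log holds)."""
    findings = []
    egress = [r for r in rules if r.direction == "EGRESS" and not r.disabled]
    denies = [r for r in egress if r.action == "deny" and _is_catch_all(r)]
    if not denies:
        findings.append("no explicit deny-all egress rule; implied allow-egress reaches the internet")
    else:
        floor = min(r.priority for r in denies)
        for r in egress:
            if r.action == "allow" and r.priority >= floor:
                findings.append(f"{r.name}: priority {r.priority} is shadowed by deny-all at {floor}")
    for r in egress:
        if r.action == "allow" and _is_catch_all(r):
            findings.append(f"{r.name}: allow all to 0.0.0.0/0 defeats the egress deny")
    return findings


# Rule names/priorities/specs from the log; destination ranges are constructed.
RULES = [
    Rule("allow-egress-internal", 1000, "allow", parse_spec("all"),
         ["192.168.0.0/16", "10.255.255.254/32"]),      # subnet + private API endpoint
    Rule("allow-egress-azure", 5000, "allow", parse_spec("tcp:22,tcp:443"), ["198.51.100.0/24"]),
    Rule("allow-egress-github", 5001, "allow", parse_spec("tcp:22,tcp:443"), ["203.0.113.0/24"]),
    Rule("deny-egress-internet", 65535, "deny", parse_spec("all"), ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for flow in [("192.168.10.5", "tcp", 8080), ("10.255.255.254", "tcp", 443),
                 ("203.0.113.7", "tcp", 443), ("203.0.113.7", "tcp", 80), ("8.8.8.8", "udp", 53)]:
        print(flow, "->", evaluate(RULES, *flow))
    print("findings:", audit(RULES))
```

Feed it the output of `gcloud compute firewall-rules list --format=json` (destination ranges are in the `destinationRanges` field there) to check a live project instead of the constructed table.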
20231019 setup.sh script for kcc cluster delete/recreate and lz kpt apply/destroy in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/446#issuecomment-1771365186 under https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh
Actually, for 1 of the 2 - the historical Shielded - we are good with the following override:
michael@cloudshell:~/kcc-oi/kpt (kcc-oi-9428)$ kubectl get gcp -n policies
NAME AGE READY STATUS STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project 9m36s True UpToDate 9m8s
assigned to fmichaelobrien https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/setup-kcc.sh
Issues pending
edit pdt-arg.env
run
comment to line 30 put a sleep 20 sec
check cluster and continue script after line 105
see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/344#issuecomment-1600993940
see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/132
rerun script past kcc cluster after setting secure boot policy override - constraints/compute.requireShieldedVm
see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/132 KCC cluster up
continue script