Releases: GDC-ConsumerEdge/automated-cluster-provisioner

v1.3.2 - GDCc versioned Group RBAC apply

01 Aug 14:12
a9358b1

What's Changed

  • Add missing roles/storage.objectViewer to zone watcher builder role to pull cloud function package from cloud storage bucket by @benfogel in #25

  • Fix failure alerts by @benfogel in #26

  • Enabling Cluster with Group RBAC by @kevin-liangit in #22

    • gdc_version_evaluate
      • Some steps during cluster creation are version-dependent. The function gdc_version_evaluate is used wherever those steps differ by GDCc version. It returns true if current_version is equal to or greater than required_version, and false otherwise. Usage: gdc_version_evaluate {current_version} {required_version}
    • Using gdc_version_evaluate for Group RBAC:
      • Starting in GDCc v1.10.0, Group RBAC can only be enabled through gcloud edge-cloud container cluster create --enable-google-group-authentication.
      • For GDCc versions lower than v1.10.0, Group RBAC should continue using ClientConfig updates as documented in #10.
  • Fix: fi placement by @kevin-liangit in #27
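
A sketch of the version gate described above for Group RBAC, added here as an example and not the project's own code. It assumes versions of the form N, N.N or N.N.N with an optional leading v; group_rbac_method and its two output strings are hypothetical. Components are compared numerically because a plain string comparison would rank 1.9.0 above 1.10.0 and select the wrong path.

```shell
#!/bin/sh
# Added sketch, not the project's code. Same calling convention as on the page:
#   gdc_version_evaluate {current_version} {required_version}
# Exit status: 0 if current >= required, 1 if lower, 2 if either is malformed.
gdc_version_evaluate() {
  _cur=${1#v}; _req=${2#v}
  for _v in "$_cur" "$_req"; do
    case $_v in
      # Reject anything that is not N, N.N or N.N.N (assumed version format).
      ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 2 ;;
    esac
  done
  _i=1
  while [ "$_i" -le 3 ]; do
    # Pad with ".0.0" so a missing minor or patch component compares as 0.
    _a=$(printf '%s.0.0' "$_cur" | cut -d. -f"$_i")
    _b=$(printf '%s.0.0' "$_req" | cut -d. -f"$_i")
    if [ "$_a" -gt "$_b" ]; then return 0; fi
    if [ "$_a" -lt "$_b" ]; then return 1; fi
    _i=$((_i + 1))
  done
  return 0  # all three components are equal
}

# Hypothetical helper: choose the Group RBAC path for a cluster's GDCc version.
# On a malformed version it prints nothing to stdout and fails, so a caller
# stops instead of creating a cluster without group authentication configured.
group_rbac_method() {
  _rc=0
  gdc_version_evaluate "$1" "1.10.0" || _rc=$?
  case $_rc in
    0) echo "create-flag" ;;         # pass --enable-google-group-authentication
    1) echo "clientconfig-patch" ;;  # patch ClientConfig as documented in #10
    *) echo "unparseable GDCc version: $1" >&2; return 2 ;;
  esac
}
```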

Upgrade Steps from v1.3.1

  • Upgrade the following files:
    • bootstrap/alerts.tf
    • bootstrap/main.tf
    • .github/workflows/unit_tests.yaml
    • bootstrap/metrics.tf
    • watchers/integration_tests/test_watcher_timing.py
    • watchers/src/main.py
    • watchers/src/requirements.txt
    • watchers/tests/test_main.py
    • bootstrap/create-cluster.yaml

Full Changelog: v1.3.1...v1.3.2

v1.3.1

25 Jun 20:26
85159d6

Fixes

  • fix automated retry (introduced in v1.2.1 #12): Check for CUSTOMER_FACTORY_TURNUP_CHECKS_STARTED for retry behavior by @benfogel in #23. Automated retries began stalling with the release of the CUSTOMER_FACTORY_TURNUP_CHECKS_STARTED ZoneState. This logic restores automated retry behavior.

What's Changed

  • Refactor IAM to better associate required roles per SA by @benfogel in #19
  • Append environment name onto log based metric names by @benfogel in #18
  • Add unittests workflow by @benfogel in #24

Upgrade Steps from v1.3.0

  • Upgrade the following files:
    • bootstrap/alerts.tf
    • bootstrap/main.tf
    • bootstrap/metrics.tf
    • watchers/integration_tests/test_watcher_timing.py
    • watchers/src/main.py
    • watchers/src/requirements.txt
    • watchers/tests/test_main.py

Full Changelog: v1.3.0...v1.3.1

v1.3.0

30 May 18:44
0e38d25

What's New

Upgrade Steps from v1.2.1

  • Upgrade the following files:
    • bootstrap/create-cluster.yaml
    • bootstrap/main.tf
    • bootstrap/variables.tf

Fixes

  • fix: hw mgmt api endpoint override in #16
  • fix: Set MAX_RETRIES in tf for zone-watcher function to align zone-watcher with cloud build trigger in #15
  • fix: Align variable naming with tf conventions in #17

Full Changelog: v1.2.1...v1.3.0

v1.2.1

15 Apr 15:31
2433062

What's New

What's changed

  • Added kubernetesmetadata.googleapis.com as a required service to enable in tf bootstrap by @kevin-liangit in #8
  • Group rbac update using clientconfig by @kevin-liangit in #10

Upgrade Steps from v1.1.0

  • Upgrade / Add the following files:
    • .github/workflows/validate_sot.yaml (New)
    • validation/cluster_intent.py (New)
    • bootstrap/create-cluster.yaml
    • bootstrap/main.tf
    • bootstrap/modify-cluster.yaml
    • bootstrap/variables.tf
    • watchers/src/build_history.py (New)
    • watchers/src/main.py
    • watchers/src/maintenance_windows.py (New)
    • watchers/src/requirements.txt
    • watchers/integration_tests/test_watcher_timing.py (New)
    • watchers/test/test_build_history.py (New)
    • watchers/test/test_maintenance_windows.py (New)

Migration Steps for Group Based RBAC

#10 changed how group based RBAC is configured. Anthos Identity Service features are not all fully supported on GDC connected, so a direct integration is preferred. As part of this, the cluster provisioner now patches the ClientConfig object directly on clusters to enable group based RBAC.

Steps

New clusters will have group based RBAC applied via the cluster provisioner.

In order to standardize how existing clusters are managed, the following steps should be taken:

  1. Confirm which existing clusters are using Anthos Identity Service for Group RBAC.
  2. For a cluster, delete the member from identity-service:
    gcloud container fleet identity-service delete {select cluster from list}
  3. Manually update ClientConfig on said cluster. For example:
    $ FLEET_PROJECT_NUMBER="REPLACE_WITH_FLEET_PROJECT_NUMBER"
    $ CLUSTER_NAME="REPLACE_WITH_CLUSTER_NAME"
    $ kubectl patch clientconfig default -n kube-public --type=merge -p '{"spec":{"authentication":[{"google":{"audiences":["//gkehub.googleapis.com/projects/'${FLEET_PROJECT_NUMBER}'/locations/global/memberships/'${CLUSTER_NAME}'"]},"name":"google-authentication-method"}]}}'
    clientconfig.authentication.gke.io/default patched
  4. Repeat steps 1-3 for every cluster using Anthos Identity Service for Group RBAC.
  5. (Optional) Once all clusters have been migrated, disable identity-service.

Fixes

  • Fix misspelled variable name and add maintenance windows by @Ben-Chapman in #11
  • fix: Fix logic when using incorrect trigger id by @benfogel in #14

New Contributors

Full Changelog: v1.1.0...v1.2.1

v1.1.0

23 Dec 17:16

This is the v1.1.0 release of automated cluster provisioner!

What's Changed

Implemented enhancements

  • Add alerts and metrics for provisioning operations
  • Updated provisioning failure handling to avoid retry loops
  • Add store_id and zone name tags on Cloud Build jobs. Easier searching!
  • Add support for fleet labels and maintenance exclusion windows
  • Support specifying ConfigSync version
  • Add flag to create GCS buckets for remote backups

Other

  • README updates
  • Add 30 minute wait to shutdown VMs to avoid corruption during VM bootstrapping

Full Changelog: v1.0.0...v1.1.0

Initial Release

19 Dec 14:03

Add shell_check scripts and update detected warnings

Change-Id: I646fcac67511016f98ba4b8aa4d3bf286622dd16