├── .github ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── SECURITY.md ├── header-checker-lint.yml ├── renovate.json ├── snippet-bot.yml └── workflows │ └── asm-acm-tutorial-ci.yaml ├── .gitignore ├── LICENSE ├── README.md ├── asm-acm-tutorial ├── README.md ├── ingress-gateway │ ├── authorization-policies │ │ └── kustomization.yaml │ ├── deployments │ │ └── kustomization.yaml │ └── init │ │ └── kustomization.yaml ├── online-boutique │ ├── authorization-policies │ │ ├── for-ingress-gateway │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── deployments │ │ └── kustomization.yaml │ └── init │ │ └── kustomization.yaml └── root-sync │ ├── deploy-authorization-policies │ ├── ingress-gateway │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── online-boutique │ │ └── kustomization.yaml │ ├── deployments │ ├── ingress-gateway │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── online-boutique │ │ └── kustomization.yaml │ ├── enforce-authorization-policies │ ├── kustomization.yaml │ └── policies │ │ ├── authz-source-principals-not-all.yaml │ │ ├── default-deny-authorization-policies.yaml │ │ └── kustomization.yaml │ ├── enforce-sidecar-injection │ ├── kustomization.yaml │ ├── namespace-sidecar-injection-label.yaml │ └── pod-sidecar-injection-annotation.yaml │ ├── enforce-strict-mtls │ ├── gatekeeper-system │ │ ├── config-referential-constraints.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── kustomization.yaml │ └── policies │ │ ├── destinationrule-tls-enabled.yaml │ │ ├── kustomization.yaml │ │ ├── mesh-level-strict-mtls.yaml │ │ └── peerauthentication-strict-mtls.yaml │ ├── fix-default-deny-authorization-policy │ ├── default-deny-authorization-policy │ │ ├── authorizationpolicy.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml │ ├── fix-strict-mtls │ ├── enable-mesh-strict-mtls │ │ ├── kustomization.yaml │ │ └── peerauthentication.yaml │ └── kustomization.yaml │ └── init │ ├── ingress-gateway-repo-sync │ ├── 
kustomization.yaml │ ├── reposync-namespace.yaml │ ├── reposync-role-binding.yaml │ └── reposync.yaml │ ├── istio-clusterrole.yaml │ ├── kustomization.yaml │ └── online-boutique-repo-sync │ ├── kustomization.yaml │ ├── reposync-namespace.yaml │ ├── reposync-role-binding.yaml │ └── reposync.yaml ├── ci-app ├── README.md ├── acm-repo │ ├── README.md │ ├── cluster │ │ ├── deployment-must-have-owner.yaml │ │ └── requiredlabels.yaml │ ├── clusterregistry │ │ └── .gitkeep │ ├── namespaces │ │ └── .gitkeep │ └── system │ │ ├── README.md │ │ └── repo.yaml └── app-repo │ ├── cloudbuild.yaml │ └── config │ ├── base │ ├── deployment.yaml │ └── kustomization.yaml │ └── prod │ └── kustomization.yaml ├── ci-pipeline-unstructured ├── README.md ├── cloudbuild.yaml └── config-root │ ├── configmap.yaml │ └── constraints │ ├── banned-key-constraint.yaml │ └── banned-key-template.yaml ├── ci-pipeline ├── README.md ├── cloudbuild.yaml └── config-root │ ├── cluster │ ├── fulfillmentcenter-crd.yaml │ ├── namespace-reader-clusterrole.yaml │ ├── namespace-reader-clusterrolebinding.yaml │ ├── pod-creator-clusterrole.yaml │ ├── pod-security-policy.yaml │ ├── required-labels-constraint.yaml │ └── required-labels-template.yaml │ ├── namespaces │ ├── audit │ │ └── namespace.yaml │ ├── online │ │ └── shipping-app-backend │ │ │ ├── pod-creator-rolebinding.yaml │ │ │ ├── quota.yaml │ │ │ ├── shipping-dev │ │ │ ├── job-creator-role.yaml │ │ │ ├── job-creator-rolebinding.yaml │ │ │ └── namespace.yaml │ │ │ ├── shipping-prod │ │ │ ├── fulfillmentcenter.yaml │ │ │ └── namespace.yaml │ │ │ └── shipping-staging │ │ │ ├── fulfillmentcenter.yaml │ │ │ └── namespace.yaml │ ├── sre-rolebinding.yaml │ ├── sre-supported-selector.yaml │ └── viewers-rolebinding.yaml │ └── system │ ├── README.md │ └── repo.yaml ├── config-controller-quickstart ├── pubsub-api.yaml └── pubsub-topic.yaml ├── config-sync-quickstart ├── README.md └── multirepo │ ├── namespaces │ └── gamestore │ │ ├── configmap-inventory.yaml │ │ └── 
webstore.yaml │ └── root │ ├── acm-monitor │ ├── acm-prometheus-config.yaml │ ├── namespace-monitoring.yaml │ └── prometheus-operator.yaml │ ├── clusterrole-namespace-reader.yaml │ ├── clusterrole-webstore-admin.yaml │ ├── crd-anvil.yaml │ ├── crd-webstore.yaml │ ├── namespace-gamestore.yaml │ ├── reposync-gamestore.yaml │ ├── rolebinding-gamestore-admin.yaml │ └── rolebinding-gamestore-webstore-admin.yaml ├── crds └── configmanagement_v1_configmanagement.yaml ├── fleet-packages-quickstart ├── README.md └── config │ └── nginx.yaml ├── fleet-tenancy ├── README.md ├── config │ ├── backend-bookstore-reposync.yaml │ ├── backend-namespace-selector.yaml │ ├── backend-network-policy.yaml │ ├── frontend-namespace-selector.yaml │ └── frontend-resource-quota.yaml ├── images │ ├── fleet-team-structure.svg │ └── fleet-tenancy-resources.png ├── teams │ └── backend │ │ └── bookstore │ │ └── config.yaml └── terraform │ ├── 1-fleet │ ├── README.md │ ├── main.tf │ └── variables.tf │ ├── 2-fleet-default-config │ ├── README.md │ ├── main.tf │ └── variables.tf │ ├── 3-clusters │ ├── README.md │ ├── cluster │ │ └── cluster.tf │ ├── main.tf │ └── variables.tf │ └── 4-scopes-and-namespaces │ ├── README.md │ ├── main.tf │ └── variables.tf ├── foo-corp ├── README.md ├── cluster │ ├── fulfillmentcenter-crd.yaml │ ├── namespace-reader-clusterrole.yaml │ ├── namespace-reader-clusterrolebinding.yaml │ └── pod-creator-clusterrole.yaml ├── namespaces │ ├── audit │ │ └── namespace.yaml │ ├── online │ │ └── shipping-app-backend │ │ │ ├── pod-creator-rolebinding.yaml │ │ │ ├── quota.yaml │ │ │ ├── shipping-dev │ │ │ ├── job-creator-role.yaml │ │ │ ├── job-creator-rolebinding.yaml │ │ │ └── namespace.yaml │ │ │ ├── shipping-prod │ │ │ ├── fulfillmentcenter.yaml │ │ │ └── namespace.yaml │ │ │ └── shipping-staging │ │ │ ├── fulfillmentcenter.yaml │ │ │ └── namespace.yaml │ ├── sre-rolebinding.yaml │ ├── sre-supported-selector.yaml │ └── viewers-rolebinding.yaml └── system │ ├── README.md │ └── 
repo.yaml ├── hello-namespace ├── README.md ├── config-root │ ├── README.md │ ├── cluster │ │ └── README.md │ ├── clusterregistry │ │ └── README.md │ ├── namespaces │ │ ├── README.md │ │ └── hello │ │ │ └── namespace.yaml │ └── system │ │ ├── README.md │ │ └── repo.yaml └── setup │ └── hello-namespace │ └── config-management.yaml ├── helm-component ├── README.md ├── automated-rendering │ ├── README.md │ ├── base │ │ └── kustomization.yaml │ ├── ignore-deployment-mutation-patch.yaml │ └── kustomization.yaml └── manual-rendering │ ├── README.md │ ├── cert-manager │ └── manifests │ ├── README.md │ ├── cert-manager │ └── templates │ │ ├── cainjector-deployment.yaml │ │ ├── cainjector-rbac.yaml │ │ ├── cainjector-serviceaccount.yaml │ │ ├── deployment.yaml │ │ ├── rbac.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ ├── webhook-deployment.yaml │ │ ├── webhook-mutating-webhook.yaml │ │ ├── webhook-rbac.yaml │ │ ├── webhook-service.yaml │ │ ├── webhook-serviceaccount.yaml │ │ └── webhook-validating-webhook.yaml │ └── namespace-cert-manager.yaml ├── hierarchical-format ├── README.md ├── compiled │ ├── README.md │ ├── clusterrole_namespace-reader.yaml │ ├── clusterrole_secret-admin.yaml │ ├── clusterrole_secret-reader.yaml │ ├── clusterrolebinding_namespace-reader.yaml │ ├── customresourcedefinition_crontabs.stable.example.com.yaml │ ├── namespace_team-1.yaml │ ├── namespace_team-2.yaml │ ├── team-1 │ │ ├── crontab_my-new-cron-object.yaml │ │ ├── limitrange_limits.yaml │ │ ├── networkpolicy_default-deny-egress.yaml │ │ ├── resourcequota_pvc.yaml │ │ ├── rolebinding_secret-reader.yaml │ │ └── serviceaccount_sa.yaml │ └── team-2 │ │ ├── crontab_my-new-cron-object.yaml │ │ ├── limitrange_limits.yaml │ │ ├── networkpolicy_default-deny-all.yaml │ │ ├── resourcequota_pvc.yaml │ │ ├── rolebinding_secret-admin.yaml │ │ └── serviceaccount_sa.yaml └── config │ ├── README.md │ ├── cluster │ ├── clusterrole-namespace-reader.yaml │ ├── clusterrole-secret-admin.yaml │ ├── 
clusterrole-secret-reader.yaml │ ├── clusterrolebinding-namespace-reader.yaml │ └── crontab-crd.yaml │ ├── namespaces │ ├── limit-range.yaml │ ├── team-1 │ │ ├── crontab.yaml │ │ ├── namespace.yaml │ │ ├── network-policy-default-deny-egress.yaml │ │ ├── resource-quota-pvc.yaml │ │ ├── rolebinding-secret-reader.yaml │ │ └── sa.yaml │ └── team-2 │ │ ├── crontab.yaml │ │ ├── namespace.yaml │ │ ├── network-policy-default-deny-all.yaml │ │ ├── resource-quota-pvc.yaml │ │ ├── rolebinding-secret-admin.yaml │ │ └── sa.yaml │ └── system │ └── repo.yaml ├── kustomize-pipeline ├── README.md ├── build │ └── cloudbuild.yaml ├── config-management.yaml ├── deploy-config │ └── README.md └── source-config │ ├── bases │ └── roles │ │ ├── clusterrole-namespace-reader.yaml │ │ └── kustomization.yaml │ └── kustomization.yaml ├── locality-specific-policy ├── README.md ├── config-root │ ├── README.md │ ├── cluster │ │ ├── README.md │ │ ├── clusterrole.auditor.yaml │ │ └── clusterrolebinding.auditors.yaml │ ├── clusterregistry │ │ ├── README.md │ │ ├── cluster.belgium-2.yaml │ │ ├── cluster.belgium.yaml │ │ ├── cluster.iowa.yaml │ │ ├── cluster.taiwan.yaml │ │ ├── clusterselector.select-env-prod.yaml │ │ └── clusterselector.select-location-belgium.yaml │ ├── namespaces │ │ └── README.md │ └── system │ │ ├── README.md │ │ └── repo.yaml └── setup │ ├── belgium-2.config-management.yaml │ ├── belgium.config-management.yaml │ ├── iowa.config-management.yaml │ └── taiwan.config-management.yaml ├── multi-cluster-access-and-quota ├── README.md ├── docs │ └── architecture.png └── repos │ └── platform │ ├── configsync-src │ ├── all-clusters │ │ ├── all-namespaces │ │ │ ├── kustomization.yaml │ │ │ └── resource-quota.yaml │ │ ├── kustomization.yaml │ │ ├── namespaces.yaml │ │ └── namespaces │ │ │ ├── tenant-a │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ │ │ ├── tenant-b │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ │ │ └── tenant-c │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ └── 
clusters │ │ ├── cluster-east │ │ ├── kustomization.yaml │ │ └── namespaces │ │ │ ├── tenant-a │ │ │ ├── kustomization.yaml │ │ │ └── resource-quota.yaml │ │ │ ├── tenant-b │ │ │ └── kustomization.yaml │ │ │ └── tenant-c │ │ │ └── kustomization.yaml │ │ └── cluster-west │ │ ├── kustomization.yaml │ │ └── namespaces │ │ ├── tenant-a │ │ └── kustomization.yaml │ │ ├── tenant-b │ │ └── kustomization.yaml │ │ └── tenant-c │ │ └── kustomization.yaml │ ├── configsync │ └── clusters │ │ ├── cluster-east │ │ ├── namespaces │ │ │ ├── tenant-a │ │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ │ ├── tenant-b │ │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ │ └── tenant-c │ │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ ├── v1_namespace_tenant-a.yaml │ │ ├── v1_namespace_tenant-b.yaml │ │ └── v1_namespace_tenant-c.yaml │ │ └── cluster-west │ │ ├── namespaces │ │ ├── tenant-a │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ ├── tenant-b │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ └── tenant-c │ │ │ ├── rbac.authorization.k8s.io_v1_rolebinding_namespace-viewer.yaml │ │ │ └── v1_resourcequota_hard-limit.yaml │ │ ├── v1_namespace_tenant-a.yaml │ │ ├── v1_namespace_tenant-b.yaml │ │ └── v1_namespace_tenant-c.yaml │ └── scripts │ └── render.sh ├── multi-cluster-acm-setup └── README.md ├── multi-cluster-fan-out ├── README.md ├── docs │ └── architecture.png └── repos │ └── platform │ └── configsync │ └── all-clusters │ ├── namespaces.yaml │ └── namespaces │ ├── tenant-a │ ├── quota.yaml │ └── rbac.yaml │ ├── tenant-b │ ├── quota.yaml │ └── rbac.yaml │ └── tenant-c │ ├── quota.yaml │ └── rbac.yaml ├── 
multi-cluster-ingress ├── README.md ├── docs │ └── architecture.png └── repos │ ├── platform │ ├── configsync-src │ │ ├── all-clusters │ │ │ ├── gke-networking-rbac.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespaces.yaml │ │ └── clusters │ │ │ ├── cluster-east │ │ │ └── kustomization.yaml │ │ │ └── cluster-west │ │ │ └── kustomization.yaml │ ├── configsync │ │ └── clusters │ │ │ ├── cluster-east │ │ │ └── v1_namespace_zoneprinter.yaml │ │ │ └── cluster-west │ │ │ └── v1_namespace_zoneprinter.yaml │ └── scripts │ │ └── render.sh │ └── zoneprinter │ ├── configsync-src │ ├── all-clusters │ │ └── namespaces │ │ │ └── zoneprinter │ │ │ ├── kustomization.yaml │ │ │ └── zoneprinter-deployment.yaml │ └── clusters │ │ ├── cluster-east │ │ └── namespaces │ │ │ └── zoneprinter │ │ │ └── kustomization.yaml │ │ └── cluster-west │ │ └── namespaces │ │ └── zoneprinter │ │ ├── kustomization.yaml │ │ └── mci.yaml │ ├── configsync │ └── clusters │ │ ├── cluster-east │ │ └── namespaces │ │ │ └── zoneprinter │ │ │ └── apps_v1_deployment_zoneprinter.yaml │ │ └── cluster-west │ │ └── namespaces │ │ └── zoneprinter │ │ ├── apps_v1_deployment_zoneprinter.yaml │ │ ├── networking.gke.io_v1_multiclusteringress_zoneprinter.yaml │ │ └── networking.gke.io_v1_multiclusterservice_zoneprinter.yaml │ └── scripts │ └── render.sh ├── multi-environments-kustomize ├── README.md ├── cleanup.sh ├── cloud-build-rendering │ ├── cloudbuilder-kustomize │ │ └── Dockerfile │ └── install-config │ │ ├── config-management-dev.yaml │ │ └── config-management-prod.yaml ├── config-source │ ├── README.md │ ├── base │ │ ├── foo │ │ │ ├── kustomization.yaml │ │ │ ├── namespace.yaml │ │ │ └── serviceaccount.yaml │ │ ├── kustomization.yaml │ │ ├── pod-creator-clusterrole.yaml │ │ └── pod-creator-rolebinding.yaml │ ├── cloudbuild.yaml │ └── overlays │ │ ├── dev │ │ └── kustomization.yaml │ │ └── prod │ │ └── kustomization.yaml ├── config-sync-rendering │ └── install-config │ │ ├── config-management-dev.yaml │ │ └── 
config-management-prod.yaml ├── create-clusters.sh ├── create-repos.sh ├── install-config-sync.sh ├── register-clusters.sh └── secret-manager-git.sh ├── namespace-inheritance ├── README.md ├── compiled │ ├── analytics │ │ ├── networkpolicy_allow-gamestore-ingress.yaml │ │ ├── networkpolicy_default-deny-all-traffic.yaml │ │ ├── resourcequota_quota.yaml │ │ ├── role_eng-viewer.yaml │ │ ├── rolebinding_eng-admin.yaml │ │ └── rolebinding_viewers.yaml │ ├── clusterrole_foo-admin.yaml │ ├── clusterrole_namespace-reader.yaml │ ├── clusterrole_rbac-viewer.yaml │ ├── clusterrolebinding_namespace-readers.yaml │ ├── clusterrolebinding_rbac-viewers.yaml │ ├── gamestore │ │ ├── configmap_store-inventory.yaml │ │ ├── networkpolicy_allow-gamestore-ingress.yaml │ │ ├── networkpolicy_default-deny-all-traffic.yaml │ │ ├── resourcequota_quota.yaml │ │ ├── role_eng-viewer.yaml │ │ ├── rolebinding_bob-rolebinding.yaml │ │ ├── rolebinding_eng-admin.yaml │ │ └── rolebinding_viewers.yaml │ ├── incubator-1 │ │ ├── networkpolicy_default-deny-all-traffic.yaml │ │ ├── role_incubator-1-admin.yaml │ │ └── rolebinding_viewers.yaml │ ├── incubator-2 │ │ ├── networkpolicy_default-deny-all-traffic.yaml │ │ └── rolebinding_viewers.yaml │ ├── namespace_analytics.yaml │ ├── namespace_gamestore.yaml │ ├── namespace_incubator-1.yaml │ └── namespace_incubator-2.yaml └── config │ ├── cluster │ ├── admin-clusterrole.yaml │ ├── namespace-reader-clusterrole.yaml │ ├── namespace-reader-clusterrolebinding.yaml │ ├── rbac-viewer-clusterrole.yaml │ └── rbac-viewers.yaml │ ├── namespaces │ ├── eng │ │ ├── analytics │ │ │ └── namespace.yaml │ │ ├── eng-role.yaml │ │ ├── eng-roleinding.yaml │ │ ├── gamestore │ │ │ ├── bob-rolebinding.yaml │ │ │ ├── inventory-configmap.yaml │ │ │ └── namespace.yaml │ │ ├── network-policy-allow-gamestore-ingress.yaml │ │ ├── quota.yaml │ │ └── selectors.yaml │ ├── network-policy-default-deny-all.yaml │ ├── rnd │ │ ├── incubator-1 │ │ │ ├── incubator-1-admin-role.yaml │ │ │ └── 
namespace.yaml │ │ └── incubator-2 │ │ │ └── namespace.yaml │ └── viewers-rolebinding.yaml │ └── system │ ├── README.md │ └── repo.yaml ├── namespace-specific-policy ├── README.md ├── automated-rendering │ ├── README.md │ ├── configsync-src │ └── kustomization.yaml ├── configsync-src │ ├── example │ │ ├── base │ │ │ ├── kustomization.yaml │ │ │ ├── namespace.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── role.yaml │ │ │ └── rolebinding.yaml │ │ ├── kustomization.yaml │ │ ├── team-a │ │ │ └── kustomization.yaml │ │ ├── team-b │ │ │ └── kustomization.yaml │ │ └── team-c │ │ │ └── kustomization.yaml │ ├── external-data.txt │ └── external-team │ │ └── kustomization.yaml └── manual-rendering │ ├── README.md │ ├── configsync │ ├── external-team_networking.k8s.io_v1_networkpolicy_deny-all.yaml │ ├── external-team_rbac.authorization.k8s.io_v1_role_team-admin.yaml │ ├── external-team_rbac.authorization.k8s.io_v1_rolebinding_team-admin-rolebinding.yaml │ ├── my-namespace_v1_configmap_my-configmap-5f4h4hkd89.yaml │ ├── team-a_networking.k8s.io_v1_networkpolicy_deny-all.yaml │ ├── team-a_rbac.authorization.k8s.io_v1_role_team-admin.yaml │ ├── team-a_rbac.authorization.k8s.io_v1_rolebinding_team-admin-rolebinding.yaml │ ├── team-b_networking.k8s.io_v1_networkpolicy_deny-all.yaml │ ├── team-b_rbac.authorization.k8s.io_v1_role_team-admin.yaml │ ├── team-b_rbac.authorization.k8s.io_v1_rolebinding_team-admin-rolebinding.yaml │ ├── team-c_networking.k8s.io_v1_networkpolicy_deny-all.yaml │ ├── team-c_rbac.authorization.k8s.io_v1_role_team-admin.yaml │ ├── team-c_rbac.authorization.k8s.io_v1_rolebinding_team-admin-rolebinding.yaml │ ├── v1_namespace_external-team.yaml │ ├── v1_namespace_team-a.yaml │ ├── v1_namespace_team-b.yaml │ └── v1_namespace_team-c.yaml │ └── scripts │ └── render.sh ├── pre-sync └── oci-image-verification │ ├── Dockerfile │ ├── README.md │ ├── go.mod │ ├── go.sum │ ├── main.go │ ├── signature-verification-deployment.yaml │ └── 
signature-verification-validatingwebhookconfiguration.yaml ├── quickstart ├── README.md ├── config-sync │ ├── namespaces │ │ └── hello.yaml │ └── policies │ │ └── no-ext-services.yaml └── resources │ └── service.yaml ├── screenshots ├── ci-app-pipeline.svg ├── hello-namespace.svg └── locality-specific-policy.svg └── third_party └── cert-manager ├── Chart.yaml ├── LICENSE ├── README.md ├── templates ├── NOTES.txt ├── _helpers.tpl ├── cainjector-deployment.yaml ├── cainjector-psp-clusterrole.yaml ├── cainjector-psp-clusterrolebinding.yaml ├── cainjector-psp.yaml ├── cainjector-rbac.yaml ├── cainjector-serviceaccount.yaml ├── crds.yaml ├── deployment.yaml ├── psp-clusterrole.yaml ├── psp-clusterrolebinding.yaml ├── psp.yaml ├── rbac.yaml ├── service.yaml ├── serviceaccount.yaml ├── servicemonitor.yaml ├── webhook-deployment.yaml ├── webhook-mutating-webhook.yaml ├── webhook-psp-clusterrole.yaml ├── webhook-psp-clusterrolebinding.yaml ├── webhook-psp.yaml ├── webhook-rbac.yaml ├── webhook-service.yaml ├── webhook-serviceaccount.yaml └── webhook-validating-webhook.yaml └── values.yaml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | 2 | # See https://help.github.com/en/articles/about-code-owners 3 | # for more info about CODEOWNERS file. 4 | 5 | # These owners will be the default owners for everything in 6 | # the repo. Unless a later match takes precedence. 7 | * @GoogleCloudPlatform/anthos-dpe @janetkuo 8 | -------------------------------------------------------------------------------- /.github/SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | To report a security issue, please use [g.co/vulnz](https://g.co/vulnz). 4 | 5 | The Google Security Team will respond within 5 working days of your report on g.co/vulnz. 
6 | 7 | We use g.co/vulnz for our intake, and do coordination and disclosure here using GitHub Security Advisory to privately discuss and fix the issue. 8 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base" 4 | ] 5 | } 6 | -------------------------------------------------------------------------------- /.github/snippet-bot.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | dev-key.json 2 | prod-key.json 3 | env 4 | -------------------------------------------------------------------------------- /asm-acm-tutorial/ingress-gateway/init/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_ingress_gateway_init_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization # empty Kustomization: this file lists no resources, components or patches 18 | # [END anthosconfig_ingress_gateway_init_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/online-boutique/init/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_online_boutique_init_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization # empty Kustomization: this file lists no resources, components or patches 18 | # [END anthosconfig_online_boutique_init_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/deploy-authorization-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_root_sync_deploy_authorization_policies_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: # base layer: everything rendered by the sibling directory below is included as-is 19 | - ../fix-default-deny-authorization-policy 20 | components: # subdirectories of this directory, each with its own kustomization.yaml (contents not shown in this part of the listing) 21 | - ingress-gateway 22 | - online-boutique 23 | # [END anthosconfig_root_sync_deploy_authorization_policies_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/deployments/ingress-gateway/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_deployments_ingress_gateway_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component # overlay fragment; takes effect when a Kustomization lists this directory under components: 18 | patchesJson6902: # NOTE(review): newer Kustomize releases deprecate this field in favour of patches: - confirm the Kustomize version used for rendering before migrating 19 | - target: 20 | kind: RepoSync # NOTE(review): spec.git.dir decides which repo directory is synced into the namespace, so a change to the value below changes what gets applied there 21 | name: repo-sync 22 | namespace: asm-ingress # only the RepoSync named repo-sync in this namespace is patched 23 | patch: |- # JSON Patch replace fails unless /spec/git/dir already exists on the target object 24 | - op: replace 25 | path: /spec/git/dir 26 | value: asm-acm-tutorial/ingress-gateway/deployments 27 | # [END anthosconfig_deployments_ingress_gateway_kustomization_component] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/deployments/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_root_sync_deployments_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: # base layer: whatever ../init renders (not shown in this part of the listing) 19 | - ../init 20 | components: # each Component below replaces spec.git.dir on one RepoSync named repo-sync 21 | - online-boutique 22 | - ingress-gateway 23 | # [END anthosconfig_root_sync_deployments_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/deployments/online-boutique/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_deployments_online_boutique_kustomization_component] 16 | apiVersion: kustomize.config.k8s.io/v1alpha1 17 | kind: Component # overlay fragment; takes effect when a Kustomization lists this directory under components: 18 | patchesJson6902: # NOTE(review): newer Kustomize releases deprecate this field in favour of patches: - confirm the Kustomize version used for rendering before migrating 19 | - target: 20 | kind: RepoSync # NOTE(review): spec.git.dir decides which repo directory is synced into the namespace, so a change to the value below changes what gets applied there 21 | name: repo-sync 22 | namespace: onlineboutique # only the RepoSync named repo-sync in this namespace is patched 23 | patch: |- # JSON Patch replace fails unless /spec/git/dir already exists on the target object 24 | - op: replace 25 | path: /spec/git/dir 26 | value: asm-acm-tutorial/online-boutique/deployments 27 | # [END anthosconfig_deployments_online_boutique_kustomization_component] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-authorization-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_root_sync_enforce_authorization_policies_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: # the ../fix-strict-mtls layer plus the files collected by policies/kustomization.yaml 19 | - ../fix-strict-mtls 20 | - policies 21 | # [END anthosconfig_root_sync_enforce_authorization_policies_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-authorization-policies/policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_enforce_authorization_policies_policies_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: # two files from this directory; presumably policy constraints, their contents are not shown here - TODO confirm 19 | - default-deny-authorization-policies.yaml 20 | - authz-source-principals-not-all.yaml 21 | # [END anthosconfig_enforce_authorization_policies_policies_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-sidecar-injection/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_root_sync_enforce_sidecar_injection_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: # the ../deployments layer plus two files defined in this directory 19 | - ../deployments 20 | - namespace-sidecar-injection-label.yaml 21 | - pod-sidecar-injection-annotation.yaml 22 | # [END anthosconfig_root_sync_enforce_sidecar_injection_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-strict-mtls/gatekeeper-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_enforce_strict_mtls_gatekeeper_system_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | namespace: gatekeeper-system 19 | resources: 20 | - config-referential-constraints.yaml 21 | - namespace.yaml 22 | # [END anthosconfig_enforce_strict_mtls_gatekeeper_system_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-strict-mtls/gatekeeper-system/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_gatekeeper_system_namespace_namespace_gatekeeper_system] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: gatekeeper-system 20 | # [END anthosconfig_gatekeeper_system_namespace_namespace_gatekeeper_system] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-strict-mtls/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_root_sync_enforce_strict_mtls_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../enforce-sidecar-injection 20 | - gatekeeper-system 21 | - policies 22 | # [END anthosconfig_root_sync_enforce_strict_mtls_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/enforce-strict-mtls/policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_enforce_strict_mtls_policies_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - destinationrule-tls-enabled.yaml 20 | - mesh-level-strict-mtls.yaml 21 | - peerauthentication-strict-mtls.yaml 22 | # [END anthosconfig_enforce_strict_mtls_policies_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-default-deny-authorization-policy/default-deny-authorization-policy/authorizationpolicy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
# [START anthosconfig_with_default_deny_authorization_policy_authorizationpolicy_authorizationpolicy_deny_all]
# Default-deny baseline for Istio authorization.
# The manifest sets no namespace itself; the kustomization.yaml beside it
# applies `namespace: istio-system`. If istio-system is the mesh root namespace
# (Istio's default; confirm meshConfig.rootNamespace), the policy covers every
# workload in the mesh rather than a single namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
# An empty spec means action ALLOW with no rules, so no request can match it.
# Every request to a workload in scope is then rejected unless another ALLOW
# policy selects that workload and matches the request. Sync the per-workload
# ALLOW policies first, and watch for HTTP 403 "RBAC: access denied" responses
# after rollout.
spec: {}
# [END anthosconfig_with_default_deny_authorization_policy_authorizationpolicy_authorizationpolicy_deny_all]
-------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-default-deny-authorization-policy/default-deny-authorization-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | 15 | # [START anthosconfig_fix_default_deny_authorization_policy_default_deny_authorization_policy_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - authorizationpolicy.yaml 20 | namespace: istio-system 21 | # [END anthosconfig_fix_default_deny_authorization_policy_default_deny_authorization_policy_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-default-deny-authorization-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_root_sync_fix_default_deny_authorization_policy_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../enforce-authorization-policies 20 | - default-deny-authorization-policy 21 | # [END anthosconfig_root_sync_fix_default_deny_authorization_policy_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-strict-mtls/enable-mesh-strict-mtls/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
# [START anthosconfig_fix_strict_mtls_enable_mesh_strict_mtls_kustomization_kustomization]
# Places the PeerAuthentication from peerauthentication.yaml in istio-system.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: istio-system
resources:
- peerauthentication.yaml
# [END anthosconfig_fix_strict_mtls_enable_mesh_strict_mtls_kustomization_kustomization]
-------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-strict-mtls/enable-mesh-strict-mtls/peerauthentication.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
# [START anthosconfig_enable_mesh_strict_mtls_peerauthentication_peerauthentication_default]
# Mesh-wide mutual-TLS default.
# The policy has no selector, and the kustomization.yaml beside it sets
# `namespace: istio-system`. If istio-system is the mesh root namespace
# (Istio's default; confirm meshConfig.rootNamespace), it applies to every
# workload in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    # STRICT: sidecars accept only mutual-TLS connections; plaintext callers,
    # such as pods without an injected sidecar, are refused.
    # A PeerAuthentication scoped to a namespace or workload takes precedence
    # over this default. The constraints under enforce-strict-mtls/policies
    # presumably exist to keep such overrides from weakening it (confirm there).
    mode: STRICT
# [END anthosconfig_enable_mesh_strict_mtls_peerauthentication_peerauthentication_default]
-------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/fix-strict-mtls/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_root_sync_fix_strict_mtls_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../enforce-strict-mtls 20 | - enable-mesh-strict-mtls 21 | # [END anthosconfig_root_sync_fix_strict_mtls_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/init/ingress-gateway-repo-sync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_init_ingress_gateway_repo_sync_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - reposync.yaml 20 | - reposync-namespace.yaml 21 | - reposync-role-binding.yaml 22 | namespace: asm-ingress 23 | # [END anthosconfig_init_ingress_gateway_repo_sync_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/init/ingress-gateway-repo-sync/reposync-namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_ingress_gateway_repo_sync_reposync_namespace_namespace_asm_ingress] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: asm-ingress 20 | labels: 21 | istio-injection: enabled 22 | # [END anthosconfig_ingress_gateway_repo_sync_reposync_namespace_namespace_asm_ingress] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/init/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_root_sync_init_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - online-boutique-repo-sync 20 | - ingress-gateway-repo-sync 21 | - istio-clusterrole.yaml 22 | # [END anthosconfig_root_sync_init_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/init/online-boutique-repo-sync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_init_online_boutique_repo_sync_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - reposync.yaml 20 | - reposync-namespace.yaml 21 | - reposync-role-binding.yaml 22 | namespace: onlineboutique 23 | # [END anthosconfig_init_online_boutique_repo_sync_kustomization_kustomization] -------------------------------------------------------------------------------- /asm-acm-tutorial/root-sync/init/online-boutique-repo-sync/reposync-namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_online_boutique_repo_sync_reposync_namespace_namespace_onlineboutique] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: onlineboutique 20 | labels: 21 | istio-injection: enabled 22 | # [END anthosconfig_online_boutique_repo_sync_reposync_namespace_namespace_onlineboutique] -------------------------------------------------------------------------------- /ci-app/acm-repo/README.md: -------------------------------------------------------------------------------- 1 | # Anthos Configuration Management Directory 2 | 3 | This is the root directory for Anthos Configuration Management. 
4 | 5 | See [our documentation](https://cloud.google.com/anthos-config-management/docs/repo) for how to use each subdirectory. 6 | -------------------------------------------------------------------------------- /ci-app/acm-repo/clusterregistry/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/ci-app/acm-repo/clusterregistry/.gitkeep -------------------------------------------------------------------------------- /ci-app/acm-repo/namespaces/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/ci-app/acm-repo/namespaces/.gitkeep -------------------------------------------------------------------------------- /ci-app/acm-repo/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 4 | -------------------------------------------------------------------------------- /ci-app/acm-repo/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_app_repo] 15 | apiVersion: configmanagement.gke.io/v1 16 | kind: Repo 17 | metadata: 18 | name: repo 19 | spec: 20 | version: 1.0.0 21 | # [END anthosconfig_ci_app_repo] 22 | -------------------------------------------------------------------------------- /ci-app/app-repo/config/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_config_base_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - deployment.yaml 20 | # [END anthosconfig_config_base_kustomization_kustomization] -------------------------------------------------------------------------------- /ci-app/app-repo/config/prod/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_config_prod_kustomization_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | bases: 19 | - ../base 20 | # [END anthosconfig_config_prod_kustomization_kustomization] 21 | -------------------------------------------------------------------------------- /ci-pipeline-unstructured/README.md: -------------------------------------------------------------------------------- 1 | # CI Pipeline - Unstructured 2 | 3 | This is an example for how to create a CloudBuild CI pipeline on an unstructured directory, so called because the config-root of this directory does not follow the ACM repo structure. 4 | We will change the ConfigMap to adhere to the OPA Gatekeeper constraint. 5 | 6 | See [our documentation](https://cloud.google.com/anthos-config-management/docs/how-to/policy-agent-ci-pipeline) for how to set up this example. 7 | 8 | ## Config Overview 9 | 10 | This repository contains the following files. 
11 | 12 | ```console 13 | ci-pipeline-unstructured/ 14 | ├── config-root 15 | │   ├── configmap.yaml 16 | │   └── constraints 17 | │   ├── banned-key-constraint.yaml # OPA Gatekeeper constraint to ban secrets in ConfigMaps 18 | │   └── banned-key-template.yaml # OPA Gatekeeper template for banned ConfigMap keys 19 | ├── cloudbuild.yaml # CloudBuild configuration file with which to set up a trigger 20 | └── README.md 21 | ``` 22 | -------------------------------------------------------------------------------- /ci-pipeline-unstructured/config-root/configmap.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_unstructured_configmap] 15 | apiVersion: v1 16 | kind: ConfigMap 17 | metadata: 18 | name: super-secret 19 | namespace: default 20 | data: 21 | private_key: sensitive data goes here 22 | # [END anthosconfig_ci_pipeline_unstructured_configmap] 23 | -------------------------------------------------------------------------------- /ci-pipeline-unstructured/config-root/constraints/banned-key-constraint.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
# [START anthosconfig_ci_pipeline_unstructured_no_secrets_in_configmap]
# Gatekeeper constraint that rejects ConfigMaps carrying a banned data key.
# config-root/configmap.yaml in this sample sets `private_key` on purpose, so
# the pipeline's policy check is expected to fail until that key is removed.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBannedConfigMapKeysV1
metadata:
  name: no-secrets-in-configmap
spec:
  # No enforcementAction is set, so Gatekeeper's default (deny) applies.
  match:
    kinds:
    # "" is the core API group, where ConfigMap is defined.
    - apiGroups: [""]
      kinds: ["ConfigMap"]
  parameters:
    # The check is by key name only: it flags the names listed here and nothing
    # else. Treat it as a guard rail alongside secret scanning of values; it
    # does not establish that a ConfigMap holds no sensitive data.
    keys:
    - private_key
# [END anthosconfig_ci_pipeline_unstructured_no_secrets_in_configmap]
-------------------------------------------------------------------------------- /ci-pipeline/config-root/cluster/namespace-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | # [START anthosconfig_ci_pipeline_namespace_reader] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-reader 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["namespaces"] 22 | verbs: ["get", "watch", "list"] 23 | # [END anthosconfig_ci_pipeline_namespace_reader] 24 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/cluster/namespace-reader-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
# [START anthosconfig_ci_pipeline_namespace_readers]
# Cluster-wide binding of the namespace-reader ClusterRole (get/watch/list on
# namespaces) to a single named user. Binding a group instead of an individual
# keeps access tied to membership rather than to this manifest.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-readers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: cheryl@foo-corp.com
# [END anthosconfig_ci_pipeline_namespace_readers]
-------------------------------------------------------------------------------- /ci-pipeline/config-root/cluster/pod-creator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
# [START anthosconfig_ci_pipeline_pod_creator]
# ClusterRole referenced by the `pod-creators` RoleBinding under
# namespaces/online/shipping-app-backend. Through a RoleBinding the grant is
# limited to the namespace(s) where that binding is created.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-creator
rules:
- apiGroups: [""]
  resources: ["pods"]
  # Despite the role's name, "*" grants every verb on pods (delete,
  # deletecollection, patch, ...), not only create. Anyone who can create pods
  # in a namespace can also run them under any ServiceAccount there and mount
  # that namespace's Secrets, so list the verbs explicitly if bound subjects
  # only need to launch pods.
  verbs: ["*"]
# [END anthosconfig_ci_pipeline_pod_creator]
-------------------------------------------------------------------------------- /ci-pipeline/config-root/cluster/pod-security-policy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
# [START anthosconfig_ci_pipeline_pod_security_policy]
# Sample PodSecurityPolicy whose only restriction is on privileged containers.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes
# v1.21 and removed in v1.25. On current clusters this manifest is rejected and
# the equivalent control is Pod Security Admission or a Gatekeeper constraint.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp
spec:
  # The only setting here that restricts anything: no privileged containers.
  privileged: false
  # RunAsAny on the four strategies below leaves user, group and SELinux
  # context unconstrained, so containers may run as root (UID 0).
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # "*" admits every volume type, hostPath included. allowPrivilegeEscalation
  # is not set either, and PSP allows escalation by default. Treat this as a
  # syntax example for the CI pipeline, not as a hardening baseline.
  volumes:
  - "*"
# [END anthosconfig_ci_pipeline_pod_security_policy]
-------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/audit/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | # [START anthosconfig_ci_pipeline_audit] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: audit 19 | labels: 20 | cost-center: "audit.foo-corp.com" 21 | # [END anthosconfig_ci_pipeline_audit] 22 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/pod-creator-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_pod_creators] 15 | kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: pod-creators 19 | subjects: 20 | - kind: User 21 | name: bob@foo-corp.com 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: pod-creator 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_ci_pipeline_pod_creators] 28 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_quota] 15 | kind: ResourceQuota 16 | apiVersion: v1 17 | metadata: 18 | name: backend-quota 19 | spec: 20 | hard: 21 | pods: "3" 22 | cpu: "1" 23 | memory: 1Gi 24 | # [END anthosconfig_ci_pipeline_quota] 25 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-dev/job-creator-role.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
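# [START anthosconfig_ci_pipeline_shipping_dev_job_creator]
# Role "job-creator": full control over Job objects. No metadata.namespace is
# set here; the file sits under the shipping-dev directory, so the namespace is
# presumably taken from the repo layout (confirm against the sync mode in use).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: job-creator
rules:
# apiGroups takes the API group name only ("batch"), never "group/version".
# The previous value "batch/v1" matches no API group, so the rule granted
# nothing and subjects bound to this Role could not touch Jobs at all.
- apiGroups: ["batch"]
  resources: ["jobs"]
  # "*" covers every verb on Jobs, delete and deletecollection included.
  # Creating a Job creates pods in the namespace, so treat a binding to this
  # Role as permission to run workloads there, not just to manage Job objects.
  verbs:
  - "*"
# [END anthosconfig_ci_pipeline_shipping_dev_job_creator]
25 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-dev/job-creator-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.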
14 | # [START anthosconfig_ci_pipeline_shipping_dev_job_creators] 15 | kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: job-creators 19 | subjects: 20 | - kind: User 21 | name: sam@foo-corp.com 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: Role 25 | name: job-creator 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_ci_pipeline_shipping_dev_job_creators] 28 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-dev/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_ci_pipeline_shipping_dev_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-dev 19 | labels: 20 | cost-center: "shipping.foo-corp.com" 21 | # [END anthosconfig_ci_pipeline_shipping_dev_namespace] 22 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-prod/fulfillmentcenter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_shipping_prod_fulfillment_center] 15 | kind: FulfillmentCenter 16 | apiVersion: foo-corp.com/v1 17 | metadata: 18 | name: production 19 | spec: 20 | address: "100 Industry St." 21 | # [END anthosconfig_ci_pipeline_shipping_prod_fulfillment_center] 22 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-prod/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_shipping_prod_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-prod 19 | labels: 20 | env: prod 21 | annotations: 22 | audit: "true" 23 | # [END anthosconfig_ci_pipeline_shipping_prod_namespace] 24 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-staging/fulfillmentcenter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_shipping_staging_fulfillment_center] 15 | kind: FulfillmentCenter 16 | apiVersion: foo-corp.com/v1 17 | metadata: 18 | name: staging 19 | spec: 20 | address: "100 Main St." 
21 | # [END anthosconfig_ci_pipeline_shipping_staging_fulfillment_center] 22 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/online/shipping-app-backend/shipping-staging/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_shipping_staging_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-staging 19 | labels: 20 | cost-center: "shipping.foo-corp.com" 21 | # [END anthosconfig_ci_pipeline_shipping_staging_namespace] 22 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/sre-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
# [START anthosconfig_ci_pipeline_sre_admin]
# RoleBinding "sre-admin": grants the group sre@foo-corp.com the ClusterRole
# "admin" inside each namespace where this binding is actuated.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sre-admin
  annotations:
    # Limits actuation to namespaces matched by the NamespaceSelector named
    # "sre-supported" (defined in sre-supported-selector.yaml, where it matches
    # the label env: prod). Whoever controls that label on a namespace also
    # controls where this grant lands.
    configmanagement.gke.io/namespace-selector: sre-supported
subjects:
- kind: Group
  name: sre@foo-corp.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  # "admin" is the built-in user-facing ClusterRole: read/write on most
  # namespaced resources, including Secrets and the namespace's own Roles and
  # RoleBindings. Because it is bound through a RoleBinding, the grant is
  # scoped to the namespace rather than the cluster.
  name: admin
  apiGroup: rbac.authorization.k8s.io
# [END anthosconfig_ci_pipeline_sre_admin]
30 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/sre-supported-selector.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | # [START anthosconfig_ci_pipeline_sre_supported] 15 | kind: NamespaceSelector 16 | apiVersion: configmanagement.gke.io/v1 17 | metadata: 18 | name: sre-supported 19 | spec: 20 | selector: 21 | matchLabels: 22 | env: prod 23 | # [END anthosconfig_ci_pipeline_sre_supported] 24 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/namespaces/viewers-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_viewers] 15 | kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: viewers 19 | subjects: 20 | - kind: Group 21 | name: system:serviceaccounts:audit 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: view 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_ci_pipeline_viewers] 28 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 
4 | -------------------------------------------------------------------------------- /ci-pipeline/config-root/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_ci_pipeline_repo] 15 | apiVersion: configmanagement.gke.io/v1 16 | kind: Repo 17 | metadata: 18 | name: repo 19 | spec: 20 | version: 1.0.0 21 | # [END anthosconfig_ci_pipeline_repo] 22 | -------------------------------------------------------------------------------- /config-controller-quickstart/pubsub-api.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_config_controller_quickstart_pubsub_api] 16 | apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 17 | kind: Service 18 | metadata: 19 | name: pubsub.googleapis.com 20 | namespace: config-control 21 | # [END anthosconfig_config_controller_quickstart_pubsub_api] 22 | -------------------------------------------------------------------------------- /config-controller-quickstart/pubsub-topic.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_config_controller_quickstart_pubsub_topic] 16 | apiVersion: pubsub.cnrm.cloud.google.com/v1beta1 17 | kind: PubSubTopic 18 | metadata: 19 | name: pubsub-topic-sample-sync 20 | namespace: config-control 21 | # [END anthosconfig_config_controller_quickstart_pubsub_topic] 22 | -------------------------------------------------------------------------------- /config-sync-quickstart/README.md: -------------------------------------------------------------------------------- 1 | See https://cloud.google.com/anthos-config-management/docs/quickstart to get started. 
2 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/namespaces/gamestore/configmap-inventory.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_config_sync_quickstart_multirepo_gamestore_configmap_inventory] 15 | apiVersion: v1 16 | kind: ConfigMap 17 | metadata: 18 | name: store-inventory 19 | namespace: gamestore 20 | annotations: 21 | marketplace.com/comments: "What about chess?" 22 | data: 23 | single_player: "20" 24 | cooperative: "60" 25 | competitive: "300" 26 | # [END anthosconfig_config_sync_quickstart_multirepo_gamestore_configmap_inventory] 27 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/namespaces/gamestore/webstore.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_config_sync_quickstart_multirepo_gamestore_webstore] 15 | kind: WebStore 16 | apiVersion: marketplace.com/v2 17 | metadata: 18 | name: gameplace 19 | namespace: gamestore 20 | spec: 21 | product: "boardgames" 22 | employees: 5 23 | # [END anthosconfig_config_sync_quickstart_multirepo_gamestore_webstore] 24 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/root/acm-monitor/namespace-monitoring.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_config_sync_quickstart_multirepo_root_acm_monitor_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: monitoring 19 | # [END anthosconfig_config_sync_quickstart_multirepo_root_acm_monitor_namespace] 20 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/root/clusterrole-namespace-reader.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_config_sync_quickstart_multirepo_root_cluster_role_namespace_reader] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-reader 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["namespaces"] 22 | verbs: ["get", "watch", "list"] 23 | # [END anthosconfig_config_sync_quickstart_multirepo_root_cluster_role_namespace_reader] 24 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/root/clusterrole-webstore-admin.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_config_sync_quickstart_multirepo_root_cluster_role_webstore_admin] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: webstore-admin 19 | rules: 20 | - apiGroups: ["marketplace.com"] 21 | resources: ["webstores"] 22 | verbs: 23 | - "*" 24 | # [END anthosconfig_config_sync_quickstart_multirepo_root_cluster_role_webstore_admin] 25 | -------------------------------------------------------------------------------- /config-sync-quickstart/multirepo/root/namespace-gamestore.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_config_sync_quickstart_multirepo_root_namespace_gamestore] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: gamestore 19 | # [END anthosconfig_config_sync_quickstart_multirepo_root_namespace_gamestore] 20 | -------------------------------------------------------------------------------- /fleet-tenancy/config/backend-namespace-selector.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | apiVersion: configmanagement.gke.io/v1 15 | kind: NamespaceSelector 16 | metadata: 17 | name: backend-scope 18 | spec: 19 | mode: dynamic 20 | selector: 21 | matchLabels: 22 | fleet.gke.io/fleet-scope: backend # Change the value of this label selector to match different scopes by scope name 23 | -------------------------------------------------------------------------------- /fleet-tenancy/config/backend-network-policy.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 |
# [START anthosconfig_config_example]
# NetworkPolicy "be-deny-all", actuated in the namespaces matched by the
# "backend-scope" NamespaceSelector.
#
# NOTE(review): despite the name, this is not a deny-all policy. It selects
# every pod in the namespace and carries one ingress rule that admits traffic
# from any pod in the same namespace. The effect is that ingress from other
# namespaces and from outside the cluster is dropped while traffic inside the
# namespace stays open. A default-deny ingress policy would carry no ingress
# rules at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: be-deny-all
  annotations:
    configmanagement.gke.io/namespace-selector: backend-scope # Actuate this resource in the namespaces with labels matched by the namespace selector
spec:
  ingress:
  - from:
    # An empty podSelector with no namespaceSelector matches all pods in the
    # policy's own namespace only.
    - podSelector: {}
  # matchLabels: null is an empty selector, so the policy applies to every pod
  # in the namespace.
  podSelector:
    matchLabels: null
  # No policyTypes and no egress section: only ingress is governed and egress
  # from these pods is unrestricted.
  # NOTE(review): the policy has an effect only where the cluster's network
  # plugin enforces NetworkPolicy; confirm enforcement is enabled on the
  # target clusters.
# [END anthosconfig_config_example]
29 | -------------------------------------------------------------------------------- /fleet-tenancy/config/frontend-namespace-selector.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License.
14 | apiVersion: configmanagement.gke.io/v1 15 | kind: NamespaceSelector 16 | metadata: 17 | name: frontend-scope 18 | spec: 19 | mode: dynamic 20 | selector: 21 | matchLabels: 22 | fleet.gke.io/fleet-scope: frontend # Change the value of this label selector to match different scopes by scope name 23 | -------------------------------------------------------------------------------- /fleet-tenancy/config/frontend-resource-quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/ 15 | kind: ResourceQuota 16 | apiVersion: v1 17 | metadata: 18 | name: fe-quota 19 | annotations: 20 | configmanagement.gke.io/namespace-selector: frontend-scope # Actuate this resource in the namespaces with labels matched by the namespace selector 21 | spec: 22 | hard: 23 | persistentvolumeclaims: "6" 24 | -------------------------------------------------------------------------------- /fleet-tenancy/images/fleet-tenancy-resources.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/fleet-tenancy/images/fleet-tenancy-resources.png -------------------------------------------------------------------------------- /fleet-tenancy/teams/backend/bookstore/config.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | kind: ConfigMap 15 | apiVersion: v1 16 | metadata: 17 | name: bookstore-config 18 | data: 19 | bookstore.property.1: hello 20 | bookstore.property.2: world 21 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/1-fleet/README.md: -------------------------------------------------------------------------------- 1 | # Set up your fleet 2 | 3 | The Terraform configurations in this directory set up a fleet, along with a list of enabled API services, and a service account that Terraform can use to access the Google Cloud APIs. 4 | 5 | ## Usage 6 | 7 | See the [variable definitions file] for an exhaustive list of variables. 8 | These can be provided as [command line variables] at runtime. 9 | 10 | For example: 11 | ```shell 12 | export TF_VAR_project= 13 | terraform init 14 | terraform plan 15 | terraform apply 16 | ``` 17 | 18 | [variable definitions file]: ./variables.tf 19 | [command line variables]: https://www.terraform.io/language/values/variables#variables-on-the-command-line 20 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/1-fleet/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
15 | */ 16 | 17 | # [START anthosconfig_fleet_variables] 18 | variable "project" { 19 | type = string 20 | description = "GCP project ID" 21 | } 22 | # [END anthosconfig_fleet_variables] 23 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/2-fleet-default-config/README.md: -------------------------------------------------------------------------------- 1 | # Configure Fleet Default Member Config 2 | 3 | The Terraform configurations in this directory configures the fleet default member config for Config Management 4 | 5 | ## Usage 6 | 7 | See the [variable definitions file] for an exhaustive list of variables. 8 | These can be provided as [command line variables] at runtime. 9 | 10 | For example: 11 | ```shell 12 | terraform init 13 | terraform plan 14 | terraform apply 15 | ``` 16 | 17 | [variable definitions file]: ./variables.tf 18 | [command line variables]: https://www.terraform.io/language/values/variables#variables-on-the-command-line 19 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/2-fleet-default-config/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # [START anthosconfig_fleet_default_variables] 18 | variable "project" { 19 | type = string 20 | description = "GCP project ID" 21 | } 22 | # [END anthosconfig_fleet_default_variables] 23 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/3-clusters/README.md: -------------------------------------------------------------------------------- 1 | # Create and register clusters 2 | 3 | The Terraform configurations in this directory creates and registers clusters 4 | 5 | ## Usage 6 | 7 | See the [variable definitions file] for an exhaustive list of variables. 8 | These can be provided as [command line variables] at runtime. 9 | 10 | For example: 11 | ```shell 12 | terraform init 13 | terraform plan 14 | terraform apply 15 | ``` 16 | 17 | [variable definitions file]: ./variables.tf 18 | [command line variables]: https://www.terraform.io/language/values/variables#variables-on-the-command-line 19 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/3-clusters/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # [START anthosconfig_cluster_variables] 18 | variable "project" { 19 | type = string 20 | description = "GCP project ID" 21 | } 22 | # [END anthosconfig_cluster_variables] 23 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/4-scopes-and-namespaces/README.md: -------------------------------------------------------------------------------- 1 | # Configure fleet scopes and namespaces 2 | 3 | The Terraform configurations in this directory sets up fleet scopes and namespaces. 4 | 5 | ## Usage 6 | 7 | See the [variable definitions file] for an exhaustive list of variables. 8 | These can be provided as [command line variables] at runtime. 9 | 10 | For example: 11 | ```shell 12 | terraform init 13 | terraform plan 14 | terraform apply 15 | ``` 16 | 17 | [variable definitions file]: ./variables.tf 18 | [command line variables]: https://www.terraform.io/language/values/variables#variables-on-the-command-line 19 | -------------------------------------------------------------------------------- /fleet-tenancy/terraform/4-scopes-and-namespaces/variables.tf: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright 2024 Google LLC 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | # [START anthosconfig_scope_variables] 18 | variable "project" { 19 | type = string 20 | description = "GCP project ID" 21 | } 22 | 23 | # [END anthosconfig_scope_variables] 24 | -------------------------------------------------------------------------------- /foo-corp/README.md: -------------------------------------------------------------------------------- 1 | # Anthos Configuration Management Directory 2 | 3 | This is the root directory for Anthos Configuration Management. 4 | 5 | See [the Hierarchical Repo documentation](https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo) for how to use each subdirectory. 6 | -------------------------------------------------------------------------------- /foo-corp/cluster/namespace-reader-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_namespace_reader_cluster_role] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-reader 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["namespaces"] 22 | verbs: ["get", "watch", "list"] 23 | # [END anthosconfig_foo_corp_namespace_reader_cluster_role] 24 | -------------------------------------------------------------------------------- /foo-corp/cluster/namespace-reader-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_namespace_readers_cluster_role_binding] 15 | kind: ClusterRoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-readers 19 | subjects: 20 | - kind: User 21 | name: cheryl@foo-corp.com 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: namespace-reader 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_foo_corp_namespace_readers_cluster_role_binding] 28 | -------------------------------------------------------------------------------- /foo-corp/cluster/pod-creator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_pod_creator_cluster_role] 15 | kind: ClusterRole # Defines permissions only; nothing is granted until a RoleBinding or ClusterRoleBinding references this role 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: pod-creator 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["pods"] 22 | verbs: 23 | - "*" # Wildcard: every verb on pods (create, delete, patch, ...), not only create; list the verbs explicitly if the role should match its name. Pod creation also lets the subject run workloads under any ServiceAccount in the bound namespace 24 | # [END anthosconfig_foo_corp_pod_creator_cluster_role] 25 | -------------------------------------------------------------------------------- /foo-corp/namespaces/audit/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_audit_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: audit 19 | # [END anthosconfig_foo_corp_audit_namespace] 20 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/pod-creator-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_app_backend_role_binding] 15 | kind: RoleBinding # Namespaced binding: the referenced ClusterRole's rules apply only inside the namespace where this binding is created, not cluster-wide 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: pod-creators 19 | subjects: 20 | - kind: User 21 | name: bob@foo-corp.com 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: pod-creator # Defined in foo-corp/cluster/pod-creator-clusterrole.yaml, which grants all verbs on pods 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_foo_corp_shipping_app_backend_role_binding] 28 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
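14 | # [START anthosconfig_foo_corp_shipping_app_backend_quota] 15 | kind: ResourceQuota 16 | apiVersion: v1 17 | metadata: 18 | name: backend-quota 19 | spec: 20 | hard: 21 | pods: "3" 22 | cpu: "1" # In a ResourceQuota, "cpu" and "memory" cap the sum of container requests (same as requests.cpu / requests.memory), not limits 23 | memory: 1Gi 24 | # [END anthosconfig_foo_corp_shipping_app_backend_quota] 25 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-dev/job-creator-role.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_dev_job_creator_role] 15 | kind: Role # Namespaced Role: permissions on Job objects for the subjects of a RoleBinding in the same namespace 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: job-creator 19 | rules: 20 | - apiGroups: ["batch"] # Group name only, no version: the previous value "batch/v1" is not an API group, so the rule matched nothing and the role granted no access 21 | resources: ["jobs"] 22 | verbs: 23 | - "*" # Every verb on Jobs (create, delete, patch, ...); list explicit verbs if the role should only create. A Job runs pods, so this also lets the subject start workloads in the namespace 24 | # [END anthosconfig_foo_corp_shipping_dev_job_creator_role] 25 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-dev/job-creator-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 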
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_dev_job_creators_role_binding] 15 | kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: job-creators 19 | subjects: 20 | - kind: User 21 | name: sam@foo-corp.com 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: Role 25 | name: job-creator 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_foo_corp_shipping_dev_job_creators_role_binding] 28 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-dev/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_shipping_dev_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-dev 19 | # [END anthosconfig_foo_corp_shipping_dev_namespace] 20 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-prod/fulfillmentcenter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_prod_fulfillment_center] 15 | kind: FulfillmentCenter 16 | apiVersion: foo-corp.com/v1 17 | metadata: 18 | name: production 19 | spec: 20 | address: "100 Industry St." 21 | # [END anthosconfig_foo_corp_shipping_prod_fulfillment_center] 22 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-prod/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_prod_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-prod 19 | labels: 20 | env: prod 21 | annotations: 22 | audit: "true" 23 | # [END anthosconfig_foo_corp_shipping_prod_namespace] 24 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-staging/fulfillmentcenter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_staging_fulfillment_center] 15 | kind: FulfillmentCenter 16 | apiVersion: foo-corp.com/v1 17 | metadata: 18 | name: staging 19 | spec: 20 | address: "100 Main St." 
21 | # [END anthosconfig_foo_corp_shipping_staging_fulfillment_center] 22 | -------------------------------------------------------------------------------- /foo-corp/namespaces/online/shipping-app-backend/shipping-staging/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_shipping_staging_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: shipping-staging 19 | # [END anthosconfig_foo_corp_shipping_staging_namespace] 20 | -------------------------------------------------------------------------------- /foo-corp/namespaces/sre-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_sre_role_binding] 15 | kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: sre-admin 19 | annotations: 20 | configmanagement.gke.io/namespace-selector: sre-supported # Applied only in namespaces matched by the NamespaceSelector "sre-supported" (sre-supported-selector.yaml selects the label env: prod) 21 | subjects: 22 | - kind: Group 23 | name: sre@foo-corp.com # Access follows membership of this group; group membership is managed outside this repo 24 | apiGroup: rbac.authorization.k8s.io 25 | roleRef: 26 | kind: ClusterRole 27 | name: admin # Built-in "admin" role, scoped per namespace by this RoleBinding: read/write on most namespaced resources, including Secrets and the ability to create Roles and RoleBindings there 28 | apiGroup: rbac.authorization.k8s.io 29 | # [END anthosconfig_foo_corp_sre_role_binding] 30 | -------------------------------------------------------------------------------- /foo-corp/namespaces/sre-supported-selector.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_foo_corp_sre_supported_selector] 15 | kind: NamespaceSelector 16 | apiVersion: configmanagement.gke.io/v1 17 | metadata: 18 | name: sre-supported 19 | spec: 20 | selector: 21 | matchLabels: 22 | env: prod # Any namespace carrying this label is selected, so the label decides where selector-scoped resources such as the sre-admin RoleBinding land; treat changes to namespace labels as access changes 23 | # [END anthosconfig_foo_corp_sre_supported_selector] 24 | -------------------------------------------------------------------------------- /foo-corp/namespaces/viewers-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_viewers_role_binding] 15 | kind: RoleBinding # NOTE(review): this file sits directly under namespaces/; in a hierarchical repo that presumably makes the binding inherited by every namespace below it - confirm 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: viewers 19 | subjects: 20 | - kind: Group 21 | name: system:serviceaccounts:audit # Every ServiceAccount in the "audit" namespace, not one specific account 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: view # Built-in read-only role; it does not allow reading Secrets 26 | apiGroup: rbac.authorization.k8s.io 27 | # [END anthosconfig_foo_corp_viewers_role_binding] 28 | -------------------------------------------------------------------------------- /foo-corp/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 
4 | -------------------------------------------------------------------------------- /foo-corp/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_foo_corp_repo] 15 | apiVersion: configmanagement.gke.io/v1 16 | kind: Repo 17 | metadata: 18 | name: repo 19 | spec: 20 | version: 1.0.0 21 | # [END anthosconfig_foo_corp_repo] 22 | -------------------------------------------------------------------------------- /hello-namespace/config-root/README.md: -------------------------------------------------------------------------------- 1 | # Anthos Configuration Management Directory 2 | 3 | This is the root directory for Anthos Configuration Management. 4 | 5 | See [our documentation](https://cloud.google.com/anthos-config-management/docs/repo) for how to use each subdirectory. 6 | -------------------------------------------------------------------------------- /hello-namespace/config-root/cluster/README.md: -------------------------------------------------------------------------------- 1 | # Cluster 2 | 3 | This directory contains configs that apply to entire clusters. 
[Read more about the cluster directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#clusters) 4 | -------------------------------------------------------------------------------- /hello-namespace/config-root/clusterregistry/README.md: -------------------------------------------------------------------------------- 1 | # Clusterregistry 2 | 3 | This directory contains `ClusterSelectors` and `Cluster` configs. [Read more about the clusterregistry directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#clusterregistry) 4 | -------------------------------------------------------------------------------- /hello-namespace/config-root/namespaces/README.md: -------------------------------------------------------------------------------- 1 | # Namespaces 2 | 3 | This directory contains `Namespaces` and namespace-scoped objects. [Read more about the namespaces directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#namespaces) 4 | -------------------------------------------------------------------------------- /hello-namespace/config-root/namespaces/hello/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # creates namespace named "hello" 15 | # [START anthosconfig_hello_namespace_namespace] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: hello 20 | # [END anthosconfig_hello_namespace_namespace] 21 | -------------------------------------------------------------------------------- /hello-namespace/config-root/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 4 | -------------------------------------------------------------------------------- /hello-namespace/config-root/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_hello_namespace_repo] 15 | apiVersion: configmanagement.gke.io/v1 16 | kind: Repo 17 | metadata: 18 | name: repo 19 | spec: 20 | version: 1.0.0 21 | # [END anthosconfig_hello_namespace_repo] 22 | -------------------------------------------------------------------------------- /helm-component/README.md: -------------------------------------------------------------------------------- 1 | This example provides two different ways of rendering and syncing your configurations 2 | - [manual rendering](manual-rendering/README.md): 3 | this option requires you to render the configurations using the Helm CLI manually, 4 | and check in the rendered configurations to your Git repository. 5 | Config Sync will sync from the rendered output directly. 6 | - [automated rendering](automated-rendering/README.md): 7 | Config Sync supports rendering Kustomize configurations and Helm Charts in version 1.9.0 or later. 8 | You can check in the Kustomize configurations and Helm charts to your Git repository, 9 | and Config Sync will render and sync them to your clusters. -------------------------------------------------------------------------------- /helm-component/automated-rendering/README.md: -------------------------------------------------------------------------------- 1 | See https://cloud.google.com/anthos-config-management/docs/tutorials/config-sync-helm to get started with automated rendering in Config Sync. -------------------------------------------------------------------------------- /helm-component/automated-rendering/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | helmCharts: 15 | - name: cert-manager 16 | repo: https://charts.jetstack.io 17 | version: v1.17.2 18 | releaseName: my-cert-manager 19 | namespace: cert-manager 20 | -------------------------------------------------------------------------------- /helm-component/automated-rendering/ignore-deployment-mutation-patch.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_automated_rendering_ignore_deployment_mutation_patch_deployment_any] 16 | apiVersion: apps/v1 17 | kind: Deployment 18 | metadata: 19 | name: any 20 | annotations: 21 | client.lifecycle.config.k8s.io/mutation: ignore 22 | # [END anthosconfig_automated_rendering_ignore_deployment_mutation_patch_deployment_any] -------------------------------------------------------------------------------- /helm-component/automated-rendering/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_helm_component_automated_rendering_kustomization_yaml] 16 | resources: 17 | - base 18 | 19 | patches: 20 | - path: ignore-deployment-mutation-patch.yaml 21 | target: 22 | kind: Deployment 23 | # [END anthosconfig_helm_component_automated_rendering_kustomization_yaml] -------------------------------------------------------------------------------- /helm-component/manual-rendering/cert-manager: -------------------------------------------------------------------------------- 1 | ../../third_party/cert-manager/ -------------------------------------------------------------------------------- /helm-component/manual-rendering/manifests/README.md: -------------------------------------------------------------------------------- 1 | This is the root of unstructured repo, including 2 | - the namespace where to deploy the cert-manager chart 3 | - the rendered manifests 4 | -------------------------------------------------------------------------------- /helm-component/manual-rendering/manifests/namespace-cert-manager.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_helm_component_manifests_cert_manager_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: cert-manager 19 | # [END anthosconfig_helm_component_manifests_cert_manager_namespace] 20 | -------------------------------------------------------------------------------- /hierarchical-format/config/cluster/clusterrole-namespace-reader.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_cluster_role_namespace_reader] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-reader 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["namespaces"] 22 | verbs: ["get", "watch", "list"] 23 | # [END anthosconfig_hierarchical_format_config_cluster_role_namespace_reader] 24 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/limit-range.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # LimitRange Reference: https://kubernetes.io/docs/concepts/policy/limit-range/ 15 | # [START anthosconfig_hierarchical_format_config_namespaces_limit_range] 16 | apiVersion: v1 17 | kind: LimitRange 18 | metadata: 19 | name: limits 20 | spec: 21 | limits: 22 | - max: 23 | cpu: "300m" 24 | memory: 1Gi 25 | type: Container 26 | - type: PersistentVolumeClaim 27 | max: 28 | storage: 2Gi 29 | # [END anthosconfig_hierarchical_format_config_namespaces_limit_range] 30 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-1/crontab.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_1_crontab] 15 | apiVersion: "stable.example.com/v1" 16 | kind: CronTab 17 | metadata: 18 | name: my-new-cron-object 19 | spec: 20 | cronSpec: "* * * * */5" 21 | image: my-awesome-cron-image 22 | # [END anthosconfig_hierarchical_format_config_namespaces_team_1_crontab] 23 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-1/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_1_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: team-1 19 | # [END anthosconfig_hierarchical_format_config_namespaces_team_1_namespace] 20 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-1/network-policy-default-deny-egress.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_1_network_policy] 15 | apiVersion: networking.k8s.io/v1 16 | kind: NetworkPolicy # has an effect only where the cluster's network plugin enforces NetworkPolicy 17 | metadata: 18 | name: default-deny-egress 19 | namespace: team-1 20 | spec: 21 | podSelector: {} # empty selector: matches every pod in the team-1 namespace 22 | policyTypes: 23 | - Egress # no egress rules are defined, so all outbound traffic from the selected pods is denied (DNS lookups included); inbound traffic is not restricted by this policy 24 | # [END anthosconfig_hierarchical_format_config_namespaces_team_1_network_policy] 25 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-1/resource-quota-pvc.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_1_resource_quota] 15 | # ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/ 16 | kind: ResourceQuota 17 | apiVersion: v1 18 | metadata: 19 | name: pvc 20 | spec: 21 | hard: 22 | persistentvolumeclaims: "3" 23 | # [END anthosconfig_hierarchical_format_config_namespaces_team_1_resource_quota] 24 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-1/sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_1_service_account] 15 | apiVersion: v1 16 | kind: ServiceAccount 17 | metadata: 18 | name: sa 19 | # [END anthosconfig_hierarchical_format_config_namespaces_team_1_service_account] 20 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-2/crontab.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_2_crontab] 15 | apiVersion: "stable.example.com/v1" 16 | kind: CronTab 17 | metadata: 18 | name: my-new-cron-object 19 | spec: 20 | cronSpec: "* * * * */5" 21 | image: my-awesome-cron-image 22 | # [END anthosconfig_hierarchical_format_config_namespaces_team_2_crontab] 23 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-2/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_2_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: team-2 19 | # [END anthosconfig_hierarchical_format_config_namespaces_team_2_namespace] 20 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-2/network-policy-default-deny-all.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_2_network_policy] 15 | apiVersion: networking.k8s.io/v1 16 | kind: NetworkPolicy # has an effect only where the cluster's network plugin enforces NetworkPolicy 17 | metadata: 18 | name: default-deny-all 19 | namespace: team-2 20 | spec: 21 | podSelector: {} # empty selector: matches every pod in the team-2 namespace 22 | policyTypes: 23 | - Ingress 24 | - Egress # no ingress or egress rules are defined, so all traffic to and from the selected pods is denied (DNS lookups included) until another policy allows it 25 | # [END anthosconfig_hierarchical_format_config_namespaces_team_2_network_policy] 26 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-2/resource-quota-pvc.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_2_resource_quota] 15 | # ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/ 16 | kind: ResourceQuota 17 | apiVersion: v1 18 | metadata: 19 | name: pvc 20 | spec: 21 | hard: 22 | persistentvolumeclaims: "6" 23 | # [END anthosconfig_hierarchical_format_config_namespaces_team_2_resource_quota] 24 | -------------------------------------------------------------------------------- /hierarchical-format/config/namespaces/team-2/sa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_hierarchical_format_config_namespaces_team_2_service_account] 15 | apiVersion: v1 16 | kind: ServiceAccount 17 | metadata: 18 | name: sa 19 | # [END anthosconfig_hierarchical_format_config_namespaces_team_2_service_account] 20 | -------------------------------------------------------------------------------- /hierarchical-format/config/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # For the mono-repo mode, declaring a Repo resource under system/ directory is required. 15 | # For the multi-repo mode, declaring a Repo resource under system/ directory is optional. 16 | # [START anthosconfig_hierarchical_format_config_repo] 17 | apiVersion: configmanagement.gke.io/v1 18 | kind: Repo 19 | metadata: 20 | name: repo 21 | spec: 22 | version: 1.0.0 23 | # [END anthosconfig_hierarchical_format_config_repo] 24 | -------------------------------------------------------------------------------- /kustomize-pipeline/README.md: -------------------------------------------------------------------------------- 1 | # Rendering Configs using Kustomize 2 | 3 | This example demonstrates how to use Kustomize and Cloud Build to prepare configs for deployment with Config Sync. 4 | 5 | The process for using this example is explained in the associated tutorial. 
6 | 7 | 8 | -------------------------------------------------------------------------------- /kustomize-pipeline/deploy-config/README.md: -------------------------------------------------------------------------------- 1 | # Deploy Config 2 | 3 | This directory contains configuration which will be connected to Config Sync. 4 | 5 | Last sync: `XXXXXXX` 6 | -------------------------------------------------------------------------------- /kustomize-pipeline/source-config/bases/roles/clusterrole-namespace-reader.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_kustomize_pipeline_cluster_role_namespace_reader] 15 | kind: ClusterRole 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: namespace-reader 19 | rules: 20 | - apiGroups: [""] 21 | resources: ["namespaces"] 22 | verbs: ["get", "watch", "list"] 23 | # [END anthosconfig_kustomize_pipeline_cluster_role_namespace_reader] 24 | -------------------------------------------------------------------------------- /kustomize-pipeline/source-config/bases/roles/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_kustomize_pipeline_bases_roles_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - clusterrole-namespace-reader.yaml 19 | # [END anthosconfig_kustomize_pipeline_bases_roles_kustomization] 20 | -------------------------------------------------------------------------------- /kustomize-pipeline/source-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_kustomize_pipeline_bases_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | bases: 18 | - bases/roles/ 19 | namePrefix: sample- 20 | # [END anthosconfig_kustomize_pipeline_bases_kustomization] 21 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/README.md: -------------------------------------------------------------------------------- 1 | # Anthos Configuration Management Directory 2 | 3 | This is the root directory for Anthos Configuration Management. 4 | 5 | See [our documentation](https://cloud.google.com/anthos-config-management/docs/repo) for how to use each subdirectory. 6 | 7 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/cluster/README.md: -------------------------------------------------------------------------------- 1 | # Cluster 2 | 3 | This directory contains configs that apply to entire clusters. [Read more about the cluster directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#clusters) 4 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/README.md: -------------------------------------------------------------------------------- 1 | # Clusterregistry 2 | 3 | This directory contains configs `ClusterSelectors` and `Cluster` configs. 
[Read more about the clusterregistry directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#clusterregistry) 4 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/cluster.belgium-2.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_locality_specific_policy_cluster_belgium_2] 15 | # applies location and environment labels to cluster 16 | kind: Cluster 17 | apiVersion: clusterregistry.k8s.io/v1alpha1 18 | metadata: 19 | name: belgium-2 20 | labels: 21 | environment: dev 22 | location: belgium 23 | # [END anthosconfig_locality_specific_policy_cluster_belgium_2] 24 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/cluster.belgium.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_locality_specific_policy_cluster_belgium] 15 | # applies location and environment labels to cluster 16 | kind: Cluster 17 | apiVersion: clusterregistry.k8s.io/v1alpha1 18 | metadata: 19 | name: belgium 20 | labels: 21 | environment: prod 22 | location: belgium 23 | # [END anthosconfig_locality_specific_policy_cluster_belgium] 24 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/cluster.iowa.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_locality_specific_policy_cluster_iowa] 15 | # applies location and environment labels to cluster 16 | kind: Cluster 17 | apiVersion: clusterregistry.k8s.io/v1alpha1 18 | metadata: 19 | name: iowa 20 | labels: 21 | environment: prod 22 | location: usa 23 | # [END anthosconfig_locality_specific_policy_cluster_iowa] 24 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/cluster.taiwan.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_locality_specific_policy_cluster_taiwan] 15 | # applies location and environment labels to cluster 16 | kind: Cluster 17 | apiVersion: clusterregistry.k8s.io/v1alpha1 18 | metadata: 19 | name: taiwan 20 | labels: 21 | environment: prod 22 | location: taiwan 23 | # [END anthosconfig_locality_specific_policy_cluster_taiwan] 24 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/clusterselector.select-env-prod.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_locality_specific_policy_cluster_selector_env_prod] 15 | # selects clusters with prod environment label 16 | kind: ClusterSelector 17 | apiVersion: configmanagement.gke.io/v1 18 | metadata: 19 | name: select-env-prod 20 | spec: 21 | selector: 22 | matchLabels: 23 | environment: prod 24 | # [END anthosconfig_locality_specific_policy_cluster_selector_env_prod] 25 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/clusterregistry/clusterselector.select-location-belgium.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_locality_specific_policy_cluster_selector_location_belgium] 15 | # selects clusters with belgium location label 16 | kind: ClusterSelector 17 | apiVersion: configmanagement.gke.io/v1 18 | metadata: 19 | name: select-location-belgium 20 | spec: 21 | selector: 22 | matchLabels: 23 | location: belgium 24 | # [END anthosconfig_locality_specific_policy_cluster_selector_location_belgium] 25 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/namespaces/README.md: -------------------------------------------------------------------------------- 1 | # Namespaces 2 | 3 | This directory contains configs for `Namespaces` and Namespace-scoped objects. [Read more about the namespaces directory here.](https://cloud.google.com/anthos-config-management/docs/how-to/repo#namespaces) 4 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 4 | -------------------------------------------------------------------------------- /locality-specific-policy/config-root/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_locality_specific_policy_repo] 15 | apiVersion: configmanagement.gke.io/v1 16 | kind: Repo 17 | metadata: 18 | name: repo 19 | spec: 20 | version: 1.0.0 21 | # [END anthosconfig_locality_specific_policy_repo] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/docs/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/multi-cluster-access-and-quota/docs/architecture.png -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/all-namespaces/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_all_namespaces_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - resource-quota.yaml 19 | commonLabels: 20 | owner: platform-team 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_all_namespaces_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/all-namespaces/resource-quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_all_namespaces_resource_quota]
15 | apiVersion: v1
16 | kind: ResourceQuota  # caps aggregate consumption in the namespace this object lands in
17 | metadata:
18 |   name: hard-limit  # no namespace is set in this file; presumably supplied by the kustomize build that includes it (confirm)
19 | spec:
20 |   hard:
21 |     cpu: "100"  # equivalent to requests.cpu: sum of CPU requests, not limits
22 |     memory: 10Gi  # equivalent to requests.memory: sum of memory requests, not limits
23 |     pods: "10"  # count of non-terminal pods; NOTE(review): add limits.cpu / limits.memory (with a LimitRange for defaults) if a tenant's burst usage must be bounded as well
24 | # [END anthosconfig_multi_cluster_access_and_quota_src_all_namespaces_resource_quota]
25 |
-------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/kustomization.yaml: --------------------------------------------------------------------------------
1 | # Copyright 2021 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_kustomization]
15 | apiVersion: kustomize.config.k8s.io/v1beta1
16 | kind: Kustomization
17 | resources:
18 | - namespaces.yaml
19 | commonLabels:  # applied by kustomize to every resource this file pulls in, and to their selectors
20 |   owner: platform-team
21 | # [END anthosconfig_multi_cluster_access_and_quota_src_kustomization]
22 |
-------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/namespaces/tenant-a/kustomization.yaml: --------------------------------------------------------------------------------
1 | # Copyright 2021 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_access_and_quota_src_tenant_a_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - rbac.yaml 19 | commonLabels: 20 | owner: platform-team 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_tenant_a_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/namespaces/tenant-b/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_tenant_b_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - rbac.yaml 19 | commonLabels: 20 | owner: platform-team 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_tenant_b_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/all-clusters/namespaces/tenant-c/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_tenant_c_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - rbac.yaml 19 | commonLabels: 20 | owner: platform-team 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_tenant_c_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/clusters/cluster-east/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_cluster_east_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - ../../all-clusters/ 19 | commonLabels: 20 | cluster: cluster-east 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_cluster_east_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/clusters/cluster-east/namespaces/tenant-a/resource-quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_cluster_east_tenant_a_resource_quota] 15 | apiVersion: v1 16 | kind: ResourceQuota 17 | metadata: 18 | name: hard-limit 19 | spec: 20 | hard: 21 | cpu: "1000" 22 | memory: 100Gi 23 | pods: "100" 24 | # [END anthosconfig_multi_cluster_access_and_quota_src_cluster_east_tenant_a_resource_quota] 25 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync-src/clusters/cluster-west/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_src_cluster_west_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - ../../all-clusters/ 19 | commonLabels: 20 | cluster: cluster-west 21 | # [END anthosconfig_multi_cluster_access_and_quota_src_cluster_west_kustomization] 22 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-east/v1_namespace_tenant-a.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_a_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-east 20 | owner: platform-team 21 | name: tenant-a 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_a_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-east/v1_namespace_tenant-b.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_b_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-east 20 | owner: platform-team 21 | name: tenant-b 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_b_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-east/v1_namespace_tenant-c.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_c_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-east 20 | owner: platform-team 21 | name: tenant-c 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_east_tenant_c_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-west/v1_namespace_tenant-a.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_a_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-west 20 | owner: platform-team 21 | name: tenant-a 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_a_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-west/v1_namespace_tenant-b.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_b_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-west 20 | owner: platform-team 21 | name: tenant-b 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_b_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-access-and-quota/repos/platform/configsync/clusters/cluster-west/v1_namespace_tenant-c.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_c_namespace] 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | labels: 19 | cluster: cluster-west 20 | owner: platform-team 21 | name: tenant-c 22 | # [END anthosconfig_multi_cluster_access_and_quota_cluster_west_tenant_c_namespace] 23 | -------------------------------------------------------------------------------- /multi-cluster-fan-out/docs/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/multi-cluster-fan-out/docs/architecture.png -------------------------------------------------------------------------------- /multi-cluster-fan-out/repos/platform/configsync/all-clusters/namespaces/tenant-a/quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_fanout_tenant_a_resource_quota] 15 | apiVersion: v1 16 | kind: ResourceQuota 17 | metadata: 18 | labels: 19 | owner: platform-team 20 | name: hard-limit 21 | namespace: tenant-a 22 | spec: 23 | hard: 24 | cpu: "1000" 25 | memory: 100Gi 26 | pods: "100" 27 | # [END anthosconfig_multi_cluster_fanout_tenant_a_resource_quota] 28 | -------------------------------------------------------------------------------- /multi-cluster-fan-out/repos/platform/configsync/all-clusters/namespaces/tenant-b/quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_fanout_tenant_b_resource_quota] 16 | apiVersion: v1 17 | kind: ResourceQuota 18 | metadata: 19 | labels: 20 | owner: platform-team 21 | name: hard-limit 22 | namespace: tenant-b 23 | spec: 24 | hard: 25 | cpu: "100" 26 | memory: 10Gi 27 | pods: "10" 28 | # [END anthosconfig_multi_cluster_fanout_tenant_b_resource_quota] 29 | -------------------------------------------------------------------------------- /multi-cluster-fan-out/repos/platform/configsync/all-clusters/namespaces/tenant-c/quota.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_fanout_tenant_c_resource_quota] 16 | apiVersion: v1 17 | kind: ResourceQuota 18 | metadata: 19 | labels: 20 | owner: platform-team 21 | name: hard-limit 22 | namespace: tenant-c 23 | spec: 24 | hard: 25 | cpu: "100" 26 | memory: 10Gi 27 | pods: "10" 28 | # [END anthosconfig_multi_cluster_fanout_tenant_c_resource_quota] 29 | -------------------------------------------------------------------------------- /multi-cluster-ingress/docs/architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-config-management-samples/bcef7278e0268e5da3105d5a5b5c0735564bd967/multi-cluster-ingress/docs/architecture.png -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync-src/all-clusters/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_all_clusters_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - gke-networking-rbac.yaml 20 | - namespaces.yaml 21 | # [END anthosconfig_multi_cluster_ingress_platform_all_clusters_kustomization] -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync-src/all-clusters/namespaces.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_all_clusters_namespace_zoneprinter] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: zoneprinter 20 | # [END anthosconfig_multi_cluster_ingress_platform_all_clusters_namespace_zoneprinter] 21 | -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync-src/clusters/cluster-east/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_cluster_east_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../../all-clusters/ 20 | commonLabels: 21 | cluster: cluster-east 22 | owner: platform-team 23 | # [END anthosconfig_multi_cluster_ingress_platform_cluster_east_kustomization] 24 | -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync-src/clusters/cluster-west/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_cluster_west_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - ../../all-clusters/ 20 | commonLabels: 21 | cluster: cluster-west 22 | owner: platform-team 23 | # [END anthosconfig_multi_cluster_ingress_platform_cluster_west_kustomization] 24 | -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync/clusters/cluster-east/v1_namespace_zoneprinter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_cluster_east_namespace_zoneprinter] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | labels: 20 | cluster: cluster-east 21 | owner: platform-team 22 | name: zoneprinter 23 | # [END anthosconfig_multi_cluster_ingress_platform_cluster_east_namespace_zoneprinter] 24 | -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/platform/configsync/clusters/cluster-west/v1_namespace_zoneprinter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_cluster_ingress_platform_cluster_west_namespace_zoneprinter] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | labels: 20 | cluster: cluster-west 21 | owner: platform-team 22 | name: zoneprinter 23 | # [END anthosconfig_multi_cluster_ingress_platform_cluster_west_namespace_zoneprinter] 24 | -------------------------------------------------------------------------------- /multi-cluster-ingress/repos/zoneprinter/configsync-src/all-clusters/namespaces/zoneprinter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_multi_cluster_ingress_zoneprinter_src_all_clusters_kustomization] 15 | apiVersion: kustomize.config.k8s.io/v1beta1 16 | kind: Kustomization 17 | resources: 18 | - zoneprinter-deployment.yaml 19 | # [END anthosconfig_multi_cluster_ingress_zoneprinter_src_all_clusters_kustomization] 20 | -------------------------------------------------------------------------------- /multi-environments-kustomize/cloud-build-rendering/cloudbuilder-kustomize/Dockerfile: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START anthosconfig_multi_environments_kustomize_dockerfile]
# Builder image: the Cloud Build kubectl image plus a kustomize v4.0.5 binary
# fetched at build time.
# NOTE(review): `latest` is a mutable tag, so two builds of this file can start
# from different base images. Pin the base by digest for reproducible,
# auditable builds, e.g.
#   gcr.io/cloud-builders/kubectl@sha256:<DIGEST_PLACEHOLDER>
FROM gcr.io/cloud-builders/kubectl:latest
# wget is installed only to fetch the release archive below.
RUN apt-get update && apt-get install -y wget

# NOTE(review): the archive is fetched over HTTPS but its content is never
# compared with a known-good SHA-256. Record the expected hash in this repo
# (<KUSTOMIZE_SHA256_PLACEHOLDER>) and check it with `sha256sum -c` before the
# tar step, so a tampered or truncated download fails the build.
RUN wget https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.0.5/kustomize_v4.0.5_linux_amd64.tar.gz

# Unpacks every member of the archive into /usr/local/bin.
# (presumably the archive holds only the kustomize binary; TODO confirm)
RUN tar xf kustomize_v4.0.5_linux_amd64.tar.gz -C /usr/local/bin
# [END anthosconfig_multi_environments_kustomize_dockerfile]
--------------------------------------------------------------------------------
/multi-environments-kustomize/config-source/README.md:
--------------------------------------------------------------------------------
# ConfigSync - Foo Source

--------------------------------------------------------------------------------
/multi-environments-kustomize/config-source/base/foo/kustomization.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_multi_environments_kustomize_config_source_base_foo_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | resources: 19 | - namespace.yaml 20 | - serviceaccount.yaml 21 | # [END anthosconfig_multi_environments_kustomize_config_source_base_foo_kustomization] 22 | -------------------------------------------------------------------------------- /multi-environments-kustomize/config-source/base/foo/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_multi_environments_kustomize_config_source_base_foo_namespace] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: foo 20 | # [END anthosconfig_multi_environments_kustomize_config_source_base_foo_namespace] 21 | -------------------------------------------------------------------------------- /multi-environments-kustomize/config-source/base/foo/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_multi_environments_kustomize_config_source_base_foo_service_account] 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | metadata: 19 | name: foo-ksa 20 | namespace: foo 21 | # [END anthosconfig_multi_environments_kustomize_config_source_base_foo_service_account] 22 | -------------------------------------------------------------------------------- /multi-environments-kustomize/config-source/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_multi_environments_kustomize_config_source_base_kustomization] 16 | apiVersion: kustomize.config.k8s.io/v1beta1 17 | kind: Kustomization 18 | bases: 19 | - foo/ 20 | resources: 21 | - pod-creator-clusterrole.yaml 22 | - pod-creator-rolebinding.yaml 23 | # [END anthosconfig_multi_environments_kustomize_config_source_base_kustomization] 24 | -------------------------------------------------------------------------------- /multi-environments-kustomize/config-source/base/pod-creator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

# [START anthosconfig_multi_environments_kustomize_config_source_base_cluster_role]
# ClusterRole "pod-creator": one rule covering Pods in the core API group.
# NOTE(review): despite the name, `verbs: "*"` grants every verb on pods
# (delete, deletecollection, patch, update, get, list, watch as well as
# create). If only creation is intended, list the verbs explicitly.
# How far the grant reaches depends on the binding: the base kustomization
# lists pod-creator-rolebinding.yaml, which is not shown here; a RoleBinding
# limits it to one namespace, a ClusterRoleBinding would not. Verify.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-creator
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs:
  - "*"
# [END anthosconfig_multi_environments_kustomize_config_source_base_cluster_role]
--------------------------------------------------------------------------------
/namespace-inheritance/config/cluster/namespace-reader-clusterrole.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | # [START anthosconfig_namespace_inheritance_config_cluster_role_namespace_reader] 16 | kind: ClusterRole 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: namespace-reader 20 | rules: 21 | - apiGroups: [""] 22 | resources: ["namespaces"] 23 | verbs: ["get", "watch", "list"] 24 | # [END anthosconfig_namespace_inheritance_config_cluster_role_namespace_reader] 25 | -------------------------------------------------------------------------------- /namespace-inheritance/config/cluster/rbac-viewer-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_namespace_inheritance_config_cluster_role_rbac_viewer] 16 | kind: ClusterRole 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: rbac-viewer 20 | rules: 21 | - apiGroups: ["rbac.authorization.k8s.io"] 22 | resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] 23 | verbs: ["get", "list"] 24 | # [END anthosconfig_namespace_inheritance_config_cluster_role_rbac_viewer] 25 | -------------------------------------------------------------------------------- /namespace-inheritance/config/namespaces/eng/analytics/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

# [START anthosconfig_namespace_inheritance_config_namespaces_eng_analytics_namespace]
# Namespace "analytics", labelled app=analytics.
apiVersion: v1
kind: Namespace
metadata:
  name: analytics
  labels:
    app: analytics
# [END anthosconfig_namespace_inheritance_config_namespaces_eng_analytics_namespace]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/eng/eng-role.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START anthosconfig_namespace_inheritance_config_namespaces_eng_role]
# Role "eng-viewer": get/list on every resource in the core API group.
# No metadata.namespace is set; presumably the role is applied to the
# namespaces under eng/ by the repo's directory layout. Confirm.
# NOTE(review): `resources: ["*"]` in the core group includes Secrets, so any
# subject bound to this "viewer" role can read Secret values in the namespace.
# Enumerate the resources (pods, services, configmaps, ...) if Secret access
# is not intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eng-viewer
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list"]
# [END anthosconfig_namespace_inheritance_config_namespaces_eng_role]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/eng/eng-roleinding.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START anthosconfig_namespace_inheritance_config_namespaces_eng_role_binding]
# RoleBinding that gives the group eng@example.com the Role "eng-viewer".
# NOTE(review): the binding is named "eng-admin" but the roleRef points at
# eng-viewer, which eng-role.yaml defines with get/list verbs only. The
# mismatch is easy to misread during an access review; name the binding after
# the role it actually grants.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eng-admin
subjects:
- kind: Group
  name: eng@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: eng-viewer
  apiGroup: rbac.authorization.k8s.io
# [END anthosconfig_namespace_inheritance_config_namespaces_eng_role_binding]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/eng/gamestore/inventory-configmap.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | 15 | # [START anthosconfig_namespace_inheritance_config_namespaces_eng_gamestore_configmap_store_inventory] 16 | apiVersion: v1 17 | kind: ConfigMap 18 | metadata: 19 | name: store-inventory 20 | annotations: 21 | marketplace.com/comments: "Too much sci-fi" 22 | data: 23 | action: "30" 24 | documentary: "5" 25 | sci_fi: "1000" 26 | # [END anthosconfig_namespace_inheritance_config_namespaces_eng_gamestore_configmap_store_inventory] 27 | -------------------------------------------------------------------------------- /namespace-inheritance/config/namespaces/eng/gamestore/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_namespace_inheritance_config_namespaces_eng_gamestore_namespace] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: gamestore 20 | labels: 21 | app: gamestore 22 | annotations: 23 | retail: "true" 24 | # [END anthosconfig_namespace_inheritance_config_namespaces_eng_gamestore_namespace] 25 | -------------------------------------------------------------------------------- /namespace-inheritance/config/namespaces/eng/network-policy-allow-gamestore-ingress.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

# [START anthosconfig_namespace_inheritance_config_namespaces_eng_network_policy_allow_gamestore_ingress]
# NetworkPolicy selecting pods labelled app=gamestore.
# NOTE(review): the single ingress rule is empty (`{}`), which matches every
# source and every port. Selected pods therefore accept ingress from any peer,
# including pods in other namespaces, and this rule is additive to any
# default-deny policy on the same pods. Add `from`/`ports` entries if the
# intent is narrower than "allow all ingress".
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-gamestore-ingress
spec:
  podSelector:
    matchLabels:
      app: gamestore
  ingress:
  - {}
# [END anthosconfig_namespace_inheritance_config_namespaces_eng_network_policy_allow_gamestore_ingress]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/network-policy-default-deny-all.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START anthosconfig_namespace_inheritance_config_namespaces_network_policy_default_deny_all_traffic]
# NetworkPolicy with an empty podSelector (selects every pod in the namespace)
# and no ingress rules, so all ingress to those pods is denied.
# NOTE(review): `policyTypes` is omitted and there is no `egress` section, so
# Kubernetes treats this as an Ingress-only policy. Egress from the pods stays
# unrestricted even though the policy is named "default-deny-all-traffic".
# If egress isolation is intended, add `policyTypes: [Ingress, Egress]`, and
# plan the egress allowances (DNS at minimum) that workloads then need.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-traffic
spec:
  podSelector: {}
# [END anthosconfig_namespace_inheritance_config_namespaces_network_policy_default_deny_all_traffic]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/rnd/incubator-1/namespace.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# [START anthosconfig_namespace_inheritance_config_namespaces_rnd_namespace_incubator_1]
# Namespace "incubator-1"; no labels or annotations are set.
apiVersion: v1
kind: Namespace
metadata:
  name: incubator-1
# [END anthosconfig_namespace_inheritance_config_namespaces_rnd_namespace_incubator_1]
--------------------------------------------------------------------------------
/namespace-inheritance/config/namespaces/rnd/incubator-2/namespace.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # [START anthosconfig_namespace_inheritance_config_namespaces_rnd_namespace_incubator_2] 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: incubator-2 20 | # [END anthosconfig_namespace_inheritance_config_namespaces_rnd_namespace_incubator_2] 21 | -------------------------------------------------------------------------------- /namespace-inheritance/config/system/README.md: -------------------------------------------------------------------------------- 1 | # System 2 | 3 | This directory contains system configs such as the repo version and how resources are synced. 4 | -------------------------------------------------------------------------------- /namespace-inheritance/config/system/repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | # [START anthosconfig_namespace_inheritance_repo] 16 | apiVersion: configmanagement.gke.io/v1 17 | kind: Repo 18 | metadata: 19 | name: repo 20 | spec: 21 | version: 1.0.0 22 | # [END anthosconfig_namespace_inheritance_repo] 23 | -------------------------------------------------------------------------------- /namespace-specific-policy/automated-rendering/configsync-src: -------------------------------------------------------------------------------- 1 | ../configsync-src -------------------------------------------------------------------------------- /namespace-specific-policy/automated-rendering/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_namespace_specific_policy_automated_rendering_kustomization] 15 | resources: 16 | - configsync-src/example 17 | # [END anthosconfig_namespace_specific_policy_automated_rendering_kustomization] 18 | -------------------------------------------------------------------------------- /namespace-specific-policy/configsync-src/example/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | # [START anthosconfig_namespace_specific_policy_src_example_base_kustomization] 15 | resources: 16 | - namespace.yaml 17 | - rolebinding.yaml 18 | - role.yaml 19 | - networkpolicy.yaml 20 | # [END anthosconfig_namespace_specific_policy_src_example_base_kustomization] 21 | -------------------------------------------------------------------------------- /namespace-specific-policy/configsync-src/example/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
# [START anthosconfig_namespace_specific_policy_src_example_base_namespace]
# Base Namespace object. The name here is "default"; presumably overlays
# replace it per team (the rendered manifests in manual-rendering/ use
# external-team and team-a). Confirm against the overlay kustomizations.
apiVersion: v1
kind: Namespace
metadata:
  name: default
# [END anthosconfig_namespace_specific_policy_src_example_base_namespace]
--------------------------------------------------------------------------------
/namespace-specific-policy/configsync-src/example/base/role.yaml:
--------------------------------------------------------------------------------
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Role "team-admin": all verbs on Deployments in the "apps" API group.
# NOTE(review): the comment previously here ("deny all ingress traffic to avoid
# Pods from one namespace accidentally sending traffic to Services in other
# namespaces") describes a NetworkPolicy, not this Role; it appears to have
# been copied from networkpolicy.yaml.
# [START anthosconfig_namespace_specific_policy_src_example_base_role]
# Namespaced Role granting every verb on apps/deployments.
# NOTE(review): write access to Deployments lets a holder set the pod template
# (image, service account, volume mounts), which in practice means running
# arbitrary workloads in the namespace. Bind this role only to subjects that
# are meant to have that level of control; the binding lives in
# rolebinding.yaml, which is not shown here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-admin
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["*"]
# [END anthosconfig_namespace_specific_policy_src_example_base_role]
--------------------------------------------------------------------------------
/namespace-specific-policy/configsync-src/external-data.txt:
--------------------------------------------------------------------------------
FOO=Bar
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/external-team_networking.k8s.io_v1_networkpolicy_deny-all.yaml:
--------------------------------------------------------------------------------
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START anthosconfig_namespace_specific_policy_external_team_network_policy]
# NetworkPolicy "deny-all" in namespace external-team.
# NOTE(review): the name overstates the effect. The one ingress rule allows
# traffic from `podSelector: {}`, i.e. from every pod in this same namespace;
# only ingress from other namespaces and from outside the cluster is blocked.
# `matchLabels: null` leaves the top-level selector empty, so the policy
# applies to all pods in external-team. `policyTypes` is not set and there is
# no `egress` section, so egress is not restricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: external-team
spec:
  ingress:
  - from:
    - podSelector: {}
  podSelector:
    matchLabels: null
# [END anthosconfig_namespace_specific_policy_external_team_network_policy]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/external-team_rbac.authorization.k8s.io_v1_role_team-admin.yaml:
--------------------------------------------------------------------------------
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_external_team_role] 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: Role 17 | metadata: 18 | name: team-admin 19 | namespace: external-team 20 | rules: 21 | - apiGroups: 22 | - apps 23 | resources: 24 | - deployments 25 | verbs: 26 | - '*' 27 | # [END anthosconfig_namespace_specific_policy_external_team_role] -------------------------------------------------------------------------------- /namespace-specific-policy/manual-rendering/configsync/my-namespace_v1_configmap_my-configmap-5f4h4hkd89.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # [START anthosconfig_namespace_specific_policy_configmap]
15 | # ConfigMap in my-namespace holding one key, external-data.txt.
16 | # NOTE(review): the -5f4h4hkd89 name suffix looks like a kustomize
17 | # configMapGenerator content hash; confirm against the kustomize source.
18 | # ConfigMaps provide no secrecy, so keep credentials out of them.
19 | apiVersion: v1
20 | data:
21 |   external-data.txt: FOO=Bar
22 | kind: ConfigMap
23 | metadata:
24 |   name: my-configmap-5f4h4hkd89
25 |   namespace: my-namespace
26 | # [END anthosconfig_namespace_specific_policy_configmap]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-a_networking.k8s.io_v1_networkpolicy_deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_a_network_policy]
15 | # Selects every pod in namespace team-a (spec.podSelector has no labels).
16 | # The single ingress rule admits traffic from any pod in the same namespace: a
17 | # podSelector peer without a namespaceSelector is scoped to the policy's own
18 | # namespace. Ingress from other namespaces and from outside the cluster is what
19 | # gets blocked, so despite the name "deny-all" this is namespace isolation.
20 | # policyTypes is omitted and there are no egress rules, so egress is not limited
21 | # by this policy. It has effect only where the cluster's network plugin enforces
22 | # NetworkPolicy.
23 | # Rendered output: manual-rendering/scripts/render.sh writes this directory with
24 | # kustomize build, so lasting changes belong in the kustomize source.
25 | apiVersion: networking.k8s.io/v1
26 | kind: NetworkPolicy
27 | metadata:
28 |   name: deny-all
29 |   namespace: team-a
30 | spec:
31 |   ingress:
32 |   - from:
33 |     - podSelector: {}
34 |   podSelector:
35 |     matchLabels: null
36 | # [END anthosconfig_namespace_specific_policy_team_a_network_policy]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-a_rbac.authorization.k8s.io_v1_role_team-admin.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_a_role]
15 | # Role team-admin in namespace team-a: every verb ('*') on Deployments in the
16 | # apps API group and on nothing else.
17 | # The wildcard includes delete and deletecollection and any verb added later;
18 | # list the verbs explicitly if a narrower set is enough.
19 | # Whoever can create or update a Deployment decides the pod spec, so pair this
20 | # Role with admission policy on what those pods may run.
21 | # The Role grants nothing until a RoleBinding refers to it; none is in this file.
22 | apiVersion: rbac.authorization.k8s.io/v1
23 | kind: Role
24 | metadata:
25 |   name: team-admin
26 |   namespace: team-a
27 | rules:
28 | - apiGroups:
29 |   - apps
30 |   resources:
31 |   - deployments
32 |   verbs:
33 |   - '*'
34 | # [END anthosconfig_namespace_specific_policy_team_a_role]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-b_networking.k8s.io_v1_networkpolicy_deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_b_network_policy]
15 | # Selects every pod in namespace team-b (spec.podSelector has no labels).
16 | # The single ingress rule admits traffic from any pod in the same namespace: a
17 | # podSelector peer without a namespaceSelector is scoped to the policy's own
18 | # namespace. Ingress from other namespaces and from outside the cluster is what
19 | # gets blocked, so despite the name "deny-all" this is namespace isolation.
20 | # policyTypes is omitted and there are no egress rules, so egress is not limited
21 | # by this policy. It has effect only where the cluster's network plugin enforces
22 | # NetworkPolicy.
23 | # Rendered output: manual-rendering/scripts/render.sh writes this directory with
24 | # kustomize build, so lasting changes belong in the kustomize source.
25 | apiVersion: networking.k8s.io/v1
26 | kind: NetworkPolicy
27 | metadata:
28 |   name: deny-all
29 |   namespace: team-b
30 | spec:
31 |   ingress:
32 |   - from:
33 |     - podSelector: {}
34 |   podSelector:
35 |     matchLabels: null
36 | # [END anthosconfig_namespace_specific_policy_team_b_network_policy]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-b_rbac.authorization.k8s.io_v1_role_team-admin.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_b_role]
15 | # Role team-admin in namespace team-b: every verb ('*') on Deployments in the
16 | # apps API group and on nothing else.
17 | # The wildcard includes delete and deletecollection and any verb added later;
18 | # list the verbs explicitly if a narrower set is enough.
19 | # Whoever can create or update a Deployment decides the pod spec, so pair this
20 | # Role with admission policy on what those pods may run.
21 | # The Role grants nothing until a RoleBinding refers to it; none is in this file.
22 | apiVersion: rbac.authorization.k8s.io/v1
23 | kind: Role
24 | metadata:
25 |   name: team-admin
26 |   namespace: team-b
27 | rules:
28 | - apiGroups:
29 |   - apps
30 |   resources:
31 |   - deployments
32 |   verbs:
33 |   - '*'
34 | # [END anthosconfig_namespace_specific_policy_team_b_role]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-c_networking.k8s.io_v1_networkpolicy_deny-all.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_c_network_policy]
15 | # Selects every pod in namespace team-c (spec.podSelector has no labels).
16 | # The single ingress rule admits traffic from any pod in the same namespace: a
17 | # podSelector peer without a namespaceSelector is scoped to the policy's own
18 | # namespace. Ingress from other namespaces and from outside the cluster is what
19 | # gets blocked, so despite the name "deny-all" this is namespace isolation.
20 | # policyTypes is omitted and there are no egress rules, so egress is not limited
21 | # by this policy. It has effect only where the cluster's network plugin enforces
22 | # NetworkPolicy.
23 | # Rendered output: manual-rendering/scripts/render.sh writes this directory with
24 | # kustomize build, so lasting changes belong in the kustomize source.
25 | apiVersion: networking.k8s.io/v1
26 | kind: NetworkPolicy
27 | metadata:
28 |   name: deny-all
29 |   namespace: team-c
30 | spec:
31 |   ingress:
32 |   - from:
33 |     - podSelector: {}
34 |   podSelector:
35 |     matchLabels: null
36 | # [END anthosconfig_namespace_specific_policy_team_c_network_policy]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/team-c_rbac.authorization.k8s.io_v1_role_team-admin.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_c_role]
15 | # Role team-admin in namespace team-c: every verb ('*') on Deployments in the
16 | # apps API group and on nothing else.
17 | # The wildcard includes delete and deletecollection and any verb added later;
18 | # list the verbs explicitly if a narrower set is enough.
19 | # Whoever can create or update a Deployment decides the pod spec, so pair this
20 | # Role with admission policy on what those pods may run.
21 | # The Role grants nothing until a RoleBinding refers to it; none is in this file.
22 | apiVersion: rbac.authorization.k8s.io/v1
23 | kind: Role
24 | metadata:
25 |   name: team-admin
26 |   namespace: team-c
27 | rules:
28 | - apiGroups:
29 |   - apps
30 |   resources:
31 |   - deployments
32 |   verbs:
33 |   - '*'
34 | # [END anthosconfig_namespace_specific_policy_team_c_role]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/v1_namespace_external-team.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_external_team_namespace]
15 | # Namespace external-team. It carries no labels, so this file requests no Pod
16 | # Security admission level for the namespace.
17 | apiVersion: v1
18 | kind: Namespace
19 | metadata:
20 |   name: external-team
21 | # [END anthosconfig_namespace_specific_policy_external_team_namespace]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/v1_namespace_team-a.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_a_namespace]
15 | # Namespace team-a. It carries no labels, so this file requests no Pod Security
16 | # admission level for the namespace.
17 | apiVersion: v1
18 | kind: Namespace
19 | metadata:
20 |   name: team-a
21 | # [END anthosconfig_namespace_specific_policy_team_a_namespace]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/v1_namespace_team-b.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_b_namespace]
15 | # Namespace team-b. It carries no labels, so this file requests no Pod Security
16 | # admission level for the namespace.
17 | apiVersion: v1
18 | kind: Namespace
19 | metadata:
20 |   name: team-b
21 | # [END anthosconfig_namespace_specific_policy_team_b_namespace]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/configsync/v1_namespace_team-c.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_namespace_specific_policy_team_c_namespace]
15 | # Namespace team-c. It carries no labels, so this file requests no Pod Security
16 | # admission level for the namespace.
17 | apiVersion: v1
18 | kind: Namespace
19 | metadata:
20 |   name: team-c
21 | # [END anthosconfig_namespace_specific_policy_team_c_namespace]
--------------------------------------------------------------------------------
/namespace-specific-policy/manual-rendering/scripts/render.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Copyright 2021 Google LLC
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
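7 | # You may obtain a copy of the License at
8 | #
9 | #     http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 |
17 | # [START anthosconfig_scripts_render]
18 | # Render kustomizations
19 | #
20 | # Builds the kustomization in configsync-src/example and writes the result
21 | # into manual-rendering/configsync (kustomize build -o <directory>).
22 | # If kustomization.yaml is missing the script does nothing and still exits 0,
23 | # and nothing here clears the output directory first, so manifests rendered
24 | # earlier can remain after a resource is dropped from the source.
25 |
26 | set -o errexit -o nounset -o pipefail
27 |
28 | REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd -P)"
29 |
30 | cd "${REPO_ROOT}/configsync-src/example"
31 | if [[ -f kustomization.yaml ]]; then
32 |   # LoadRestrictionsNone lets the kustomization read files outside its own
33 |   # directory tree. Run this only on kustomizations you trust: one from an
34 |   # untrusted source could pull other local files into the rendered manifests.
35 |   kustomize build --load-restrictor=LoadRestrictionsNone -o ../../manual-rendering/configsync
36 | fi
37 | # [END anthosconfig_scripts_render]
--------------------------------------------------------------------------------
/pre-sync/oci-image-verification/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright 2024 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | # Build stage
16 | # The tag golang:1.24 is mutable; for reproducible builds pin it by digest,
17 | # e.g. golang:1.24@sha256:<digest-placeholder>.
18 | FROM golang:1.24 AS builder
19 |
20 | # Build in a dedicated directory so the build context is not copied over the
21 | # image's root filesystem.
22 | WORKDIR /workspace
23 | # Copies the whole build context; use a .dockerignore to keep credentials and
24 | # VCS metadata out of the builder layer.
25 | COPY . .
26 |
27 | # Set GOPATH
28 | ENV GOPATH=/go
29 |
30 | # Build the webhook server binary for Linux
31 | # CGO_ENABLED=0 disables cgo so the binary does not depend on a C library,
32 | # which the distroless/static base image does not provide.
33 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o webhook-server main.go
34 |
35 | # Final stage
36 | # distroless/static ships no shell or package manager, and the :nonroot tag
37 | # runs the process as an unprivileged user. This tag is mutable as well; pin it
38 | # by digest where the image is built for production.
39 | FROM gcr.io/distroless/static:nonroot
40 |
41 | WORKDIR /
42 |
43 | # Copy the built binary from the builder stage
44 | COPY --from=builder /workspace/webhook-server /webhook-server
45 |
46 | CMD ["/webhook-server"]
--------------------------------------------------------------------------------
/quickstart/README.md:
--------------------------------------------------------------------------------
1 | # Anthos Config Management Quickstart
2 |
3 | [![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/GoogleCloudPlatform/anthos-config-management-samples&cloudshell_tutorial=README.md&cloudshell_workspace=quickstart/)
4 |
5 | Please follow the [Configure a cluster with Anthos Config Management][quickstart] quickstart to
6 | run the code in this directory.
7 |
8 | [quickstart]: https://cloud.google.com/anthos-config-management/docs/tutorials/create-configure-cluster
--------------------------------------------------------------------------------
/quickstart/config-sync/namespaces/hello.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2021 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.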
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_quickstart_namespaces_hello_namespace]
15 | # Namespace "hello"; it sets no labels or annotations.
16 | apiVersion: v1
17 | kind: Namespace
18 | metadata:
19 |   name: hello
20 | # [END anthosconfig_quickstart_namespaces_hello_namespace]
21 |
--------------------------------------------------------------------------------
/quickstart/config-sync/policies/no-ext-services.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2021 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_quickstart_policies_no_ext_services]
15 | # Gatekeeper constraint of kind K8sNoExternalServices. The constraint template
16 | # that defines this kind is not part of this file.
17 | # NOTE(review): in the Policy Controller template library this kind rejects
18 | # resources that expose workloads outside the cluster (for example a Service
19 | # of type LoadBalancer without the internal load-balancer annotation); confirm
20 | # against the installed template.
21 | # No spec.match is given, so the constraint is not narrowed to particular
22 | # namespaces, and no enforcementAction is set, so Gatekeeper's default (deny)
23 | # applies.
24 | apiVersion: constraints.gatekeeper.sh/v1beta1
25 | kind: K8sNoExternalServices
26 | metadata:
27 |   name: no-internet-services
28 | spec:
29 |   parameters:
30 |     internalCIDRs: []  # empty: no CIDR ranges are declared internal
31 | # [END anthosconfig_quickstart_policies_no_ext_services]
32 |
--------------------------------------------------------------------------------
/quickstart/resources/service.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2021 Google LLC
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | #     http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | # [START anthosconfig_quickstart_resources_service_hello]
15 | # Service "hello" in namespace default, forwarding port 80 to port 8080 on
16 | # pods labelled app=hello.
17 | # type: LoadBalancer asks the cloud provider for a load balancer; with no
18 | # internal load-balancer annotation that is normally an externally reachable
19 | # address, and port 80 here is plain HTTP.
20 | # NOTE(review): this looks like the resource the quickstart's
21 | # no-internet-services constraint is meant to reject; confirm with the tutorial.
22 | apiVersion: v1
23 | kind: Service
24 | metadata:
25 |   name: hello
26 |   namespace: default
27 | spec:
28 |   type: LoadBalancer
29 |   selector:
30 |     app: hello
31 |   ports:
32 |   - name: http
33 |     port: 80
34 |     targetPort: 8080
35 | # [END anthosconfig_quickstart_resources_service_hello]
36 |
--------------------------------------------------------------------------------
/third_party/cert-manager/Chart.yaml:
--------------------------------------------------------------------------------
1 | # Vendored copy of the upstream cert-manager chart, pinned at v1.3.0 (see
2 | # appVersion and version below). Check the upstream release notes and security
3 | # advisories before relying on this version.
4 | apiVersion: v1
5 | appVersion: v1.3.0
6 | description: A Helm chart for cert-manager
7 | home: https://github.com/jetstack/cert-manager
8 | icon: https://raw.githubusercontent.com/jetstack/cert-manager/master/logo/logo.png
9 | keywords:
10 | - cert-manager
11 | - kube-lego
12 | - letsencrypt
13 | - tls
14 | maintainers:
15 | - email: james@jetstack.io
16 |   name: munnerz
17 | name: cert-manager
18 | sources:
19 | - https://github.com/jetstack/cert-manager
20 | version: v1.3.0
21 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | cert-manager has been deployed successfully!
2 |
3 | In order to begin issuing certificates, you will need to set up a ClusterIssuer
4 | or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
5 |
6 | More information on the different types of issuers and how to configure them
7 | can be found in our documentation:
8 |
9 | https://cert-manager.io/docs/configuration/
10 |
11 | For information on how to configure cert-manager to automatically provision
12 | Certificates for Ingress resources, take a look at the `ingress-shim`
13 | documentation:
14 |
15 | https://cert-manager.io/docs/usage/ingress/
16 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/cainjector-psp-clusterrole.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.cainjector.enabled -}}
2 | {{- if .Values.global.podSecurityPolicy.enabled }}
3 | # Grants only the 'use' verb on the single PodSecurityPolicy named in
4 | # resourceNames. PodSecurityPolicy was removed in Kubernetes v1.25, so this
5 | # applies only to older clusters with global.podSecurityPolicy.enabled set.
6 | kind: ClusterRole
7 | apiVersion: rbac.authorization.k8s.io/v1
8 | metadata:
9 |   name: {{ template "cainjector.fullname" . }}-psp
10 |   labels:
11 |     app: {{ include "cainjector.name" . }}
12 |     app.kubernetes.io/name: {{ include "cainjector.name" . }}
13 |     app.kubernetes.io/instance: {{ .Release.Name }}
14 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
15 |     app.kubernetes.io/component: "cainjector"
16 |     helm.sh/chart: {{ include "cainjector.chart" . }}
17 | rules:
18 | - apiGroups: ['policy']
19 |   resources: ['podsecuritypolicies']
20 |   verbs: ['use']
21 |   resourceNames:
22 |   - {{ template "cainjector.fullname" . }}
23 | {{- end }}
24 | {{- end }}
25 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.cainjector.enabled -}}
2 | {{- if .Values.global.podSecurityPolicy.enabled }}
3 | # Binds the cainjector "-psp" ClusterRole to the cainjector ServiceAccount in
4 | # the release namespace.
5 | apiVersion: rbac.authorization.k8s.io/v1
6 | kind: ClusterRoleBinding
7 | metadata:
8 |   name: {{ template "cainjector.fullname" . }}-psp
9 |   labels:
10 |     app: {{ include "cainjector.name" . }}
11 |     app.kubernetes.io/name: {{ include "cainjector.name" . }}
12 |     app.kubernetes.io/instance: {{ .Release.Name }}
13 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
14 |     app.kubernetes.io/component: "cainjector"
15 |     helm.sh/chart: {{ include "cainjector.chart" . }}
16 | roleRef:
17 |   apiGroup: rbac.authorization.k8s.io
18 |   kind: ClusterRole
19 |   name: {{ template "cainjector.fullname" . }}-psp
20 | subjects:
21 |   - kind: ServiceAccount
22 |     name: {{ template "cainjector.serviceAccountName" . }}
23 |     namespace: {{ .Release.Namespace }}
24 | {{- end }}
25 | {{- end }}
26 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/cainjector-serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.cainjector.enabled -}}
2 | {{- if .Values.cainjector.serviceAccount.create -}}
3 | # automountServiceAccountToken is taken from chart values, which are not on
4 | # this page. NOTE(review): confirm the value is set; an empty field falls back
5 | # to the Kubernetes default of mounting the token.
6 | apiVersion: v1
7 | kind: ServiceAccount
8 | automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
9 | metadata:
10 |   name: {{ template "cainjector.serviceAccountName" . }}
11 |   namespace: {{ .Release.Namespace | quote }}
12 |   {{- if .Values.cainjector.serviceAccount.annotations }}
13 |   annotations:
14 | {{ toYaml .Values.cainjector.serviceAccount.annotations | indent 4 }}
15 |   {{- end }}
16 |   labels:
17 |     app: {{ include "cainjector.name" . }}
18 |     app.kubernetes.io/name: {{ include "cainjector.name" . }}
19 |     app.kubernetes.io/instance: {{ .Release.Name }}
20 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
21 |     app.kubernetes.io/component: "cainjector"
22 |     helm.sh/chart: {{ include "cainjector.chart" . }}
23 | {{- if .Values.global.imagePullSecrets }}
24 | imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
25 | {{- end }}
26 | {{- end -}}
27 | {{- end -}}
28 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/psp-clusterrole.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.global.podSecurityPolicy.enabled }}
2 | # Grants only the 'use' verb on the single PodSecurityPolicy named in
3 | # resourceNames. PodSecurityPolicy was removed in Kubernetes v1.25, so this
4 | # applies only to older clusters with global.podSecurityPolicy.enabled set.
5 | kind: ClusterRole
6 | apiVersion: rbac.authorization.k8s.io/v1
7 | metadata:
8 |   name: {{ template "cert-manager.fullname" . }}-psp
9 |   labels:
10 |     app: {{ include "cert-manager.name" . }}
11 |     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
12 |     app.kubernetes.io/instance: {{ .Release.Name }}
13 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
14 |     app.kubernetes.io/component: "controller"
15 |     helm.sh/chart: {{ include "cert-manager.chart" . }}
16 | rules:
17 | - apiGroups: ['policy']
18 |   resources: ['podsecuritypolicies']
19 |   verbs: ['use']
20 |   resourceNames:
21 |   - {{ template "cert-manager.fullname" . }}
22 | {{- end }}
23 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/psp-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.global.podSecurityPolicy.enabled }}
2 | # Binds the controller "-psp" ClusterRole to the cert-manager ServiceAccount in
3 | # the release namespace.
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | kind: ClusterRoleBinding
6 | metadata:
7 |   name: {{ template "cert-manager.fullname" . }}-psp
8 |   labels:
9 |     app: {{ include "cert-manager.name" . }}
10 |     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
11 |     app.kubernetes.io/instance: {{ .Release.Name }}
12 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
13 |     app.kubernetes.io/component: "controller"
14 |     helm.sh/chart: {{ include "cert-manager.chart" . }}
15 | roleRef:
16 |   apiGroup: rbac.authorization.k8s.io
17 |   kind: ClusterRole
18 |   name: {{ template "cert-manager.fullname" . }}-psp
19 | subjects:
20 |   - kind: ServiceAccount
21 |     name: {{ template "cert-manager.serviceAccountName" . }}
22 |     namespace: {{ .Release.Namespace }}
23 | {{- end }}
24 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/service.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.prometheus.enabled }}
2 | # ClusterIP Service on port 9402 for the controller pods, rendered only when
3 | # prometheus.enabled is set. ClusterIP keeps it reachable inside the cluster only.
4 | apiVersion: v1
5 | kind: Service
6 | metadata:
7 |   name: {{ template "cert-manager.fullname" . }}
8 |   namespace: {{ .Release.Namespace | quote }}
9 |   labels:
10 |     app: {{ include "cert-manager.name" . }}
11 |     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
12 |     app.kubernetes.io/instance: {{ .Release.Name }}
13 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
14 |     app.kubernetes.io/component: "controller"
15 |     helm.sh/chart: {{ include "cert-manager.chart" . }}
16 | spec:
17 |   type: ClusterIP
18 |   ports:
19 |   - protocol: TCP
20 |     port: 9402
21 |     targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
22 |   selector:
23 |     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
24 |     app.kubernetes.io/instance: {{ .Release.Name }}
25 |     app.kubernetes.io/component: "controller"
26 | {{- end }}
27 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.serviceAccount.create -}}
2 | # automountServiceAccountToken is taken from chart values, which are not on
3 | # this page. NOTE(review): confirm the value is set; an empty field falls back
4 | # to the Kubernetes default of mounting the token.
5 | apiVersion: v1
6 | kind: ServiceAccount
7 | {{- if .Values.global.imagePullSecrets }}
8 | imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
9 | {{- end }}
10 | automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
11 | metadata:
12 |   name: {{ template "cert-manager.serviceAccountName" . }}
13 |   namespace: {{ .Release.Namespace | quote }}
14 |   {{- if .Values.serviceAccount.annotations }}
15 |   annotations:
16 | {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
17 |   {{- end }}
18 |   labels:
19 |     app: {{ include "cert-manager.name" . }}
20 |     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
21 |     app.kubernetes.io/instance: {{ .Release.Name }}
22 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
23 |     app.kubernetes.io/component: "controller"
24 |     helm.sh/chart: {{ include "cert-manager.chart" . }}
25 | {{- end }}
26 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/webhook-psp-clusterrole.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.global.podSecurityPolicy.enabled }}
2 | # Grants only the 'use' verb on the single PodSecurityPolicy named in
3 | # resourceNames. PodSecurityPolicy was removed in Kubernetes v1.25, so this
4 | # applies only to older clusters with global.podSecurityPolicy.enabled set.
5 | kind: ClusterRole
6 | apiVersion: rbac.authorization.k8s.io/v1
7 | metadata:
8 |   name: {{ template "webhook.fullname" . }}-psp
9 |   labels:
10 |     app: {{ include "webhook.name" . }}
11 |     app.kubernetes.io/name: {{ include "webhook.name" . }}
12 |     app.kubernetes.io/instance: {{ .Release.Name }}
13 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
14 |     app.kubernetes.io/component: "webhook"
15 |     helm.sh/chart: {{ include "webhook.chart" . }}
16 | rules:
17 | - apiGroups: ['policy']
18 |   resources: ['podsecuritypolicies']
19 |   verbs: ['use']
20 |   resourceNames:
21 |   - {{ template "webhook.fullname" . }}
22 | {{- end }}
23 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/webhook-psp-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.global.podSecurityPolicy.enabled }}
2 | # Binds the webhook "-psp" ClusterRole to the webhook ServiceAccount in the
3 | # release namespace.
4 | apiVersion: rbac.authorization.k8s.io/v1
5 | kind: ClusterRoleBinding
6 | metadata:
7 |   name: {{ template "webhook.fullname" . }}-psp
8 |   labels:
9 |     app: {{ include "webhook.name" . }}
10 |     app.kubernetes.io/name: {{ include "webhook.name" . }}
11 |     app.kubernetes.io/instance: {{ .Release.Name }}
12 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
13 |     app.kubernetes.io/component: "webhook"
14 |     helm.sh/chart: {{ include "webhook.chart" . }}
15 | roleRef:
16 |   apiGroup: rbac.authorization.k8s.io
17 |   kind: ClusterRole
18 |   name: {{ template "webhook.fullname" . }}-psp
19 | subjects:
20 |   - kind: ServiceAccount
21 |     name: {{ template "webhook.serviceAccountName" . }}
22 |     namespace: {{ .Release.Namespace }}
23 | {{- end }}
24 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/webhook-service.yaml:
--------------------------------------------------------------------------------
1 | # ClusterIP Service: port 443 forwards to webhook.securePort on the webhook
2 | # pods. This manifest does not expose the webhook outside the cluster.
3 | apiVersion: v1
4 | kind: Service
5 | metadata:
6 |   name: {{ template "webhook.fullname" . }}
7 |   namespace: {{ .Release.Namespace | quote }}
8 |   labels:
9 |     app: {{ include "webhook.name" . }}
10 |     app.kubernetes.io/name: {{ include "webhook.name" . }}
11 |     app.kubernetes.io/instance: {{ .Release.Name }}
12 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
13 |     app.kubernetes.io/component: "webhook"
14 |     helm.sh/chart: {{ include "webhook.chart" . }}
15 | spec:
16 |   type: ClusterIP
17 |   ports:
18 |   - name: https
19 |     port: 443
20 |     targetPort: {{ .Values.webhook.securePort }}
21 |   selector:
22 |     app.kubernetes.io/name: {{ include "webhook.name" . }}
23 |     app.kubernetes.io/instance: {{ .Release.Name }}
24 |     app.kubernetes.io/component: "webhook"
25 |
--------------------------------------------------------------------------------
/third_party/cert-manager/templates/webhook-serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.webhook.serviceAccount.create -}}
2 | # automountServiceAccountToken is taken from chart values, which are not on
3 | # this page. NOTE(review): confirm the value is set; an empty field falls back
4 | # to the Kubernetes default of mounting the token.
5 | apiVersion: v1
6 | kind: ServiceAccount
7 | automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
8 | metadata:
9 |   name: {{ template "webhook.serviceAccountName" . }}
10 |   namespace: {{ .Release.Namespace | quote }}
11 |   {{- if .Values.webhook.serviceAccount.annotations }}
12 |   annotations:
13 | {{ toYaml .Values.webhook.serviceAccount.annotations | indent 4 }}
14 |   {{- end }}
15 |   labels:
16 |     app: {{ include "webhook.name" . }}
17 |     app.kubernetes.io/name: {{ include "webhook.name" . }}
18 |     app.kubernetes.io/instance: {{ .Release.Name }}
19 |     app.kubernetes.io/managed-by: {{ .Release.Service }}
20 |     app.kubernetes.io/component: "webhook"
21 |     helm.sh/chart: {{ include "webhook.chart" . }}
22 | {{- if .Values.global.imagePullSecrets }}
23 | imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
24 | {{- end -}}
25 | {{- end -}}
26 |
--------------------------------------------------------------------------------