added IPs and endpoints for whereami and inference apps
knee-berts committed Oct 16, 2024
1 parent 2e0f94f commit 063692b
Showing 3 changed files with 27 additions and 6 deletions.
10 changes: 5 additions & 5 deletions cli/pkg/config/config.go
@@ -202,11 +202,11 @@ func ValidateConf(c *Config) error {
if c.VpcConfig.VpcName == "" {
return fmt.Errorf("VPC Name cannot be empty")
}
err := validateVPC(c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
if err != nil {
return err
}
log.Printf("🌐 VPC name %s is valid + does not yet exist in VPC project %s\n", c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
// err := validateVPC(c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)
// if err != nil {
// return err
// }
// log.Printf("🌐 VPC name %s is valid + does not yet exist in VPC project %s\n", c.VpcConfig.VpcName, c.VpcConfig.VpcProjectID)

// Validate each ClusterConfig
for i, cc := range c.ClustersConfig {
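Review bot: As rendered, the new side of this hunk leaves the `validateVPC` call in `ValidateConf` commented out, so the only VPC check that remains is the empty-name test and nothing confirms that the name is valid or that the VPC does not already exist in `c.VpcConfig.VpcProjectID`. Validation that is commented out with no explanation tends to ship that way; if the check is being bypassed for a demo environment, gate it behind an explicit config field rather than disabling it for everyone, or at minimum record the reason with `// TODO: validateVPC temporarily disabled — re-enable before release`. The commit title only mentions IPs and endpoints for the demo apps, so this change may be unintentional. `ValidateConf` starts and continues outside the hunk.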
14 changes: 13 additions & 1 deletion demos/fleets/README.md
@@ -105,8 +105,20 @@ nomos status
## Multi cluster load balancing demo
stuffs

1. **Setup Teams and bind that Whereami team to a cluster that us not the closest to your location.**
1. **Create the Whereami Team and binde the Whereami team to a cluster that is not the closest to your location.**
```bash
# grant source repo access to the whereami frontend and backend KSAs
gcloud iam service-accounts add-iam-policy-binding \
cs-service-account@gke-toolkit-test-nonsharedvpc.iam.gserviceaccount.com \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:gke-toolkit-test-nonsharedvpc.svc.id.goog[config-management-system/ns-reconciler-whereami-frontend-whereami-frontend-17" \
--project=gke-toolkit-test-nonsharedvpc
gcloud iam service-accounts add-iam-policy-binding \
cs-service-account@gke-toolkit-test-nonsharedvpc.iam.gserviceaccount.com \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:gke-toolkit-test-nonsharedvpc.svc.id.goog[config-management-system/ns-reconciler-whereami-frontend-whereami-backend-16" \
--project=gke-toolkit-test-nonsharedvpc

gcloud container fleet scopes create team-whereami --project ${GKE_PROJECT_ID}
gcloud container fleet scopes namespaces create whereami-frontend --scope=team-whereami --project ${GKE_PROJECT_ID}
gcloud container fleet memberships bindings create gke-ap-central-00-team-whereami \
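--- a/terraform/modules/fleet/iam.tf
+++ b/terraform/modules/fleet/iam.tf
@@ -69,4 +69,13 @@ module "prom-service_account-iam-bindings" {
 "serviceAccount:${var.fleet_project}.svc.id.goog[custom-metrics/custom-metrics-stackdriver-adapter]",
 ]
 }
 }
+
+// Create IAM binding granting the ASM Gateway KSA access to the self signed certs stored in secret manager
+resource "google_project_iam_binding" "asm-gw-secret-accessor" {
+role = "roles/secretmanager.secretAccessor"
+project = var.fleet_project
+members = [
+"serviceAccount:${var.fleet_project}.svc.id.goog[asm-gateways/asm-ingress-gateway]",
+]
+}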
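Review bot: `google_project_iam_binding` is authoritative for its role, so the new `asm-gw-secret-accessor` resource makes the ASM gateway identity the only member of `roles/secretmanager.secretAccessor` on `var.fleet_project` and will strip that role from any principal granted it outside this resource. The grant is also project-wide, so the gateway KSA can read every secret in the project, not just the self-signed certs the comment mentions. Prefer a non-authoritative grant scoped to the secret, e.g. `resource "google_secret_manager_secret_iam_member" "asm-gw-secret-accessor"` with `secret_id = <CERT_SECRET_ID>` (placeholder) and `member = "serviceAccount:${var.fleet_project}.svc.id.goog[asm-gateways/asm-ingress-gateway]"`. If project scope is really intended, `google_project_iam_member` at least avoids clobbering other members of the role.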
