update samples for version 0.1.2

apps/bookstore/README.md

@@ -34,12 +34,14 @@ sensible-browser ${address}
 
 ### Prerequisites
 To build and deploy the images, the following binaries must be in your PATH:
+
 - sed
 - make
 - docker
 - kubectl
 - kustomize
 - gcloud
+- jq
 
 To build and run the images for yourself:
 
@@ -50,6 +52,6 @@ make docker-build
 # Push them to Google Container Registry (GCR)
 make docker-push
 
-# Deploy your built images to your GKE cluster
+# Deploy your built images to your Kubernetes cluster
 make deploy
 ```

apps/bookstore/config/image_patch_template.yaml

@@ -21,7 +21,8 @@ spec:
     spec:
       containers:
       - name: booksfe-svc
-        image: gcr.io/[PROJECT_ID]/bookstore/app:[TAG]
+        # hardcoding a6254e8 image tag: last known good configuration
+        image: gcr.io/[PROJECT_ID]/bookstore/app:a6254e8
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment

apps/bookstore/config/kustomize/kustomization.yaml

@@ -24,6 +24,12 @@ resources:
 - ../manifests/pubsub-topic.yaml
 - ../manifests/pubsub-subscription.yaml
 - ../manifests/spanner-instance.yaml
+- ../manifests/pubsub-sa.yaml
+- ../manifests/pubsub-sa-key.yaml
+- ../manifests/pubsub-policy.yaml
+- ../manifests/spanner-sa.yaml
+- ../manifests/spanner-sa-key.yaml
+- ../manifests/spanner-policy.yaml
 
 patches:
 - image_patch.yaml

apps/bookstore/config/manifests/booksfe-deployment.yaml

@@ -27,17 +27,17 @@ spec:
         app: booksfe
     spec:
       volumes:
-      - name: google-cloud-key
+      - name: cnrm-bookstore-frontend-key
         secret:
-          secretName: gcp-key
+          secretName: cnrm-bookstore-frontend-key
       containers:
       - name: booksfe-svc
         image: gcr.io/cnrm-eap/bookstore/app
         imagePullPolicy: Always
         ports:
           - containerPort: 8080
         volumeMounts:
-        - name: google-cloud-key
+        - name: cnrm-bookstore-frontend-key
           mountPath: /var/secrets/google
         env:
           - name: SVC_USERS_HOST

apps/bookstore/config/manifests/inventory-deployment.yaml

@@ -27,17 +27,17 @@ spec:
         app: inventory
     spec:
       volumes:
-      - name: google-cloud-key
+      - name: cnrm-bookstore-inventory-key
         secret:
-          secretName: gcp-key
+          secretName: cnrm-bookstore-inventory-key
       containers:
       - name: inventory-svc
         image: gcr.io/cnrm-eap/bookstore/inventory
         imagePullPolicy: Always
         ports:
           - containerPort: 8080
         volumeMounts:
-        - name: google-cloud-key
+        - name: cnrm-bookstore-inventory-key
           mountPath: /var/secrets/google
         env:
           - name: GOOGLE_APPLICATION_CREDENTIALS

apps/bookstore/config/manifests/pubsub-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicy
+metadata:
+  name: cnrm-bookstore-pubsub-policy
+spec:
+  resourceRef:
+    apiVersion: pubsub.cnrm.cloud.google.com/v1alpha2
+    kind: PubSubTopic
+    name: cnrm-topic
+  bindings:
+    - role: roles/editor
+      members:
+        - serviceAccount:cnrm-bookstore-frontend@[PROJECT_ID].iam.gserviceaccount.com

apps/bookstore/config/manifests/pubsub-sa-key.yaml

@@ -0,0 +1,10 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMServiceAccountKey
+metadata:
+  name: cnrm-bookstore-frontend-key
+spec:
+  publicKeyType: TYPE_X509_PEM_FILE
+  keyAlgorithm: KEY_ALG_RSA_2048
+  privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
+  serviceAccountRef:
+    name: cnrm-bookstore-frontend

apps/bookstore/config/manifests/pubsub-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMServiceAccount
+metadata:
+  name: cnrm-bookstore-frontend
+spec:
+  displayName: Service account for Config Connector bookstore demo frontend

apps/bookstore/config/manifests/spanner-policy.yaml

@@ -0,0 +1,13 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMPolicy
+metadata:
+  name: cnrm-bookstore-spanner-policy
+spec:
+  resourceRef:
+    apiVersion: spanner.cnrm.cloud.google.com/v1alpha2
+    kind: SpannerInstance
+    name: cnrm-instance
+  bindings:
+    - role: roles/editor
+      members:
+        - serviceAccount:cnrm-bookstore-inventory@[PROJECT_ID].iam.gserviceaccount.com

apps/bookstore/config/manifests/spanner-sa-key.yaml

@@ -0,0 +1,10 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMServiceAccountKey
+metadata:
+  name: cnrm-bookstore-inventory-key
+spec:
+  publicKeyType: TYPE_X509_PEM_FILE
+  keyAlgorithm: KEY_ALG_RSA_2048
+  privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
+  serviceAccountRef:
+    name: cnrm-bookstore-inventory

apps/bookstore/config/manifests/spanner-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: iam.cnrm.cloud.google.com/v1alpha1
+kind: IAMServiceAccount
+metadata:
+  name: cnrm-bookstore-inventory
+spec:
+  displayName: Service account for Config Connector bookstore demo inventory

resources/bigtableinstance/bigtable_v1alpha1_bigtableinstance.yaml

@@ -0,0 +1,9 @@
+apiVersion: bigtable.cnrm.cloud.google.com/v1alpha1
+kind: BigtableInstance
+metadata:
+  labels:
+    label-one: "value-one"
+  name: bigtableinstance-sample
+spec:
+  displayName: BigtableSample
+  type: PRODUCTION

resources/computetargethttpproxy/compute_v1alpha1_computebackendservice.yaml

@@ -0,0 +1,7 @@
+apiVersion: compute.cnrm.cloud.google.com/v1alpha1
+kind: ComputeBackendService
+metadata:
+  name: computeurlmap-dep
+spec:
+  healthCheckRef:
+    name: computebackendservice-dep

resources/computetargethttpproxy/compute_v1alpha1_computehealthcheck.yaml

@@ -0,0 +1,8 @@
+apiVersion: compute.cnrm.cloud.google.com/v1alpha1
+kind: ComputeHealthCheck
+metadata:
+  name: computebackendservice-dep
+spec:
+  checkIntervalSec: 10
+  httpHealthCheck:
+    port: 80

resources/computetargethttpproxy/compute_v1alpha1_computetargethttpproxy.yaml

@@ -0,0 +1,8 @@
+apiVersion: compute.cnrm.cloud.google.com/v1alpha1
+kind: ComputeTargetHTTPProxy
+metadata:
+  name: computetargethttpproxy-sample
+spec:
+  description: "A sample proxy"
+  urlMapRef:
+    name: computetargethttpproxy-dep

resources/computetargethttpproxy/compute_v1alpha1_computeurlmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: compute.cnrm.cloud.google.com/v1alpha1
+kind: ComputeURLMap
+metadata:
+  name: computetargethttpproxy-dep
+spec:
+  defaultServiceRef:
+    name: computeurlmap-dep
+    kind: ComputeBackendService

resources/iampolicy/project-level/iam_v1alpha1_iampolicy.yaml

@@ -33,7 +33,7 @@ spec:
         - serviceAccount:service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com
       role: roles/editor
     - members:
-        # Make sure to keep the "cnrm-system" service account permission, or else KCC will
+        # Make sure to keep the "cnrm-system" service account permission, or else Config Connector will
         # be locked out from managing GCP resources.
         - serviceAccount:cnrm-system@[PROJECT_ID].iam.gserviceaccount.com
         # Ensure that your account is not locked out of the project.

resources/iampolicy/pubsub-admin/iam_v1alpha1_iampolicy.yaml

@@ -12,5 +12,5 @@ spec:
   bindings:
     - role: roles/editor
       members:
-        # replace ${PROJECT_NAME?} with your project name
-        - serviceAccount:iampolicy-dep@${PROJECT_NAME?}.iam.gserviceaccount.com
+        # replace ${PROJECT_ID?} with your project name
+        - serviceAccount:iampolicy-dep@${PROJECT_ID?}.iam.gserviceaccount.com

resources/iampolicy/workload-identity/iam_v1alpha1_iampolicy.yaml

@@ -10,5 +10,5 @@ spec:
   bindings:
     - role: roles/iam.workloadIdentityUser
       members:
-        # replace ${PROJECT_NAME?} with your project name
-        - serviceAccount:${PROJECT_NAME?}.svc.id.goog[default/iampolicy-ksa-dep]
+        # replace ${PROJECT_ID} with your project name
+        - serviceAccount:${PROJECT_ID?}.svc.id.goog[default/iampolicy-ksa-dep]

resources/iampolicy/workload-identity/kubernetes_service_account.yaml

@@ -3,5 +3,5 @@ kind: ServiceAccount
 metadata:
   name: iampolicy-ksa-dep
   annotations:
-    # replace ${PROJECT_NAME?} with your project name
-    iam.gke.io/gcp-service-account: iampolicy-gsa-dep@${PROJECT_NAME?}.iam.gserviceaccount.com
+    # replace ${PROJECT_ID?} with your project name
+    iam.gke.io/gcp-service-account: iampolicy-gsa-dep@${PROJECT_ID?}.iam.gserviceaccount.com