index.jsonnet
// Pulumi YAML program expressed in Jsonnet. It declares a Kubernetes cluster
// and node pool on GCP (through the project's lib/k8s templates), the service
// accounts and role bindings they use, and an external-secrets Helm release
// wired to a dedicated workload-identity service account.

// Shared library templates, imported once and reused below.
local iam = import '../../lib/iam/serviceaccount.libsonnet';
local trust = import '../../lib/iam/trust.libsonnet';
local k8sCluster = import '../../lib/k8s/cluster.libsonnet';
local k8sNodePool = import '../../lib/k8s/nodepool.libsonnet';

// Pulumi interpolations for the two service-account e-mail addresses.
local nodeSaEmail = '${k8sServiceAccount.email}';
local secretsSaEmail = '${irsaSecretsSa.email}';

// Every in-cluster resource is applied through the kubeconfig-based provider.
local viaKubeProvider = { provider: '${kubeProvider}' };

// Builds one RoleBinding resource granting `roleName` to `saEmail`.
// NOTE(review): the scope of the grant (project-wide or narrower) is decided
// inside RoleBinding, which is not visible in this file.
local grant(saEmail, roleName) = iam.RoleBinding {
  serviceAccount: saEmail,
  role: roleName,
};

{
  // Hidden field: values handed to the library templates, not emitted.
  Config:: {
    Project: '${project}',
    Env: '${pulumi.stack}',
    Region: '${region}',
    ShortRegion: '${shortRegion}',
    // NOTE(review): this is a numeric literal. A number drops trailing zeros,
    // so a later bump to 1.30 would manifest as 1.3; a quoted string avoids
    // that. Confirm how the lib templates consume it before changing the type.
    K8sVersion: 1.29,
  },

  // Stack configuration keys the program expects.
  configuration: {
    project: { type: 'String' },
    region: { type: 'String' },
    shortRegion: { type: 'String' },
    ipPrefix: { type: 'String' },
    'gcp:project': { type: 'String' },
  },

  variables: {
    // Looks up the engine versions available in the region for the configured
    // version prefix; the node pool below uses latestNodeVersion from it.
    k8sVersion: {
      'fn::invoke': {
        'function': 'gcp:container:getEngineVersions',
        arguments: {
          location: '${region}',
          versionPrefix: $.Config.K8sVersion,
        },
      },
    },
    // Kubeconfig document rendered from the local template; it feeds the
    // Kubernetes provider and is also exported as a stack output.
    kubeConfig: {
      'fn::toJSON': import './template/kubeconfig.json',
    },
  },

  resources: {
    // Network and subnet IDs come from the network stack of the same name.
    refNetwork: {
      type: 'pulumi:pulumi:StackReference',
      properties: {
        name: 'organization/init-network-k8s/${pulumi.stack}',
      },
    },

    // Service account attached to the node pool, with read access to
    // Artifact Registry and write access for logs and metrics.
    k8sServiceAccount: iam.ServiceAccount {
      saType: 'gke',
      Config: $.Config,
    },
    k8sSaBinding1: grant(nodeSaEmail, 'roles/artifactregistry.reader'),
    k8sSaBinding2: grant(nodeSaEmail, 'roles/logging.logWriter'),
    k8sSaBinding3: grant(nodeSaEmail, 'roles/monitoring.metricWriter'),
    k8sSaBinding4: grant(nodeSaEmail, 'roles/monitoring.viewer'),

    // Service account that the external-secrets workload runs as.
    irsaSecretsSa: iam.ServiceAccount {
      saType: 'irsa-secrets',
      Config: $.Config,
    },
    // NOTE(review): secretAccessor and serviceAccountTokenCreator are broad
    // if RoleBinding grants them project-wide: the first reads every secret
    // payload, the second can mint tokens for other service accounts in the
    // project. Confirm the binding scope and whether tokenCreator is needed
    // beyond this account's own identity.
    irsaSecretsBinding1: grant(secretsSaEmail, 'roles/secretmanager.secretAccessor'),
    irsaSecretsBinding2: grant(secretsSaEmail, 'roles/iam.serviceAccountTokenCreator'),
    irsaSecretsBinding3: grant(secretsSaEmail, 'roles/secretmanager.viewer'),
    // Lets the Kubernetes service account kube-system/irsa-external-secrets
    // act as irsaSecretsSa. The name must stay in sync with
    // values.serviceAccount.name of the Helm release below.
    irsaSecretsSaBinding: trust.AssumeMember {
      serviceAccountId: '${irsaSecretsSa.name}',
      member: 'serviceAccount:${gcp:project}.svc.id.goog[kube-system/irsa-external-secrets]',
      roleType: 'workload',
    },

    // Control plane, requested as a private cluster on the workload subnet.
    k8sMaster: k8sCluster.Cluster {
      name: 'cluster',
      Config: $.Config,
      network: '${refNetwork.outputs["networkId"]}',
      privateCluster: true,
      masterIpCidr: '${ipPrefix}.64.0/28',
      subnet: '${refNetwork.outputs["subnetPrivWorkloadId"]}',
      properties+: {
        minMasterVersion: $.Config.K8sVersion,
      },
    },

    // Default node pool; nodes run as the dedicated service account above.
    npDefault: k8sNodePool.NodePool {
      name: 'default',
      Config: $.Config,
      cluster: '${k8sMaster.id}',
      serviceAccount: nodeSaEmail,
      machineType: 't2d-standard-2',
      minNodes: 1,
      maxNodes: 10,
      properties+: {
        version: '${k8sVersion.latestNodeVersion}',
      },
    },

    kubeProvider: {
      type: 'pulumi:providers:kubernetes',
      properties: {
        kubeconfig: '${kubeConfig}',
      },
    },

    // Objects from template/irsa-secrets.json, presumably including the
    // irsa-external-secrets service account the chart is told not to create
    // (TODO confirm against the template).
    kubeIrsaSecretsSA: {
      type: 'kubernetes:yaml/v2:ConfigGroup',
      properties: {
        objs: [
          import './template/irsa-secrets.json',
        ],
      },
      options: viaKubeProvider,
    },

    // external-secrets operator, pinned to one chart version and installed
    // into kube-system under the pre-existing service account.
    // NOTE(review): no dependsOn ties this release to kubeIrsaSecretsSA;
    // confirm the ordering is acceptable on a first deployment.
    kubeExternalSecretsChart: {
      type: 'kubernetes:helm.sh/v4:Chart',
      properties: {
        name: 'secrets',
        chart: 'external-secrets',
        repositoryOpts: {
          repo: 'https://charts.external-secrets.io/',
        },
        version: '0.9.14',
        namespace: 'kube-system',
        values: {
          serviceAccount: {
            create: false,
            name: 'irsa-external-secrets',
          },
          podDisruptionBudget: {
            enabled: true,
            minAvailable: 1,
            // NOTE(review): priorityClassName sits under podDisruptionBudget
            // here; verify against the chart's values file that this is where
            // the chart reads it, otherwise the setting has no effect.
            priorityClassName: 'system-cluster-critical',
          },
        },
      },
      options: viaKubeProvider,
    },

    // Objects from template/secret-store.json, applied only after the chart.
    kubeSecretsStore: {
      type: 'kubernetes:yaml/v2:ConfigGroup',
      properties: {
        objs: [
          import './template/secret-store.json',
        ],
      },
      options: viaKubeProvider {
        dependsOn: [
          '${kubeExternalSecretsChart}',
        ],
      },
    },
  },

  outputs: {
    k8sEndpoint: '${k8sMaster.endpoint}',
    // NOTE(review): the kubeconfig is exported as a plain stack output. If the
    // template embeds any credential, wrap the value in fn::secret so it is
    // stored encrypted in state; verify the template contents first.
    kubeConfig: '${kubeConfig}',
    k8sVersion: '${k8sMaster.masterVersion}',
  },
}