fix(scripts/gcp): default to workload identity service account

ZettaAI · Jan 3, 2024 · ad74ad9 · ad74ad9
1 parent 5d78841
commit ad74ad9
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/scripts/gcp/create_corgie_igneous_cluster.py b/scripts/gcp/create_corgie_igneous_cluster.py
@@ -2,10 +2,10 @@
 import argparse
 import subprocess
 
-CREATE_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" clusters create "{CLUSTER_NAME}" --region "{REGION}" --no-enable-basic-auth --release-channel "regular" --machine-type "e2-medium" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "10" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_write","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/pubsub","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --max-pods-per-node "16" --spot --num-nodes "1" --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM --enable-ip-alias --network "projects/{PROJECT_NAME}/global/networks/default" --subnetwork "projects/{PROJECT_NAME}/regions/{REGION}/subnetworks/default" --no-enable-intra-node-visibility --default-max-pods-per-node "16" --enable-dataplane-v2 --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,GcePersistentDiskCsiDriver --enable-autoupgrade --enable-autorepair --max-surge-upgrade 0 --max-unavailable-upgrade 1 --maintenance-window-start "2022-01-19T05:00:00Z" --maintenance-window-end "2022-01-20T05:00:00Z" --maintenance-window-recurrence "FREQ=WEEKLY;BYDAY=SA,SU" --labels owner={USERNAME} --workload-pool "{PROJECT_NAME}.svc.id.goog" --enable-shielded-nodes --node-locations {NODE_LOCATIONS} --enable-image-streaming'
+CREATE_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" clusters create "{CLUSTER_NAME}" --region "{REGION}" --no-enable-basic-auth --release-channel "regular" --machine-type "e2-medium" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "10" --metadata disable-legacy-endpoints=true --service-account "{CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com" --max-pods-per-node "16" --spot --num-nodes "1" --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM --enable-ip-alias --network "projects/{PROJECT_NAME}/global/networks/default" --subnetwork "projects/{PROJECT_NAME}/regions/{REGION}/subnetworks/default" --no-enable-intra-node-visibility --default-max-pods-per-node "16" --enable-dataplane-v2 --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,GcePersistentDiskCsiDriver --enable-autoupgrade --enable-autorepair --max-surge-upgrade 0 --max-unavailable-upgrade 1 --maintenance-window-start "2022-01-19T05:00:00Z" --maintenance-window-end "2022-01-20T05:00:00Z" --maintenance-window-recurrence "FREQ=WEEKLY;BYDAY=SA,SU" --labels owner={USERNAME} --workload-pool "{PROJECT_NAME}.svc.id.goog" --enable-shielded-nodes --node-locations {NODE_LOCATIONS} --enable-image-streaming'
 
-ADD_CPU_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" node-pools create "cpu-e2-highmem-4" --cluster "{CLUSTER_NAME}" --region "{REGION}" --machine-type "e2-highmem-4" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "64" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_write","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/pubsub","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --spot --num-nodes "1" --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --max-pods-per-node "16" --node-locations {NODE_LOCATIONS} --enable-autoscaling --num-nodes 0 --total-min-nodes=0 --total-max-nodes=10 --node-taints=worker-pool=true:NoSchedule --enable-image-streaming'
-ADD_GPU_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" node-pools create "gpu-n1-highmem-4-t4" --cluster "{CLUSTER_NAME}" --region "{REGION}" --machine-type "n1-highmem-4" --accelerator "type=nvidia-tesla-t4,count=1" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "64" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_write","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/pubsub","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --spot --num-nodes "1" --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --max-pods-per-node "16" --node-locations {NODE_LOCATIONS} --enable-autoscaling --num-nodes 0 --total-min-nodes=0 --total-max-nodes=10 --node-taints=worker-pool=true:NoSchedule --enable-image-streaming'
+ADD_CPU_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" node-pools create "cpu-e2-highmem-4" --cluster "{CLUSTER_NAME}" --region "{REGION}" --machine-type "e2-highmem-4" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "64" --metadata disable-legacy-endpoints=true --service-account "{CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com" --spot --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --max-pods-per-node "16" --node-locations {NODE_LOCATIONS} --enable-autoscaling --num-nodes 0 --total-min-nodes=0 --total-max-nodes=10 --node-taints=worker-pool=true:NoSchedule --enable-image-streaming'
+ADD_GPU_COMMAND_TMPL = 'gcloud beta container --project "{PROJECT_NAME}" node-pools create "gpu-n1-highmem-4-t4" --cluster "{CLUSTER_NAME}" --region "{REGION}" --machine-type "n1-highmem-4" --accelerator "type=nvidia-tesla-t4,count=1" --image-type "COS_CONTAINERD" --disk-type "pd-standard" --disk-size "64" --metadata disable-legacy-endpoints=true --service-account "{CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com" --spot --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --max-pods-per-node "16" --node-locations {NODE_LOCATIONS} --enable-autoscaling --num-nodes 0 --total-min-nodes=0 --total-max-nodes=10 --node-taints=worker-pool=true:NoSchedule --enable-image-streaming'
 
 ADD_WORKLOAD_IDENTITY_TMPL = 'gcloud container clusters get-credentials {CLUSTER_NAME} --region {REGION} --project {PROJECT_NAME} && gcloud iam service-accounts create {CLUSTER_NAME}-worker --project={PROJECT_NAME} && gcloud projects add-iam-policy-binding {PROJECT_NAME} --member "serviceAccount:{CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com" --role "roles/storage.objectUser" && gcloud projects add-iam-policy-binding {PROJECT_NAME} --member "serviceAccount:{CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com" --role "roles/artifactregistry.reader" && gcloud iam service-accounts add-iam-policy-binding {CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "serviceAccount:{PROJECT_NAME}.svc.id.goog[default/default]" --project {PROJECT_NAME} && kubectl annotate serviceaccount default --namespace default iam.gke.io/gcp-service-account={CLUSTER_NAME}-worker@{PROJECT_NAME}.iam.gserviceaccount.com'