@gbrayut
Created December 12, 2022 20:18
KCC GKE KMS KMSCryptoKey bootDiskKMSCryptoKeyRef
# config-connector export //cloudkms.googleapis.com/projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSKeyRing
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gregbray-kms
    cnrm.cloud.google.com/deletion-policy: abandon
  name: my-key-ring
spec:
  location: us-central1
  resourceID: my-key-ring
---
# config-connector export //cloudkms.googleapis.com/projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-gke-key
apiVersion: kms.cnrm.cloud.google.com/v1beta1
kind: KMSCryptoKey
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gregbray-kms
    cnrm.cloud.google.com/deletion-policy: abandon
  name: my-gke-key
spec:
  destroyScheduledDuration: 86400s
  keyRingRef:
    # https://cloud.google.com/config-connector/docs/reference/resource-docs/kms/kmscryptokey
    name: my-key-ring
    namespace: config-control
    # or
    # external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring
  purpose: ENCRYPT_DECRYPT
  resourceID: my-gke-key
  versionTemplate:
    algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
    protectionLevel: SOFTWARE
---
# config-connector export //container.googleapis.com/gregbray-gke/us-central1/gke-iowa
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gregbray-gke
  name: gke-iowa
spec:
  addonsConfig:
    dnsCacheConfig:
      enabled: true
    gcePersistentDiskCsiDriverConfig:
      enabled: true
    horizontalPodAutoscaling:
      disabled: false
    httpLoadBalancing:
      disabled: false
    networkPolicyConfig:
      disabled: true
  clusterAutoscaling:
    autoscalingProfile: OPTIMIZE_UTILIZATION
    enabled: true
    resourceLimits:
    - resourceType: cpu
      maximum: 100
      minimum: 1
    - resourceType: memory
      maximum: 1000
      minimum: 100
  clusterIpv4Cidr: 10.120.0.0/13
  databaseEncryption:
    state: DECRYPTED
  datapathProvider: ADVANCED_DATAPATH
  defaultMaxPodsPerNode: 110
  defaultSnatStatus:
    disabled: false
  enableShieldedNodes: true
  initialNodeCount: 1
  ipAllocationPolicy:
    clusterIpv4CidrBlock: 10.120.0.0/13
    clusterSecondaryRangeName: gkepods
    servicesIpv4CidrBlock: 10.64.0.0/16
    servicesSecondaryRangeName: gkeservices
  location: us-central1
  loggingService: logging.googleapis.com/kubernetes
  monitoringService: monitoring.googleapis.com/kubernetes
  networkPolicy:
    enabled: false
    provider: PROVIDER_UNSPECIFIED
  networkRef:
    external: projects/gregbray-gke/global/networks/gke-vpc
  networkingMode: VPC_NATIVE
  nodeConfig:
    bootDiskKMSCryptoKeyRef:
      # https://cloud.google.com/config-connector/docs/reference/resource-docs/container/containercluster
      name: my-gke-key
      namespace: config-control
      # or
      # external: projects/gregbray-kms/locations/us-central1/keyRings/my-key-ring/cryptoKeys/my-gke-key
    diskSizeGb: 100
    diskType: pd-standard
    imageType: COS_CONTAINERD
    machineType: e2-standard-4
    metadata:
      disable-legacy-endpoints: "true"
    serviceAccountRef:
      external: default
    shieldedInstanceConfig:
      enableIntegrityMonitoring: true
    workloadMetadataConfig:
      mode: GKE_METADATA
      nodeMetadata: GKE_METADATA_SERVER
  nodeLocations:
  - us-central1-a
  - us-central1-b
  - us-central1-c
  notificationConfig:
    pubsub:
      enabled: false
  podSecurityPolicyConfig:
    enabled: false
  privateClusterConfig:
    enablePrivateEndpoint: false
    enablePrivateNodes: true
    masterGlobalAccessConfig:
      enabled: false
    masterIpv4CidrBlock: 10.69.17.16/28
  releaseChannel:
    channel: REGULAR
  resourceID: gke-iowa
  serviceExternalIpsConfig:
    enabled: false
  subnetworkRef:
    external: projects/gregbray-gke/regions/us-central1/subnetworks/gke-iowa-subnet
  workloadIdentityConfig:
    workloadPool: gregbray-gke.svc.id.goog