def create_subst()

in hack/create_kptfile.py [0:0]


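  def create_subst(path):
    """Register the kpt setters and name substitutions for the GCP blueprint.

    Emits, in a fixed order, the setters (project, name, zone, region,
    location, log-firewalls) and then the substitutions that the blueprint
    resources reference: IAM policy member names, workload-identity bindings,
    DNS zone / route / firewall-rule names, service-account names and refs,
    the node pool and cluster identifiers.  Each substitution pairs a literal
    default (built from the setter defaults ``project-id`` and ``name``) with
    the ``${...}`` pattern that refers back to the matching setter.

    Because several of these substitutions become IAM policy members and
    workload-identity bindings (the ``serviceAccount:...`` values), the
    project and name setters decide which identities the generated resources
    grant access to.

    Args:
      path: Passed through unchanged to ``create_setter``, the module-level
        ``create_subst`` and ``KptCreator.*``; presumably the Kptfile being
        written -- confirm against those helpers in this file.

    Returns:
      None.  All work happens through the helpers' side effects.

    Note:
      Inside this body the name ``create_subst`` resolves to the
      four-argument module-level helper, not to this one-argument function.
      The call order matters at least for zone/region vs. location (see the
      comment below), so keep the sequence when editing.
    """

    def _name_substs(items):
      # Common shape shared by many resources: substitution name, default
      # value and pattern are all "name-<item>" / "${name}-<item>".
      for item in items:
        create_subst(f"name-{item}", f"name-{item}", f"${{name}}-{item}", path)

    # Service account substitutions
    create_setter("gcloud.core.project", "project-id", path)
    create_setter("name", "name", path)

    create_setter("gcloud.compute.zone", "us-east1-d", path)
    create_setter("gcloud.compute.region", "us-central1", path)

    # Workload identity bindings for the kf-admin account
    for ns in ["kubeflow", "istio-system"]:
      create_subst(
          f"iampolicy-member-kfadmin-{ns}",
          f"serviceAccount:project-id.svc.id.goog[{ns}/kf-admin]",
          f"serviceAccount:${{gcloud.core.project}}.svc.id.goog[{ns}/kf-admin]",
          path)

    # Zone and region are created above, before location, so that location
    # overrides them -- keep this ordering.
    create_setter("location", "us-east1-d", path)

    # Private GKE
    create_setter("log-firewalls", "false", path, field="spec.enableLogging")

    create_subst("name-storage-metadata-store", "name-storage-metadata-store",
                 "${name}-storage-metadata-store", path)
    create_subst("name-storage-artifact-store", "name-storage-artifact-store",
                 "${name}-storage-artifact-store", path)
    create_subst("name-ip", "name-ip", "${name}-ip", path)

    # DNS
    _name_substs(["gcr", "gcr-cname", "gcr-a", "goog-apis", "goog-cname",
                  "goog-a"])

    # Routes
    _name_substs(["google-apis", "internet"])

    # Names of firewall rules
    _name_substs(["deny-egress", "health-ingress", "health-egress",
                  "apis-egress", "master-egress", "int-egress", "istio", "cm",
                  "dockerhub", "iap-jwks"])

    # Names for IAM Policies granting pipelines KSA's workload identity
    # on user service account
    ksa_names = ["ml-pipeline-ui",
                 "ml-pipeline-visualization", # TODO(jlewi): Not sure we actually need this.
                 "ml-pipeline-visualizationserver",
                 "pipeline-runner"]

    _name_substs(f"user-workload-identity-user-{ksa}" for ksa in ksa_names)

    # Members for IAM policy members for these service accounts
    for ksa in ksa_names:
      create_subst(
          f"name-user-workload-identity-user-{ksa}-member",
          f"serviceAccount:project-id.svc.id.goog[kubeflow/{ksa}]",
          f"serviceAccount:${{gcloud.core.project}}.svc.id.goog[kubeflow/{ksa}]",
          path)

    # For user account create names for IAM policy member rules
    services = ["cloudbuild", "viewer", "source",
                "storage", "bigquery", "dataflow",
                "ml", "dataproc", "cloudsql", "logging",
                "metricwriter", "monitoringviewer"]

    _name_substs(f"user-{s}" for s in services)

    # For vm account create substitutions of names of IAM policy members
    create_subst("name-vm-policy-logging", "name-vm-logging",
                 "${name}-vm-logging", path)

    vm_policies = ["monitoring", "meshtelemetry", "cloudtrace",
                   "monitoring-viewer", "storage"]

    _name_substs(f"vm-policy-{p}" for p in vm_policies)

    # Cluster substitutions
    create_subst("cluster-name", "project-id/us-east1-d/name",
                 "${gcloud.core.project}/${location}/${name}", path)

    create_subst("identity-ns", "project-id.svc.id.goog",
                 "${gcloud.core.project}.svc.id.goog", path)

    # Names for service accounts
    create_subst("admin-sa-name", "name-admin", "${name}-admin", path)
    create_subst("user-sa-name", "name-user", "${name}-user", path)

    # Workload identity
    create_subst("name-admin-wi", "name-admin-workload-identity-user",
                 "${name}-admin-workload-identity-user", path)

    create_subst("admin-profiles-sa-wi",
                 "serviceAccount:project-id.svc.id.goog[kubeflow/profiles-controller-service-account]",
                 "serviceAccount:${gcloud.core.project}.svc.id.goog[kubeflow/profiles-controller-service-account]",
                 path)

    # Names for WI identity bindings
    for suffix in ["ml-pipeline-ui", "ml-pipeline-visualizationserver",
                   "pipeline-runner"]:
      create_subst("user-wi-" + suffix,
                   "name-user-workload-identity-user-" + suffix,
                   "${name}-user-workload-identity-user-" + suffix,
                   path)

    create_subst("projects", "projects/project-id",
                 "projects/${gcloud.core.project}", path)

    # Full IAM member strings for the three service accounts
    sa_suffix = "@project-id.iam.gserviceaccount.com"
    sa_pattern_suffix = "@${gcloud.core.project}.iam.gserviceaccount.com"
    for role in ["admin", "user", "vm"]:
      create_subst(f"{role}-service-account",
                   f"serviceAccount:name-{role}{sa_suffix}",
                   f"serviceAccount:${{name}}-{role}{sa_pattern_suffix}",
                   path)

    # Service account refs (email only, no "serviceAccount:" prefix);
    # original order is vm, admin, user.
    for role in ["vm", "admin", "user"]:
      create_subst(f"{role}-sa-ref",
                   f"name-{role}{sa_suffix}",
                   f"${{name}}-{role}{sa_pattern_suffix}",
                   path)

    create_subst("node-pool-cpu", "name-cpu-pool-v1", "${name}-cpu-pool-v1",
                 path)

    create_subst("name-admin-manages-user", "name-admin-manages-user",
                 "${name}-admin-manages-user", path)

    # Create policy substitutions for admin account
    admin_policies = ["admin-source", "admin-servicemanagement",
                      "admin-network", "admin-cloudbuild", "admin-viewer",
                      "admin-storage", "admin-bigquery", "admin-dataflow",
                      "admin-ml", "admin-dataproc", "admin-cloudsql",
                      "admin-logging", "admin-metricwriter",
                      "admin-monitoringviewer"]

    for a in admin_policies:
      create_subst(a + "-iam", f"name-{a}", "${name}-" + a, path)

    create_subst("name-vm", "name-vm", "${name}-vm", path)

    KptCreator.create_subst_asm(path)
    KptCreator.create_subst_private(path)
    KptCreator.restore()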