0:SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK J r SSK J r SSKJr SS KJr SSKJ r SS KJr SS KJr SS KJr SS KJr SrSrSrSrSrSrSr Sr!Sr"Sr#Sr$Sr%Sr&Sr'Sr(Sr)Sr*Sr+S r,\RZ"S!/S"Q5r.S#r/S$r0S%r1S&r2S'r3S(r4S)r5S*r6S+r7S,r8S-r9S.r:S/r;S0rS3r?S4r@S5rA"S6S7\B5rCS8rD"S9S:\R5rF"S;S<\R5rG"S=S>\R5rHg)?z6Utils for mesh flag in the instance template commands.)absolute_import)division)unicode_literalsN)util)service_proxy_aux_data)api_util) kube_util) exceptions)execution_utils)yaml)fileszistio-eastwestgatewayzYgs://gce-service-proxy/service-proxy-agent/releases/service-proxy-agent-asm-{}-stable.tgzzKgs://gce-service-proxy/service-proxy-agent-installer/releases/installer.tgzzgce-service-proxy-asm-version"gce-service-proxy-installer-bucketzgce-service-proxy-agent-bucketzservice.istio.io/canonical-namez#service.istio.io/canonical-revisionzapp.kubernetes.io/namezapp.kubernetes.io/versionISTIO_META_CLOUDRUN_ADDR CLOUDRUN_ADDR15012z (.*)\/(.*)z#\/\/gkehub(.*).googleapis.com\/(.*)z:(.*)-zistio-sidecar-injectoristiodzmeshconfig.googleapis.com:443ServiceProxyMetadataArgs) asm_version project_idexpansionagateway_ipservice_proxy_api_serveridentity_providerservice_accountasm_proxy_configmcp_env_config trust_domainmesh_idnetwork asm_labels workload_nameworkload_namespacecanonical_servicecanonical_revision asm_revision root_certc[R"[U5nU(a"URS5URS54$[R "SR U55e)zParses the workload value to workload namespace and name. Args: workload: The workload value with namespace/name format. Returns: workload namespace and workload name. Raises: Error: if the workload value is invalid. zSvalue workload: {} is invalid. Workload value should have the formatnamespace/name.)research_WORKLOAD_PATTERNgroupr Errorformat)workloadworkload_matchs Flib/googlecloudsdk/command_lib/compute/instance_templates/mesh_util.py ParseWorkloadr2Ms[99.9.    "N$8$8$; ;;x( **c[R"[U5nU(aURS5$[R "SR U55e)a^Get membership name from an owner id value. Args: owner_id: The owner ID value of a membership. e.g., //gkehub.googleapis.com/projects/123/locations/global/memberships/test. Returns: The full resource name of the membership, e.g., projects/foo/locations/global/memberships/name. Raises: Error: if the membership name cannot be parsed. r(zvalue owner_id: {} is invalid.)r)r*_GKEHUB_PATTERNr,r r-r.)owner_idmembership_matchs r1_ParseMembershipNamer8asJYY9  ! !! $$&--h7 99r3cU(d [S5e[R"U5n[ USSS5nU(d [S5e[U5n[R"U5nUR(d%[R"SR U55eS R URU5$![Ra+n[R"SR U5U5eSnAff=f) aBGet the identity provider for the VMs. Args: membership_manifest: The membership manifest from the cluster. workload_namespace: The namespace of the VM workload. Returns: The identity provider value to be used on the VM connected to the cluster. Raises: ClusterError: If the membership manifest cannot be read. z2Cannot verify an empty membership from the clusterz&Invalid membership from the cluster {}NspecowneridznInvalid membership does not have an owner id. Please make sure your cluster is correctly registered and retry.zwInvalid membership {} does not have a unique_Id field. Please make sure your cluster is correctly registered and retry.z {}@google@{}) ClusterErrorr loadr-r r._GetNestedKeyFromManifestr8r GetMembershipuniqueId)membership_manifestr!membership_dataer6membership_name memberships r1_GetVMIdentityProviderrGvs  K LLQii 34O 'vw.(    !!)2/%%o6*      3396/3J LL   z224F GG% Q   0778KLa QQQsB==C<&C77C<c|USnU$![[4a" U(a0s$[R"S5ef=f)zRetrieve proxy config from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: proxy_config: The proxy config from the mesh config. defaultConfigz8Proxy config cannot be found in the Anthos Service Mesh.KeyError TypeErrorr r-)is_mcp mesh_config proxy_configs r1_RetrieveProxyConfigrPsRD/L  I D i   B DDDs  ;;cxUSnU$![[4a U(ag[R"S5ef=f)zRetrieve trust domain from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: trust_domain: The trust domain from the mesh config. trustDomainNz8Trust Domain cannot be found in the Anthos Service Mesh.rJ)rMrNrs r1_RetrieveTrustDomainrSsPD}-L  I D    B DDDs  99c[X5nUSnU$![[4a U(ag[R"S5ef=f)zRetrieve mesh id from a mesh config. Args: is_mcp: Whether the control plane is managed or not. mesh_config: A mesh config from the cluster. Returns: mesh_id: The mesh id from the mesh config. meshIdNz3Mesh ID cannot be found in the Anthos Service Mesh.)rPrKrLr r-)rMrNrOrs r1_RetrieveMeshIdrVsV&f:,?8$G . I ?    = ???sAAcL[SUS9nUc0nURS[5$)zGet the discovery address used in the MCP installation. Args: mesh_config: A mesh config from the cluster. Returns: The discovery address. T)rMrNdiscoveryAddress)rPget _MCP_ADDRESS)rNrOs r1_RetrieveDiscoveryAddressr[s1&T{K,L   ,l ;;r3c6URU5nU(agg)zCheck if ASM control plane is managed. Args: kube_client: A kubernetes client for the cluster. revision: The ASM revision to check for control plane type. Returns: True if the control plane is MCP, otherwise False. TF)RetrieveMutatingWebhookURL) kube_clientrevisionurls r1_IsMCPras ..x8#  r3cU(d [S5e[R"U5n[ USSS5nU$![Ra+n[R"SR W5U5eSnAff=f)zGet the workload labels from a workload manifest. Args: workload_manifest: The manifest of the workload. Returns: The workload labels. Raises: WorkloadError: If the workload manifest cannot be read. 0Cannot verify an empty workload from the cluster$Invalid workload from the cluster {}Nr:metadatalabels WorkloadErrorr r>r-r r.r?)workload_manifest workload_datarDworkload_labelss r1_GetWorkloadLabelsrls  J KKIII/0M .mVZ.68/  I   .55mDa III:A9&A44A9c.[U5n[X 5$)zGet the canonical service name of the workload. Args: workload_name: The name of the workload. workload_manifest: The manifest of the workload. Returns: The canonical service name of the workload. )rl_ExtractCanonicalServiceName)r rirks r1_GetCanonicalServiceNamerp"s''89/ %o EEr3c.[U5n[U5$)zGet the canonical service revision of the workload. Args: workload_manifest: The manifest of the workload. Returns: The canonical service revision of the workload. )rl _ExtractCanonicalServiceRevision)rirks r1_GetCanonicalServiceRevisionrs1s''89/ )/ ::r3cU(dU$UR[5nU(aU$UR[5nU(aU$URS5nU(aU$U$)zGet the canonical service name of the workload. Args: workload_labels: A map of workload labels. workload_name: The name of the workload. Returns: The canonical service name of the workload. app)rY#_ISTIO_CANONICAL_SERVICE_NAME_LABEL_KUBERNETES_APP_NAME_LABEL)rkr svcs r1roro?s]  ?@# J67# JE"# J r3cU(dgUR[5nU(aU$UR[5nU(aU$URS5nU(aU$g)zGet the canonical service revision of the workload. Args: workload_labels: A map of workload labels. Returns: The canonical service revision of the workload. latestversion)rY'_ISTIO_CANONICAL_SERVICE_REVISION_LABEL_KUBERNETES_APP_VERSION_LABEL)rkrevs r1rrrr[sW  CD# J9:# JI&# J r3cU(d [S5e[R"U5n[ USSSS5nUS:wa [S 5eg![Ra+n[R"SR U5U5eSnAff=f) z(Verify VM workload setup in the cluster.rcrdNr:re annotationsz*security.cloud.google.com/IdentityProvidergooglezUnable to find the GCE IdentityProvider in the specified WorkloadGroup. Please make sure the GCE IdentityProvider is specified in the WorkloadGroup.rg)rirjrDidentity_provider_values r1VerifyWorkloadSetuprvs  J KKMII/0M 6VZ24( ) **) M   .556GH! MMMsA B &BB cU(d [S5e[R"U5n[ USSS5nU(d [S5eU$![Ra+n[R"SR U5U5eSnAff=f)z;Retrieve the Anthos Service Mesh revision for the workload.z1Cannot verify an empty namespace from the clusterz%Invalid namespace from the cluster {}Nrerfz istio.io/revzWorkload namespace does not have an Anthos Service Mesh revision label. Please make sure the namespace is labeled and try again.rg)namespace_manifestnamespace_datarDworkload_revisions r1RetrieveWorkloadRevisionrs  K LLOYY12N 0 08.J  4 55  O   /667IJA OOOsA B  &BB cU(d [S5e[R"U5n[ USSS5nU$![Ra+n[R"SR U5U5eSnAff=f)z3Retrieve the service account used for the workload.rcrdNr:templateserviceAccountrg)rirjrDrs r1_RetrieveWorkloadServiceAccountrs  J KKMII/0M .mVZ.>@/  M   .556GH! MMMrmc FU(a#Sn Sn Sn [U 5nURU 5nOq[UR;aUR[n OUR U 5n UR 5n UR 5n SRU [5nSn[UU5n[U5n[X5n[X5n[X5nURS5Sn[U5n[!Xg5n[#U5n[%XXUUUUUUUUUUUUU U 5$)z?Retrieve the necessary metadata to configure the service proxy.Nz{}:{}/)r[RetrieveEnvConfig'_GCE_SERVICE_PROXY_ASM_VERSION_METADATAreRetrieveASMVersionRetrieveExpansionGatewayIPRetrieveKubernetesRootCertr._ISTIO_DISCOVERY_PORTrGrrPrSrVsplitrlrprsr)argsrMr^rnetwork_resourcer!r rirBr$rNrrr%r env_configrrrrrrrr"r#s r1_RetrieveServiceProxyMetadatars@ KI8E..|%f:, F 0'  " "3 ' +'!"34*.}P34EF !3*:JGWj-+-?  r3cp UR(a URnO[R"5nURU['UR U[ '[R"USS9n[R"5nSUS'URURSS.US'0US'URnU(d[R"5nS U;a[R"5US 'O[R"US 5US 'US nURUS 'URUS 'S US 'S US'URUS'URUS'URUS'UR (aUR US'UR"(aUR"US'SR%UR&UR5US'URUS'UR US'XGS'UR(S:XaSUS'OUR(US'[R"5n[R"5n SU S'SU S'U(aqS S![*R,00/U S"'UR/UR05 [2U;aU[2U[4'S#UR6;a[8UR6S#'OS S![*R:R%UR<UR(S$900/U S"'UR>US%'UR@UR6S&'[BUR6;a0[DR%UR>5UR6[B'U /US''XeS('S UR6S)'S UR6S*'S+UR6S,'[R"U5UR6S-'[R"USS9UR6S.'URFc[R"5Ul#URURFS0'URURFS1'UR"(aUR"URFS2'O>[HRJ"UR&5n S3R%U 5URFS2'S4URFS.'g/)5zCModify the instance template to include the service proxy metadata.T) sort_keysONmodeinfo)rz api-serverz log-levelz proxy-specservice proxyMetadataISTIO_META_WORKLOAD_NAME POD_NAMESPACEtrueUSE_TOKEN_FOR_CSRISTIO_META_DNS_CAPTUREISTIO_META_AUTO_REGISTER_GROUPSERVICE_ACCOUNTCREDENTIAL_IDENTITY_PROVIDER TRUST_DOMAINISTIO_META_MESH_ID{}-{}ISTIO_META_NETWORKCANONICAL_SERVICECANONICAL_REVISIONISTIO_METAJSON_LABELSdefault ASM_REVISIONzinstall-gce-service-proxy-agentname INSTALLED desired_state scriptRunscript installStepsr) ingress_ipr$ISTIO_META_ISTIO_VERSIONrootcertsoftwareRecipesz asm-configzenable-osconfigzenable-guest-attributestaskszosconfig-disabled-featureszgce-software-declarationzgce-service-proxyNasm_service_nameasm_service_namespacerzproj-{}z asm-istiod)&r collections OrderedDictr"rvr#r|jsondumpsrrrr r!rrrrr.rr$r.startup_script_for_asm_service_proxy_installerupdater_CLOUDRUN_ADDR_KEY_ISTIO_META_CLOUDRUN_ADDR_KEYre$_SERVICE_PROXY_INSTALLER_BUCKET_NAME$startup_script_for_asm_service_proxyrrr%(_GCE_SERVICE_PROXY_AGENT_BUCKET_METADATA_SERVICE_PROXY_BUCKET_NAMErf project_utilGetProjectNumber) rrM metadata_argsrasm_labels_stringservice_proxy_configrOproxy_metadatagce_software_declarationservice_proxy_agent_recipeproject_numbers r1_ModifyInstanceTemplaters))J((*J.;-L-L )+2?1Q1Q -/jjt<$002!%v&&!::(|$ %'y!//, **,LL($/$;$;$=L!$/$;$;_%%'L! 0./"+8+@+@N'()0 5 5*7.%&(5(G(G.$%)6)I)I.%&,=()9,%'N>"%2%?%?N>"(446*668'HV$0;_-  &?? 32~.-667^+6D 7n23+4==@ . mm89  &KK,AA!.!;!;= 32~.2?1J1JN-. - 7 7DMM*/t}}D)// 0I0IJ mm 242L0L,-'3|$%+$--!"-3$--)*07$--,-.2jj/ $--*+'+zzd(,$--#$ [[))+DK$1$C$C$++ !)6)I)I$++%&*22DKK "22=3K3KLN&--n=DKK %1$++!"r3c R[X5n [X XUXEXgX5 n [X U 5 g)z@Configure the provided instance template args with ASM metadata.N)rarr) rr^rrr!r rirBr$rNrMservice_proxy_metadata_argss r1ConfigureInstanceTemplater`s7 + ,& = K-=):!! $(CDr3c\rSrSrSrSSjrSrSrSrSr S r S r S r S r S rSrSrSrSrSrSrSrSrSrSrSSjrSrg)KubernetesClientioz-Kubernetes client for access Kubernetes APIs.Nc SUl[R"5Ul[R "SSUSSSSSS9UlUR RUR5uUlUl g)zZKubernetesClient constructor. Args: gke_cluster: the location/name of the GKE cluster. 20sNF) api_adaptergke_uri gke_cluster kubeconfig internal_ipcross_connect_subnetworkprivate_endpoint_fqdncontext) kubectl_timeoutr TemporaryDirectorytemp_kubeconfig_dir hub_kube_utilKubeconfigProcessor processorGetKubeconfigAndContextrr)selfrs r1__init__KubernetesClient.__init__rsj !D$779D"66$KUT"D2DN%)NN$J$J   %"!DOT\r3cU$N)rs r1 __enter__KubernetesClient.__enter__s Kr3cTURbURR5 ggr)rClose)r_s r1__exit__KubernetesClient.__exit__s% + $$&,r3c UHtnURSSSSSU/S5up4U(a%[R"SRX$55eSU;dMQ[R"S RU55e g ) a@Check to see if the user has read permissions in the namespaces. Args: *namespaces: The namespaces to verify reader permissions. Returns: true, if reads can be performed on all of the specified namespaces. Raises: Error: if failing to get check for read permissions. Error: if read permissions are not found. authzcan-irY*-nNzBFailed to check if the user can read resources in {} namespace: {}yesz5Missing permissions to read resources in {} namespaceT _RunKubectlr r-r.)r namespacesnsouterrs r1HasNamespaceReaderPermissions.KubernetesClient.HasNamespaceReaderPermissionss!! 7E3b 149hc  P VB_  c  C J J2 NP P r3cUHqnURSSU/S5up4U(dM#SU;a%[R"SRX$55e[R"SRX$55e g)zCheck to see if the namespaces exist in the cluster. Args: *namespaces: The namespaces to check. Returns: true, if namespaces exist. Raises: Error: if failing to verify the namespaces. Error: if at least one of the namespaces do not exist. rY namespaceNNotFoundzNamespace {} does not exist: {}z*Failed to check if namespace {} exists: {}Tr)rrrrrs r1NamespacesExist KubernetesClient.NamespacesExists R 8$?fa     !B!I!I"  8 ? ? HJ J  r3cURSSUSS/S5up#U(a%[R"SRX55eU$)z/Get the YAML output of the specified namespace.rYr-or Nz!Error retrieving Namespace {}: {}r)rrrrs r1 GetNamespaceKubernetesClient.GetNamespacesR {ItV!56: @@ Jr3cUR/SQS5upU(a,SU;ag[R"SRU55eg)z*Verifies if GKE Hub membership CRD exists.)rY1customresourcedefinitions.v1.apiextensions.k8s.iorNr Fz'Error retrieving the Membership CRD: {}Trrrrs r1r%KubernetesClient._MembershipCRDExistssR    #$(*FA s     3 : :3 ? AA r3cUR5(d [S5eUR/SQS5upU(a6SU;a [S5e[R"SR U55eU$)z/Get the YAML output of the IdentityProvider CR.zoIdentityProvider CRD is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.)rY+identityproviders.security.cloud.google.comrr r Nr zfGCE identity provider is not found in the cluster. Please install Anthos Service Mesh with VM support.zAError retrieving IdentityProvider google in default namespace: {})_IdentityProviderCRDExistsr=rr r-r.rs r1GetIdentityProviderCR&KubernetesClient.GetIdentityProviderCRs  * * , ,  ; << !"&(HC s  BC C    M 6#;  Jr3cUR/SQS5upU(a,SU;ag[R"SRU55eg)z)Verifies if Identity Provider CRD exists.)rYrrNr Fz.Error retrieving the Identity Provider CRD: {}Trrs r1r+KubernetesClient._IdentityProviderCRDExistssR    89=?FA s     : A A# F HH r3c UR5(d [S5eURSSUSUSS/S5up4U(aFSU;a[S R X!55e[ R "S R X!U55eU$) z6Get the YAML output of the specified WorkloadGroup CR.z\WorkloadGroup CRD is not found in the cluster. Please install Anthos Service Mesh and retry.rY"workloadgroups.networking.istio.iorr r Nr zhWorkloadGroup {} in namespace {} is not found in the cluster. Please create the WorkloadGroup and retry.z5Error retrieving WorkloadGroup {} in namespace {}: {})_WorkloadGroupCRDExistsr=rrhr.r r-)rr!r rrs r1GetWorkloadGroupCR#KubernetesClient.GetWorkloadGroupCRs  ' ' ) )  + ,, 3]DD&!  HC s  BBH&C34 4    A H H 6 77 Jr3cUR/SQS5upU(a,SU;ag[R"SRU55eg)z%Verifies if WorkloadGroup CRD exists.)rYrr"Nr Fz*Error retrieving the WorkloadGroup CRD: {}Trrs r1r#(KubernetesClient._WorkloadGroupCRDExistssR    /046FA s     6 = =c B DD r3cURSS[SS/S5upU(a,SU;ag[R"SR U55eg ) z8Verifies if the ASM Expansion Gateway deployment exists.rYdeployr istio-systemNr Fz5Error retrieving the expansion gateway deployment: {}Tr_EXPANSION_GATEWAY_NAMEr r-r.rs r1 ExpansionGatewayDeploymentExists1KubernetesClient.ExpansionGatewayDeploymentExists)sZ    14H$PFA s     A H H M OO r3cURSS[SS/S5upU(a,SU;ag[R"SR U55eg ) z5Verifies if the ASM Expansion Gateway service exists.rYrrr*Nr Fz2Error retrieving the expansion gateway service: {}Tr+rs r1ExpansionGatewayServiceExists.KubernetesClient.ExpansionGatewayServiceExists4sZ     2D.I4QFA s     > E Ec J LL r3c hUR5(d[SR[55eUR 5(d[SR[55eUR SS[SSSS/S 5upU(a%[ R"S RU55eU$) z4Retrieves the expansion gateway IP from the cluster.ztThe gateway {} deployment is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.zqThe gateway {} service is not found in the cluster. Please install Anthos Service Mesh with VM support and retry.rYrxrr*r z-jsonpath={.status.loadBalancer.ingress[0].ip}Nz)Error retrieving expansion gateway IP: {})r-r=r.r,r0rr r-rs r1r+KubernetesClient.RetrieveExpansionGatewayIP?s  0 0 2 2  CCI6%D' ((  - - / /  CCI6%D' ((  u-t^T7!  HC    5 < )rr_env_config_namerrrs r1r"KubernetesClient.RetrieveEnvConfig~s9o 1o  _dN ! #$(*HC s  )+ +    C J J $ %%A99S>j  ::A    3 : :3 ? AAA B:Cc US:XaSnOSRU5nURSSUSSSS /S 5up4U(aES U;a[S RU55e[R"S RU55e[ R "U5nU$![ Ra& [R"SRU55ef=f)z.Retrieves the MeshConfig for the ASM revision.ristiozistio-{}rYr5rr*r zjsonpath={.data.mesh}Nr r:z5Error retrieving the mesh config from the cluster: {}z(Invalid mesh config from the cluster: {}rA)rr_mesh_config_namerrrNs r1RetrieveMeshConfig#KubernetesClient.RetrieveMeshConfigs9 #**84  -t^ & ()-/HC s  )+ +    A H H  BIIcNk  ::B    4 ; ;C @ BBBrDcUS:Xa[nOSR[U5nSR[U5nURSSUSS/S5upEURSSUSS/S5upgU(aRU(aKSU;a SU;a[ S RU55e[ R "S RU55eU(aU$U$) z7Retrieves the Mutating Webhook URL used for a revision.rrrYmutatingwebhookconfigurationr z(jsonpath={.webhooks[0].clientConfig.url}Nr r:zHError retrieving the mutating webhook configuration from the cluster: {})_INCLUSTER_WEBHOOK_PREFIXr._MCP_WEBHOOK_PREFIXrr=r r-)rr_incluster_webhook mcp_webhook incluster_out incluster_errmcp_outmcp_errs r1r]+KubernetesClient.RetrieveMutatingWebhookURLs93!..)BHM..!4h?K#'#3#3 .0A 9 ;<@$B M'' . 9 ;<@BG } $w)> )+ +     & ((  Nr3c[R"5/nUR(aURSUR/5 UR(aURSUR/5 URSUR /5 URU5 [ R"5n[ R"5n[R"USURURUS9nUS:wa5UR5(d URSRU55 US:XaUR5OSUS:waUR54$S4$) a&Runs a kubectl command with the cluster referenced by this client. Args: args: command line arguments to pass to kubectl stdin: text to be passed to kubectl via stdin Returns: The contents of stdout if the return code is 0, stderr (or a fabricated error if stderr is empty) otherwise z --contextz --kubeconfigz--request-timeoutT)no_exitout_funcerr_funcin_strrz"kubectl exited with return code {}N) c_utilCheckKubectlInstalledrextendrrioStringIOr Execwritegetvaluer.)rrstdincmdrr returncodes r1rKubernetesClient._RunKubectls  ' ' ) *C || jj+t||,-  jj.$//23JJ#T%9%9:;JJt ++-C ++-C %% TCII %JQs||~~ ii4;;JGH'1_3<<>$ q9< 9 ##" ##r3)rrrrrr)__name__ __module__ __qualname____firstlineno____doc__rrrrr rrrrrr$r#r-r0rrrrrHr]r__static_attributes__rr3r1rroso5" ' 2.( * ,   . 5688@#r3rcrUHn[U[5(d gXnM! U$![a  gf=f)zGet the value of a key path from a dict. Args: manifest: the dict representation of a manifest *keys: an ordered list of items in the nested key Returns: The value of the nested key in the manifest. None, if the nested key does not exist. N) isinstancedictrK)manifestkeyskeys r1r?r?sEc h % % h  /  s ( 66c\rSrSrSrSrg)PermissionsErrori z3Class for errors raised when verifying permissions.rNrfrgrhrirjrkrr3r1rsrs s;r3rsc\rSrSrSrSrg)r=iz5Class for errors raised when verifying cluster setup.rNrtrr3r1r=r=s=r3r=c\rSrSrSrSrg)rhiz6Class for errors raised when verifying workload setup.rNrtrr3r1rhrhs>r3rh)Irj __future__rrrrr]rr) googlecloudsdk.api_lib.containerrrZ5googlecloudsdk.command_lib.compute.instance_templatesr*googlecloudsdk.command_lib.container.fleetrr r#googlecloudsdk.command_lib.projectsrgooglecloudsdk.corer r r googlecloudsdk.core.utilr r,rrr,_GCE_SERVICE_PROXY_INSTALLER_BUCKET_METADATArrvr|rwr}rrrr+r5r;rLrMrZ namedtuplerr2r8rGrPrSrVr[rarlrprsrorrrrrrrrobjectrr?r-rsr=rhrr3r1rs=&' ;X?QD*/$*1,%+J'(-+K(&G#*O'5 ; :$!8 4. &112LO*(9*$HN**.<(*6 F ;86***  0fz2z EE#vE#P *:##>?J$$?r3