Ensure gcs bucket for k8s-infra prow instance #1909
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -78,6 +78,12 @@ readonly TERRAFORM_STATE_BUCKET_ENTRIES=( | |
| k8s-infra-tf-sandbox-ii:k8s-infra-ii-coop@kubernetes.io | ||
| ) | ||
|
|
||
|
|
||
| #GCS buckets for k8s-infra-prow | ||
| readonly PROW_BUCKETS=( | ||
| k8s-infra-prow-results | ||
| ) | ||
|
|
||
| # The services we explicitly want enabled for the main project | ||
| # | ||
| # NOTE: Expected services include dependencies of these services, which may be | ||
|
|
@@ -169,6 +175,48 @@ function ensure_terraform_state_buckets() { | |
| done | ||
| } | ||
|
|
||
| function ensure_prow_buckets() { | ||
| if [ $# -ne 1 ] || [ -z "$1" ]; then | ||
| echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2 | ||
| return 1 | ||
| fi | ||
|
|
||
| local project="${1}" | ||
|
|
||
| for bucket in "${PROW_BUCKETS[@]}"; do | ||
| local svc_acct_name="${bucket}-sa" | ||
| local svc_acct_email="$(svc_acct_email "${project}" \ | ||
| "${svc_acct_name}")" | ||
| local SECRET_ID="${svc_acct_name}-key" | ||
|
|
||
| color 6 "Ensuring bucket ${bucket} exists and is only word-readable" | ||
| ensure_public_gcs_bucket "${project}" "gs://${bucket}" | ||
|
|
||
|
|
||
| color 6 "Creating service account: ${svc_acct_name}" | ||
| ensure_service_account \ | ||
| "${project}" \ | ||
| "${svc_acct_name}" \ | ||
| "${svc_acct_name}" | ||
|
|
||
| color 6 "Empowering service account: ${svc_acct_name}" | ||
| empower_svcacct_to_write_gcs_bucket "${svc_acct_email}" "gs://${bucket}" | ||
|
|
||
| color 6 "Ensure secret ${SECRET_ID} exists in project ${PROJECT}" | ||
| ensure_secret "${project}" "${SECRET_ID}" | ||
|
|
||
| color "Ensure ${SECRET_ID} contains secret key for ${svc_acct_name}" | ||
| ensure_serviceaccount_key_secret "${project}" "${SECRET_ID}" "${svc_acct_email}" | ||
|
|
||
| color 6 "Empowering k8s-infra-prow-oncall@kubernetes.io to read secret ${SECRET_ID}" | ||
| ensure_secrets_role_binding \ | ||
| "projects/${project}/secrets/${SECRET_ID}" \ | ||
| "group:k8s-infra-prow-oncall@kubernetes.io" \ | ||
| "roles/secretmanager.secretAccessor" | ||
|
Comment on lines
+196
to
+215
Contributor
There was a problem hiding this comment. This is basically k8s.io/infra/gcp/ensure-conformance-storage.sh Lines 104 to 131 in 4d98e1c You could parameterize it on project and pull into lib_iam.sh for re-use. Can be done as followup though |
||
|
|
||
| done | ||
| } | ||
|
|
||
| function empower_cluster_admins_and_users() { | ||
| if [ $# -ne 1 ] || [ -z "$1" ]; then | ||
| echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2 | ||
|
|
@@ -379,6 +427,9 @@ function ensure_main_project() { | |
| color 6 "Ensuring terraform state buckets exist with correct permissions in: ${project}" | ||
| ensure_terraform_state_buckets "${project}" 2>&1 | indent | ||
|
|
||
| color 6 "Ensuring prow buckets exist in: ${project}" | ||
| ensure_prow_buckets "${project}" 2>&1 | indent | ||
|
|
||
| color 6 "Empowering cluster users and admins for clusters in: ${project}" | ||
| empower_cluster_admins_and_users "${project}" 2>&1 | indent | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you are going to want to reuse the existing service account(s) that prow jobs run as instead of creating a new service account
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally this would be happening via workload identity but I think we're still living in a world where pod-utils are ultimately what write to GCS, and they still get their credentials from a kubernetes secret named "service-account", according prow's
config.yaml: https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/config.yaml#L23The way I did this for k8s-infra-prow-build-trusted/prow-build-trusted was to setup a service account named
k8s-infra-prow-build-trustedbindable via workload identity using terraform. Then manually create a key and store in a kubernetes secret namedservice-accountin thetest-podsnamespace, to match the name in prow'sconfig.yaml.Looking at it now, I think I should have set it up so the WI binding was
[test-pods/default]instead of[test-pods/k8s-infra-prow-build-trusted], because I doubt anything is actually using it. And we can also use external secrets instead of manually creating the secretSo that's build clusters.
Then there's the prow control plane. For example, I know that at least
crierwill write to the same GCS bucket.Currently, prow.k8s.io uses a
control-planeGCP service account, and then kubernetes service accounts that can bind to it for each component, e.g. https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/cluster/crier_rbac.yaml#L16-L22There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So tl;dr I would create a
k8s-infra-prow@kubernetes-publicservice account for the prow control plane, since it may require more than just write access to this one bucket.Since you're doing this for the cluster in kubernetes-public, you could do all this in https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/clusters/projects/kubernetes-public/aaa
But no objections to iterating in bash if you need to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@spiffxp I'll add a second commit with a HCL version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@spiffxp The Terraform version is done in
03d55ef.