Merge pull request #2240 from ameukam/move-scalability-logs-k8s-public

Re-deploy k8s-infra-scalability-tests-logs to kubernetes-public
kubernetes · Jun 17, 2021 · 85c09d8 · 85c09d8
2 parents 872f67a + ea6274e
commit 85c09d8
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 65 deletions.
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/main.tf b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/main.tf
@@ -24,14 +24,13 @@ This file defines:
 */
 
 locals {
-  project_id                         = "k8s-infra-prow-build"
-  cluster_name                       = "prow-build"                       // The name of the cluster defined in this file
-  cluster_location                   = "us-central1"                      // The GCP location (region or zone) where the cluster should be created
-  bigquery_location                  = "US"                               // The bigquery specific location where the dataset should be created
-  pod_namespace                      = "test-pods"                        // MUST match whatever prow is configured to use when it schedules to this cluster
-  cluster_sa_name                    = "prow-build"                       // Name of the GSA and KSA that pods use by default
-  boskos_janitor_sa_name             = "boskos-janitor"                   // Name of the GSA and KSA used by boskos-janitor
-  scalability_tests_logs_bucket_name = "k8s-infra-scalability-tests-logs" // Name of the bucket for the scalability test results
+  project_id             = "k8s-infra-prow-build"
+  cluster_name           = "prow-build"                       // The name of the cluster defined in this file
+  cluster_location       = "us-central1"                      // The GCP location (region or zone) where the cluster should be created
+  bigquery_location      = "US"                               // The bigquery specific location where the dataset should be created
+  pod_namespace          = "test-pods"                        // MUST match whatever prow is configured to use when it schedules to this cluster
+  cluster_sa_name        = "prow-build"                       // Name of the GSA and KSA that pods use by default
+  boskos_janitor_sa_name = "boskos-janitor"                   // Name of the GSA and KSA used by boskos-janitor
 }
 
 data "google_organization" "org" {
@@ -177,57 +176,3 @@ module "greenhouse_nodepool" {
   disk_type       = "pd-standard"
   service_account = module.prow_build_cluster.cluster_node_sa.email
 }
-
-
-// Bucket for scalability tests results
-resource "google_storage_bucket" "scalability_tests_logs" {
-  project = local.project_id
-  name    = local.scalability_tests_logs_bucket_name
-
-  uniform_bucket_level_access = true
-}
-
-data "google_iam_policy" "scalability_tests_logs_bindings" {
-  // Ensure k8s-infra-prow-oncall has admin privileges, and keep existing
-  // legacy bindings since we're overwriting all existing bindings below
-  binding {
-    members = [
-      "group:k8s-infra-prow-oncall@kubernetes.io",
-    ]
-    role = "roles/storage.admin"
-  }
-  binding {
-    members = [
-      "group:k8s-infra-prow-oncall@kubernetes.io",
-      "projectEditor:${local.project_id}",
-      "projectOwner:${local.project_id}",
-    ]
-    role = "roles/storage.legacyBucketOwner"
-  }
-  binding {
-    members = [
-      "projectViewer:${local.project_id}",
-    ]
-    role = "roles/storage.legacyBucketReader"
-  }
-  // Ensure prow-build serviceaccount can write to bucket
-  binding {
-    role = "roles/storage.objectAdmin"
-    members = [
-      "serviceAccount:${google_service_account.prow_build_cluster_sa.email}",
-    ]
-  }
-  // Ensure bucket is world readable
-  binding {
-    role = "roles/storage.objectViewer"
-    members = [
-      "allUsers"
-    ]
-  }
-}
-
-// Authoritative iam-policy: replaces any existing policy attached to the bucket
-resource "google_storage_bucket_iam_policy" "scalability_tests_logs_policy" {
-  bucket      = google_storage_bucket.scalability_tests_logs.name
-  policy_data = data.google_iam_policy.scalability_tests_logs_bindings.policy_data
-}
diff --git a/infra/gcp/clusters/projects/kubernetes-public/aaa/10-cluster-configuration.tf b/infra/gcp/clusters/projects/kubernetes-public/aaa/10-cluster-configuration.tf
@@ -8,9 +8,10 @@ Note that it does not configure any node pools; this is done in a separate file.
 */
 
 locals {
-  cluster_name      = "aaa"         // This is the name of the cluster defined in this file
-  cluster_location  = "us-central1" // This is the GCP location (region or zone) where the cluster should be created
-  bigquery_location = "US"          // This is the bigquery specific location where the dataset should be created
+  cluster_name                       = "aaa"         // This is the name of the cluster defined in this file
+  cluster_location                   = "us-central1" // This is the GCP location (region or zone) where the cluster should be created
+  bigquery_location                  = "US"          // This is the bigquery specific location where the dataset should be created
+  scalability_tests_logs_bucket_name = "k8s-infra-scalability-tests-logs" // Name of the bucket for the scalability test results
 }
 
 // Create SA for nodes
@@ -177,3 +178,56 @@ resource "google_container_cluster" "cluster" {
     enabled = true
   }
 }
+
+// Bucket for scalability tests results
+resource "google_storage_bucket" "scalability_tests_logs" {
+  project = data.google_project.project.project_id
+  name    = local.scalability_tests_logs_bucket_name
+
+  uniform_bucket_level_access = true
+}
+
+data "google_iam_policy" "scalability_tests_logs_bindings" {
+  // Ensure k8s-infra-prow-oncall has admin privileges, and keep existing
+  // legacy bindings since we're overwriting all existing bindings below
+  binding {
+    members = [
+      "group:k8s-infra-prow-oncall@kubernetes.io",
+    ]
+    role = "roles/storage.admin"
+  }
+  binding {
+    members = [
+      "group:k8s-infra-prow-oncall@kubernetes.io",
+      "projectEditor:${data.google_project.project.project_id}",
+      "projectOwner:${data.google_project.project.project_id}",
+    ]
+    role = "roles/storage.legacyBucketOwner"
+  }
+  binding {
+    members = [
+      "projectViewer:${data.google_project.project.project_id}",
+    ]
+    role = "roles/storage.legacyBucketReader"
+  }
+  // Ensure prow-build serviceaccount can write to bucket
+  binding {
+    role = "roles/storage.objectAdmin"
+    members = [
+      "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com",
+    ]
+  }
+  // Ensure bucket is world readable
+  binding {
+    role = "roles/storage.objectViewer"
+    members = [
+      "allUsers"
+    ]
+  }
+}
+
+// Authoritative iam-policy: replaces any existing policy attached to the bucket
+resource "google_storage_bucket_iam_policy" "scalability_tests_logs_policy" {
+  bucket      = google_storage_bucket.scalability_tests_logs.name
+  policy_data = data.google_iam_policy.scalability_tests_logs_bindings.policy_data
+}