infra/gcp: k8s-metrics move cleanup #2451

Merged: 1 commit, Aug 3, 2021

spiffxp (Member) commented Aug 3, 2021

Related:

Specific things done here:

  • add the roles/bigquery.user role to k8s-infra-prow-build-trusted's terraform that I had to manually add to get the metrics-bigquery-canary job working
  • switch the special-case in ensure-main-project.sh to create gs://k8s-metrics, and flip the iam binding calls for the google.com prow instance to removes

While I was here I also tried to reorganize some of the service account creation resources in k8s-infra-prow-build-trusted terraform into a workload_identity_service_account pseudo-module

k8s-ci-robot added the cncf-cla: yes label (Indicates the PR's author has signed the CNCF CLA.) Aug 3, 2021
k8s-ci-robot added the area/prow label (Setting up or working with prow in general, prow.k8s.io, prow build clusters) Aug 3, 2021

k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added the sig/testing (Categorizes an issue or PR as relevant to SIG Testing.), approved (Indicates a PR has been approved by an approver from all required OWNERS files.), wg/k8s-infra, and size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.) labels Aug 3, 2021

spiffxp (Member Author) commented Aug 3, 2021

/cc @ameukam @dims

specifically

- add the roles/bigquery.user role to k8s-infra-prow-build-trusted's
  terraform that I had to manually add to get the
  metrics-bigquery-canary job working
- switch the special-case in ensure-main-project.sh to create
  gs://k8s-metrics, and flip the iam binding calls for the google.com
  prow instance to removes

While I was here I also tried to reorganize some of the service account
creation resources in k8s-infra-prow-build-trusted terraform into
a workload_identity_service_account pseudo-module

spiffxp (Member Author) commented Aug 3, 2021

Updated PTAL

ameukam (Member) commented Aug 3, 2021

/lgtm
/hold
Remove hold when ready to apply.

k8s-ci-robot added the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) Aug 3, 2021
k8s-ci-robot added the lgtm label ("Looks good to me", indicates that a PR is ready to be merged.) Aug 3, 2021

spiffxp (Member Author) commented Aug 3, 2021

/hold cancel

k8s-ci-robot removed the do-not-merge/hold label (Indicates that a PR should not merge because someone has issued a /hold command.) Aug 3, 2021
k8s-ci-robot merged commit b0271d2 into kubernetes:main Aug 3, 2021
k8s-ci-robot added this to the v1.22 milestone Aug 3, 2021
spiffxp deleted the k8s-metrics-cleanup branch August 3, 2021 19:39

spiffxp (Member Author) commented Aug 3, 2021

Ran ./infra/gcp/ensure-main-project.sh

Ensuring prow special cases for: kubernetes-public
  Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted
  Special case: ensuring gs://k8s-metrics exists
    @@ -20,5 +20,3 @@
       role: roles/storage.objectAdmin
     - member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
       role: roles/storage.legacyBucketWriter
    -- member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
    -  role: roles/storage.objectAdmin
    @@ -18,5 +18,3 @@
       role: roles/storage.legacyBucketWriter
     - member: serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
       role: roles/storage.objectAdmin
    -- member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
    -  role: roles/storage.legacyBucketWriter
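
Review bot: neither this hunk nor the one before it names the resource whose policy changed, so the removal of the triage@k8s-gubernator roles/storage.legacyBucketWriter binding cannot be tied to gs://k8s-metrics from the output alone. Having the script print the bucket name ahead of each policy diff would make this log usable as an audit record. The hunk also shows only a few lines of the policy, so a full policy listing afterwards is the way to confirm that no k8s-gubernator member remains on the bucket.
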
    Updated IAM policy for project [kubernetes-public].
    @@ -54,6 +54,8 @@
       role: roles/viewer
     - member: serviceAccount:k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com
       role: roles/monitoring.viewer
    +- member: serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
    +  role: roles/bigquery.user
     - member: serviceAccount:kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
       role: roles/secretmanager.secretAccessor
     - member: serviceAccount:kubernetes-public@appspot.gserviceaccount.com
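
Review bot: the two added lines grant roles/bigquery.user to the k8s-metrics service account at project level (the output line above the hunk names project kubernetes-public), which is broader than running queries, since the role also allows creating datasets in the project. If the metrics job only needs to submit query jobs, roles/bigquery.jobUser plus dataset-level read access would be a tighter grant. Otherwise, a comment next to the binding in the script stating why roles/bigquery.user is required would help later audits.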

spiffxp (Member Author) commented Aug 3, 2021

Ran terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_project_iam_member.k8s_metrics_sa_bigquery_user will be created
  + resource "google_project_iam_member" "k8s_metrics_sa_bigquery_user" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
      + project = "k8s-infra-prow-build-trusted"
      + role    = "roles/bigquery.user"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_project_iam_member.k8s_metrics_sa_bigquery_user: Creating...
google_project_iam_member.k8s_metrics_sa_bigquery_user: Creation complete after 7s [id=k8s-infra-prow-build-trusted/roles/bigquery.user/serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
