terraform/kubernetes-public: add k8s-keps #2570

Merged
merged 1 commit into from
Nov 2, 2021


spiffxp
Member

@spiffxp spiffxp commented Aug 18, 2021

Related:

Add a world-readable bucket gs://k8s-keps along with a service account
and dedicated k8s-infra-keps@kubernetes.io group with privileged access
to the bucket and its contents.

/hold
I would like eyes on this before attempting to deploy anything to make
sure we're agreed this is the right pattern / set of infrastructure for
this use case

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. labels Aug 18, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/groups Google Groups management, code in groups/ area/infra Infrastructure management, infrastructure design, code in infra/ approved Indicates a PR has been approved by an approver from all required OWNERS files. area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ sig/testing Categorizes an issue or PR as relevant to SIG Testing. wg/k8s-infra labels Aug 18, 2021
@spiffxp
Member Author

spiffxp commented Aug 18, 2021

/cc @sftim @shekhar-rajak
Does this satisfy your request?
/cc @ameukam
For the terraform changes

@spiffxp spiffxp force-pushed the k8s-keps branch 2 times, most recently from a57dce0 to ab175a2, August 18, 2021 00:48
Member

@justaugustus justaugustus left a comment


Quick suggestions

ACL for access to KEP related infrastructure
settings:
ReconcileMembers: "true"
members:
Member


SIG leads + KEP tool reviewers/approvers?

Member Author


I want to know who specifically is signing up to own and maintain this tooling and infrastructure. Not just a blanket list of people

Member Author


@sftim @shekhar-rajak
Do you have suggestions for this list as originators of the request?

@justaugustus
Are you suggesting https://github.com/kubernetes/enhancements/blob/561c1d969a7dc02d1f17b352d0e2b31953a31c53/OWNERS_ALIASES#L164-L170 ? Not sure if I've got e-mails for everyone there

Member


I am guessing Stephen meant https://github.com/kubernetes/enhancements/blob/561c1d969a7dc02d1f17b352d0e2b31953a31c53/OWNERS_ALIASES#L180-L190.

Since I was involved in the initial discussions around KEP Website, I am volunteering to own and maintain this tooling and infrastructure. @shekhar-rajak -- would you have time to sign up for this as well? Asking since you have been working on kubernetes/contributor-site#222.

Member


As discussed in the meeting, I will be on point to maintain this along with the other subproject owners.

PS: I am a kep-tool-reviewer as well.

groups/sig-architecture/groups.yaml (outdated, resolved)
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 8, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 13, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justaugustus, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kikisdeliveryservice
Member

Rebased to avoid merge conflict again

/cc @jeremyrickard @johnbelamaric @justaugustus @kikisdeliveryservice @LappleApple @mrbobbytables
I have arbitrarily chosen the members of enhancements-approvers in kubernetes/enhancements/OWNERS_ALIASES as the owners of this infrastructure

Added this to meeting agenda to see who should own this infra. Will update.

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. and removed wg/k8s-infra labels Sep 29, 2021
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 19, 2021
@spiffxp
Member Author

spiffxp commented Oct 19, 2021

Rebased to avoid merge conflicts. AFAIK still waiting to hear from enhancements subproject if they actually want / plan on using this.

@palnabarun
Member

@spiffxp -- thank you so much for keeping this PR updated! ❤️

This topic is on the agenda for the next subproject meeting.

@palnabarun
Member

We discussed the KEP Website in yesterday's Enhancements subproject meeting.

We would really love to have the GCS bucket setup and necessary permissions around it so that we can make progress on having some mechanism to get data to the KEP Website page.

@spiffxp -- Do you need anything else from us? I have commented on your questions in the review comments above.

Add a world-readable bucket gs://k8s-keps along with a service account
and dedicated k8s-infra-keps@kubernetes.io group with privileged access
to the bucket and its contents.

After hearing back from the enhancements subproject on who should be
included in k8s-infra-keps membership, I used folks listed in
kubernetes/enhancements/OWNERS_ALIASES under the kep-tool-reviewers alias.

For the emails themselves I took educated guesses based on other group
memberships in this repo
@spiffxp
Member Author

spiffxp commented Nov 1, 2021

@palnabarun updated group memberships to match kep-tool-reviewers alias so you're included, thanks for pushing this forward

Looking for LGTM and then I'll remove hold / deploy when I'm next around to do so

@bartsmykla
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 2, 2021
@spiffxp
Member Author

spiffxp commented Nov 2, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 2, 2021
@k8s-ci-robot k8s-ci-robot merged commit 2bf2f9c into kubernetes:main Nov 2, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Nov 2, 2021
@spiffxp spiffxp deleted the k8s-keps branch November 2, 2021 19:25
@ameukam
Member

ameukam commented Nov 2, 2021

Ran terraform apply :

Plan: 2 to add, 0 to change, 0 to destroy.
module.workload_identity_service_accounts["k8s-keps"].google_service_account.serviceaccount: Creating...
module.workload_identity_service_accounts["k8s-keps"].google_service_account.serviceaccount: Creation complete after 2s [id=projects/k8s-infra-prow-build-trusted/serviceAccounts/k8s-keps@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]
module.workload_identity_service_accounts["k8s-keps"].google_service_account_iam_policy.serviceaccount_iam: Creating...
module.workload_identity_service_accounts["k8s-keps"].google_service_account_iam_policy.serviceaccount_iam: Creation complete after 1s [id=projects/k8s-infra-prow-build-trusted/serviceAccounts/k8s-keps@k8s-infra-prow-build-trusted.iam.gserviceaccount.com]
╷
│ Warning: Deprecated Attribute
│ 
│   with module.prow_build_cluster.google_container_cluster.prod_cluster,
│   on ../modules/gke-cluster/main.tf line 95, in resource "google_container_cluster" "prod_cluster":
│   95: resource "google_container_cluster" "prod_cluster" {
│ 
│ Basic authentication was removed for GKE cluster versions >= 1.19.
│ 
│ (and 3 more similar warnings elsewhere)
╵
Releasing state lock. This may take a few moments...

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

@palnabarun
Member

Thanks @spiffxp @bartsmykla @ameukam for working on this one! We appreciate the help! ❤️

@shekhar-rajak

Can anyone please let me know how to use this GCP bucket to upload and fetch the uploaded file?

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/groups Google Groups management, code in groups/ area/infra Infrastructure management, infrastructure design, code in infra/ area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.