

Merge pull request #5067 from BenTheElder/module
move oci-proxy configuration to common module
k8s-ci-robot authored Apr 3, 2023
2 parents db5d2da + 0e7ab55 commit 150cff0
Showing 13 changed files with 1,052 additions and 532 deletions.
482 changes: 482 additions & 0 deletions infra/gcp/terraform/k8s-infra-oci-proxy-prod/moved.tf

Large diffs are not rendered by default.

146 changes: 26 additions & 120 deletions infra/gcp/terraform/k8s-infra-oci-proxy-prod/oci-proxy.tf
Expand Up @@ -14,132 +14,38 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

data "google_organization" "org" {
domain = "kubernetes.io"
locals {
project_id = "k8s-infra-oci-proxy-prod"
}

resource "google_project" "project" {
name = var.project_id
project_id = var.project_id
org_id = data.google_organization.org.org_id
billing_account = "018801-93540E-22A20E"
module "oci-proxy" {
source = "../modules/oci-proxy"
// ***** production vs staging variables inputs *****
//
// gcr.io/k8s-staging-infra-tools/archeio:v20230310-v0.2.0@sha256:bc742c5f47a69e21e828768991853faddbe13a7f69a9da4d7d2ad16e0e55892c
// If you're interested in running this image yourself releases are available at registry.k8s.io/infra-tools/archeio
digest = "sha256:bc742c5f47a69e21e828768991853faddbe13a7f69a9da4d7d2ad16e0e55892c"
domain = "registry.k8s.io"
project_id = local.project_id
// we increase this in staging, but not in production
// we already get a lot of info from build-in cloud run logs
verbosity = "0"
// Manually created. Monitoring channels can't be created with Terraform.
// See: https://github.com/hashicorp/terraform-provider-google/issues/1134
notification_channel_id = "15334306215710275143"
}

// we only sink logs to bigquery in production
resource "google_logging_project_sink" "bigquery_sink" {
project = local.project_id
name = "registry-k8s-io-logs-sink"
destination = "bigquery.googleapis.com/projects/k8s-infra-public-pii/datasets/registry_k8s_io_logs"

// Enable services needed for the project
resource "google_project_service" "project" {
project = google_project.project.id

for_each = toset([
"compute.googleapis.com",
"containerregistry.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"oslogin.googleapis.com",
"pubsub.googleapis.com",
"run.googleapis.com",
"storage-api.googleapis.com",
"storage-component.googleapis.com"
])

service = each.key
}

// Ensure [email protected] has admin access to this project
resource "google_project_iam_member" "k8s_infra_oci_proxy_admins" {
project = google_project.project.id
role = "roles/owner"
member = "group:[email protected]"
}


resource "google_service_account" "oci-proxy" {
project = google_project.project.project_id
account_id = "oci-proxy-prod"
display_name = "Minimal Service Account for OCI Proxy"
}

// Make each service invokable by all users.
resource "google_cloud_run_service_iam_member" "allUsers" {
project = google_project.project.project_id
for_each = google_cloud_run_service.oci-proxy

service = google_cloud_run_service.oci-proxy[each.key].name
location = google_cloud_run_service.oci-proxy[each.key].location
role = "roles/run.invoker"
member = "allUsers"
}

resource "google_cloud_run_service" "oci-proxy" {
project = google_project.project.project_id
for_each = var.cloud_run_config
name = "${var.project_id}-${each.key}"
location = each.key

template {
metadata {
annotations = {
"autoscaling.knative.dev/maxScale" = "10" // TODO: adjust to control costs
"run.googleapis.com/launch-stage" = "BETA"
}
}
spec {
service_account_name = google_service_account.oci-proxy.email
containers {
// NOTE: We deploy from staging because:
// - We pin by digest anyhow (so it's comparably secure)
// - We need to be able to deploy registry fixes ASAP
// - We will eventually auto-deploy staging by overriding the project and digest on the production config to avoid skew
// If you're interested in running this image yourself releases are available at registry.k8s.io/infra-tools/archeio
image = "gcr.io/k8s-staging-infra-tools/archeio@${var.digest}"

dynamic "env" {
for_each = each.value.environment_variables
content {
name = env.value["name"]
value = env.value["value"]
}
}

// ensure this match the value for template.spec.containers.resources.limits
env {
name = "GOMAXPROCS"
value = "1"
}

resources {
limits = {
"cpu" = "1000m"
}
}
}

# we can probably hit 1k QPS/core (cloud run's maximum configurable)
# but we are leaving in a little overhead, if we actually hit 1k qps in
# a region we can scale to another 1 core instance
container_concurrency = 800

// we only serve cheap redirects, 60s is a rather long request
timeout_seconds = 60
}
bigquery_options {
use_partitioned_tables = false
}

traffic {
percent = 100
latest_revision = true
}
unique_writer_identity = true

depends_on = [
google_project_service.project["run.googleapis.com"]
]

lifecycle {
ignore_changes = [
// This gets added by the Cloud Run API post deploy and causes diffs, can be ignored...
template[0].metadata[0].annotations["client.knative.dev/sandbox"],
template[0].metadata[0].annotations["run.googleapis.com/user-image"],
template[0].metadata[0].annotations["run.googleapis.com/client-name"],
template[0].metadata[0].annotations["run.googleapis.com/client-version"],
]
}
filter = "resource.type = \"cloud_run_revision\" AND log_name= \"projects/${local.project_id}/logs/run.googleapis.com%2Frequests\""
}
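Review bot: The `google_logging_project_sink.bigquery_sink` resource at the end of the hunk routes Cloud Run request logs — which normally include the client IP and user agent — into the `k8s-infra-public-pii` dataset with `use_partitioned_tables = false`, so BigQuery's partition-expiration mechanism cannot be used to bound how long that data is kept; unless retention is enforced on the dataset elsewhere, prefer `use_partitioned_tables = true` with a comment such as `// partitioned so the dataset's partition expiration can bound retention of client IPs`. With `unique_writer_identity = true` the sink is given its own service account that must hold `roles/bigquery.dataEditor` on the destination dataset, and that binding is not in this hunk — if it is managed in the k8s-infra-public-pii project's config, a pointer comment next to `destination` would save the next reader the search. Separately, the comment above `digest` still names `gcr.io/k8s-staging-infra-tools/archeio` as the deployed image, but the repository the digest is applied to now lives inside `../modules/oci-proxy`, so that comment should be kept in step with the module's image reference or replaced with a pointer to it.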

