From ba72c649b3fe85f6b3595e7a25a1fea266f062b0 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Tue, 18 Jun 2024 18:20:50 +0100
Subject: [PATCH] deploy new k8s-staging-images project
---
 .../terraform/k8s-staging-images/buckets.tf | 41 ++++++++++++++++
 infra/gcp/terraform/k8s-staging-images/iam.tf | 36 ++++++++++++++
 .../gcp/terraform/k8s-staging-images/main.tf | 38 +++++++++++++++
 .../terraform/k8s-staging-images/provider.tf | 35 ++++++++++++++
 .../k8s-staging-images/registries.tf | 47 +++++++++++++++++++
 5 files changed, 197 insertions(+)
 create mode 100644 infra/gcp/terraform/k8s-staging-images/buckets.tf
 create mode 100644 infra/gcp/terraform/k8s-staging-images/iam.tf
 create mode 100644 infra/gcp/terraform/k8s-staging-images/main.tf
 create mode 100644 infra/gcp/terraform/k8s-staging-images/provider.tf
 create mode 100644 infra/gcp/terraform/k8s-staging-images/registries.tf
diff --git a/infra/gcp/terraform/k8s-staging-images/buckets.tf b/infra/gcp/terraform/k8s-staging-images/buckets.tf
new file mode 100644
index 00000000000..b4a933c34ef
--- /dev/null
+++ b/infra/gcp/terraform/k8s-staging-images/buckets.tf
@@ -0,0 +1,41 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "gcb_bucket" {
+ source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+ version = "~> 5"
+
+ name = "k8s-staging-images-gcb"
+ project_id = module.project.project_id
+ location = "us"
+
+ lifecycle_rules = [{
+ action = {
+ type = "Delete"
+ }
+ condition = {
+ age = 90 # 90d
+ with_state = "ANY"
+ }
+ }]
+
+ iam_members = [
+ {
+ role = "roles/storage.admin"
+ member = "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ }
+ ]
+}
diff --git a/infra/gcp/terraform/k8s-staging-images/iam.tf b/infra/gcp/terraform/k8s-staging-images/iam.tf
new file mode 100644
index 00000000000..5d0768d4aae
--- /dev/null
+++ b/infra/gcp/terraform/k8s-staging-images/iam.tf
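Review bot: `role = "roles/storage.admin"` in `iam_members` gives the cross-project gcb-builder service account bucket-level administration (setIamPolicy, bucket update), not merely object access, so a compromised builder could make the bucket public or widen its policy. Uploading build sources and logs should only need object permissions; `role = "roles/storage.objectAdmin"` is the least-privilege choice unless a documented need for bucket-level changes exists. The module call also does not visibly enforce public-access prevention or uniform bucket-level access — confirm what simple_bucket v5 defaults to, and if it is not enforced set `public_access_prevention = "enforced"` explicitly. A one-line comment on the `member` line explaining why an identity from k8s-infra-prow-build-trusted needs this bucket would help future reviewers.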
@@ -0,0 +1,36 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "iam" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7"
+
+ projects = [module.project.project_id]
+
+ mode = "authoritative"
+
+ bindings = {
+ "roles/cloudbuild.builds.editor" = [
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com",
+ ]
+ "roles/owner" = [
+ "group:k8s-infra-release-admins@kubernetes.io",
+ ]
+ "roles/viewer" = [
+ for _, group in local.registries : group
+ ]
+ }
+}
diff --git a/infra/gcp/terraform/k8s-staging-images/main.tf b/infra/gcp/terraform/k8s-staging-images/main.tf
new file mode 100644
index 00000000000..8e9e58636b8
--- /dev/null
+++ b/infra/gcp/terraform/k8s-staging-images/main.tf
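Review bot: `mode = "authoritative"` reconciles only the three roles listed in `bindings`; as far as the projects_iam module's per-role binding resources go, any role not listed (service-agent roles added by API enablement, or a role granted by hand) is left untouched, so a reader should not assume the whole project policy is pinned here. A comment above `mode` such as `# authoritative per listed role only; roles not listed below are not reconciled` would make that scope explicit. Separately, project-wide `roles/viewer` for every staging group is broader than the per-repository reader/writer grants in registries.tf suggest; if the groups only need to inspect their own repository and its builds, `roles/artifactregistry.reader` on that repository plus `roles/cloudbuild.builds.viewer` would be narrower — hedged, since the groups' actual needs are not visible in this hunk. The `for _, group in local.registries : group` expression also depends on those Google groups existing before apply, which only registries.tf documents.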
@@ -0,0 +1,38 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "project" {
+ source = "terraform-google-modules/project-factory/google"
+ version = "~> 14.5"
+
+ name = "k8s-staging-images"
+ project_id = "k8s-staging-images"
+ org_id = "758905017065"
+ billing_account = "018801-93540E-22A20E"
+
+ # Sane project defaults
+ default_service_account = "keep"
+ disable_services_on_destroy = false
+ create_project_sa = false
+ random_project_id = false
+ auto_create_network = true
+
+
+ activate_apis = [
+ "artifactregistry.googleapis.com",
+ "cloudbuild.googleapis.com"
+ ]
+}
diff --git a/infra/gcp/terraform/k8s-staging-images/provider.tf b/infra/gcp/terraform/k8s-staging-images/provider.tf
new file mode 100644
index 00000000000..d3c2f6495f3
--- /dev/null
+++ b/infra/gcp/terraform/k8s-staging-images/provider.tf
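Review bot: `auto_create_network = true` creates the default VPC with its default firewall rules (including the allow-ssh/rdp/icmp rules open to 0.0.0.0/0) in a project that activates only Artifact Registry and Cloud Build and declares no compute resources; `auto_create_network = false` removes that unneeded attack surface, and the `# Sane project defaults` comment should say why each default is chosen rather than just labelling them sane. `default_service_account = "keep"` retains the Compute Engine default service account, which receives project Editor automatically unless the org disables that grant; since builds submitted through Cloud Build may run as that identity, confirm which service account the builds use and prefer `"deprivilege"` or a dedicated least-privilege build service account. If the org id and billing account literals are shared with sibling project configs in this repo, a shared locals/variables file would avoid drift — inferred, the sibling configs are not visible here.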
@@ -0,0 +1,35 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_version = "1.6.5"
+
+ backend "gcs" {
+ bucket = "k8s-infra-tf-prow-clusters"
+ prefix = "k8s-infra-staging"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.34.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "~> 5.34.0"
+ }
+ }
+}
diff --git a/infra/gcp/terraform/k8s-staging-images/registries.tf b/infra/gcp/terraform/k8s-staging-images/registries.tf
new file mode 100644
index 00000000000..2606abcf968
--- /dev/null
+++ b/infra/gcp/terraform/k8s-staging-images/registries.tf
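Review bot: The backend `prefix = "k8s-infra-staging"` is generic and sits in the `k8s-infra-tf-prow-clusters` bucket, and neither names this project; if any other configuration ever uses the same bucket and prefix, both will read and write the same `default.tfstate` and each apply will plan the destruction of the other's resources. A project-specific prefix such as `prefix = "k8s-staging-images"` (and ideally a state bucket dedicated to staging projects rather than the prow-clusters one) avoids that collision. `required_version = "1.6.5"` pins an exact Terraform release while the provider constraints float within `~> 5.34.0`; a short comment on why the CLI is pinned exactly would help whoever bumps it next. Nothing here configures `impersonate_service_account`, so applies run with whatever credentials the operator holds — confirm that matches how the other k8s-infra projects are applied.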
@@ -0,0 +1,47 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+locals {
+ // The groups have to be created before applying this terraform code
+ registries = {
+ etcd-manager = "group:k8s-infra-staging-etcd-manager@kubernetes.io",
+ kubernetes = "group:k8s-infra-staging-kubernetes@kubernetes.io",
+ test-infra = "group:k8s-infra-staging-test-infra@kubernetes.io"
+ }
+}
+
+module "artifact_registry" {
+ for_each = local.registries
+ source = "GoogleCloudPlatform/artifact-registry/google"
+ version = "~> 0.2"
+
+ project_id = module.project.project_id
+ location = "us-central1"
+ format = "DOCKER"
+ repository_id = each.key
+ members = {
+ readers = ["allUsers"],
+ writers = [each.value],
+ }
+ cleanup_policies = {
+ "delete-images-older-than-90-days" = {
+ action = "DELETE"
+ condition = {
+ older_than = "7776000s" # 90d
+ }
+ }
+ }
+}
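Review bot: `readers = ["allUsers"]` makes every image in these repositories world-readable, and the `cleanup_policies` condition carries only `older_than`, so tagged and untagged images alike are deleted at 90 days; both are plausibly intended for staging, but neither is documented, and the public-read consequence is the one a contributor pushing to a staging repo most needs to know. Add `# Staging images are intentionally public: nothing pushed here may contain secrets or non-public material` above `members`, and `# Deletes tagged images too; add tag_state/keep rules if some staging tags must outlive 90 days` above the policy. Scoping `writers = [each.value]` to one group per repository is good least-privilege, but `roles/artifactregistry.writer` still lets a group member retag an existing tag, so consumers should pin by digest; if this module version exposes the Docker `immutable_tags` setting, enabling it would enforce that — unverified here. The `//` comment style in `locals` also differs from the `#` used in main.tf and buckets.tf; pick one for the directory.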