Ensure gcs bucket for k8s-infra prow instance

[ameukam]

Following prow documentation guidance :
Create a GCS bucket for tide history and build logs.
Create a service account and grant admin access to the bucket.
Create a service account key and add the generated key to Secret
Manager.

Signed-off-by: Arnaud Meukam ameukam@gmail.com

[ameukam]

/retitle Ensure gcs bucket for k8s-infra prow instance

[ameukam]

/hold

[rikatz]

/lgtm

[cpanato]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam, cpanato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ameukam]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

Assuming this is supposed to be the community equivalent of kubernetes-jenkins?

Suggested change

	k8s-prow-infra-logs
	k8s-infra-prow-results

Naming is hard when I overthink things.

• First thought: k8s-infra-prow-logs to get the consistent k8s-infra prefix
• But...
  • "prow logs" sounds like logs of the prow components (plank, sinker, crier, etc)
  • there are more than "logs" that end up kubernetes-jenkins, there are also "artifacts" like junit.xml files, coverage files, metadata, etc.
• OK, so k8s-infra-prow-artifacts for "artifacts" produced by prow, including job results
• But...
  • "artifacts" clashes with the sig-release meaning of "binaries and container images that represent a given release of a given subproject"
  • makes me thing it's going to be the binaries/images for prow itself, a.k.a. the equivalent to gcr.io/k8s-prow
• OK, so how about just k8s-infra-prow and be done with it
• But...
  • If we're doing things over, one of the problems with kubernetes-jenkins is that it allows per-object ACLs. They allowed that single bucket to be used for multiple purposes, including occasionally storing secrets or credentials.
  • We don't want per-object ACLs in kubernetes.io, as they are painful and laborious to maintain, audit and enforce. We are planning on setting an org policy to explicitly require per-bucket IAM only (aka uniform bucket level access).
  • Thus we should name this bucket for the main purpose everyone expects of kubernetes-jenkins, public read access to things about and created by prow jobs for the kubernetes project. If other purposes arise, they should result in other buckets named/IAM'ed as such.
• OK, so how about k8s-infra-prow-results, as in the "results" of prow job runs
  • I looked around in prow's codebase and docs and couldn't find a consistent term for "things that are uploaded to GCS or S3 by the pod-utilities sidecar component and crier". Results isn't just "test results" but from the concept of running a prow job and then looking at the "resulting" files in GCS/S3.
  • I considered "data" but that sounds like "training data" or other metadata that is loaded in to help run a job, where I believe this bucket's intended purpose is storage of things about and created by prow jobs

WDYT about k8s-infra-prow-results?

[ameukam]

"artifacts" clashes with the sig-release meaning of "binaries and container images that represent a given release of a given subproject"

The buckets are prefixed (k8s-infra-prow) with a reference. I don't think we should have confusion with other projects.

Let's go with k8s-infra-prow-results, it's more aligned with the needs of this instance.

[spiffxp]

/hold
The rest of this I would like to wait to merge until I land a refactor of this file (#1974)

I am happy to take up redoing this part to fit in with the refactor as followup, or leaving it to you to ensure someone other than me understands the structure I tried to put in place

[ameukam]

@spiffxp made a refactor now #1974 is merged.

[k8s-ci-robot]

@ameukam: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-k8sio-terraform-prow-build-trusted	8723612	link	/test pull-k8sio-terraform-prow-build-trusted
pull-k8sio-terraform-prow-build	8723612	link	/test pull-k8sio-terraform-prow-build
pull-k8sio-terraform-aaa	8723612	link	/test pull-k8sio-terraform-aaa

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ameukam]

/skip

[spiffxp]

I'm not sure provisioning new service accounts is required here. For the existing prow build clusters their service accounts are setup via terraform

[spiffxp]

I think you are going to want to reuse the existing service account(s) that prow jobs run as instead of creating a new service account

[spiffxp]

Ideally this would be happening via workload identity but I think we're still living in a world where pod-utils are ultimately what write to GCS, and they still get their credentials from a kubernetes secret named "service-account", according prow's config.yaml: https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/config.yaml#L23

The way I did this for k8s-infra-prow-build-trusted/prow-build-trusted was to setup a service account named k8s-infra-prow-build-trusted bindable via workload identity using terraform. Then manually create a key and store in a kubernetes secret named service-account in the test-pods namespace, to match the name in prow's config.yaml.

Looking at it now, I think I should have set it up so the WI binding was [test-pods/default] instead of [test-pods/k8s-infra-prow-build-trusted], because I doubt anything is actually using it. And we can also use external secrets instead of manually creating the secret

So that's build clusters.

Then there's the prow control plane. For example, I know that at least crier will write to the same GCS bucket.

Currently, prow.k8s.io uses a control-plane GCP service account, and then kubernetes service accounts that can bind to it for each component, e.g. https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/cluster/crier_rbac.yaml#L16-L22

[spiffxp]

So tl;dr I would create a k8s-infra-prow@kubernetes-public service account for the prow control plane, since it may require more than just write access to this one bucket.

Since you're doing this for the cluster in kubernetes-public, you could do all this in https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/clusters/projects/kubernetes-public/aaa

But no objections to iterating in bash if you need to.

[ameukam]

@spiffxp I'll add a second commit with a HCL version.

[ameukam]

@spiffxp The Terraform version is done in 03d55ef.

[spiffxp]

Ideally this would be happening via workload identity but I think we're still living in a world where pod-utils are ultimately what write to GCS, and they still get their credentials from a kubernetes secret named "service-account", according prow's config.yaml: https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/config.yaml#L23

The way I did this for k8s-infra-prow-build-trusted/prow-build-trusted was to setup a service account named k8s-infra-prow-build-trusted bindable via workload identity using terraform. Then manually create a key and store in a kubernetes secret named service-account in the test-pods namespace, to match the name in prow's config.yaml.

Looking at it now, I think I should have set it up so the WI binding was [test-pods/default] instead of [test-pods/k8s-infra-prow-build-trusted], because I doubt anything is actually using it. And we can also use external secrets instead of manually creating the secret

So that's build clusters.

Then there's the prow control plane. For example, I know that at least crier will write to the same GCS bucket.

Currently, prow.k8s.io uses a control-plane GCP service account, and then kubernetes service accounts that can bind to it for each component, e.g. https://github.com/kubernetes/test-infra/blob/c1d43437727eab8c84c5ac989b278feefd556a7d/config/prow/cluster/crier_rbac.yaml#L16-L22

[spiffxp]

So tl;dr I would create a k8s-infra-prow@kubernetes-public service account for the prow control plane, since it may require more than just write access to this one bucket.

Since you're doing this for the cluster in kubernetes-public, you could do all this in https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/clusters/projects/kubernetes-public/aaa

But no objections to iterating in bash if you need to.

[spiffxp]

This is basically

k8s.io/infra/gcp/ensure-conformance-storage.sh

Lines 104 to 131 in 4d98e1c

	# ensure_conformance_serviceaccount ensures that:
	# - a serviceaccount of the given name exists in PROJECT
	# - it can write to the given bucket
	# - it has a private key stored in a secret in PROJECT accessible to the given group
	function ensure_conformance_serviceaccount() {
	local name="${1}"
	local bucket="${2}"
	local secret_accessors="${3}"
	local email="$(svc_acct_email "${PROJECT}" "${name}")"
	local secret="${name}-key"
	local private_key_file="${TMPDIR}/key.json"
	color 6 "Ensuring service account exists: ${email}"
	ensure_service_account "${PROJECT}" "${name}" "Grants write access to ${bucket}"
	color 6 "Ensuring ${PROJECT} contains secret ${secret} with private key for ${email}"
	ensure_serviceaccount_key_secret "${PROJECT}" "${secret}" "${email}"
	color 6 "Empowering ${secret_accessors} to access secret: ${secret}"
	ensure_secret_role_binding \
	"projects/${PROJECT}/secrets/${secret}" \
	"group:${secret_accessors}" \
	"roles/secretmanager.secretAccessor"
	color 6 "Empowering ${email} to write to ${bucket}"
	empower_svcacct_to_write_gcs_bucket "${email}" "${bucket}"
	}

You could parameterize it on project and pull into lib_iam.sh for re-use. Can be done as followup though

[spiffxp]

merge conflict, you want to keep HEAD

[spiffxp]

/close
closing this in favor of #2181

[k8s-ci-robot]

@spiffxp: Closed this PR.

In response to this:

/close
closing this in favor of #2181

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.