Merge pull request #9053 from upodroid/switch-krel-to-community-project

migrate krel to community owned gcp project

Author: k8s-ci-robot

infra/gcp/bash/ensure-release-projects.sh

@@ -135,68 +135,3 @@ for PROJECT; do
 
     color 6 "Done"
 done
-
-## Special case: setup buckets that are used by CI
-
-# Ensure the given GCS bucket exists in the given project with auto-deletion
-# enabled after a default or optionally specified number of days, and
-# appropriate permissions for prow, on-call, and release-managers
-#
-# $1: The GCP project (e.g. k8s-release)
-# $2: The GCS bucket (e.g. gs://k8s-release-dev)
-# [$3]: The number of days after which objects are auto-delete (e.g. 14, default: 90)
-function ensure_kubernetes_ci_gcs_bucket() {
-    if [ $# -lt 2 ] || [ $# -gt 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "${3:-"x"}" ]; then
-        echo "${FUNCNAME[0]}(project, gcs_bucket, [auto_deletion_days])" >&2
-        return 1
-    fi
-    local project="${1}"
-    local bucket="${2}"
-    local auto_deletion_days="${3:-"90"}"
-
-    color 6 "Ensuring ${bucket} exists and is world readable in project: ${project}"
-    ensure_public_gcs_bucket "${project}" "${bucket}"
-
-    color 6 "Ensuring ${bucket} has auto-deletion of ${auto_deletion_days} days"
-    ensure_gcs_bucket_auto_deletion "${bucket}" "${auto_deletion_days}"
-
-    color 6 "Ensuring GCS admins can admin ${bucket} in project: ${project}"
-    empower_gcs_admins "${project}" "${bucket}"
-
-    color 6 "Ensuring prow on-call can admin ${bucket} in project: ${project}"
-    empower_group_to_admin_gcs_bucket "k8s-infra-prow-oncall@kubernetes.io" "${bucket}"
-
-    color 6 "Ensuring prow service account ${PROW_BUILD_SERVICE_ACCOUNT} can write to ${bucket} in project: ${project}"
-    empower_svcacct_to_write_gcs_bucket "${PROW_BUILD_SERVICE_ACCOUNT}" "${bucket}"
-
-    # Empower prow jobs running on google.com-owned k8s-prow or k8s-prow-builds
-    # clusters to write CI artifacts to the bucket
-    # TODO(spiffxp): remove this once we've migrated the jobs that rely on this account
-    #                to community-owned build cluster(s)
-    color 6 "Ensuring prow service account ${PR_KUBEKINS_SERVICE_ACCOUNT} can write to ${bucket} in project: ${project}"
-    empower_svcacct_to_write_gcs_bucket "${PR_KUBEKINS_SERVICE_ACCOUNT}" "${bucket}"
-
-    # Enable access logs to identify what pr-kubekins writes to this bucket
-    # TODO(spiffxp): consider disabling this once migration is complete
-    color 6 "Ensuring GCS access logs enabled for ${bucket} in project: ${project}"
-    ensure_gcs_bucket_logging "${bucket}"
-
-    # TODO(spiffxp): I'm not actually sure this makes sense. These groups don't
-    #                have permissions to do this with the google.com-owned bucket
-    #                today. These buckets should be strictly-CI unless there are
-    #                very exceptional circumstances (which is when I'd suggest we
-    #                escalate to the admins above)
-    for group in ${RELEASE_ADMINS} ${RELEASE_MANAGERS}; do
-        color 6 "Ensuring group ${group} can write to ${bucket} in project: ${project}"
-        empower_group_to_write_gcs_bucket "${group}" "${bucket}"
-    done
-
-}
-
-function special_case_kubernetes_ci_buckets() {
-  # community-owned equivalent to gs://kubernetes-release-dev
-  ensure_kubernetes_ci_gcs_bucket "k8s-release" "gs://k8s-release-dev"
-}
-
-color 3 "Special case: ensuring GCS buckets for kubernetes CI artifacts exist"
-special_case_kubernetes_ci_buckets 2>&1 | indent

infra/gcp/bash/ensure-staging-storage.sh

@@ -49,7 +49,6 @@ readonly RELEASE_STAGING_PROJECTS=(
   "$(k8s_infra_project staging k8s-staging-ci-images)"
   "$(k8s_infra_project staging k8s-staging-cip-test)"
   "$(k8s_infra_project staging k8s-staging-experimental)"
-  "$(k8s_infra_project staging k8s-staging-kubernetes)"
   "$(k8s_infra_project staging k8s-staging-releng)"
   "$(k8s_infra_project staging k8s-staging-releng-test)"
   "$(k8s_infra_project staging k8s-staging-publishing-bot)"
@@ -360,24 +359,6 @@ function ensure_release_manager_special_cases() {
     color 6 "Empowering ${RELEASE_VIEWERS} as project viewers in ${project}"
     ensure_project_role_binding "${project}" "group:${RELEASE_VIEWERS}" "roles/viewer"
 
-    # For k8s-staging-kubernetes, grant the kubernetes-release-test (old
-    # staging) GCB service account admin GCR access to the new staging
-    # project for Kubernetes releases. This is required for VDF as we need
-    # to continue running stages/releases from the old project while
-    # publishing container images to new project.
-    # ref: https://github.com/kubernetes/release/pull/1230
-    if [[ "${project}" == "k8s-staging-kubernetes" ]]; then
-      color 6 "Empowering kubernetes-release-test GCB service account to admin GCR"
-      empower_svcacct_to_admin_gcr "648026197307@cloudbuild.gserviceaccount.com" "${project}"
-    fi
-
-    # Artifact Registry
-    #
-    # Enable Google Artifact Registry to allow Release Managers to prepare
-    # for GCR to Artifact Registry migration
-    # ref: https://github.com/kubernetes/k8s.io/issues/1343
-    ensure_services "${project}" artifactregistry.googleapis.com
-
     # Roles: https://cloud.google.com/artifact-registry/docs/access-control#roles
     #
     # Empower Release Manager admins to create and manage repositories and

infra/gcp/infra.yaml

@@ -283,7 +283,6 @@ infra:
   release:
     managed_by: infra/gcp/bash/ensure-release-projects.sh
     projects:
-      k8s-release:
       k8s-release-test-prod: # TODO: should this be prod or release?:
 
   releng:
@@ -356,7 +355,6 @@ infra:
       k8s-staging-kubeadm:
       k8s-staging-kubebuilder:
       k8s-staging-kueue:
-      k8s-staging-kubernetes:
       k8s-staging-kubetest2:
       k8s-staging-kustomize:
       k8s-staging-kwok:

infra/gcp/terraform/k8s-infra-releases-prod/.terraform.lock.hcl

@@ -14,43 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-data "google_iam_policy" "releng_access" {
-  binding {
-    role = "roles/storage.objectViewer"
-    members = [
-      "group:k8s-infra-release-editors@kubernetes.io",
-      "serviceAccount:${google_service_account.fastly_reader.email}"
-    ]
-  }
-
-  // TODO: remove this after https://github.com/kubernetes/release/issues/3425
-  binding {
-    role    = "roles/storage.objectAdmin"
-    members = ["serviceAccount:648026197307@cloudbuild.gserviceaccount.com"]
-  }
-
-  binding {
-    role = "roles/storage.legacyBucketOwner"
-    members = [
-      "projectOwner:${google_project.project.project_id}",
-      "projectEditor:${google_project.project.project_id}"
-    ]
-  }
-
-  binding {
-    role = "roles/storage.legacyBucketReader"
-    members = [
-      "projectViewer:${google_project.project.project_id}",
-      "group:k8s-infra-release-editors@kubernetes.io"
-    ]
-  }
-}
-
-resource "google_storage_bucket_iam_policy" "releng_access_policy" {
-  bucket      = module.k8s_releases_prod.bucket_name
-  policy_data = data.google_iam_policy.releng_access.policy_data
-}
-
 /*
 Ensure audit logging is enabled for GCS.
 See: https://cloud.google.com/storage/docs/audit-logging
@@ -59,7 +22,7 @@ module "audit_log_config" {
   source  = "terraform-google-modules/iam/google//modules/audit_config"
   version = "~> 8.1"
 
-  project = google_project.project.project_id
+  project = module.project.project_id
 
   audit_log_config = [
     {
@@ -69,3 +32,18 @@ module "audit_log_config" {
     }
   ]
 }
+
+module "iam" {
+  source  = "terraform-google-modules/iam/google//modules/projects_iam"
+  version = "~> 8"
+
+  projects = [module.project.project_id]
+
+  mode = "authoritative"
+
+  bindings = {
+    "roles/viewer" = [
+      "group:k8s-infra-release-editors@kubernetes.io",
+    ]
+  }
+}

infra/gcp/terraform/k8s-infra-releases-prod/iam.tf

@@ -14,35 +14,54 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-locals {
-  billing_account = "018801-93540E-22A20E"
-  org_id          = "758905017065"
+module "project" {
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 18.2"
+
+  name            = "k8s-infra-releases-prod"
   project_id      = "k8s-infra-releases-prod"
-}
+  folder_id       = "455406320404" # Release Engineering
+  billing_account = "018801-93540E-22A20E"
 
+  # Sane project defaults
+  default_service_account     = "keep"
+  disable_services_on_destroy = false
+  create_project_sa           = false
+  random_project_id           = false
+  auto_create_network         = true
 
-resource "google_project" "project" {
-  name                = local.project_id
-  project_id          = local.project_id
-  org_id              = local.org_id
-  billing_account     = local.billing_account
-  auto_create_network = false
-}
 
-module "k8s_releases_prod" {
-  source      = "../modules/k8s-releases"
-  project_id  = google_project.project.project_id
-  bucket_name = "767373bbdcb8270361b96548387bf2a9ad0d48758c35"
+  activate_apis = [
+    "secretmanager.googleapis.com",
+    "storage.googleapis.com",
+    "storagetransfer.googleapis.com",
+  ]
 }
 
 resource "google_service_account" "fastly_reader" {
-  project     = google_project.project.project_id
+  project     = module.project.project_id
   account_id  = "fastly-reader"
   description = "Used by Fastly for read-only actions against the bucket"
 }
 
 resource "google_storage_hmac_key" "fastly_reader_key" {
-  project               = google_project.project.project_id
+  project               = module.project.project_id
   service_account_email = google_service_account.fastly_reader.email
 }
 
+
+module "release_bucket" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 12.3"
+
+  name       = "767373bbdcb8270361b96548387bf2a9ad0d48758c35"
+  project_id = module.project.project_id
+  location   = "us-central1"
+
+  iam_members = [
+    {
+      role   = "roles/storage.objectAdmin"
+      member = "serviceAccount:648026197307@cloudbuild.gserviceaccount.com"
+    }
+  ]
+}

infra/gcp/terraform/k8s-infra-releases-prod/main.tf

@@ -21,7 +21,7 @@ This file defines:
 */
 
 terraform {
-  required_version = "1.12"
+  required_version = "1.12.2"
   backend "gcs" {
     bucket = "k8s-infra-tf-k8s-releases"
     prefix = "prod/terraform.tfstate"

infra/gcp/terraform/k8s-infra-releases-prod/providers.tf

@@ -18,13 +18,9 @@ module "secrets" {
   source  = "GoogleCloudPlatform/secret-manager/google"
   version = "~> 0.9"
 
-  project_id = google_project.project.project_id
+  project_id = module.project.project_id
 
   secrets = [
-    {
-      name        = "datadog_fastly_logs_streaming"
-      secret_data = "REDACT-ME"
-    },
     {
       name        = "fastly_reader_sa_access_key"
       secret_data = google_storage_hmac_key.fastly_reader_key.access_id