From bc480c8694ad3a8110cefd411ea3a942c9a1b996 Mon Sep 17 00:00:00 2001 From: upodroid Date: Wed, 13 Jul 2022 14:01:00 +0300 Subject: [PATCH 1/8] deploy ar in staging and production --- infra/gcp/bash/ensure-prod-storage.sh | 48 +++++++++++-- infra/gcp/bash/ensure-staging-storage.sh | 32 +++++++-- infra/gcp/bash/lib_ar.sh | 85 ++++++++++++++++++++++++ infra/gcp/bash/lib_iam.sh | 29 +++++++- 4 files changed, 179 insertions(+), 15 deletions(-) create mode 100644 infra/gcp/bash/lib_ar.sh diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh index 5496c7944b1..54512dceb00 100755 --- a/infra/gcp/bash/ensure-prod-storage.sh +++ b/infra/gcp/bash/ensure-prod-storage.sh @@ -79,6 +79,8 @@ readonly PROD_PROJECT_SERVICES=( containerregistry.googleapis.com # prod projects host binaries in GCS storage-component.googleapis.com + # prod projects host containers in AR + artifactregistry.googleapis.com ) readonly PROD_PROJECT_DISABLED_SERVICES=( @@ -87,7 +89,9 @@ readonly PROD_PROJECT_DISABLED_SERVICES=( ) # Regions for prod GCR. -PROD_REGIONS=(us eu asia) +GCR_PROD_REGIONS=(us eu asia) +# Regions for prod AR. +AR_PROD_REGIONS=(us europe asia) # Minimum time we expect to keep prod GCS artifacts. PROD_RETENTION="10y" @@ -102,8 +106,8 @@ function ensure_prod_gcr() { fi local project="${1}" - color 6 "Ensuring prod GCR for regions: ${PROD_REGIONS[*]}" - for region in "${PROD_REGIONS[@]}"; do + color 6 "Ensuring prod GCR for regions: ${GCR_PROD_REGIONS[*]}" + for region in "${GCR_PROD_REGIONS[@]}"; do local gcr_bucket="gs://${region}.artifacts.${project}.appspot.com" color 3 "region: ${region}" 
@@ -121,6 +125,33 @@ function ensure_prod_gcr() { done 2>&1 | indent } +# Make a prod AR repository and grant access to it. +# +# $1: The GCP project name (GCR names == project names) +function ensure_prod_ar() { + if [ $# != 1 ] || [ -z "$1" ]; then + echo "ensure_prod_ar(project) requires 1 argument" >&2 + return 1 + fi + local project="${1}" + local serviceaccount + + color 6 "Ensuring prod AR registry for locations: ${AR_PROD_REGIONS[*]}" + for region in "${AR_PROD_REGIONS[@]}"; do + + color 3 "region: ${region}" + color 6 "Ensuring an AR repo exists in location: ${region} for project: ${project}" + ensure_ar_repo "${project}" "${region}" + + color 6 "Ensuring GCR admins can admin AR in location: ${region} for project: ${project}" + empower_ar_admins "${project}" "${region}" + + color 6 "Empowering image promoter with roles/artifactregistry.repoAdmin in project: ${project}" + serviceaccount=$(svc_acct_email "${project}" "${IMAGE_PROMOTER_SVCACCT}") + ensure_project_role_binding "${project}" "serviceAccount:$serviceaccount" "artifactregistry.repoAdmin" + done 2>&1 | indent +} + # Make a prod GCS bucket and grant access to it. We need whole buckets for # this because we want to grant minimal permissions, but there's no concept of # permissions on a "subdirectory" of a bucket. If we had a GCS promoter akin @@ -175,7 +206,7 @@ function empower_group_to_fake_prod() { empower_group_as_viewer "${project}" "${group}" color 6 "Empowering $group for GCR in $project" - for r in "${PROD_REGIONS[@]}"; do + for r in "${GCR_PROD_REGIONS[@]}"; do color 3 "region $r" empower_group_to_write_gcr "${group}" "${project}" "${r}" done 
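Review bot: The `ensure_project_role_binding "${project}" "serviceAccount:$serviceaccount" "artifactregistry.repoAdmin"` call sits inside the `for region in "${AR_PROD_REGIONS[@]}"` loop although it takes no region, so the same project-wide grant is re-applied on every iteration. A project-level repoAdmin binding lets the image promoter delete artifacts in every repository of the project, not only `images`. If only the `images` repositories are meant, a repository-scoped binding is tighter: `ensure_repository_role_binding "images" "serviceAccount:${serviceaccount}" "artifactregistry.repoAdmin" "${project}" "${region}"`. If the project-wide grant is intended, move the `svc_acct_email` and binding lines above the loop. `region` is also not declared `local`, so it leaks into the caller's scope.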
@@ -198,15 +229,18 @@ function ensure_all_prod_projects() { color 6 "Ensuring project exists: ${prj}" ensure_project "${prj}" - color 6 "Ensuring Services to host and analyze aritfacts: ${prj}" + color 6 "Ensuring Services to host and analyze artifacts: ${prj}" ensure_services "${prj}" "${PROD_PROJECT_SERVICES[@]}" 2>&1 | indent color 6 "Ensuring disabled services for prod project: ${prj}" ensure_disabled_services "${prj}" "${PROD_PROJECT_DISABLED_SERVICES[@]}" 2>&1 | indent - color 6 "Ensuring the GCR repository: ${prj}" + color 6 "Ensuring the GCR repositories: ${prj}" ensure_prod_gcr "${prj}" 2>&1 | indent + color 6 "Ensuring the AR repositories: ${prj}" + ensure_prod_ar "${prj}" 2>&1 | indent + color 6 "Ensuring the GCS bucket: gs://${prj}" ensure_prod_gcs_bucket "${prj}" "gs://${prj}" 2>&1 | indent done @@ -289,7 +323,7 @@ function ensure_all_prod_special_cases() { # real $PRODBAK_PROJECT). We don't want this same power for the non-test # backup system, so a compromised promoter can't nuke backups. color 6 "Empowering backup-test-prod promoter to backup-test-prod GCR" - for r in "${PROD_REGIONS[@]}"; do + for r in "${GCR_PROD_REGIONS[@]}"; do color 3 "region $r" empower_svcacct_to_write_gcr \ "$(svc_acct_email "${GCR_BACKUP_TEST_PRODBAK_PROJECT}" "${IMAGE_PROMOTER_SVCACCT}")" \ diff --git a/infra/gcp/bash/ensure-staging-storage.sh b/infra/gcp/bash/ensure-staging-storage.sh index 97cea52ab4f..de96ae066c0 100755 --- a/infra/gcp/bash/ensure-staging-storage.sh +++ b/infra/gcp/bash/ensure-staging-storage.sh @@ -66,6 +66,8 @@ readonly STAGING_PROJECT_SERVICES=( secretmanager.googleapis.com # These projects may host binaries in GCS storage-component.googleapis.com + # These projects host images in AR + artifactregistry.googleapis.com # Dependencies (gcloud services used to encode these in its response) 
@@ -257,6 +259,30 @@ function ensure_staging_gcr_repo() { ensure_gcs_bucket_logging "${gcr_bucket}" } +# Ensure a AR repo is provisioned in the given staging project, with +# appropriate permissions for the given group and GCR/AR admins +# +# $1: The GCP project (e.g. k8s-staging-foo) +# $2: The group to grant write access (e.g. k8s-infra-staging-foo@kubernetes.io) +# Repo is called images and created in the us multiregion +function ensure_staging_ar_repo() { + if [ $# != 2 ] || [ -z "$1" ] || [ -z "$2" ]; then + echo "${FUNCNAME[0]}(project, writers) requires 2 arguments" >&2 + return 1 + fi + local project="${1}" + local writers="${2}" + + color 6 "Ensuring an AR repo exists for project: ${project}" + ensure_ar_repo "${project}" "us" + + color 6 "Ensuring ${writers} can write to AR for project: ${project}" + empower_group_to_write_ar "${writers}" "${project}" "us" + + color 6 "Ensuring GCR/AR admins can admin AR for project: ${project}" + empower_ar_admins "${project}" "us" +} + # Ensure GCB is setup for the given staging project, by ensuring the # given staging GCS bucket exists, and allowing the given group and a # prow service account to write to the GCS bucket and trigger GCB @@ -396,12 +422,6 @@ function ensure_release_manager_special_cases() { fi # Artifact Registry - # - # Enable Google Artifact Registry to allow Release Managers to prepare - # for GCR to Artifact Registry migration - # ref: https://github.com/kubernetes/k8s.io/issues/1343 - ensure_services "${project}" artifactregistry.googleapis.com - # Roles: https://cloud.google.com/artifact-registry/docs/access-control#roles # # Empower Release Manager admins to create and manage repositories and diff --git a/infra/gcp/bash/lib_ar.sh b/infra/gcp/bash/lib_ar.sh new file mode 100644 index 00000000000..464ce127af4 --- /dev/null +++ b/infra/gcp/bash/lib_ar.sh 
@@ -0,0 +1,85 @@ +#!/usr/bin/env bash + +# Copyright 2020 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Artifact Registry utility functions +# +# This is intended to be very general-purpose and "low-level". Higher-level +# policy does not belong here. +# +# This MUST NOT be used directly. Source it via lib.sh instead. + +# Grant write privileges on a AR to a group +# $1: The googlegroups group email +# $2: The GCP project +# $3: The AR region +function empower_group_to_write_ar() { + if [ $# -lt 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then + echo "empower_group_to_write_ar(group_name, project, location) requires 3 arguments" >&2 + return 1 + fi + local group="$1" + local project="$2" + local region="$3" + + ensure_repository_role_binding "images" "${group}" "artifactregistry.repoAdmin" "${project}" "${location}" +} + +function ensure_public_ar_registry() { + if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then + echo "${FUNCNAME[0]}(project, location) requires 2 arguments" >&2 + return 1 + fi + local project="$1" + local location="$2" + + ensure_repository_role_binding "images" "allUsers" "artifactregistry.reader" "${project}" "${location}" +} + +function empower_ar_admins() { + # Reusing GCR Admins groups + if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then + echo "empower_ar_admins(project, location) requires 2 arguments" >&2 + return 1 + fi + local project="$1" + local location="$2" + + # TODO (upodroid) uncomment the code 
below once GCR is gone. + # ensure_project_role_binding "${project}" "group:${GCR_ADMINS}" "roles/viewer" + ensure_repository_role_binding "images" "group:${GCR_ADMINS}" "artifactregistry.admin" "${project}" "${location}" +} + +# Ensure the AR registry exists and is world-readable. +# $1: The GCP project +# $2: The AR location (optional) +function ensure_ar_repo() { + if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then + echo "ensure_ar_repo(project, location) requires 2 arguments" >&2 + return 1 + fi + local project="$1" + local location="$2" + + if ! gcloud artifacts repositories describe images --location="${location}" --project="${project}" >/dev/null 2>&1; then + gcloud artifacts repositories create images \ + --repository-format=docker \ + --location="${location}" \ + --project="${project}" + fi + + ensure_public_ar_registry "${project}" "${location}" +} + diff --git a/infra/gcp/bash/lib_iam.sh b/infra/gcp/bash/lib_iam.sh index 6d7152dc584..a3cf29669a8 100644 --- a/infra/gcp/bash/lib_iam.sh +++ b/infra/gcp/bash/lib_iam.sh @@ -197,7 +197,7 @@ function ensure_project_role_binding() { _ensure_resource_role_binding "projects" "${project}" "${principal}" "${role}" } -# Ensure that IAM binding is present for project +# Ensure that IAM binding is present for secrets # Arguments: # $1: The fully qualified secret id (e.g. "projects/k8s-infra-foo/secrets/my-secret-id") # $2: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") 
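Review bot: `empower_group_to_write_ar` passes `"${group}"` as the principal with no member-type prefix, while `empower_ar_admins` passes `"group:${GCR_ADMINS}"` and the staging caller's header gives a bare address as its example; the binding should use `"group:${group}"`. It also grants `artifactregistry.repoAdmin` where the function name and header promise write access; `artifactregistry.writer` is the narrower role if delete rights are not wanted. `ensure_ar_repo` treats any `describe` failure as "repository missing" because stderr is discarded, and it always ends with an `allUsers` reader binding, so a comment stating that every repository created here is public by design would help. Its header also calls `$2` optional although the guard requires it.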
@@ -215,6 +215,26 @@ function ensure_secret_role_binding() { _ensure_resource_role_binding "secrets" "${secret}" "${principal}" "${role}" } +# Ensure that IAM binding is present for repositories +# Arguments: +# $1: The repository name (e.g. "images") +# $2: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") +# $3: The role name (e.g. "roles/storage.objectAdmin") +# $4: The project (e.g. "k8s-artifacts-prod") +# $5: The location (e.g. "europe") +function ensure_repository_role_binding() { + if [ ! $# -eq 5 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then + echo "ensure_repository_role_binding(repository, principal, role, project, location) requires 5 arguments" >&2 + return 1 + fi + + local repository="${1}" + local principal="${2}" + local role="${3}" + + _ensure_resource_role_binding "artifacts repositories" "${repository}" "${principal}" "${role}" "${project}" "${location}" +} + # Ensure that IAM binding is present for service-account # Arguments: # $1: The serviceaccount email (e.g. "my-serviceaccount@k8s-infra-foo.iam.gserviceaccount.com") @@ -435,7 +455,7 @@ function _format_iam_policy() { # [$5]: (Optional) the id of the project hosting the resource (e.g. "k8s-infra-foo") function _ensure_resource_role_binding() { if [ $# -lt 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then - echo "${FUNCNAME[0]}(resource, id, principal, role, [project]) requires at least 4 arguments" >&2 + echo "${FUNCNAME[0]}(resource, id, principal, role, [project], [location]) requires at least 4 arguments" >&2 return 1 fi @@ -444,12 +464,17 @@ function _ensure_resource_role_binding() { local principal="${3}" local role="${4}" local project="${5:-""}" + local location="${6:-""}" local flags=() if [ -n "${project}" ]; then flags+=(--project "${project}") fi + if [ -n "${location}" ]; then + flags+=(--location "${location}") + fi + local before="${TMPDIR}/iam-bind.before.yaml" local after="${TMPDIR}/iam-bind.after.yaml" 
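Review bot: `ensure_repository_role_binding` validates five arguments but assigns only the first three, so `"${project}"` and `"${location}"` in the final call are not `$4`/`$5`. They resolve to whatever variables of that name exist in the calling function's scope, or to empty strings, in which case the optional `--project`/`--location` flags are skipped. An IAM binding can then land on a different project or location than the one passed in. Add `local project="${4}"` and `local location="${5}"` before the `_ensure_resource_role_binding` call. The copy re-added to lib_ar.sh as `ensure_ar_repository_role_binding` in PATCH 4/8 has the same omission, and the `$3` example `roles/storage.objectAdmin` would read better as an Artifact Registry role.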
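Review bot: The usage string of `_ensure_resource_role_binding` now lists `[location]`, but the argument list in the header comment above the function still stops at `[$5]`. Add a matching line such as `# [$6]: (Optional) the location of the resource (e.g. "europe")`. The header comment starts outside this hunk.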
From 9eef61144fe41cde813e86b346a9f5b103f8b43a Mon Sep 17 00:00:00 2001 From: upodroid Date: Wed, 13 Jul 2022 14:05:50 +0300 Subject: [PATCH 2/8] source script --- infra/gcp/bash/lib.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/gcp/bash/lib.sh b/infra/gcp/bash/lib.sh index aa3800c19d1..e91f2cad66d 100644 --- a/infra/gcp/bash/lib.sh +++ b/infra/gcp/bash/lib.sh @@ -44,6 +44,7 @@ trap 'cleanup_tmpdir' EXIT . "$(dirname "${BASH_SOURCE[0]}")/lib_gcs.sh" # order doesn't matter here, so keep sorted +. "$(dirname "${BASH_SOURCE[0]}")/lib_ar.sh" . "$(dirname "${BASH_SOURCE[0]}")/lib_gcr.sh" . "$(dirname "${BASH_SOURCE[0]}")/lib_gsm.sh" . "$(dirname "${BASH_SOURCE[0]}")/lib_services.sh" From 722dab7d45520c5c3e18715a27fc2d47be53b552 Mon Sep 17 00:00:00 2001 From: upodroid Date: Wed, 13 Jul 2022 14:22:06 +0300 Subject: [PATCH 3/8] fix typo --- infra/gcp/bash/lib_ar.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/gcp/bash/lib_ar.sh b/infra/gcp/bash/lib_ar.sh index 464ce127af4..890840469dc 100644 --- a/infra/gcp/bash/lib_ar.sh +++ b/infra/gcp/bash/lib_ar.sh @@ -32,7 +32,7 @@ function empower_group_to_write_ar() { fi local group="$1" local project="$2" - local region="$3" + local location="$3" ensure_repository_role_binding "images" "${group}" "artifactregistry.repoAdmin" "${project}" "${location}" } From f03326febcc2574aaf7ce7daef2f07535174c5ba Mon Sep 17 00:00:00 2001 From: upodroid Date: Tue, 26 Jul 2022 20:56:18 +0300 Subject: [PATCH 4/8] drop staging changes --- infra/gcp/bash/ensure-staging-storage.sh | 32 +++++------------------- infra/gcp/bash/lib_ar.sh | 25 +++++++++++++++--- infra/gcp/bash/lib_iam.sh | 20 --------------- 3 files changed, 27 insertions(+), 50 deletions(-) diff --git a/infra/gcp/bash/ensure-staging-storage.sh b/infra/gcp/bash/ensure-staging-storage.sh index de96ae066c0..97cea52ab4f 100755 --- a/infra/gcp/bash/ensure-staging-storage.sh +++ b/infra/gcp/bash/ensure-staging-storage.sh 
@@ -66,8 +66,6 @@ readonly STAGING_PROJECT_SERVICES=( secretmanager.googleapis.com # These projects may host binaries in GCS storage-component.googleapis.com - # These projects host images in AR - artifactregistry.googleapis.com # Dependencies (gcloud services used to encode these in its response) @@ -259,30 +257,6 @@ function ensure_staging_gcr_repo() { ensure_gcs_bucket_logging "${gcr_bucket}" } -# Ensure a AR repo is provisioned in the given staging project, with -# appropriate permissions for the given group and GCR/AR admins -# -# $1: The GCP project (e.g. k8s-staging-foo) -# $2: The group to grant write access (e.g. k8s-infra-staging-foo@kubernetes.io) -# Repo is called images and created in the us multiregion -function ensure_staging_ar_repo() { - if [ $# != 2 ] || [ -z "$1" ] || [ -z "$2" ]; then - echo "${FUNCNAME[0]}(project, writers) requires 2 arguments" >&2 - return 1 - fi - local project="${1}" - local writers="${2}" - - color 6 "Ensuring an AR repo exists for project: ${project}" - ensure_ar_repo "${project}" "us" - - color 6 "Ensuring ${writers} can write to AR for project: ${project}" - empower_group_to_write_ar "${writers}" "${project}" "us" - - color 6 "Ensuring GCR/AR admins can admin AR for project: ${project}" - empower_ar_admins "${project}" "us" -} - # Ensure GCB is setup for the given staging project, by ensuring the # given staging GCS bucket exists, and allowing the given group and a # prow service account to write to the GCS bucket and trigger GCB @@ -422,6 +396,12 @@ function ensure_release_manager_special_cases() { fi # Artifact Registry + # + # Enable Google Artifact Registry to allow Release Managers to prepare + # for GCR to Artifact Registry migration + # ref: https://github.com/kubernetes/k8s.io/issues/1343 + ensure_services "${project}" artifactregistry.googleapis.com + # Roles: https://cloud.google.com/artifact-registry/docs/access-control#roles # # Empower Release Manager admins to create and manage repositories and 
diff --git a/infra/gcp/bash/lib_ar.sh b/infra/gcp/bash/lib_ar.sh index 890840469dc..88307c9e7f1 100644 --- a/infra/gcp/bash/lib_ar.sh +++ b/infra/gcp/bash/lib_ar.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2020 The Kubernetes Authors. +# Copyright 2022 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,8 +57,6 @@ function empower_ar_admins() { local project="$1" local location="$2" - # TODO (upodroid) uncomment the code below once GCR is gone. - # ensure_project_role_binding "${project}" "group:${GCR_ADMINS}" "roles/viewer" ensure_repository_role_binding "images" "group:${GCR_ADMINS}" "artifactregistry.admin" "${project}" "${location}" } @@ -72,7 +70,7 @@ function ensure_ar_repo() { fi local project="$1" local location="$2" - + # AR Repos will always be called images. Format LOCATION-docker.pkg.dev/PROJECT_ID/images/foobar:latest if ! gcloud artifacts repositories describe images --location="${location}" --project="${project}" >/dev/null 2>&1; then gcloud artifacts repositories create images \ --repository-format=docker \ 
@@ -83,3 +81,22 @@ function ensure_ar_repo() { ensure_public_ar_registry "${project}" "${location}" } +# Ensure that IAM binding is present for repositories +# Arguments: +# $1: The repository name (e.g. "images") +# $2: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") +# $3: The role name (e.g. "roles/storage.objectAdmin") +# $4: The project (e.g. "k8s-artifacts-prod") +# $5: The location (e.g. "europe") +function ensure_ar_repository_role_binding() { + if [ ! $# -eq 5 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then + echo "ensure_ar_repository_role_binding(repository, principal, role, project, location) requires 5 arguments" >&2 + return 1 + fi + + local repository="${1}" + local principal="${2}" + local role="${3}" + + _ensure_resource_role_binding "artifacts repositories" "${repository}" "${principal}" "${role}" "${project}" "${location}" +} diff --git a/infra/gcp/bash/lib_iam.sh b/infra/gcp/bash/lib_iam.sh index a3cf29669a8..195baff9fb2 100644 --- a/infra/gcp/bash/lib_iam.sh +++ b/infra/gcp/bash/lib_iam.sh 
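Review bot: The call sites in lib_ar.sh still use the old name `ensure_repository_role_binding`, although this patch re-adds the helper as `ensure_ar_repository_role_binding` and deletes the old definition from lib_iam.sh. The context line in `empower_ar_admins` shows the old name, and no hunk touches the calls in `empower_group_to_write_ar` or `ensure_public_ar_registry`. Unless the old name is still defined elsewhere, those calls fail with "command not found" and no repository IAM binding is applied. Update the three calls to `ensure_ar_repository_role_binding`.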
@@ -215,26 +215,6 @@ function ensure_secret_role_binding() { _ensure_resource_role_binding "secrets" "${secret}" "${principal}" "${role}" } -# Ensure that IAM binding is present for repositories -# Arguments: -# $1: The repository name (e.g. "images") -# $2: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") -# $3: The role name (e.g. "roles/storage.objectAdmin") -# $4: The project (e.g. "k8s-artifacts-prod") -# $5: The location (e.g. "europe") -function ensure_repository_role_binding() { - if [ ! $# -eq 5 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then - echo "ensure_repository_role_binding(repository, principal, role, project, location) requires 5 arguments" >&2 - return 1 - fi - - local repository="${1}" - local principal="${2}" - local role="${3}" - - _ensure_resource_role_binding "artifacts repositories" "${repository}" "${principal}" "${role}" "${project}" "${location}" -} - # Ensure that IAM binding is present for service-account # Arguments: # $1: The serviceaccount email (e.g. "my-serviceaccount@k8s-infra-foo.iam.gserviceaccount.com") From 93e09913219936251e5120703dbbda0a14d41af7 Mon Sep 17 00:00:00 2001 From: upodroid Date: Tue, 26 Jul 2022 21:04:54 +0300 Subject: [PATCH 5/8] add regions --- infra/gcp/bash/ensure-prod-storage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh index 54512dceb00..4565e09a55c 100755 --- a/infra/gcp/bash/ensure-prod-storage.sh +++ b/infra/gcp/bash/ensure-prod-storage.sh @@ -91,7 +91,7 @@ readonly PROD_PROJECT_DISABLED_SERVICES=( # Regions for prod GCR. GCR_PROD_REGIONS=(us eu asia) # Regions for prod AR. -AR_PROD_REGIONS=(us europe asia) +AR_PROD_REGIONS=(asia-east1 asia-northeast1 europe-north1 europe-west1 europe-west4 us-central1 us-east1 us-east4) # Minimum time we expect to keep prod GCS artifacts. PROD_RETENTION="10y" 
From 1d0fc774dbdc7e5b710f27fda5bca3652c181fea Mon Sep 17 00:00:00 2001 From: upodroid Date: Wed, 3 Aug 2022 22:56:54 +0300 Subject: [PATCH 6/8] add the 5 regions I mentioned --- infra/gcp/bash/ensure-prod-storage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh index 4565e09a55c..5f9d5e9d37a 100755 --- a/infra/gcp/bash/ensure-prod-storage.sh +++ b/infra/gcp/bash/ensure-prod-storage.sh @@ -91,7 +91,7 @@ readonly PROD_PROJECT_DISABLED_SERVICES=( # Regions for prod GCR. GCR_PROD_REGIONS=(us eu asia) # Regions for prod AR. -AR_PROD_REGIONS=(asia-east1 asia-northeast1 europe-north1 europe-west1 europe-west4 us-central1 us-east1 us-east4) +AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west4 southamerica-west1 us-central1 us-east1 us-east4 us-west2) # Minimum time we expect to keep prod GCS artifacts. PROD_RETENTION="10y" From 8b9e0b2cab390c8f9d41d6405f83ac18106636d9 Mon Sep 17 00:00:00 2001 From: upodroid Date: Thu, 4 Aug 2022 23:15:29 +0300 Subject: [PATCH 7/8] add missing Tier 1 regions --- infra/gcp/bash/ensure-prod-storage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh index 5f9d5e9d37a..f5f7c624895 100755 --- a/infra/gcp/bash/ensure-prod-storage.sh +++ b/infra/gcp/bash/ensure-prod-storage.sh 
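Review bot: `europe-southeast1` in the new `AR_PROD_REGIONS` list does not look like an existing Google Cloud region; `europe-southwest1` may have been intended, which is worth confirming against `gcloud artifacts locations list`. `ensure_ar_repo` would attempt `repositories create` for that location on every run, and how the failure propagates depends on code outside this hunk. The entry is carried unchanged through PATCH 7/8 and 8/8.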
@@ -91,7 +91,7 @@ readonly PROD_PROJECT_DISABLED_SERVICES=( # Regions for prod GCR. GCR_PROD_REGIONS=(us eu asia) # Regions for prod AR. -AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west4 southamerica-west1 us-central1 us-east1 us-east4 us-west2) +AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 asia-northeast2 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west4 europe-west8 europe-west9 southamerica-west1 us-central1 us-east1 us-east4 us-east5 us-south1 us-west1 us-west2) # Minimum time we expect to keep prod GCS artifacts. PROD_RETENTION="10y" From cee0b5d07d20f1d707798424e316303dae6cefa6 Mon Sep 17 00:00:00 2001 From: upodroid Date: Tue, 9 Aug 2022 15:42:01 +0300 Subject: [PATCH 8/8] add london region --- infra/gcp/bash/ensure-prod-storage.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/gcp/bash/ensure-prod-storage.sh b/infra/gcp/bash/ensure-prod-storage.sh index f5f7c624895..4af59d8f309 100755 --- a/infra/gcp/bash/ensure-prod-storage.sh +++ b/infra/gcp/bash/ensure-prod-storage.sh @@ -91,7 +91,7 @@ readonly PROD_PROJECT_DISABLED_SERVICES=( # Regions for prod GCR. GCR_PROD_REGIONS=(us eu asia) # Regions for prod AR. -AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 asia-northeast2 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west4 europe-west8 europe-west9 southamerica-west1 us-central1 us-east1 us-east4 us-east5 us-south1 us-west1 us-west2) +AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 asia-northeast2 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west2 europe-west4 europe-west8 europe-west9 southamerica-west1 us-central1 us-east1 us-east4 us-east5 us-south1 us-west1 us-west2) # Minimum time we expect to keep prod GCS artifacts. PROD_RETENTION="10y"