[CI] Wire up kubernetes service accounts for object caching

boomanaiden154 · web-flow · commit 131e3d036737 · 2025-07-21T10:53:17.000-07:00
This patch wires up the kubernetes service accounts for object caching. This will enable attaching them to test pods to test that the authentication and everything actually works. After we have validated that the setup works we can work on enabling it on all the incoming jobs. Reviewers: dschuff, lnihlen, Keenuts, cmtice, gburgessiv Reviewed By: cmtice Pull Request: #509
diff --git a/premerge/gke_cluster/outputs.tf b/premerge/gke_cluster/outputs.tf
@@ -12,4 +12,12 @@ output "client_key" {
 
 output "cluster_ca_certificate" {
   value = google_container_cluster.llvm_premerge.master_auth.0.cluster_ca_certificate
-}
+}
+
+output "linux_object_cache_gcp_service_account_email" {
+  value = google_service_account.object_cache_linux_gsa.email
+}
+
+output "windows_2022_object_cache_gcp_service_account_email" {
+  value = google_service_account.object_cache_windows_gsa.email
+}
diff --git a/premerge/main.tf b/premerge/main.tf
@@ -138,33 +138,41 @@ provider "kubernetes" {
 }
 
 module "premerge_cluster_us_central_resources" {
-  source                              = "./premerge_resources"
-  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name                        = "llvm-premerge-cluster-us-central"
-  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name                   = "llvm-premerge-cluster-us-central"
-  linux_runners_namespace_name        = local.linux_runners_namespace_name
-  windows_2022_runners_namespace_name = local.windows_2022_runners_namespace_name
-  github_arc_version                  = "0.12.1"
+  source                                               = "./premerge_resources"
+  github_app_id                                        = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id                           = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key                               = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                                         = "llvm-premerge-cluster-us-central"
+  grafana_token                                        = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                                    = "llvm-premerge-cluster-us-central"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
+  linux_object_cache_gcp_service_account_email         = module.premerge_cluster_us_central.linux_object_cache_gcp_service_account_email
+  windows_2022_object_cache_gcp_service_account_email  = module.premerge_cluster_us_central.windows_2022_object_cache_gcp_service_account_email
+  github_arc_version                                   = "0.12.1"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-central
     helm       = helm.llvm-premerge-us-central
   }
 }
 
 module "premerge_cluster_us_west_resources" {
-  source                              = "./premerge_resources"
-  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name                        = "llvm-premerge-cluster-us-west"
-  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name                   = "llvm-premerge-cluster-us-west"
-  linux_runners_namespace_name        = local.linux_runners_namespace_name
-  windows_2022_runners_namespace_name = local.windows_2022_runners_namespace_name
-  github_arc_version                  = "0.12.1"
+  source                                               = "./premerge_resources"
+  github_app_id                                        = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id                           = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key                               = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                                         = "llvm-premerge-cluster-us-west"
+  grafana_token                                        = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                                    = "llvm-premerge-cluster-us-west"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
+  linux_object_cache_gcp_service_account_email         = module.premerge_cluster_us_central.linux_object_cache_gcp_service_account_email
+  windows_2022_object_cache_gcp_service_account_email  = module.premerge_cluster_us_central.windows_2022_object_cache_gcp_service_account_email
+  github_arc_version                                   = "0.12.1"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-west
     helm       = helm.llvm-premerge-us-west
diff --git a/premerge/premerge_resources/main.tf b/premerge/premerge_resources/main.tf
@@ -234,6 +234,30 @@ resource "helm_release" "github_actions_runner_set_libcxx_next" {
   ]
 }
 
+resource "kubernetes_service_account" "linux_object_cache_ksa" {
+  metadata {
+    name      = var.linux_runners_kubernetes_service_account_name
+    namespace = var.linux_runners_namespace_name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = var.linux_object_cache_gcp_service_account_email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.llvm_premerge_linux_runners]
+}
+
+resource "kubernetes_service_account" "windows_2022_object_cache_ksa" {
+  metadata {
+    name      = var.windows_2022_runners_kubernetes_service_account_name
+    namespace = var.windows_2022_runners_namespace_name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = var.windows_2022_object_cache_gcp_service_account_email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.llvm_premerge_windows_2022_runners]
+}
+
 resource "kubernetes_namespace" "grafana" {
   metadata {
     name = "grafana"
diff --git a/premerge/premerge_resources/variables.tf b/premerge/premerge_resources/variables.tf
@@ -80,7 +80,27 @@ variable "linux_runners_namespace_name" {
   type        = string
 }
 
+variable "linux_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Linux object cache GCS bucket"
+  type        = string
+}
+
 variable "windows_2022_runners_namespace_name" {
   description = "The name of the namespace containing the Windows runners"
   type        = string
 }
+
+variable "windows_2022_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Windows object cache GCS bucket"
+  type        = string
+}
+
+variable "linux_object_cache_gcp_service_account_email" {
+  description = "The email associated with the service account for accessing the object cache on Linux."
+  type        = string
+}
+
+variable "windows_2022_object_cache_gcp_service_account_email" {
+  description = "The email associated with the service account for accessing the object cache on Windows."
+  type        = string
+}
