[CI] Wire up kubernetes service accounts for object caching

premerge/gke_cluster/main.tf

@@ -176,3 +176,65 @@ resource "google_storage_bucket" "object_cache_windows" {
   uniform_bucket_level_access = true
   public_access_prevention    = "enforced"
 }
+
+resource "google_service_account" "object_cache_linux_gsa" {
+  account_id   = format("%s-linux-gsa", var.region)
+  display_name = format("%s Linux Object Cache Service Account", var.region)
+}
+
+resource "google_service_account" "object_cache_windows_gsa" {
+  account_id   = format("%s-windows-gsa", var.region)
+  display_name = format("%s Windows Object Cache Service Account", var.region)
+}
+
+resource "google_storage_bucket_iam_binding" "linux_bucket_binding" {
+  bucket = google_storage_bucket.object_cache_linux.name
+  role   = "roles/storage.objectUser"
+  members = [
+    format("serviceAccount:%s", google_service_account.object_cache_linux_gsa.email),
+  ]
+
+  depends_on = [
+    google_storage_bucket.object_cache_linux,
+    google_service_account.object_cache_linux_gsa,
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "windows_bucket_binding" {
+  bucket = google_storage_bucket.object_cache_windows.name
+  role   = "roles/storage.objectUser"
+  members = [
+    format("serviceAccount:%s", google_service_account.object_cache_windows_gsa.email),
+  ]
+
+  depends_on = [
+    google_storage_bucket.object_cache_windows,
+    google_service_account.object_cache_windows_gsa
+  ]
+}
+
+resource "google_service_account_iam_binding" "linux_bucket_gsa_workload_binding" {
+  service_account_id = google_service_account.object_cache_linux_gsa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.object_cache_linux_gsa.project}.svc.id.goog[${var.linux_runners_namespace_name}/${var.linux_runners_kubernetes_service_account_name}]",
+  ]
+
+  depends_on = [
+    google_service_account.object_cache_linux_gsa,
+  ]
+}
+
+resource "google_service_account_iam_binding" "windows_bucket_gsa_workload_binding" {
+  service_account_id = google_service_account.object_cache_windows_gsa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.object_cache_windows_gsa.project}.svc.id.goog[${var.windows_2022_runners_namespace_name}/${var.windows_2022_runners_kubernetes_service_account_name}]",
+  ]
+
+  depends_on = [
+    google_service_account.object_cache_windows_gsa,
+  ]
+}

premerge/gke_cluster/outputs.tf

@@ -12,4 +12,12 @@ output "client_key" {
 
 output "cluster_ca_certificate" {
   value = google_container_cluster.llvm_premerge.master_auth.0.cluster_ca_certificate
-}
+}
+
+output "linux_object_cache_gcp_service_account_email" {
+  value = google_service_account.object_cache_linux_gsa.email
+}
+
+output "windows_2022_object_cache_gcp_service_account_email" {
+  value = google_service_account.object_cache_windows_gsa.email
+}

premerge/gke_cluster/variables.tf

@@ -33,3 +33,23 @@ variable "service_node_pool_locations" {
   type        = list(any)
   default     = null
 }
+
+variable "linux_runners_namespace_name" {
+  description = "The name of the namespace containing the Linux runners"
+  type        = string
+}
+
+variable "linux_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Linux object cache GCS bucket"
+  type        = string
+}
+
+variable "windows_2022_runners_namespace_name" {
+  description = "The name of the namespace containing the Windows runners"
+  type        = string
+}
+
+variable "windows_2022_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Windows object cache GCS bucket"
+  type        = string
+}

premerge/main.tf

@@ -43,29 +43,44 @@ resource "local_file" "terraform_state" {
 
 data "google_client_config" "current" {}
 
+locals {
+  linux_runners_namespace_name                         = "llvm-premerge-linux-runners"
+  linux_runners_kubernetes_service_account_name        = "linux-runners-ksa"
+  windows_2022_runners_namespace_name                  = "llvm-premerge-windows-2022-runners"
+  windows_2022_runners_kubernetes_service_account_name = "windows-runners-ksa"
+}
+
 module "premerge_cluster_us_central" {
-  source               = "./gke_cluster"
-  cluster_name         = "llvm-premerge-cluster-us-central"
-  region               = "us-central1-a"
-  libcxx_machine_type  = "n2d-standard-32"
-  linux_machine_type   = "n2-standard-64"
-  windows_machine_type = "n2-standard-32"
-  gcs_bucket_location  = "us-central1"
+  source                                               = "./gke_cluster"
+  cluster_name                                         = "llvm-premerge-cluster-us-central"
+  region                                               = "us-central1-a"
+  libcxx_machine_type                                  = "n2d-standard-32"
+  linux_machine_type                                   = "n2-standard-64"
+  windows_machine_type                                 = "n2-standard-32"
+  gcs_bucket_location                                  = "us-central1"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
 }
 
 # We explicitly specify a single zone for the service node pool locations as
 # terraform by default will create node_count nodes per zone. We only want
 # node_count nodes rather than (node_count * zone count) nodes, so we
 # explicitly enumerate a specific region.
 module "premerge_cluster_us_west" {
-  source                      = "./gke_cluster"
-  cluster_name                = "llvm-premerge-cluster-us-west"
-  region                      = "us-west1"
-  libcxx_machine_type         = "n2d-standard-32"
-  linux_machine_type          = "n2d-standard-64"
-  windows_machine_type        = "n2d-standard-32"
-  service_node_pool_locations = ["us-west1-a"]
-  gcs_bucket_location         = "us-west1"
+  source                                               = "./gke_cluster"
+  cluster_name                                         = "llvm-premerge-cluster-us-west"
+  region                                               = "us-west1"
+  libcxx_machine_type                                  = "n2d-standard-32"
+  linux_machine_type                                   = "n2d-standard-64"
+  windows_machine_type                                 = "n2d-standard-32"
+  service_node_pool_locations                          = ["us-west1-a"]
+  gcs_bucket_location                                  = "us-west1"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
 }
 
 provider "helm" {
@@ -123,31 +138,39 @@ provider "kubernetes" {
 }
 
 module "premerge_cluster_us_central_resources" {
-  source                              = "./premerge_resources"
-  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name                        = "llvm-premerge-cluster-us-central"
-  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name                   = "llvm-premerge-cluster-us-central"
-  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
-  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
+  source                                               = "./premerge_resources"
+  github_app_id                                        = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id                           = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key                               = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                                         = "llvm-premerge-cluster-us-central"
+  grafana_token                                        = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                                    = "llvm-premerge-cluster-us-central"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
+  linux_object_cache_gcp_service_account_email         = module.premerge_cluster_us_central.linux_object_cache_gcp_service_account_email
+  windows_2022_object_cache_gcp_service_account_email  = module.premerge_cluster_us_central.windows_2022_object_cache_gcp_service_account_email
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-central
     helm       = helm.llvm-premerge-us-central
   }
 }
 
 module "premerge_cluster_us_west_resources" {
-  source                              = "./premerge_resources"
-  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name                        = "llvm-premerge-cluster-us-west"
-  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name                   = "llvm-premerge-cluster-us-west"
-  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
-  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
+  source                                               = "./premerge_resources"
+  github_app_id                                        = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id                           = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key                               = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                                         = "llvm-premerge-cluster-us-west"
+  grafana_token                                        = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                                    = "llvm-premerge-cluster-us-west"
+  linux_runners_namespace_name                         = local.linux_runners_namespace_name
+  linux_runners_kubernetes_service_account_name        = local.linux_runners_kubernetes_service_account_name
+  windows_2022_runners_namespace_name                  = local.windows_2022_runners_namespace_name
+  windows_2022_runners_kubernetes_service_account_name = local.windows_2022_runners_kubernetes_service_account_name
+  linux_object_cache_gcp_service_account_email         = module.premerge_cluster_us_central.linux_object_cache_gcp_service_account_email
+  windows_2022_object_cache_gcp_service_account_email  = module.premerge_cluster_us_central.windows_2022_object_cache_gcp_service_account_email
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-west
     helm       = helm.llvm-premerge-us-west

premerge/premerge_resources/main.tf

@@ -234,6 +234,30 @@ resource "helm_release" "github_actions_runner_set_libcxx_next" {
   ]
 }
 
+resource "kubernetes_service_account" "linux_object_cache_ksa" {
+  metadata {
+    name      = var.linux_runners_kubernetes_service_account_name
+    namespace = var.linux_runners_namespace_name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = var.linux_object_cache_gcp_service_account_email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.llvm_premerge_linux_runners]
+}
+
+resource "kubernetes_service_account" "windows_2022_object_cache_ksa" {
+  metadata {
+    name      = var.windows_2022_runners_kubernetes_service_account_name
+    namespace = var.windows_2022_runners_namespace_name
+    annotations = {
+      "iam.gke.io/gcp-service-account" = var.windows_2022_object_cache_gcp_service_account_email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.llvm_premerge_windows_2022_runners]
+}
+
 resource "kubernetes_namespace" "grafana" {
   metadata {
     name = "grafana"

premerge/premerge_resources/variables.tf

@@ -76,7 +76,27 @@ variable "linux_runners_namespace_name" {
   type        = string
 }
 
+variable "linux_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Linux object cache GCS bucket"
+  type        = string
+}
+
 variable "windows_2022_runners_namespace_name" {
   description = "The name of the namespace containing the Windows runners"
   type        = string
 }
+
+variable "windows_2022_runners_kubernetes_service_account_name" {
+  description = "The name of the kubernetes service account used to access the Windows object cache GCS bucket"
+  type        = string
+}
+
+variable "linux_object_cache_gcp_service_account_email" {
+  description = "The email associated with the service account for accessing the object cache on Linux."
+  type        = string
+}
+
+variable "windows_2022_object_cache_gcp_service_account_email" {
+  description = "The email associated with the service account for accessing the object cache on Windows."
+  type        = string
+}