From 074d4705465614c6506d421bac484d481f69ff16 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Wed, 4 Dec 2024 15:38:23 +0300
Subject: [PATCH] configure gcp access for atlantis

---
 .atlantis.yaml                              | 1 -
 infra/gcp/terraform/README.md               | 43 ++++++++++++++++++-
 kubernetes/gke-utility/atlantis/extras.yaml | 7 +++
 .../gke-utility/atlantis/kustomization.yaml | 1 +
 4 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/.atlantis.yaml b/.atlantis.yaml
index bdd32599a88..1bce083397b 100644
--- a/.atlantis.yaml
+++ b/.atlantis.yaml
@@ -2,7 +2,6 @@ version: 3
 automerge: true
 autodiscover:
   mode: auto
-delete_source_branch_on_merge: true
 parallel_plan: true
 parallel_apply: true
 abort_on_execution_order_fail: true
diff --git a/infra/gcp/terraform/README.md b/infra/gcp/terraform/README.md
index d44b86f7223..e627717de1a 100644
--- a/infra/gcp/terraform/README.md
+++ b/infra/gcp/terraform/README.md
@@ -47,6 +47,7 @@ containing manifests that are deployed to the cluster
 ## Deploying
+- Open a PR and Atlantis will apply and deploy your Terraform changes.
 - Ensure you are logged into your GCP account with `gcloud auth application-default login`
 - From within a module directory:
   - `terraform init` will initialize your local state (refresh modules)
@@ -55,9 +56,49 @@ containing manifests that are deployed to the cluster
 ## Deleting
-- Get approval from a WG K8s Infra lead (ask in [#sig-k8s-infra] before doing this)
+- Get approval from a SIG K8s Infra lead (ask in [#sig-k8s-infra] before doing this)
 - Ensure you are logged into your GCP account with `gcloud auth application-default login`
 - From within a module directory:
   - `terraform destroy` will destroy and clean up all created resources
 [#sig-k8s-infra]: https://kubernetes.slack.com/messages/sig-k8s-infra
+
+
+# Bootstrapping Terraform - One Time Setup
+
+Terraform needs to be bootstrapped manually before it can be used. This process was done during Atlantis Setup. It is noted here for completeness and for potential troubleshooting.
+
+This needs to be ran by a person.
+
+```
+# Get the ORG_ID
+ORG_ID=$(gcloud organizations describe kubernetes.io --format json | jq .name -r | sed 's:.*/::')
+
+# Create the k8s-infra-seed project
+
+gcloud projects create k8s-infra-seed --organization $ORG_ID --name "K8s Infra Seed" --billing
+
+# Create the terraform service account
+
+gcloud iam service-accounts create atlantis —-display-name Atlantis --project k8s-infra-seed
+
+# Allow the Atlantis Kubernetes Service Account in k8s-infra-prow project to assume this service account
+
+gcloud iam service-accounts add-iam-policy-binding atlantis@k8s-infra-seed.iam.gserviceaccount.com \
+  --member "serviceAccount:k8s-infra-prow.svc.id.goog[atlantis/atlantis]" --role='roles/iam.workloadIdentityUser'
+
+# Create the State Bucket and version it
+gcloud storage buckets create gs://k8s-infra-tf-state --location=us --uniform-bucket-level-access
+gcloud storage buckets update gs://k8s-infra-tf-state --versioning
+
+# Enable Google APIs
+gcloud services enable container.googleapis.com run.googleapis.com cloudbuild.googleapis.com --async
+
+# Privilege the terraform service account
+gcloud organizations add-iam-policy-binding --organization $ORG_ID \
+  --member "serviceAccount:atlantis@k8s-infra-seed.iam.gserviceaccount.com" --role='roles/resourcemanager.organizationAdmin'
+gcloud organizations add-iam-policy-binding --organization $ORG_ID \
+  --member "serviceAccount:atlantis@k8s-infra-seed.iam.gserviceaccount.com" --role='roles/owner'
+gcloud organizations add-iam-policy-binding --organization $ORG_ID \
+  --member "serviceAccount:atlantis@k8s-infra-seed.iam.gserviceaccount.com" --role='roles/billing.admin'
+```
diff --git a/kubernetes/gke-utility/atlantis/extras.yaml b/kubernetes/gke-utility/atlantis/extras.yaml
index 88e8db45a30..7e26ddec422 100644
--- a/kubernetes/gke-utility/atlantis/extras.yaml
+++ b/kubernetes/gke-utility/atlantis/extras.yaml
@@ -13,3 +13,10 @@ spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: k8s-infra-prow
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: atlantis
+  annotations:
+    iam.gke.io/gcp-service-account: atlantis@k8s-infra-seed.iam.gserviceaccount.com
diff --git a/kubernetes/gke-utility/atlantis/kustomization.yaml b/kubernetes/gke-utility/atlantis/kustomization.yaml
index e271d84222c..fb48b2270a7 100644
--- a/kubernetes/gke-utility/atlantis/kustomization.yaml
+++ b/kubernetes/gke-utility/atlantis/kustomization.yaml
@@ -25,6 +25,7 @@ patchesStrategicMerge:
     spec:
       template:
         spec:
+          serviceAccountName: atlantis
           containers:
           - name: atlantis
             env:
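Review bot: The `iam.gke.io/gcp-service-account` annotation on the new `atlantis` ServiceAccount binds the pod identity to `atlantis@k8s-infra-seed.iam.gserviceaccount.com`, which the README in this same commit grants `roles/owner`, `roles/resourcemanager.organizationAdmin` and `roles/billing.admin` at the organization level, so every plan Atlantis runs for a pull request executes with org-wide owner rights once the kustomization hunk's `serviceAccountName: atlantis` takes effect. Terraform plan already evaluates provider and data-source configuration from the PR branch, so the Atlantis side needs its repo allowlist kept narrow and fork PRs left disabled, and the GCP side should be reduced to the roles the managed modules actually need; if the broad grant has to stay, record the reason in a comment next to the annotation, e.g. `# Bound to the org-level Terraform SA (see infra/gcp/terraform/README.md); any PR plan runs with these rights`. The manifest carries no `namespace:`, and the README's member string `k8s-infra-prow.svc.id.goog[atlantis/atlantis]` only matches if kustomize sets the namespace to `atlantis`, which is not visible here and is worth confirming. If the Atlantis container does not call the Kubernetes API, adding `automountServiceAccountToken: false` to this ServiceAccount keeps the cluster token out of the pod; as far as I can tell GKE's metadata-server flow for Workload Identity does not need that mount, but confirm before relying on it.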