From e1dca0a1a820814d3855a29eb283ce99f4d0d77f Mon Sep 17 00:00:00 2001
From: Aiden Grossman
Date: Fri, 18 Jul 2025 16:34:07 +0000
Subject: [PATCH 1/2] =?UTF-8?q?[=F0=9D=98=80=F0=9D=97=BD=F0=9D=97=BF]=20ch?= =?UTF-8?q?anges=20to=20main=20this=20commit=20is=20based=20on?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Created using spr 1.3.4 [skip ci]
---
 premerge/gke_cluster/main.tf | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
index 294a10c0..bc43d7d9 100644
--- a/premerge/gke_cluster/main.tf
+++ b/premerge/gke_cluster/main.tf
@@ -12,6 +12,13 @@ resource "google_container_cluster" "llvm_premerge" {
 # for adding windows nodes to the cluster.
 networking_mode = "VPC_NATIVE"
 ip_allocation_policy {}
+
+ # Set the workload identity config so that we can authenticate with Google
+ # Cloud APIs using workload identity federation as described in
+ # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
+ workload_identity_config {
+ workload_pool = "llvm-premerge-checks.svc.id.goog"
+ }
 }
 
 resource "google_container_node_pool" "llvm_premerge_linux_service" {
@@ -62,6 +69,12 @@ resource "google_container_node_pool" "llvm_premerge_linux" {
 resource_labels = {
 "goog-gke-node-pool-provisioning-model" = "on-demand"
 }
+
+ # Enable workload identity federation for this pool so that we can access
+ # GCS buckets.
+ workload_metadata_config {
+ mode = "GKE_METADATA"
+ }
 }
 }
 
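Review bot: The `workload_pool` value in the added `workload_identity_config` block hard-codes the project ID, while the bucket resources added later in this patch build their names from `var.cluster_name` and `var.region`. GKE accepts only the cluster's own project in `PROJECT_ID.svc.id.goog`, so the literal ties this module to one project and has to be edited by hand if it is ever applied elsewhere. If the module already has a project input or a `google_project` data source (none is visible in this hunk), deriving the string from it, e.g. `workload_pool = "${<project-id reference>}.svc.id.goog"`, keeps the two in step. The resource body starts above the hunk.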
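Review bot: The comment above the added `workload_metadata_config { mode = "GKE_METADATA" }` block in `llvm_premerge_linux` says only "so that we can access GCS buckets" and does not record which identity gets that access. With this mode, what a pod on the pool can reach is decided entirely by the IAM bindings on its Kubernetes service account, and no such binding appears anywhere in this patch. If these pools run pull-request code, as the pool names suggest, the binding should cover one namespace/service account and grant object-level access on the matching cache bucket only, not a project-level storage role. I would extend the comment to say so, e.g. `# Access is granted per Kubernetes service account; keep its IAM binding scoped to the object cache bucket.` The same applies to the identical block added to `llvm_premerge_windows_2022` in the `@@ -139,5 +152,27 @@` hunk; the enclosing `node_config` block starts above this hunk.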
@@ -139,5 +152,27 @@ resource "google_container_node_pool" "llvm_premerge_windows_2022" {
 resource_labels = {
 "goog-gke-node-pool-provisioning-model" = "on-demand"
 }
+
+ # Enable workload identity federation for this pool so that we can access
+ # GCS buckets.
+ workload_metadata_config {
+ mode = "GKE_METADATA"
+ }
 }
 }
+
+resource "google_storage_bucket" "object_cache_linux" {
+ name = format("%s-object-cache-linux", var.cluster_name)
+ location = var.region
+
+ uniform_bucket_level_access = true
+ public_access_prevention = "enforced"
+}
+
+resource "google_storage_bucket" "object_cache_windows" {
+ name = format("%s-object-cache-windows", var.cluster_name)
+ location = var.region
+
+ uniform_bucket_level_access = true
+ public_access_prevention = "enforced"
+}
From 2583870ec27630338d616d6b1c674ca67db8f5a1 Mon Sep 17 00:00:00 2001
From: Aiden Grossman
Date: Fri, 18 Jul 2025 16:35:42 +0000
Subject: [PATCH 2/2] =?UTF-8?q?[=F0=9D=98=80=F0=9D=97=BD=F0=9D=97=BF]=20ch?= =?UTF-8?q?anges=20introduced=20through=20rebase?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Created using spr 1.3.4 [skip ci]
---
 premerge/gke_cluster/main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
index bc43d7d9..1bf5ea52 100644
--- a/premerge/gke_cluster/main.tf
+++ b/premerge/gke_cluster/main.tf
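Review bot: Both `google_storage_bucket` resources added at the end of the `@@ -139,5 +152,27 @@` hunk of patch 1/2 have no `lifecycle_rule`, so cache objects are kept indefinitely. For a build cache that means unbounded storage growth, and a stale or tampered entry never ages out on its own. An age-based delete rule on each bucket bounds both; the retention value below is a placeholder to be set from the cache's real hit pattern, and the same block belongs in `object_cache_windows`. Since jobs on the premerge pools will presumably write to these buckets, a comment above each resource should also state that trusted post-merge or release builds must not read from them.

```hcl
resource "google_storage_bucket" "object_cache_linux" {
  # … unchanged: name, location, uniform_bucket_level_access, public_access_prevention …

  # Expire cache entries so the bucket stays bounded and bad entries age out.
  lifecycle_rule {
    condition {
      age = 30 # placeholder (days); tune to the cache hit pattern
    }
    action {
      type = "Delete"
    }
  }
}
```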
@@ -162,17 +162,17 @@ resource "google_container_node_pool" "llvm_premerge_windows_2022" {
 }
 
 resource "google_storage_bucket" "object_cache_linux" {
- name = format("%s-object-cache-linux", var.cluster_name)
+ name = format("%s-object-cache-linux", var.cluster_name)
 location = var.region
 
 uniform_bucket_level_access = true
- public_access_prevention = "enforced"
+ public_access_prevention = "enforced"
 }
 
 resource "google_storage_bucket" "object_cache_windows" {
- name = format("%s-object-cache-windows", var.cluster_name)
+ name = format("%s-object-cache-windows", var.cluster_name)
 location = var.region
 
 uniform_bucket_level_access = true
- public_access_prevention = "enforced"
+ public_access_prevention = "enforced"
 }