Merge branch 'iam-move' into aws-kubeconfig

2i2c-org · May 6, 2021 · 1b1d422 · 1b1d422
2 parents e69fa32 + 9ba8b0d
commit 1b1d422
Show file tree

Hide file tree

Showing 9 changed files with 97 additions and 88 deletions.
diff --git a/config/hubs/2i2c.cluster.yaml b/config/hubs/2i2c.cluster.yaml
@@ -48,11 +48,14 @@ hubs:
     auth0:
       connection: google-oauth2
     config:
-      iam:
-        # FIXME: Automatically inject this
-        projectId: two-eye-two-see
       basehub:
         jupyterhub:
+          cloudResources:
+            provider: gcp
+            gcp:
+              projectId: two-eye-two-see
+            scratchBucket:
+              enabled: true
           homepage:
             templateVars:
               org:
@@ -219,10 +222,14 @@ hubs:
     auth0:
       connection: google-oauth2
     config:
-      iam:
-        projectId: two-eye-two-see
       basehub:
         jupyterhub:
+          cloudResources:
+            provider: gcp
+            gcp:
+              projectId: two-eye-two-see
+            scratchBucket:
+              enabled: true
           singleuser:
             image:
               name: catalystcoop/pudl-jupyter
@@ -293,11 +300,14 @@ hubs:
     auth0:
       connection: github
     config:
-      iam:
-        # FIXME: Automatically inject this
-        projectId: two-eye-two-see
       basehub:
         jupyterhub:
+          cloudResources:
+            provider: gcp
+            gcp:
+              projectId: two-eye-two-see
+            scratchBucket:
+              enabled: true
           singleuser:
             image:
               name: pangeo/pangeo-notebook

diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl b/hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl
@@ -0,0 +1,9 @@
+{{- define "cloudResources.gcp.serviceAccountName" -}}
+{{.Release.Name}}-user-sa
+{{- end }}
+
+{{- define "cloudResources.scratchBucket.name" -}}
+{{- if eq .Values.jupyterhub.cloudResources.provider "gcp" -}}
+{{ .Values.jupyterhub.cloudResources.gcp.projectId }}-{{ .Release.Name }}-scratch-bucket
+{{- end -}}
+{{- end }}
diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml b/hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml
@@ -0,0 +1,9 @@
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: cloud-env-vars
+data:
+  scratch-bucket-name: {{ include "cloudResources.scratchBucket.name" . }}
+  scratch-bucket-protocol: "gcs"
+{{- end }}
diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml b/hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml
@@ -0,0 +1,47 @@
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled}}
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+  name: {{ include "cloudResources.gcp.serviceAccountName" . }}
+  annotations:
+    cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+  displayName: {{ .Release.Name }} hub user service account
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicy
+metadata:
+  name: workload-identity-binding
+  annotations:
+    cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+  resourceRef:
+    apiVersion: iam.cnrm.cloud.google.com/v1beta1
+    kind: IAMServiceAccount
+    name: {{ include "cloudResources.gcp.serviceAccountName" . }}
+  bindings:
+    - role: roles/iam.workloadIdentityUser
+      members:
+        - serviceAccount:{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.svc.id.goog[{{ .Release.Namespace }}/user-sa]
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: sa-requester-pays-binding
+  annotations:
+    cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+  member: serviceAccount:{{ include "cloudResources.gcp.serviceAccountName" . }}@{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.iam.gserviceaccount.com
+  role: roles/serviceusage.serviceUsageConsumer
+  resourceRef:
+    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+    kind: Project
+    external: projects/{{ .Values.jupyterhub.cloudResources.gcp.projectId }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: {{ include "cloudResources.gcp.serviceAccountName" .}}@{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.iam.gserviceaccount.com
+  name: user-sa
+{{- end }}
diff --git a/hub-templates/daskhub/templates/storage.yaml → ...s/cloud-resources/gcp/storage-bucket.yaml b/hub-templates/daskhub/templates/storage.yaml → ...s/cloud-resources/gcp/storage-bucket.yaml
@@ -1,15 +1,12 @@
-{{- define "daskhub.scratchBucket.name" -}}
-{{ .Values.iam.projectId }}-{{ .Release.Name }}-scratch-bucket
-{{- end }}
-{{ if .Values.scratchBucket.enabled }}
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled  }}
+{{ if eq .Values.jupyterhub.cloudResources.provider "gcp" }}
 apiVersion: storage.cnrm.cloud.google.com/v1beta1
 kind: StorageBucket
 metadata:
   annotations:
-    cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
+    cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
     cnrm.cloud.google.com/force-destroy: "false"
-
-  name: {{ include "daskhub.scratchBucket.name" . }}
+  name: {{ include "cloudResources.scratchBucket.name" . }}
 spec:
   bucketPolicyOnly: true
   lifecycleRule:
@@ -23,14 +20,15 @@ kind: IAMPolicyMember
 metadata:
   name: scratch-bucket-binding
   annotations:
-    cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
+    cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
 spec:
-  member: serviceAccount:{{ include "daskhub.serviceAccountName" . }}@{{ .Values.iam.projectId }}.iam.gserviceaccount.com
+  member: serviceAccount:{{ include "cloudResources.gcp.serviceAccountName" . }}@{{ .Values.jupyterhub.cloudResources.gcp.projectId}}.iam.gserviceaccount.com
   # This gives users the ability to delete the bucket too :(
   # But without this, I think you can't list objects in the bucket
   role: roles/storage.admin
   resourceRef:
     apiVersion: storage.cnrm.cloud.google.com/v1beta1
     kind: StorageBucket
-    name: {{ include "daskhub.scratchBucket.name" . }}
+    name: {{ include "cloudResources.scratchBucket.name" . }}
+{{- end }}
 {{- end }}
diff --git a/hub-templates/basehub/values.yaml b/hub-templates/basehub/values.yaml
@@ -28,6 +28,12 @@ nfsPVC:
     baseShareName: /export/home-01/homes/
 
 jupyterhub:
+  cloudResources:
+    provider: null
+    gcp:
+      projectId: null
+    scratchBucket:
+      enabled: false
   ingress:
     enabled: true
     annotations:

diff --git a/hub-templates/daskhub/templates/env-vars.yaml b/hub-templates/daskhub/templates/env-vars.yaml
diff --git a/hub-templates/daskhub/templates/gcp-iam.yaml b/hub-templates/daskhub/templates/gcp-iam.yaml
diff --git a/hub-templates/daskhub/templates/sa.yaml b/hub-templates/daskhub/templates/sa.yaml