From 9ba8b0d76a93233758975be2808e20088dbb36a0 Mon Sep 17 00:00:00 2001
From: YuviPanda
Date: Thu, 6 May 2021 23:23:35 +0530
Subject: [PATCH] Cleanup how GCP storage bucket is created

- Move everything into the base chart, rather than the daskhub chart. No reason this has to be coupled with dask. And if we want to use `z2jh.get_config` in `hub.extraConfig` to dynamically set environment values, the config needs to be under jupyterhub.
- Scope the resources more clearly to be gcp specific.
- Move some repetitive name constructions to a _helpers.tpl file
---
 config/hubs/2i2c.cluster.yaml | 26 +++++++---
 .../cloud-resources/gcp/_helpers.tpl | 9 ++++
 .../cloud-resources/gcp/env-vars.yaml | 9 ++++
 .../cloud-resources/gcp/service-account.yaml | 47 +++++++++++++++++
 .../cloud-resources/gcp/storage-bucket.yaml} | 18 +++----
 hub-templates/basehub/values.yaml | 6 +++
 hub-templates/daskhub/templates/env-vars.yaml | 9 ----
 .../daskhub/templates/service-account.yaml | 50 -------------------
 8 files changed, 97 insertions(+), 77 deletions(-)
 create mode 100644 hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl
 create mode 100644 hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml
 create mode 100644 hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml
 rename hub-templates/{daskhub/templates/storage.yaml => basehub/templates/cloud-resources/gcp/storage-bucket.yaml} (52%)
 delete mode 100644 hub-templates/daskhub/templates/env-vars.yaml
 delete mode 100644 hub-templates/daskhub/templates/service-account.yaml

diff --git a/config/hubs/2i2c.cluster.yaml b/config/hubs/2i2c.cluster.yaml
index 41912e4c4..f65bebab9 100644
--- a/config/hubs/2i2c.cluster.yaml
+++ b/config/hubs/2i2c.cluster.yaml
@@ -48,11 +48,14 @@ hubs:
 auth0:
 connection: google-oauth2
 config:
- iam:
- # FIXME: Automatically inject this
- projectId: two-eye-two-see
 basehub:
 jupyterhub:
+ cloudResources:
+ provider: gcp
+ gcp:
+ projectId: two-eye-two-see
+ scratchBucket:
+ enabled: true
 homepage:
 templateVars:
 org:
@@ -219,10 +222,14 @@ hubs:
 auth0:
 connection: google-oauth2
 config:
- iam:
- projectId: two-eye-two-see
 basehub:
 jupyterhub:
+ cloudResources:
+ provider: gcp
+ gcp:
+ projectId: two-eye-two-see
+ scratchBucket:
+ enabled: true
 singleuser:
 image:
 name: catalystcoop/pudl-jupyter
@@ -293,11 +300,14 @@ hubs:
 auth0:
 connection: github
 config:
- iam:
- # FIXME: Automatically inject this
- projectId: two-eye-two-see
 basehub:
 jupyterhub:
+ cloudResources:
+ provider: gcp
+ gcp:
+ projectId: two-eye-two-see
+ scratchBucket:
+ enabled: true
 singleuser:
 image:
 name: pangeo/pangeo-notebook
diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl b/hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl
new file mode 100644
index 000000000..ede5d9a18
--- /dev/null
+++ b/hub-templates/basehub/templates/cloud-resources/gcp/_helpers.tpl
@@ -0,0 +1,9 @@
+{{- define "cloudResources.gcp.serviceAccountName" -}}
+{{.Release.Name}}-user-sa
+{{- end }}
+
+{{- define "cloudResources.scratchBucket.name" -}}
+{{- if eq .Values.jupyterhub.cloudResources.provider "gcp" -}}
+{{ .Values.jupyterhub.cloudResources.gcp.projectId }}-{{ .Release.Name }}-scratch-bucket
+{{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml b/hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml
new file mode 100644
index 000000000..442e8c23f
--- /dev/null
+++ b/hub-templates/basehub/templates/cloud-resources/gcp/env-vars.yaml
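Review bot: The `# FIXME: Automatically inject this` comment is dropped from the first and third hubs while `projectId: two-eye-two-see` is still hand-copied into every hub under `cloudResources.gcp`, so the open task disappears from the file without being done. Keep the reminder next to the new key, e.g. `projectId: two-eye-two-see  # FIXME: Automatically inject this`, or, if the cluster definition already carries the project id somewhere above these hunks, reference that in the comment so the duplication has a single source to collapse to later.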
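Review bot: `cloudResources.scratchBucket.name` expands to an empty string for any provider other than `gcp`, and the sibling templates added in this patch that consume it (env-vars.yaml and service-account.yaml) are gated only on `scratchBucket.enabled`, so enabling the bucket with `provider` left at its default renders the GCP IAM objects from service-account.yaml regardless and a ConfigMap whose `scratch-bucket-name:` value is empty (parsed as null) instead of failing. Only storage-bucket.yaml repeats the provider check. Failing inside the helper covers every caller: `{{- else }}{{- fail (printf "cloudResources.scratchBucket.name: unsupported provider %q" .Values.jupyterhub.cloudResources.provider) }}{{- end -}}`. Note also that `eq` against a `null` provider may itself error rather than evaluate to false depending on the Go version Helm was built with, so an explicit message is clearer either way. The file also ends without a trailing newline.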
@@ -0,0 +1,9 @@
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: cloud-env-vars
+data:
+ scratch-bucket-name: {{ include "cloudResources.scratchBucket.name" . }}
+ scratch-bucket-protocol: "gcs"
+{{- end }}
\ No newline at end of file
diff --git a/hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml b/hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml
new file mode 100644
index 000000000..9c25341fb
--- /dev/null
+++ b/hub-templates/basehub/templates/cloud-resources/gcp/service-account.yaml
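Review bot: `scratch-bucket-name: {{ include "cloudResources.scratchBucket.name" . }}` emits the helper output as a plain scalar, but ConfigMap `data` values must be strings, so the line should be `scratch-bucket-name: {{ include "cloudResources.scratchBucket.name" . | quote }}` — matching how `project-id` is quoted in the sibling templates and guaranteeing a string even when the helper renders nothing. The `{{ if ...enabled}}` opener also lacks the space before `}}` that storage-bucket.yaml uses; trivial, but consistent spacing keeps the gates greppable.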
@@ -0,0 +1,47 @@
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled}}
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: {{ include "cloudResources.gcp.serviceAccountName" . }}
+ annotations:
+ cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+ displayName: {{ .Release.Name }} hub user service account
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicy
+metadata:
+ name: workload-identity-binding
+ annotations:
+ cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+ resourceRef:
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+ name: {{ include "cloudResources.gcp.serviceAccountName" . }}
+ bindings:
+ - role: roles/iam.workloadIdentityUser
+ members:
+ - serviceAccount:{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.svc.id.goog[{{ .Release.Namespace }}/user-sa]
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: sa-requester-pays-binding
+ annotations:
+ cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
+spec:
+ member: serviceAccount:{{ include "cloudResources.gcp.serviceAccountName" . }}@{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.iam.gserviceaccount.com
+ role: roles/serviceusage.serviceUsageConsumer
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: projects/{{ .Values.jupyterhub.cloudResources.gcp.projectId }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: {{ include "cloudResources.gcp.serviceAccountName" .}}@{{ .Values.jupyterhub.cloudResources.gcp.projectId }}.iam.gserviceaccount.com
+ name: user-sa
+{{- end }}
\ No newline at end of file
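Review bot: The `sa-requester-pays-binding` IAMPolicyMember grants `roles/serviceusage.serviceUsageConsumer` on the whole project to the per-hub user service account, and through the workload-identity binding to every pod that runs as the `user-sa` Kubernetes ServiceAccount — so every hub user can bill requester-pays reads from any bucket to this project. Nothing in the template says that is intended; add a comment above the `member:` line, e.g. `# Project-wide on purpose: lets user pods (via user-sa) pay for requester-pays buckets from this project`, and consider saying the same in values.yaml where `scratchBucket.enabled` is defined. Separately, `workload-identity-binding` is an `IAMPolicy`, which Config Connector documents as authoritative for the service account's IAM policy (bindings added out of band are removed), while the other binding in this file uses the additive `IAMPolicyMember`; if the asymmetry is deliberate a one-line comment would spare the next reader the surprise. The three `project-id :` keys carry a space before the colon; YAML tolerates it but it reads as a typo.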
diff --git a/hub-templates/daskhub/templates/storage.yaml b/hub-templates/basehub/templates/cloud-resources/gcp/storage-bucket.yaml
similarity index 52%
rename from hub-templates/daskhub/templates/storage.yaml
rename to hub-templates/basehub/templates/cloud-resources/gcp/storage-bucket.yaml
index 87181c985..71d7e15e6 100644
--- a/hub-templates/daskhub/templates/storage.yaml
+++ b/hub-templates/basehub/templates/cloud-resources/gcp/storage-bucket.yaml
@@ -1,15 +1,12 @@
-{{- define "daskhub.scratchBucket.name" -}}
-{{ .Values.iam.projectId }}-{{ .Release.Name }}-scratch-bucket
-{{- end }}
-{{ if .Values.scratchBucket.enabled }}
+{{ if .Values.jupyterhub.cloudResources.scratchBucket.enabled }}
+{{ if eq .Values.jupyterhub.cloudResources.provider "gcp" }}
 apiVersion: storage.cnrm.cloud.google.com/v1beta1
 kind: StorageBucket
 metadata:
 annotations:
- cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
+ cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
 cnrm.cloud.google.com/force-destroy: "false"
-
- name: {{ include "daskhub.scratchBucket.name" . }}
+ name: {{ include "cloudResources.scratchBucket.name" . }}
 spec:
 bucketPolicyOnly: true
 lifecycleRule:
@@ -23,14 +20,15 @@ kind: IAMPolicyMember
 metadata:
 name: scratch-bucket-binding
 annotations:
- cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
+ cnrm.cloud.google.com/project-id : {{ .Values.jupyterhub.cloudResources.gcp.projectId | quote }}
 spec:
- member: serviceAccount:{{ include "daskhub.serviceAccountName" . }}@{{ .Values.iam.projectId }}.iam.gserviceaccount.com
+ member: serviceAccount:{{ include "cloudResources.gcp.serviceAccountName" . }}@{{ .Values.jupyterhub.cloudResources.gcp.projectId}}.iam.gserviceaccount.com
 # This gives users the ability to delete the bucket too :(
 # But without this, I think you can't list objects in the bucket
 role: roles/storage.admin
 resourceRef:
 apiVersion: storage.cnrm.cloud.google.com/v1beta1
 kind: StorageBucket
- name: {{ include "daskhub.scratchBucket.name" . }}
+ name: {{ include "cloudResources.scratchBucket.name" . }}
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/hub-templates/basehub/values.yaml b/hub-templates/basehub/values.yaml
index 62b2822dc..755f81c7d 100644
--- a/hub-templates/basehub/values.yaml
+++ b/hub-templates/basehub/values.yaml
@@ -24,6 +24,12 @@ nfsPVC:
 baseShareName: /export/home-01/homes/

 jupyterhub:
+ cloudResources:
+ provider: null
+ gcp:
+ projectId: null
+ scratchBucket:
+ enabled: false
 ingress:
 enabled: true
 annotations:
diff --git a/hub-templates/daskhub/templates/env-vars.yaml b/hub-templates/daskhub/templates/env-vars.yaml
deleted file mode 100644
index c93a56244..000000000
--- a/hub-templates/daskhub/templates/env-vars.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ if .Values.scratchBucket.enabled }}
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: cloud-env-vars
-data:
- scratch-bucket-name: {{ include "daskhub.scratchBucket.name" . }}
- scratch-bucket-protocol: "gcs"
-{{- end }}
\ No newline at end of file
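Review bot: The binding keeps `roles/storage.admin` on the scratch bucket for the user service account, and the retained comment above it says the only reason is that users must be able to list objects. `roles/storage.objectAdmin` includes `storage.objects.list` alongside object create/get/delete but not `storage.buckets.delete` or bucket IAM changes, so `role: roles/storage.objectAdmin` would address the comment's own concern — worth verifying against the user tooling that only object-level access is needed. `force-destroy: "false"` in the first hunk only governs deletion through Config Connector, not a user calling the API with bucket-admin rights. Also, the `member:` line is missing a space before `}}` in `projectId}}`, unlike the same expression a few lines up. The IAMPolicyMember this hunk edits starts above the hunk.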
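Review bot: The six new keys under `jupyterhub.cloudResources` ship without comments, and `provider: null` gives no hint of which values are accepted or that `gcp.projectId` and `scratchBucket.enabled` only take effect together. Add a short comment block above `cloudResources:` describing the keys: that `provider` currently accepts only `gcp`, that `gcp.projectId` is the project the Config Connector resources are created in, and that `scratchBucket.enabled` creates a per-hub GCS bucket plus a user service account and IAM bindings for it. `enabled: false` as the default is the right choice given that the templates create IAM bindings.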
diff --git a/hub-templates/daskhub/templates/service-account.yaml b/hub-templates/daskhub/templates/service-account.yaml
deleted file mode 100644
index 957337fad..000000000
--- a/hub-templates/daskhub/templates/service-account.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- define "daskhub.serviceAccountName" -}}
-{{.Release.Name}}-user-sa
-{{- end }}
-{{ if .Values.scratchBucket.enabled }}
-apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMServiceAccount
-metadata:
- name: {{ include "daskhub.serviceAccountName" . }}
- annotations:
- cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
-spec:
- displayName: {{ .Release.Name }} hub user service account
----
-apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicy
-metadata:
- name: workload-identity-binding
- annotations:
- cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
-spec:
- resourceRef:
- apiVersion: iam.cnrm.cloud.google.com/v1beta1
- kind: IAMServiceAccount
- name: {{ include "daskhub.serviceAccountName" . }}
- bindings:
- - role: roles/iam.workloadIdentityUser
- members:
- - serviceAccount:{{ .Values.iam.projectId }}.svc.id.goog[{{ .Release.Namespace }}/user-sa]
----
-apiVersion: iam.cnrm.cloud.google.com/v1beta1
-kind: IAMPolicyMember
-metadata:
- name: sa-requester-pays-binding
- annotations:
- cnrm.cloud.google.com/project-id : {{ .Values.iam.projectId | quote }}
-spec:
- member: serviceAccount:{{ include "daskhub.serviceAccountName" . }}@{{ .Values.iam.projectId }}.iam.gserviceaccount.com
- role: roles/serviceusage.serviceUsageConsumer
- resourceRef:
- apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
- kind: Project
- external: projects/{{ .Values.iam.projectId }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- annotations:
- iam.gke.io/gcp-service-account: {{ include "daskhub.serviceAccountName" .}}@{{ .Values.iam.projectId }}.iam.gserviceaccount.com
- name: user-sa
-{{- end }}
\ No newline at end of file