[𝘀𝗽𝗿] initial version

boomanaiden154 · boomanaiden154 · commit 5f72dd7ca453 · 2025-07-18T16:34:07.000Z
Created using spr 1.3.4
diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
@@ -12,6 +12,13 @@ resource "google_container_cluster" "llvm_premerge" {
   # for adding windows nodes to the cluster.
   networking_mode = "VPC_NATIVE"
   ip_allocation_policy {}
+
+  # Set the workload identity config so that we can authenticate with Google
+  # Cloud APIs using workload identity federation as described in
+  # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.
+  workload_identity_config {
+    workload_pool = "llvm-premerge-checks.svc.id.goog"
+  }
 }
 
 resource "google_container_node_pool" "llvm_premerge_linux_service" {
@@ -62,6 +69,12 @@ resource "google_container_node_pool" "llvm_premerge_linux" {
     resource_labels = {
       "goog-gke-node-pool-provisioning-model" = "on-demand"
     }
+
+    # Enable workload identity federation for this pool so that we can access
+    # GCS buckets.
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
   }
 }
 
@@ -139,5 +152,27 @@ resource "google_container_node_pool" "llvm_premerge_windows_2022" {
     resource_labels = {
       "goog-gke-node-pool-provisioning-model" = "on-demand"
     }
+
+    # Enable workload identity federation for this pool so that we can access
+    # GCS buckets.
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
   }
 }
+
+resource "google_storage_bucket" "object_cache_linux" {
+  name     = format("%s-object-cache-linux", var.cluster_name)
+  location = var.region
+
+  uniform_bucket_level_access = true
+  public_access_prevention    = "enforced"
+}
+
+resource "google_storage_bucket" "object_cache_windows" {
+  name     = format("%s-object-cache-windows", var.cluster_name)
+  location = var.region
+
+  uniform_bucket_level_access = true
+  public_access_prevention    = "enforced"
+}
diff --git a/premerge/main.tf b/premerge/main.tf
@@ -121,27 +121,31 @@ provider "kubernetes" {
 }
 
 module "premerge_cluster_us_central_resources" {
-  source                     = "./premerge_resources"
-  github_app_id              = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key     = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name               = "llvm-premerge-cluster-us-central"
-  grafana_token              = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name          = "llvm-premerge-cluster-us-central"
+  source                              = "./premerge_resources"
+  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                        = "llvm-premerge-cluster-us-central"
+  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                   = "llvm-premerge-cluster-us-central"
+  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
+  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-central
     helm       = helm.llvm-premerge-us-central
   }
 }
 
 module "premerge_cluster_us_west_resources" {
-  source                     = "./premerge_resources"
-  github_app_id              = data.google_secret_manager_secret_version.github_app_id.secret_data
-  github_app_installation_id = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
-  github_app_private_key     = data.google_secret_manager_secret_version.github_app_private_key.secret_data
-  cluster_name               = "llvm-premerge-cluster-us-west"
-  grafana_token              = data.google_secret_manager_secret_version.grafana_token.secret_data
-  runner_group_name          = "llvm-premerge-cluster-us-west"
+  source                              = "./premerge_resources"
+  github_app_id                       = data.google_secret_manager_secret_version.github_app_id.secret_data
+  github_app_installation_id          = data.google_secret_manager_secret_version.github_app_installation_id.secret_data
+  github_app_private_key              = data.google_secret_manager_secret_version.github_app_private_key.secret_data
+  cluster_name                        = "llvm-premerge-cluster-us-west"
+  grafana_token                       = data.google_secret_manager_secret_version.grafana_token.secret_data
+  runner_group_name                   = "llvm-premerge-cluster-us-west"
+  linux_runners_namespace_name        = "llvm-premerge-linux-runners"
+  windows_2022_runners_namespace_name = "llvm-premerge-windows-2022-runners"
   providers = {
     kubernetes = kubernetes.llvm-premerge-us-west
     helm       = helm.llvm-premerge-us-west
diff --git a/premerge/premerge_resources/main.tf b/premerge/premerge_resources/main.tf
@@ -19,7 +19,7 @@ resource "kubernetes_namespace" "llvm_premerge_controller" {
 
 resource "kubernetes_namespace" "llvm_premerge_linux_runners" {
   metadata {
-    name = "llvm-premerge-linux-runners"
+    name = var.linux_runners_namespace_name
   }
 }
 
@@ -43,14 +43,14 @@ resource "kubernetes_namespace" "llvm_premerge_libcxx_next_runners" {
 
 resource "kubernetes_namespace" "llvm_premerge_windows_2022_runners" {
   metadata {
-    name = "llvm-premerge-windows-2022-runners"
+    name = var.windows_2022_runners_namespace_name
   }
 }
 
 resource "kubernetes_secret" "linux_github_pat" {
   metadata {
     name      = "github-token"
-    namespace = "llvm-premerge-linux-runners"
+    namespace = var.linux_runners_namespace_name
   }
 
   data = {
@@ -146,7 +146,7 @@ resource "helm_release" "github_actions_runner_controller" {
 
 resource "helm_release" "github_actions_runner_set_linux" {
   name       = "llvm-premerge-linux-runners"
-  namespace  = "llvm-premerge-linux-runners"
+  namespace  = var.linux_runners_namespace_name
   repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
   version    = "0.11.0"
   chart      = "gha-runner-scale-set"
@@ -164,7 +164,7 @@ resource "helm_release" "github_actions_runner_set_linux" {
 
 resource "helm_release" "github_actions_runner_set_windows_2022" {
   name       = "llvm-premerge-windows-2022-runners"
-  namespace  = "llvm-premerge-windows-2022-runners"
+  namespace  = var.windows_2022_runners_namespace_name
   repository = "oci://ghcr.io/actions/actions-runner-controller-charts"
   version    = "0.11.0"
   chart      = "gha-runner-scale-set"
diff --git a/premerge/premerge_resources/variables.tf b/premerge/premerge_resources/variables.tf
@@ -70,3 +70,13 @@ variable "libcxx_next_runner_image" {
   type    = string
   default = "ghcr.io/llvm/libcxx-linux-builder:16f046281bf1a11d344eac1bc44d11f3e50e3b5d"
 }
+
+variable "linux_runners_namespace_name" {
+  description = "The name of the namespace containing the Linux runners"
+  type        = string
+}
+
+variable "windows_2022_runners_namespace_name" {
+  description = "The name of the namespace containing the Windows runners"
+  type        = string
+}
