Use terraform for workload identity in pangeo

Ref #1153
2i2c-org · Apr 3, 2022 · 3449481 · 3449481
1 parent 18bab32
commit 3449481
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/config/clusters/pangeo-hubs/prod.values.yaml b/config/clusters/pangeo-hubs/prod.values.yaml
@@ -1,7 +1,7 @@
 basehub:
   userServiceAccount:
     annotations:
-      iam.gke.io/gcp-service-account: prod-user-sa@pangeo-integration-te-3eea.iam.gserviceaccount.com
+      iam.gke.io/gcp-service-account: pangeo-hubs-prod@pangeo-integration-te-3eea.iam.gserviceaccount.com
   jupyterhub:
     hub:
       config:

diff --git a/config/clusters/pangeo-hubs/staging.values.yaml b/config/clusters/pangeo-hubs/staging.values.yaml
@@ -1,7 +1,7 @@
 basehub:
   userServiceAccount:
     annotations:
-      iam.gke.io/gcp-service-account: staging-user-sa@pangeo-integration-te-3eea.iam.gserviceaccount.com
+      iam.gke.io/gcp-service-account: pangeo-hubs-staging@pangeo-integration-te-3eea.iam.gserviceaccount.com
   jupyterhub:
     hub:
       config:

diff --git a/terraform/gcp/projects/pangeo-hubs.tfvars b/terraform/gcp/projects/pangeo-hubs.tfvars
@@ -7,14 +7,15 @@ enable_private_cluster = true
 enable_network_policy  = true
 
 # Some hubs want a storage bucket, so we need to have config connector enabled
-config_connector_enabled = true
+config_connector_enabled = false
 
 # Setup a filestore for in-cluster NFS
 enable_filestore = true
 filestore_capacity_gb = 2048
 
 user_buckets = [
-  "pangeo-scratch"
+  "scratch",
+  "scratch-staging"
 ]
 
 # Setup notebook node pools
@@ -59,3 +60,16 @@ dask_nodes = {
     labels: {},
   },
 }
+
+hub_cloud_permissions = {
+  "staging" : {
+    requestor_pays : true,
+    bucket_admin_access: ["scratch-staging"],
+    hub_namespace: "staging"
+  },
+  "prod" : {
+    requestor_pays : true,
+    bucket_admin_access: ["scratch"],
+    hub_namespace: "prod"
+  },
+}