Merge pull request #8085 from chrischdi/pr-infra-vsphere

infra: add k8s-infra-broadcom-admins and terraform for vSphere based CI

Author: k8s-ci-robot

groups/restrictions.yaml

@@ -290,6 +290,7 @@ restrictions:
       - "^[email protected]$"
       - "^[email protected]$"
       - "^[email protected]$"
+      - "^[email protected]$"
       - "^[email protected]$"
       - "^[email protected]$"
       - "^[email protected]$"

groups/sig-k8s-infra/groups.yaml

@@ -551,3 +551,17 @@ groups:
       - [email protected]
       - [email protected]
       - [email protected]
+
+  - email-id: [email protected]
+    name: k8s-infra-gcp-gcve-admins
+    description: |-
+      ACL for Broadcom/vSphere project on GCP
+    settings:
+      WhoCanPostMessage: "ANYONE_CAN_POST"
+      ReconcileMembers: "true"
+    members:
+      - [email protected]
+      - [email protected]
+      - [email protected]
+      - [email protected]
+      - [email protected]

infra/gcp/terraform/k8s-infra-gcp-gcve/OWNERS

@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- chrischdi
+- sbueringer
+- fabriziopandini

infra/gcp/terraform/k8s-infra-gcp-gcve/README.md

@@ -0,0 +1,74 @@
+# Setup
+
+## Creation of GCVE
+
+```sh
+gcloud auth application-default login
+terraform init
+terraform apply
+```
+
+## Setup jumphost/vpn for further configuration
+
+See [maintenance-jumphost/README.md](./maintenance-jumphost/README.md).
+
+## Manual creation of a user and other IAM configuration in vSphere
+
+> **Note:**
+> The configuration described here cannot be done via terraform due to non-existing functionality.
+
+First we generate a password for the user which will be used in prow and set it as environment variable:
+
+```sh
+ export GCVE_PROW_CI_PASSWORD="SomePassword"
+```
+
+And set credentials for `govc`:
+
+```sh
+ export GOVC_URL="$(gcloud vmware private-clouds describe k8s-gcp-gcve-pc --location us-central1-a --format='get(vcenter.fqdn)')"
+ export GOVC_USERNAME='[email protected]'
+ export GOVC_PASSWORD="$(gcloud vmware private-clouds vcenter credentials describe --private-cloud=k8s-gcp-gcve-pc [email protected] --location=us-central1-a --format='get(password)')"
+```
+
+Run the script to setup the user, groups and IAM in vSphere.
+
+```
+./vsphere/scripts/ensure-users-groups.sh
+```
+
+Create relevant secrets in Secrets Manager
+
+```sh
+gcloud secrets describe k8s-gcp-gcve-ci-url 2>/dev/null || echo "$GOVC_URL" | gcloud secrets create k8s-gcp-gcve-ci-url --data-file=-
+gcloud secrets describe k8s-gcp-gcve-ci-username 2>/dev/null || echo "[email protected]" | gcloud secrets create k8s-gcp-gcve-ci-username --data-file=-
+gcloud secrets describe k8s-gcp-gcve-ci-password 2>/dev/null || echo "${GCVE_PROW_CI_PASSWORD}" | gcloud secrets create k8s-gcp-gcve-ci-password --data-file=-
+gcloud secrets describe k8s-gcp-gcve-ci-thumbprint 2>/dev/null || echo "$(govc about.cert -json | jq -r '.thumbprintSHA256')" | gcloud secrets create k8s-gcp-gcve-ci-thumbprint --data-file=-
+```
+
+* `k8s-gcp-gcve-ci-username` with value `[email protected]`
+* `k8s-gcp-gcve-ci-password` with value set above for `GCVE_PROW_CI_PASSWORD`
+* `k8s-gcp-gcve-ci-url` with value set above for `GOVC_URL`
+
+> **Note:** Changing the GCVE CI user's password
+>
+> 1. Set GOVC credentials as above.
+> 2. Run govc command to update password: `govc sso.user.update -p "${GCVE_PROW_CI_PASSWORD}" prow-ci-user`
+> 3. Update secret `k8s-gcp-gcve-ci-password` in secrets-manager: `echo "${GCVE_PROW_CI_PASSWORD}" | gcloud secrets versions add k8s-gcp-gcve-ci-password --data-file=-`
+
+## Configuration of GCVE
+
+```sh
+ export [email protected]
+ export TF_VAR_vsphere_password="$(gcloud vmware private-clouds vcenter credentials describe --private-cloud=k8s-gcp-gcve-pc [email protected] --location=us-central1-a --format='get(password)')" # gcloud command
+ export TF_VAR_vsphere_server="$(gcloud vmware private-clouds describe k8s-gcp-gcve-pc --location us-central1-a --format='get(vcenter.fqdn)')"
+ export TF_VAR_nsxt_user=admin
+ export TF_VAR_nsxt_password="$(gcloud vmware private-clouds nsx credentials describe --private-cloud k8s-gcp-gcve-pc --location us-central1-a --format='get(password)')"
+ export TF_VAR_nsxt_server="$(gcloud vmware private-clouds describe k8s-gcp-gcve-pc --location us-central1-a --format='get(nsx.fqdn)')"
+```
+
+```sh
+cd vsphere
+terraform init
+terraform apply
+```

infra/gcp/terraform/k8s-infra-gcp-gcve/main.tf

@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+locals {
+  project_id = "broadcom-451918"
+}
+
+data "google_project" "project" {
+  project_id      = local.project_id
+}
+
+resource "google_project_service" "project" {
+  project = data.google_project.project.id
+
+  for_each = toset([
+    "compute.googleapis.com",
+    "secretmanager.googleapis.com",
+    "vmwareengine.googleapis.com"
+  ])
+
+  service = each.key
+}
+
+// Ensure [email protected] has admin access to this project
+resource "google_project_iam_member" "k8s_infra_leads" {
+  project = data.google_project.project.id
+  role    = "roles/admin"
+  member  = "group:[email protected]"
+}
+
+# TODO(chrischdi): we first need the group
+# // Ensure [email protected] has owner access to this project
+# resource "google_project_iam_member" "k8s_infra_vsphere" {
+#   project = data.google_project.project.id
+#   role    = "roles/owner"
+#   member  = "group:[email protected]"
+# }

infra/gcp/terraform/k8s-infra-gcp-gcve/maintenance-jumphost/README.md

@@ -0,0 +1,64 @@
+# Maintenance VM
+
+## Reprovisioning
+
+```sh
+terraform taint google_compute_instance.jumphost
+terraform apply
+```
+
+## Configuration
+
+### Configure a connection
+
+First we need to generate a wireguard keypair using `wg` (install on ubuntu via `apt-get install wireguard-tools`)
+
+```sh
+export CLIENT_PRIVATE_KEY="$(wg genkey)"
+export CLIENT_PUBLIC_KEY="$(echo $CLIENT_PRIVATE_KEY | wg pubkey)"
+```
+
+Next we have to pick a free IP address from the `192.168.29.0/24` subnet, which is not already in the server config file (see gcloud secret `maintenance-vm-wireguard-config`):
+
+```sh
+export CLIENT_IP_ADDRESS="192.168.29.X"
+```
+
+After that we generate a peer entry for the server configuration by using the output of the following script:
+
+```sh
+cat << EOF
+[Peer]
+PublicKey = ${CLIENT_PUBLIC_KEY}
+AllowedIPs = ${CLIENT_IP_ADDRESS}/32
+
+EOF
+```
+
+Then we add it to the secret `maintenance-vm-wireguard-config` [here](https://console.cloud.google.com/security/secret-manager/secret/maintenance-vm-wireguard-config/versions).
+
+To add it to a running VM:
+
+```sh
+gcloud compute ssh maintenance-jumphost
+sudo systemctl stop wg-quick@wg0
+sudo vim /etc/wireguard/wg0.conf
+sudo systemctl start wg-quick@wg0
+```
+
+Last we generate a wireguard client configuration:
+
+```sh
+cat << EOF
+[Interface]
+PrivateKey = ${CLIENT_PRIVATE_KEY}
+Address = ${CLIENT_IP_ADDRESS}/24
+MTU = 1360
+
+[Peer]
+PublicKey = $(gcloud secrets versions access --secret maintenance-vm-wireguard-pubkey latest)
+AllowedIPs = 192.168.30.0/24, 192.168.32.0/21
+Endpoint = $(gcloud compute instances list --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --filter='name=maintenance-jumphost'):51820
+PersistentKeepalive = 25
+EOF
+```

infra/gcp/terraform/k8s-infra-gcp-gcve/maintenance-jumphost/cloud-config.yaml.tftpl

@@ -0,0 +1,18 @@
+#cloud-config
+
+write_files:
+- path: /etc/wireguard/wg0.conf
+  content: "${wg0}"
+  encoding: b64
+  permissions: "0600"
+
+- path: /etc/sysctl.d/10-wireguard.conf
+  content: |
+    net.ipv4.ip_forward = 1
+
+runcmd:
+- apt-get update
+- apt install wireguard -q -y
+- sysctl -p /etc/sysctl.d/10-wireguard.conf
+- systemctl enable wg-quick@wg0
+- systemctl start wg-quick@wg0

infra/gcp/terraform/k8s-infra-gcp-gcve/maintenance-jumphost/jumphost.tf

@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+locals {
+  project_id = "broadcom-451918"
+}
+
+resource "google_compute_instance" "jumphost" {
+  project      = local.project_id
+  name         = "maintenance-jumphost"
+  machine_type = "f1-micro"
+  zone         = "us-central1-f"
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-2404-lts-amd64"
+    }
+  }
+
+  network_interface {
+    network = "maintenance-vpc-network"
+    subnetwork = "maintenance-subnet"
+    subnetwork_project = local.project_id
+    access_config {
+      network_tier = "STANDARD"
+    }
+  }
+
+  metadata = {
+    user-data = templatefile("${path.module}/cloud-config.yaml.tftpl", { wg0 = base64encode(data.google_secret_manager_secret_version_access.wireguard-config.secret_data) })
+  }
+}
+
+data "google_secret_manager_secret_version_access" "wireguard-config" {
+  project      = local.project_id
+  secret = "maintenance-vm-wireguard-config"
+}

infra/gcp/terraform/k8s-infra-gcp-gcve/maintenance-jumphost/provider.tf

@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+This file defines:
+- Required provider versions
+- Storage backend details
+*/
+
+terraform {
+
+  backend "gcs" {
+    bucket = "k8s-infra-tf-gcp-gcve"
+    prefix = "k8s-infra-gcp-maintenance-jumphost"
+  }
+
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.34.1"
+    }
+  }
+}

infra/gcp/terraform/k8s-infra-gcp-gcve/provider.tf

@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+This file defines:
+- Required provider versions
+- Storage backend details
+*/
+
+terraform {
+
+  backend "gcs" {
+    bucket = "k8s-infra-tf-gcp-gcve"
+    prefix = "k8s-infra-gcp-gcve"
+  }
+
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.34.1"
+    }
+  }
+}