[CI] Add Terraform resources for daily CronJob that processes LLVM commits (#495)

jriv01 · web-flow · commit 5d8aab5a8b02 · 2025-07-22T09:12:24.000-07:00
These resources are for a CronJob that executes the container at `ghcr.io/llvm/operations-metrics:latest` on a daily basis (07:00 UTC), which will scrape daily metrics regarding LLVM's commit volume and upload them for visualization in Grafana. Changes were made to the already existing terraform files since many of the same resources are being reused anyway. This way we can keep all relevant changes in the same place instead of having two separate terraform directories that access and modify shared resources. Since the container needs access to the BigQuery Google Cloud API, IAM and K8S service accounts were used to grant that access via Workload Identity Federation for GKE. More details at https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
diff --git a/premerge/gke_cluster/main.tf b/premerge/gke_cluster/main.tf
@@ -30,6 +30,10 @@ resource "google_container_node_pool" "llvm_premerge_linux_service" {
 
   node_config {
     machine_type = "e2-highcpu-4"
+
+    workload_metadata_config {
+      mode = "GKE_METADATA"
+    }
     # Terraform wants to recreate the node pool everytime whe running
     # terraform apply unless we explicitly set this.
     # TODO(boomanaiden154): Look into why terraform is doing this so we do
diff --git a/premerge/main.tf b/premerge/main.tf
@@ -221,3 +221,84 @@ resource "kubernetes_manifest" "metrics_deployment" {
 
   depends_on = [kubernetes_namespace.metrics, kubernetes_secret.metrics_secrets]
 }
+
+# Resources for collecting LLVM operational metrics data
+
+# Service accounts and bindings to grant access to the
+# BigQuery API for our cronjob
+resource "google_service_account" "operational_metrics_gsa" {
+  account_id   = "operational-metrics-gsa"
+  display_name = "Operational Metrics GSA"
+}
+
+resource "google_project_iam_binding" "bigquery_jobuser_binding" {
+  project = google_service_account.operational_metrics_gsa.project
+  role    = "roles/bigquery.jobUser"
+
+  members = [
+    "serviceAccount:${google_service_account.operational_metrics_gsa.email}",
+  ]
+
+  depends_on = [google_service_account.operational_metrics_gsa]
+}
+
+resource "kubernetes_namespace" "operational_metrics" {
+  metadata {
+    name = "operational-metrics"
+  }
+  provider = kubernetes.llvm-premerge-us-central
+}
+
+resource "kubernetes_service_account" "operational_metrics_ksa" {
+  metadata {
+    name      = "operational-metrics-ksa"
+    namespace = "operational-metrics"
+    annotations = {
+      "iam.gke.io/gcp-service-account" = google_service_account.operational_metrics_gsa.email
+    }
+  }
+
+  depends_on = [kubernetes_namespace.operational_metrics]
+}
+
+resource "google_service_account_iam_binding" "workload_identity_binding" {
+  service_account_id = google_service_account.operational_metrics_gsa.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "serviceAccount:${google_service_account.operational_metrics_gsa.project}.svc.id.goog[operational-metrics/operational-metrics-ksa]",
+  ]
+
+  depends_on = [
+    google_service_account.operational_metrics_gsa,
+    kubernetes_service_account.operational_metrics_ksa,
+  ]
+}
+
+resource "kubernetes_secret" "operational_metrics_secrets" {
+  metadata {
+    name      = "operational-metrics-secrets"
+    namespace = "operational-metrics"
+  }
+
+  data = {
+    "github-token"           = data.google_secret_manager_secret_version.metrics_github_pat.secret_data
+    "grafana-api-key"        = data.google_secret_manager_secret_version.metrics_grafana_api_key.secret_data
+    "grafana-metrics-userid" = data.google_secret_manager_secret_version.metrics_grafana_metrics_userid.secret_data
+  }
+
+  type       = "Opaque"
+  provider   = kubernetes.llvm-premerge-us-central
+  depends_on = [kubernetes_namespace.operational_metrics]
+}
+
+resource "kubernetes_manifest" "operational_metrics_cronjob" {
+  manifest = yamldecode(file("operational_metrics_cronjob.yaml"))
+  provider = kubernetes.llvm-premerge-us-central
+
+  depends_on = [
+    kubernetes_namespace.operational_metrics,
+    kubernetes_secret.operational_metrics_secrets,
+    kubernetes_service_account.operational_metrics_ksa,
+  ]
+}
diff --git a/premerge/operational_metrics_cronjob.yaml b/premerge/operational_metrics_cronjob.yaml
@@ -0,0 +1,45 @@
+# operational_metrics_cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: operational-metrics-cronjob
+  namespace: operational-metrics
+spec:
+  # Midnight PDT
+  schedule: "0 7 * * *"
+  timeZone: "Etc/UTC"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: operational-metrics-ksa
+          nodeSelector:
+            iam.gke.io/gke-metadata-server-enabled: "true"
+          containers:
+          - name: process-llvm-commits
+            image: ghcr.io/llvm/operations-metrics:latest
+            env:
+            - name: GITHUB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: operational-metrics-secrets
+                  key: github-token
+            - name: GRAFANA_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: operational-metrics-secrets
+                  key: grafana-api-key
+            - name: GRAFANA_METRICS_USERID
+              valueFrom:
+                secretKeyRef:
+                  name: operational-metrics-secrets
+                  key: grafana-metrics-userid
+            resources:
+              requests:
+                cpu: "250m"
+                memory: "256Mi"
+              limits:
+                cpu: "1"
+                memory: "512Mi"
+          restartPolicy: OnFailure
