Support runway deployment in external GCP projects/organizations

Overview

Today we have runway-staging and runway-production, and all services run in those GCP projects. With Create GCP project hierarchy in new GitLab.com ... (gitlab-com/gl-infra/production-engineering#25282 - closed) we are going to create a new GCP organization for Cells. This means that runway-staging and runway-production aren't going to be part of that organization.

We also have the topology service, which will require a data store (Google Spanner), and we shouldn't give other services the possibility of accessing it unless it's through the topology service.

Action Items

Implementation items

  • Refactor provisioner and runwayctl to stop using a hardcoded GCP project
  • Add functionality to create google_project resource (use ops.gitlab.net/gitlab-com/project/google module). User to provide billing account info, folder id and namespace.
  • Grant the provisioner SA a list of roles for the new project using the runway-project module in config-mgmt.
  • Add functionality for users to define runway services using external projects

External dependency:

  • [optional - not urgent for this issue] Create a runway subfolder in the current infrastructure/environment folder for future GCP projects within the current organization.
  • [requires help from Cells] Add the roles/resourcemanager.projectCreator role for the runway subfolder in the cluster-wide service folder to our provisioner service account.

Related workflow: migrate provisioner pipeline to ops mirror

Stages of delivery

Edited by Sylvester Chin