Replace the in cluster greenhouse HTTP cache with a dedicated GCS bucket #5126

Merged: kubevirt-bot merged 3 commits into kubevirt:main from Whitedyl:migrate-bazel-cache-to-gsp on Jun 12, 2026
Whitedyl (Contributor) commented Jun 9, 2026

What this PR does / why we need it:
Migrates the Bazel remote cache from the in-cluster greenhouse HTTP service to a dedicated GCS bucket (kubevirt-bazel-cache). Moving to GCS gives us durable, scalable object storage as well as reducing poisoned cache failures.

  • New bazel-cache-gcs Kubernetes Secret added to all three cluster overlays, sourced from a dedicated service account scoped only to the new bucket.
  • New preset-bazel-cache-gcs-credentials preset that mounts the secret and exposes the credential path via BAZEL_CACHE_GOOGLE_CREDENTIALS (intentionally separate from GOOGLE_APPLICATION_CREDENTIALS to avoid conflicts with preset-gcs-credentials).
  • preset-bazel-cache updated to point at the GCS bucket URL instead of the greenhouse cluster-local host
  • create_bazel_cache_rcs.sh updated to use the GCS URL when BAZEL_REMOTE_CACHE is set, preserving per-workspace/toolchain path isolation within the bucket and authenticating via --google_credentials
  • preset-bazel-cache-gcs-credentials added to all jobs that use Bazel caching

Special notes for your reviewer:
/cc @dhiller @dollierp
Please add a /hold after approval as prow-deploy periodic will need to be manually run after merging to deploy the SA secret to the cluster.
Two follow-up PRs will be needed:

  • Removing greenhouse
  • Updating hack/clear-bazel-cache.sh

Checklist

  • Create GCS bucket (kubevirt-bazel-cache) and dedicated service account (key stored in k/secrets).

@kubevirt-bot kubevirt-bot requested review from dhiller and dollierp June 9, 2026 16:07
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/L labels Jun 9, 2026

gemini-code-assist Bot left a comment

Code Review

This pull request migrates the Bazel remote cache from a local HTTP cache to a Google Cloud Storage (GCS) bucket. It introduces a new preset preset-bazel-cache-gcs-credentials to mount GCS service account credentials, updates numerous Prow job configurations to use this preset, and modifies the bootstrap script create_bazel_cache_rcs.sh to configure Bazel with the GCS remote cache. Feedback suggests wrapping the --google_credentials option in a check to ensure it is only appended when BAZEL_CACHE_GOOGLE_CREDENTIALS is non-empty, preventing Bazel configuration errors when running locally or relying on Application Default Credentials.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
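
The guard described in the review summary above, as an added example (not the PR's code and not the contents of create_bazel_cache_rcs.sh): a hypothetical shell function, `emit_bazel_cache_rc`, that writes the `--remote_cache` line under a per-workspace cache id and appends `--google_credentials` only when a credentials path is set. The function name, the cache-id character rule, the readable-file check and the sample URL are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical helper, not the PR's create_bazel_cache_rcs.sh.
# Prints bazelrc lines for a bucket-backed remote cache.
#   $1  cache base URL            (value of BAZEL_REMOTE_CACHE; may be empty)
#   $2  per-workspace/toolchain cache id, used as a path segment in the bucket
#   $3  service-account key path  (value of BAZEL_CACHE_GOOGLE_CREDENTIALS; may be empty)
emit_bazel_cache_rc() {
    base_url=$1
    cache_id=$2
    creds=$3

    # No remote cache configured: print nothing, Bazel stays on its local cache.
    [ -n "$base_url" ] || return 0

    # The cache id isolates workspaces inside one bucket, so it must stay a
    # single path segment (assumed rule: letters, digits, '.', '_', '-').
    case $cache_id in
        '' | . | .. | *[!A-Za-z0-9._-]*)
            echo "invalid cache id: '$cache_id'" >&2
            return 1
            ;;
    esac

    printf 'build --remote_cache=%s/%s\n' "${base_url%/}" "$cache_id"

    # The guard from the review: write --google_credentials only when a path
    # is set, so a local run without the mounted secret still gets a valid rc.
    if [ -n "$creds" ]; then
        # Assumption: fail early if the path is set but the key is not readable.
        if [ ! -r "$creds" ]; then
            echo "credentials file not readable: $creds" >&2
            return 1
        fi
        printf 'build --google_credentials=%s\n' "$creds"
    fi
}

# Constructed sample values; the real bucket URL and mount path are not on the page.
if [ "${1:-}" = "--demo" ]; then
    emit_bazel_cache_rc "https://cache.example.invalid/bucket" "workspace-abc123" ""
fi
```

Rejecting cache ids that contain `/` or `..` keeps one job from writing into another workspace's prefix in the shared bucket.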

Comment thread images/bootstrap/create_bazel_cache_rcs.sh Outdated
Comment thread github/ci/prow-deploy/kustom/base/configs/current/config/config.yaml Outdated
@Whitedyl Whitedyl force-pushed the migrate-bazel-cache-to-gsp branch 2 times, most recently from 8e68310 to bc1fdff Compare June 10, 2026 17:58
Whitedyl (Contributor, Author) commented

@dollierp I've made the requested changes. Can you take a look?
Thanks!

Whitedyl (Contributor, Author) commented

/hold

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 11, 2026
Comment thread images/bootstrap/create_bazel_cache_rcs.sh Outdated
@Whitedyl Whitedyl force-pushed the migrate-bazel-cache-to-gsp branch from bc1fdff to 9c6c8a6 Compare June 11, 2026 13:37

dollierp (Contributor) left a comment

/approve

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 11, 2026
kubevirt-bot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dollierp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 11, 2026
dhiller (Contributor) commented Jun 12, 2026

/unhold

@kubevirt-bot kubevirt-bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jun 12, 2026
dhiller (Contributor) commented Jun 12, 2026

@Whitedyl it seems you need to resolve merge conflicts here first

Whitedyl and others added 3 commits June 12, 2026 10:14
…ket (kubevirt-bazel-cache) as the remote bazel cache backend

-Add bazel-cache-gsc Kubernetes Secret to all three workload overlays, sourced from SA in k/secrets repo
-Add preset-bazel-cache-gcs-credentials to mount the secret and expose the credential path
(via BAZEL_CACHE_GOOGLE_CREDENTIALS to avoid conflicts with preset-gcs-credentials)
-Update preset-bazel-cache to set BAZEL_REMOTE_CACHE pointing at the GCS bucket URL
instead of the greenhouse cluster-local host
-Update create_bazel_cache_rcs.sh to use the GCS URL when BAZEL_REMOTE_CACHE is set,
preserving per-workspace/toolchain path isolation
-Add preset-bazel-cache-gcs-credentials to all 37 jobs that use bazel caching

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dylan White <dywhite@redhat.com>
…test.sh

so kustomize can find the SA key file when building the overlay.
Guard --google_credentials in create_bazel_cache_rcs.sh so it is only
written when BAZEL_CACHE_GOOGLE_CREDENTIALS is non-empty.
Update preset-bazel-cache to include GCS bucket URL, credentials env var,
and SA secret volume/mount.
Remove preset-bazel-cache-gcs-credentials label from 37 job files as
credentials are now included directly in preset-bazel-cache.

Signed-off-by: Dylan White <dywhite@redhat.com>
Remove duplicated cache_id computation

Signed-off-by: Dylan White <dywhite@redhat.com>
@Whitedyl Whitedyl force-pushed the migrate-bazel-cache-to-gsp branch from 9c6c8a6 to 613007c Compare June 12, 2026 09:17
@kubevirt-bot kubevirt-bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 12, 2026
Whitedyl (Contributor, Author) commented

> @Whitedyl it seems you need to resolve merge conflicts here first

Yeah there were additions to deploy.sh and test.sh, I have resolved them now.

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 12, 2026
@kubevirt-bot kubevirt-bot merged commit 73bc71e into kubevirt:main Jun 12, 2026
7 checks passed
kubevirt-bot (Contributor) commented

@Whitedyl: Updated the config configmap in namespace kubevirt-prow at cluster default using the following files:

  • key config.yaml using file github/ci/prow-deploy/kustom/base/configs/current/config/config.yaml