Add gcs public bucket for k8s-infra-prow logs.

Following prow [documentation](https://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-buckethttps://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-bucket) guidance :
Create a GCS bucket for tide history and build logs.
Create a service account and grant admin access to the bucket.
Create a service account key and add the generated key to Secret
Manager.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>

infra/gcp/ensure-main-project.sh

@@ -78,6 +78,12 @@ readonly TERRAFORM_STATE_BUCKET_ENTRIES=(
     k8s-infra-tf-sandbox-ii:k8s-infra-ii-coop@kubernetes.io
 )
 
+
+#GCS buckets for k8s-infra-prow
+readonly PROW_BUCKETS=(
+    k8s-infra-prow-results
+)
+
 # The services we explicitly want enabled for the main project
 #
 # NOTE: Expected services include dependencies of these services, which may be
@@ -169,6 +175,48 @@ function ensure_terraform_state_buckets() {
     done
 }
 
+function ensure_prow_buckets() {
+    if [ $# -ne 1 ] || [ -z "$1" ]; then
+        echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2
+        return 1
+    fi
+
+    local project="${1}"
+
+    for bucket in "${PROW_BUCKETS[@]}"; do
+        local svc_acct_name="${bucket}-sa"
+        local svc_acct_email="$(svc_acct_email "${project}" \
+        "${svc_acct_name}")"
+        local SECRET_ID="${svc_acct_name}-key"
+
+        color 6 "Ensuring bucket ${bucket} exists and is only word-readable"
+        ensure_public_gcs_bucket "${project}" "gs://${bucket}"
+
+
+        color 6 "Creating service account: ${svc_acct_name}"
+        ensure_service_account \
+            "${project}" \
+            "${svc_acct_name}" \
+            "${svc_acct_name}"
+
+        color 6 "Empowering service account: ${svc_acct_name}"
+        empower_svcacct_to_write_gcs_bucket "${svc_acct_email}" "gs://${bucket}"
+
+        color 6 "Ensure secret ${SECRET_ID} exists in project ${PROJECT}"
+        ensure_secret "${project}" "${SECRET_ID}"
+
+        color "Ensure ${SECRET_ID} contains secret key for ${svc_acct_name}"
+        ensure_serviceaccount_key_secret "${project}" "${SECRET_ID}" "${svc_acct_email}"
+
+        color 6 "Empowering k8s-infra-prow-oncall@kubernetes.io to read secret ${SECRET_ID}"
+        ensure_secrets_role_binding \
+            "projects/${project}/secrets/${SECRET_ID}" \
+            "group:k8s-infra-prow-oncall@kubernetes.io" \
+            "roles/secretmanager.secretAccessor"
+
+    done
+}
+
 function empower_cluster_admins_and_users() {
     if [ $# -ne 1 ] || [ -z "$1" ]; then
         echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2
@@ -379,6 +427,9 @@ function ensure_main_project() {
     color 6 "Ensuring terraform state buckets exist with correct permissions in: ${project}"
     ensure_terraform_state_buckets "${project}" 2>&1 | indent
 
+    color 6 "Ensuring prow buckets exist in: ${project}"
+    ensure_prow_buckets "${project}" 2>&1 | indent
+
     color 6 "Empowering cluster users and admins for clusters in: ${project}"
     empower_cluster_admins_and_users "${project}" 2>&1 | indent
 

infra/gcp/lib_gsm.sh

@@ -102,8 +102,13 @@ function ensure_secret_with_admins() {
 #   $2: The secret name (e.g. "my-secret")
 #   $3: The service-account (e.g. "foo@k8s-infra.iam.gserviceaccount.com")
 function ensure_serviceaccount_key_secret() {
+<<<<<<< HEAD
     if [ ! $# -eq 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
         echo "${FUNCNAME[0]}(project, secret, serviceaccountt) requires 3 arguments" >&2
+=======
+    if [ ! $# -eq 3 -o -z "$1" -o -z "$2" -o -z "$3" ]; then
+        echo "ensure_serviceaccount_key_secret(project, secret, serviceaccount) requires 3 arguments" >&2
+>>>>>>> 0b821977 (Add gcs public bucket for k8s-infra-prow logs.)
         return 1
     fi