From 951a4e339141ad6d1fdc56ebd97419a3eac99e36 Mon Sep 17 00:00:00 2001 From: Arnaud Meukam Date: Wed, 19 May 2021 20:58:46 +0200 Subject: [PATCH] Add gcs public bucket for k8s-infra-prow logs. Following prow [documentation](https://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-buckethttps://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-bucket) guidance : Create a GCS bucket for tide history and build logs. Create a service account and grant admin access to the bucket. Create a service account key and add the generated key to Secret Manager. Signed-off-by: Arnaud Meukam --- infra/gcp/ensure-main-project.sh | 51 ++++++++++++++++++++++++++++++++ infra/gcp/lib_gsm.sh | 5 ++++ 2 files changed, 56 insertions(+) diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh index d212f817456..d5cd9f76b5a 100755 --- a/infra/gcp/ensure-main-project.sh +++ b/infra/gcp/ensure-main-project.sh @@ -78,6 +78,12 @@ readonly TERRAFORM_STATE_BUCKET_ENTRIES=( k8s-infra-tf-sandbox-ii:k8s-infra-ii-coop@kubernetes.io ) + +#GCS buckets for k8s-infra-prow +readonly PROW_BUCKETS=( + k8s-infra-prow-results +) + # The services we explicitly want enabled for the main project # # NOTE: Expected services include dependencies of these services, which may be 
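Review bot: The comment `#GCS buckets for k8s-infra-prow` above the new `PROW_BUCKETS` array does not say that every entry is made public, yet the function this patch adds further down (`ensure_prow_buckets`) passes each entry to `ensure_public_gcs_bucket`; someone extending the list later has no cue that they are publishing a bucket to the world. I would replace it with `# GCS buckets for k8s-infra-prow. NOTE: ensure_prow_buckets creates every bucket listed here world-readable; never add a bucket meant to hold anything non-public.` The neighbouring `TERRAFORM_STATE_BUCKET_ENTRIES` carries an owner per entry, so a reader could assume the same access model applies here when it does not. Minor style point: the file's other comments put a space after `#`.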
@@ -169,6 +175,48 @@ function ensure_terraform_state_buckets() { done } +function ensure_prow_buckets() { + if [ $# -ne 1 ] || [ -z "$1" ]; then + echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2 + return 1 + fi + + local project="${1}" + + for bucket in "${PROW_BUCKETS[@]}"; do + local svc_acct_name="${bucket}-sa" + local svc_acct_email="$(svc_acct_email "${project}" \ + "${svc_acct_name}")" + local SECRET_ID="${svc_acct_name}-key" + + color 6 "Ensuring bucket ${bucket} exists and is only word-readable" + ensure_public_gcs_bucket "${project}" "gs://${bucket}" + + + color 6 "Creating service account: ${svc_acct_name}" + ensure_service_account \ + "${project}" \ + "${svc_acct_name}" \ + "${svc_acct_name}" + + color 6 "Empowering service account: ${svc_acct_name}" + empower_svcacct_to_write_gcs_bucket "${svc_acct_email}" "gs://${bucket}" + + color 6 "Ensure secret ${SECRET_ID} exists in project ${PROJECT}" + ensure_secret "${project}" "${SECRET_ID}" + + color "Ensure ${SECRET_ID} contains secret key for ${svc_acct_name}" + ensure_serviceaccount_key_secret "${project}" "${SECRET_ID}" "${svc_acct_email}" + + color 6 "Empowering k8s-infra-prow-oncall@kubernetes.io to read secret ${SECRET_ID}" + ensure_secrets_role_binding \ + "projects/${project}/secrets/${SECRET_ID}" \ + "group:k8s-infra-prow-oncall@kubernetes.io" \ + "roles/secretmanager.secretAccessor" + + done +} + function empower_cluster_admins_and_users() { if [ $# -ne 1 ] || [ -z "$1" ]; then echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2 @@ -379,6 +427,9 @@ function ensure_main_project() { color 6 "Ensuring terraform state buckets exist with correct permissions in: ${project}" ensure_terraform_state_buckets "${project}" 2>&1 | indent + color 6 "Ensuring prow buckets exist in: ${project}" + ensure_prow_buckets "${project}" 2>&1 | indent + color 6 "Empowering cluster users and admins for clusters in: ${project}" empower_cluster_admins_and_users "${project}" 2>&1 | indent 
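Review bot: The call `color "Ensure ${SECRET_ID} contains secret key for ${svc_acct_name}"` omits the colour code that every sibling call in this function passes, so the message string lands in the position `color` takes its colour argument from; it should read `color 6 "Ensure ${SECRET_ID} contains secret key for ${svc_acct_name}"`. Two lines earlier, `color 6 "Ensure secret ${SECRET_ID} exists in project ${PROJECT}"` interpolates `${PROJECT}` although the function's parameter is the local `${project}` — presumably a typo, and one that would abort the script under `set -u` if nothing else in the file defines `PROJECT`. The log line `"Ensuring bucket ${bucket} exists and is only word-readable"` should say `world-readable`, and a comment above the `ensure_public_gcs_bucket` call stating that everything written to this bucket is public would help, since it receives build logs that can echo secrets if a job is careless. Note also that `ensure_serviceaccount_key_secret` mints a long-lived service-account key and the `roles/secretmanager.secretAccessor` binding lets the whole oncall group fetch it, so a comment next to `SECRET_ID` recording who rotates that key and how often would be worth adding. Finally, `local svc_acct_email="$(svc_acct_email "${project}" "${svc_acct_name}")"` masks the substitution's exit status; declare `local svc_acct_email` first and assign on the next line so a failed lookup is not silently turned into an empty email.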
diff --git a/infra/gcp/lib_gsm.sh b/infra/gcp/lib_gsm.sh index 9a1df0519f8..8a814e63050 100644 --- a/infra/gcp/lib_gsm.sh +++ b/infra/gcp/lib_gsm.sh @@ -102,8 +102,13 @@ function ensure_secret_with_admins() { # $2: The secret name (e.g. "my-secret") # $3: The service-account (e.g. "foo@k8s-infra.iam.gserviceaccount.com") function ensure_serviceaccount_key_secret() { +<<<<<<< HEAD if [ ! $# -eq 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then echo "${FUNCNAME[0]}(project, secret, serviceaccountt) requires 3 arguments" >&2 +======= + if [ ! $# -eq 3 -o -z "$1" -o -z "$2" -o -z "$3" ]; then + echo "ensure_serviceaccount_key_secret(project, secret, serviceaccount) requires 3 arguments" >&2 +>>>>>>> 0b821977 (Add gcs public bucket for k8s-infra-prow logs.) return 1 fi
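Review bot: This hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> 0b821977 (Add gcs public bucket for k8s-infra-prow logs.)` — into the argument check of `ensure_serviceaccount_key_secret`; as far as I can tell a line beginning `<<<<<<<` is a bash syntax error, so lib_gsm.sh stops being sourceable and ensure-main-project.sh from this same patch cannot run. Resolve it by keeping the HEAD side, `if [ ! $# -eq 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then`, and dropping the five added lines: the other side's `-o` form is the deprecated, ambiguous `test` syntax, and the sibling check this patch adds to `ensure_prow_buckets` already uses the separate-`[ ]`-joined-by-`||` form. The one thing worth salvaging from the discarded side is its spelling fix, so the surviving message should become `echo "${FUNCNAME[0]}(project, secret, serviceaccount) requires 3 arguments" >&2`. The rest of the function body lies outside the hunk.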