Setup gcb-builder-releng-test SA for k8s-infra-prow-build
Try to converge on a consistent naming pattern:
- k8s-infra-staging-foo@kubernetes.io group
- k8s-staging-foo project
- gcb-builder-foo service account in k8s-staging-foo project
- gcb-builder-foo service account usable by prow
spiffxp committed Feb 9, 2021
1 parent 40cb5e7 commit 2251314
Showing 3 changed files with 28 additions and 21 deletions.
Expand Up @@ -11,6 +11,6 @@ kind: ServiceAccount
apiVersion: v1
metadata:
annotations:
iam.gke.io/gcp-service-account: k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com
name: k8s-infra-staging-releng-test
iam.gke.io/gcp-service-account: gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com
name: gcb-builder-releng-test
namespace: test-pods
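--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
@@ -154,19 +154,6 @@ empower_ksa_to_svcacct \
 "${PROJECT}" \
 "$(svc_acct_email "${PROJECT}" "k8s-infra-dns-updater")"
 
-color 6 "Ensuring the k8s-infra-staging-releng-test serviceaccount exists"
-ensure_service_account \
-"${PROJECT}" \
-"k8s-infra-staging-releng-test" \
-"k8s-infra releng test"
-
-color 6 -n "Empowering k8s-infra-staging-releng-test serviceaccount to be used on"
-color 6 " build cluster"
-empower_ksa_to_svcacct \
-"k8s-infra-prow-build.svc.id.goog[test-pods/k8s-infra-staging-releng-test]" \
-"${PROJECT}" \
-"$(svc_acct_email "${PROJECT}" "k8s-infra-staging-releng-test")"
-
 color 6 "Empowering ${DNS_GROUP}"
 gcloud projects add-iam-policy-binding "${PROJECT}" \
 --member "group:${DNS_GROUP}" \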
32 changes: 26 additions & 6 deletions infra/gcp/ensure-staging-storage.sh
Expand Up @@ -296,12 +296,32 @@ color 6 "Configuring special case for k8s-staging-ci-images"

# Special case: In order for pull-release-image-* to run on k8s-infra-prow-build,
# it needs write access to gcr.io/k8s-staging-releng-test. For now,
# we will grant the prow-build service account write access. Longer
# term we would prefer service accounts per project, and restrictions
# on which jobs can use which service accounts.

color 6 "Configuring special case for k8s-staging-releng-test"
(
PROJECT="k8s-staging-releng-test"
SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "k8s-infra-staging-releng-test")
empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
STAGING="releng-test"
PROJECT="k8s-staging-${STAGING}"
SERVICE_ACCOUNT_NAME="gcb-builder-${STAGING}"
SERVICE_ACCOUNT_EMAIL=$(svc_acct_email "${PROJECT}" "${SERVICE_ACCOUNT_NAME}")

color 6 "Ensuring ${SERVICE_ACCOUNT_EMAIL} serviceaccount exists"
ensure_service_account \
"${PROJECT}" \
"${SERVICE_ACCOUNT_NAME}" \
"used by k8s-infra-prow-build to trigger GCB, write to GCR for ${PROJECT}"

color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to write to GCR for ${PROJECT}"
empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT_EMAIL}" "${PROJECT}"

color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to trigger GCB for ${PROJECT}"
gcloud \
projects add-iam-policy-binding "${PROJECT}" \
--member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role roles/cloudbuild.builds.builder

color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to be used by k8s-infra-prow-build cluster"
empower_ksa_to_svcacct \
"k8s-infra-prow-build.svc.id.goog[test-pods/${SERVICE_ACCOUNT_NAME}]" \
"${PROJECT}" \
"${SERVICE_ACCOUNT_EMAIL}"
)
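Review bot: Nothing in the new block revokes what the removed lines previously granted, so the old `k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com` account appears to keep its GCR write access on `k8s-staging-releng-test` (removed lines 64-66) and the workloadIdentityUser binding for `test-pods/k8s-infra-staging-releng-test` that ensure-main-project.sh used to set up, unless something outside this diff cleans them up. Because these ensure-* scripts only add bindings, I would either add an explicit one-off removal of the two stale grants and the legacy service account, or at least leave a marker above the block such as `# TODO: remove the legacy k8s-infra-staging-releng-test SA in k8s-infra-prow-build and its GCR/WI bindings once gcb-builder-releng-test is verified working`. The same concern applies to the pure-deletion hunk in infra/gcp/ensure-main-project.sh. Separately, the retained comment now ends with "For now," — if the three removed comment lines were not replaced, it dangles and should instead describe the per-project gcb-builder model this commit introduces.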
