From b9c46288871333f721b19eab8f6a92c2c35b693d Mon Sep 17 00:00:00 2001
From: Stephen Augustus
Date: Mon, 28 Oct 2019 02:46:04 -0400
Subject: [PATCH] releng: Add ensure-release-projects to grant rights to Release Managers
Establishes rights to GCS, GCB, and KMS for Release Managers
- Admins: release-managers-admins@
- Writers: release-managers-private@
- Viewers: release-managers@
Signed-off-by: Stephen Augustus
---
 infra/gcp/ensure-release-projects.sh | 140 +++++++++++++++++++++++++++
 infra/gcp/lib.sh | 17 ++++
 2 files changed, 157 insertions(+)
 create mode 100755 infra/gcp/ensure-release-projects.sh
diff --git a/infra/gcp/ensure-release-projects.sh b/infra/gcp/ensure-release-projects.sh
new file mode 100755
index 000000000000..fa58d3098c9c
--- /dev/null
+++ b/infra/gcp/ensure-release-projects.sh
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+#
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to ensure Release Managers have the appropriate access
+# to SIG Release GCP projects.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+. "${SCRIPT_DIR}/lib.sh"
+
+function usage() {
+ echo "usage: $0 [repo...]" > /dev/stderr
+ echo "example:" > /dev/stderr
+ echo " $0 # do all staging repos" > /dev/stderr
+ echo " $0 coredns # just do one" > /dev/stderr
+ echo > /dev/stderr
+}
+
+# NB: Please keep this sorted.
+PROJECTS=(
+ k8s-staging-release-test
+ k8s-release-test-prod
+)
+
+if [ $# = 0 ]; then
+ # default to all staging projects
+ set -- "${PROJECTS[@]}"
+fi
+
+ADMINS="release-managers-admins@kubernetes.io"
+WRITERS="release-managers-private@kubernetes.io"
+VIEWERS="release-managers@kubernetes.io"
+
+for REPO; do
+ color 3 "Configuring: ${REPO}"
+
+ # The GCP project name.
+ PROJECT="${REPO}"
+
+ # The names of the buckets
+ STAGING_BUCKET="gs://${PROJECT}" # used by humans
+ GCB_BUCKET="gs://${PROJECT}-gcb" # used by GCB
+ ALL_BUCKETS=("${STAGING_BUCKET}" "${GCB_BUCKET}")
+
+ # Make the project, if needed
+ color 6 "Ensuring project exists: ${PROJECT}"
+ ensure_project "${PROJECT}"
+
+ for group in ${ADMINS} ${WRITERS} ${VIEWERS}; do
+ # Enable admins to use the UI
+ color 6 "Empowering ${group} as project viewers"
+ empower_group_as_viewer "${PROJECT}" "${group}"
+ done
+
+ # Every project gets a GCR repo
+
+ # Enable container registry APIs
+ color 6 "Enabling the container registry API"
+ enable_api "${PROJECT}" containerregistry.googleapis.com
+
+ # Push an image to trigger the bucket to be created
+ color 6 "Ensuring the registry exists and is readable"
+ ensure_gcr_repo "${PROJECT}"
+
+ # Enable GCR admins
+ color 6 "Empowering GCR admins"
+ empower_gcr_admins "${PROJECT}"
+
+ # Enable GCR writers
+ for group in ${ADMINS} ${WRITERS}; do
+ color 6 "Empowering ${group} to GCR"
+ empower_group_to_gcr "${PROJECT}" "${group}"
+ done
+
+ # Every project gets some GCS buckets
+
+ # Enable GCS APIs
+ color 6 "Enabling the GCS API"
+ enable_api "${PROJECT}" storage-component.googleapis.com
+
+ for BUCKET in "${ALL_BUCKETS[@]}"; do
+ color 3 "Configuring bucket: ${BUCKET}"
+
+ # Create the bucket
+ color 6 "Ensuring the bucket exists and is world readable"
+ ensure_public_gcs_bucket "${PROJECT}" "${BUCKET}"
+
+ # Enable admins on the bucket
+ color 6 "Empowering GCS admins"
+ empower_gcs_admins "${PROJECT}" "${BUCKET}"
+
+ # Enable writers on the bucket
+ for group in ${ADMINS} ${WRITERS}; do
+ color 6 "Empowering ${group} to GCS"
+ empower_group_to_gcs_bucket "${group}" "${BUCKET}"
+ done
+ done
+
+ # Enable GCB and Prow to build and push images.
+
+ # Enable GCB APIs
+ color 6 "Enabling the GCB API"
+ enable_api "${PROJECT}" cloudbuild.googleapis.com
+
+ # Let project writers use GCB.
+ for group in ${ADMINS} ${WRITERS}; do
+ color 6 "Empowering ${group} as GCB editors"
+ empower_group_for_gcb "${PROJECT}" "${group}"
+ done
+
+ # Let prow trigger builds and access the scratch bucket
+ color 6 "Empowering Prow"
+ empower_prow "${PROJECT}" "${GCB_BUCKET}"
+
+ # Enable KMS APIs
+ color 6 "Enabling the KMS API"
+ enable_api "${PROJECT}" cloudkms.googleapis.com
+
+ # Let project admins use KMS.
+ color 6 "Empowering ${ADMINS} as KMS admins"
+ empower_group_for_kms "${PROJECT}" "${ADMINS}"
+
+ color 6 "Done"
+done
diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
index 72d6d29c6108..de58e9461373 100755
--- a/infra/gcp/lib.sh
+++ b/infra/gcp/lib.sh
@@ -287,6 +287,23 @@ function empower_group_for_gcb() {
 --role roles/serviceusage.serviceUsageConsumer
 }
+# Grant KMS admin privileges to a principal
+# $1: The GCP project
+# $2: The group email
+function empower_group_for_kms() {
+ if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+ echo "empower_group_for_kms(project, group) requires 2 arguments" >&2
+ return 1
+ fi
+ project="$1"
+ group="$2"
+
+ gcloud \
+ projects add-iam-policy-binding "${project}" \
+ --member "group:${group}" \
+ --role roles/cloudkms.admin
+}
+
+# Grant privileges to prow in a staging project
+# $1: The GCP project
+# $2: The GCS scratch bucket
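Review bot: The `usage()` function in the new ensure-release-projects.sh still describes the staging-storage script (`[repo...]`, "do all staging repos", `coredns`) and is never called, so it is both misleading and dead code; I'd rewrite it as `echo "usage: $0 [project...]" > /dev/stderr` / `echo "    $0 # do all release projects" > /dev/stderr` / `echo "    $0 k8s-release-test-prod # just do one" > /dev/stderr` and call it for an unrecognised argument such as `-h`. The comment `# default to all staging projects` and the `PROJECTS` list labelled "Please keep this sorted" share that copy-paste origin: the list is not sorted (`k8s-release-test-prod` orders before `k8s-staging-release-test`). The loops of the form `for group in ${ADMINS} ${WRITERS}; do` rely on unquoted word splitting of the email variables; an array (`GCS_WRITERS=("${ADMINS}" "${WRITERS}")`, iterated as `"${GCS_WRITERS[@]}"`) keeps ShellCheck clean and the same behaviour. Both buckets, including the GCB scratch bucket `gs://${PROJECT}-gcb`, go through `ensure_public_gcs_bucket` and are therefore world readable; if Cloud Build stages source tarballs in that bucket, it is worth confirming that exposure is intended for the prod project as well.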
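Review bot: In `empower_group_for_kms`, `project="$1"` and `group="$2"` are plain assignments, so every call overwrites any `project`/`group` variable the caller holds; `local project="$1"` and `local group="$2"` would scope them, unless lib.sh deliberately avoids `local` in its other helpers (they are outside this hunk). The header comment could also record what the binding grants, since `roles/cloudkms.admin` is attached at project scope and covers key-ring/key administration and their IAM but not encrypt/decrypt operations: `# Binds roles/cloudkms.admin project-wide: manage key rings, keys and their IAM; no encrypt/decrypt`. The argument check uses `-o`, which POSIX `test` marks obsolescent; `if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then` is the unambiguous form if that matches the convention in the rest of lib.sh.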