audit followup: restore k8s-infra-gcr-auditor service account

[spiffxp]

I accidentally the account, noticed in #1718 (comment)

We need to:

• restore the account?
• or create a new one and rotate service account keys wherever necessary
• ensure everything that depended on this account is... back up? for whatever that looked like before?

/sig release
/release eng
/priority important-soon
AFAIK nobody has noticed this is down yet. I remember Tim mentioning something about silencing slack alerts a while back due to general nosie level
/assign @spiffxp
I did the oops, I feel pretty responsible for addressing it. That said, this might be a good opportunity for someone from @kubernetes/release-engineering to refresh knowledge on how this is supposed to be wired up and why.

[spiffxp]

/kind bug

[spiffxp]

This is blocking a merged PR from deploying properly, ref: #1966 (comment)

[spiffxp]

What is supposed to create this?

• The name but not the project is declared here:

  k8s.io/infra/gcp/lib.sh

  Line 51 in 9216eda

  AUDITOR_SVCACCT="k8s-infra-gcr-auditor"

• The account is created for a given project by empower_artifact_auditor(project) here:

  k8s.io/infra/gcp/lib.sh

  Lines 399 to 404 in 9216eda

  	if ! gcloud --project "${project}" iam service-accounts describe "${acct}" >/dev/null 2>&1; then
  	gcloud --project "${project}" \
  	iam service-accounts create \
  	"${AUDITOR_SVCACCT}" \
  	--display-name="k8s-infra container image auditor"
  	fi

  • This block should be changed to a call to ensure_service_account(project, name,display_name) from lib_iam.sh
• It looks like ensure-prod-storage.sh should be creating this account:

  k8s.io/infra/gcp/ensure-prod-storage.sh

  Line 323 in 163acfd

  empower_artifact_auditor "${PROD_PROJECT}"

  • But this script crashed right after "Empowering artifact-admins to release prod auditor" which is the line before
• So it's probably a matter of swapping the order so empower_artifact_auditor is called before empower_group_to_admin_artifact_auditor