Script adding a GCR staging repo #186
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
As promised on Friday, the script. |
k8s-ci-robot
added
the
size/L
|
Related to #158 |
| gcloud \ | ||
| projects add-iam-policy-binding "${PROJECT}" \ | ||
| --member "group:${ADMINS}" \ | ||
| --role roles/viewer |
There was a problem hiding this comment.
do we just want admins as 'viewers'? what about 'owners'?
There was a problem hiding this comment.
They only need project viewer for the UI to work. They have bucket admin for the specific buckets.
We're trying to keep untra-limited perms when possible.
There was a problem hiding this comment.
who is going to manage the projects? just who create them?
There was a problem hiding this comment.
the set of people who can create projects is very small and should, itself be governed by a googlegroup
| # Grant repo writers access to write. | ||
| color 6 "Granting bucket objectAdmin to ${WRITERS}" | ||
| gsutil iam ch "group:${WRITERS}:objectAdmin" "gs://${BUCKET}" | ||
| color 6 "Granting bucket legacyBucketReader to ${WRITERS}" |
There was a problem hiding this comment.
do we need 'legacyBucketReader'?
are we going to store GCS buckets as well or just GCR?
There was a problem hiding this comment.
without buckets.list it didn't work, and there doesn't seem to be a role that includes that permission that isn't "legacy" (and I didn't want to make a custom role, though we could, I guess...)
There was a problem hiding this comment.
you are right, the other alternative is 'roles/storage.admin'
|
LGTM as side note, we should also document somewhere who is going to own the groups like 'k8s-infra-gcr-staging-${REPO}@googlegroups.com', probably another google group? |
|
/assign @justinsb Justin, can you please peek? |
|
I am working on a quick followup commit to age-out old data |
|
PTAL at last commit, too |
| BILLING="018801-93540E-22A20E" | ||
|
|
||
| # Make the project, if needed | ||
| if ! gcloud projects describe "${PROJECT}" >/dev/null 2>&1; then |
There was a problem hiding this comment.
What happens if this project name happens to be an unrelated 3rd party?
There was a problem hiding this comment.
You won't be able to list those. I don't see a way to only list projects under a specific org - do you know of one? Assuming you have a project with this name pattern in your scope, something else will fail. Or if you have project admin, maybe it won't fail.
We could require this create to happen, which makes the scripts not re-runnable. We could add flags to say --project-exists or something. Is that worth the effort?
gcr/add-staging-repo.sh
Outdated
| docker tag k8s.gcr.io/pause "gcr.io/${PROJECT}/pause" | ||
| docker push "gcr.io/${PROJECT}/pause" | ||
| gcloud --project "${PROJECT}" \ | ||
| container images delete --quiet "gcr.io/${PROJECT}/pause:latest" |
There was a problem hiding this comment.
Scary! Worth tagging gcr.io/${PROJECT}/ceci-nest-pas-une-image or some other thing that isn't important?
There was a problem hiding this comment.
hahah, sure. In next push
|
Two paranoid suggestions, but lgtm /lgtm |
k8s-ci-robot
added
the
lgtm
thockin
force-pushed
the
script-gcr-staging
branch
from
3434cd8 to
d9ef140
Compare
k8s-ci-robot
removed
the
lgtm
|
New push is up with image name change. Other is unresolved. Launch and iterate? |
|
thanks for adding the age-out. +1 to launch/iterate /approve leaving |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
We could check the project existence with:
gcloud projects describe k8s-staging-coredns --flatten='parent[]'
--format='csv[no-heading](type, id)' | grep ^organization, | cut -f2 -d,
and match that against the
…On Thu, Feb 14, 2019 at 11:48 AM Javier B Perez ***@***.***> wrote:
***@***.**** approved this pull request.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#186 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVMy8-RihnH4dOrzLRPLvc9yT7RWMks5vNb1-gaJpZM4a1Nvd>
.
|
|
Pushed with that added. @justinsb should be placated now...
…On Thu, Feb 14, 2019 at 2:45 PM Tim Hockin ***@***.***> wrote:
We could check the project existence with:
gcloud projects describe k8s-staging-coredns --flatten='parent[]'
--format='csv[no-heading](type, id)' | grep ^organization, | cut -f2 -d,
and match that against the
On Thu, Feb 14, 2019 at 11:48 AM Javier B Perez ***@***.***>
wrote:
> ***@***.**** approved this pull request.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#186 (review)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AFVgVMy8-RihnH4dOrzLRPLvc9yT7RWMks5vNb1-gaJpZM4a1Nvd>
> .
>
|
thockin
force-pushed
the
script-gcr-staging
branch
from
2842c2b to
20ee04c
Compare
|
ping for lgtm |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
No description provided.