Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use gcloud secrets instead of git-crypt for groups #821

Merged
merged 2 commits into from
Apr 30, 2020
Merged

Use gcloud secrets instead of git-crypt for groups #821

merged 2 commits into from
Apr 30, 2020

Conversation

spiffxp
Copy link
Member

@spiffxp spiffxp commented Apr 30, 2020
edited
Loading

tl;dr make -C groups run no longer depends on git-crypt

This modifies groups/reconciler.go to use the secret manager API to access its service account key instead of a file, and removes the service account key from this repo.

There is a new group k8s-infra-group-admins@kubernetes.io that has access to the secret. To bootstrap us I created the secret, ran the reconciler, and ran the ensure-gsuite.sh script.

Since we're now using the secretmanager API, this adds support for it to our audit scripts

ref: #813

@spiffxp
Use gcloud secrets instead of git-crypt for groups
1a9384d 
I have already run the reconciler so that everyone else
should have access to the secret necessary to run the
reconciler
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 30, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from bartsmykla and dims April 30, 2020 05:54
@k8s-ci-robot k8s-ci-robot added area/access Define who has access to what via IAM bindings, role bindings, policy, etc. wg/k8s-infra approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 30, 2020
@spiffxp spiffxp mentioned this pull request Apr 30, 2020
Closed
@k8s-ci-robot k8s-ci-robot added the area/audit Audit of project resources, audit followup issues, code in audit/ label Apr 30, 2020
@stp-ip
Copy link
Member

stp-ip commented Apr 30, 2020

Awesome. Code looks good.

@bartsmykla
Copy link
Contributor

@spiffxp lgtm, the only thing we can also do is to remove the first line from the .gitattributes file, but I don't think it should block this PR.

/lgtm
/hold for @dims

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 30, 2020
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 30, 2020
cblecker
cblecker reviewed Apr 30, 2020
View reviewed changes
Copy link
Member

@cblecker cblecker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this. Tested locally

infra/gcp/ensure-gsuite.sh
else
color 6 "Empowering ${GSUITE_GROUP_ADMINS} to access the ${GSUITE_SVCACCT}_key secret"
gcloud --project="${PROJECT}" \
secrets add-iam-policy-binding "${GSUITE_SVCACCT}_key" \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of add, should this be a "set"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a fair point. We haven't used set-iam-policy in these scripts yet. I'd like to do this as a followup as I have some groups reconciliation to do for some other PRs

@spiffxp
Copy link
Member Author

spiffxp commented Apr 30, 2020

/hold cancel
merging this so I can reconcile other groups

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 30, 2020
@spiffxp spiffxp mentioned this pull request Apr 30, 2020
Closed
@k8s-ci-robot k8s-ci-robot merged commit 7ecef2f into kubernetes:master Apr 30, 2020
@spiffxp spiffxp deleted the gcloud-secret-over-git-crypt branch April 30, 2020 15:58
@dims
Copy link
Member

dims commented Apr 30, 2020

LGTM

This was referenced May 7, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cblecker cblecker cblecker left review comments

@bartsmykla bartsmykla Awaiting requested review from bartsmykla

@dims dims Awaiting requested review from dims

Assignees

@bartsmykla bartsmykla

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/audit Audit of project resources, audit followup issues, code in audit/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@spiffxp @k8s-ci-robot @stp-ip @bartsmykla @dims @cblecker