From e3f5a4f402bf2216e6c69c29fe172e08f539aefa Mon Sep 17 00:00:00 2001
From: Christie Wilson
Date: Thu, 31 Oct 2019 15:22:20 -0400
Subject: [PATCH] =?UTF-8?q?Add=20script=20for=20setting=20up=20GCP=20proje?= =?UTF-8?q?ct=20permissions=20=F0=9F=94=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In https://github.com/tektoncd/pipeline/issues/1500 @vdemeester wanted to be able to access our boskos projects to try to debug it but I had been lazy and not given everyone access b/c there are so many of them. I didn't want to do it (lazy) but then I realized that a script would make it easy! So I wrote this script; it doesn't have any tests or automation yet but eventually we could execute it as part of a Tekton pipeline and use it to make sure permissions are always what we expect.
---
 README.md | 5 +++-
 addpermissions.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100755 addpermissions.py

diff --git a/README.md b/README.md
index f2649f3be..b8ac009f7 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,19 @@ This repo holds configuration for infrastructure used across the tektoncd org 🏗️:
 - Automation runs [in the tektoncd GCP project](gcp.md)
+- The script [addpermissions.py](addpermissions.py) gives users access to
+  [the GCP projects](gcp.md)
 - [Prow](prow/README.md) is used for [pull request automation]((https://github.com/tektoncd/community/blob/master/process.md#reviews))
 - [Ingress](prow/README.md#ingress) configuration for access via `tekton.dev`
 - [Gubernator](gubernator/README.md) is used for holding and displaying [Prow](prow/README.md) logs
 - [Boskos](boskos/README.md) is used to control a pool of GCP projects which end to end tests can run against
+
 ## Support
 If you need support, reach out [in the tektoncd slack](https://github.com/tektoncd/community/blob/master/contact.md#slack) via the `#plumbing` channel.
 [Members of the Tekton governing board](goverance.md)
-[have access to the underlying resources](https://github.com/tektoncd/community/blob/master/governance.md#permissions-and-access).
\ No newline at end of file
+[have access to the underlying resources](https://github.com/tektoncd/community/blob/master/governance.md#permissions-and-access).
diff --git a/addpermissions.py b/addpermissions.py
new file mode 100755
index 000000000..db539a661
--- /dev/null
+++ b/addpermissions.py
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+"""
+addpermissions.py gives users access to the Tekton GCP projects
+
+In order to interact with GCP resources
+(https://github.com/tektoncd/plumbing/blob/master/gcp.md)
+folks sometimes need to be able to do actions like push images and view
+a project in the web console.
+
+This script will add the permissions allowed to folks on the governing board
+(https://github.com/tektoncd/community/blob/master/governance.md#permissions-and-access)
+to all GCP projects.
+
+
+This script requires the `gcloud` command line tool and the python
+`PyYaml` library.
+"""
+import argparse
+import shlex
+import shutil
+import subprocess
+import sys
+import urllib.request
+import yaml
+from typing import List
+
+
+ROLES = (
+    "roles/container.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/storage.admin",
+    "roles/viewer",
+)
+KNOWN_PROJECTS = (
+    "tekton-releases",
+    "tekton-nightly",
+)
+BOSKOS_CONFIG_URL = "https://raw.githubusercontent.com/tektoncd/plumbing/master/boskos/boskos-config.yaml"
+
+
+def gcloud_required() -> None:
+    if shutil.which("gcloud") is None:
+        sys.stderr.write("gcloud binary is required; https://cloud.google.com/sdk/install")
+        sys.exit(1)
+
+
+def add_to_all_projects(user: str, projects: List[str]) -> None:
+    for project in projects:
+        for role in ROLES:
+            subprocess.check_call(shlex.split(
+                "gcloud projects add-iam-policy-binding {} --member user:{} --role {}".format(project, user, role)
+            ))
+
+
+def parse_boskos_projects() -> List[str]:
+    config = urllib.request.urlopen(BOSKOS_CONFIG_URL).read()
+    c = yaml.load(config)
+    nested_config = c["data"]["config"]
+    cc = yaml.load(nested_config)
+    return cc["resources"][0]["names"]
+
+
+if __name__ == '__main__':
+    arg_parser = argparse.ArgumentParser(
+        description="Give a user access to all plumbing resources")
+    arg_parser.add_argument("--user", type=str, required=True,
+                            help="The name of the user's account, usually their email address")
+    args = arg_parser.parse_args()
+
+    gcloud_required()
+
+    boskos_projects = parse_boskos_projects()
+    add_to_all_projects(args.user, list(KNOWN_PROJECTS) + boskos_projects)
+
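Review bot: `parse_boskos_projects` calls `yaml.load(...)` twice with no `Loader` on a document fetched over the network, which older PyYAML resolves to a loader that constructs arbitrary Python objects (and PyYAML 6 rejects outright); the boskos config is plain data, so both calls should be `yaml.safe_load(...)`. The `urlopen` call in the same function has no timeout, so `urllib.request.urlopen(BOSKOS_CONFIG_URL, timeout=30)` would keep the script from hanging indefinitely on a stalled fetch. In `add_to_all_projects`, `--user` is interpolated into a command string and then re-split with `shlex.split`, so a value containing whitespace or quotes becomes extra gcloud arguments; building the argv list directly, `["gcloud", "projects", "add-iam-policy-binding", project, "--member", "user:" + user, "--role", role]`, avoids the round trip and drops the `shlex` import. Because every run grants `roles/storage.admin` and `roles/container.admin` on every project, including the whole boskos pool, echoing the project list and asking for confirmation (or a `--dry-run` flag) before the loop would be worth considering.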