Add gcs public bucket for prow staging logs.

Following prow [documentation](https://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-buckethttps://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-bucket) guidance : Create a GCS bucket for tide history and build logs. Create a service account and grant admin access to the bucket. Create a service account key and add the generated key to Secret Manager. Signed-off-by: Arnaud Meukam <[email protected]>
kubernetes · Dec 21, 2020 · 2e49fc0 · 2e49fc0
1 parent e85b729
commit 2e49fc0
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
@@ -57,6 +57,11 @@ CLUSTER_USERS_GROUP="[email protected]"
 # The DNS admins group.
 DNS_GROUP="[email protected]"
 
+# Buckets for the logs of prow
+PROW_BUCKETS=(
+    k8s-prow-staging-logs
+)
+
 color 6 "Ensuring project exists: ${PROJECT}"
 ensure_project "${PROJECT}"
 
@@ -84,6 +89,45 @@ enable_api "${PROJECT}" secretmanager.googleapis.com
 color 6 "Ensuring the cluster terraform-state bucket exists"
 ensure_private_gcs_bucket "${PROJECT}" "gs://${CLUSTER_TERRAFORM_BUCKET}"
 
+
+color 6 "Ensuring all the prow buckets exist"
+for bucket in "${PROW_BUCKETS[@]}"; do
+    color 6 "Ensuring bucket ${bucket} exists."
+    ensure_public_gcs_bucket "${PROJECT}" "gs://${bucket}"
+
+    SERVICE_ACCOUNT_NAME="sa-${bucket}"
+    SERVICE_ACCOUNT_EMAIL="$(svc_acct_email "${PROJECT}" \
+        "${SERVICE_ACCOUNT_NAME}")"
+    SECRET_ID="${SERVICE_ACCOUNT_NAME}-key"
+    TMP_DIR=$(mktemp -d "/tmp/${SERVICE_ACCOUNT_NAME}.XXXXXX")
+    KEY_FILE="${TMP_DIR}/key.json"
+
+    color 6 "Creating service account: ${SERVICE_ACCOUNT_NAME}"
+    ensure_service_account \
+        "${PROJECT}" \
+        "${SERVICE_ACCOUNT_NAME}" \
+        "${SERVICE_ACCOUNT_NAME}"
+
+    color 6 "Empowering service account: ${SERVICE_ACCOUNT_NAME}"
+    empower_svcacct_to_write_gcs_bucket "${SERVICE_ACCOUNT_EMAIL}" "gs://${bucket}"
+
+    color 6 "Creating private key for service account: ${SERVICE_ACCOUNT_NAME}"
+    gcloud iam service-accounts keys create "${KEY_FILE}" \
+        --project "${PROJECT}" \
+        --iam-account "${SERVICE_ACCOUNT_EMAIL}"
+
+    color 6 "Creating secret to store private key"
+    gcloud secrets create "${SECRET_ID}" \
+        --project "${PROJECT}" \
+        --replication-policy "automatic"
+
+    color 6 "Adding private key to secret ${SECRET_ID}"
+    gcloud secrets versions add "${SECRET_ID}" \
+        --project "${PROJECT}" \
+        --data-file "${KEY_FILE}"
+
+done 2>&1 | indent
+
 color 6 "Empowering BigQuery admins"
 gcloud projects add-iam-policy-binding "${PROJECT}" \
     --member "group:${BQ_ADMINS_GROUP}" \