Merge pull request #1620 from cpanato/svcacc-k8s-infra-staging-releng…

…-test releng: setup service account to be used in prow build to access gcb
kubernetes · Feb 8, 2021 · 40cb5e7 · 40cb5e7
2 parents 44fdc38 + 1955428
commit 40cb5e7
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/...cp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml b/...cp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
@@ -6,3 +6,11 @@ metadata:
     iam.gke.io/gcp-service-account: [email protected]
   name: prow-build
   namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com
+  name: k8s-infra-staging-releng-test
+  namespace: test-pods
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
@@ -154,6 +154,19 @@ empower_ksa_to_svcacct \
     "${PROJECT}" \
     "$(svc_acct_email "${PROJECT}" "k8s-infra-dns-updater")"
 
+color 6 "Ensuring the k8s-infra-staging-releng-test serviceaccount exists"
+ensure_service_account \
+    "${PROJECT}" \
+    "k8s-infra-staging-releng-test" \
+    "k8s-infra releng test"
+
+color 6 -n "Empowering k8s-infra-staging-releng-test serviceaccount to be used on"
+color 6 " build cluster"
+empower_ksa_to_svcacct \
+    "k8s-infra-prow-build.svc.id.goog[test-pods/k8s-infra-staging-releng-test]" \
+    "${PROJECT}" \
+    "$(svc_acct_email "${PROJECT}" "k8s-infra-staging-releng-test")"
+
 color 6 "Empowering ${DNS_GROUP}"
 gcloud projects add-iam-policy-binding "${PROJECT}" \
     --member "group:${DNS_GROUP}" \

diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
@@ -293,3 +293,15 @@ color 6 "Configuring special case for k8s-staging-ci-images"
     SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "prow-build")
     empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
 )
+
+# Special case: In order for pull-release-image-* to run on k8s-infra-prow-build,
+#               it needs write access to gcr.io/k8s-staging-releng-test. For now,
+#               we will grant the prow-build service account write access. Longer
+#               term we would prefer service accounts per project, and restrictions
+#               on which jobs can use which service accounts.
+color 6 "Configuring special case for k8s-staging-releng-test"
+(
+    PROJECT="k8s-staging-releng-test"
+    SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "k8s-infra-staging-releng-test")
+    empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
+)