From 1955428a0d5da3e24089d8bb721d4f5eae3526c5 Mon Sep 17 00:00:00 2001
From: Carlos Panato
Date: Sun, 7 Feb 2021 14:07:24 +0100
Subject: [PATCH] releng: setup service account to be used in prow build to access gcb
---
.../prow-build/resources/build-serviceaccounts.yaml | 8 ++++++++
infra/gcp/ensure-main-project.sh | 13 +++++++++++++
infra/gcp/ensure-staging-storage.sh | 12 ++++++++++++
3 files changed, 33 insertions(+)
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
index 417b0febba2..f92c6289fea 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
@@ -6,3 +6,11 @@ metadata:
 iam.gke.io/gcp-service-account: prow-build@k8s-infra-prow-build.iam.gserviceaccount.com
 name: prow-build
 namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com
+ name: k8s-infra-staging-releng-test
+ namespace: test-pods
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index 7cb20544dfd..3490a9a4be0 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
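Review bot: The new ServiceAccount document does not record who is meant to use it, and because it sits in `test-pods` next to `prow-build`, any job scheduled into that namespace can set `serviceAccountName: k8s-infra-staging-releng-test` and obtain the mapped GSA's credentials via Workload Identity. The annotation hard-codes the GSA project as `k8s-infra-prow-build`, so whichever script creates that GSA must create it there for the token exchange to work; this is worth stating next to the binding rather than leaving it implicit. A comment above the new `---` document would help the next maintainer, e.g. `# Used by the pull-release-image-* jobs to push to gcr.io/k8s-staging-releng-test; any pod in test-pods can request this KSA, so do not widen the GSA's grants beyond that registry.` The consumer name is taken from the comment the same commit adds in ensure-staging-storage.sh; confirm it against the job configs.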
@@ -154,6 +154,19 @@ empower_ksa_to_svcacct \
 "${PROJECT}" \
 "$(svc_acct_email "${PROJECT}" "k8s-infra-dns-updater")"
+color 6 "Ensuring the k8s-infra-staging-releng-test serviceaccount exists"
+ensure_service_account \
+ "${PROJECT}" \
+ "k8s-infra-staging-releng-test" \
+ "k8s-infra releng test"
+
+color 6 -n "Empowering k8s-infra-staging-releng-test serviceaccount to be used on"
+color 6 " build cluster"
+empower_ksa_to_svcacct \
+ "k8s-infra-prow-build.svc.id.goog[test-pods/k8s-infra-staging-releng-test]" \
+ "${PROJECT}" \
+ "$(svc_acct_email "${PROJECT}" "k8s-infra-staging-releng-test")"
+
 color 6 "Empowering ${DNS_GROUP}"
 gcloud projects add-iam-policy-binding "${PROJECT}" \
 --member "group:${DNS_GROUP}" \
diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
index b430f74100a..1e8a43a4afc 100755
--- a/infra/gcp/ensure-staging-storage.sh
+++ b/infra/gcp/ensure-staging-storage.sh
@@ -293,3 +293,15 @@ color 6 "Configuring special case for k8s-staging-ci-images"
 SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "prow-build")
 empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
 )
+
+# Special case: In order for pull-release-image-* to run on k8s-infra-prow-build,
+# it needs write access to gcr.io/k8s-staging-releng-test. For now,
+# we will grant the prow-build service account write access. Longer
+# term we would prefer service accounts per project, and restrictions
+# on which jobs can use which service accounts.
+color 6 "Configuring special case for k8s-staging-releng-test"
+(
+ PROJECT="k8s-staging-releng-test"
+ SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "k8s-infra-staging-releng-test")
+ empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
+)
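Review bot: The GSA is created and granted `workloadIdentityUser` in `${PROJECT}` (both `ensure_service_account` and the `svc_acct_email` argument to `empower_ksa_to_svcacct` use it), while the KSA annotation and the GCR grant in the same commit both name `k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com`. Unless `${PROJECT}` in this script resolves to `k8s-infra-prow-build` — which its name and the neighbouring dns-updater binding make doubtful — the GSA the pods will try to impersonate is never created, and the one that is created is never referenced by anything. The three hunks should agree on one project; the literal is already present in the Workload Identity member string on the same call, so either pass it explicitly, `"k8s-infra-prow-build" \` and `"$(svc_acct_email "k8s-infra-prow-build" "k8s-infra-staging-releng-test")"`, or move this block into the script that manages the prow-build project. The surrounding script continues outside the hunk, so I cannot see where `PROJECT` is set; please confirm its value before merging.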
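Review bot: The comment above the new special case does not describe the code beneath it: it says "we will grant the prow-build service account write access", but `SERVICE_ACCOUNT` is built from `k8s-infra-staging-releng-test`, not `prow-build`, and "longer term we would prefer service accounts per project" describes exactly what this block already does. It reads as copied from the k8s-staging-ci-images case and will mislead anyone auditing which identity can push to gcr.io/k8s-staging-releng-test. Replace it with `# Special case: pull-release-image-* runs on k8s-infra-prow-build and needs write access to gcr.io/k8s-staging-releng-test; grant that to the dedicated k8s-infra-staging-releng-test service account (not prow-build).` followed by `# Still outstanding: restricting which jobs may use that service account.` The `( … )` subshell correctly scopes the `PROJECT` reassignment, so no code change is needed there.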