Merge pull request #2403 from spiffxp/use-k8s-infra-ci-robot-in-trusted

infra/gcp: allow prow trusted cluster use of k8s-infra-ci-robot
kubernetes · Jul 28, 2021 · 7ea4d2f · 7ea4d2f
2 parents f7fb63f + dccb82a
commit 7ea4d2f
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/...-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml b/...-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml
@@ -38,3 +38,16 @@ spec:
   - key: k8s-triage-robot-github-token # The name of the GSM Secret
     name: token                        # The key to write to in the Kubernetes Secret
     version: latest                    # The version of the GSM Secret
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: k8s-infra-ci-robot-github-token
+  namespace: test-pods
+spec:
+  backendType: gcpSecretsManager
+  projectId: kubernetes-public
+  data:
+  - key: k8s-infra-ci-robot-github-token # The name of the GSM Secret
+    name: token                          # The key to write to in the Kubernetes Secret
+    version: latest                      # The version of the GSM Secret
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
@@ -368,6 +368,21 @@ function ensure_aaa_external_secrets() {
     done
 }
 
+# Special-case IAM bindings that are necessary for k8s-infra prow or
+# its build clusters to operate on resources within the given project
+function ensure_prow_special_cases {
+    if [ $# -ne 1 ] || [ -z "$1" ]; then
+        echo "${FUNCNAME[0]}(project) requires 1 argument" >&2
+        return 1
+    fi
+    local project="${1}"
+    color 6 "Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted"
+    local principal secret
+    principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "kubernetes-external-secrets")"
+    secret=$(secret_full_name "${project}" "k8s-infra-ci-robot-github-token")
+    ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor"
+}
+
 function ensure_main_project() {
     if [ $# -ne 1 ] || [ -z "$1" ]; then
         echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2
@@ -423,6 +438,9 @@ function ensure_main_project() {
     color 6 "Ensuring secrets destined for apps in 'aaa' exist in: ${project}"
     ensure_aaa_external_secrets "${project}" 2>&1 | indent
 
+    color 6 "Ensuring prow special cases for: ${project}"
+    ensure_prow_special_cases "${project}" 2>&1 | indent
+
     color 6 "Ensuring biquery configured for billing and access by appropriate groups in: ${project}"
     ensure_billing_bigquery "${project}" 2>&1 | indent