From dccb82a4ba13e9d8c63678db02c10b676ccb077a Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 28 Jul 2021 10:02:18 -0700
Subject: [PATCH] infra/gcp: allow prow trusted cluster use of k8s-infra-ci-robot

---
 .../test-pods/test-pods-externalsecrets.yaml | 13 +++++++++++++
 infra/gcp/ensure-main-project.sh | 18 ++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml
index 7871111ce5d..c680c523e0d 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/test-pods/test-pods-externalsecrets.yaml
@@ -38,3 +38,16 @@ spec:
 - key: k8s-triage-robot-github-token # The name of the GSM Secret
 name: token # The key to write to in the Kubernetes Secret
 version: latest # The version of the GSM Secret
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+ name: k8s-infra-ci-robot-github-token
+ namespace: test-pods
+spec:
+ backendType: gcpSecretsManager
+ projectId: kubernetes-public
+ data:
+ - key: k8s-infra-ci-robot-github-token # The name of the GSM Secret
+ name: token # The key to write to in the Kubernetes Secret
+ version: latest # The version of the GSM Secret
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index ea4f060d961..b9b5eb3c212 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
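Review bot: The new ExternalSecret document does not say which workload in the trusted cluster consumes `k8s-infra-ci-robot-github-token`, nor that its read access depends on the IAM binding this same commit adds in infra/gcp/ensure-main-project.sh (`ensure_prow_special_cases`), so a reader of this file alone cannot tell why a second robot token is being synced. Suggest a comment above the new `---` document, e.g. `# Synced for trusted prow jobs that act as k8s-infra-ci-robot; secretAccessor on the GSM secret is granted by ensure_prow_special_cases in infra/gcp/ensure-main-project.sh`. Since the resulting Kubernetes Secret lands in the `test-pods` namespace, presumably any job pod scheduled there can mount it, which is another reason to name the intended consumer.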
@@ -368,6 +368,21 @@ function ensure_aaa_external_secrets() {
 done
 }
 
+# Special-case IAM bindings that are necessary for k8s-infra prow or
+# its build clusters to operate on resources within the given project
+function ensure_prow_special_cases {
+ if [ $# -ne 1 ] || [ -z "$1" ]; then
+ echo "${FUNCNAME[0]}(project) requires 1 argument" >&2
+ return 1
+ fi
+ local project="${1}"
+ color 6 "Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted"
+ local principal secret
+ principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "kubernetes-external-secrets")"
+ secret=$(secret_full_name "${project}" "k8s-infra-ci-robot-github-token")
+ ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor"
+}
+
 function ensure_main_project() {
 if [ $# -ne 1 ] || [ -z "$1" ]; then
 echo "${FUNCNAME[0]}(gcp_project) requires 1 argument" >&2
@@ -423,6 +438,9 @@ function ensure_main_project() {
 color 6 "Ensuring secrets destined for apps in 'aaa' exist in: ${project}"
 ensure_aaa_external_secrets "${project}" 2>&1 | indent
 
+ color 6 "Ensuring prow special cases for: ${project}"
+ ensure_prow_special_cases "${project}" 2>&1 | indent
+
 color 6 "Ensuring biquery configured for billing and access by appropriate groups in: ${project}"
 ensure_billing_bigquery "${project}" 2>&1 | indent
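Review bot: `function ensure_prow_special_cases {` drops the `()` that every neighbouring definition in this hunk uses (`function ensure_aaa_external_secrets() {`, `function ensure_main_project() {`); both spellings are valid bash, but the mixed style is worth fixing as `function ensure_prow_special_cases() {`. The binding it creates only has an effect if `${project}` is the same project the trusted cluster's ExternalSecret reads from (`projectId: kubernetes-public` in test-pods-externalsecrets.yaml), and nothing in the function checks or states that coupling; a comment such as `# must match projectId in the trusted cluster's test-pods-externalsecrets.yaml` above the `secret=` line would make it visible to whoever next changes either side. The usage message `(project)` also differs from the sibling's `(gcp_project)` wording on the same check.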