From 4c9e6d2295598f0ffc543f7181bbc1086154170a Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Fri, 20 Nov 2020 17:31:47 -0500 Subject: [PATCH 1/2] Establish a staging repository for mirroring Docker Hub images Primary owners: Release Managers under the Release Engineering subproject of SIG Release. Shared ownership across: - SIG Release - SIG Testing - WG K8s Infra Signed-off-by: Stephen Augustus --- groups/sig-release/groups.yaml | 17 +++++++++++++++++ infra/gcp/ensure-staging-storage.sh | 2 ++ k8s.gcr.io/images/k8s-staging-mirror/OWNERS | 15 +++++++++++++++ .../images/k8s-staging-mirror/images.yaml | 1 + .../k8s-staging-mirror/promoter-manifest.yaml | 10 ++++++++++ 5 files changed, 45 insertions(+) create mode 100644 k8s.gcr.io/images/k8s-staging-mirror/OWNERS create mode 100644 k8s.gcr.io/images/k8s-staging-mirror/images.yaml create mode 100644 k8s.gcr.io/manifests/k8s-staging-mirror/promoter-manifest.yaml diff --git a/groups/sig-release/groups.yaml b/groups/sig-release/groups.yaml index ae615dc3863..62af1847e9c 100644 --- a/groups/sig-release/groups.yaml +++ b/groups/sig-release/groups.yaml @@ -150,6 +150,23 @@ groups: members: - k8s-infra-release-editors@kubernetes.io + - email-id: k8s-infra-staging-mirror@kubernetes.io + name: k8s-infra-staging-mirror + description: |- + ACL for staging mirror images + + This project is used to stage images mirrored from Docker Hub. + settings: + ReconcileMembers: "true" + members: + - k8s-infra-release-editors@kubernetes.io + - bentheelder@google.com # SIG Testing Chair + # wg-k8s-infra-oncall + - cblecker@gmail.com + - davanum@gmail.com + - spiffxp@google.com + - thockin@google.com + - email-id: k8s-infra-staging-releng@kubernetes.io name: k8s-infra-staging-releng description: |- diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh index e19b04df6b3..e7da985fbed 100755 --- a/infra/gcp/ensure-staging-storage.sh +++ b/infra/gcp/ensure-staging-storage.sh 
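Review bot: The description of the new `k8s-infra-staging-mirror` group in groups/sig-release/groups.yaml says what the project is for but not what membership grants. The grant itself is made outside this hunk, so an auditor reading this file cannot tell whether the thirteen added lines confer read or push rights on the staging registry. If the group carries write access, as the promoter manifest's header comment suggests, I would add a description line such as `Members can push images to gcr.io/k8s-staging-mirror.`. The wg-k8s-infra-oncall people are also listed as direct members, so this list needs a manual edit whenever that rotation changes.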
@@ -86,6 +86,7 @@ STAGING_PROJECTS=( kubernetes kustomize metrics-server + mirror multitenancy networking nfd @@ -106,6 +107,7 @@ STAGING_PROJECTS=( RELEASE_STAGING_PROJECTS=( kubernetes + mirror releng ) diff --git a/k8s.gcr.io/images/k8s-staging-mirror/OWNERS b/k8s.gcr.io/images/k8s-staging-mirror/OWNERS new file mode 100644 index 00000000000..6f8c36e1da6 --- /dev/null +++ b/k8s.gcr.io/images/k8s-staging-mirror/OWNERS @@ -0,0 +1,15 @@ +# See the OWNERS docs at https://go.k8s.io/owners + +options: + no_parent_owners: true +approvers: + - sig-release-leads + - sig-testing-leads + - release-engineering-approvers + - wg-k8s-infra-leads +reviewers: + - release-engineering-reviewers + +labels: + - sig/release + - area/release-eng diff --git a/k8s.gcr.io/images/k8s-staging-mirror/images.yaml b/k8s.gcr.io/images/k8s-staging-mirror/images.yaml new file mode 100644 index 00000000000..09a8acf3f91 --- /dev/null +++ b/k8s.gcr.io/images/k8s-staging-mirror/images.yaml @@ -0,0 +1 @@ +# NO IMAGES YET diff --git a/k8s.gcr.io/manifests/k8s-staging-mirror/promoter-manifest.yaml b/k8s.gcr.io/manifests/k8s-staging-mirror/promoter-manifest.yaml new file mode 100644 index 00000000000..754586c0ebd --- /dev/null +++ b/k8s.gcr.io/manifests/k8s-staging-mirror/promoter-manifest.yaml @@ -0,0 +1,10 @@ +# google group for gcr.io/k8s-staging-mirror is k8s-infra-staging-mirror@kubernetes.io +registries: +- name: gcr.io/k8s-staging-mirror + src: true +- name: us.gcr.io/k8s-artifacts-prod/mirror + service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com +- name: eu.gcr.io/k8s-artifacts-prod/mirror + service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com +- name: asia.gcr.io/k8s-artifacts-prod/mirror + service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com From 754294995f7b7554045fbe8d48d6b4e053a03045 Mon Sep 17 00:00:00 2001 
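Review bot: The `mirror` entry added to `RELEASE_STAGING_PROJECTS` in the @@ -106,6 +107,7 @@ hunk has no comment saying why a Docker Hub mirror belongs in the release set. The code that consumes this array is outside the hunk, so the extra bindings this line causes cannot be checked from the diff. Because membership in this array presumably drives IAM grants on the project, I would annotate the entry, e.g. `mirror # Docker Hub mirror; owned by Release Managers, see groups/sig-release/groups.yaml`. The array body starts and ends outside the hunk.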
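Review bot: The header comment of the new promoter-manifest.yaml names the owning Google group but not that everything in `gcr.io/k8s-staging-mirror` is a copy of third-party content from Docker Hub, as the commit message states. That is the fact a reviewer of a later promotion PR needs most, because this manifest makes the staging project a source for `k8s-artifacts-prod/mirror` in three regions. I would add a second comment line such as `# Images in this project are mirrored from Docker Hub; note the upstream repository and digest next to each entry in images/k8s-staging-mirror/images.yaml`. The placeholder `# NO IMAGES YET` in images.yaml would be a good place to state the same expectation.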
From: Stephen Augustus Date: Fri, 20 Nov 2020 18:24:13 -0500 Subject: [PATCH 2/2] releng: IAM grant to k8s-infra-google-build-admins for Docker Hub mirror Signed-off-by: Stephen Augustus --- OWNERS_ALIASES | 5 ++++ groups/sig-release/groups.yaml | 28 ++++++++++++++++----- k8s.gcr.io/images/k8s-staging-mirror/OWNERS | 1 + 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 30ccce6ba4c..7d0887f66e7 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -168,6 +168,11 @@ aliases: - nikhita - parispittman ## BEGIN CUSTOM CONTENT + build-admins: + - amwat + - BenTheElder + - MushuEE + - spiffxp build-image-approvers: - BenTheElder - cblecker diff --git a/groups/sig-release/groups.yaml b/groups/sig-release/groups.yaml index 62af1847e9c..fce76e63b74 100644 --- a/groups/sig-release/groups.yaml +++ b/groups/sig-release/groups.yaml @@ -20,6 +20,22 @@ groups: - sayan.chowdhury2012@gmail.com # 1.20 Bug Triage Shadow - v@gor.io # 1.20 Bug Triage Lead + - email-id: k8s-infra-google-build-admins@kubernetes.io + name: k8s-infra-google-build-admins + description: |- + ACL for Google Build Admins (edit access to Docker Hub mirror, view + access to Release GCP projects) + + https://git.k8s.io/sig-release/release-managers.md#build-admins + settings: + ReconcileMembers: "true" + members: + - k8s-infra-release-editors@kubernetes.io + - amwat@google.com + - bentheelder@google.com + - mushuee@google.com + - spiffxp@google.com + - email-id: k8s-infra-release-admins@kubernetes.io name: k8s-infra-release-admins description: |- @@ -59,6 +75,7 @@ groups: ReconcileMembers: "true" members: - k8s-infra-release-editors@kubernetes.io + - k8s-infra-google-build-admins@kubernetes.io - ameukam@gmail.com - gianarb92@gmail.com - gveronicalg@gmail.com 
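Review bot: The new `build-admins` alias in OWNERS_ALIASES lists the same four people that the @@ -20,6 +20,22 @@ hunk adds to `k8s-infra-google-build-admins`, with nothing tying the two lists together. One list governs PR approval and the other governs group membership, so a removal made in only one place leaves the other path open. A comment on the alias would make the coupling visible: `# keep in sync with k8s-infra-google-build-admins in groups/sig-release/groups.yaml`.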
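Review bot: `k8s-infra-release-editors@kubernetes.io` is listed as a member of the new `k8s-infra-google-build-admins` group, so every release editor inherits whatever this group is granted, although the name and description present it as the Google build admins. Context lines show other groups in this file nesting the same address, so this may be intentional. If so, say it on the entry, e.g. `- k8s-infra-release-editors@kubernetes.io # nested on purpose: release editors inherit build-admin access`. The description also promises edit and view access that actually come from the nestings added in the @@ -59,6 +75,7 @@ and @@ -160,12 +177,11 @@ hunks. The first of those targets a group whose header is outside the hunk, so the description will go stale if either nesting changes.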
@@ -160,12 +177,11 @@ groups: ReconcileMembers: "true" members: - k8s-infra-release-editors@kubernetes.io - - bentheelder@google.com # SIG Testing Chair - # wg-k8s-infra-oncall - - cblecker@gmail.com - - davanum@gmail.com - - spiffxp@google.com - - thockin@google.com + - k8s-infra-google-build-admins@kubernetes.io + - cblecker@gmail.com # wg-k8s-infra-oncall + - davanum@gmail.com # wg-k8s-infra-oncall + - spiffxp@google.com # wg-k8s-infra-oncall + - thockin@google.com # wg-k8s-infra-oncall - email-id: k8s-infra-staging-releng@kubernetes.io name: k8s-infra-staging-releng diff --git a/k8s.gcr.io/images/k8s-staging-mirror/OWNERS b/k8s.gcr.io/images/k8s-staging-mirror/OWNERS index 6f8c36e1da6..dbf43866ce8 100644 --- a/k8s.gcr.io/images/k8s-staging-mirror/OWNERS +++ b/k8s.gcr.io/images/k8s-staging-mirror/OWNERS @@ -7,6 +7,7 @@ approvers: - sig-testing-leads - release-engineering-approvers - wg-k8s-infra-leads + - build-admins reviewers: - release-engineering-reviewers
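Review bot: After this hunk `spiffxp@google.com` reaches `k8s-infra-staging-mirror` twice, once as a direct wg-k8s-infra-oncall entry and once through the nested `k8s-infra-google-build-admins` group. `k8s-infra-release-editors@kubernetes.io` does the same, being both a direct member and a member of that nested group. Overlapping paths make revocation error-prone, because removing someone from one list does not remove their access. I would either drop the redundant direct entries or mark them, e.g. `- spiffxp@google.com # wg-k8s-infra-oncall; also in k8s-infra-google-build-admins`. The group's header lines are outside the hunk.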
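Review bot: Adding `build-admins` to `approvers` in k8s.gcr.io/images/k8s-staging-mirror/OWNERS lets the same four people approve promotion entries and, through `k8s-infra-google-build-admins`, belong to the staging group for that registry. If that group carries push rights (the grant is not visible in this diff), one person could both stage an image and approve the images.yaml change that promotes it. Consider listing the alias under `reviewers` instead, or recording the expectation in the file: `# build-admins also have staging access; promotion PRs should be approved by someone who did not push the image`.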