

infra/gcp/bash: Add empower_file_promoter
Signed-off-by: Stephen Augustus <[email protected]>
justaugustus committed Sep 10, 2021
1 parent 655e07a commit 190c9d2
Showing 1 changed file with 25 additions and 7 deletions.
32 changes: 25 additions & 7 deletions infra/gcp/bash/lib.sh
Expand Up @@ -79,6 +79,9 @@ readonly AUDITOR_INVOKER_SVCACCT="k8s-infra-gcr-auditor-invoker"
# This is the Cloud Run service name of the auditor.
readonly AUDITOR_SERVICE_NAME="cip-auditor"

# The service account name for the file promoter.
readonly FILE_PROMOTER_SVCACCT="k8s-infra-promoter"

# The service account name for the image promoter.
readonly IMAGE_PROMOTER_SVCACCT="k8s-infra-gcr-promoter"

Expand Down Expand Up @@ -389,6 +392,26 @@ function empower_group_to_admin_image_auditor() {
--role="roles/iam.serviceAccountUser"
}

# Grant full privileges to the file promoter bot
# $1: The GCP project
# $2: The GCS region (optional)
function empower_file_promoter() {
if [ $# -lt 1 ] || [ $# -gt 2 ] || [ -z "$1" ]; then
echo "empower_file_promoter(project, [region]) requires 1 or 2 arguments" >&2
return 1
fi
local project="$1"
local region="${2:-}"
local acct
acct=$(svc_acct_email "${project}" "${FILE_PROMOTER_SVCACCT}")

ensure_service_account "${project}" "${FILE_PROMOTER_SVCACCT}" "artifact promoter"

# TODO(kpromo): Determine if admin access is required here.
# ref: https://github.com/kubernetes-sigs/k8s-container-image-promoter/issues/413
empower_svcacct_to_write_gcs "${acct}" "${project}" "${region}"
}

# Grant full privileges to the GCR promoter bot
# $1: The GCP project
# $2: The GCR region (optional)
Expand All @@ -399,15 +422,10 @@ function empower_image_promoter() {
fi
local project="$1"
local region="${2:-}"
local acct=
local acct
acct=$(svc_acct_email "${project}" "${IMAGE_PROMOTER_SVCACCT}")

if ! gcloud --project "${project}" iam service-accounts describe "${acct}" >/dev/null 2>&1; then
gcloud --project "${project}" \
iam service-accounts create \
"${IMAGE_PROMOTER_SVCACCT}" \
--display-name="k8s-infra container image promoter"
fi
ensure_service_account "${project}" "${IMAGE_PROMOTER_SVCACCT}" "k8s-infra container image promoter"

empower_svcacct_to_admin_gcr "${acct}" "${project}" "${region}"
}
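Review bot: The header comment on empower_file_promoter says it grants "full privileges", but the body only grants GCS write access via empower_svcacct_to_write_gcs, and the TODO directly above that call leaves admin access as an open question; the comment should state what is actually granted so a later reader does not widen the grant to match the comment, e.g. `# Grant the file promoter bot write access to GCS in the project`. The display name passed to ensure_service_account, "artifact promoter", also differs from the "file promoter" wording used in the header and in the FILE_PROMOTER_SVCACCT comment in the first hunk, while empower_image_promoter in the last hunk passes a k8s-infra-prefixed display name; `"k8s-infra file promoter"` would be consistent with both. Whether ensure_service_account is safe to call when the account already exists is not visible in this diff, unlike the inline describe-then-create check it replaces in empower_image_promoter; worth confirming, since both functions now depend on it.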
