Add serviceaccount to prod GCS buckets
The service account can be used for automation purposes, for example in
GitHub Actions when publishing releases.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert committed Oct 19, 2023
1 parent 9bf9931 commit 2e3c6c1
Showing 1 changed file with 19 additions and 3 deletions.
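--- a/infra/gcp/bash/ensure-prod-storage.sh
+++ b/infra/gcp/bash/ensure-prod-storage.sh
@@ -63,7 +63,8 @@ readonly ALL_PROD_PROJECTS
 # This is a list of all prod GCS buckets, but only their trailing "name". Each
 # name will get a GCS bucket called "k8s-artifacts-${name}", and write access
 # will be granted to the group "k8s-infra-push-${name}@kubernetes.io", which
-# must already exist.
+# must already exist. Additionally, a service account "k8s-infra-push-bot" will
+# be created which can be used for automation purposes.
 #
 ALL_PROD_BUCKETS=(
 "csi"
@@ -250,13 +251,28 @@ function ensure_all_prod_projects() {
 
 # Create all prod GCS buckets.
 function ensure_all_prod_buckets() {
+local sa_name="k8s-infra-push-bot"
+local sa_email="${sa_name}@${PROD_PROJECT}.iam.gserviceaccount.com"
+local principal="serviceAccount:${sa_email}"
+
+color 6 "Ensuring ${sa_email} exists and can write to prod buckets in project: ${PROD_PROJECT}"
+ensure_service_account \
+"${PROD_PROJECT}" \
+"${sa_name}" \
+"used by automation to push artifacts to prod buckets in ${PROD_PROJECT}"
+
 for sfx in "${ALL_PROD_BUCKETS[@]}"; do
-color 6 "Ensuring the GCS bucket: gs://k8s-artifacts-${sfx}"
+bucket="gs://k8s-artifacts-${sfx}"
+
+color 6 "Ensuring the GCS bucket: ${bucket}"
 ensure_prod_gcs_bucket \
 "${PROD_PROJECT}" \
-"gs://k8s-artifacts-${sfx}" \
+"${bucket}" \
 "k8s-infra-push-${sfx}@kubernetes.io" \
 | indent
+
+ensure_gcs_role_binding "${bucket}" "${principal}" "objectCreator"
+ensure_gcs_role_binding "${bucket}" "${principal}" "objectViewer"
 done
 }
 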
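Review bot: The single `k8s-infra-push-bot` account is bound with objectCreator and objectViewer on every bucket in ALL_PROD_BUCKETS, so one leaked credential for it can write into all prod artifact buckets at once; the commit does not show how GitHub Actions will authenticate as it, and that decision belongs in the header comment, e.g. `# k8s-infra-push-bot gets objectCreator+objectViewer on every prod bucket; authenticate via workload identity federation rather than an exported key.` Inside the loop, `bucket` is assigned without `local`, so it leaks out of ensure_all_prod_buckets as a global; add `local bucket` next to the other locals. The two ensure_gcs_role_binding calls are also not piped through `| indent` like ensure_prod_gcs_bucket, a small inconsistency in the output. ensure_service_account and ensure_gcs_role_binding are defined outside this hunk, so whether they fail loudly on a binding error cannot be confirmed here.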
