infra/gcp/main: add k8s-metrics-canary special-case

k8s-metrics is a low-traffic GCS bucket for the project, setup
permissions to trial moving it from one org to the other. The steps for
this process are going to look something like:

- allow google.com prow to write to the new bucket
- allow humans to own the new bucket
- sync contents from old bucket to new bucket
- setup canary job on k8s-infra-prow-build-trusted that writes to the new
  bucket to confirm permissions are correct for executing bigquery
  queries that use the k8s-gubernator:builds dataset and writing to the
  new bucket
- remove canary job / move old job to k8s-infra-prow-build-trusted
- delete old bucket
- rename new bucket to old bucket

infra/gcp/ensure-main-project.sh

@@ -396,11 +396,36 @@ function ensure_prow_special_cases {
         return 1
     fi
     local project="${1}"
+
+    local bucket principal secret
+
     color 6 "Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted"
-    local principal secret
     principal="serviceAccount:$(svc_acct_email "k8s-infra-prow-build-trusted" "kubernetes-external-secrets")"
     secret=$(secret_full_name "${project}" "k8s-infra-ci-robot-github-token")
-    ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor"
+    ensure_secret_role_binding "${secret}" "${principal}" "roles/secretmanager.secretAccessor" 2>&1 | indent
+
+    color 6 "Special case: ensuring gs://k8s-metrics-canary exists for gs://k8s-metrics migration"
+    (
+      bucket="gs://k8s-metrics-canary"
+      owners="k8s-infra-prow-oncall@kubernetes.io"
+      local old_service_account="triage@k8s-gubernator.iam.gserviceaccount.com"
+
+      ensure_public_gcs_bucket "${project}" "${bucket}"
+      ensure_gcs_bucket_auto_deletion "${bucket}" "365" # match gs://k8s-metrics
+      # GCS admins can admin all GCS buckets
+      empower_gcs_admins "${project}" "${bucket}"
+      # bucket owners can admin this bucket
+      empower_group_to_admin_gcs_bucket "${owners}" "${bucket}"
+      # TODO(spiffxp): copy pasted to flip to ensure_removed when migrated
+      # k8s-prow-builds can write to this bucket
+      principal="serviceAccount:${old_service_account}"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+      # k8s-infra-prow-build-trusted can write to this bucket
+      principal="serviceAccount:$(svc_acc_email "k8s-infra-prow-build-trusted" "k8s-metrics")"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "objectAdmin"
+      ensure_gcs_role_binding "${bucket}" "${principal}" "legacyBucketWriter"
+    ) 2>&1 | indent
 }
 
 function ensure_main_project() {