infra/gcp/main: add k8s-project-metrics special-case

[spiffxp]

Related:

• Starts work on Migrate test-infra metrics to wg-k8s-infra #1306
• Part of Migrate away from google.com gcp project k8s-gubernator #1308

k8s-metrics is a low-traffic GCS bucket for the project, setup permissions to trial moving it from one org to the other. The steps for this process are going to look something like:

• allow google.com prow to write to the new bucket
• allow humans to own the new bucket
• sync contents from old bucket to new bucket
• setup canary job on k8s-infra-prow-build-trusted that writes to the new
  bucket to confirm permissions are correct for:
  • executing bigquery queries that use the k8s-gubernator:builds dataset
  • writing to the new bucket
• remove canary job / move old job to k8s-infra-prow-build-trusted
• delete old bucket
• rename new bucket to old bucket

If the rename fails, we'll use the new bucket name and look into a redirect from old files.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

/cc @ameukam @dims
/cc @MushuEE @BenTheElder

[ameukam]

/lgtm
/hold
Remove hold when ready.

[dims]

/lgtm

[spiffxp]

/hold cancel

[spiffxp]

Ensuring prow special cases for: kubernetes-public
  Special case: ensuring k8s-infra-ci-robot-github-token accessible by k8s-infra-prow-build-trusted
  Special case: ensuring gs://k8s-metrics-canary exists for gs://k8s-metrics migration
    Creating gs://k8s-project-metrics/...
    Enabling Bucket Policy Only for gs://k8s-project-metrics...
    @@ -1,3 +1,5 @@
    +- member: allUsers
    +  role: roles/storage.objectViewer
     - member: projectEditor:kubernetes-public
       role: roles/storage.legacyBucketOwner
     - member: projectOwner:kubernetes-public
    Setting lifecycle configuration on gs://k8s-project-metrics/...
    @@ -1 +1 @@
    -gs://k8s-project-metrics/ has no lifecycle configuration.
    +{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 365}}]}
    Updated IAM policy for project [kubernetes-public].
    @@ -8,6 +8,8 @@
       role: roles/logging.privateLogViewer
     - member: group:gke-security-groups@kubernetes.io
       role: roles/monitoring.viewer
    +- member: group:k8s-infra-artifact-admins@kubernetes.io
    +  role: roles/viewer
     - member: group:k8s-infra-aws-admins@kubernetes.io
       role: roles/viewer
     - member: group:k8s-infra-bigquery-admins@kubernetes.io
    @@ -1,5 +1,7 @@
     - member: allUsers
       role: roles/storage.objectViewer
    +- member: group:k8s-infra-artifact-admins@kubernetes.io
    +  role: roles/storage.objectAdmin
     - member: projectEditor:kubernetes-public
       role: roles/storage.legacyBucketOwner
     - member: projectOwner:kubernetes-public
    @@ -1,5 +1,7 @@
     - member: allUsers
       role: roles/storage.objectViewer
    +- member: group:k8s-infra-artifact-admins@kubernetes.io
    +  role: roles/storage.legacyBucketOwner
     - member: group:k8s-infra-artifact-admins@kubernetes.io
       role: roles/storage.objectAdmin
     - member: projectEditor:kubernetes-public
    @@ -4,6 +4,8 @@
       role: roles/storage.legacyBucketOwner
     - member: group:k8s-infra-artifact-admins@kubernetes.io
       role: roles/storage.objectAdmin
    +- member: group:k8s-infra-prow-oncall@kubernetes.io
    +  role: roles/storage.objectAdmin
     - member: projectEditor:kubernetes-public
       role: roles/storage.legacyBucketOwner
     - member: projectOwner:kubernetes-public
    @@ -4,6 +4,8 @@
       role: roles/storage.legacyBucketOwner
     - member: group:k8s-infra-artifact-admins@kubernetes.io
       role: roles/storage.objectAdmin
    +- member: group:k8s-infra-prow-oncall@kubernetes.io
    +  role: roles/storage.legacyBucketOwner
     - member: group:k8s-infra-prow-oncall@kubernetes.io
       role: roles/storage.objectAdmin
     - member: projectEditor:kubernetes-public
    @@ -14,3 +14,5 @@
       role: roles/storage.legacyBucketOwner
     - member: projectViewer:kubernetes-public
       role: roles/storage.legacyBucketReader
    +- member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
    +  role: roles/storage.objectAdmin
    @@ -14,5 +14,7 @@
       role: roles/storage.legacyBucketOwner
     - member: projectViewer:kubernetes-public
       role: roles/storage.legacyBucketReader
    +- member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
    +  role: roles/storage.legacyBucketWriter@@ -14,6 +14,8 @@
       role: roles/storage.legacyBucketOwner
     - member: projectViewer:kubernetes-public
       role: roles/storage.legacyBucketReader
    +- member: serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
    +  role: roles/storage.objectAdmin
     - member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
       role: roles/storage.legacyBucketWriter
     - member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
    @@ -14,6 +14,8 @@
       role: roles/storage.legacyBucketOwner
     - member: projectViewer:kubernetes-public
       role: roles/storage.legacyBucketReader
    +- member: serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
    +  role: roles/storage.legacyBucketWriter
     - member: serviceAccount:k8s-metrics@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
       role: roles/storage.objectAdmin
     - member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com     - member: serviceAccount:triage@k8s-gubernator.iam.gserviceaccount.com
       role: roles/storage.objectAdmin