releng: Add new projects for staging/releasing Kubernetes #624
Conversation
k8s-ci-robot
added
cncf-cla: yes
justaugustus
force-pushed
the
release-prod
branch
from
3f60c69
to
2dcc47d
Compare
|
/sig release |
|
@justaugustus: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
sig/release
| echo "usage: $0 [project...]" > /dev/stderr | ||
| echo "example:" > /dev/stderr | ||
| echo " $0 # do all release projects" > /dev/stderr | ||
| echo " $0 k8s-staging-release-test # just do one" > /dev/stderr |
There was a problem hiding this comment.
Should this be k8s-staging-kubernetes ?
There was a problem hiding this comment.
@listx -- It was just the usage example, but I've updated for consistency.
justaugustus
force-pushed
the
release-prod
branch
from
2dcc47d
to
53acfbd
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
FTR - some discussion on slack about whether we want 1 project for everything or a separate release project and a normal "staging" |
thockin
added
the
do-not-merge/hold
justaugustus
force-pushed
the
release-prod
branch
from
53acfbd
to
0181271
Compare
k8s-ci-robot
removed
the
lgtm
justaugustus
changed the title
justaugustus
force-pushed
the
release-prod
branch
2 times, most recently
from
4122ab0
to
44425e3
Compare
|
Do we need this for 1.18? i still need to digest this @justaugustus |
|
@dims -- Yes. As a happy consequence of the k8s.gcr.io domain flip (tentative: April 1st, essentially immediately after the 1.18.0 release), we'll need to modify anago and the surrounding libraries to point to K8s Infra, which means we have to kick the tires on K8s Infra staging as much as possible before then (during 1.18.0 dev cycle). I've begun that work here, but am currently blocked on this PR. |
|
/lgtm Let's wait for @thockin ...! |
k8s-ci-robot
added
the
lgtm
|
No objections to this from me |
infra/gcp/ensure-staging-storage.sh
Outdated
| @@ -103,6 +105,13 @@ for REPO; do | |||
| color 6 "Empowering ${WRITERS} as project viewers" | |||
| empower_group_as_viewer "${PROJECT}" "${WRITERS}" | |||
|
|
|||
| # Enable Release Manager Associates view access to | |||
There was a problem hiding this comment.
I'd rather pull these out as special-case blocks at the end, as in ensure-prod-storage.sh
infra/gcp/ensure-staging-storage.sh
Outdated
| @@ -161,5 +170,19 @@ for REPO; do | |||
| color 6 "Empowering Prow" | |||
| empower_prow "${PROJECT}" "${GCB_BUCKET}" | |||
|
|
|||
| # TODO(justaugustus): Remove once k8s-release-admin is configured and | |||
There was a problem hiding this comment.
what is "k8s-release-admin" here? A group? A project?
justaugustus
force-pushed
the
release-prod
branch
from
7d9403a
to
38a7499
Compare
k8s-ci-robot
removed
the
lgtm
|
@thockin --
|
justaugustus
force-pushed
the
release-prod
branch
from
38a7499
to
abfdde2
Compare
Here we add three new projects: - k8s-staging-kubernetes - k8s-staging-releng - k8s-releng-prod k8s-staging-kubernetes will be the official project for staging and releasing Kubernetes. k8s-staging-releng will be used to stage Release Engineering images. k8s-releng-prod will be a limited-scope near-prod project for Release Admins (Stephen, Tim, Caleb), which will contain KMS keys to be leveraged during staging and release. We add ensure-releng.sh, which configures the new k8s-release-admin GCP project now and grants KMS admin access to k8s-infra-release-admins. Staging release project settings have been replicated in the ensure-staging-storage.sh script. Signed-off-by: Stephen Augustus <saugustus@vmware.com>
|
Everything LGTM except:
|
justaugustus
force-pushed
the
release-prod
branch
from
abfdde2
to
05d3e72
Compare
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justaugustus, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
thockin
removed
the
do-not-merge/hold
|
Thanks for the reviews, y'all! |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
activated |
As part of the vanity image domain flip, @kubernetes/release-engineering / @kubernetes/release-managers will need a new project to stage artifacts to.
Namely, the images referenced in k/release/release-engineering/artifacts.md:
While we're sorting out exactly how we'd like that to work, I'd like to keep access scoped to only the @kubernetes/sig-release-admins, opening that up once the new flow is documented.
Here we add a new script,ensure-release-prod-projects.sh, which is a copy ofensure-release-projects.shwith the writer and viewer groups removed.Here we add three new projects:
k8s-staging-kubernetesk8s-staging-relengk8s-releng-prodk8s-staging-kuberneteswill be the official project for staging and releasing Kubernetes.k8s-staging-relengwill be used to stage Release Engineering images.k8s-releng-prodwill be a limited-scope near-prod project for Release Admins (Stephen, Tim, Caleb), which will contain KMS keys to be leveraged during staging and release.We add
ensure-releng.sh, which configures the new k8s-releng-prodGCP project now and grants KMS admin access to k8s-infra-release-admins.
Staging release project settings have been replicated in the
ensure-staging-storage.shscript.Signed-off-by: Stephen Augustus saugustus@vmware.com
/assign @thockin @listx
cc: @tpepper
ref: kubernetes/release#911, #623, kubernetes/release#270