Merge pull request #553 from thockin/gcs-for-cni

Create a GCS bucket for CNI artifacts
kubernetes · Jan 28, 2020 · c72a701 · c72a701
2 parents 9be75de + 41ca3df
commit c72a701
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 26 deletions.
diff --git a/groups/groups.yaml b/groups/groups.yaml
@@ -287,6 +287,17 @@ groups:
       - spiffxp@google.com
       - thockin@google.com
 
+  - email-id: k8s-infra-push-cni@kubernetes.io
+    name: k8s-infra-push-cni
+    description: |-
+      ACL for pushing CNI artifacts
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - dcbw@redhat.com
+      - stephen.k8s@agst.us
+      - thockin@google.com
+
   - email-id: k8s-infra-rbac-cert-manager@kubernetes.io
     name: k8s-infra-rbac-cert-manager
     description: |-

diff --git a/infra/gcp/ensure-prod-storage.sh b/infra/gcp/ensure-prod-storage.sh
@@ -90,6 +90,9 @@ ALL_PROD_PROJECTS=(
 # Regions for prod.
 PROD_REGIONS=(us eu asia)
 
+# Minimum time we expect to keep prod artifacts.
+PROD_RETENTION="10y"
+
 # Make the projects, if needed
 for prj in "${ALL_PROD_PROJECTS[@]}"; do
     color 6 "Ensuring project exists: ${prj}"
@@ -126,8 +129,7 @@ for prj in "${ALL_PROD_PROJECTS[@]}"; do
     ensure_public_gcs_bucket "${prj}" "gs://${prj}"
 
     color 6 "Ensuring the GCS bucket retention policy is set: ${prj}"
-    RETENTION="10y"
-    ensure_gcs_bucket_retention "gs://${prj}" "${RETENTION}"
+    ensure_gcs_bucket_retention "gs://${prj}" "${PROD_RETENTION}"
 
     color 6 "Empowering GCS admins: ${prj}"
     empower_gcs_admins "${prj}" "gs://${prj}"
@@ -143,6 +145,20 @@ upload_gcs_static_content \
     "gs://${PROD_PROJECT}" \
     "${SCRIPT_DIR}/static/prod-storage"
 
+# Special case: grant the push groups access to their buckets.
+# This is for serving CNI artifacts.  We need a new bucket for this because
+# there's no concept of permissions on a "subdirectory" of a bucket.  So until we
+# have a promoter for k8s-artifacts-prod, we do this.
+CNI_BUCKET="k8s-artifacts-cni"
+CNI_GROUP="k8s-infra-push-cni@kubernetes.io"
+color 6 "Ensuring the CNI GCS bucket exists and is readable"
+ensure_public_gcs_bucket "${PROD_PROJECT}" "gs://${CNI_BUCKET}"
+color 6 "Ensuring the CNI GCS bucket retention policy is set"
+ensure_gcs_bucket_retention "gs://${CNI_BUCKET}" "${PROD_RETENTION}"
+color 6 "Empowering GCS admins to CNI"
+empower_gcs_admins "${PROD_PROJECT}" "gs://${CNI_BUCKET}"
+empower_group_to_write_gcs_bucket "${CNI_GROUP}" "gs://${CNI_BUCKET}"
+
 # Special case: grant the image promoter testing group access to their fake
 # prod projects.
 empower_group_to_fake_prod \

diff --git a/infra/gcp/ensure-release-projects.sh b/infra/gcp/ensure-release-projects.sh
@@ -105,7 +105,7 @@ for PROJECT; do
         # Enable writers on the bucket
         for group in ${ADMINS} ${WRITERS}; do
             color 6 "Empowering ${group} to GCS"
-            empower_group_to_gcs_bucket "${group}" "${BUCKET}"
+            empower_group_to_write_gcs_bucket "${group}" "${BUCKET}"
         done
     done
 

diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
@@ -141,7 +141,7 @@ for REPO; do
 
       # Enable writers on the bucket
       color 6 "Empowering ${WRITERS} to GCS"
-      empower_group_to_gcs_bucket "${WRITERS}" "${BUCKET}"
+      empower_group_to_write_gcs_bucket "${WRITERS}" "${BUCKET}"
     done
 
     # Enable GCB and Prow to build and push images.

diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
@@ -347,16 +347,8 @@ function empower_gcr_admins() {
     region="${2:-}"
     bucket=$(gcs_bucket_for_gcr "${project}" "${region}")
 
-    # Grant project viewer so the UI will work.
     empower_group_as_viewer "${project}" "${GCR_ADMINS}"
-
-    # Grant admins access to do admin stuff.
-    gsutil iam ch \
-        "group:${GCR_ADMINS}:objectAdmin" \
-        "${bucket}"
-    gsutil iam ch \
-        "group:${GCR_ADMINS}:legacyBucketOwner" \
-        "${bucket}"
+    empower_group_to_admin_gcs_bucket "${GCR_ADMINS}" "${bucket}"
 }
 
 # Grant full privileges to GCS admins
@@ -370,16 +362,8 @@ function empower_gcs_admins() {
     project="${1}"
     bucket="${2}"
 
-    # Grant project viewer so the UI will work.
     empower_group_as_viewer "${project}" "${GCS_ADMINS}"
-
-    # Grant admins access to do admin stuff.
-    gsutil iam ch \
-        "group:${GCS_ADMINS}:objectAdmin" \
-        "${bucket}"
-    gsutil iam ch \
-        "group:${GCS_ADMINS}:legacyBucketOwner" \
-        "${bucket}"
+    empower_group_to_admin_gcs_bucket "${GCS_ADMINS}" "${bucket}"
 }
 
 # Grant GCR write privileges to a group
@@ -396,6 +380,20 @@ function empower_group_to_gcr() {
     region="${3:-}"
     bucket=$(gcs_bucket_for_gcr "${project}" "${region}")
 
+    empower_group_to_write_gcs_bucket "${group}" "${bucket}"
+}
+
+# Grant write privileges on a bucket to a group
+# $1: The googlegroups group
+# $2: The bucket
+function empower_group_to_write_gcs_bucket() {
+    if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+        echo "empower_group_to_write_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
+        return 1
+    fi
+    group="$1"
+    bucket="$2"
+
     gsutil iam ch \
         "group:${group}:objectAdmin" \
         "${bucket}"
@@ -404,12 +402,12 @@ function empower_group_to_gcr() {
         "${bucket}"
 }
 
-# Grant write privileges on a bucket to a group
+# Grant admin privileges on a bucket to a group
 # $1: The googlegroups group
 # $2: The bucket
-function empower_group_to_gcs_bucket() {
+function empower_group_to_admin_gcs_bucket() {
     if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
-        echo "empower_group_to_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
+        echo "empower_group_to_admin_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
         return 1
     fi
     group="$1"
@@ -419,7 +417,7 @@ function empower_group_to_gcs_bucket() {
         "group:${group}:objectAdmin" \
         "${bucket}"
     gsutil iam ch \
-        "group:${group}:legacyBucketReader" \
+        "group:${group}:legacyBucketOwner" \
         "${bucket}"
 }