From 3f8a870416584824194950f867ccfe2f9563e79a Mon Sep 17 00:00:00 2001
From: Chao
Date: Thu, 1 Apr 2021 10:24:28 -0700
Subject: [PATCH] External manager: add a placeholder yaml and update instructions to make things clearer
---
config/prow/cluster/BUILD.bazel | 1 +
config/prow/cluster/kubernetes_external_secrets.yaml | 2 ++
prow/prow_secrets.md | 9 +++++++--
3 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 config/prow/cluster/kubernetes_external_secrets.yaml
diff --git a/config/prow/cluster/BUILD.bazel b/config/prow/cluster/BUILD.bazel
index 85a793e37d49..e1537cb36204 100644
--- a/config/prow/cluster/BUILD.bazel
+++ b/config/prow/cluster/BUILD.bazel
@@ -68,6 +68,7 @@ release(
 component("tls-ing", "ingress"),
 component("tot", "service", "deployment"), # TODO(fejta): delete tot
 component("trusted_serviceaccounts", MULTI_KIND),
+ component("kubernetes_external_secrets", MULTI_KIND),
 component(
 "tune-sysctls",
 "daemonset",
diff --git a/config/prow/cluster/kubernetes_external_secrets.yaml b/config/prow/cluster/kubernetes_external_secrets.yaml
new file mode 100644
index 000000000000..dc7e7dfb2f8a
--- /dev/null
+++ b/config/prow/cluster/kubernetes_external_secrets.yaml
@@ -0,0 +1,2 @@
+# This is a place holder for adding kubernetes external secrets, please add the
+# ExternalSecret CR here, separated by `---`.
diff --git a/prow/prow_secrets.md b/prow/prow_secrets.md
index a395610817c0..3f5b5fd9ca18 100644
--- a/prow/prow_secrets.md
+++ b/prow/prow_secrets.md
@@ -28,7 +28,9 @@ deployment once this PR is merged.
 
 ## Usage (Prow clients)
 
-This is performed by prow serving/build cluster clients.
+This is performed by prow serving/build cluster clients. Note that the GCP
+project mentioned here doesn't have to, and normally is not the same GCP project
+where the prow service/build clusters are located.
 
 1. In the GCP project that stores secrets with google secret manager, grant the
 `roles/secretmanager.viewer` and `roles/secretmanager.secretAccessor`
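Review bot: The placeholder comment in kubernetes_external_secrets.yaml should make explicit that the ExternalSecret resources added here only reference secrets by name and key in Google Secret Manager and never carry secret values, since this file is committed to the repository and, per the BUILD.bazel hunk, appears to be packaged into the cluster release. I would extend the header with `# Only reference secrets by name/key in the ExternalSecret spec; never paste secret values here, this file is committed.` It is also worth confirming that the release tooling accepts a YAML file that contains only comments and no documents until the first real CR is added.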
@@ -37,7 +39,10 @@ This is performed by prow serving/build cluster clients.
 gcloud beta secrets add-iam-policy-binding --member="serviceAccount:" --role= --project=
 ```
 The above command ensures that the service account used by prow can only
- access the secret name `` in the GCP project owned by clients.
+ access the secret name `` in the GCP project owned by
+ clients. The service account used for prow.k8s.io is defined in
+ [`trusted_serviceaccounts.yaml`](https://github.com/kubernetes/test-infra/blob/1b2153ebe2809727a45c5b930647b2a3609dd7e7/config/prow/cluster/trusted_serviceaccounts.yaml#L46)
+
 2. Create secret in google secret manager
 3. Create kubernetes external secrets custom resource by:
 ```