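#!/usr/bin/env bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

# This script will create a 'prow-deployer' GCP service account with permissions
# to deploy to the GKE cluster and load a service account key into the cluster's
# test-pods namespace. This should only be done when the Prow instance is using a
# separate build cluster and only trusted jobs are running in the service cluster.
# Setting up a deployer service account is necessary for Prow to update itself with
# a postsubmit job.

# To use, point your kubeconfig at the correct cluster context and specify gcp
# PROJECT and service account DESCRIPTION environment variables. Optionally, one can
# supply the PROJECT_BUILD variable to attach the iam policy to the build cluster project.

# To enable prompts and run in "interactive" mode supply the "-i|--interactive" flag.
# e.g.
#   PROJECT="istio-testing" \
#   PROJECT_BUILD="istio-prow-build" \
#   DESCRIPTION="Used to deploy to the clusters in the istio-testing and istio-prow-build projects." \
#   gcloud-deployer-service-account.sh --interactive

# Globals:
PROJECT_BUILD="${PROJECT_BUILD:-}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-prow-deployer}"
# PROJECT => "required" (checked in main)
# DESCRIPTION => "required" (checked in main)

# The generated private key is written into a private (0700) temporary directory
# rather than the working directory, and removed by cleanup() on every exit path.
# Both are assigned in main() before any gcloud call.
KEY_DIR=
KEY_FILE=

# Options:
INTERACTIVE=

#######################################
# Delete the directory holding the service account private key.
# Registered as the EXIT trap by main() so the key is removed regardless of
# exit code (success, error or an operator answering "n" at a prompt).
# Globals:   KEY_DIR (read)
#######################################
function cleanup() {
  # Only a directory created by this run is removed; an empty KEY_DIR (trap
  # fired before mktemp ran) is a no-op rather than an 'rm -rf' of nothing.
  if [[ -n "$KEY_DIR" ]]; then
    rm -rf -- "$KEY_DIR"
  fi
}

#######################################
# Create the deployer service account, grant it roles/container.admin in the
# service cluster project (and optionally the build cluster project) and
# generate a private key for it.
# Globals:   SERVICE_ACCOUNT, PROJECT, DESCRIPTION, PROJECT_BUILD, KEY_FILE (read)
# Outputs:   writes the key to KEY_FILE
#######################################
function create_service_account() {
  local sa_email="$SERVICE_ACCOUNT@$PROJECT.iam.gserviceaccount.com"

  prompt "Create service-account: \"$SERVICE_ACCOUNT\" in Project: \"$PROJECT\""

  # Create a service account for performing Prow deployments in a GCP project.
  gcloud beta iam service-accounts create "$SERVICE_ACCOUNT" \
    --project="$PROJECT" \
    --description="$DESCRIPTION" \
    --display-name="Prow Self Deployer SA"

  # Add the `roles/container.admin` IAM policy binding to the service account in "service" cluster project.
  # https://cloud.google.com/kubernetes-engine/docs/how-to/iam#container.admin
  # NOTE: this role is project-wide, which is why the header comment restricts
  # use of this script to setups where only trusted jobs run in the service cluster.
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$sa_email" \
    --role "roles/container.admin"

  # Generate private key and attach to the service account. The key lands in the
  # 0700 temp directory created by main(), never in the caller's cwd.
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --project="$PROJECT" \
    --iam-account="$sa_email"

  if [[ -n "$PROJECT_BUILD" ]]; then
    prompt "Apply iam policy to build Project: \"$PROJECT_BUILD\""

    # Add the `roles/container.admin` IAM policy binding to the service account in "build" cluster project.
    gcloud projects add-iam-policy-binding "$PROJECT_BUILD" \
      --member="serviceAccount:$sa_email" \
      --role "roles/container.admin"
  fi
}

#######################################
# Load the private key into the test-pods namespace of the cluster selected by
# the current kubeconfig context.
# Globals:   SERVICE_ACCOUNT, KEY_FILE (read)
#######################################
function create_secret() {
  prompt "Create cluster secret for Kube context: \"$(kubectl config current-context)\""

  # Deploy the service-account secret to the cluster in the current context.
  kubectl create secret generic -n test-pods "$SERVICE_ACCOUNT-service-account" \
    --from-file="service-account.json=$KEY_FILE"
}

#######################################
# Parse command line flags.
# Globals:   INTERACTIVE (written)
# Arguments: "$@" - script arguments
# Returns:   exits 1 on an unknown option
#######################################
function handle_options() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -i | --interactive)
        INTERACTIVE=1
        shift
        ;;
      *)
        # Diagnostics go to stderr (the original wrote this to stdout).
        printf 'Unknown option: %s\n' "$1" >&2
        exit 1
        ;;
    esac
  done
}

#######################################
# In interactive mode, ask for confirmation and exit 0 unless the answer is y/Y.
# A no-op when INTERACTIVE is unset.
# Globals:   INTERACTIVE (read)
# Arguments: $1 - question to show
#######################################
function prompt() {
  if [[ -n "$INTERACTIVE" ]]; then
    echo
    read -r -n1 -p "$1 ? [y/n] "
    echo
    if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
      exit 0
    fi
  fi
}

#######################################
# Entry point: parse flags, check required environment, set up the key
# directory and its cleanup trap, then create the account and the secret.
# Globals:   PROJECT, DESCRIPTION (read), KEY_DIR, KEY_FILE (written)
#######################################
function main() {
  handle_options "$@"

  # Fail with a clear message instead of a nounset error on first use.
  : "${PROJECT:?PROJECT environment variable is required}"
  : "${DESCRIPTION:?DESCRIPTION environment variable is required}"

  # Register cleanup before creating anything so the key is always removed.
  trap cleanup EXIT
  KEY_DIR="$(mktemp -d)"
  KEY_FILE="$KEY_DIR/$SERVICE_ACCOUNT-sa-key.json"

  create_service_account
  create_secret
}

main "$@"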