#!/usr/bin/env bash
# Copyright 2021 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Creates a GCP service account with the permissions pod utilities need to
# upload job results to GCS, or grants those permissions to an existing
# account (answer "n" at the first prompt to skip creation).
#
# ProwJobs pick up this identity through workload identity: bind the GCP SA to
# a Kubernetes SA, then set `default_service_account_name: <K8s SA name>` in
# the decoration config (a default decoration config applies it broadly).
# See github.com/kubernetes/test-infra/workload-identity/ for the WI setup.
#
# Required inputs come from the environment: PROJECT_ID, BUCKET, SA_NAME.
# SA_DISPLAY_NAME and SA_DESCRIPTION are only consulted when the SA is created.

# Strict mode: abort on error, on unset variables, and on any failing pipeline stage.
set -euo pipefail

# Inputs default to "" so that `nounset` does not trip before parseArgs validates them.
PROJECT_ID="${PROJECT_ID:-}"  # GCP project that owns the service account, e.g. "k8s-prow"
BUCKET="${BUCKET:-}"          # gs:// URL of the job-result bucket, e.g. "gs://k8s-prow"
SA_NAME="${SA_NAME:-}"        # account id (local part of the SA email), e.g. "prowjob-default-sa"
# Only needed when the service account is created.
SA_DISPLAY_NAME="${SA_DISPLAY_NAME:-}"  # e.g. "Default ProwJob SA"
SA_DESCRIPTION="${SA_DESCRIPTION:-}"    # e.g. "Default SA for ProwJobs that upload to the shared job result bucket."
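# Full email of the service account; built from SA_NAME and PROJECT_ID before
# they are validated, which is safe because both default to "".
SA="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

#######################################
# Entry point: validate inputs, then run each step behind a y/n prompt.
# Globals:   SA, BUCKET (read)
# Arguments: none (positional args are ignored)
# Returns:   exits 2 from parseArgs on missing input; otherwise the status of
#            the last step run
#######################################
main() {
  parseArgs

  prompt "Create service account ${SA}" createSA
  prompt "Grant upload permissions for ${BUCKET} to ${SA}" authorizeUpload

  echo "All done!"
}

#######################################
# Check that every required env var is non-empty and echo the values in use.
# Globals:   SA_NAME, PROJECT_ID, BUCKET (read)
# Outputs:   "VAR=value" per variable on stdout; the error on stderr
# Returns:   exits 2 on the first empty variable
#######################################
parseArgs() {
  local var
  for var in SA_NAME PROJECT_ID BUCKET; do
    if [[ -z "${!var}" ]]; then
      echo "Must specify ${var} environment variable (or specify a default in the script)." >&2
      exit 2
    fi
    echo "${var}=${!var}"
  done
}

#######################################
# Ask a y/n question and run the named function only on "y"/"Y".
# Arguments: $1 - question text; $2 - name of the function to run
# Note: under errexit, EOF on stdin (e.g. a non-interactive run) makes `read`
#       fail and aborts the whole script instead of silently skipping the step.
#######################################
prompt() {
  local msg="$1" cmd="$2"
  echo
  read -r -n1 -p "$msg ? [y/n] "
  echo

  if [[ $REPLY =~ ^[Yy]$ ]]; then
    "$cmd"
  else
    echo "Skipping and continuing to next step..."
  fi
}

#######################################
# Create the service account in PROJECT_ID.
# Globals: SA_NAME, PROJECT_ID, SA_DESCRIPTION, SA_DISPLAY_NAME (read)
#######################################
createSA() {
  # SA_NAME is quoted so an accidental space or glob character becomes a gcloud
  # validation error rather than extra, word-split arguments.
  gcloud beta iam service-accounts create \
    "${SA_NAME}" \
    --project="${PROJECT_ID}" \
    --description="${SA_DESCRIPTION}" \
    --display-name="${SA_DISPLAY_NAME}"
}

#######################################
# Bind roles/storage.objectAdmin for SA on BUCKET (a bucket-level binding, not
# a project-level one).
# Globals: SA, BUCKET (read)
# Security note: objectAdmin allows reading, overwriting and deleting EVERY
#   object in the bucket, so any ProwJob running as this SA can alter or remove
#   other jobs' results. Point BUCKET at a bucket dedicated to job results, and
#   use separate SAs/buckets where results of different tenants must be
#   isolated; this script does not narrow the binding further.
#######################################
authorizeUpload() {
  gsutil iam ch "serviceAccount:${SA}:roles/storage.objectAdmin" "${BUCKET}"
}

main "$@"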