releng: Add ensure-release-projects to grant rights to Release Managers

Establishes rights to GCS, GCB, and KMS for Release Managers
- Admins: release-managers-admins@
- Writers: release-managers-private@
- Viewers: release-managers@

Signed-off-by: Stephen Augustus <[email protected]>

Author: justaugustus

infra/gcp/ensure-release-projects.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+#
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to ensure Release Managers have the appropriate access
+# to SIG Release GCP projects.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+. "${SCRIPT_DIR}/lib.sh"
+
+function usage() {
+    echo "usage: $0 [project...]" > /dev/stderr
+    echo "example:" > /dev/stderr
+    echo "  $0 # do all release projects" > /dev/stderr
+    echo "  $0 k8s-staging-release-test # just do one" > /dev/stderr
+    echo > /dev/stderr
+}
+
+# NB: Please keep this sorted.
+PROJECTS=(
+    k8s-staging-release-test
+    k8s-release-test-prod
+)
+
+if [ $# = 0 ]; then
+    # default to all release projects
+    set -- "${PROJECTS[@]}"
+fi
+
+ADMINS="[email protected]"
+WRITERS="[email protected]"
+VIEWERS="[email protected]"
+
+for PROJECT; do
+    color 3 "Configuring: ${REPO}"
+
+    # The names of the buckets
+    STAGING_BUCKET="gs://${PROJECT}" # used by humans
+    GCB_BUCKET="gs://${PROJECT}-gcb" # used by GCB
+    ALL_BUCKETS=("${STAGING_BUCKET}" "${GCB_BUCKET}")
+
+    # Make the project, if needed
+    color 6 "Ensuring project exists: ${PROJECT}"
+    ensure_project "${PROJECT}"
+
+    for group in ${ADMINS} ${WRITERS} ${VIEWERS}; do
+        # Enable admins to use the UI
+        color 6 "Empowering ${group} as project viewers"
+        empower_group_as_viewer "${PROJECT}" "${group}"
+    done
+
+    # Every project gets a GCR repo
+
+    # Enable container registry APIs
+    color 6 "Enabling the container registry API"
+    enable_api "${PROJECT}" containerregistry.googleapis.com
+
+    # Push an image to trigger the bucket to be created
+    color 6 "Ensuring the registry exists and is readable"
+    ensure_gcr_repo "${PROJECT}"
+
+    # Enable GCR admins
+    color 6 "Empowering GCR admins"
+    empower_gcr_admins "${PROJECT}"
+
+    # Enable GCR writers
+    for group in ${ADMINS} ${WRITERS}; do
+        color 6 "Empowering ${group} to GCR"
+        empower_group_to_gcr "${PROJECT}" "${group}"
+    done
+
+    # Every project gets some GCS buckets
+
+    # Enable GCS APIs
+    color 6 "Enabling the GCS API"
+    enable_api "${PROJECT}" storage-component.googleapis.com
+
+    for BUCKET in "${ALL_BUCKETS[@]}"; do
+        color 3 "Configuring bucket: ${BUCKET}"
+
+        # Create the bucket
+        color 6 "Ensuring the bucket exists and is world readable"
+        ensure_public_gcs_bucket "${PROJECT}" "${BUCKET}"
+
+        # Enable admins on the bucket
+        color 6 "Empowering GCS admins"
+        empower_gcs_admins "${PROJECT}" "${BUCKET}"
+
+        # Enable writers on the bucket
+        for group in ${ADMINS} ${WRITERS}; do
+            color 6 "Empowering ${group} to GCS"
+            empower_group_to_gcs_bucket "${group}" "${BUCKET}"
+        done
+    done
+
+    # Enable GCB and Prow to build and push images.
+
+    # Enable GCB APIs
+    color 6 "Enabling the GCB API"
+    enable_api "${PROJECT}" cloudbuild.googleapis.com
+
+    # Let project writers use GCB.
+    for group in ${ADMINS} ${WRITERS}; do
+        color 6 "Empowering ${group} as GCB editors"
+        empower_group_for_gcb "${PROJECT}" "${group}"
+    done
+
+    # Let prow trigger builds and access the scratch bucket
+    color 6 "Empowering Prow"
+    empower_prow "${PROJECT}" "${GCB_BUCKET}"
+
+    # Enable KMS APIs
+    color 6 "Enabling the KMS API"
+    enable_api "${PROJECT}" cloudkms.googleapis.com
+
+    # Let project admins use KMS.
+    color 6 "Empowering ${ADMINS} as KMS admins"
+    empower_group_for_kms "${PROJECT}" "${ADMINS}"
+
+    color 6 "Done"
+done

infra/gcp/lib.sh

@@ -287,6 +287,23 @@ function empower_group_for_gcb() {
         --role roles/serviceusage.serviceUsageConsumer
 }
 
+# Grant KMS admin privileges to a principal
+# $1: The GCP project
+# $2: The group email
+function empower_group_for_kms() {
+    if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+        echo "empower_group_for_kms(project, group) requires 2 arguments" >&2
+        return 1
+    fi
+    project="$1"
+    group="$2"
+
+    gcloud \
+        projects add-iam-policy-binding "${project}" \
+        --member "group:${group}" \
+        --role roles/cloudkms.admin
+}
+
 # Grant privileges to prow in a staging project
 # $1: The GCP project
 # $2: The GCS scratch bucket