
Commit 4122ab0

releng: Add new projects for staging/releasing Kubernetes
Here we add three new projects:
- k8s-staging-kubernetes
- k8s-staging-release
- k8s-release-admin

k8s-staging-kubernetes will be the official project for staging and releasing Kubernetes. k8s-staging-release will be used to stage Release Engineering images. k8s-release-admin will be a limited-scope near-prod project for Release Admins (Stephen, Tim, Caleb), which will contain KMS keys to be leveraged during staging and release.

We take the opportunity here to descope the majority of ensure-release-projects.sh, so it only configures settings for the k8s-release-admin GCP project now. Staging release project settings have been moved into the ensure-staging-storage.sh script.

Signed-off-by: Stephen Augustus <[email protected]>
1 parent ae3147c commit 4122ab0


11 files changed

+124
-84
lines changed


OWNERS_ALIASES

Lines changed: 18 additions & 0 deletions
@@ -11,3 +11,21 @@ aliases:
1111
- dims
1212
- justaugustus
1313
- listx
14+
release-engineering-approvers:
15+
- calebamiles # subproject owner
16+
- dougm # Patch Release Team
17+
- feiskyer # Patch Release Team
18+
- hoegaarden # Patch Release Team
19+
- idealhack # Patch Release Team
20+
- justaugustus # subproject owner / Patch Release Team
21+
- tpepper # subproject owner / Patch Release Team
22+
release-engineering-reviewers:
23+
- calebamiles # subproject owner
24+
- cpanato # Branch Manager
25+
- dougm # Patch Release Team
26+
- feiskyer # Patch Release Team
27+
- hoegaarden # Patch Release Team
28+
- idealhack # Patch Release Team
29+
- justaugustus # subproject owner / Patch Release Team
30+
- saschagrunert # Branch Manager
31+
- tpepper # subproject owner / Patch Release Team

groups/groups.yaml

Lines changed: 22 additions & 3 deletions
@@ -719,6 +719,16 @@ groups:
719719
720720
721721

722+
- email-id: [email protected]
723+
name: k8s-infra-staging-kubernetes
724+
description: |-
725+
ACL for staging Kubernetes
726+
settings:
727+
ReconcileMembers: "true"
728+
members:
729+
# TODO(justaugustus): Add editors group after k8s.gcr.io domain flip
730+
731+
722732
- email-id: [email protected]
723733
name: k8s-infra-staging-kube-state-metrics
724734
description: |-
@@ -793,20 +803,29 @@ groups:
793803
794804
795805

806+
- email-id: [email protected]
807+
name: k8s-infra-staging-release
808+
description: |-
809+
ACL for staging release
810+
settings:
811+
ReconcileMembers: "true"
812+
members:
813+
814+
815+
796816
- email-id: [email protected]
797817
name: k8s-infra-staging-release-test
798818
description: |-
799819
ACL for staging release-test
800820
settings:
801821
ReconcileMembers: "true"
802822
members:
803-
823+
824+
804825
805826
806827
807-
808828
809-
810829

811830
- email-id: [email protected]
812831
name: k8s-infra-staging-scl-image-builder
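Review bot: The new k8s-infra-staging-release group (new lines 806–812) is created with `ReconcileMembers: "true"` and an empty `members:` list, but unlike k8s-infra-staging-kubernetes directly above it carries no comment saying the empty list is intentional or when it will be populated; with reconciliation on, any member added out-of-band will presumably be stripped on the next run, so the intent should be recorded in the file. If the plan is the same as for the kubernetes group, add a matching `# TODO(justaugustus): Add editors group` under `members:`. Separately, the removed line at old 803 and the added lines at new 823–824 inside k8s-infra-staging-release-test have no content in this rendering, so that membership change cannot be reviewed from this page.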

infra/gcp/ensure-release-projects.sh

Lines changed: 9 additions & 81 deletions
@@ -14,8 +14,8 @@
1414
# See the License for the specific language governing permissions and
1515
# limitations under the License.
1616

17-
# This script is used to ensure Release Managers have the appropriate access
18-
# to SIG Release GCP projects.
17+
# This script is used to ensure Release Engineering subproject owners have the
18+
# appropriate access to SIG Release prod GCP projects (k8s-release-admin).
1919

2020
set -o errexit
2121
set -o nounset
@@ -28,110 +28,38 @@ function usage() {
2828
echo "usage: $0 [project...]" > /dev/stderr
2929
echo "example:" > /dev/stderr
3030
echo " $0 # do all release projects" > /dev/stderr
31-
echo " $0 k8s-staging-release-test # just do one" > /dev/stderr
31+
echo " $0 k8s-release-admin # just do one" > /dev/stderr
3232
echo > /dev/stderr
3333
}
3434

3535
# NB: Please keep this sorted.
3636
PROJECTS=(
37-
k8s-staging-release-test
38-
k8s-release-test-prod
37+
k8s-release-admin
3938
)
4039

4140
if [ $# = 0 ]; then
4241
# default to all release projects
4342
set -- "${PROJECTS[@]}"
4443
fi
4544

46-
47-
48-
49-
5045
for PROJECT; do
5146
color 3 "Configuring: ${PROJECT}"
5247

53-
# The names of the buckets
54-
STAGING_BUCKET="gs://${PROJECT}" # used by humans
55-
GCB_BUCKET="gs://${PROJECT}-gcb" # used by GCB
56-
ALL_BUCKETS=("${STAGING_BUCKET}" "${GCB_BUCKET}")
57-
5848
# Make the project, if needed
5949
color 6 "Ensuring project exists: ${PROJECT}"
6050
ensure_project "${PROJECT}"
6151

62-
for group in ${ADMINS} ${WRITERS} ${VIEWERS}; do
63-
# Enable admins to use the UI
64-
color 6 "Empowering ${group} as project viewers"
65-
empower_group_as_viewer "${PROJECT}" "${group}"
66-
done
67-
68-
# Every project gets a GCR repo
69-
70-
# Enable container registry APIs
71-
color 6 "Enabling the container registry API"
72-
enable_api "${PROJECT}" containerregistry.googleapis.com
73-
74-
# Push an image to trigger the bucket to be created
75-
color 6 "Ensuring the registry exists and is readable"
76-
ensure_gcr_repo "${PROJECT}"
77-
78-
# Enable GCR admins
79-
color 6 "Empowering GCR admins"
80-
empower_gcr_admins "${PROJECT}"
81-
82-
# Enable GCR writers
83-
for group in ${ADMINS} ${WRITERS}; do
84-
color 6 "Empowering ${group} to GCR"
85-
empower_group_to_gcr "${PROJECT}" "${group}"
86-
done
87-
88-
# Every project gets some GCS buckets
89-
90-
# Enable GCS APIs
91-
color 6 "Enabling the GCS API"
92-
enable_api "${PROJECT}" storage-component.googleapis.com
93-
94-
for BUCKET in "${ALL_BUCKETS[@]}"; do
95-
color 3 "Configuring bucket: ${BUCKET}"
96-
97-
# Create the bucket
98-
color 6 "Ensuring the bucket exists and is world readable"
99-
ensure_public_gcs_bucket "${PROJECT}" "${BUCKET}"
100-
101-
# Enable admins on the bucket
102-
color 6 "Empowering GCS admins"
103-
empower_gcs_admins "${PROJECT}" "${BUCKET}"
104-
105-
# Enable writers on the bucket
106-
for group in ${ADMINS} ${WRITERS}; do
107-
color 6 "Empowering ${group} to GCS"
108-
empower_group_to_write_gcs_bucket "${group}" "${BUCKET}"
109-
done
110-
done
111-
112-
# Enable GCB and Prow to build and push images.
113-
114-
# Enable GCB APIs
115-
color 6 "Enabling the GCB API"
116-
enable_api "${PROJECT}" cloudbuild.googleapis.com
117-
118-
# Let project writers use GCB.
119-
for group in ${ADMINS} ${WRITERS}; do
120-
color 6 "Empowering ${group} as GCB editors"
121-
empower_group_for_gcb "${PROJECT}" "${group}"
122-
done
123-
124-
# Let prow trigger builds and access the scratch bucket
125-
color 6 "Empowering Prow"
126-
empower_prow "${PROJECT}" "${GCB_BUCKET}"
52+
# Enable admins to use the UI
53+
color 6 "Empowering ${RELEASE_ADMINS} as project viewers"
54+
empower_group_as_viewer "${PROJECT}" "${RELEASE_ADMINS}"
12755

12856
# Enable KMS APIs
12957
color 6 "Enabling the KMS API"
13058
enable_api "${PROJECT}" cloudkms.googleapis.com
13159

13260
# Let project admins use KMS.
133-
color 6 "Empowering ${ADMINS} as KMS admins"
134-
empower_group_for_kms "${PROJECT}" "${ADMINS}"
61+
color 6 "Empowering ${RELEASE_ADMINS} as KMS admins"
62+
empower_group_for_kms "${PROJECT}" "${RELEASE_ADMINS}"
13563

13664
color 6 "Done"
13765
done
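Review bot: The viewer and KMS-admin grants at new lines 52–62 are applied to whatever project name arrives on the command line, and `ensure_project` at line 50 creates that project first, so a mistyped argument creates a fresh GCP project and binds RELEASE_ADMINS as KMS admin on it — the loop never checks the argument against PROJECTS, even though the usage text implies picking one from that list. Add a guard at the top of the loop, e.g. `[[ " ${PROJECTS[*]} " == *" ${PROJECT} "* ]] || { echo "unknown release project: ${PROJECT}" > /dev/stderr; usage; exit 1; }`. The retained comment `# Let project admins use KMS.` also disagrees with the log line `Empowering ... as KMS admins`; which role `empower_group_for_kms` binds is not visible here, but the comment should name it, since release jobs that need to sign or decrypt with these keys would need a narrower cryptoKey-level binding rather than key administration.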

infra/gcp/ensure-staging-storage.sh

Lines changed: 23 additions & 0 deletions
@@ -59,12 +59,14 @@ STAGING_PROJECTS=(
5959
kops
6060
kube-state-metrics
6161
kubeadm
62+
kubernetes
6263
metrics-server
6364
multitenancy
6465
nfd
6566
npd
6667
provider-azure
6768
publishing-bot
69+
release
6870
release-test
6971
scl-image-builder
7072
service-apis
@@ -103,6 +105,13 @@ for REPO; do
103105
color 6 "Empowering ${WRITERS} as project viewers"
104106
empower_group_as_viewer "${PROJECT}" "${WRITERS}"
105107

108+
# Enable Release Manager Associates view access to
109+
# Release Engineering projects
110+
if [[ $REPO == "kubernetes" ]] || [[ $REPO == "release" ]] || [[ $REPO == "release-test" ]]; then
111+
color 6 "Empowering ${RELEASE_VIEWERS} as project viewers"
112+
empower_group_as_viewer "${PROJECT}" "${RELEASE_VIEWERS}"
113+
fi
114+
106115
# Every project gets a GCR repo
107116

108117
# Enable container registry APIs
@@ -161,5 +170,19 @@ for REPO; do
161170
color 6 "Empowering Prow"
162171
empower_prow "${PROJECT}" "${GCB_BUCKET}"
163172

173+
# TODO(justaugustus): Remove once k8s-release-admin is configured and
174+
# KMS assets have been transferred over.
175+
if [[ $PROJECT == "k8s-staging-release-test" ]]; then
176+
# Enable KMS APIs
177+
color 6 "Enabling the KMS API"
178+
enable_api "${PROJECT}" cloudkms.googleapis.com
179+
180+
RELEASE_ADMINS="[email protected]"
181+
182+
# Let project admins use KMS.
183+
color 6 "Empowering ${RELEASE_ADMINS} as KMS admins"
184+
empower_group_for_kms "${PROJECT}" "${RELEASE_ADMINS}"
185+
fi
186+
164187
color 6 "Done"
165188
done
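Review bot: `RELEASE_ADMINS="[email protected]"` at new line 180 reassigns, inside the per-repo loop, the same variable that lib.sh now defines with the same value in this commit, so the two copies can silently drift and a different group would end up with KMS admin on k8s-staging-release-test than on k8s-release-admin. Drop the assignment and rely on the lib.sh value, as this script already does for `${WRITERS}` and `${RELEASE_VIEWERS}`; if a distinct value is intended, give it its own name and say why in the TODO. As a style point, the three-way `if [[ $REPO == "kubernetes" ]] || ...` at new line 110 is easier to extend as one pattern, `if [[ "${REPO}" =~ ^(kubernetes|release|release-test)$ ]]; then`.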

infra/gcp/lib.sh

Lines changed: 8 additions & 0 deletions
@@ -57,6 +57,14 @@ PROW_SVCACCT="[email protected]"
5757
GCP_ORG="758905017065" # kubernetes.io
5858
GCP_BILLING="018801-93540E-22A20E"
5959

60+
# Release Engineering umbrella groups
61+
# - admins - edit and KMS access (Release Engineering subproject owners)
62+
# - managers - access to run stage/release jobs (Patch Release Team / Branch Managers)
63+
# - viewers - view access to Release Engineering projects (Release Manager Associates)
64+
RELEASE_ADMINS="[email protected]"
65+
RELEASE_MANAGERS="[email protected]"
66+
RELEASE_VIEWERS="[email protected]"
67+
6068
# Get the GCS bucket name that backs a GCR repo.
6169
# $1: The GCR repo (same as the GCP project name)
6270
# $2: The GCR region (optional)
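Review bot: The comment block at new lines 61–63 describes `RELEASE_ADMINS` as "edit and KMS access" and `RELEASE_MANAGERS` as "access to run stage/release jobs", but nothing in this commit binds either: ensure-release-projects.sh grants RELEASE_ADMINS only project viewer plus KMS admin, and RELEASE_MANAGERS is not referenced by any script touched here. Document what is actually granted and flag the rest as pending, e.g. `# - managers - access to run stage/release jobs (Patch Release Team / Branch Managers); not yet bound by any script`, so a reader does not assume those permissions already exist.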
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# See the OWNERS docs at https://go.k8s.io/owners
2+
3+
options:
4+
no_parent_owners: true
5+
approvers:
6+
- release-engineering-approvers
7+
reviewers:
8+
- release-engineering-reviewers
9+
10+
labels:
11+
- sig/release
12+
- area/release-eng

k8s.gcr.io/images/k8s-staging-kubernetes/images.yaml

Whitespace-only changes.
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# See the OWNERS docs at https://go.k8s.io/owners
2+
3+
options:
4+
no_parent_owners: true
5+
approvers:
6+
- release-engineering-approvers
7+
reviewers:
8+
- release-engineering-reviewers
9+
10+
labels:
11+
- sig/release
12+
- area/release-eng

k8s.gcr.io/images/k8s-staging-release/images.yaml

Whitespace-only changes.
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
# google group for gcr.io/k8s-staging-kubernetes is [email protected]
2+
registries:
3+
- name: gcr.io/k8s-staging-kubernetes
4+
src: true
5+
- name: us.gcr.io/k8s-artifacts-prod
6+
service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
7+
- name: eu.gcr.io/k8s-artifacts-prod
8+
service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
9+
- name: asia.gcr.io/k8s-artifacts-prod
10+
service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
