releng: Add new projects for staging/releasing Kubernetes

Here we add three new projects:
- k8s-staging-kubernetes
- k8s-staging-release
- k8s-release-admin

k8s-staging-kubernetes will be the official project for staging and
releasing Kubernetes.

k8s-staging-release will be used to stage Release Engineering images.

k8s-release-admin will be a limited-scope near-prod project for Release
Admins (Stephen, Tim, Caleb), which will contain KMS keys to be
leveraged during staging and release.

We add ensure-release-kms.sh, which configures the new k8s-release-admin
GCP project now and grants KMS admin access to k8s-infra-release-admins.

Staging release project settings have been replicated in the
ensure-staging-storage.sh script.

Signed-off-by: Stephen Augustus <[email protected]>

Author: justaugustus

OWNERS_ALIASES

@@ -11,3 +11,21 @@ aliases:
     - dims
     - justaugustus
     - listx
+  release-engineering-approvers:
+    - calebamiles # subproject owner
+    - dougm # Patch Release Team
+    - feiskyer # Patch Release Team
+    - hoegaarden # Patch Release Team
+    - idealhack # Patch Release Team
+    - justaugustus # subproject owner / Patch Release Team
+    - tpepper # subproject owner / Patch Release Team
+  release-engineering-reviewers:
+    - calebamiles # subproject owner
+    - cpanato # Branch Manager
+    - dougm # Patch Release Team
+    - feiskyer # Patch Release Team
+    - hoegaarden # Patch Release Team
+    - idealhack # Patch Release Team
+    - justaugustus # subproject owner / Patch Release Team
+    - saschagrunert # Branch Manager
+    - tpepper # subproject owner / Patch Release Team

groups/groups.yaml

@@ -719,6 +719,16 @@ groups:
       - [email protected]
       - [email protected]
 
+  - email-id: [email protected]
+    name: k8s-infra-staging-kubernetes
+    description: |-
+      ACL for staging Kubernetes
+    settings:
+      ReconcileMembers: "true"
+    members:
+      # TODO(justaugustus): Add editors group after k8s.gcr.io domain flip
+      - [email protected]
+
   - email-id: [email protected]
     name: k8s-infra-staging-kube-state-metrics
     description: |-
@@ -793,20 +803,29 @@ groups:
       - [email protected]
       - [email protected]
 
+  - email-id: [email protected]
+    name: k8s-infra-staging-release
+    description: |-
+      ACL for staging release
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - [email protected]
+      - [email protected]
+
   - email-id: [email protected]
     name: k8s-infra-staging-release-test
     description: |-
       ACL for staging release-test
     settings:
       ReconcileMembers: "true"
     members:
-      - [email protected]
+      - [email protected]
+      - [email protected]
       - [email protected]
       - [email protected]
       - [email protected]
-      - [email protected]
       - [email protected]
-      - [email protected]
 
   - email-id: [email protected]
     name: k8s-infra-staging-scl-image-builder

infra/gcp/ensure-release-kms.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+#
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is used to ensure Release Engineering subproject owners have the
+# appropriate access to SIG Release prod GCP projects.
+#
+# Projects:
+# - k8s-release-admin - Stores KMS objects which other release projects will
+#                       be granted permission to decrypt e.g., GITHUB_TOKEN
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+. "${SCRIPT_DIR}/lib.sh"
+
+function usage() {
+    echo "usage: $0 [project...]" > /dev/stderr
+    echo "example:" > /dev/stderr
+    echo "  $0 # do all release projects" > /dev/stderr
+    echo "  $0 k8s-release-admin # just do one" > /dev/stderr
+    echo > /dev/stderr
+}
+
+# NB: Please keep this sorted.
+PROJECTS=(
+    k8s-release-admin
+)
+
+if [ $# = 0 ]; then
+    # default to all release projects
+    set -- "${PROJECTS[@]}"
+fi
+
+for PROJECT; do
+    color 3 "Configuring: ${PROJECT}"
+
+    # Make the project, if needed
+    color 6 "Ensuring project exists: ${PROJECT}"
+    ensure_project "${PROJECT}"
+
+    # Enable admins to use the UI
+    color 6 "Empowering ${RELEASE_ADMINS} as project viewers"
+    empower_group_as_viewer "${PROJECT}" "${RELEASE_ADMINS}"
+
+    # Enable KMS APIs
+    color 6 "Enabling the KMS API"
+    enable_api "${PROJECT}" cloudkms.googleapis.com
+
+    # Let project admins use KMS.
+    color 6 "Empowering ${RELEASE_ADMINS} as KMS admins"
+    empower_group_for_kms "${PROJECT}" "${RELEASE_ADMINS}"
+
+    color 6 "Done"
+done

infra/gcp/ensure-staging-storage.sh

@@ -59,12 +59,14 @@ STAGING_PROJECTS=(
     kops
     kube-state-metrics
     kubeadm
+    kubernetes
     metrics-server
     multitenancy
     nfd
     npd
     provider-azure
     publishing-bot
+    release
     release-test
     scl-image-builder
     service-apis
@@ -103,6 +105,13 @@ for REPO; do
     color 6 "Empowering ${WRITERS} as project viewers"
     empower_group_as_viewer "${PROJECT}" "${WRITERS}"
 
+    # Enable Release Manager Associates view access to
+    # Release Engineering projects
+    if [[ $REPO == "kubernetes" ]] || [[ $REPO == "release" ]] || [[ $REPO == "release-test" ]]; then
+        color 6 "Empowering ${RELEASE_VIEWERS} as project viewers"
+        empower_group_as_viewer "${PROJECT}" "${RELEASE_VIEWERS}"
+    fi
+
     # Every project gets a GCR repo
 
     # Enable container registry APIs
@@ -161,5 +170,19 @@ for REPO; do
     color 6 "Empowering Prow"
     empower_prow "${PROJECT}" "${GCB_BUCKET}"
 
+    # TODO(justaugustus): Remove once k8s-release-admin is configured and
+    #                     KMS assets have been transferred over.
+    if [[ $PROJECT == "k8s-staging-release-test" ]]; then
+        # Enable KMS APIs
+        color 6 "Enabling the KMS API"
+        enable_api "${PROJECT}" cloudkms.googleapis.com
+
+        RELEASE_ADMINS="[email protected]"
+
+        # Let project admins use KMS.
+        color 6 "Empowering ${RELEASE_ADMINS} as KMS admins"
+        empower_group_for_kms "${PROJECT}" "${RELEASE_ADMINS}"
+    fi
+
     color 6 "Done"
 done

infra/gcp/lib.sh

@@ -57,6 +57,14 @@ PROW_SVCACCT="[email protected]"
 GCP_ORG="758905017065" # kubernetes.io
 GCP_BILLING="018801-93540E-22A20E"
 
+# Release Engineering umbrella groups
+# - admins - edit and KMS access (Release Engineering subproject owners)
+# - managers - access to run stage/release jobs (Patch Release Team / Branch Managers)
+# - viewers - view access to Release Engineering projects (Release Manager Associates)
+RELEASE_ADMINS="[email protected]"
+RELEASE_MANAGERS="[email protected]"
+RELEASE_VIEWERS="[email protected]"
+
 # Get the GCS bucket name that backs a GCR repo.
 # $1: The GCR repo (same as the GCP project name)
 # $2: The GCR region (optional)

k8s.gcr.io/images/k8s-staging-kubernetes/OWNERS

@@ -0,0 +1,16 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+options:
+  no_parent_owners: true
+approvers:
+  - release-engineering-approvers
+  - cblecker
+  - dims
+  - listx
+  - thockin
+reviewers:
+  - release-engineering-reviewers
+
+labels:
+  - sig/release
+  - area/release-eng

k8s.gcr.io/images/k8s-staging-kubernetes/images.yaml

@@ -0,0 +1,12 @@
+### ATTENTION ###
+# k8s-staging-kubernetes is the staging container registry for ROOT level k8s.gcr.io images.
+# Image promotion for this project is restricted to Release Managers.
+#
+# The following images are managed within this project:
+# - cloud-controller-manager
+# - conformance (will likely be moved to another staging project)
+# - hyperkube (to be deprecated in a future release)
+# - kube-apiserver
+# - kube-controller-manager
+# - kube-proxy
+# - kube-scheduler

k8s.gcr.io/images/k8s-staging-release/OWNERS

@@ -0,0 +1,16 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+options:
+  no_parent_owners: true
+approvers:
+  - release-engineering-approvers
+  - cblecker
+  - dims
+  - listx
+  - thockin
+reviewers:
+  - release-engineering-reviewers
+
+labels:
+  - sig/release
+  - area/release-eng

k8s.gcr.io/images/k8s-staging-release/images.yaml

@@ -0,0 +1,23 @@
+### ATTENTION ###
+# k8s-staging-kubernetes is the staging container registry for ROOT level k8s.gcr.io images.
+# Image promotion for this project is restricted to Release Managers.
+#
+# The following images are managed within this project:
+# - cloud-controller-manager
+# - conformance (will likely be moved to another staging project)
+# - hyperkube (to be deprecated in a future release)
+# - kube-apiserver
+# - kube-controller-manager
+# - kube-proxy
+# - kube-scheduler
+#
+# google group for gcr.io/k8s-staging-kubernetes is [email protected]
+registries:
+- name: gcr.io/k8s-staging-kubernetes
+  src: true
+- name: us.gcr.io/k8s-artifacts-prod
+  service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
+- name: eu.gcr.io/k8s-artifacts-prod
+  service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com
+- name: asia.gcr.io/k8s-artifacts-prod
+  service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com