Merge pull request #1061 from spiffxp/empower-prow-viewers

Create a prow.viewer custom org role
kubernetes · Jul 24, 2020 · 2ca6276 · 2ca6276
2 parents 0d432af + 2fb1f55
commit 2ca6276
Show file tree

Hide file tree

Showing 4 changed files with 379 additions and 1 deletion.
diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/main.tf b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/main.tf
@@ -46,6 +46,14 @@ resource "google_project_iam_member" "k8s_infra_prow_oncall" {
   member  = "group:k8s-infra-prow-oncall@kubernetes.io"
 }
 
+// Ensure k8s-infra-prow-viewers@kuberentes.io has prow.viewer access to this project
+resource "google_project_iam_member" "k8s_infra_prow_viewers" {
+  project = local.project_id
+  # TODO: use data resource to get org role name instead of hardcode
+  role    = "organizations/758905017065/roles/prow.viewer"
+  member  = "group:k8s-infra-prow-viewers@kubernetes.io"
+}
+
 // Create GCP SA for pods
 resource "google_service_account" "prow_build_cluster_sa" {
   project      = local.project_id

diff --git a/infra/gcp/ensure-e2e-projects.sh b/infra/gcp/ensure-e2e-projects.sh
@@ -32,6 +32,12 @@ function usage() {
     echo > /dev/stderr
 }
 
+## setup custom role for prow troubleshooting
+color 6 "Ensuring custom org role prow.viewer role exists"
+(
+    ensure_custom_org_role_from_file "prow.viewer" "${SCRIPT_DIR}/roles/prow.viewer.yaml"
+) 2>&1 | indent
+
 ## setup service accounts and ips for the prow build cluster
 
 PROW_BUILD_SVCACCT=$(svc_acct_email "k8s-infra-prow-build" "prow-build")
@@ -133,7 +139,7 @@ for prj; do
     gcloud \
       projects add-iam-policy-binding "${prj}" \
       --member "group:k8s-infra-prow-viewers@kubernetes.io" \
-      --role roles/viewer
+      --role $(custom_org_role_name "prow.viewer")
 
     if [[ "${prj}" =~ k8s-infra-e2e.*scale ]]; then
       color 6 "Empower k8s-infra-sig-scalability-oncall@kubernetes.io to admin e2e project: ${prj}"

diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
@@ -610,3 +610,39 @@ function ensure_custom_iam_role() {
             --permissions "${permissions}"
     fi
 }
+
+# Ensure that custom IAM role exists and is in sync with definition in file
+# Arguments:
+#   $1:  The role name (e.g. "prow.viewer")
+#   $2:  The file (e.g. "/path/to/file.yaml")
+function ensure_custom_org_role_from_file() {
+    if [ ! $# -eq 2 -o -z "$1" -o -z "$2" ]; then
+        echo "ensure_custom_org_role_from_file(name, file) requires 2 arguments" >&2
+        return 1
+    fi
+
+    local org="${GCP_ORG}"
+    local name="${1}"
+    local file="${2}"
+
+    if ! gcloud iam roles describe "${name}" --organization "${org}" \
+        >/dev/null 2>&1
+    then
+      # be noisy when creating a role
+      gcloud iam roles create "${name}" --organization "${org}" --file "${file}"
+    else
+      # be quiet when updating, only output name of role
+      gcloud iam roles update "${name}" --organization "${org}" --file "${file}" | grep ^name:
+    fi
+}
+
+function custom_org_role_name() {
+    if [ ! $# -eq 1 -o -z "$1" ]; then
+        echo "custom_org_role_name(name) requires 1 arguments" >&2
+        return 1
+    fi
+
+    local name="${1}"
+
+    echo "organizations/${GCP_ORG}/roles/${name}"
+}