From 704d9991b07701fbc9928927d616e2a87f066c10 Mon Sep 17 00:00:00 2001
From: Abhijeet Dargude
Date: Wed, 16 Oct 2024 11:08:38 +0000
Subject: [PATCH 1/4] ensure prow-build can operate secret manager secrets

---
 infra/gcp/bash/prow/ensure-e2e-projects.sh | 14 +++++++++++++-
 infra/gcp/terraform/k8s-infra-prow/main.tf | 3 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/infra/gcp/bash/prow/ensure-e2e-projects.sh b/infra/gcp/bash/prow/ensure-e2e-projects.sh
index 4b25cce0fef..7d29b9a3847 100755
--- a/infra/gcp/bash/prow/ensure-e2e-projects.sh
+++ b/infra/gcp/bash/prow/ensure-e2e-projects.sh
@@ -72,7 +72,8 @@ function ensure_e2e_project() {
 file.googleapis.com \
 logging.googleapis.com \
 monitoring.googleapis.com \
- storage-component.googleapis.com
+ storage-component.googleapis.com \
+ secretmanager.googleapis.com
 
 # TODO: this is what prow.k8s.io uses today, but seems overprivileged, we
 # could consider using a more limited custom IAM role instead
@@ -112,6 +113,17 @@ function ensure_e2e_project() {
 "serviceAccount:${PROW_BUILD_SVCACCT}" \
 "roles/iam.serviceAccountUser"
 
+ # Ensure GCP Default Compute Service Account can administer Secret Manager secrets
+ ensure_project_role_binding "${prj}" \
+ "serviceAccount:${PROW_BUILD_SVCACCT}" \
+ "roles/secretmanager.admin"
+
+ # Ensure GCP Default Compute Engine Service Agent Account can manage Secret Manager Secrets
+ ensure_project_role_binding "${prj}" \
+ "serviceAccount:service-${project_number}@compute-system.iam.gserviceaccount.com" \
+ "roles/secretmanager.admin"
+
+
 # TODO: this is what prow.k8s.io uses today, but seems overprivileged, we
 # could consider using a more limited custom IAM role instead
 color 6 "Empower boskos-janitor service account to clean e2e project: ${prj}"
diff --git a/infra/gcp/terraform/k8s-infra-prow/main.tf b/infra/gcp/terraform/k8s-infra-prow/main.tf
index 4ff357d81d0..2b0b091c2d9 100644
--- a/infra/gcp/terraform/k8s-infra-prow/main.tf
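Review bot: The comment on the first added binding says it empowers the GCP Default Compute Service Account, but the member on the following line is `serviceAccount:${PROW_BUILD_SVCACCT}`, the same prow-build account that receives `roles/iam.serviceAccountUser` just above it, so the comment should read `# Ensure the prow-build service account can manage Secret Manager secrets in this project`. Granting `roles/secretmanager.admin` at project scope also lets that account delete secrets and change their IAM policies on every secret in the e2e project, which goes further than "operate secrets" suggests; if the jobs only need to read secret payloads, `roles/secretmanager.secretAccessor` covers that, and otherwise the TODO directly above this block about an overprivileged role applies here as well and deserves a matching note. The enclosing `ensure_e2e_project` function starts and ends outside the hunk.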
+++ b/infra/gcp/terraform/k8s-infra-prow/main.tf
@@ -40,6 +40,7 @@ module "project" {
 "certificatemanager.googleapis.com",
 "artifactregistry.googleapis.com",
 "secretmanager.googleapis.com",
- "cloudbuild.googleapis.com"
+ "cloudbuild.googleapis.com",
+ "secretmanager.googleapis.com",
 ]
 }

From 86740561d313daf4055aa27ede048d2e09b19cbd Mon Sep 17 00:00:00 2001
From: Abhijeet Dargude <144316709+dargudear-google@users.noreply.github.com>
Date: Fri, 25 Oct 2024 09:43:32 +0530
Subject: [PATCH 2/4] Update infra/gcp/bash/prow/ensure-e2e-projects.sh

Co-authored-by: Arnaud M.
---
 infra/gcp/bash/prow/ensure-e2e-projects.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/infra/gcp/bash/prow/ensure-e2e-projects.sh b/infra/gcp/bash/prow/ensure-e2e-projects.sh
index 7d29b9a3847..4d2d121352a 100755
--- a/infra/gcp/bash/prow/ensure-e2e-projects.sh
+++ b/infra/gcp/bash/prow/ensure-e2e-projects.sh
@@ -72,8 +72,8 @@ function ensure_e2e_project() {
 file.googleapis.com \
 logging.googleapis.com \
 monitoring.googleapis.com \
- storage-component.googleapis.com \
- secretmanager.googleapis.com
+ secretmanager.googleapis.com \
+ storage-component.googleapis.com
 
 # TODO: this is what prow.k8s.io uses today, but seems overprivileged, we
 # could consider using a more limited custom IAM role instead

From 38840a3fe67787f8192af71f4f64b0038bcbe738 Mon Sep 17 00:00:00 2001
From: Abhijeet Dargude
Date: Fri, 25 Oct 2024 04:23:17 +0000
Subject: [PATCH 3/4] Remove duplicate entry for secretmanager

---
 infra/gcp/terraform/k8s-infra-prow/main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/infra/gcp/terraform/k8s-infra-prow/main.tf b/infra/gcp/terraform/k8s-infra-prow/main.tf
index 2b0b091c2d9..4ff357d81d0 100644
--- a/infra/gcp/terraform/k8s-infra-prow/main.tf
+++ b/infra/gcp/terraform/k8s-infra-prow/main.tf
@@ -40,7 +40,6 @@ module "project" {
 "certificatemanager.googleapis.com",
 "artifactregistry.googleapis.com",
 "secretmanager.googleapis.com",
- "cloudbuild.googleapis.com",
- "secretmanager.googleapis.com",
+ "cloudbuild.googleapis.com"
 ]
 }

From 4da328b2f4ad383aef2637060c9bc98d7950ca0d Mon Sep 17 00:00:00 2001
From: Abhijeet Dargude
Date: Mon, 28 Oct 2024 13:49:47 +0000
Subject: [PATCH 4/4] Remove permission for compute service account.

---
 infra/gcp/bash/prow/ensure-e2e-projects.sh | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/infra/gcp/bash/prow/ensure-e2e-projects.sh b/infra/gcp/bash/prow/ensure-e2e-projects.sh
index 4d2d121352a..359db190a92 100755
--- a/infra/gcp/bash/prow/ensure-e2e-projects.sh
+++ b/infra/gcp/bash/prow/ensure-e2e-projects.sh
@@ -118,12 +118,6 @@ function ensure_e2e_project() {
 "serviceAccount:${PROW_BUILD_SVCACCT}" \
 "roles/secretmanager.admin"
 
- # Ensure GCP Default Compute Engine Service Agent Account can manage Secret Manager Secrets
- ensure_project_role_binding "${prj}" \
- "serviceAccount:service-${project_number}@compute-system.iam.gserviceaccount.com" \
- "roles/secretmanager.admin"
-
-
 # TODO: this is what prow.k8s.io uses today, but seems overprivileged, we
 # could consider using a more limited custom IAM role instead
 color 6 "Empower boskos-janitor service account to clean e2e project: ${prj}"