From 225131494934109dc587e12563b65f7b3c32656f Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Mon, 8 Feb 2021 18:34:12 -0500
Subject: [PATCH] Setup gcb-builder-releng-test SA for k8s-infra-prow-build

Try to converge on a consistent naming pattern:
- k8s-infra-staging-foo@kubernetes.io group
- k8s-staging-foo project
- gcb-builder-foo service account in k8s-staging-foo project
- gcb-builder-foo service account usable by prow
---
 .../resources/build-serviceaccounts.yaml | 4 +--
 infra/gcp/ensure-main-project.sh | 13 --------
 infra/gcp/ensure-staging-storage.sh | 32 +++++++++++++++----
 3 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
index f92c6289fea..688b2c53213 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/build-serviceaccounts.yaml
@@ -11,6 +11,6 @@ kind: ServiceAccount
 apiVersion: v1
 metadata:
 annotations:
- iam.gke.io/gcp-service-account: k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com
- name: k8s-infra-staging-releng-test
+ iam.gke.io/gcp-service-account: gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com
+ name: gcb-builder-releng-test
 namespace: test-pods
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index 3490a9a4be0..7cb20544dfd 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
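Review bot: Prow job configs that set `serviceAccountName: k8s-infra-staging-releng-test` have to move to `gcb-builder-releng-test` in step with the `metadata.name` change here, and none are part of this patch, so presumably they are updated elsewhere — worth stating in the commit message. Applying this manifest also does not remove the old KSA from the `test-pods` namespace unless the apply prunes, so an object still annotated to `k8s-infra-staging-releng-test@k8s-infra-prow-build.iam.gserviceaccount.com` lingers until it is deleted explicitly.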
@@ -154,19 +154,6 @@ empower_ksa_to_svcacct \
 "${PROJECT}" \
 "$(svc_acct_email "${PROJECT}" "k8s-infra-dns-updater")"

-color 6 "Ensuring the k8s-infra-staging-releng-test serviceaccount exists"
-ensure_service_account \
- "${PROJECT}" \
- "k8s-infra-staging-releng-test" \
- "k8s-infra releng test"
-
-color 6 -n "Empowering k8s-infra-staging-releng-test serviceaccount to be used on"
-color 6 " build cluster"
-empower_ksa_to_svcacct \
- "k8s-infra-prow-build.svc.id.goog[test-pods/k8s-infra-staging-releng-test]" \
- "${PROJECT}" \
- "$(svc_acct_email "${PROJECT}" "k8s-infra-staging-releng-test")"
-
 color 6 "Empowering ${DNS_GROUP}"
 gcloud projects add-iam-policy-binding "${PROJECT}" \
 --member "group:${DNS_GROUP}" \
diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
index 1e8a43a4afc..92f8f14d23d 100755
--- a/infra/gcp/ensure-staging-storage.sh
+++ b/infra/gcp/ensure-staging-storage.sh
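Review bot: Deleting the `ensure_service_account` / `empower_ksa_to_svcacct` block for `k8s-infra-staging-releng-test` from the script does not delete the service account that earlier runs created in `${PROJECT}`, nor the binding that `empower_ksa_to_svcacct` presumably added for `test-pods/k8s-infra-staging-releng-test`; these ensure scripts only add state, so the old identity keeps existing, and until the old GCR grant that the ensure-staging-storage.sh hunk stops making is revoked it presumably keeps write access to gcr.io/k8s-staging-releng-test. A one-off cleanup — deleting the old service account, or at least removing its workload-identity binding and the GCR grant — should accompany this change or be recorded as a follow-up in the commit message. The removed block is top-level script code; the script continues on both sides of the hunk.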
@@ -296,12 +296,32 @@ color 6 "Configuring special case for k8s-staging-ci-images"

 # Special case: In order for pull-release-image-* to run on k8s-infra-prow-build,
 # it needs write access to gcr.io/k8s-staging-releng-test. For now,
-# we will grant the prow-build service account write access. Longer
-# term we would prefer service accounts per project, and restrictions
-# on which jobs can use which service accounts.
+
 color 6 "Configuring special case for k8s-staging-releng-test"
 (
- PROJECT="k8s-staging-releng-test"
- SERVICE_ACCOUNT=$(svc_acct_email "k8s-infra-prow-build" "k8s-infra-staging-releng-test")
- empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT}" "${PROJECT}"
+ STAGING="releng-test"
+ PROJECT="k8s-staging-${STAGING}"
+ SERVICE_ACCOUNT_NAME="gcb-builder-${STAGING}"
+ SERVICE_ACCOUNT_EMAIL=$(svc_acct_email "${PROJECT}" "${SERVICE_ACCOUNT_NAME}")
+
+ color 6 "Ensuring ${SERVICE_ACCOUNT_EMAIL} serviceaccount exists"
+ ensure_service_account \
+ "${PROJECT}" \
+ "${SERVICE_ACCOUNT_NAME}" \
+ "used by k8s-infra-prow-build to trigger GCB, write to GCR for ${PROJECT}"
+
+ color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to write to GCR for ${PROJECT}"
+ empower_svcacct_to_write_gcr "${SERVICE_ACCOUNT_EMAIL}" "${PROJECT}"
+
+ color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to trigger GCB for ${PROJECT}"
+ gcloud \
+ projects add-iam-policy-binding "${PROJECT}" \
+ --member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+ --role roles/cloudbuild.builds.builder
+
+ color 6 "Empowering ${SERVICE_ACCOUNT_EMAIL} to be used by k8s-infra-prow-build cluster"
+ empower_ksa_to_svcacct \
+ "k8s-infra-prow-build.svc.id.goog[test-pods/${SERVICE_ACCOUNT_NAME}]" \
+ "${PROJECT}" \
+ "${SERVICE_ACCOUNT_EMAIL}"
 )
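Review bot: The kept comment line `# it needs write access to gcr.io/k8s-staging-releng-test. For now,` now ends in a dangling `For now,` because the rest of that sentence was removed and replaced by the blank `+` line; the header should describe what the block does after this change, e.g. `# it needs write access to gcr.io/k8s-staging-releng-test and the ability to trigger GCB there,` followed by `# so a per-project gcb-builder service account is created and made usable from test-pods.` Separately, `roles/cloudbuild.builds.builder` is a project-level role whose permission set goes beyond creating builds (to my knowledge it includes object write on every GCS bucket in the project), so the `color 6 "... to trigger GCB ..."` message and the account description understate the grant; if only build triggering is needed, `roles/cloudbuild.builds.editor` is the narrower role, otherwise the comment should say the account receives builder-level access to the project. The parenthesised subshell is fully inside the hunk; the surrounding script continues on both sides.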