k8s.io
Add staging gcp project for zeitgeist
We need to start releasing and promoting the artifacts we generate in the zeitgeist project (https://github.com/kubernetes-sigs/zeitgeist),
so we need to create a staging GCP project with a bucket for that :)
Related to https://github.com/kubernetes-sigs/zeitgeist/issues/324
/assign @ameukam @saschagrunert @puerco cc @justaugustus @kubernetes/release-engineering
@ameukam @dims PTAL for approval
/lgtm /approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ameukam, cpanato, saschagrunert, xmudrii
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [ameukam]
- ~~groups/OWNERS~~ [ameukam]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Done.
`./ensure-staging-storage.sh zeitgeist`
Ensuring staging projects...
Configuring staging project: k8s-staging-zeitgeist
Ensuring project exists: k8s-staging-zeitgeist
Ensuring [email protected] are project viewers
Ensuring necessary enabled services staging project: k8s-staging-zeitgeist
Ensuring disabled services for staging project: k8s-staging-zeitgeist
Ensuring containeranalysis service agent binding removed for staging project: k8s-staging-zeitgeist
Ensuring serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com can view vulnernability scanning results for project: k8s-staging-zeitgeist
Ensuring staging GCR repo: gcr.io/k8s-staging-zeitgeist
Ensuring a GCR repo exists for project: k8s-staging-zeitgeist
Using default tag: latest
latest: Pulling from pause
Digest: sha256:a78c2d6208eff9b672de43f880093100050983047b7b0afe0217d3656e1b0d5f
Status: Image is up to date for k8s.gcr.io/pause:latest
k8s.gcr.io/pause:latest
Using default tag: latest
The push refers to repository [gcr.io/k8s-staging-zeitgeist/ceci-nest-pas-une-image]
5f70bf18a086: Preparing
e16a89738269: Preparing
5f70bf18a086: Preparing
5f70bf18a086: Layer already exists
e16a89738269: Pushed
latest: digest: sha256:ec3ca3ee90e4dafde96c83232b30f17b5e8992ff35479d0661b8f4ff2f21bf74 size: 938
WARNING: Successfully resolved tag to sha256, but it is recommended to use sha256 directly.
Digests:
- gcr.io/k8s-staging-zeitgeist/ceci-nest-pas-une-image@sha256:ec3ca3ee90e4dafde96c83232b30f17b5e8992ff35479d0661b8f4ff2f21bf74
  Associated tags:
 - latest
Tags:
- gcr.io/k8s-staging-zeitgeist/ceci-nest-pas-une-image:latest
Deleted [gcr.io/k8s-staging-zeitgeist/ceci-nest-pas-une-image:latest].
Deleted [gcr.io/k8s-staging-zeitgeist/ceci-nest-pas-une-image@sha256:ec3ca3ee90e4dafde96c83232b30f17b5e8992ff35479d0661b8f4ff2f21bf74].
Enabling Bucket Policy Only for gs://artifacts.k8s-staging-zeitgeist.appspot.com...
gs://artifacts.k8s-staging-zeitgeist.appspot.com/
@@ -1,3 +1,5 @@ +- member: allUsers + role: roles/storage.objectViewer - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist Ensuring [email protected] can write to GCR for project: k8s-staging-zeitgeist gs://artifacts.k8s-staging-zeitgeist.appspot.com/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist gs://artifacts.k8s-staging-zeitgeist.appspot.com/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.legacyBucketWriter - member: group:[email protected] role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist Ensuring GCR admins can admin GCR for project: k8s-staging-zeitgeist Updated IAM policy for project [k8s-staging-zeitgeist]. @@ -1,3 +1,5 @@ +- member: group:[email protected] + role: roles/viewer - member: group:[email protected] role: roles/viewer - member: serviceAccount:[email protected] gs://artifacts.k8s-staging-zeitgeist.appspot.com/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.objectAdmin - member: group:[email protected] role: roles/storage.legacyBucketWriter - member: group:[email protected] gs://artifacts.k8s-staging-zeitgeist.appspot.com/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin - member: group:[email protected] Ensuring GCS access logs enabled for GCR bucket in project: k8s-staging-zeitgeist Enabling logging on gs://artifacts.k8s-staging-zeitgeist.appspot.com/... 
@@ -1 +1 @@ -gs://artifacts.k8s-staging-zeitgeist.appspot.com/ has no logging configuration. +{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "artifacts.k8s-staging-zeitgeist.appspot.com"} Ensuring staging GCS bucket: gs://k8s-staging-zeitgeist Ensuring gs://k8s-staging-zeitgeist exists and is world readable in project: k8s-staging-zeitgeist Creating gs://k8s-staging-zeitgeist/... Enabling Bucket Policy Only for gs://k8s-staging-zeitgeist... gs://k8s-staging-zeitgeist/ @@ -1,3 +1,5 @@ +- member: allUsers + role: roles/storage.objectViewer - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist Ensuring gs://k8s-staging-zeitgeist has auto-deletion of 60 days Setting lifecycle configuration on gs://k8s-staging-zeitgeist/... @@ -1 +1 @@ -gs://k8s-staging-zeitgeist/ has no lifecycle configuration. +{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 60}}]} Ensuring GCS admins can admin gs://k8s-staging-zeitgeist in project: k8s-staging-zeitgeist gs://k8s-staging-zeitgeist/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist gs://k8s-staging-zeitgeist/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist Ensuring [email protected] can write to gs://k8s-staging-zeitgeist in project: k8s-staging-zeitgeist gs://k8s-staging-zeitgeist/ 
@@ -4,6 +4,8 @@ role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin +- member: group:[email protected] + role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist gs://k8s-staging-zeitgeist/ @@ -4,6 +4,8 @@ role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin +- member: group:[email protected] + role: roles/storage.legacyBucketWriter - member: group:[email protected] role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist Ensuring GCS access logs enabled for gs://k8s-staging-zeitgeist in project: k8s-staging-zeitgeist Enabling logging on gs://k8s-staging-zeitgeist/... @@ -1 +1 @@ -gs://k8s-staging-zeitgeist/ has no logging configuration. +{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-staging-zeitgeist"} Ensuring staging GCB Ensuring staging bucket: gs://k8s-staging-zeitgeist-gcb Ensuring gs://k8s-staging-zeitgeist-gcb exists and is world readable in project: k8s-staging-zeitgeist Creating gs://k8s-staging-zeitgeist-gcb/... Enabling Bucket Policy Only for gs://k8s-staging-zeitgeist-gcb... gs://k8s-staging-zeitgeist-gcb/ @@ -1,3 +1,5 @@ +- member: allUsers + role: roles/storage.objectViewer - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist Ensuring gs://k8s-staging-zeitgeist-gcb has auto-deletion of 60 days Setting lifecycle configuration on gs://k8s-staging-zeitgeist-gcb/... @@ -1 +1 @@ -gs://k8s-staging-zeitgeist-gcb/ has no lifecycle configuration. +{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 60}}]} Ensuring GCS admins can admin gs://k8s-staging-zeitgeist-gcb in project: k8s-staging-zeitgeist gs://k8s-staging-zeitgeist-gcb/ 
@@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist gs://k8s-staging-zeitgeist-gcb/ @@ -1,5 +1,7 @@ - member: allUsers role: roles/storage.objectViewer +- member: group:[email protected] + role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist Ensuring [email protected] can write to gs://k8s-staging-zeitgeist-gcb in project: k8s-staging-zeitgeist gs://k8s-staging-zeitgeist-gcb/ @@ -4,6 +4,8 @@ role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin +- member: group:[email protected] + role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist role: roles/storage.legacyBucketOwner - member: projectOwner:k8s-staging-zeitgeist gs://k8s-staging-zeitgeist-gcb/ @@ -4,6 +4,8 @@ role: roles/storage.legacyBucketOwner - member: group:[email protected] role: roles/storage.objectAdmin +- member: group:[email protected] + role: roles/storage.legacyBucketWriter - member: group:[email protected] role: roles/storage.objectAdmin - member: projectEditor:k8s-staging-zeitgeist Ensuring [email protected] can use GCB in project: k8s-staging-zeitgeist Updated IAM policy for project [k8s-staging-zeitgeist]. @@ -1,5 +1,7 @@ - member: group:[email protected] role: roles/viewer +- member: group:[email protected] + role: roles/cloudbuild.builds.editor - member: group:[email protected] role: roles/viewer - member: serviceAccount:[email protected] Updated IAM policy for project [k8s-staging-zeitgeist]. 
@@ -2,6 +2,8 @@ role: roles/viewer - member: group:[email protected] role: roles/cloudbuild.builds.editor +- member: group:[email protected] + role: roles/serviceusage.serviceUsageConsumer - member: group:[email protected] role: roles/viewer - member: serviceAccount:[email protected] Ensuring [email protected] can use GCB in project: k8s-staging-zeitgeist Updated IAM policy for project [k8s-staging-zeitgeist]. @@ -8,6 +8,8 @@ role: roles/viewer - member: serviceAccount:[email protected] role: roles/cloudbuild.builds.builder +- member: serviceAccount:[email protected] + role: roles/cloudbuild.builds.builder - member: serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com role: roles/containeranalysis.occurrences.viewer - member: serviceAccount:[email protected] gs://k8s-staging-zeitgeist-gcb/ @@ -14,3 +14,5 @@ role: roles/storage.legacyBucketOwner - member: projectViewer:k8s-staging-zeitgeist role: roles/storage.legacyBucketReader +- member: serviceAccount:[email protected] + role: roles/storage.objectCreator gs://k8s-staging-zeitgeist-gcb/ 
@@ -16,3 +16,5 @@ role: roles/storage.legacyBucketReader - member: serviceAccount:[email protected] role: roles/storage.objectCreator +- member: serviceAccount:[email protected] + role: roles/storage.objectViewer Configuring special cases for Release Managers Empowering [email protected] as project viewers in k8s-staging-artifact-promoter Empowering [email protected] as project viewers in k8s-staging-build-image Empowering [email protected] as project viewers in k8s-staging-ci-images Empowering [email protected] as project viewers in k8s-staging-cip-test Empowering [email protected] as project viewers in k8s-staging-experimental Empowering [email protected] as project viewers in k8s-staging-kubernetes Empowering kubernetes-release-test GCB service account to admin GCR Empowering [email protected] as project viewers in k8s-staging-releng Empowering [email protected] as project viewers in k8s-staging-releng-test Empowering [email protected] as project viewers in k8s-staging-publishing-bot Done
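Review bot: the `allUsers` / `roles/storage.objectViewer` binding in the first hunk for `gs://k8s-staging-zeitgeist-gcb` makes every object in the Cloud Build staging bucket publicly readable, and the last two hunks then let a service account create and read objects there. The log line says "exists and is world readable", so this looks intentional, but please state in the PR that public read on the `-gcb` bucket is expected and that builds in this project must not write credentials or non-public sources into it.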
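Review bot: the lifecycle hunks for `gs://k8s-staging-zeitgeist` and `gs://k8s-staging-zeitgeist-gcb` set `{"action": {"type": "Delete"}, "condition": {"age": 60}}`, so any staged artifact that has not been promoted within 60 days is deleted. Since the stated goal is releasing and promoting zeitgeist artifacts, suggest documenting that 60-day window for the release process. The GCR backing bucket `gs://artifacts.k8s-staging-zeitgeist.appspot.com` gets access logging in this output but no lifecycle rule; worth confirming that difference is intended.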
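Review bot: in the hunks that follow each "Ensuring ... can write to ..." line, the writer group is bound to `roles/storage.objectAdmin` together with `roles/storage.legacyBucketWriter`, which is the same object-level role the admin group receives; the two differ only at bucket level (`legacyBucketOwner` versus `legacyBucketWriter`). `objectAdmin` allows overwriting and deleting staged objects, so promotion out of this project should pin exactly what was reviewed (an image digest, as the gcloud WARNING in this output recommends, or a checksum for files in the GCS bucket) rather than a tag or object name. The access logs enabled to `k8s-infra-artifacts-gcslogs` are the place to audit writes to these buckets.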
thanks! will continue the work <3