Merge pull request #3968 from upodroid/deploy-ar

Deploy Artifact Registry to Production Project

Author: k8s-ci-robot

infra/gcp/bash/ensure-prod-storage.sh

@@ -79,6 +79,8 @@ readonly PROD_PROJECT_SERVICES=(
     containerregistry.googleapis.com
     # prod projects host binaries in GCS
     storage-component.googleapis.com
+    # prod projects host containers in AR
+    artifactregistry.googleapis.com
 )
 
 readonly PROD_PROJECT_DISABLED_SERVICES=(
@@ -87,7 +89,9 @@ readonly PROD_PROJECT_DISABLED_SERVICES=(
 )
 
 # Regions for prod GCR.
-PROD_REGIONS=(us eu asia)
+GCR_PROD_REGIONS=(us eu asia)
+# Regions for prod AR.
+AR_PROD_REGIONS=(asia-east1 asia-south1 asia-northeast1 asia-northeast2 australia-southeast1 europe-north1 europe-southeast1 europe-west1 europe-west2 europe-west4 europe-west8 europe-west9 southamerica-west1 us-central1 us-east1 us-east4 us-east5 us-south1 us-west1 us-west2)
 
 # Minimum time we expect to keep prod GCS artifacts.
 PROD_RETENTION="10y"
@@ -102,8 +106,8 @@ function ensure_prod_gcr() {
     fi
     local project="${1}"
 
-    color 6 "Ensuring prod GCR for regions: ${PROD_REGIONS[*]}"
-    for region in "${PROD_REGIONS[@]}"; do
+    color 6 "Ensuring prod GCR for regions: ${GCR_PROD_REGIONS[*]}"
+    for region in "${GCR_PROD_REGIONS[@]}"; do
         local gcr_bucket="gs://${region}.artifacts.${project}.appspot.com"
 
         color 3 "region: ${region}"
@@ -121,6 +125,33 @@ function ensure_prod_gcr() {
     done 2>&1 | indent
 }
 
+# Make a prod AR repository and grant access to it.
+#
+# $1: The GCP project name (GCR names == project names)
+function ensure_prod_ar() {
+    if [ $# != 1 ] || [ -z "$1" ]; then
+        echo "ensure_prod_ar(project) requires 1 argument" >&2
+        return 1
+    fi
+    local project="${1}"
+    local serviceaccount
+
+    color 6 "Ensuring prod AR registry for locations: ${AR_PROD_REGIONS[*]}"
+    for region in "${AR_PROD_REGIONS[@]}"; do
+
+        color 3 "region: ${region}"
+        color 6 "Ensuring an AR repo exists in location: ${region} for project: ${project}"
+        ensure_ar_repo "${project}" "${region}"
+
+        color 6 "Ensuring GCR admins can admin AR in location: ${region} for project: ${project}"
+        empower_ar_admins "${project}" "${region}"
+        
+        color 6 "Empowering image promoter with roles/artifactregistry.repoAdmin in project: ${project}"
+        serviceaccount=$(svc_acct_email "${project}" "${IMAGE_PROMOTER_SVCACCT}")
+        ensure_project_role_binding "${project}" "serviceAccount:$serviceaccount" "artifactregistry.repoAdmin"
+    done 2>&1 | indent
+}
+
 # Make a prod GCS bucket and grant access to it.  We need whole buckets for
 # this because we want to grant minimal permissions, but there's no concept of
 # permissions on a "subdirectory" of a bucket.  If we had a GCS promoter akin
@@ -175,7 +206,7 @@ function empower_group_to_fake_prod() {
     empower_group_as_viewer "${project}" "${group}"
 
     color 6 "Empowering $group for GCR in $project"
-    for r in "${PROD_REGIONS[@]}"; do
+    for r in "${GCR_PROD_REGIONS[@]}"; do
         color 3 "region $r"
         empower_group_to_write_gcr "${group}" "${project}" "${r}"
     done
@@ -198,15 +229,18 @@ function ensure_all_prod_projects() {
         color 6 "Ensuring project exists: ${prj}"
         ensure_project "${prj}"
 
-        color 6 "Ensuring Services to host and analyze aritfacts: ${prj}"
+        color 6 "Ensuring Services to host and analyze artifacts: ${prj}"
         ensure_services "${prj}" "${PROD_PROJECT_SERVICES[@]}" 2>&1 | indent
 
         color 6 "Ensuring disabled services for prod project: ${prj}"
         ensure_disabled_services "${prj}" "${PROD_PROJECT_DISABLED_SERVICES[@]}" 2>&1 | indent
 
-        color 6 "Ensuring the GCR repository: ${prj}"
+        color 6 "Ensuring the GCR repositories: ${prj}"
         ensure_prod_gcr "${prj}" 2>&1 | indent
 
+        color 6 "Ensuring the AR repositories: ${prj}"
+        ensure_prod_ar "${prj}" 2>&1 | indent
+
         color 6 "Ensuring the GCS bucket: gs://${prj}"
         ensure_prod_gcs_bucket "${prj}" "gs://${prj}" 2>&1 | indent
     done
@@ -289,7 +323,7 @@ function ensure_all_prod_special_cases() {
     # real $PRODBAK_PROJECT).  We don't want this same power for the non-test
     # backup system, so a compromised promoter can't nuke backups.
     color 6 "Empowering backup-test-prod promoter to backup-test-prod GCR"
-    for r in "${PROD_REGIONS[@]}"; do
+    for r in "${GCR_PROD_REGIONS[@]}"; do
         color 3 "region $r"
         empower_svcacct_to_write_gcr \
             "$(svc_acct_email "${GCR_BACKUP_TEST_PRODBAK_PROJECT}" "${IMAGE_PROMOTER_SVCACCT}")" \

infra/gcp/bash/lib.sh

@@ -44,6 +44,7 @@ trap 'cleanup_tmpdir' EXIT
 . "$(dirname "${BASH_SOURCE[0]}")/lib_gcs.sh"
 
 # order doesn't matter here, so keep sorted
+. "$(dirname "${BASH_SOURCE[0]}")/lib_ar.sh"
 . "$(dirname "${BASH_SOURCE[0]}")/lib_gcr.sh"
 . "$(dirname "${BASH_SOURCE[0]}")/lib_gsm.sh"
 . "$(dirname "${BASH_SOURCE[0]}")/lib_services.sh"

infra/gcp/bash/lib_ar.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Artifact Registry utility functions
+#
+# This is intended to be very general-purpose and "low-level".  Higher-level
+# policy does not belong here.
+#
+# This MUST NOT be used directly. Source it via lib.sh instead.
+
+# Grant write privileges on a AR to a group
+# $1: The googlegroups group email
+# $2: The GCP project
+# $3: The AR region
+function empower_group_to_write_ar() {
+    if [ $# -lt 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
+        echo "empower_group_to_write_ar(group_name, project, location) requires 3 arguments" >&2
+        return 1
+    fi
+    local group="$1"
+    local project="$2"
+    local location="$3"
+
+    ensure_repository_role_binding "images" "${group}" "artifactregistry.repoAdmin" "${project}" "${location}"
+}
+
+function ensure_public_ar_registry() {
+    if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
+        echo "${FUNCNAME[0]}(project, location) requires 2 arguments" >&2
+        return 1
+    fi
+    local project="$1"
+    local location="$2"
+
+    ensure_repository_role_binding "images" "allUsers" "artifactregistry.reader" "${project}" "${location}"
+}
+
+function empower_ar_admins() {
+    # Reusing GCR Admins groups
+    if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
+        echo "empower_ar_admins(project, location) requires 2 arguments" >&2
+        return 1
+    fi
+    local project="$1"
+    local location="$2"
+
+    ensure_repository_role_binding "images" "group:${GCR_ADMINS}" "artifactregistry.admin" "${project}" "${location}"
+}
+
+# Ensure the AR registry exists and is world-readable.
+# $1: The GCP project
+# $2: The AR location (optional)
+function ensure_ar_repo() {
+    if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
+        echo "ensure_ar_repo(project, location) requires 2 arguments" >&2
+        return 1
+    fi
+    local project="$1"
+    local location="$2"
+    # AR Repos will always be called images. Format LOCATION-docker.pkg.dev/PROJECT_ID/images/foobar:latest
+    if ! gcloud artifacts repositories describe images --location="${location}" --project="${project}" >/dev/null 2>&1; then
+        gcloud artifacts repositories create images \
+            --repository-format=docker \
+            --location="${location}" \
+            --project="${project}"
+    fi
+
+    ensure_public_ar_registry "${project}" "${location}"
+}
+
+# Ensure that IAM binding is present for repositories
+# Arguments:
+#   $1:  The repository name (e.g. "images")
+#   $2:  The principal (e.g. "group:[email protected]")
+#   $3:  The role name (e.g. "roles/storage.objectAdmin")
+#   $4:  The project (e.g. "k8s-artifacts-prod")
+#   $5:  The location (e.g. "europe")
+function ensure_ar_repository_role_binding() {
+    if [ ! $# -eq 5 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] || [ -z "$5" ]; then
+        echo "ensure_ar_repository_role_binding(repository, principal, role, project, location) requires 5 arguments" >&2
+        return 1
+    fi
+
+    local repository="${1}"
+    local principal="${2}"
+    local role="${3}"
+
+    _ensure_resource_role_binding "artifacts repositories" "${repository}" "${principal}" "${role}" "${project}" "${location}"
+}

infra/gcp/bash/lib_iam.sh

@@ -197,7 +197,7 @@ function ensure_project_role_binding() {
     _ensure_resource_role_binding "projects" "${project}" "${principal}" "${role}"
 }
 
-# Ensure that IAM binding is present for project
+# Ensure that IAM binding is present for secrets
 # Arguments:
 #   $1:  The fully qualified secret id (e.g. "projects/k8s-infra-foo/secrets/my-secret-id")
 #   $2:  The principal (e.g. "group:[email protected]")
@@ -435,7 +435,7 @@ function _format_iam_policy() {
 #  [$5]: (Optional) the id of the project hosting the resource (e.g. "k8s-infra-foo")
 function _ensure_resource_role_binding() {
     if [ $# -lt 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
-        echo "${FUNCNAME[0]}(resource, id, principal, role, [project]) requires at least 4 arguments" >&2
+        echo "${FUNCNAME[0]}(resource, id, principal, role, [project], [location]) requires at least 4 arguments" >&2
         return 1
     fi
 
@@ -444,12 +444,17 @@ function _ensure_resource_role_binding() {
     local principal="${3}"
     local role="${4}"
     local project="${5:-""}"
+    local location="${6:-""}"
 
     local flags=()
     if [ -n "${project}" ]; then
       flags+=(--project "${project}")
     fi
 
+    if [ -n "${location}" ]; then
+      flags+=(--location "${location}")
+    fi
+
     local before="${TMPDIR}/iam-bind.before.yaml"
     local after="${TMPDIR}/iam-bind.after.yaml"