Merge pull request kubernetes#414 from thockin/master

All staging owners to use GCB
Katharine · Oct 23, 2019 · 5066ce0 · 5066ce0
2 parents 83b8640 + 684baad
commit 5066ce0
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
@@ -141,6 +141,10 @@ for REPO; do
     color 6 "Enabling the GCB API"
     enable_api "${PROJECT}" cloudbuild.googleapis.com
 
+    # Let sub-project writers use GCB.
+    color 6 "Empowering ${WRITERS} as GCB editors"
+    empower_group_for_gcb "${PROJECT}" "${WRITERS}"
+
     # Let prow trigger builds and access the scratch bucket
     color 6 "Empowering Prow"
     empower_prow "${PROJECT}" "${GCB_BUCKET}"

diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
@@ -260,6 +260,23 @@ function empower_group_as_viewer() {
         --role roles/viewer
 }
 
+# Grant GCB admin privileges to a principal
+# $1: The GCP project
+# $2: The group email
+function empower_group_for_gcb() {
+    if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+        echo "empower_group_for_gcb(project, group) requires 2 arguments" >&2
+        return 1
+    fi
+    project="$1"
+    group="$2"
+
+    gcloud \
+        projects add-iam-policy-binding "${project}" \
+        --member "group:${group}" \
+        --role roles/cloudbuild.builds.editor
+}
+
 # Grant privileges to prow in a staging project
 # $1: The GCP project
 # $2: The GCS scratch bucket