slack-infra: add slack-moderator-words config

[nikhita]

ref:

• PR adding slack-moderator-words - slack/bot: add moderate words bot kubernetes-sigs/slack-infra#41
• updates to slack-moderator-words to push the image - slack-moderator-words: update configs and add to variants.yaml kubernetes-sigs/slack-infra#43

This PR adds config for slack-moderator-words to slack-infra.

/hold
Need to do a few thing before we can merge this.

• Push the slack-moderator-words image - slack-moderator-words: update configs and add to variants.yaml kubernetes-sigs/slack-infra#43 needs to merge
• Update the config in this PR to the versioned image (ref: postsubmit job)
• Add the slack-moderator-words-config secret

/cc @ameukam @jeefy @mrbobbytables @cpanato

/assign @ameukam
Arnaud -- since you've done most of the work for setting up slack-infra, can you help with this PR? 🙏

[spiffxp]

/retest
kubernetes/test-infra#20962 merged

[cpanato]

/lgtm

we might want to publish a tag besides the latest one :)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, nikhita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nikhita]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[nikhita]

we might want to publish a tag besides the latest one :)

Yup, will update the config once kubernetes-sigs/slack-infra#43 merges and the image is pushed :)

[ameukam]

/lgtm
/hold
Feel free to unhold where you're ready. :-)

[spiffxp]

We chatted about getting secrets provisioned for this in slack https://kubernetes.slack.com/archives/CCK68P2Q2/p1614088645006800

As I understand it, someone from slack admins needs to provision the actual tokens etc.

They then need to go into secret manager as kubernetes Secret manifests, preferably named the same as the secret (ref: https://github.com/kubernetes/k8s.io/tree/main/slack-infra#how-to-deploy)

# $ gcloud secrets versions access latest --secret=recaptcha --project=kubernetes-public
apiVersion: v1
data:
  REDACTED: REDACTED
kind: Secret
metadata:
  name: recaptcha
type: Opaque

Existing secrets are setup so k8s-infra-rbac-slack-infra@ can write to them

# $ for s in $(gcloud secrets list --filter=labels.app=slack-infra --format="value(name)" --project=kubernetes-public); do echo '#' $s; gcloud secrets get-iam-policy $s --project=kubernetes-public; done
# recaptcha
bindings:
- members:
  - group:k8s-infra-rbac-slack-infra@kubernetes.io
  role: roles/secretmanager.admin
etag: BwWmrSbOXUQ=
version: 1
# ... etc ...

[spiffxp]

So, let's get you a secret to write to:

$ gcloud secrets create slack-moderator-words-config --labels=app=slack-infra --project=kubernetes-public
Created secret [slack-moderator-words-config].
$ gcloud secrets add-iam-policy-binding slack-moderator-words-config --project=kubernetes-public --member=group:k8s-infra-rbac-slack-infra@kubernetes.io --role=roles/secretmanager.admin
Updated IAM policy for secret [slack-moderator-words-config].
bindings:
- members:
  - group:k8s-infra-rbac-slack-infra@kubernetes.io
  role: roles/secretmanager.admin
etag: BwW8CaRABBs=
version: 1

To write to it once you've got your file with whatever you need provisioned by slack admins

kubectl create secret --dry-run=client generic slack-moderator-words-config --from-file=path/to/your/file -o yaml |\
  gcloud secrets versions add --project=kubernetes-public slack-moderator-words-config --data-file=-

[alvaroaleman]

Suggested change

	message: "May I suggest \"all\" instead when addessing a group of people? Thank you. :slightly_smiling_face:"
	message: "May I suggest \"all\" instead of \"guys\" when addessing a group of people? Thank you. :slightly_smiling_face:"

[nikhita]

Done 👍

Also, confirming that the bot won't be triggered if it's a message created by the bot itself: https://github.com/kubernetes-sigs/slack-infra/blob/8525eb3de12c51a07444398ed1ba06e416d3b9ba/slack-moderator-words/events.go#L76-L79

[ameukam]

/lgtm

[nikhita]

As I understand it, someone from slack admins needs to provision the actual tokens etc.

Created #1719 to grant access to @mrbobbytables (slack admin, contribex co-chair), @jeefy (slack admin, slack-infra owner) and myself (contribex TL)

[cpanato]

/lgtm

[spiffxp]

Checking back in here, AFAIK secrets and access groups are all in place and you're good to go.

For followup on my end, I've created #1731 to track documenting secret management

[nikhita]

I haven't had cycles to revisit this but will try to get this to the finish line by EOW.

[cpanato]

/hold cancel

[spiffxp]

First noticed by @ameukam, the secret had the wrong name

# gcloud secrets versions access 2 --secret=slack-moderator-words-config --project=kubernetes-public | yq -y '.data |= with_entries(.value="REDACTED")'
apiVersion: v1
data:
  config.json: REDACTED
kind: Secret
metadata:
  name: slack-event-log-config
type: Opaque

So, updated

$ gcloud secrets versions access latest --secret=slack-moderator-words-config --project=kubernetes-public \
  | yq -y '.metadata.name = "slack-moderator-words-config"' \
  | gcloud secrets versions add slack-moderator-words-config --project=kubernetes-public --data-file=-
Created version [3] of the secret [slack-moderator-words-config].

Now looks like

# $ gcloud secrets versions access latest --secret=slack-moderator-words-config --project=kubernetes-public | yq -y '.data |= with_entries(.value="REDACTED")'
apiVersion: v1
data:
  config.json: REDACTED
kind: Secret
metadata:
  name: slack-moderator-words-config
type: Opaque