Refresh infra scripts to address audit followups, reduce output noise

[spiffxp]

I've run these a few times locally and the results are showing up in audit PRs, so I should probably share what I'm working on.

Will update this description to link to issues these fixes resolve once I've taken care of the WIP commits

Should allow us to address #1675

• Running K8S_INFRA_ENSURE_ONLY_SERVICES_WILL_FORCE_DISABLE=true ./infra/gcp/ensure-staging-storage.sh should disable all of the unexpected services. I plan on doing a first pass without that set to get a log of which projects would have which services disabled first.

Fixes #299

• Any new projects going forward will have the user:foo roles/owner binding removed immediately after the project is created. I plan on running ./infra/gcp/*.sh to ensure the roles/owner binding is removed for all existing projects.

See individual commits for details

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

I ran ./infra/gcp/prow/ensure-e2e-projects.sh as of 22e6015

[spiffxp]

I ran K8S_INFRA_ENSURE_ONLY_SERVICES_WILL_FORCE_DISABLE=true ./infra/gcp/ensure-staging-storage.sh e2e-test-images as of 22e6015 to confirm services were disabled (I know this is at least one project I accidentally enabled a bunch of services on while navigating through GCP's UI as an org admin)

[spiffxp]

I ran ./infra/gcp/prow/ensure-main-project.sh as of 22e6015

[spiffxp]

Ran ./infra/gcp/ensure-staging-storage.sh, script terminated at sig-storage

Configuring staging: sig-storage
  Ensuring project exists: k8s-staging-sig-storage
  ERROR: (gcloud.projects.remove-iam-policy-binding) Resource in projects [k8s-staging-sig-storage:setIamPolicy] is the subject of a conflict: There were concurrent policy changes. Please retry the whole read-modify-write with exponential backoff.

[spiffxp]

Continued with ./infra/gcp/ensure-staging-storage.sh sig-storage sp-operator storage-migrator txtdirect

[spiffxp]

Going to disable extraneous services in staging projects as listed in #1675 (comment)

export PLAN_URL=https://gist.githubusercontent.com/spiffxp/1cbf779d7dc1c025a445b91909f55bf7/raw/49971cd6699c4dace4f47fcba8c068c212e0ad2e/k8s-staging-service-disable-plan.yaml 
K8S_INFRA_ENSURE_ONLY_SERVICES_WILL_FORCE_DISABLE=true \
  ./ensure-staging-storage.sh \
  $(curl -s "${PLAN_URL}" \
    | yq -r 'keys | .[]' \
    | sed -e 's/k8s-staging-//g')

[spiffxp]

Extraneous services in k8s-staging-* projects have been disabled, see https://gist.github.com/spiffxp/1cbf779d7dc1c025a445b91909f55bf7 for log output

[spiffxp]

As of 5357b89 I ran the following:

• ./infra/gcp/ensure-conformance-storage.sh
• ./infra/gcp/ensure-gsuite.sh
• ./infra/gcp/ensure-organization.sh (using roles refreshed via ./infra/gcp/roles/generate-role-yaml.sh)
• ./infra/gcp/ensure-release-projects.sh
• ./infra/gcp/ensure-releng.sh

Earlier (see comments above), I ran:

• ./infra/gcp/prow/ensure-e2e-projects.sh
• ./infra/gcp/ensure-main-project.sh
• ./infra/gcp/ensure-staging-storage.sh (with K8S_INFRA_ENSURE_ONLY_SERVICES_WILL_FORCE_DISABLE=true for some after manual review)

I didn't touch them as part of this PR, but for grins (and mostly to close #299), I also ran:

• ./infra/gcp/ensure-prod-storage.sh
• ./infra/gcp/ensure-static-ips.sh

[ameukam]

/lgtm
/hold
Remove at your convenience.

[spiffxp]

Taking one last look at latest audit PR results before removing hold #1874

[spiffxp]

/hold cancel
/assign @thockin
if you want to review post-merge

[spiffxp]

Related to refactoring infra/gcp, ref: #516