56 changes: 47 additions & 9 deletions audit/audit-gcp.sh
Expand Up @@ -20,24 +20,62 @@ set -o pipefail

REPO_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd -P)
readonly REPO_ROOT
. "${REPO_ROOT}/infra/gcp/lib.sh"

readonly KUBERNETES_IO_GCP_ORG="${GCP_ORG}"
# TODO: Including this automatically calls verify_prereqs, which looks for yq,
# which is not present in gcr.io/k8s-staging-releng/releng-ci:latest, the
# image used to run this script at present. Update to use an image that
# does have it installed, or at least pip3. In the meantime, copy-paste
# the indent function.
# . "${REPO_ROOT}/infra/gcp/lib.sh"

# ensure_gnu_sed
# Determines which sed binary is gnu-sed on linux/darwin
#
# Sets:
# SED: The name of the gnu-sed binary
#
function ensure_gnu_sed() {
sed_help="$(LANG=C sed --help 2>&1 || true)"
if echo "${sed_help}" | grep -q "GNU\|BusyBox"; then
SED="sed"
elif command -v gsed &>/dev/null; then
SED="gsed"
else
>&2 echo "Failed to find GNU sed as sed or gsed. If you are on Mac: brew install gnu-sed"
return 1
fi
export SED
}

# Indent each line of stdin.
# example: <command> 2>&1 | indent
function indent() {
${SED} -u 's/^/ /'
}

readonly AUDIT_DIR="${REPO_ROOT}/audit"
readonly KUBERNETES_IO_GCP_ORG="758905017065" # kubernetes.io

# TODO: this should maybe just be a call to verify_prereqs from lib_util.sh,
# but that currently enforces presence of `yq` which I'm not sure is
# present on the image used by the prowjob that runs this script
# TODO: this should delegate to verify_prereqs from infra/gcp/lib_util.sh once
# we can guarantee this runs in an image with `yq` and/or pip3 installed
function ensure_dependencies() {
# indent relies on sed -u which isn't available in macOS's sed
if ! ensure_gnu_sed; then
exit 1
fi

if ! command -v jq &>/dev/null; then
>&2 echo "jq not found. Please install: https://stedolan.github.io/jq/download/"
exit 1
echo "jq not found. Please install: https://stedolan.github.io/jq/download/" >&2
exit 1
fi

# the 'bq show' command is called as a hack to dodge the config prompts that bq presents
# the first time it is run. A newline is passed to stdin to skip the prompt for default project
# when the service account in use has access to multiple projects.
bq show <<< $'\n' >/dev/null
if ! bq show <<< $'\n' >/dev/null; then
# ignore errors from bq while doing this hack
true
fi

# right now most of this script assumes it's been run within the audit dir
pushd "${AUDIT_DIR}" >/dev/null
Expand Down Expand Up @@ -313,7 +351,7 @@ function audit_k8s_infra_gcp() {
echo "Removing all existing GCP project audit files"
remove_all_gcp_project_audit_files 2>&1 | indent

echo "Exporting GCP organization: ${organization}"
echo "Exporting GCP organization: ${KUBERNETES_IO_GCP_ORG}"
audit_gcp_organization "${KUBERNETES_IO_GCP_ORG}" 2>&1 | indent

# TODO: this will miss projects that are under folders
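Review bot: `sed_help` in the new ensure_gnu_sed (first hunk) is assigned without `local`, so the captured help text lingers as a global in every script that sources or copy-pastes this function; `local sed_help` on that line fixes it. The same hunk pins `KUBERNETES_IO_GCP_ORG` to the literal `758905017065` where the removed line read `${GCP_ORG}`, so if the value the rest of the tooling gets from infra/gcp/lib.sh ever differs, this audit silently exports a different organization; a comment such as `# must match GCP_ORG in infra/gcp/lib.sh, which this script cannot source yet (see TODO above)` keeps the two in step until the sourcing TODO is resolved. The `"GNU\|BusyBox"` match also accepts BusyBox sed, while indent needs `-u`; worth confirming the BusyBox build in the CI image honours `-u` before relying on it. ensure_dependencies continues past the end of the first hunk.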
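--- /dev/null
+++ b/audit/create-or-update-audit-pr.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Run the audit script and create or update a PR containing any changes
+
+# NOTE: This is intended to run on k8s-infra-prow-build-trusted as
+# k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com
+
+# TODO: Running locally is a work in progress, there are assumptions
+# made about the environment in which this runs:
+# - must have certain env vars present
+# - must have kubernetes/test-infra in a certain location
+# - must be able to build kubernetes/test-infra
+# - must have gcloud already authenticated as someone who has the
+# custom org role "audit.viewer"
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+GH_USER=cncf-ci
+GH_NAME="CNCF CI Bot"
+GH_EMAIL="cncf-ci@ii.coop"
+FORK_GH_REPO=k8s.io
+FORK_GH_BRANCH=autoaudit-${PROW_INSTANCE_NAME:-prow}
+
+echo "Ensure git configured" >&2
+git config user.name "${GH_NAME}"
+git config user.email "${GH_EMAIL}"
+
+echo "Ensure gcloud creds are working" >&2
+gcloud config list
+
+echo "Running Audit Script to dump GCP configuration to yaml" >&2
+pushd ./audit
+bash ./audit-gcp.sh
+popd
+
+echo "Determining whether there are changes to push" >&2
+git add --all audit
+git commit -m "audit: update as of $(date +%Y-%m-%d)"
+git remote add fork "https://github.com/${GH_USER}/${FORK_GH_BRANCH}"
+if git fetch fork "${FORK_GH_BRANCH}"; then
+if git diff --quiet HEAD "fork/${FORK_GH_BRANCH}" -- audit; then
+echo "No new changes to push, exiting early..." >&2
+exit
+fi
+fi
+
+echo "Generating pr-creator binary from k/test-infra/robots" >&2
+pushd ../../kubernetes/test-infra
+go build -o /workspace/pr-creator robots/pr-creator/main.go
+popd
+
+echo "Pushing commit to github.com/${GH_USER}/${FORK_GH_REPO}..." >&2
+GH_TOKEN=$(cat /etc/github-token/token)
+git push -f "https://${GH_USER}:${GH_TOKEN}@github.com/${GH_USER}/${FORK_GH_REPO}" "HEAD:${FORK_GH_BRANCH}" 2>/dev/null
+
+echo "Creating or updating PR to merge ${GH_USER}:${FORK_GH_BRANCH} into kubernetes:main..." >&2
+/workspace/pr-creator \
+--github-token-path=/etc/github-token/token \
+--org=kubernetes --repo=k8s.io --branch=main \
+--source="${GH_USER}:${FORK_GH_BRANCH}" \
+--head-branch="${FORK_GH_BRANCH}" \
+--title="audit: update as of $(date +%Y-%m-%d)" \
+--body="Audit Updates wg-k8s-infra" \
+--confirm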
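Review bot: The `git remote add fork` line uses `${FORK_GH_BRANCH}` where `${FORK_GH_REPO}` is intended, so the remote points at github.com/cncf-ci/autoaudit-prow instead of the k8s.io fork; `git fetch fork` then fails, the no-change early exit is never reached, and every run force-pushes and reopens the PR — it should read `git remote add fork "https://github.com/${GH_USER}/${FORK_GH_REPO}"`. The push also embeds the token read from /etc/github-token/token in the URL on the command line, where it is visible in process listings and in any `set -x` trace, and the `2>/dev/null` (presumably there to keep the token out of logs) discards the reason for a failed push; hand the credential to git instead, e.g. `git -c credential.helper='!f() { echo "password=$(cat /etc/github-token/token)"; }; f' push -f "https://${GH_USER}@github.com/${GH_USER}/${FORK_GH_REPO}" "HEAD:${FORK_GH_BRANCH}"`, which makes both `GH_TOKEN` and the stderr redirect unnecessary. Under `set -o errexit`, `git commit` with nothing staged appears to exit non-zero, so a run whose audit output is unchanged aborts before the change detection runs; `git diff --cached --quiet || git commit -m "audit: update as of $(date +%Y-%m-%d)"` avoids that.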
2 changes: 1 addition & 1 deletion infra/gcp/lib_util.sh
Expand Up @@ -70,7 +70,7 @@ function verify_prereqs() {
>&2 echo "jq not found. Please install: https://stedolan.github.io/jq/download/"
exit 1
fi
# generate-role-yaml relies on this
# generate-role-yaml, lib_iam, lib_gcs, lib_services rely on this
# opting for https://kislyuk.github.io/yq/ over https://github.com/mikefarah/yq due to
# parity with jq, but may be worth reconsidering
if ! command -v yq &>/dev/null; then