From 6731d488cd3a6cb9ed91c1245f258bd2cf646c43 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 30 Jun 2021 17:20:28 -0700
Subject: [PATCH 1/3] infra/gcp/lib_gcs: fix ensure_gcs_bucket_logging specifically - copy-pasta / too many args to gsutil logging get - silence diff used to check if logging must be updated
---
 infra/gcp/lib_gcs.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infra/gcp/lib_gcs.sh b/infra/gcp/lib_gcs.sh
index f41752d409c..f0c01cdc2ec 100644
--- a/infra/gcp/lib_gcs.sh
+++ b/infra/gcp/lib_gcs.sh
@@ -71,9 +71,9 @@ function ensure_gcs_bucket_logging() {
 echo "{\"logBucket\": \"${K8S_INFRA_GCSLOGS_BUCKET}\", \"logObjectPrefix\": \"$bucket\"}" > "${intent}"
 gsutil logging get "${bucket}"> "${before}"
- if ! diff "${intent}" "${before}"; then
+ if ! diff "${intent}" "${before}" >/dev/null; then
 gsutil logging set on -b "${K8S_INFRA_GCSLOGS_BUCKET}" -o "${bucket#gs://}" "${bucket}"
- gsutil logging get on -b "${K8S_INFRA_GCSLOGS_BUCKET}" -o "${bucket#gs://}" "${bucket}" > "${after}"
+ gsutil logging get "${bucket}" > "${after}"
 diff_colorized "${before}" "${after}"
 fi
 }
From c6802b49e45764ac542475dd24665c0d43b4c19a Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 30 Jun 2021 17:22:24 -0700
Subject: [PATCH 2/3] infra/gcp/lib_gcs: silence auto-deletion check
---
 infra/gcp/lib_gcs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra/gcp/lib_gcs.sh b/infra/gcp/lib_gcs.sh
index f0c01cdc2ec..33c79c52f3f 100644
--- a/infra/gcp/lib_gcs.sh
+++ b/infra/gcp/lib_gcs.sh
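Review bot: The intent file written on the first hunk line records `logObjectPrefix` as `$bucket` (the full `gs://` URI) while the `gsutil logging set` call three lines below passes `-o "${bucket#gs://}"`, so the configuration `gsutil logging get` reads back will presumably never compare equal to the intent and the set will re-run on every invocation; with the diff now sent to /dev/null, that non-convergence has no visible trace in the output. Write the intent with the same prefix, `\"logObjectPrefix\": \"${bucket#gs://}\"`, and consider normalizing both files (for example through `jq -S .`, if it is available to this script) before comparing, since a hand-written one-line JSON document may also differ from gsutil's output only in whitespace. The lifecycle hunk (`@@ -171,7 +171,7`) silences a compare of the same shape, a single-line `rule` intent against `gsutil lifecycle get` output, and likely has the same formatting concern. ensure_gcs_bucket_logging begins before this hunk.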
@@ -171,7 +171,7 @@ function ensure_gcs_bucket_auto_deletion() {
 echo "{\"rule\": [{\"action\": {\"type\": \"Delete\"}, \"condition\": {\"age\": ${auto_deletion_days}}}]}" > "${intent}"
 gsutil lifecycle get "${bucket}"> "${before}"
- if ! diff "${intent}" "${before}"; then
+ if ! diff "${intent}" "${before}" >/dev/null; then
 gsutil lifecycle set "${intent}" "${bucket}"
 gsutil lifecycle get "${bucket}" > "${after}"
 diff_colorized "${before}" "${after}"
From 7803a664ac2086ddb65a68516287df1fa3a6fe03 Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Wed, 30 Jun 2021 18:27:10 -0700
Subject: [PATCH 3/3] infra/gcp/staging: no logging for -gcb bucket
---
 infra/gcp/ensure-staging-storage.sh | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
index 0045a154c3c..c0cbaaf7e1c 100755
--- a/infra/gcp/ensure-staging-storage.sh
+++ b/infra/gcp/ensure-staging-storage.sh
@@ -146,7 +146,7 @@ function ensure_staging_project() {
 # Ensure staging project GCS
 color 3 "Ensuring staging GCS bucket: ${staging_bucket}"
- ensure_staging_gcs_bucket "${project}" "${staging_bucket}" "${writers}" 2>&1 | indent
+ ensure_staging_gcs_bucket "${project}" "${staging_bucket}" "${writers}" "true" 2>&1 | indent
 # Ensure staging project GCB
@@ -164,19 +164,22 @@ function ensure_staging_project() {
 # Ensure the given GCS bucket exists in the given staging project
 # with auto-deletion enabled and appropriate permissions for the
-# given group and GCS admins
+# given group and GCS admins. If an optional fourth parameter is
+# set to "true", access logging will be enabled.
 #
 # $1: The GCP project (e.g. k8s-staging-foo)
 # $2: The GCS bucket (e.g. gs://k8s-staging-foo)
 # $3: The group to grant write access (e.g. k8s-infra-staging-foo@kubernetes.io)
+# [$4:] Enable access logs (e.g. "true", default: false)
 function ensure_staging_gcs_bucket() {
- if [ $# != 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
- echo "${FUNCNAME[0]}(project, gcs_bucket, writers) requires 3 arguments" >&2
+ if [ $# -lt 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
+ echo "${FUNCNAME[0]}(project, gcs_bucket, writers, [logging]) requires at least 3 arguments" >&2
 return 1
 fi
 local project="${1}"
 local bucket="${2}"
 local writers="${3}"
+ local logging="${4:-false}"
 color 6 "Ensuring ${bucket} exists and is world readable in project: ${project}"
 ensure_public_gcs_bucket "${project}" "${bucket}"
@@ -190,8 +193,10 @@ function ensure_staging_gcs_bucket() {
 color 6 "Ensuring ${writers} can write to ${bucket} in project: ${project}"
 empower_group_to_write_gcs_bucket "${writers}" "${bucket}"
- # Ensure logging is turned on
- ensure_gcs_bucket_logging "${bucket}"
+ if [ "${logging}" == "true" ]; then
+ color 6 "Ensuring GCS access logs enabled for ${bucket} in project: ${project}"
+ ensure_gcs_bucket_logging "${bucket}"
+ fi
 }
 # Ensure a GCR repo is provisioned in the given staging project, with
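Review bot: `local logging="${4:-false}"` accepts any string, and the gate in the second hunk (`@@ -190,8 +193,10`) only enables access logging on the exact value `true`, so a misspelled or differently-cased argument such as `True` or `yes` silently leaves bucket access logging off with no error, even though every other argument is validated up front. Because the default also flips from always-on to off, the flag deserves the same strictness: after the existing argument check, add `case "${4:-false}" in true|false) ;; *) echo "${FUNCNAME[0]}: logging must be \"true\" or \"false\", got \"$4\"" >&2; return 1 ;; esac`. Any caller of ensure_staging_gcs_bucket outside these hunks that does not pass a fourth argument now stops getting access logs; in this patch only the call in `ensure_staging_project` passes `"true"`, which appears to be the intent of the commit but is worth confirming against the other callers in the file. The `[ $# -lt 3 ]` check also now accepts a fifth and later argument silently, where the old `!= 3` rejected them.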
@@ -219,7 +224,7 @@ function ensure_staging_gcr_repo() {
 color 6 "Ensuring GCR admins can admin GCR for project: ${project}"
 empower_gcr_admins "${project}"
- color 6 "Ensuring logging on ${gcr_bucket} for GCR project: ${project}"
+ color 6 "Ensuring GCS access logs enabled for GCR bucket in project: ${project}"
 ensure_gcs_bucket_logging "${gcr_bucket}"
 }
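Review bot: The rewritten message drops `${gcr_bucket}`, so the run output no longer names the bucket whose access logging is being ensured, which is the one detail an operator tracing a logging change from this output would want. Keeping the new wording while retaining the name, `color 6 "Ensuring GCS access logs enabled for GCR bucket ${gcr_bucket} in project: ${project}"`, costs nothing and matches the style of the new message added to ensure_staging_gcs_bucket, which does include the bucket. ensure_staging_gcr_repo begins before this hunk.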