Improve deployment scripts, make SA directory configuarable instead of name

davidz627 · davidz627 · commit 0bfc950f9fae · 2018-08-01T15:19:50.000-07:00
diff --git a/deploy/kubernetes/delete-driver.sh b/deploy/kubernetes/delete-driver.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# This script will remove the GCP Compute Persistent Disk CSI Driver from the
+# currently available Kubernetes cluster
+
 set -o nounset
 set -o errexit
 
diff --git a/deploy/kubernetes/deploy-driver.sh b/deploy/kubernetes/deploy-driver.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 
+# This script will deploy the GCP Compute Persistent Disk CSI Driver to the
+# currently available Kubernetes cluster
+
+# Args:
+# GCE_PD_SA_DIR: Directory the service account key has been saved in (generated by setup-project.sh)
+
 set -o nounset
 set -o errexit
 
@@ -8,7 +14,7 @@ readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes"
 
 if ! kubectl get secret cloud-sa;
 then
-  kubectl create secret generic cloud-sa --from-file="${SA_FILE}"
+  kubectl create secret generic cloud-sa --from-file="${GCE_PD_SA_DIR}/cloud-sa.json"
 fi
 
 # GKE Required Setup
diff --git a/deploy/setup-project.sh b/deploy/setup-project.sh
@@ -1,13 +1,26 @@
 #!/bin/bash
 
+# This script will setup the given project with a Service Account that has the correct
+# restricted permissions to run the gcp_compute_persistent_disk_csi_driver and download
+# the keys to a specified directory
+
+# WARNING: This script will delete and recreate all service accounts, bindings, and keys.
+# Great care must be taken to not run the script with a service account that is currently
+# in use.
+
+# Args:
+# PROJECT: GCP project
+# GCE_PD_SA_NAME: Name of the service account to create
+# GCE_PD_SA_DIR: Directory to save the service account key
+
+
 set -o nounset
 set -o errexit
 
 readonly PKGDIR="${GOPATH}/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver"
 readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes"
-
-BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role"
-IAM_NAME="${GCEPD_SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
+readonly BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role"
+readonly IAM_NAME="${GCE_PD_SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
 
 # Create or Update Custom Role
 if gcloud iam roles describe gcp_compute_persistent_disk_csi_driver_custom_role --project "${PROJECT}";
@@ -22,8 +35,8 @@ else
 fi
 
 # Delete Service Account Key
-if [ -f $SA_FILE ]; then
-  rm "$SA_FILE"
+if [ -f "${GCE_PD_SA_DIR}/cloud-sa.json" ]; then
+  rm "${GCE_PD_SA_DIR}/cloud-sa.json"
 fi
 # Delete ALL EXISTING Bindings
 gcloud projects get-iam-policy "${PROJECT}" --format json > "${PKGDIR}/deploy/iam.json"
@@ -34,9 +47,9 @@ rm -f "${PKGDIR}/deploy/iam.json"
 gcloud iam service-accounts delete "${IAM_NAME}" --project "${PROJECT}" --quiet || true
 
 # Create new Service Account and Keys
-gcloud iam service-accounts create "${GCEPD_SA_NAME}" --project "${PROJECT}"
+gcloud iam service-accounts create "${GCE_PD_SA_NAME}" --project "${PROJECT}"
 for role in ${BIND_ROLES}
 do
   gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"${IAM_NAME}" --role ${role}
 done
-gcloud iam service-accounts keys create "${SA_FILE}" --iam-account "${IAM_NAME}" --project "${PROJECT}"
+gcloud iam service-accounts keys create "${GCE_PD_SA_DIR}/cloud-sa.json" --iam-account "${IAM_NAME}" --project "${PROJECT}"
