Merge pull request #81 from davidz627/fix/saName

Improve deployment scripts, make service account JSON configurable by directory, not name

Author: k8s-ci-robot

Diff for: README.md

@@ -4,6 +4,10 @@ this drive in a production environment in its current state.
 
 DISCLAIMER: This is not an officially supported Google product
 
+Kubernetes Note: setup-cluster.yaml depends on the existence of cluster-roles
+system:csi-external-attacher and system:csi-external-provisioner which are in
+Kubernetes version 1.10.5+
+
 # GCP Compute Persistent Disk CSI Driver
 
 The GCP Compute Persistent Disk CSI Driver is a

Diff for: deploy/kubernetes/delete-driver.sh

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# This script will remove the GCP Compute Persistent Disk CSI Driver from the
+# currently available Kubernetes cluster
+
 set -o nounset
 set -o errexit
 

Diff for: deploy/kubernetes/deploy-driver.sh

@@ -1,5 +1,15 @@
 #!/bin/bash
 
+# This script will deploy the GCP Compute Persistent Disk CSI Driver to the
+# currently available Kubernetes cluster
+
+# Note: setup-cluster.yaml depends on the existence of cluster-roles
+# system:csi-external-attacher and system:csi-external-provisioner
+# which are in Kubernetes version 1.10.5+
+
+# Args:
+# GCE_PD_SA_DIR: Directory the service account key has been saved in (generated by setup-project.sh)
+
 set -o nounset
 set -o errexit
 
@@ -8,7 +18,7 @@ readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes"
 
 if ! kubectl get secret cloud-sa;
 then
-  kubectl create secret generic cloud-sa --from-file="${SA_FILE}"
+  kubectl create secret generic cloud-sa --from-file="${GCE_PD_SA_DIR}/cloud-sa.json"
 fi
 
 # GKE Required Setup

Diff for: deploy/setup-project.sh

@@ -1,13 +1,26 @@
 #!/bin/bash
 
+# This script will setup the given project with a Service Account that has the correct
+# restricted permissions to run the gcp_compute_persistent_disk_csi_driver and download
+# the keys to a specified directory
+
+# WARNING: This script will delete and recreate the service accounts, bindings, and keys
+# associated with ${GCE_PD_SA_NAME}. Great care must be taken to not run the script
+# with a service account that is currently in use.
+
+# Args:
+# PROJECT: GCP project
+# GCE_PD_SA_NAME: Name of the service account to create
+# GCE_PD_SA_DIR: Directory to save the service account key
+
+
 set -o nounset
 set -o errexit
 
 readonly PKGDIR="${GOPATH}/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver"
 readonly KUBEDEPLOY="${PKGDIR}/deploy/kubernetes"
-
-BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role"
-IAM_NAME="${GCEPD_SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
+readonly BIND_ROLES="roles/compute.storageAdmin roles/iam.serviceAccountUser projects/${PROJECT}/roles/gcp_compute_persistent_disk_csi_driver_custom_role"
+readonly IAM_NAME="${GCE_PD_SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
 
 # Create or Update Custom Role
 if gcloud iam roles describe gcp_compute_persistent_disk_csi_driver_custom_role --project "${PROJECT}";
@@ -22,8 +35,8 @@ else
 fi
 
 # Delete Service Account Key
-if [ -f $SA_FILE ]; then
-  rm "$SA_FILE"
+if [ -f "${GCE_PD_SA_DIR}/cloud-sa.json" ]; then
+  rm "${GCE_PD_SA_DIR}/cloud-sa.json"
 fi
 # Delete ALL EXISTING Bindings
 gcloud projects get-iam-policy "${PROJECT}" --format json > "${PKGDIR}/deploy/iam.json"
@@ -34,9 +47,9 @@ rm -f "${PKGDIR}/deploy/iam.json"
 gcloud iam service-accounts delete "${IAM_NAME}" --project "${PROJECT}" --quiet || true
 
 # Create new Service Account and Keys
-gcloud iam service-accounts create "${GCEPD_SA_NAME}" --project "${PROJECT}"
+gcloud iam service-accounts create "${GCE_PD_SA_NAME}" --project "${PROJECT}"
 for role in ${BIND_ROLES}
 do
   gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"${IAM_NAME}" --role ${role}
 done
-gcloud iam service-accounts keys create "${SA_FILE}" --iam-account "${IAM_NAME}" --project "${PROJECT}"
+gcloud iam service-accounts keys create "${GCE_PD_SA_DIR}/cloud-sa.json" --iam-account "${IAM_NAME}" --project "${PROJECT}"