
Commit f73e208

authored
Merge pull request #879 from pwschuurman/skip-sa-generation
Add CREATE_SA_KEY flag to deploy/setup-project.sh
2 parents 78aa30c + 5fccecd commit f73e208


1 file changed

+17
-8
lines changed


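--- a/deploy/setup-project.sh
+++ b/deploy/setup-project.sh
@@ -14,7 +14,8 @@
 # GCE_PD_SA_NAME: Name of the service account to create
 # GCE_PD_SA_DIR: Directory to save the service account key
 # ENABLE_KMS: If true, it will enable Cloud KMS and configure IAM ACLs.
-
+# CREATE_SA_KEY: (Optional) If true, creates a new service account key and
+# exports it if creating a new service account
 
 set -o nounset
 set -o errexit
@@ -25,9 +26,15 @@ source "${PKGDIR}/deploy/common.sh"
 
 ensure_var PROJECT
 ensure_var GCE_PD_SA_NAME
-ensure_var GCE_PD_SA_DIR
 ensure_var ENABLE_KMS
 
+# Allow the user to pass CREATE_SA_KEY=false to skip the SA key creation
+# Ensure the SA directory set, if we're creating the SA_KEY
+CREATE_SA_KEY="${CREATE_SA_KEY:-true}"
+if [ "${CREATE_SA_KEY}" = true ]; then
+ensure_var GCE_PD_SA_DIR
+fi
+
 # If the project id includes the org name in the format "org-name:project", the
 # gCloud api will format the project part of the iam email domain as
 # "project.org-name"
@@ -60,11 +67,14 @@ fi
 
 if [ "${CREATE_SA}" = true ];
 then
-# Delete Service Account Key
-if [ -f "${GCE_PD_SA_DIR}/cloud-sa.json" ];
-then
-rm "${GCE_PD_SA_DIR}/cloud-sa.json"
+# Delete Service Account Key, if applicable
+if [ "${CREATE_SA_KEY}" = true ]; then
+if [ -f "${GCE_PD_SA_DIR}/cloud-sa.json" ];
+then
+rm "${GCE_PD_SA_DIR}/cloud-sa.json"
+fi
 fi
+
 # Delete ALL EXISTING Bindings
 gcloud projects get-iam-policy "${PROJECT}" --format json > "${PKGDIR}/deploy/iam.json"
 sed -i "/serviceAccount:${IAM_NAME}/d" "${PKGDIR}/deploy/iam.json"
@@ -103,9 +113,8 @@ then
 gcloud projects add-iam-policy-binding "${PROJECT}" --member serviceAccount:"service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com" --role "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 fi
 
-
 # Export key if needed
-if [ "${CREATE_SA}" = true ];
+if [ "${CREATE_SA}" = true ] && [ "${CREATE_SA_KEY}" = true ];
 then
 gcloud iam service-accounts keys create "${GCE_PD_SA_DIR}/cloud-sa.json" --iam-account "${IAM_NAME}" --project "${PROJECT}"
 fi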
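Review bot: `CREATE_SA_KEY` is tested against the exact string `true` in all three places it is used, so a value such as `True`, `1` or `yes` silently skips the `ensure_var GCE_PD_SA_DIR` check, the old-key cleanup and the key export, with no message. The script already runs with `set -o nounset` and `set -o errexit`, so I would reject unknown values right after the default is applied in the second hunk: `case "${CREATE_SA_KEY}" in true|false) ;; *) echo "CREATE_SA_KEY must be true or false" >&2; exit 1 ;; esac`. The header comment should also say that the default is `true`, meaning a long-lived key file is still written to `GCE_PD_SA_DIR` unless the caller opts out, and that `GCE_PD_SA_DIR` is only required in that case. The `if [ "${CREATE_SA}" = true ]` block in the third hunk continues past the visible lines, so whether a stale `cloud-sa.json` from an earlier run matters when key creation is skipped cannot be judged from here.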
