# Rotate the key of a GCP service account and roll the new key out.
#
# Usage: <script> <project id> <service-account-name> <restart>
#
# Reads (from sourced helpers, not visible in this listing): EMAIL, CLUSTER —
# presumably derived from PROJECT/SECRET_NAME; verify against the sourced files.
# Writes: PROJECT, SECRET_NAME, RESTART, PROJECT_SUBDOMAIN, REL.
# Exits 1 on a bad argument count or a missing tool; once 'set -e' is enabled
# below, any failing command (or failing pipeline stage, via pipefail) aborts.
#
# NOTE(review): the target of this 'source' looks truncated in this listing
# (the path ends in '/'); confirm the intended helper file.
source ../kube/
# A pipeline fails if any stage fails; this governs the gcloud | jq | xargs
# pipeline used for key deletion further down.
set -o pipefail
# Rotate the key for a service account. Create a new key, upload it to berglas,
# delete all older keys, and then restart all services that depend on that key.
# Note that the service account name and the secret name are assumed to be the
# same (the sourced helpers presumably make the same assumption — confirm).
# Argument check: 1) project id, 2) service-account / secret name,
# 3) kubectl rollout target.
if [ $# -ne 3 ]; then
echo "$0 <project id> <service-account-name> <restart>"
echo "For example, to rotate the key for a service account in skia-public used by the emailservice: "
echo ""
echo " $0 skia-public skia-emailservice deployment/emailservice"
exit 1
# NOTE(review): the closing 'fi' for this 'if' (and for the two tool checks
# below) is absent from this listing; confirm against the original file.
# Require jq (used to trim the key list below).
# NOTE(review): 'command -v jq' is the portable form of this check.
which jq > /dev/null
if [ $? -ne 0 ]; then
echo "jq needs to be installed"
exit 1
# Require berglas (the secret store the new key is uploaded to, per the header).
# NOTE(review): the 'go install' hint below is missing its package path in this
# listing.
which berglas > /dev/null
if [ $? -ne 0 ]; then
echo "berglas needs to be installed: go install"
exit 1
# From here on, abort on the first failing command. Together with pipefail a
# failing gcloud/jq stage in the deletion pipeline also aborts the script.
set -e
# Trace every command (with its arguments) to stderr. Because arguments are
# visible in the trace and in 'ps', the key creation/upload steps must not pass
# key material on the command line.
set -x
# This is fixed to skia-corp since all other clusters should be using workload
# identity. (CLUSTER itself is not assigned anywhere visible here; it is
# presumably provided by a sourced helper — confirm.)
# Positional arguments; each is shifted off so "$@" is empty afterwards.
PROJECT="$1"; shift
# Not referenced in the visible part of the script; presumably consumed by a
# sourced helper or by the create/push steps that are missing from this listing.
SECRET_NAME="$1"; shift
# kubectl rollout target, e.g. deployment/emailservice.
RESTART="$1"; shift
# Derive PROJECT_SUBDOMAIN from PROJECT: a value of the form "<a>:<b>" becomes
# "<b>.<a>"; a value with no ':' (e.g. "skia-public") passes through unchanged.
# NOTE(review): ${PROJECT} is unquoted in the echo, so a value containing
# whitespace or glob characters would be mangled before reaching sed.
PROJECT_SUBDOMAIN=$(echo ${PROJECT} | sed 's#^\(.*\):\(.*\)$#\2.\1#g')
# Directory containing this script, used to locate sibling helpers.
REL=$(dirname "$0")
# NOTE(review): the sourced filename appears truncated here as well; this helper
# is presumably what defines EMAIL (and possibly CLUSTER) used below — confirm.
source ${REL}/
# Create new key.
# Push new key to cluster.
# NOTE(review): the commands for the two steps above are not present in this
# listing.
# Remove all old keys
# List all USER_MANAGED keys sorted by validBeforeTime (ascending), drop the
# last entry with jq '.[:-1]' — assumed to be the key just created, since it
# expires latest — and then delete every remaining key, one gcloud call each.
# jq's '.[].name' output is JSON-quoted; xargs strips the surrounding double
# quotes before passing each name to gcloud.
# NOTE(review): ${PROJECT} and ${EMAIL} are unquoted in the xargs command. Also,
# old keys are revoked *before* the rollout below, so if that restart fails the
# running pods are presumably left holding a revoked key — consider the ordering.
gcloud iam service-accounts keys list --project=${PROJECT} --iam-account="${EMAIL}" --format=json --filter=keyType=USER_MANAGED --sort-by=validBeforeTime | jq '.[:-1]' | jq .[].name | xargs -L 1 gcloud iam service-accounts keys delete --project=${PROJECT} --iam-account=${EMAIL}
# Restart pods to pick up the new key.
# NOTE(review): the helper name after '${REL}/../' appears truncated in this
# listing, and CLUSTER is not assigned anywhere visible here — confirm both.
${REL}/../ ${CLUSTER} kubectl rollout restart ${RESTART}