kube/secrets/rotate-keys-for-skia-corp-sa.sh - buildbot - Git at Google

 #!/bin/bash
 source ../kube/corp-config.sh

 set -o pipefail

 # Rotate the key for a service account. Create a new key, upload it to berglas,
 # delete all older keys, and then restart all services that depend on that key.
 #
 # Note that the service account name and secret name are the same, which is the
 # same assumption that add-service-account-from-stdin.sh makes.
 if [ $# -ne 3 ]; then
     echo "$0 <project id> <service-account-name> <restart>"
     echo "For example, to rotate the key for a service account in skia-public used by the emailservice: "
     echo ""
     echo "    $0 skia-public skia-emailservice deployment/emailservice"
     exit 1
 fi

 which jq > /dev/null
 if [ $? -ne 0 ]; then
   echo "jq needs to be installed"
   exit 1
 fi

 which berglas > /dev/null
 if [ $? -ne 0 ]; then
   echo "berglas needs to be installed:  go install github.com/GoogleCloudPlatform/berglas@latest"
   exit 1
 fi

 set -e
 set -x

 # This is fixed to skia-corp since all other clusters should be using workload
 # identity.
 CLUSTER="skia-corp"

 PROJECT="$1"; shift
 SECRET_NAME="$1"; shift
 RESTART="$1"; shift

 # Convert PROJECT to PROJECT_SUBDOMAIN, i.e. convert "google.com:skia-corp" to
 # "skia-corp.google.com", but leave "skia-public" alone.
 PROJECT_SUBDOMAIN=$(echo ${PROJECT} | sed 's#^\(.*\):\(.*\)$#\2.\1#g')

 EMAIL="${SECRET_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"

 REL=$(dirname "$0")

 source ${REL}/config.sh


 # Create new key.
 ${REL}/generate-new-key-for-service-account.sh ${PROJECT} ${CLUSTER} ${SECRET_NAME}

 # Push new key to cluster.
 ${REL}/apply-secret-to-cluster.sh ${CLUSTER} ${SECRET_NAME}

 # Remove all old keys

 # List all USER_MANAGED keys, remove the last one in the list (which is the most recent since
 # we sort by validBeforeTime), and then remove each of those keys.
 gcloud iam service-accounts keys list --project=${PROJECT} --iam-account="${EMAIL}" --format=json --filter=keyType=USER_MANAGED --sort-by=validBeforeTime | jq '.[:-1]' | jq .[].name | xargs -L 1 gcloud iam service-accounts keys delete --project=${PROJECT} --iam-account=${EMAIL}

 # Restart pods to pick up new keys."
 ${REL}/../attach.sh ${CLUSTER} kubectl rollout restart ${RESTART}
	#!/bin/bash
	source ../kube/corp-config.sh

	set -o pipefail

	# Rotate the key for a service account. Create a new key, upload it to berglas,
	# delete all older keys, and then restart all services that depend on that key.
	#
	# Note that the service account name and secret name are the same, which is the
	# same assumption that add-service-account-from-stdin.sh makes.
	if [ $# -ne 3 ]; then
	echo "$0 <project id> <service-account-name> <restart>"
	echo "For example, to rotate the key for a service account in skia-public used by the emailservice: "
	echo ""
	echo " $0 skia-public skia-emailservice deployment/emailservice"
	exit 1
	fi

	which jq > /dev/null
	if [ $? -ne 0 ]; then
	echo "jq needs to be installed"
	exit 1
	fi

	which berglas > /dev/null
	if [ $? -ne 0 ]; then
	echo "berglas needs to be installed: go install github.com/GoogleCloudPlatform/berglas@latest"
	exit 1
	fi

	set -e
	set -x

	# This is fixed to skia-corp since all other clusters should be using workload
	# identity.
	CLUSTER="skia-corp"

	PROJECT="$1"; shift
	SECRET_NAME="$1"; shift
	RESTART="$1"; shift

	# Convert PROJECT to PROJECT_SUBDOMAIN, i.e. convert "google.com:skia-corp" to
	# "skia-corp.google.com", but leave "skia-public" alone.
	PROJECT_SUBDOMAIN=$(echo ${PROJECT} \| sed 's#^\(.\):\(.\)$#\2.\1#g')

	EMAIL="${SECRET_NAME}@${PROJECT_SUBDOMAIN}.iam.gserviceaccount.com"

	REL=$(dirname "$0")

	source ${REL}/config.sh


	# Create new key.
	${REL}/generate-new-key-for-service-account.sh ${PROJECT} ${CLUSTER} ${SECRET_NAME}

	# Push new key to cluster.
	${REL}/apply-secret-to-cluster.sh ${CLUSTER} ${SECRET_NAME}

	# Remove all old keys

	# List all USER_MANAGED keys, remove the last one in the list (which is the most recent since
	# we sort by validBeforeTime), and then remove each of those keys.
	gcloud iam service-accounts keys list --project=${PROJECT} --iam-account="${EMAIL}" --format=json --filter=keyType=USER_MANAGED --sort-by=validBeforeTime \| jq '.[:-1]' \| jq .[].name \| xargs -L 1 gcloud iam service-accounts keys delete --project=${PROJECT} --iam-account=${EMAIL}

	# Restart pods to pick up new keys."
	${REL}/../attach.sh ${CLUSTER} kubectl rollout restart ${RESTART}