Ensure GCS release bucket has public-read defacl

[ixdy]

We do this rather than copying artifacts with the public-read ACL,
since doing so will remove any owner ACLs.

x-ref #195.

I haven't checked all of the Jenkins GCS buckets yet, so this may likely break some builds until those buckets are fixed.

cc @zmerlynn @rmmh @david-mcmahon @saad-ali

[david-mcmahon]

Prefer local definitions up top. Less clutter in the logic.

[david-mcmahon]

s/definitions/declarations

[ixdy]

Done.

[david-mcmahon]

This can be logrun'd (no -s) to capture in the log.

[ixdy]

Done.

[ixdy]

$ gsutil defacl get gs://kubernetes-release | jq -r '.[] | select(.entity == "allUsers") | .role'
READER
$ gsutil defacl get gs://kubernetes-release-dev | jq -r '.[] | select(.entity == "allUsers") | .role'
READER
$ gsutil defacl get gs://kubernetes-release-pull | jq -r '.[] | select(.entity == "allUsers") | .role'
READER
$ gsutil defacl get gs://kubernetes-federation-release | jq -r '.[] | select(.entity == "allUsers") | .role'
AccessDeniedException: 403 Forbidden
$ gsutil defacl get gs://kubernetes-federation-release-1-4 | jq -r '.[] | select(.entity == "allUsers") | .role'
AccessDeniedException: 403 Forbidden
$ gsutil defacl get gs://kubernetes-federation-release-1-5 | jq -r '.[] | select(.entity == "allUsers") | .role'
AccessDeniedException: 403 Forbidden

@madhusudancs can you check the federation buckets as above to see if the defacls are OK?

@david-mcmahon @saad-ali @jessfraz anago mock mode may fail once this is merged, since the gs://kubernetes-release-$USER bucket created previously might be missing the allUsers: READER defacl.
To fix, you can either delete the existing gs://kubernetes-release-$USER bucket (if there's nothing of value in it), or you can update the defacl:

gsutil defacl ch -u AllUsers:R "gs://kubernetes-release-$USER"

EDIT 2016-11-15 18:17: shorter command

[ixdy]

@madhusudancs never mind, I was auth'd to the wrong account.

$ gsutil defacl get gs://kubernetes-federation-release | jq -r '.[] | select(.entity == "allUsers") | .role'
$ gsutil defacl get gs://kubernetes-federation-release-1-4 | jq -r '.[] | select(.entity == "allUsers") | .role'
$ gsutil defacl get gs://kubernetes-federation-release-1-5 | jq -r '.[] | select(.entity == "allUsers") | .role'

I will fix.

Interestingly, this probably explains why kubernetes/test-infra#990 only affected the federation release: the other release buckets have a public-read defacl set, so the gsutil acl ch wasn't really necessary for them, and so if some artifacts were missed due to eventual consistency, they were already publicly readable anyway. This wasn't true for the federation buckets.

[ixdy]

All fixed. Merging.

[ixdy]

I hate Jenkins.

/var/lib/jenkins/workspace/kubernetes-build/_tmp/release.git/lib/releaselib.sh: line 394: jq: command not found

FYI @apelisse

[madhusudancs]

@ixdy interesting. This PR makes the ACLs for federation buckets consistent with everything else right?

[ixdy]

@madhusudancs I think the owner settings on the federation buckets is still different.

[madhusudancs]

@ixdy Oh! I looked at the owner settings of kubernetes-jenkins. I will leave federation buckets' settings as it is for now because I don't fully understand the settings of kubernetes-jenkins and I don't want to blindly copy paste them.