From 4169e60115a1690248c2bda518a79b2383b9d7ce Mon Sep 17 00:00:00 2001
From: Erick Fejta
Date: Thu, 16 Jan 2020 16:33:57 -0800
Subject: [PATCH] Declare some trusted service accounts
---
prow/cluster/BUILD.bazel | 1 +
prow/cluster/trusted_serviceaccounts.yaml | 42 +++++++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 prow/cluster/trusted_serviceaccounts.yaml
diff --git a/prow/cluster/BUILD.bazel b/prow/cluster/BUILD.bazel
index 746f8a450f6d..f197d140f1d7 100644
--- a/prow/cluster/BUILD.bazel
+++ b/prow/cluster/BUILD.bazel
@@ -61,6 +61,7 @@ release(
 component("tide", "service", "deployment"),
 component("tls-ing", "ingress"),
 component("tot", "service", "deployment"),
+ component("trusted_serviceaccounts", MULTI_KIND),
 component(
 "tune-sysctls",
 "daemonset",
diff --git a/prow/cluster/trusted_serviceaccounts.yaml b/prow/cluster/trusted_serviceaccounts.yaml
new file mode 100644
index 000000000000..c1bcef4705b1
--- /dev/null
+++ b/prow/cluster/trusted_serviceaccounts.yaml
@@ -0,0 +1,42 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: resultstore@k8s-prow.iam.gserviceaccount.com
+ name: resultstore
+ namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: pusher@k8s-prow.iam.gserviceaccount.com
+ name: pusher
+ namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: testgrid-config-updater@k8s-testgrid.iam.gserviceaccount.com
+ name: testgrid-config-updater
+ namespace: test-pods
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: deployer@k8s-prow.iam.gserviceaccount.com
+ name: deployer
+ namespace: test-pods
+---
+# TODO(fejta): https://github.com/kubernetes/test-infra/issues/15806
+# * Run experiment/workload-identity/bind-service-accounts.sh on the above
+# * Config service account on job
+# Do the same for the following:
+# k8s-artifacts-graveyard-service-account
+# k8s-artifacts-prod-bak-service-account
+# k8s-artifacts-prod-service-account
+# k8s-gcr-prod-service-account
+# service-account
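Review bot: The new manifest never says which cluster it is meant for or which jobs may use these accounts, yet with Workload Identity the namespace plus ServiceAccount name is the whole trust boundary. Once the IAM bindings from the TODO exist, any pod in `test-pods` that sets `serviceAccountName: deployer` (or `pusher`, `resultstore`, `testgrid-config-updater`) acts as the annotated GCP service account. I would add a header comment above the first document, for example `# Trusted cluster only: pods using these accounts act as the annotated GCP service accounts; use only on jobs that never run unreviewed code.` Whether `test-pods` in the target cluster also hosts presubmit jobs is not visible in this patch, so that should be confirmed before the bindings are created. The comment could also note that `testgrid-config-updater` maps to `k8s-testgrid` rather than `k8s-prow`, since its binding presumably has to be granted in that project.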