
Manage Google Group memberships via API #228


Closed
cblecker opened this issue Apr 19, 2019 · 17 comments
Labels
area/access Define who has access to what via IAM bindings, role bindings, policy, etc.

Comments

@cblecker (Member)

If we use the kubernetes.io gsuite, we should be able to manage group creation and membership via an API.

We should be able to create a service account, and then delegate the following scopes to it via domain-wide delegation:

With these, we should be able to script creation of groups, administer their settings, and modify membership of them. It appears that we should be able to do this just with Gsuite Basic, without adding on any extra options/services/cost.

It appears there are also SDK libraries to get started:
https://godoc.org/google.golang.org/api/admin/directory/v1
https://godoc.org/google.golang.org/api/groupssettings/v1

@spiffxp (Member) commented May 1, 2019

I know Christoph ended up starting a steering@ thread; my main question is what the next steps are.

@spiffxp (Member) commented May 1, 2019

/assign @cblecker

@spiffxp (Member) commented May 1, 2019

/assign @dims
investigate how to recreate all of the groups we want from command line

migrate over groups enumerated in #206

save gitops-model for later (similar to dns)

@spiffxp (Member) commented May 1, 2019

I have created a [email protected] account, assigned to a "Group Admin" role, and given credentials to @dims

The intent is for this to be temporary / exploratory to prove we can do what we want via API. We should follow up with a more constrained account that has exactly what we need.

/assign
@dims and @cblecker can tap me if more is needed

@dims (Member) commented May 1, 2019

@cblecker in the API that creates new groups, there is no support for switching on the "Allow members outside your organization" toggle that is available in the UI.
https://developers.google.com/admin-sdk/directory/v1/reference/groups/insert

@dims (Member) commented May 1, 2019

So we will have to create the groups by hand (with that option on) and then script the add/delete of members.

@cblecker (Member, Author) commented May 1, 2019

@dims: that's because that setting is in the OTHER API I mentioned at the top: https://developers.google.com/admin-sdk/groups-settings/manage 🤦‍♂

I don't know WHY Google had to split it up into two different API schemes, but yeah.

@dims (Member) commented May 1, 2019

ah! thanks @cblecker

@spiffxp (Member) commented May 2, 2019

@dims (Member) commented May 2, 2019

WIP is here: #248. It uses the service account @spiffxp minted. All the APIs I need (so far!) are working. I will hammer out a YAML structure and turn the WIP into something we can use.

Anyone else who wants to be able to run the commands, please send me your GPG key. I used git-crypt to encrypt the JSON for the service account (see the PR above); at the moment it's me and @cblecker who can decrypt the file.

@dims (Member) commented May 2, 2019

The scopes needed so far for the service account are

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/apps.groups.settings

in english ..

[screenshot: Sign in - Google Accounts]

@dims (Member) commented May 3, 2019

  • add new group
  • delete old group
  • add folks to group
  • delete folks from group

all works!

@spiffxp (Member) commented May 9, 2019

wg-k8s-infra-api-test@ renamed to wg-k8s-infra-api@

[two screenshots, 2019-05-09 at 1:31 PM]

@spiffxp (Member) commented May 10, 2019

I once again walked through https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account for a client_id @dims provided to me, granting the following scopes

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/apps.groups.settings
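The credential that dims's scope list and spiffxp's delegation walkthrough above describe is a service account whose client_id an admin has authorized for these four scopes, which then acts as a Group Admin user. As an added example (not code from this thread or from the k8s.io repo), here is what that delegation looks like on the wire: the RS256-signed assertion the service account sends to Google's token endpoint, plus a verifier that reads back which user and scopes a stored credential would request. The key and the e-mail addresses used with it are constructed placeholders; in practice the Go SDK linked in the opening post builds this assertion for you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)
// Scopes the thread grants the service account's client_id via domain-wide delegation.
var GroupAdminScopes = []string{
	"https://www.googleapis.com/auth/admin.directory.user.readonly",
	"https://www.googleapis.com/auth/admin.directory.group",
	"https://www.googleapis.com/auth/admin.directory.group.member",
	"https://www.googleapis.com/auth/apps.groups.settings",
}
// NewKey stands in for the private key inside the service account's JSON credential file (placeholder).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func digest(s string) []byte         { d := sha256.Sum256([]byte(s)); return d[:] }

// DelegationAssertion builds the RS256 JWT the service account presents to the token endpoint to act as adminUser ("sub") with exactly these scopes.
func DelegationAssertion(key *rsa.PrivateKey, saEmail, adminUser string, scopes []string, now time.Time) (string, error) {
	body, _ := json.Marshal(map[string]any{"iss": saEmail, "sub": adminUser, "aud": "https://oauth2.googleapis.com/token",
		"scope": strings.Join(scopes, " "), "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()}) // Google caps exp at 1h
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion checks the signature with the service account's public key and returns the claims (which user, which scopes).
func VerifyAssertion(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, rsa.ErrVerification
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // an undecodable signature simply fails below
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, err
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // garbage here fails Unmarshal
	claims := map[string]any{}
	return claims, json.Unmarshal(payload, &claims)
}
```

Both the impersonated user and the scope list are fixed inside this signed assertion, so the four scopes authorized for the client_id bound what the git-crypt-protected JSON key can do: the token endpoint refuses an assertion that asks for anything beyond them.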

@spiffxp (Member) commented May 15, 2019

Script is now runnable, two of us can run it: @dims and @cblecker (list of people who have gpg keys in repo)

@spiffxp (Member) commented May 15, 2019

/close

@k8s-ci-robot (Contributor)

@spiffxp: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
