Setup prow CI (#2923)

* add config and plugins

* Add prow manifests

* Switch back to old cluster

* Add config for using only OWNERS files

.prowci/.gitignore

@@ -0,0 +1,3 @@
+# prow-related secrets
+hmac
+oauth

.prowci/Makefile

@@ -0,0 +1,26 @@
+prow: prow-config prow-secrets prow-services
+.PHONY: prow
+
+prow-config:
+	kubectl create cm config --from-file=config=config.yaml
+	kubectl create cm plugins --from-file=plugins=plugins.yaml
+.PHONY: prow-config
+
+prow-config-update:
+	kubectl create cm config --from-file=config=config.yaml -o yaml --dry-run | kubectl replace -f -
+	kubectl create cm plugins --from-file=plugins=plugins.yaml -o yaml --dry-run | kubectl replace -f -
+.PHONY: prow-config-update
+
+prow-secrets:
+	# hmac is used for encrypting Github webhook payloads.
+	kubectl create secret generic hmac-token --from-file=hmac
+	# oauth is used for merging PRs, adding/removing labels and comments.
+	kubectl create secret generic oauth-token --from-file=oauth
+.PHONY: prow-secrets
+
+prow-services:
+	kubectl create -f deck.yaml
+	kubectl create -f hook.yaml
+	kubectl create -f tide.yaml
+	kubectl create -f ingress.yaml
+.PHONY: prow-services

.prowci/README.md

@@ -0,0 +1,40 @@
+# Prow
+
+Prow is a CI system that offers various features such as rich Github automation,
+and running tests in Jenkins or on a Kubernetes cluster. You can read more about
+Prow in [upstream docs][0].
+
+## acs-engine setup
+
+Prow is optimized to run as a Kubernetes application. There are some pre-installation
+steps that need to happen in a new Kubernetes cluster before deploying Prow. These
+involve setting up an Ingress controller and a mechanism to do TLS. The [Azure docs][1]
+explain how to setup Ingress with TLS on top of a Kubernetes cluster in Azure.
+
+A Github webhook also needs to be setup in the repo that points to `dns-name/hook`.
+`dns-name` is the DNS name setup during the DNS configuration of the Ingress controller.
+The Github webhook also needs to send `application/json` type of payloads and use a
+secret. This secret is going to be used by Prow to decrypt the payload inside Kubernetes.
+
+Another secret that needs to be setup is a Github token from the bot account that is
+going to manage PRs and issues. The token needs the `repo` and `read:org` scopes
+enabled. The bot account also needs to be added as a collaborator in the repository
+it is going to manage.
+
+To automate the installation of Prow, store the webhook secret as `hmac` and the bot
+token as `oauth` inside the `.prowci` directory. Then, installing Prow involves
+running the following command:
+```
+make prow
+```
+
+## What is installed
+
+`hook` is installed that manages receiving webhooks from Github and reacting
+appropriately on Github. `deck` is installed as the Prow frontend. Last, `tide`
+is also installed that takes care of merging pull requests that pass all tests
+and satisfy a set of label requirements.
+
+
+[0]: https://github.com/kubernetes/test-infra/tree/master/prow#prow
+[1]: https://docs.microsoft.com/en-us/azure/aks/ingress

.prowci/config.yaml

@@ -0,0 +1,18 @@
+prowjob_namespace: default
+log_level: debug
+
+tide:
+  # target_url: http://ci-bot-aks-ingress.eastus.cloudapp.azure.com/tide.html
+  merge_method:
+    Azure/acs-engine: squash
+  queries:
+  - repos:
+    - Azure/acs-engine
+    labels:
+    - lgtm
+    - approved
+    missingLabels:
+    - needs-ok-to-test
+    - DO-NOT-MERGE
+    - do-not-merge/work-in-progress
+    - do-not-merge/hold

.prowci/deck.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: deck
+  spec:
+    selector:
+      app: prow
+      component: deck
+    ports:
+    - port: 80
+      targetPort: 8080
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: deck
+    labels:
+      app: prow
+      component: deck
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: deck
+    revisionHistoryLimit: 2
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: deck
+      spec:
+        containers:
+        - name: deck
+          image: registry.svc.ci.openshift.org/ci/deck:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --tide-url=http://tide/
+          - --hook-url=http://hook:8888/plugin-help
+          # defaults to --config-path=/etc/config/config
+          ports:
+            - name: http
+              # not configurable today, deck serves in 8080 
+              containerPort: 8080
+          volumeMounts:
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+        volumes:
+        - name: config
+          configMap:
+            name: config

.prowci/hook.yaml

@@ -0,0 +1,83 @@
+# Needs the hmac-token secret for decrypting webhook payloads.
+# Needs the oauth-token secret for manipulating Github PRs/issues.
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: hook
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "8888"
+  spec:
+    selector:
+      app: prow
+      component: hook
+    ports:
+    - port: 8888
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: hook
+    labels:
+      app: prow
+      component: hook
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: hook
+    revisionHistoryLimit: 2
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: hook
+      spec:
+        containers:
+        - name: hook
+          image: registry.svc.ci.openshift.org/ci/hook:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --dry-run=false
+          # defaults to --port=8888
+          # defaults to --github-token-file=/etc/github/oauth
+          # defaults to --hmac-secret-file=/etc/webhook/hmac
+          # defaults to --config-path=/etc/config/config
+          # defaults to --plugin-config=/etc/plugins/plugins
+          ports:
+            - name: http
+              containerPort: 8888
+          volumeMounts:
+          - name: hmac
+            mountPath: /etc/webhook
+            readOnly: true
+          - name: oauth
+            mountPath: /etc/github
+            readOnly: true
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+          - name: plugins
+            mountPath: /etc/plugins
+            readOnly: true
+          - name: tmp
+            mountPath: /tmp
+        volumes:
+        - name: hmac
+          secret:
+            secretName: hmac-token
+        - name: oauth
+          secret:
+            secretName: oauth-token
+        - name: config
+          configMap:
+            name: config
+        - name: plugins
+          configMap:
+            name: plugins
+        - name: tmp
+          emptyDir: {}

.prowci/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: prow-ingress
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  tls:
+  - secretName: prow-tls
+    hosts:
+    - ci-bot-aks-ingress.eastus.cloudapp.azure.com
+  rules:
+  - host: ci-bot-aks-ingress.eastus.cloudapp.azure.com
+    http:
+      paths:
+      - path: /*
+        backend:
+          serviceName: deck
+          servicePort: 80
+      - path: /hook
+        backend:
+          serviceName: hook
+          servicePort: 8888

.prowci/plugins.yaml

@@ -0,0 +1,39 @@
+approve:
+- repos:
+  - Azure/acs-engine
+
+config_updater:
+  maps:
+    .prowci/config.yaml:
+      name: config
+    .prowci/plugins.yaml:
+      name: plugins
+
+label:
+  additional_labels:
+  - orchestrator/k8s
+  - orchestrator/openshift
+  - orchestrator/dcos
+  - orchestrator/swarm
+  - DO-NOT-MERGE
+
+owners:
+  skip_collaborators:
+  - Azure/acs-engine
+
+plugins:
+  Azure/acs-engine:
+  - approve
+  - assign
+  - cat
+  - config-updater
+  - dog
+  - help
+  - hold
+  - label
+  - lgtm
+  - lifecycle
+  - shrug
+  - size
+  - wip
+  - yuks

.prowci/tide.yaml

@@ -0,0 +1,90 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: tide
+  spec:
+    selector:
+      app: prow
+      component: tide
+    ports:
+    - port: 80
+      targetPort: 8888
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: tide
+    labels:
+      app: prow
+      component: tide
+  spec:
+    # Do not scale up.
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: tide
+    strategy:
+      type: Recreate
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: tide
+      spec:
+        serviceAccountName: tide
+        containers:
+        - name: tide
+          image: registry.svc.ci.openshift.org/ci/tide:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --dry-run=false
+          # defaults to --github-token-file=/etc/github/oauth
+          # defaults to --config-path=/etc/config/config
+          ports:
+          - name: http
+            containerPort: 8888
+          volumeMounts:
+          - name: oauth
+            mountPath: /etc/github
+            readOnly: true
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+        volumes:
+        - name: oauth
+          secret:
+            secretName: oauth-token
+        - name: config
+          configMap:
+            name: config
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: tide
+- kind: Role
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: tide
+  rules:
+    - apiGroups:
+        - "prow.k8s.io"
+      resources:
+        - prowjobs
+      verbs:
+        - create
+        - list
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: tide
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: tide
+  subjects:
+  - kind: ServiceAccount
+    name: tide