From e9c9deec60ee9581901b38fde7936ad4a4dd1513 Mon Sep 17 00:00:00 2001
From: Michalis Kargakis
Date: Thu, 24 May 2018 00:53:53 +0200
Subject: [PATCH] Setup prow CI (#2923)
* add config and plugins
* Add prow manifests
* Switch back to old cluster
* Add config for using only OWNERS files
---
 .prowci/.gitignore | 3 ++
 .prowci/Makefile | 26 +++++++++++++
 .prowci/README.md | 40 ++++++++++++++++++++
 .prowci/config.yaml | 18 +++++++++
 .prowci/deck.yaml | 55 +++++++++++++++++++++++++++
 .prowci/hook.yaml | 83 ++++++++++++++++++++++++++++++++++++++++
 .prowci/ingress.yaml | 24 ++++++++++++
 .prowci/plugins.yaml | 39 +++++++++++++++++++
 .prowci/tide.yaml | 90 ++++++++++++++++++++++++++++++++++++++++++++
 9 files changed, 378 insertions(+)
 create mode 100644 .prowci/.gitignore
 create mode 100644 .prowci/Makefile
 create mode 100644 .prowci/README.md
 create mode 100644 .prowci/config.yaml
 create mode 100644 .prowci/deck.yaml
 create mode 100644 .prowci/hook.yaml
 create mode 100644 .prowci/ingress.yaml
 create mode 100644 .prowci/plugins.yaml
 create mode 100644 .prowci/tide.yaml
diff --git a/.prowci/.gitignore b/.prowci/.gitignore
new file mode 100644
index 000000000..f095525b2
--- /dev/null
+++ b/.prowci/.gitignore
@@ -0,0 +1,3 @@
+# prow-related secrets
+hmac
+oauth
diff --git a/.prowci/Makefile b/.prowci/Makefile
new file mode 100644
index 000000000..7952884fb
--- /dev/null
+++ b/.prowci/Makefile
@@ -0,0 +1,26 @@
+prow: prow-config prow-secrets prow-services
+.PHONY: prow
+
+prow-config:
+	kubectl create cm config --from-file=config=config.yaml
+	kubectl create cm plugins --from-file=plugins=plugins.yaml
+.PHONY: prow-config
+
+prow-config-update:
+	kubectl create cm config --from-file=config=config.yaml -o yaml --dry-run | kubectl replace -f -
+	kubectl create cm plugins --from-file=plugins=plugins.yaml -o yaml --dry-run | kubectl replace -f -
+.PHONY: prow-config-update
+
+prow-secrets:
+	# hmac is used for encrypting Github webhook payloads.
+	kubectl create secret generic hmac-token --from-file=hmac
+	# oauth is used for merging PRs, adding/removing labels and comments.
+	kubectl create secret generic oauth-token --from-file=oauth
+.PHONY: prow-secrets
+
+prow-services:
+	kubectl create -f deck.yaml
+	kubectl create -f hook.yaml
+	kubectl create -f tide.yaml
+	kubectl create -f ingress.yaml
+.PHONY: prow-services
diff --git a/.prowci/README.md b/.prowci/README.md
new file mode 100644
index 000000000..ca8bf092b
--- /dev/null
+++ b/.prowci/README.md
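Review bot: The comment above the hmac-token secret, `# hmac is used for encrypting Github webhook payloads.`, misstates what the secret does: nothing is encrypted, GitHub uses the shared secret to compute an HMAC over each delivery (the `X-Hub-Signature` header) and hook recomputes it so that payloads not produced by GitHub are rejected. The wording matters because an operator reading "encrypt" may treat the value as less sensitive than it is, when anyone holding it can forge deliveries to the Internet-facing `/hook` path that ingress.yaml exposes. Suggested wording: `# hmac is the shared webhook secret; hook verifies the X-Hub-Signature of each GitHub delivery against it (authentication, not encryption).` The README added in this commit repeats the same "decrypt" wording and would want the same correction.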
@@ -0,0 +1,40 @@
+# Prow
+
+Prow is a CI system that offers various features such as rich Github automation,
+and running tests in Jenkins or on a Kubernetes cluster. You can read more about
+Prow in [upstream docs][0].
+
+## acs-engine setup
+
+Prow is optimized to run as a Kubernetes application. There are some pre-installation
+steps that need to happen in a new Kubernetes cluster before deploying Prow. These
+involve setting up an Ingress controller and a mechanism to do TLS. The [Azure docs][1]
+explain how to setup Ingress with TLS on top of a Kubernetes cluster in Azure.
+
+A Github webhook also needs to be setup in the repo that points to `dns-name/hook`.
+`dns-name` is the DNS name setup during the DNS configuration of the Ingress controller.
+The Github webhook also needs to send `application/json` type of payloads and use a
+secret. This secret is going to be used by Prow to decrypt the payload inside Kubernetes.
+
+Another secret that needs to be setup is a Github token from the bot account that is
+going to manage PRs and issues. The token needs the `repo` and `read:org` scopes
+enabled. The bot account also needs to be added as a collaborator in the repository
+it is going to manage.
+
+To automate the installation of Prow, store the webhook secret as `hmac` and the bot
+token as `oauth` inside the `.prowci` directory. Then, installing Prow involves
+running the following command:
+```
+make prow
+```
+
+## What is installed
+
+`hook` is installed that manages receiving webhooks from Github and reacting
+appropriately on Github. `deck` is installed as the Prow frontend. Last, `tide`
+is also installed that takes care of merging pull requests that pass all tests
+and satisfy a set of label requirements.
+
+
+[0]: https://github.com/kubernetes/test-infra/tree/master/prow#prow
+[1]: https://docs.microsoft.com/en-us/azure/aks/ingress
\ No newline at end of file
diff --git a/.prowci/config.yaml b/.prowci/config.yaml
new file mode 100644
index 000000000..f0aa01004
--- /dev/null
+++ b/.prowci/config.yaml
@@ -0,0 +1,18 @@
+prowjob_namespace: default
+log_level: debug
+
+tide:
+  # target_url: http://ci-bot-aks-ingress.eastus.cloudapp.azure.com/tide.html
+  merge_method:
+    Azure/acs-engine: squash
+  queries:
+  - repos:
+    - Azure/acs-engine
+    labels:
+    - lgtm
+    - approved
+    missingLabels:
+    - needs-ok-to-test
+    - DO-NOT-MERGE
+    - do-not-merge/work-in-progress
+    - do-not-merge/hold
diff --git a/.prowci/deck.yaml b/.prowci/deck.yaml
new file mode 100644
index 000000000..f559f8781
--- /dev/null
+++ b/.prowci/deck.yaml
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: deck
+  spec:
+    selector:
+      app: prow
+      component: deck
+    ports:
+    - port: 80
+      targetPort: 8080
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: deck
+    labels:
+      app: prow
+      component: deck
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: deck
+    revisionHistoryLimit: 2
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: deck
+      spec:
+        containers:
+        - name: deck
+          image: registry.svc.ci.openshift.org/ci/deck:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --tide-url=http://tide/
+          - --hook-url=http://hook:8888/plugin-help
+          # defaults to --config-path=/etc/config/config
+          ports:
+          - name: http
+            # not configurable today, deck serves in 8080
+            containerPort: 8080
+          volumeMounts:
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+        volumes:
+        - name: config
+          configMap:
+            name: config
diff --git a/.prowci/hook.yaml b/.prowci/hook.yaml
new file mode 100644
index 000000000..1c28f27d5
--- /dev/null
+++ b/.prowci/hook.yaml
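Review bot: `image: registry.svc.ci.openshift.org/ci/deck:latest` together with `imagePullPolicy: IfNotPresent` in the deck Deployment means a node that already has any `deck:latest` cached keeps running it across redeploys, so the build actually serving is neither reproducible nor auditable and two nodes can end up on different builds. Pin the image to an immutable tag or a `@sha256:` digest (at which point `IfNotPresent` is fine), or at minimum use `imagePullPolicy: Always` while `:latest` is in use. hook.yaml and tide.yaml in this commit use the same pattern; for tide in particular, which holds the bot token and performs the merges, it is worth knowing exactly which build is live.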
@@ -0,0 +1,83 @@
+# Needs the hmac-token secret for decrypting webhook payloads.
+# Needs the oauth-token secret for manipulating Github PRs/issues.
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: hook
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "8888"
+  spec:
+    selector:
+      app: prow
+      component: hook
+    ports:
+    - port: 8888
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: hook
+    labels:
+      app: prow
+      component: hook
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: hook
+    revisionHistoryLimit: 2
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: hook
+      spec:
+        containers:
+        - name: hook
+          image: registry.svc.ci.openshift.org/ci/hook:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --dry-run=false
+          # defaults to --port=8888
+          # defaults to --github-token-file=/etc/github/oauth
+          # defaults to --hmac-secret-file=/etc/webhook/hmac
+          # defaults to --config-path=/etc/config/config
+          # defaults to --plugin-config=/etc/plugins/plugins
+          ports:
+          - name: http
+            containerPort: 8888
+          volumeMounts:
+          - name: hmac
+            mountPath: /etc/webhook
+            readOnly: true
+          - name: oauth
+            mountPath: /etc/github
+            readOnly: true
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+          - name: plugins
+            mountPath: /etc/plugins
+            readOnly: true
+          - name: tmp
+            mountPath: /tmp
+        volumes:
+        - name: hmac
+          secret:
+            secretName: hmac-token
+        - name: oauth
+          secret:
+            secretName: oauth-token
+        - name: config
+          configMap:
+            name: config
+        - name: plugins
+          configMap:
+            name: plugins
+        - name: tmp
+          emptyDir: {}
diff --git a/.prowci/ingress.yaml b/.prowci/ingress.yaml
new file mode 100644
index 000000000..d25d9c7df
--- /dev/null
+++ b/.prowci/ingress.yaml
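Review bot: The hook pod spec sets no `serviceAccountName`, so it runs under the namespace's default service account, yet plugins.yaml in this commit enables `config-updater`, which (as far as I know the upstream plugin) rewrites the `config` and `plugins` ConfigMaps through the in-cluster API after a merge; on an RBAC-enabled cluster those writes would be denied unless the default account has been granted that elsewhere, and granting it to the default account would hand the same rights to every other pod in the namespace. tide.yaml already ships a dedicated ServiceAccount/Role/RoleBinding; hook should get the same, scoped to just those two ConfigMaps. The existing hunk comments (`# Needs the hmac-token secret ...`) would be a good place to add `# Needs RBAC to update the config/plugins ConfigMaps (config-updater plugin).` Worth verifying the exact verb set against the prow version in the `hook:latest` image.

```yaml
      spec:
        serviceAccountName: hook
        # … unchanged: containers and volumes …
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: hook
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    name: hook
  rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    resourceNames:
    - config
    - plugins
    verbs:
    - get
    - update
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    name: hook
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: hook
  subjects:
  - kind: ServiceAccount
    name: hook
```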
@@ -0,0 +1,24 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: prow-ingress
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    # nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  tls:
+  - secretName: prow-tls
+    hosts:
+    - ci-bot-aks-ingress.eastus.cloudapp.azure.com
+  rules:
+  - host: ci-bot-aks-ingress.eastus.cloudapp.azure.com
+    http:
+      paths:
+      - path: /*
+        backend:
+          serviceName: deck
+          servicePort: 80
+      - path: /hook
+        backend:
+          serviceName: hook
+          servicePort: 8888
diff --git a/.prowci/plugins.yaml b/.prowci/plugins.yaml
new file mode 100644
index 000000000..efcdb24d5
--- /dev/null
+++ b/.prowci/plugins.yaml
@@ -0,0 +1,39 @@
+approve:
+- repos:
+  - Azure/acs-engine
+
+config_updater:
+  maps:
+    .prowci/config.yaml:
+      name: config
+    .prowci/plugins.yaml:
+      name: plugins
+
+label:
+  additional_labels:
+  - orchestrator/k8s
+  - orchestrator/openshift
+  - orchestrator/dcos
+  - orchestrator/swarm
+  - DO-NOT-MERGE
+
+owners:
+  skip_collaborators:
+  - Azure/acs-engine
+
+plugins:
+  Azure/acs-engine:
+  - approve
+  - assign
+  - cat
+  - config-updater
+  - dog
+  - help
+  - hold
+  - label
+  - lgtm
+  - lifecycle
+  - shrug
+  - size
+  - wip
+  - yuks
diff --git a/.prowci/tide.yaml b/.prowci/tide.yaml
new file mode 100644
index 000000000..d15970deb
--- /dev/null
+++ b/.prowci/tide.yaml
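Review bot: `- path: /*` on the deck rule is probably not the catch-all it is meant to be: the commented-out `nginx.ingress.kubernetes.io/rewrite-target` annotation suggests the nginx ingress controller, which matches `path` as a literal prefix, so `/*` would only match URLs beginning with `/*` and every other request (the deck frontend, `/tide.html` referenced in config.yaml) would fall through to the controller's default backend; `/*` is the GCE controller's wildcard syntax. If this is nginx the line should read `- path: /`. Worth confirming against whichever controller the AKS document linked from the README installs, and the `/hook` rule is unaffected either way.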
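Review bot: `skip_collaborators` under `owners:` in plugins.yaml deserves a comment, because it widens who can get a PR merged: as I read the upstream owners plugin, it stops cross-checking OWNERS entries against GitHub collaborator status, so any GitHub account named in an OWNERS file can `/approve` and `/lgtm` without write access to the repository, and tide (keyed on the `lgtm`/`approved` labels in config.yaml) merges on that. This matches "Add config for using only OWNERS files" in the commit message, but a reader of this file should not have to find the intent there. Suggested, above the `skip_collaborators:` line: `# Trust OWNERS files alone: approvers/reviewers need not be GitHub collaborators.`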
@@ -0,0 +1,90 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: tide
+  spec:
+    selector:
+      app: prow
+      component: tide
+    ports:
+    - port: 80
+      targetPort: 8888
+    type: ClusterIP
+- apiVersion: apps/v1beta2
+  kind: Deployment
+  metadata:
+    name: tide
+    labels:
+      app: prow
+      component: tide
+  spec:
+    # Do not scale up.
+    replicas: 1
+    selector:
+      matchLabels:
+        app: prow
+        component: tide
+    strategy:
+      type: Recreate
+    template:
+      metadata:
+        labels:
+          app: prow
+          component: tide
+      spec:
+        serviceAccountName: tide
+        containers:
+        - name: tide
+          image: registry.svc.ci.openshift.org/ci/tide:latest
+          imagePullPolicy: IfNotPresent
+          args:
+          - --dry-run=false
+          # defaults to --github-token-file=/etc/github/oauth
+          # defaults to --config-path=/etc/config/config
+          ports:
+          - name: http
+            containerPort: 8888
+          volumeMounts:
+          - name: oauth
+            mountPath: /etc/github
+            readOnly: true
+          - name: config
+            mountPath: /etc/config
+            readOnly: true
+        volumes:
+        - name: oauth
+          secret:
+            secretName: oauth-token
+        - name: config
+          configMap:
+            name: config
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: tide
+- kind: Role
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: tide
+  rules:
+  - apiGroups:
+    - "prow.k8s.io"
+    resources:
+    - prowjobs
+    verbs:
+    - create
+    - list
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: tide
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: tide
+  subjects:
+  - kind: ServiceAccount
+    name: tide