Going Beyond CI/CD with Prow

Transcript

1. Going Beyond CI/CD with Prow @leodido

2. Leonardo Di Donato Open Source Software Engineer Falco Maintainer @leodido

   2 extra points to who spots the meaning of this Italian hand-gesture! Whoami!

3. A timeline always works fine Falco created to parse libsinsp

   events! May 2016 Accepted as a CNCF incubation level hosted project Jan 2020 Sysdig Inc. donated Falco to the CNCF Oct 2018 3 May 2019 Falco Community Calls start! @leodido

4. Drama! 4 ❏ CI was built on top of Travis

   CI ❏ Barely working ❏ Flaky ❏ Falco drivers building & testing infrastructure not public ❏ Internal Jenkins @leodido

5. More drama! 5 ❏ PRs merged even when GitHub status

   checks not passing ❏ No clear ownership ❏ Missing PRs reviews ❏ Some policies there but… ❏ Not easily discoverable & auditable ❏ Zero enforcement ❏ Zero automation ❏ The list goes on... @leodido

6. No blame. Just solutions.™ We had some constraints… ❏ No

   time to build a custom CI/CD system from scratch ❏ No time to create an automatic policy enforcer ❏ Team of 2 While the main focus was to: ❏ Write eBPF ❏ Write C/C++ code @leodido

7. How Kubernetes does? @leodido

8. Prow Way more than CI/CD. ❏ GitHub ChatOps ❏ Define

   and enforce policies ❏ Auto-merge bot ❏ OSS ❣ @leodido

9. CRDs ❏ Custom controllers ❏ Resource management Pods ❏ Scheduling

   ❏ Lifecycle ❏ A bunch of containers ConfigMaps ❏ Auditable ❏ Configurations Secrets ❏ Credentials management 9 Built for Kubernetes. On Kubernetes. @leodido

10. Poiana stops the drama! 10 More time spent in Falco

    coding. Healthier OSS Auditable policies. Clear rules. Templated processes. Auto enforcement. Community More contributors. More projects. @leodido

11. Prow Architecture ❏ ProwJob custom resource ❏ Horologium ❏ Hook

    ❏ Plank ❏ Deck ❏ Tide ❏ Sinker ❏ Crier @leodido

12. ProwJobs ❏ Life of a ProwJob ❏ Custom resource ❏

    Custom controllers ❏ Types ❏ presubmit ❏ postsubmit ❏ batch ❏ periodic @leodido

13. @leodido Plank Controller that manages the lifecycle of jobs. Plank

    Job X POD Pods API API ProwJobs Prow Cluster Build Cluster Horologium Periodic jobs… gh:falcosecurity/test-infra/pull/78

14. Hook kubernetes/test-infra/prow/hook @leodido GitHub Hook cat trigger goose webhooks /meow

    /retest /honk

15. @leodido Plugins for everybody kubernetes/test-infra/prow/plugins ❏ config_updater ❏ trigger ❏

    approve, lgtm ❏ hold, wip ❏ ...

16. @leodido ProwJob definition Deck Build logs

17. Tide @leodido Overrides! These prevent a PR on Falco to

    be merged in! Poiana requires these labels to put a Falco PR in merge queue!

18. Sinker garbage collector ❏ > 48 hours completed jobs (customisable)

    ❏ > 30 min completed pods (customisable) @leodido Crier 1. Detects ProwJob status changes 2. Reports them ❏ Gerrit ❏ Pubsub ❏ GitHub ❏ Slack Disable report feature of Plank! (--skip-report=true) More at test-infra/prow/cmd/crier

19. Workflow

20. I want it too! GitHub Bot Account go get -u

    k8s.io/test-infra/experiment/update-hook update-hook --hmac-path=path/to/hmac/secret \ --github-token-path=path/to/oauth/secret \ --hook-url http://1.2.3.4/hook --repo my_organization --confirm=true Become a YAML developer ❏ Write access to the repos ❏ Owner access for the org(s) ❏ Create access token with repo:status + public_repo scopes ❏ admin:org_hook if handling GitHub org 1. Create the YAML manifests, cluster role bindings… 2. Create the secrets from tokens (hmac + oauth2) 3. Apply them on your Kubernetes cluster Install the webhook 1 2 3 getting started guide @leodido

21. falcosecurity/test-infra/prow a.k.a @poiana

22. Bring Your Own Prow Plugin STEPS 1. Write a Go

    server! 2. Wrap it into a docker image 3. Kubernetes service and deployment 4. kubectl apply -f them! 5. Add it to your Prow cluster external_plugins: <org>/<repo>: - name: <name> endpoint: http://<name>.default.svc.cluster.local events: - issue_comment RESOURCES ❏ custom external plugin intro ❏ phony test utility ❏ help helpers ❏ k8s.io/test-infra/prow/pluginhelp ❏ k8s.io/test-infra/prow/pluginhelp/exter nalplugins ❏ GitHub client and utilities ❏ k8s.io/test-infra/prow/github ❏ config agent and secrets ❏ k8s.io/test-infra/prow/config/secret ❏ k8s.io/test-infra/prow/config ❏ flag helpers ❏ k8s.io/test-infra/pkg/flagutil ❏ k8s.io/test-infra/prow/flagutil @leodido

23. Read The Source Code leodido/saymyname-prow-plugin @leodido

24. @leodido

25. Speculations about the future! ❏ Enable the Prow GitHub API

    proxy ❏ Falco Drivers Test Grid through ProwJobs ❏ Code Coverage ❏ Code Linting ❏ Custom plugin for externals CI ❏ Spyglass ❏ Plugin that automatically creates a release PR when a milestone is done ❏ Periodic job to cleanup old unused Falco version and prebuilt Falco drivers ❏ ... 25 @leodido

26. Questions and feedback welcome 26 Thanks! ❏ twitter.com/leodido ❏ github.com/leodido

    ❏ github.com/falcosecurity/falco ❏ slack.k8s.io, #falco channel ❏ github.com/falcosecurity/test-infra ❏ github.com/kubernetes/test-infra ❏ thanks to Apulia for inspiration @leodido