GCB for staging #356
GCB for staging #356
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
If we're OK to clear retention, I can do that manually once and then remove that entirely. |
infra/gcp/lib.sh
Outdated
| --member "serviceAccount:${PROW_SVCACCT}" \ | ||
| --role roles/cloudbuild.builds.builder | ||
|
|
||
| # Allow prow to access build logs. |
There was a problem hiding this comment.
tiny nit: objectViewer allows prow to access build logs; objectCreator allows it to provide the build source to GCB
thockin
force-pushed
the
gcb-for-staging
branch
from
95d4d02 to
1f36397
Compare
|
comment update coming
…On Thu, Sep 5, 2019 at 5:05 PM Katharine Berry ***@***.***> wrote:
***@***.**** commented on this pull request.
lib.sh/ensure-staging-storage.sh changes LGTM; I have no idea about the
ensure-main-project.sh ones.
------------------------------
In infra/gcp/lib.sh
<#356 (comment)>:
> +# $2: The GCS scratch bucket
+function empower_prow() {
+ if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+ echo "empower_prow(project, bucket) requires 2 arguments" >&2
+ return 1
+ fi
+ project="$1"
+ bucket="$2"
+
+ # Allow prow to trigger builds.
+ gcloud \
+ projects add-iam-policy-binding "${project}" \
+ --member "serviceAccount:${PROW_SVCACCT}" \
+ --role roles/cloudbuild.builds.builder
+
+ # Allow prow to access build logs.
tiny nit: objectViewer allows prow to access build logs; objectCreator
allows it to provide the build source to GCB
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#356?email_source=notifications&email_token=ABKWAVCZ5MRYNTENLDJAHFDQIGNGJA5CNFSM4IUDQTZ2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCD3KQMY#pullrequestreview-284600371>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABKWAVGTRQVOXCL5QFOTJDTQIGNGJANCNFSM4IUDQTZQ>
.
|
k8s-ci-robot
added
the
lgtm
|
/hold I will run the retention clear once and then remove it from here, once I get ACK from someone like @justinsb |
k8s-ci-robot
added
the
do-not-merge/hold
|
/approve (in principle, looks like vince and katharine has done in-depth reviews) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
infra/gcp/ensure-staging-storage.sh
Outdated
| BUCKET="gs://${PROJECT}" | ||
| # The names of the buckets | ||
| STAGING_BUCKET="gs://${PROJECT}" | ||
| SCRATCH_BUCKET="gs://${PROJECT}-scratch" |
There was a problem hiding this comment.
Wasn't clear what scratch was for. Reading context I can see it's for prow logs (I believe), but would be good to have a comment to that effect.
There was a problem hiding this comment.
@justinsb It's actually for uploading source tarballs for the GCB builds
There was a problem hiding this comment.
It does both of those things!
|
lgtm also! Only one nit that the purpose of the scratch buckets wasn't obvious |
|
Maybe we should call it -gcb or something? Is that name coded into the GCB
config in your repo?
…On Wed, Sep 11, 2019 at 6:53 AM Jason DeTiberus ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In infra/gcp/ensure-staging-storage.sh
<#356 (comment)>:
>
# The GCP project name.
PROJECT="k8s-staging-${REPO}"
# The group that can write to this staging repo.
***@***.***"
- # The name of the bucket
- BUCKET="gs://${PROJECT}"
+ # The names of the buckets
+ STAGING_BUCKET="gs://${PROJECT}"
+ SCRATCH_BUCKET="gs://${PROJECT}-scratch"
@justinsb <https://github.com/justinsb> It's actually for uploading
source tarballs for the GCB builds
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#356?email_source=notifications&email_token=ABKWAVAA44RG5XX3AEUXP3DQJDZ4NA5CNFSM4IUDQTZ2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCEMFKVQ#discussion_r323253945>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABKWAVFPXZXANYUTESNTLU3QJDZ4NANCNFSM4IUDQTZQ>
.
|
thockin
force-pushed
the
gcb-for-staging
branch
from
1f36397 to
45db157
Compare
k8s-ci-robot
removed
the
lgtm
|
I added a comment, but maybe renaming it is better. @Katharine - where is the "foo-scratch" name used? |
|
@thockin It's used in the test-infra configs: https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/k8s-staging-cluster-api.yaml#L20 There is no other reference to it. Renaming to -gcb or similar seems fine to me. |
The terraform code will handle this.
Enable GCB API. Create a scratch bucket for logs and stuff. Allow the prow svcacct to trigger builds and log. Remove retention policy for staging buckets (not needed for most and disallowed for GCB scratch) After this change, a small prow PR and a YAML file in your repo and you can pos-submit build and push to staging GCR without human hands touching it.
thockin
force-pushed
the
gcb-for-staging
branch
from
45db157 to
b2aa075
Compare
|
Great. I have renamed it here. Upon LGTM, I will run it for all stagings, PR a change to test-infra to change ref, and when that merges, remove the old scratch bucket |
thockin
removed
the
do-not-merge/hold
|
hold is removed |
|
Giving it another look |
k8s-ci-robot
added
the
lgtm
|
@thockin @dims @Katharine sounds like we need to coordinate the running of this updated script and getting the prow job updated. |
|
Running now to make the new buckets. Once that is done, we can coordinate prow config PR before removing the -scratch bucket |
|
All staging projects have been activated, GCB enabled, buckets created. Game on. |
Enable GCB builds for staging repos
Enable GCB API.
Create a scratch bucket for logs and stuff.
Allow the prow svcacct to trigger builds and log.
Remove retention policy for staging buckets (not needed for most and
disallowed for GCB scratch)
After this change, a small prow PR and a YAML file in your repo and you
can post-submit build and push to staging GCR without human hands
touching it.