This instruction provides the steps required to deploy your own Prow on a forked repository for test and development purposes.
NOTE: The following instructions assume that you are signed in to the Google Cloud project with administrative rights and that you have the
$GOPATH
already set.
Install the following tools:
- Kubernetes 1.10+ on Google Kubernetes Engine (GKE)
- kubectl to communicate with Kubernetes
- gcloud to communicate with Google Cloud Platform (GCP)
- OpenSSL
-
Export these variables:
export PROJECT={project-name} export CLUSTER_NAME={cluster-name} export ZONE={zone-name}
-
When you communicate for the first time with Google Cloud, set the context to your Google Cloud project. Run this command:
gcloud config set project $PROJECT
-
Run the
provision-cluster.sh
script or follow this instruction to provision a new cluster on GKE. Make sure that kubectl points to the correct cluster. For GKE, run the following command:gcloud container clusters get-credentials $CLUSTER_NAME --zone=$ZONE --project=$PROJECT
Create a separate GitHub account which serves as a bot account that triggers the Prow comments that you enter in the pull request. If the Prow bot account is the same as the account that creates a job-triggering comment, the job is not triggered.
Add the bot account to the collaborators on your forked repository and set it with push access rights. The bot account must accept your invitation.
Set an OAuth2 token that has the read and write access to the bot account.
To generate a new token, go to the Settings tab of a given GitHub account and click Developer Settings. Choose Personal Access Token and Generate New Token. In the new window, select all scopes and click Generate token.
You can set the token either as an environment variable named OAUTH
or provide it during the installation process when prompted.
For the purpose of the installation, you must have a set of service accounts and secret files created on Google Cloud Storage (GCS).
NOTE: For details, see the Prow Secrets Management document that explains step by step how to create all required GCS resources.
-
Create two buckets on GCS, one for storing Secrets and the second for storing logs.
NOTE: The bucket for storing logs is used in Prow by the Plank component. This reference is defined in the
config.yaml
file. This bucket is also used in Prow by Spyglass to display the logs. To make it publicly accessible, assign Storage Object Viewer and Storage Legacy Bucket Reader roles toallUsers
. -
Create the following service accounts, role bindings, and private keys. Encrypt them using Key Management Service (KMS), and upload them to your Secret storage bucket:
- sa-gke-kyma-integration with roles that allow the account to manage Kubernetes clusters and their resources:
- Compute Admin (
roles/compute.admin
) - Kubernetes Engine Admin (
roles/container.admin
) - Kubernetes Engine Cluster Admin (
roles/container.clusterAdmin
) - DNS Administrator (
roles/dns.admin
) - Service Account User (
roles/iam.serviceAccountUser
) - Storage Admin (
roles/storage.admin
)
- sa-vm-kyma-integration with roles that allow the account to provision virtual machines:
- Compute Instance Admin (beta) (
roles/compute.instanceAdmin
) - Compute OS Admin Login (
roles/compute.osAdminLogin
) - Service Account User (
roles/iam.serviceAccountUser
)
- Compute Instance Admin (beta) (
- sa-gcs-plank with the role that allows the account to store objects in a bucket:
- Storage Object Admin (
roles/storage.objectAdmin
)
- Storage Object Admin (
- sa-gcr-push with the role that allows the account to push images to Google Container Repository:
- Storage Admin (
roles/storage.admin
)
- Storage Admin (
- kyma-bot-npm-token which is a token for publishing npm packages
Follow these steps to install Prow:
- Export these environment variables:
- BUCKET_NAME is a GCS bucket in the Google Cloud project that stores Prow Secrets.
- KEYRING_NAME is the KMS key ring.
- ENCRYPTION_KEY_NAME is the key name in the key ring that is used for data encryption.
- KUBECONFIG is a path to a
kubeconfig
file. - PROJECT is a Gcloud project name.
- GOOGLE_APPLICATION_CREDENTIALS is a path to a service account file. This service account requires KMS and storage roles.
The account files are encrypted with the ENCRYPTION_KEY_NAME key from KEYRING_NAME and are stored in BUCKET_NAME.
- Go to the
development
folder and run the following script to start the installation process:
./install-prow.sh
NOTE: The scripts prompts you to enter your OAuth2 token.
This script performs the following steps to install Prow:
- Deploy the NGINX Ingress Controller.
- Create a ClusterRoleBinding.
- Create a HMAC token used for GitHub webhooks.
- Create Secrets for HMAC and OAuth2 used by Prow.
- Deploy Prow components using the
starter.yaml
file from theprow/cluster
directory. - Add annotations for the Prow Ingress to make it work with the NGINX Ingress Controller.
Verify if the Prow installation was successful.
-
Check if all Pods are up and running:
kubectl get pods
-
Check if the Deck is accessible from outside of the cluster:
kubectl get ingress ing
Copy the address of the ingress
ing
and open it in a browser to display the Prow status on the dashboard.
After Prow installs successfully, you must configure the webhook to enable the GitHub repository to send events to Prow.
When you use the install-prow.sh
script to install Prow on your cluster, the list of plugins and configuration is empty. You can configure Prow by specifying the config.yaml
and plugins.yaml
files, and adding job definitions to the jobs
directory.
The config.yaml
file contains the basic Prow configuration. When you create a particular ProwJob, it uses the Preset definitions from this file. See the example of such a file here.
For more details, see the Kubernetes documentation.
The plugins.yaml
file contains the list of plugins you enable on a given repository. See the example of such a file here.
For more details, see the Kubernetes documentation.
You can define a test presubmit job for a component. However, remember to adjust its definition in the yaml
file to point to your forked repository instead of the original repository.
For details on how to define a presubmit job, see the Migration Guide.
To check if the plugins.yaml
, config.yaml
, and jobs configuration files are correct, run the validate-config.sh {plugins_file_path} {config_file_path} {jobs_dir_path}
script. For example, run:
./validate-config.sh ../prow/plugins.yaml ../prow/config.yaml ../prow/jobs
If the files are configured correctly, upload the files on a cluster.
-
Use the
update-plugins.sh {file_path}
script to apply plugin changes on a cluster../update-plugins.sh ../prow/plugins.yaml
-
Use the
update-config.sh {file_path}
script to apply Prow configuration on a cluster../update-config.sh ../prow/config.yaml
-
Use the
update-jobs.sh {jobs_dir_path}
script to apply jobs configuration on a cluster../update-jobs.sh ../prow/jobs
After you complete the required configuration, you can test the uploaded plugins and configuration. You can also create your own job pipeline and test it against the forked repository.
To clean up everything created by the installation script, run the removal script:
./remove-prow.sh