github-jira-proxy, prow, plugin: add plugin that checks github webhooks #3516
Looks good for a start @avlitman - comments inline.
Maybe @brianmcarey can chime in here on how we should configure the ingress rule - and what else is necessary to get it reachable from external sources.
github/ci/prow-deploy/files/jobs/kubevirt/project-infra/project-infra-postsubmits.yaml
@@ -0,0 +1,20 @@ | |||
|
I think we can consume from your own GitHub repository for a start. Other than that, this folder is reserved for proper external prow plugins, which the code here doesn't match (yet). Having said that, you can either build from your public repo in the images `Dockerfile`, or move your code to the `robots` folder.
@@ -546,6 +546,10 @@ external_plugins: | |||
endpoint: http://referee:9900 | |||
events: | |||
- issue_comment | |||
- name: github-jira-proxy |
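Review bot: the `- name: github-jira-proxy` entry added under `external_plugins` gets events delivered the same way `referee` does, but the visible part of the hunk stops at the name. Please keep its `events:` list down to the event types the proxy actually handles, and point its `endpoint` at the in-cluster service (as `http://referee:9900` does) rather than at a public host.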
This should be removed until the code matches the setup for a proper external plugin.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
github/ci/prow-deploy/kustom/base/manifests/local/github-jira-proxy-deployment.yaml
/uncc @davidvossel @vladikr
Looks good @avlitman - I think it would be worth adding your pod to this list so that it is checked in the prow-deploy presubmit -
- name: wait for prow pods to be ready
Added (:
@avlitman looks like your pod is failing to reach a running state for some reason - https://prow.ci.kubevirt.io/view/gs/kubevirt-prow/pr-logs/pull/kubevirt_project-infra/3516/pull-project-infra-prow-deploy-test/1829076461068226560 You should be able to run a test deploy against a kubevirtci cluster to check out why. You probably need ansible installed though.
So just install ansible and run it from my laptop?
The test env may be missing the necessary secrets to start the pod - I will try to run it here locally to see and let you know.
Much appreciated! Does it make sense to push changes to this PR to see if
It's just the one job so you should be ok to push whatever changes you want - the lane is pretty quick too so you wouldn't be generating too much load.
Yes it looks like it is missing a couple of secrets for the testing env
Warning FailedMount 30s (x9 over 2m38s) kubelet MountVolume.SetUp failed for volume "github-webhook-secret" : secret "github-webhook-secret" not found
Warning FailedMount 30s (x9 over 2m38s) kubelet MountVolume.SetUp failed for volume "jira-webhook-url" : secret "jira-webhook-url" not found
You can add dummy secrets here for testing - https://github.com/kubevirt/project-infra/blob/main/github/ci/prow-deploy/vars/kubevirtci-testing/secrets.yml
Looks good @avlitman - just a couple of questions on the ingress.
- prow.ci.kubevirt.io | ||
secretName: github-jira-proxy-tls | ||
rules: | ||
- host: prow.ci.kubevirt.io |
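Review bot: `secretName: github-jira-proxy-tls` has to hold a certificate for the same name that appears under the TLS hosts and in `- host:` under `rules:`, so all three need to change together if the host is renamed. The hunk does not show how `github-jira-proxy-tls` is created; please add whatever issues it, or say in the PR where the secret comes from, so the public webhook endpoint is not served with a non-matching certificate.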
We will need to use a different host name here as `prow.ci.kubevirt.io` is already in use by prow.
fixed in both places
pathType: Prefix | ||
backend: | ||
service: | ||
name: github-jira-proxy |
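Review bot: `pathType: Prefix` on this rule exposes every path under the configured prefix of a service that is meant to be reachable from outside. If the proxy only serves one webhook path, `pathType: Exact` on that path keeps anything else the binary might serve (health or metrics handlers, for example) off the public ingress.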
Should this be `github-jira-proxy-service` as that is what the service is named below?
fixed
Also can you add some details to the PR description on why we want to add this.
Signed-off-by: avlitman <alitman@redhat.com>
@brianmcarey thanks a lot brian- fixed all your comments (:
/hold
This service should not be hosted on the kubevirt control plane cluster as there is still a risk of the mentioned secrets leaking.
What this PR does / why we need it:
This PR was added in order to make sure the Jira webhook secret URL is private and not reachable by GitHub repo maintainers outside of Red Hat.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Jira-ticket: https://issues.redhat.com/browse/CNV-45739
Special notes for your reviewer:
This service needs to have a public URL GitHub can reach.
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.
Release note:
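
The PR description above puts a publicly reachable service in front of a private Jira webhook URL. As an added example (not code from this PR or from project-infra), this Go program shows the verify-then-forward step such a proxy depends on, assuming deliveries are authenticated with GitHub's `X-Hub-Signature-256` HMAC header; `sign`, `validSignature`, `relay` and the sample values are hypothetical.

```go
// Added example: verify-then-forward for a GitHub webhook proxy.
// All names are hypothetical; this is not the PR's code.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// sign computes the X-Hub-Signature-256 value GitHub sends for body.
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// validSignature compares the received header with the expected value in
// constant time; a missing, sha1= or wrong-length header never matches.
func validSignature(secret, body []byte, header string) bool {
	return hmac.Equal([]byte(header), []byte(sign(secret, body)))
}

// relay returns the status the proxy answers with. forward (the POST to the
// private URL) runs only for payloads that carry a valid signature, and an
// empty secret fails closed instead of accepting HMACs keyed with "".
func relay(secret, body []byte, sigHeader string, forward func([]byte) error) int {
	if len(secret) == 0 || !validSignature(secret, body, sigHeader) {
		return http.StatusUnauthorized
	}
	if err := forward(body); err != nil {
		return http.StatusBadGateway // upstream error text is not echoed back
	}
	return http.StatusOK
}

func main() {
	secret := []byte("constructed-secret") // constructed sample values
	body := []byte(`{"action":"opened"}`)
	forward := func(b []byte) error {
		fmt.Printf("forwarding %d bytes to the private URL\n", len(b))
		return nil
	}
	fmt.Println(relay(secret, body, sign(secret, body), forward))          // 200
	fmt.Println(relay(secret, body, sign([]byte("other"), body), forward)) // 401
}
```

The empty-secret branch matters for the test environment discussed in the thread: a placeholder or unset `github-webhook-secret` should make the proxy reject deliveries rather than accept signatures anyone can compute.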