Add documentation for using Tekton with Prow 🙌 #13974
Conversation
k8s-ci-robot
added
do-not-merge/invalid-commit-message
|
Hi @bobcatfish. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bobcatfish The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
bobcatfish
force-pushed
the
pipeline_docs
branch
from
04bd227 to
a8a9b96
Compare
I understand issue closing but I am curious why @-ing is not okay :O |
bobcatfish
force-pushed
the
pipeline_docs
branch
from
a8a9b96 to
a6c702b
Compare
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
|
Whoever is on the other side of the at-mention will get a notification every time:
It ends up being pretty spammy :) |
| @@ -0,0 +1,33 @@ | |||
| kind: Deployment | |||
There was a problem hiding this comment.
There is already a deployment in pipeline_deployment.yaml. I am wondering wha's the reason to not reuse it.
There was a problem hiding this comment.
https://github.com/kubernetes/test-infra/blob/master/prow/cluster/pipeline_deployment.yaml uses some other configuration: a secret called build-cluster so in order to use it as is, these instructions would have to explain how to set that up - and since it's optional, I don't think they should? (or maybe by default folks should use --build-cluster=/etc/build-cluster/cluster? I dont actually know what this does 😅 )
There was a problem hiding this comment.
That flag is for running the jobs in a different cluster.
I think it is too misleading to include these deployment files in the prow/cluster directory. With the exception of starter.yaml (which we should probably move) all of the files under prow/cluster are deployed to the prow.k8s.io instance, but the files you've added wouldn't work for our instance.
It looks like this is a more detailed version of prow/cmd/pipeline/dev.yaml. Consider updating that file or adding this one to that directory.
There was a problem hiding this comment.
I see, it can be actually pointed to the same cluster. It's true there is an additional configuration step to set up that secret.
Maybe it shouldn't fail with an error if the provided file is empty/missing. Sounds like a warnings message and use the same cluster is more appropriate in that case.
There was a problem hiding this comment.
It looks like this is a more detailed version of prow/cmd/pipeline/dev.yaml. Consider updating that file or adding this one to that directory.
Ah I didn't even see dev.yaml! For now I've moved these examples into cmd/pipeline and cmd/crier
| @@ -0,0 +1,40 @@ | |||
| apiVersion: apps/v1 | |||
| kind: Deployment | |||
There was a problem hiding this comment.
There is a deployment for crier in crier_deployment.yaml. I am wondering what's the reason to not reuse it.
There was a problem hiding this comment.
Similar to above comment about pipeline_deployment.yaml, https://github.com/kubernetes/test-infra/blob/master/prow/cluster/crier_deployment.yaml includes an optional job-config configmap
There was a problem hiding this comment.
As with the pipeline controller, this change would prevent crier from working properly on out instance so including it in prow/cluster is kind of misleading.
If you want to add a set of deployment files for a Prow instance that only uses tekton, consider grouping those in a separate directory to make it clear what the purpose is and so that users know what components they actually need to deploy (e.g. sinker and at least one of hook, horologium, or the gerrit adapter will be needed to actually trigger jobs.)
There was a problem hiding this comment.
Ah, I see that in the docs you have the user first follow getting_started_deploy.md so hook, horologium, etc will already be deployed.
prow/tekton.md
Outdated
|
|
||
| ``` | ||
|
|
||
| ### Install Tekton Pipelines |
There was a problem hiding this comment.
I am not sure but I think this step needs to be before installing the controller because the controller expects the PipelineRun CRD to be already installed in order to be able to start watching it.
There was a problem hiding this comment.
kk i can try to make that more clear
| trigger: # Required by versions 0.2.0 - v0.3.1 of Tekton Pipelines | ||
| type: manual | ||
| pipelineRef: | ||
| name: special-pipeline # Use the Tekton Pipeline called `special-pipeline` |
There was a problem hiding this comment.
I think the serviceAccount needs also to be defined. It should be the Tekton's service account with the GitHub token linked to it. I am not sure that service account is used by default by the Tekton controller.
There was a problem hiding this comment.
It should be the Tekton's service account with the GitHub token linked to it.
Maybe you can explain more about what this service account would be doing? You can optionally provide a serviceAccount to a PipelineRun but that just makes it available to executing Tasks if they need it (e.g. to push to an image registry).
Re the GitHub token, if the PipelineRun was trying to push something to GitHub for example, if you wanted to use the PullRequest resource and push to GitHub from the Pipeline itself, you'd need to provide a secret in the PipelineResource
TL;DR it depends on what the PipelineRun is doing - I can add a link to the PipelineRun docs and try to make that more clear here.
I am not sure that service account is used by default by the Tekton controller.
The controller uses the tekton-pipelines-controller service account by default (https://github.com/tektoncd/pipeline/blob/master/config/controller.yaml#L28) - but pods that execute as part of a PipelineRun would use the default service account of the namespace by default, unless serviceAccount or serviceAccounts are specified
There was a problem hiding this comment.
I've added a link to the PipelineRun docs right below this and mentioned ServiceAccounts!
There was a problem hiding this comment.
I mean this service account https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#basic-authentication-git, but pointing to the doc is enough if someone needs to configure it. Thanks for adding that!
bobcatfish
force-pushed
the
pipeline_docs
branch
from
a6c702b to
5a26cc2
Compare
|
I made some changes, lemme know what you think @ccojocar ! Also let me know what you want to do about the differences between those example yaml files :S |
| @@ -0,0 +1,33 @@ | |||
| kind: Deployment | |||
There was a problem hiding this comment.
That flag is for running the jobs in a different cluster.
I think it is too misleading to include these deployment files in the prow/cluster directory. With the exception of starter.yaml (which we should probably move) all of the files under prow/cluster are deployed to the prow.k8s.io instance, but the files you've added wouldn't work for our instance.
It looks like this is a more detailed version of prow/cmd/pipeline/dev.yaml. Consider updating that file or adding this one to that directory.
| @@ -0,0 +1,40 @@ | |||
| apiVersion: apps/v1 | |||
| kind: Deployment | |||
There was a problem hiding this comment.
As with the pipeline controller, this change would prevent crier from working properly on out instance so including it in prow/cluster is kind of misleading.
If you want to add a set of deployment files for a Prow instance that only uses tekton, consider grouping those in a separate directory to make it clear what the purpose is and so that users know what components they actually need to deploy (e.g. sinker and at least one of hook, horologium, or the gerrit adapter will be needed to actually trigger jobs.)
prow/tekton.md
Outdated
| **Warning** | ||
|
|
||
| Prow users may expect to see logs from their `PipelineRuns` be visible in | ||
| Gubernator, however this functionality is not supported yet, and logs must be |
There was a problem hiding this comment.
Gubernator is deprecated in favor of Spyglass. It might be more accurate to note that pipeline prowjobs cannot be decorated with the pod utilities so job logs, metadata, and artifacts are not uploaded to GCS.
| @@ -0,0 +1,40 @@ | |||
| apiVersion: apps/v1 | |||
| kind: Deployment | |||
There was a problem hiding this comment.
Ah, I see that in the docs you have the user first follow getting_started_deploy.md so hook, horologium, etc will already be deployed.
| skip_report: false | ||
| pipeline_run_spec: # Template for creation of the `PipelineRun` | ||
| trigger: # Required by versions 0.2.0 - v0.3.1 of Tekton Pipelines | ||
| type: manual |
There was a problem hiding this comment.
If this is required should we have the pipeline prow controller add it if it isn't present?
There was a problem hiding this comment.
that would work! even better tho would be to update the version of Pipelines that Prow is using tho - this field is deprecated
prow/tekton.md
Outdated
| rerun_command: "/run do-the-pipeline" | ||
| trigger: "(?m)^/run do-the-pipeline,?(\\s+|$)" | ||
| always_run: true | ||
| skip_report: false |
There was a problem hiding this comment.
nit: I'd omit the skip_report, rerun_command, and trigger fields. They aren't necessary if you are ok with using /test do-the-pipeline to trigger the job.
prow/tekton.md
Outdated
| * `pipelineRef` - Refers to a | ||
| [`Pipeline`](#create-and-apply-pipelines-and-tasks) that must exist for the | ||
| `PipelineRun` to be able to execute | ||
| * [`PROW_IMPLICIT_GIT_REF`] - Using this special |
There was a problem hiding this comment.
It is probably worth noting that we also support PROW_EXTRA_GIT_REF_0, PROW_EXTRA_GIT_REF_1, etc. if the ProwJob specifies extraRefs e.g.
test-infra/config/jobs/kubernetes/test-infra/test-infra-trusted.yaml
Lines 677 to 680 in 6eb5baa
There was a problem hiding this comment.
thanks for mentioning this, this saved my life when I went to use this for periodic jobs XD
prow/tekton.md
Outdated
| 1. [Setting up Pipelines with Prow](#setting-up-pipelines-with-prow) | ||
| 2. [Configuring a `tekton-pipeline` job](#configuring-a-tekton-pipeline-job) | ||
|
|
||
| **Warning** |
There was a problem hiding this comment.
The other caveat is that git pipelineresources are currently not garbage collected. (I think we can fix this by updating the pipelineresources with owner references after the pipelinerun is created.)
There was a problem hiding this comment.
I implemented this initially in the controller and it worked well, but I was asked to remove it due to the multi-cluster build support. Referencing the ProwJob is problematic when the builds are executed in a different cluster but I don't see an issue with a reference to the PipelineRun.
There was a problem hiding this comment.
Added a warning about this! Btw tektoncd/pipeline#544 is about this and it looks like this will be addressed in tektoncd/pipeline#872 (which was your request originally @cjwagner!) - you'd have to update Prow to be able to embed PipelineResources tho :)
This commit adds the beginning of some usage documentation about how to get Tekton and Prow working. I wouldn't have been able to do this without JoelSpeed's guidance in kubernetes#13874 (comment) Thanks JoelSpeed!!! ❤️ I was able to follow along with these docs and get Tekton + Prow running for `tektoncd` itself: tektoncd/plumbing#66 🎉 This is being done for kubernetes#13874
bobcatfish
force-pushed
the
pipeline_docs
branch
from
5a26cc2 to
48be47e
Compare
k8s-ci-robot
added
the
area/prow/crier
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| - --github-workers=1 | ||
| - --config-path=/etc/config/config.yaml | ||
| - --github-endpoint=http://ghproxy | ||
| - --github-endpoint=https://api.github.com |
There was a problem hiding this comment.
The instructions you provided don't include setting up ghproxy so the --github-endpoint flags will make every request fail on the first attempt. I'd suggest removing them both.
| labels: | ||
| app: crier | ||
| spec: | ||
| # Using the service account defined in prow/cluster/pipeline_rbac.yaml |
There was a problem hiding this comment.
| # Using the service account defined in prow/cluster/pipeline_rbac.yaml | |
| # Using the service account defined in prow/cluster/crier_rbac.yaml |
| ## Setting up Pipelines with Prow | ||
|
|
||
| 1. [Setup and configure Prow itself](getting_started_deploy.md) | ||
| 2. [Install Tekton Pipelines](#install-tekton) |
There was a problem hiding this comment.
| 2. [Install Tekton Pipelines](#install-tekton) | |
| 2. [Install Tekton Pipelines](#install-tekton-pipelines) |
|
@bobcatfish will you have time to address these nits? It's too bad to delay merging for small stuff... |
| can start, and in order to be able to execute [Tekton Pipelines](https://github.com/tektoncd/pipeline, | ||
| you also need to install and setup Tekton Pipelines itself. | ||
|
|
||
| [Prow is currently compatible with versions 0.2.0 - 0.3.1 of Tekton Pipelines](https://github.com/kubernetes/test-infra/issues/13948) |
|
At this rate I don't think I'm getting back to this anytime soon :( Hopefully what I wrote can still be helpful if someone else can take this on later! |
|
Did any documentation on Prow + Tekton ever happen? I couldnt find anything |
This commit adds the beginning of some usage documentation about how to
get Tekton and Prow working. I think there's probably more to add but I hope this can
be a good starting point!
Please let me know if the docs or the examples should be in different locations, I basically just tried to guess and pick something but am happy to move things around!
I wouldn't have been able to do this without @JoelSpeed's guidance in
#13874 (comment)
Thanks @JoelSpeed!!! ❤️
I was able to follow along with these docs and get Tekton + Prow running
for
tektoncditself: tektoncd/plumbing#66 🎉Fixes #13874 (and maybe tektoncd/pipeline#1187 as well?)