CD prow config using tekton

Define an event listener that triggers a tekton task that deploys
prow configurations on a target k8s cluster / namespace from a
give git repo / path.

Move cronjobs into a cronjobs folder and add docs for each of them.

Closes #1

prow/extra.yaml

@@ -0,0 +1,25 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: config-map-updater
+rules:
+- apiGroups: ["*"]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "patch", "update"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prow-config-bot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prow-config-bot-config-map-updater
+subjects:
+- kind: ServiceAccount
+  name: prow-config-bot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-map-updater

tekton/README.md

@@ -12,3 +12,15 @@ Resources are organised in folders:
 - The [resources](resources/README.md) folder contains Tekton resources used for
   various automation tasks: building container images, doing releases,
   maintaining the GitHub org and more.
+
+# Secrets
+
+Some of the resources require secrets to operate.
+- `GitHub` secrets: `bot-token-github` used for syncing label configuration and
+  org configuration requires, `github-token` used to create a draft release
+- `GCP` secrets: `nightly-account` is used by nightly releases to push releases
+  to the nightly bucket. It's a token for service account
+  `release-right-meow@tekton-releases.iam.gserviceaccount.com`.
+  `release-secret` is used by Tekton Pipeline to push pipeline artifacts to a
+  GCS bucket. It's also used to push images built by cron trigger (or Mario)
+  to the image registry on GCP.

tekton/config/README.md → tekton/cronjobs/README.md

@@ -1,11 +1,8 @@
 # Tekton Deployment Config
 
-This folder holds kustomize overlays, that can be used to deploy resources
-defined in the tekton folder.
-
-For now this is only used to maintain cron job configurations. To add a new
-cron job to be deployed to the `dogfooding` cluster, create a folder and add
-a kustomization.yaml into it, along with the cronjob overlay.
+This folder holds kustomize overlays, that are used to maintain cron job configurations. To add a new cron job to be deployed to the `dogfooding`
+cluster, create a folder and add a kustomization.yaml into it, along with the
+cronjob overlay.
 
 There are two base cronjbs available:
 * `nightly-image-build-cron-base` which can be used to build container images
@@ -18,7 +15,7 @@ Example folders structure:
 ```
 tekton
 ├── README.md
-├── config
+├── cronjobs
 │   ├── README.md
 │   ├── nightly-image-build-cron-base
 │   │   ├── kustomization.yaml

tekton/cronjobs/hub-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `hub` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/hub:latest](gcr.io/tekton-releases/dogfooding/hub:latest).

tekton/cronjobs/ko-gcloud-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `ko` and `gcloud` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/ko:gcloud-latest](gcr.io/tekton-releases/dogfooding/ko:gcloud-latest).

tekton/cronjobs/ko-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `ko` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/ko:gcloud-latest](gcr.io/tekton-releases/dogfooding/ko:latest).

tekton/cronjobs/kubectl-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `kubectl` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/kubectl:latest](gcr.io/tekton-releases/dogfooding/kubectl:latest).

tekton/cronjobs/kubectl-image-nightly-build-cron/cronjob.yaml

@@ -0,0 +1,24 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: image-build-cron-trigger
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: trigger
+            env:
+            - name: SINK_URL
+              value: el-image-builder.default.svc.cluster.local:8080
+            - name: GIT_REPOSITORY
+              value: github.com/tekton/plumbing
+            - name: GIT_REVISION
+              value: master
+            - name: TARGET_IMAGE
+              value: gcr.io/tekton-releases/dogfooding/kubectl:latest
+            - name: CONTEXT_PATH
+              value: tekton/images/kubectl

tekton/cronjobs/kubectl-image-nightly-build-cron/kustomization.yaml

@@ -0,0 +1,5 @@
+bases:
+- ../nightly-image-build-cron-base
+patchesStrategicMerge:
+- cronjob.yaml
+nameSuffix: "-kubectl"

tekton/cronjobs/nightly-image-build-cron-base/README.md

@@ -0,0 +1 @@
+Cron Job template to build container images.

tekton/cronjobs/nightly-release-cron-base/README.md

@@ -0,0 +1 @@
+Cron Job template to trigger nightly releases.

tekton/cronjobs/pipeline-nightly-release-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to trigger the Tekton Pipeline nightly build.
+Results are published to https://storage.cloud.google.com/tekton-releases-nightly/pipeline/latest/release.yaml

tekton/cronjobs/pipeline-test-runner-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build the `test-runner` container image used for CI/CD.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/test-runner:latest](gcr.io/tekton-releases/dogfooding/test-runner:latest).

tekton/cronjobs/prow-config-cd-hourly-cron/README.md

@@ -0,0 +1 @@
+Cron Job to hourly deploy Prow configuration, from the plumbing repo, to the Prow instance in the `prow` cluster; if changes are detected.

tekton/cronjobs/prow-config-cd-hourly-cron/cronjob.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: resource-cd-trigger
+spec:
+  schedule: "12 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: trigger
+            env:
+              - name: SINK_URL
+                value: "http://el-prow-config-deployer.default.svc.cluster.local:8080"
+              - name: GIT_REPOSITORY
+                value: "github.com/tektoncd/plumbing"
+              - name: GIT_REVISION
+                value: "master"
+              - name: CONFIG_PATH
+                value: "prow/config.yaml"
+              - name: NAMESPACE
+                value: "default"
+              - name: CLUSTER_RESOURCE
+                value: "prow-cluster-config-bot"

tekton/cronjobs/prow-config-cd-hourly-cron/kustomization.yaml

@@ -0,0 +1,5 @@
+bases:
+- ../resource-cd-cron-base
+patchesStrategicMerge:
+- cronjob.yaml
+nameSuffix: "-prow-config"

tekton/cronjobs/resource-cd-cron-base/README.md

@@ -0,0 +1 @@
+Cron Job template to deploy resources from a folder to a cluster.

tekton/cronjobs/resource-cd-cron-base/kustomization.yaml

@@ -0,0 +1,4 @@
+commonLabels:
+  app: tekton.plumbing
+resources:
+- trigger-resource-cd.yaml

tekton/cronjobs/resource-cd-cron-base/trigger-resource-cd.yaml

@@ -0,0 +1,61 @@
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: resource-cd-trigger
+spec:
+  schedule: "12 * * * *" # Houly at *:12
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: workspace
+            emptyDir: {}
+          containers:
+          - name: trigger
+            image: curlimages/curl
+            command:
+              - /bin/sh
+            args:
+              - -ce
+              - |
+                cat <<EOF > /workspace/post-body.json
+                {
+                  "gitRepository": "$GIT_REPOSITORY",
+                  "gitRevision": "$GIT_REVISION",
+                  "configPath": "$CONFIG_PATH",
+                  "namespace": "$NAMESPACE",
+                  "clusterResource": "$CLUSTER_RESOURCE"
+                }
+                EOF
+                curl -d @/workspace/post-body.json $SINK_URL
+            volumeMounts:
+            - mountPath: /workspace
+              name: workspace
+            env:
+              - name: SINK_URL
+                value: "sink-url"
+              - name: GIT_REPOSITORY
+                value: "github.com/tektoncd/plumbing"
+              - name: GIT_REVISION
+                value: "master"
+              - name: CONFIG_PATH
+                value: "config/"
+              - name: NAMESPACE
+                value: "default"
+              - name: CLUSTER_RESOURCE
+                value: "not-a-real-cluster"
+          restartPolicy: Never

tekton/cronjobs/skopeo-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `skopeo` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/skopeo:latest](gcr.io/tekton-releases/dogfooding/skopeo:latest).

tekton/cronjobs/tkn-image-nightly-build-cron/README.md

@@ -0,0 +1,2 @@
+Cron Job to build a container image with `tkn` installed.
+The image is published daily to [gcr.io/tekton-releases/dogfooding/tkn:latest](gcr.io/tekton-releases/dogfooding/tkn:latest).

tekton/images/kubectl/Dockerfile

@@ -0,0 +1,21 @@
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM alpine:3.10
+LABEL maintainer "Tekton Authors <tekton-dev@googlegroups.com>"
+
+RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
+RUN update-ca-certificates
+
+ARG KUBECTL_VERSION=1.16.2
+RUN wget -O/usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl; chmod +x /usr/local/bin/kubectl

tekton/images/tkn/Dockerfile

@@ -1,4 +1,4 @@
-# Copyright 2018 The Tekton Authors
+# Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,4 +15,5 @@ FROM alpine:3.10
 LABEL maintainer "Tekton Authors <tekton-dev@googlegroups.com>"
 
 ARG TKN_VERSION=0.6.0
+
 RUN wget -O- https://github.com/tektoncd/cli/releases/download/v${TKN_VERSION}/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz | tar zxf - -C /usr/local/bin

tekton/resources/cd/prow-config-cd.yaml

@@ -0,0 +1,117 @@
+apiVersion: tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: trigger-to-deploy-prow-config
+spec:
+  params:
+  - name: gitRepository
+    value: $(body.gitRepository)
+  - name: gitRevision
+    value: $(body.gitRevision)
+  - name: configPath
+    value: $(body.configPath)
+  - name: namespace
+    value: $(body.namespace)
+  - name: clusterResource
+    value: $(body.clusterResource)
+---
+apiVersion: tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+  name: prow-config-deployer
+spec:
+  serviceAccountName: release-right-meow
+  triggers:
+    - name: trigger
+      bindings:
+        - name: trigger-to-deploy-prow-config
+      template:
+        name: deploy-prow-config
+---
+apiVersion: tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: deploy-prow-config
+spec:
+  params:
+  - name: gitRepository
+    description: URL of the repository that holds the prow configuration
+  - name: gitRevision
+    description: Git revision
+  - name: namespace
+    description: Namespace to deploy to in the target cluster
+  - name: configPath
+    description: Path in the git repo that holds prow configs
+  - name: clusterResource
+    description: Name of the cluster resource that points to the target cluster
+  resourcetemplates:
+  - apiVersion: tekton.dev/v1alpha1
+    kind: PipelineResource
+    metadata:
+      name: git-source-$(uid)
+    spec:
+      type: git
+      params:
+      - name: revision
+        value: $(params.gitRevision)
+      - name: url
+        value: https://$(params.gitRepository)
+  - apiVersion: tekton.dev/v1alpha1
+    kind: TaskRun
+    metadata:
+      name: deploy-prow-config-$(uid)
+    spec:
+      taskSpec:
+        inputs:
+          params:
+          - name: configPath
+            description: Path in the git repo that holds prow configs
+          - name: namespace
+            description: Namespace to deploy to in the target cluster
+          resources:
+          - name: source
+            type: git
+          - name: prow-cluster
+            type: cluster
+        stepTemplate:
+          env:
+          - name: KUBECONFIG
+            value: /workspace/$(inputs.resources.prow-cluster.name)/kubeconfig
+        steps:
+        - name: fetch-current-config
+          image: gcr.io/tekton-releases/dogfooding/kubectl
+          script: |
+            #!/bin/sh
+            set -ex
+            kubectl get configmap config -o template --template='{{ index .data "config.yaml" }}' \
+              > /workspace/config.yaml
+        - name: deploy
+          image: gcr.io/tekton-releases/dogfooding/kubectl
+          script: |
+            #!/bin/sh
+            set -ex
+            echo "diff [current-config] [new config]"
+            has_diff=0
+            diff /workspace/config.yaml $(inputs.resources.source.path)/$(inputs.params.configPath) || has_diff=1
+            if [ $has_diff -eq 0 ]; then
+              echo "No change in config detected. Nothing to be done."
+              exit 0
+            fi
+            # Apply configuration changes
+            kubectl create configmap config \
+              --from-file=config.yaml=$(inputs.resources.source.path)/$(inputs.params.configPath) \
+              --dry-run -o yaml | \
+              kubectl replace configmap config -n $(inputs.params.namespace) -f -
+      inputs:
+        params:
+        - name: configPath
+          value: $(params.configPath)
+        - name: namespace
+          value: $(params.namespace)
+        resources:
+        - name: source
+          resourceRef:
+            name: git-source-$(uid)
+        - name: prow-cluster
+          resourceRef:
+            name: $(params.clusterResource)

tekton/resources/kustomization.yaml

@@ -9,3 +9,4 @@ resources:
 - release/save-release-logs.yaml
 - release/test_tekton_release.yaml
 - pipeline-nightly-release/pipeline-nightly-build-trigger.yaml
+- cd/prow-config-cd.yaml