ci-k8sio-audit periodic job

[hh]

Fixes kubernetes/k8s.io#244

Developing using https://github.com/kubernetes/test-infra/blob/master/prow/build_test_update.md#using-pj-on-kindsh

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: login-issues@jira.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[hh]

I’m trying to use ./config/pj-on-kind.sh to verify a job that needs to use gcloud. It will eventually run in run in the k8s-infra-prow-build-trusted cluster and
use the k8s-infra-gcp-auditor GCP service account via workload identity. I’m trying to figure how how to pass my own GCP , gcloud auth login generated creds into the local prow job so it has access to run gcloud w/ audit permissions.... will cross post this to #sig-testing in slack.

[spiffxp]

Some suggestions

[spiffxp]

I would change these while you're iterating on this job

[spiffxp]

As a start, you could have this job fail if there are changes to commit, and pass if there are none

[hh]

I may swing back around to that. Trying to get a full run to ensure all the tooling works.

[hh]

/retitle ci-k8sio-audit periodic job

[spiffxp]

Some suggestions

[spiffxp]

periodic jobs will have the working directory set to the root of the repo specified by the first ref in extra_refs (if specified)

ref: https://github.com/kubernetes/test-infra/blob/master/prow/pod-utilities.md

[hh]

Thanks, that's useful!

[spiffxp]

This should correspond to the GH_USER being used, and I would advise we not use k8s.ci.robot

[spiffxp]

not blocking but what's the purpose of the PROW_INSTANCE_NAME substitution?

[hh]

It's a bit of copy-pasta from here:

test-infra/prow/cmd/autobump/autobump.sh

Lines 29 to 31 in ff516b7

	# Set this to something more specific if the repo hosts multiple Prow instances.
	# Must be a valid to use as part of a git branch name. (e.g. no spaces)
	PROW_INSTANCE_NAME="${PROW_INSTANCE_NAME:-prow}"

Possibly not necessary as I don't expect there to be multiple FORK_GH_BRANCH, but I suspect this repo does host multiple prow instances.

[spiffxp]

I need to double check if we have this. If we don't, I suggest we not use k8s-ci-robot, and for the short-term use a user under your control (using fejta-bot as the model, which is not an org member)

[hh]

Hmm... I'm not sure how to load secrets like this into the production prow instance.
I generated an oauth-token for @cncf-ci and can send that in a secure way as soon as I learn how. :)

[spiffxp]

Suggested change

	secretName: oauth-token
	secretName: cncf-ci-github-token

gcloud secrets versions access \
  --project=k8s-infra-prow-build-trusted \
  --secret=cncf-ci-github-token \
  latest | \
    kubectl --context=gke_k8s-infra-prow-build-trusted_us-central1_prow-build-trusted \
      apply -f -

secret/cncf-ci-github-token created

[hh]

Created a google secret in the format of a k8s secret in the test-pods namespace:

kubectl create secret  --dry-run=client \
  -n test-pods \
  generic cncf-ci-github-token \
  --from-literal=token=${GH_TOKEN} \
  -o yaml \
| gcloud secrets versions add \
  --project=k8s-infra-prow-build-trusted \
  cncf-ci-github-token \
  --data-file=-

Created version [1] of the secret [cncf-ci-github-token].

[spiffxp]

Added the secret @hh transferred to me via secret manager, job needs some config updates to match name of/in the secret

[spiffxp]

Suggested change

	secretName: oauth-token
	secretName: cncf-ci-github-token

gcloud secrets versions access \
  --project=k8s-infra-prow-build-trusted \
  --secret=cncf-ci-github-token \
  latest | \
    kubectl --context=gke_k8s-infra-prow-build-trusted_us-central1_prow-build-trusted \
      apply -f -

secret/cncf-ci-github-token created

[spiffxp]

Suggested change

	GH_TOKEN=$(cat /etc/github-token/oauth)
	GH_TOKEN=$(cat /etc/github-token/token)

[hh]

Fixed in 7663f60

[spiffxp]

/approve
/lgtm
/wg k8s-infra
/sig testing

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hh, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• config/jobs/kubernetes/wg-k8s-infra/trusted/OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@hh: Updated the job-config configmap in namespace default at cluster test-infra-trusted using the following files:

• key wg-k8s-infra-trusted.yaml using file config/jobs/kubernetes/wg-k8s-infra/trusted/wg-k8s-infra-trusted.yaml

In response to this:

Fixes kubernetes/k8s.io#244

Developing using https://github.com/kubernetes/test-infra/blob/master/prow/build_test_update.md#using-pj-on-kindsh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-k8sio-audit/1359969296511406080

d'oh, this should have been main not master, my bad for missing this on review