So I was curious about Prow...

August 09, 2020 - blogging beginner

Prow is a CI/CD system used in the Kubernetes repositories. I know it for the ChatOps feature which I found very cool and fun. I decided to give it a try myself and see it in action.

Prerequisites

A working Kubernetes cluster with internet access
A GCP account
A GitHub account

Installation

Prow can be found in Kubernetes' test-infra repository (here). The first thing to do is to clone the repo:

git clone https://github.com/kubernetes/test-infra.git

After that we need to set up an access to GitHub for Prow by creating an access token. The required scope are as follows.

repo:status
public_repo

Next, we need to create two secrets to be used by Prow. One is hmac-token that's going to be used to validate webhooks

openssl rand -hex 20 > hmac-token
kubetl create secret generic hmac-token --from-file=hmac=./hmac-token

And the other is the github-token for the bot account

echo 'insert-github-token-here' > github-token
kubetl create secret generic github-token --from-file=token=./github-token

Next, we're going to update the sample manifest that we're going to use. There are two sample manifests, one with minio as blog storage (starter-s3.yaml) and the other one that uses GCS (starter-gcs.yaml). I decided to use the one with GCS.

With both sample manifests there are things that we need to adjust, those are:

GitHub token, replace <<insert-token-here>>
hmac token, replace << insert-hmac-token-here >>
domain, replace << your-domain.com >>
GitHub organization, replace << your_github_org >>
Prow artifacts bucket, replace gs://bucket-name
Tide's GCS bucket, replace gs://tide/
Statusreconciler's GCS bucket, replace gs://status-reconciler/

Then we need to provide the buckets and a service account to be used by Prow:

$ gcloud iam service-accounts create prow-gcs-publisher
$ identifier="$(gcloud iam service-accounts list --filter 'name:prow-gcs-publisher' --format 'value(email)')"
$ gsutil mb gs://prow-artifacts-bucket-name/ 
$ gsutil mb gs://tide-bucket-name/ 
$ gsutil mb gs://status-reconciler-bucket-name/ 
$ gsutil iam ch allUsers:objectViewer gs://prow-artifacts-bucket-name 
$ gsutil iam ch allUsers:objectViewer gs://tide-bucket-name
$ gsutil iam ch allUsers:objectViewer gs://status-reconciler-bucket-name
$ gsutil iam ch "serviceAccount:${identifier}:objectAdmin" gs://prow-artifacts 
$ gsutil iam ch "serviceAccount:${identifier}:objectAdmin" gs://tide-bucket-name  
$ gsutil iam ch "serviceAccount:${identifier}:objectAdmin" gs://status-reconciler-bucket-name
$ gcloud iam service-accounts keys create --iam-account "${identifier}" service-account.json 
$ kubectl -n test-pods create secret generic gcs-credentials --from-file=service-account.json 
$ kubectl -n prow create secret generic gcs-credentials --from-file=service-account.json

Next is adding Prow components to the cluster:

kubectl apply -f config/prow/cluster/starter-gcs.yaml

If things goes well we should be able to our external address.

kubectl get -n prow ingress prow
NAME   CLASS    HOSTS                     ADDRESS               	PORTS     AGE
prow   <none>   prow.<<yourdomain.com>>   an.ip.addr.ess          80, 443   22d

Once we get the address we can go to the address to see Prow's deck. We should see that there's an "echo-test" job, if it is completed there'd be a green check-mark next to it which means Prow is ready to serve.

alt text

Next thing we need to do is to add the webhook to GitHub:

Go to repo and click Settings -> Webhooks, and click Add webhook.
Use the address we get before as the Payload URL, it should be something like this http://an.ip.addr.ess/hook
Change the Content type to application/json
Use the hmac-token we generated before as the Secret
Change the trigger to Send me everything
Click Add webhook

We should be all set with that.

Usage

Didn't I say that Prow is known for ChatOps, did I? Let's take a look into that. Create a new PR in the repo that's set up before, and try using the commands /meow or /woof to send some furballs to our PR.

alt text

Cool, right? There's more to that. We can see the list of plugins available for Prow by visiting our Prow's plugins catalog.

http://prow.<< your-domain.com >>/plugins

alt text

To add more plugins or remove unused plugins, simply edit the prow ConfigMap and add or remove the plugins.

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  plugins.yaml: |
    plugins:
      evanap/hello:
      - approve
      - assign
      - blunderbuss
      - cat
      - dog
      - help
      - heart
      - hold
      - label
      - goose # honks the PR
      - override
      - shrug
      - owners-label
      - lifecycle
      - lgtm
      - trigger
      - verify-owners
      - wip
      - yuks

It's not the easiest CI/CD platform to set up, but once it's up and running it's all cool and easy, plus the plugins feature is a nice thing to add more functions to the platform. And we get to use ChatOps, which is nice.