migrate away from test-infra-trusted build cluster
#32432
Comments
ameukam
added
the
kind/cleanup
k8s-ci-robot
added
the
needs-sig
|
/assign @michelle192837 |
k8s-ci-robot
added
sig/testing
no point migrating this, we'll just shut it down when prow is migrated and instead people can posted in #testing-ops in slack. we should actually probably proactively stop advertising @test-infra-oncall to the broader project.
.... uhhhh this one I'm not sure, because we have to be able to publish to testgrid's config bucket .... migrating testgrid is another fun topic The image publishing jobs we should be able to move over. |
|
re: ci-test-infra-update-slack-oncall: Ah, that's easier then. re: post-test-infra-upload-testgrid-config: I think this should be doable. I have not gone through the full details, but imo thanks to config merger merging configs for TestGrid from multiple locations, we can stand up a new config upload job in community-owned infra, verify the uploaded config in the new location is the same as the old, and swap the config location used in the TestGrid instance overall. |
|
On the K8s infra side we're going to need a bucket for this to start then, cc @upodroid @ameukam for thoughts.
Not sure how these didn't wind up getting migrated yet ... looks like this is part of k8s-testimages kubernetes/k8s.io#1523 I don't see evidence that we're actually using these images in Kubernetes and we should probably just delete them. Prow has built in known-hosts handlinmg in clonerefs these days, I don't think we need these anymore. |
|
Sorry for the delay, I'm looking into this and some of the other unmigrated jobs today. |
|
in #32808 the list should be clearer now, a lot of these are related to running prow so that's fine, but some are pushing images and that's concerning, we should either eliminate or migrate them. |
|
here's one #32812 |
SIG Contribex:
Not trusted cluster, but the other non-migrated jobs with test-infra in the name (there could be more) ...
|
|
Janitor jobs: won't be migrated, will be turned down.
I'm guessing renconcile hmacs needs to be considered as part of control plane migration, along with definitely branchprotector. |
|
#32814 will remove the
|
These are used as the base images for building Prow images (https://cs.k8s.io/?q=gcr.io%2Fk8s-prow%2Fgit&i=nope&files=&excludeFiles=&repos=). I think we can replace the git image with alpine, but |
Several of these push images that aren't used and should be turned down (post-test-infra-push-test-gubernator, post-test-infra-push-bazel, post-test-infra-push-gcloud-terraform, post-test-infra-push-gencred).
|
|
Discussed offline: for |
we should probably use something else, we generally prefer to use e.g. debian/distroless for kubernetes base images, for licensing reasons (alpine/busybox) and alignment on patching etc. |
|
I'm working on tempelis |
|
Sorry for the late response. I can confirm that |
|
https://github.com/kubernetes-sigs/prow/blob/main/.ko.yaml +1 for building a unified base image for prow that has git, the kubectl auth plugins for our cloud vendors |
|
We can migrate that job to the community cluster and update the .ko.yaml references |
|
We can do something similar to the distroless-iptables image in k/release. |
|
tempelis will be done after #32946 |
Switch the image bases to use those built in k8s-staging-test-infra instead. Ref kubernetes/test-infra#32432.
|
TestGrid upload progress:
(And these do have contents): Now following the config merger instructions at https://github.com/kubernetes/test-infra/blob/master/testgrid/merging.md#config-merger. I'll have a few PRs out for those. |
|
Remaining from my list above:
post-test-infra-push-alpine just needs minor cleanup, then it can be deleted. (And last bit of cleanup, move all the new image push jobs to the image-pushes dashboard and remove '-canary' from the job name). |
|
post-test-infra-push-alpine and post-test-infra-push-git I think we can delete for the reasoning above. The minor cleanup isn't blocking removing the old jobs. |
|
lol I lied, the misc-image canary is working fine. I'll switch those uses over today. I'm still not seeing new Prow images uploaded to the new location though. (https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/post-k8s-infra-prow-images/1818232059856949248, https://storage.googleapis.com/kubernetes-jenkins/logs/post-k8s-infra-prow-images/1818232059856949248/artifacts/build.log for the build log). Since it's doing something similar to the misc-images push job, I might update it to be similar and see if that fixes it. |
|
Sorry about the confusion, the Prow images job has been working the whole time and I was just confused. (More detail in kubernetes-sigs/prow#217 (comment)). Anyways, remaining updates are:
I'll leave submission of those to Monday, but those should handle the last test-infra jobs that I think we're actually handling? |
Of those, I think we might need reconcile-hmacs to move along with the new prow deployment? Otherwise I think rest should probably be spun down just ahead of migrating prow, and remain in the meantime to keep the legacy instance humming. #33129 covers the janitor jobs. |
|
We only have these six left now:
|
BenTheElder
added
the
lifecycle/active
Yes that does not need to migrate assuming that the K8s-Infra Prow is using a GitHub App to manage webhooks (rather than manually configuring them per org or repo) . IIRC someone confirmed this in the last SIG-Testing meeting. The other decisions SGTM as well. |
|
Now done thanks to Ben: #33352 |
There are a few jobs running on the
test-infra-trustedwe should either migrate tok8s-infra-prow-build-trustedor remove:The text was updated successfully, but these errors were encountered: