Merge pull request #22970 from spiffxp/split-k8s-infra-trusted-jobs

config: split wg-k8s-infra trusted jobs/dashboards up, add apps jobs

config/jobs/kubernetes/wg-k8s-infra/trusted/sig-security-trusted.yaml

@@ -0,0 +1,57 @@
+periodics:
+#  Periodic CI job for running snyk scans against k/k master
+# - It installs snyk CLI and requires 'snyk-token' secret available
+#   in test infra with key name 'SNYK_TOKEN'. This secret is used to
+#   populate env var 'SNYK_TOKEN', required for snyk CLI auth.
+# - Licenses and few false positive deps (eg version '0.0.0') are
+#   filtered from the snyk scan results.
+- name: ci-kubernetes-snyk-master
+  interval: 6h
+  cluster: k8s-infra-prow-build-trusted
+  decorate: true
+  extra_refs:
+  - org: kubernetes
+    repo: kubernetes
+    base_ref: master
+    path_alias: k8s.io/kubernetes
+  spec:
+    containers:
+    - image: golang
+      envFrom:
+      - secretRef:
+          # secret key should be defined as SNYK_TOKEN
+          name: snyk-token
+      command:
+      - /bin/bash
+      args:
+      - -c
+      - |
+        set -euo pipefail
+        apt update && apt -y install jq
+        wget -q -O /usr/local/bin/snyk https://github.com/snyk/snyk/releases/download/v1.605.0/snyk-linux && chmod +x /usr/local/bin/snyk
+        mkdir -p "${ARTIFACTS}"
+        if [ -z "${SNYK_TOKEN}" ]; then
+          echo "SNYK_TOKEN env var is not set, required for snyk scan"
+          exit 1
+        fi
+        echo "Running snyk scan .."
+        EXIT_CODE=0
+        RESULT_UNFILTERED=$(snyk test --json) || EXIT_CODE=$?
+        if [ $EXIT_CODE -gt 1 ]; then
+          echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED"
+          exit 1
+        fi
+        RESULT=$(echo $RESULT_UNFILTERED | jq \
+        '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version !=  "0.0.0"))) | select(length > 0) }')
+        if [[ ${RESULT} ]]; then
+          echo "Vulnerability filtering failed"
+          exit 1
+        else
+          echo "Scan completed"
+        fi
+  annotations:
+    testgrid-create-test-group: "true"
+    testgrid-alert-email: [email protected]
+    testgrid-num-failures-to-alert: '1'
+    testgrid-dashboards: sig-security-snyk-scan
+    description: Run snyk scan on k/k master periodically

config/jobs/kubernetes/wg-k8s-infra/trusted/wg-k8s-infra-apps.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# generates wg-k8s-infra app deployment job configs
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+
+readonly OUTPUT="${SCRIPT_DIR}/wg-k8s-infra-apps.yaml"
+# list of subdirs in kubernetes/k8s.io/apps
+readonly APPS=(
+    gcsweb
+    k8s-io
+    kubernetes-external-secrets
+    node-perf-dash
+    perfdash
+    prow
+    publishing-bot
+    sippy
+    slack-infra
+    triageparty-release
+)
+
+cat >"${OUTPUT}" <<EOF
+# DO NOT EDIT. Automatically generated by $0
+
+postsubmits:
+  kubernetes/k8s.io:
+EOF
+
+for app in "${APPS[@]}"; do
+    cat >>"${OUTPUT}" <<EOF
+    - name: post-k8sio-deploy-app-${app}
+      cluster: k8s-infra-prow-build-trusted
+      decorate: true
+      max_concurrency: 1
+      # intended for ignoring changes to README.md or OWNERS
+      run_if_changed: '^apps\/${app}\/(.*.yaml|deploy.sh)$'
+      branches:
+        - ^main$
+      annotations:
+        testgrid-create-test-group: 'true'
+        testgrid-dashboards: wg-k8s-infra-apps
+        testgrid-description: 'runs https://git.k8s.io/k8s.io/apps/${app}/deploy.sh if files change in kubernetes/k8s.io/apps/${app}'
+        testgrid-alert-email: k8s-infra-rbac-${app}[email protected], [email protected]
+        testgrid-num-failures-to-alert: '1'
+      rerun_auth_config:
+        github_team_slugs:
+        # proxy for wg-k8s-infra-oncall
+        - org: kubernetes
+          slug: wg-k8s-infra-leads
+        # proxy for test-infra-oncall
+        - org: kubernetes
+          slug: test-infra-admins
+        # TODO: sig-specific team in charge of this app
+        # - org: kubernetes
+        #   slug: sig-foo-bar
+      spec:
+        serviceAccountName: prow-deployer
+        containers:
+        - image: gcr.io/k8s-staging-infra-tools/k8s-infra:latest
+          command:
+          - ./apps/${app}/deploy.sh
+EOF
+done