add pull-k8sio-backup presubmit check #15398
Conversation
k8s-ci-robot
added
do-not-merge/hold
listx
force-pushed
the
backup-presubmit-test
branch
from
12a8e65 to
e99f047
Compare
k8s-ci-robot
added
size/S
|
/assign @cjwagner |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
Oops, forgot that I need to provide the secret for this job to work. Re-holding... /hold Assigning to test-infra oncall: |
k8s-ci-robot
added
the
do-not-merge/hold
| volumes: | ||
| - name: creds | ||
| secret: | ||
| secretName: k8s-gcr-backup-test-prod-bak-service-account |
There was a problem hiding this comment.
Is it safe to have these credentials used in a presubmit and hosted on the untrusted build cluster? You should assume that any presubmit job can mount and use credentials in that cluster.
There was a problem hiding this comment.
Yes --- the cred will only ever have write access to the ephemeral test resources an GCP.
| # Check that changes to backup scripts are valid. | ||
| - name: pull-k8sio-backup | ||
| decorate: true | ||
| skip_report: false |
There was a problem hiding this comment.
This is the default, you can omit it.
| - name: pull-k8sio-backup | ||
| decorate: true | ||
| skip_report: false | ||
| run_if_changed: 'infra/gcp/backup_tools/.*' |
There was a problem hiding this comment.
nit: ^infra/gcp/backup_tools/ probably more closely matches what you want.
| - image: gcr.io/k8s-testimages/kubekins-e2e:v20191124-4beb966-1.17 | ||
| command: | ||
| - infra/gcp/backup_tools/backup_test.sh | ||
| env: |
There was a problem hiding this comment.
I think your indentation is off starting on this line.
There was a problem hiding this comment.
The other comments can be ignored, but I'm pretty sure this won't work as you expect.
There was a problem hiding this comment.
For the record, I suppose it's troublesome that the presubmit checks passed regardless.
There was a problem hiding this comment.
It is a known issue, but I haven't addressed it out of fear that strictly parsing pod specs will fail if new fields that Prow doesn't know about are used. It may not be a legitimate concern though, it is kind of hard for me to tell if that would actually be a common problem. It may be fine if
- new podspec fields aren't used much in prowjobs
- we keep this dependency up to date and continue to keep prow.k8s.io up to date:
Lines 1448 to 1456 in 44c22ec
This checks the backup_tools scripts by testing them. Specifically, it
runs the backup_test.sh script, which performs the backup from
us.gcr.io/k8s-gcr-backup-test-prod
to
us.gcr.io/k8s-gcr-backup-test-prod-bak
for a set of chosen images. Both this test and the real backup logic in
backup_prod.sh share the same "build_gcrane" and "copy_with_date"
functions --- the main difference is the repositories where the backups
happen and the images that are backed up.
listx
force-pushed
the
backup-presubmit-test
branch
from
e99f047 to
85fcf2a
Compare
|
@cjwagner PTAL |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjwagner, listx The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
@listx: Updated the
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This checks the backup_tools scripts by testing them. Specifically, it
runs the backup_test.sh script, which performs the backup from
for a set of chosen images. Both this test and the real backup logic in
backup_prod.sh share the same "build_gcrane" and "copy_with_date"
functions --- the main difference is the repositories where the backups
happen and the images that are backed up.
NOTE: I need to provide the test-environment secret
k8s-gcr-backup-test-prod-bak-service-account(i.e.,k8s-infra-gcr-promoter@k8s-gcr-backup-test-prod-bak.iam.gserviceaccount.com) for this job to work./hold
/cc @thockin @dims @justinsb