Add deployment scripts for the chatbot

smarterclayton · smarterclayton · commit 17dd95417d63 · 2018-11-19T18:37:17.000-05:00
Store the secrets, decribe the configuration, and ensure the slack bot has access
to exec into pods in the installer namespaces.
diff --git a/Makefile b/Makefile
@@ -158,6 +158,9 @@ prow-artifacts:
 	oc apply -n ci -f ci-operator/infra/src-cache-origin.yaml
 .PHONY: prow-artifacts
 
+prow-ci-chat-bot:
+	$(MAKE) apply WHAT=ci-operator/infra/openshift/ci-chat-bot/deploy.yaml
+
 prow-release-controller:
 	oc create imagestream origin-release -o yaml --dry-run | oc apply -f - -n openshift
 	oc create imagestream origin-v4.0 -o yaml --dry-run | oc apply -f - -n openshift
diff --git a/ci-operator/SECRETS.md b/ci-operator/SECRETS.md
@@ -122,6 +122,17 @@ For each master, the `jenkins-credentials-${master_url}` secret holds the
 password for the Jenkins user in the `password` key. For the `ci.dev` master,
 a client cert, key and CA cert are also present for client authentication.
 
+
+### Slack Bot Credentials
+
+The following Slack bots have their Slack API tokens for the CoreOS Slack organization
+stored on the cluster
+
+ - cluster-bot as `ci-chat-bot-slack-token`
+
+This token is granted access to talk to the Slack API for automation purposes.
+
+
 ## Secret Regeneration
 
 In order to regenerate the secrets in the case of an emergency, a CI admin can
diff --git a/ci-operator/infra/openshift/ci-chat-bot/README.md b/ci-operator/infra/openshift/ci-chat-bot/README.md
@@ -0,0 +1,12 @@
+ci-chat-bot
+===========
+
+Source code for the controller is at https://github.com/openshift/ci-chat-bot
+
+The chat bot uses the CI system to launch clusters via ProwJobs, reusing the same infrastructure
+as our CI environments to make reproducing current flakes as painless as possible. It leverages
+the jobs defined in `ci-operator/jobs/openshift/release/openshift-release-periodics.yaml` to
+launch those clusters, and relies on Prow to tear down the cluster afterwards.
+
+The bot token is managed as a secret in bitwarden and it uses similar permissions to the release
+controller to launch new ProwJobs and extract content from their clusters.
diff --git a/ci-operator/infra/openshift/ci-chat-bot/deploy.yaml b/ci-operator/infra/openshift/ci-chat-bot/deploy.yaml
@@ -0,0 +1,92 @@
+kind: List
+apiVersion: v1
+items:
+- kind: Role
+  apiVersion: authorization.openshift.io/v1
+  metadata:
+    name: ci-chat-bot-prowjob
+    namespace: ci
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    verbs:
+    - get
+  - apiGroups:
+    - prow.k8s.io
+    resources:
+    - prowjobs
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - delete
+    - update
+    - patch
+
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1
+  metadata:
+    name: ci-chat-bot-binding-prowjob
+    namespace: ci
+  roleRef:
+    kind: Role
+    name: ci-chat-bot-prowjob
+  subjects:
+  - kind: ServiceAccount
+    namespace: ci
+    name: ci-chat-bot
+
+# deploy the bot
+- kind: ServiceAccount
+  apiVersion: v1
+  metadata:
+    name: ci-chat-bot
+    namespace: ci
+- kind: Deployment
+  apiVersion: apps/v1
+  metadata:
+    name: ci-chat-bot
+    namespace: ci
+    annotations:
+      image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"ci-chat-bot:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"bot\")].image"}]'
+  spec:
+    selector:
+      matchLabels:
+        app: ci-chat-bot
+    template:
+      metadata:
+        labels:
+          app: ci-chat-bot
+      spec:
+        serviceAccountName: ci-chat-bot
+        volumes:
+        - name: prow-config
+          configMap:
+            name: config
+        - name: job-config
+          configMap:
+            name: job-config
+            items: 
+            - key: openshift-release-periodics.yaml
+              path: openshift-release-periodics.yaml
+        containers:
+        - name: bot
+          image: ci-chat-bot:latest
+          volumeMounts:
+          - name: prow-config
+            mountPath: /etc/prow/
+          - name: job-config
+            mountPath: /etc/jobs/
+          env:
+          - name: BOT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: ci-chat-bot-slack-token
+                key: token
+          command:
+          - /usr/bin/ci-chat-bot
+          - --prow-config=/etc/prow/config.yaml
+          - --job-config=/etc/jobs/openshift-release-periodics.yaml
diff --git a/ci-operator/populate-secrets-from-bitwarden.sh b/ci-operator/populate-secrets-from-bitwarden.sh
@@ -102,6 +102,11 @@ for login in "openshift-bot" "openshift-build-robot" "openshift-cherrypick-robot
 	oc label secret "github-credentials-${login}" "ci.openshift.io/managed=true"
 done
 
+# Configuration for Slack ci-chat-bot is stored under "Token"
+# and the key value is "token" in the secret
+oc create secret generic ci-chat-bot-slack-token "$( format_field_value ci-chat-bot-slack-token "Token" "token" )"
+oc label secret "ci-chat-bot-slack-token" "ci.openshift.io/managed=true"
+
 # Configuration for GitHub OAuth Apps are stored
 # as an opaque field "Client Configuration"
 oc create secret generic github-app-credentials "$( format_field_value deck-ci.svc.ci.openshift.org "Client Configuration" "config.json" )"
diff --git a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
@@ -35,6 +35,18 @@ objects:
   subjects:
   - kind: SystemGroup
     name: system:unauthenticated
+# Give edit access to a known bot
+- kind: RoleBinding
+  apiVersion: authorization.openshift.io/v1
+  metadata:
+    name: ${JOB_NAME_SAFE}-namespace-editors
+    namespace: ${NAMESPACE}
+  roleRef:
+    name: edit
+  subjects:
+  - kind: ServiceAccount
+    namespace: ci
+    name: ci-chat-bot
 
 # The e2e pod spins up a cluster, runs e2e tests, and then cleans up the cluster.
 - kind: Pod
