Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSS prow uses GitHub app for authenticating #1171

Closed
chaodaiG opened this issue Oct 6, 2021 · 5 comments
Closed

OSS prow uses GitHub app for authenticating #1171

chaodaiG opened this issue Oct 6, 2021 · 5 comments

Comments

@chaodaiG
Copy link
Member

chaodaiG commented Oct 6, 2021

OSS prow currently uses bot personal access token(PAT) for authentication with GitHub APIs, which has a global rate limit of 5000 per hour. This is not very well scalable with many tenants. Switching over to GitHub app will get a rate limit per installation, which would greatly increase the rate limit exhaustion problem we have seen lately
This was referenced Oct 6, 2021
Merged
Merged
@chaodaiG
Copy link
Member Author

chaodaiG commented Oct 12, 2021
edited

The migration can be done one org/repo at a time, there are two steps:

  1. Install Google OSS Prow app on corresponding org/repo https://github.com/apps/google-oss-prow
  2. Register the org/repo to be handled by prow deployments that use GH app for authentication, example PR Opt in looker for GitHub app authentication #1184

The org/repo with managed webhooks are the targets for migration:

  • google/http_pattern_matcher
  • google/bms-toolkit
  • googleforgames/agones
  • grpc-ecosystem/grpc-httpjson-transcoding
  • GoogleCloudPlatform/artifact-registry-apt-transport
  • GoogleCloudPlatform/artifact-registry-yum-plugin
  • GoogleCloudPlatform/compute-image-tools
  • GoogleCloudPlatform/elcarro-oracle-operator
  • GoogleCloudPlatform/esp-v2
  • GoogleCloudPlatform/guest-agent
  • GoogleCloudPlatform/guest-configs
  • GoogleCloudPlatform/guest-diskexpand
  • GoogleCloudPlatform/guest-logging-go
  • GoogleCloudPlatform/guest-oslogin
  • GoogleCloudPlatform/guest-test-infra
  • GoogleCloudPlatform/k8s-cloud-provider
  • GoogleCloudPlatform/osconfig
  • GoogleCloudPlatform/oss-test-infra
  • GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
  • GoogleCloudPlatform/testgrid
  • kubeflow
  • looker
  • GoogleCloudPlatform/blueprints
  • chaotoppicks

Note:

  • Once the app is installed, webhook from the org/repo will be sent to prow. So for google and GoogleCloudPlatform, it is recommended to install on repo level instead of org level to avoid unnecessary webhooks.
  • There is no reason to panic if the webhook is configured on the org level by accident, the webhooks are only processed when:
    • Plugins are defined for the org
    • (AND) prow deployment says --github-enabled-org=<ORG>

This was referenced Oct 28, 2021
Closed
Closed
chaodaiG added a commit to chaodaiG/oss-test-infra that referenced this issue Oct 29, 2021
@chaodaiG
testgrid repo uses github app for authentication
830ff07 
This is part of GoogleCloudPlatform#1171, I have requested installation of all repos under GoogleCloudPlatform that are currently using prow, and so far it seems like they are all approved. Trying this out on testgrid repo, will migrate others all at once if this proves to be working
@chaodaiG chaodaiG mentioned this issue Oct 29, 2021
Merged
chaodaiG added a commit to chaodaiG/oss-test-infra that referenced this issue Oct 29, 2021
@chaodaiG
testgrid repo uses github app for authentication
412af86 
This is part of GoogleCloudPlatform#1171, I have requested installation of all repos under GoogleCloudPlatform that are currently using prow, and so far it seems like they are all approved. Trying this out on testgrid repo, will migrate others all at once if this proves to be working
@chaodaiG chaodaiG mentioned this issue Nov 9, 2021
Merged
@chaodaiG
Copy link
Member Author

chaodaiG commented Nov 10, 2021
edited

So far all orgs/repos have been migrated over to use GitHub app, crier, hook, and tide work well with Github now. Remaining work:

- Sub. Fix needed from upstream kubernetes/test-infra#24316

@chaodaiG
Copy link
Member Author

Sub just migrated with the fix #1313 , and it seems working fine so far

@chaodaiG
Copy link
Member Author

chaodaiG commented Dec 7, 2021

Will mark this issue as fixed, since deck migration is not super critical at this point. Will revisit when it becomes necessary

/close

@google-oss-prow
Copy link
Contributor

@chaodaiG: Closing this issue.

In response to this:

Will mark this issue as fixed, since deck migration is not super critical at this point. Will revisit when it becomes necessary

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@chaodaiG