Issue
We currently have a GKE Internal Scalability Test that runs every day and tests against the OSS Agent Sandbox changes. The problem is that this test currently relies on a static OSS controller manifest, which gets stale when new changes (including API, RBAC and controller changes) are pushed into the main branch of the OSS repository. We need a way to trigger the GKE internal scalability test whenever a new change is merged into the main branch of the OSS repository.
Suggested Solution: GitHub webhook
The Trigger: A PR is merged to main in the OSS agent-sandbox repo.
The Webhook: GitHub sends an HTTP POST request (a Webhook) containing a JSON payload (the Git SHA, author, etc.) to a public URL.
The Bridge (Cloud Function): A small Google Cloud Function receives this webhook, verifies it's actually from GitHub, and republishes that JSON data onto an internal Google Pub/Sub topic.
The Activation: The internal Prow instance is subscribed to that topic. It sees the message, matches it to the scalability job, and launches the Prow pod immediately.
Permissioning
The Cloud Function will be set up in the same project where the Prow jobs are configured. In addition, Secret Manager will also live in the same project, holding the pre-generated webhook secret that the function pulls.
roles/pubsub.publisher - Allows the cloud function to send the "Trigger" message to the Pub/Sub topic.
roles/secretmanager.secretAccessor - Allows the function to pull the GITHUB_WEBHOOK_SECRET from Secret Manager to verify the signature.
roles/pubsub.subscriber - Ensure the internal Prow service account (the one running the sub component) has the roles/pubsub.subscriber role on the topic so it can consume the trigger messages.
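As an added example (not code from this issue or from the agent-sandbox project), this is the part of the Bridge that the signature check above and the secret in Secret Manager exist for: validate X-Hub-Signature-256 over the raw body with the webhook secret, then accept only the push to refs/heads/main that a merged PR produces and reduce it to the trigger message (SHA, author, repo) to publish. Function names, the message shape and the sample delivery are assumptions; the Pub/Sub publish call itself is left to the caller.

```python
# Added example, not code from the issue or the agent-sandbox project: the
# signature check and event filter the Cloud Function bridge needs before it
# republishes a trigger to Pub/Sub. Names and message shape are assumptions.
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 of the raw body, in GitHub's X-Hub-Signature-256 format."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison so a bad guess leaks no timing information."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)

def handle_webhook(headers: Dict[str, Optional[str]], body: bytes, secret: bytes) -> Tuple[int, Optional[dict]]:
    """Return (HTTP status, Pub/Sub message or None) for one GitHub delivery.
    Only a push to refs/heads/main (what a merged PR produces) yields a message."""
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, None                 # reject before parsing untrusted JSON
    if headers.get("X-GitHub-Event") != "push":
        return 204, None                 # pings, PR comments etc. are ignored
    event = json.loads(body)
    if event.get("ref") != "refs/heads/main" or event.get("deleted"):
        return 204, None                 # other branches and branch deletions
    return 200, {
        "repo": event["repository"]["full_name"],
        "sha": event["after"],
        "author": event["head_commit"]["author"]["name"],
        "delivery": headers.get("X-GitHub-Delivery", ""),
    }

# Constructed sample delivery; the secret is a placeholder, not a real value.
SECRET = b"placeholder-webhook-secret"
BODY = json.dumps({
    "ref": "refs/heads/main",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "deleted": False,
    "repository": {"full_name": "example-org/agent-sandbox"},
    "head_commit": {"author": {"name": "Example Author"}},
}).encode()
HEADERS = {"X-GitHub-Event": "push", "X-GitHub-Delivery": "constructed-id",
           "X-Hub-Signature-256": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_webhook(HEADERS, BODY, SECRET))
```

The function must sign the raw request bytes, not a re-serialised JSON object, or valid deliveries will fail verification.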