
Deploy openshift-eng/ship-hook to app.ci#79065

Open
petr-muller wants to merge 1 commit into openshift:main from petr-muller:trt-2635-deploy-ship-hook

Conversation


@petr-muller petr-muller commented May 9, 2026

Deploys openshift-eng/ship-hook as a Prow external plugin on the app.ci cluster. This adds a Deployment, Service, ServiceAccount, ConfigMap, and ServiceMonitor in the ci namespace, and registers ship-hook as an org-level external plugin for the openshift organization. The CI build and image promotion are set up in #78840.

🤖 Generated with Claude Code

This PR deploys the openshift-eng/ship-hook service to the app.ci cluster and wires it into Prow as an external plugin for the openshift org. Image build/promotion was configured in PR #78840.

What this changes in practical terms

  • Installs ship-hook into app.ci (namespace: ci) so it can receive GitHub webhooks and act as an external Prow plugin for openshift.
  • Registers ship-hook in the openshift Prow plugin config so Prow will forward pull_request, issue_comment, and pull_request_review events to the service.

Cluster manifests and runtime

  • ServiceAccount: ci/ship-hook.
  • ConfigMap: ci/ship-hook-config containing config.yaml that enables the ready-for-humans plugin for openshift/repos sippy and origin.
  • Service: ci/ship-hook (ClusterIP) selecting app: prow, component: ship-hook
    • Ports: main (80 → container 8888), metrics (9090 → container 9090).
  • Deployment: ci/ship-hook
    • replicas: 2 with Keel annotations for automated image updates.
    • image: quay-proxy.ci.openshift.org/openshift/ci:ci_ship-hook_latest (Always pull).
    • Container args include HMAC secret path, GitHub endpoints, GITHUB_APP_ID (from secret openshift-prow-github-app), GitHub app private key path, and config path.
    • Volume mounts:
      • github-webhook-credentials → /etc/webhook (secret github-webhook-credentials)
      • openshift-prow-github-app → /etc/github (secret openshift-prow-github-app)
      • ship-hook-config → /etc/ship-hook (ConfigMap)
    • Security: runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem, seccomp RuntimeDefault, drop ALL capabilities.
    • Resources: requests 100m CPU / 128Mi memory; limits 500m CPU / 256Mi memory.
    • Health probes: liveness /healthz and readiness /healthz/ready on port 8081.
    • Pod anti-affinity preferred across hostnames.

Monitoring

  • ServiceMonitor: monitoring.coreos.com/v1 ServiceMonitor named ship-hook in namespace ci
    • Selects services with labels app: prow, component: ship-hook
    • Scrapes port named metrics over HTTP every 30s.

Prow configuration

  • core-services/prow/02_config/openshift/_pluginconfig.yaml: adds external_plugins.openshift entry:
    • name: ship-hook, endpoint: http://ship-hook
    • events: [pull_request, issue_comment, pull_request_review]

Effect

  • ship-hook will run on app.ci, be discoverable by Prometheus, and receive PR, comment, and review events from Prow for the openshift organization using the specified secrets and ConfigMap-driven plugin configuration.
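As an added example (not code from the PR or from the ship-hook project), the following Python audit checks a Deployment's container securityContext against the hardening settings listed in the Security bullet above: runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem, seccomp RuntimeDefault and dropping ALL capabilities. The manifest dicts are constructed to mirror that description and are not the PR's YAML; the function names are assumptions.

```python
"""Audit a Kubernetes Deployment's containers for the hardening the
ship-hook PR description lists. Added example; not code from the PR."""

# Boolean settings and the values the PR's "Security" bullet requires.
EXPECTED_BOOLS = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}

def audit_container(container: dict) -> list[str]:
    """Return the hardening gaps in one container spec (empty list = ok)."""
    name = container.get("name", "?")
    sc = container.get("securityContext")
    if sc is None:
        return [f"{name}: no securityContext at all"]
    findings = []
    for key, want in EXPECTED_BOOLS.items():
        if sc.get(key) is not want:  # a missing key is a gap, not a default
            findings.append(f"{name}: {key} should be {want}, got {sc.get(key)!r}")
    if sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append(f"{name}: seccompProfile.type should be RuntimeDefault")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities.drop should include ALL")
    return findings

def audit_deployment(deployment: dict) -> dict[str, list[str]]:
    """Map container name -> findings for every container in a Deployment."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {c["name"]: audit_container(c) for c in containers}

def wrap(container: dict) -> dict:
    """Minimal Deployment skeleton around one container spec."""
    return {"kind": "Deployment",
            "spec": {"template": {"spec": {"containers": [container]}}}}

# Constructed samples (not the PR's YAML): the container as the description
# states it, and a weakened copy of the kind the review comment flagged.
HARDENED = {"name": "ship-hook", "securityContext": {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}}
WEAK = {"name": "ship-hook", "securityContext": {"runAsNonRoot": True}}

if __name__ == "__main__":
    for label, c in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_deployment(wrap(c)))
```

Running the audit over a rendered manifest (for example the output of kubectl get deploy -o json) reports every container that misses one of these settings, which is the gap the first review round flagged on this PR.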


coderabbitai Bot commented May 9, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 019bf9b and 6522465.

📒 Files selected for processing (3)
  • clusters/app.ci/openshift-user-workload-monitoring/ship-hook_servicemonitor.yaml
  • clusters/app.ci/prow/03_deployment/ship-hook.yaml
  • core-services/prow/02_config/openshift/_pluginconfig.yaml

Walkthrough

Adds a new ship-hook Prow component: Kubernetes resources (ServiceAccount, ConfigMap, Service, Deployment), registers it as an external plugin for the openshift org, and adds a ServiceMonitor to scrape its metrics.

Changes

ship-hook Component Deployment and Configuration

  • Data / Config (clusters/app.ci/prow/03_deployment/ship-hook.yaml): Adds ConfigMap ship-hook-config containing config.yaml enabling ready-for-humans for openshift.repos.sippy and origin.
  • Identity / RBAC (clusters/app.ci/prow/03_deployment/ship-hook.yaml): Adds ServiceAccount ship-hook in namespace ci.
  • Networking / Service (clusters/app.ci/prow/03_deployment/ship-hook.yaml): Adds Service ship-hook (ClusterIP) selecting app: prow, component: ship-hook; ports main (80→8888) and metrics (9090→9090).
  • Runtime / Deployment (clusters/app.ci/prow/03_deployment/ship-hook.yaml): Adds Deployment ship-hook (replicas: 2) with image quay-proxy.ci.openshift.org/openshift/ci:ci_ship-hook_latest, args/env (including GITHUB_APP_ID from secret), secret/config mounts, strict securityContext, resource requests/limits, pod anti-affinity, and liveness/readiness probes on port 8081.
  • Plugin Wiring (core-services/prow/02_config/openshift/_pluginconfig.yaml): Registers ship-hook as an external plugin for the openshift org with endpoint: http://ship-hook and events pull_request, issue_comment, pull_request_review.
  • Monitoring (clusters/app.ci/openshift-user-workload-monitoring/ship-hook_servicemonitor.yaml): Adds ServiceMonitor ship-hook in namespace ci, selecting app: prow, component: ship-hook, with a single HTTP scrape endpoint on port metrics and interval: 30s; metadata labels include prow-app: ship-hook.

Sequence diagram (mermaid source):
sequenceDiagram
  actor GitHub
  participant Prow
  participant ShipHook
  participant Prometheus

  GitHub->>Prow: Send webhook events (pull_request, issue_comment, pull_request_review)
  Prow->>ShipHook: Forward event to external plugin endpoint (http://ship-hook)
  ShipHook->>GitHub: Optional GitHub API calls (e.g., checks, comments)
  Prometheus->>ShipHook: Scrape /metrics on port 9090 (interval 30s)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 12 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Deploy openshift-eng/ship-hook to app.ci' directly and clearly summarizes the main change: deploying ship-hook to the app.ci cluster, matching the PR's primary objective.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: ✅ Passed. This PR adds Kubernetes manifests and Prow configuration files only. No Ginkgo test files are present. The custom check for stable and deterministic test names is not applicable.
  • Test Structure And Quality: ✅ Passed. Custom check not applicable. PR contains only YAML configuration files (ServiceMonitor, Kubernetes manifests, Prow plugin config). No Ginkgo test code is present in this PR.
  • Microshift Test Compatibility: ✅ Passed. PR adds Kubernetes configuration files to deploy ship-hook, not e2e tests. The MicroShift test compatibility check is not applicable since no Ginkgo e2e tests were added.
  • Single Node Openshift (Sno) Test Compatibility: ✅ Passed. PR adds Kubernetes manifests and plugin config, not Ginkgo e2e tests. SNO compatibility check applies only to new e2e test code. No test files were added.
  • Topology-Aware Scheduling Compatibility: ✅ Passed. Deployment uses preferred pod anti-affinity with 2 replicas. No required affinity, control-plane selectors, or blocking constraints detected.
  • Ote Binary Stdout Contract: ✅ Passed. PR contains only Kubernetes YAML manifests. No source code, tests, or OTE binary code modified. The check only applies to source code, not infrastructure config.
  • Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. No Ginkgo e2e tests are added in this PR. All changes are Kubernetes/Prow deployment manifests and configuration files, making the IPv6/disconnected network test compatibility check not applicable.


@openshift-ci openshift-ci Bot requested review from deepsm007 and smg247 May 9, 2026 11:59

openshift-ci Bot commented May 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: petr-muller
Once this PR has been reviewed and has the lgtm label, please assign psalajova for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 9, 2026
@petr-muller petr-muller force-pushed the trt-2635-deploy-ship-hook branch from 156f94b to 88a2fc3 Compare May 9, 2026 12:02
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
clusters/app.ci/prow/03_deployment/ship-hook.yaml (1)

80-80: 💤 Low value

Consider reducing log verbosity once ship-hook is stable.

Debug logging (--log-level=debug) is appropriate for initial deployment and troubleshooting, but you may want to reduce it to info or warning once the plugin is stable to minimize log volume.

Inline comment (actionable):
In clusters/app.ci/prow/03_deployment/ship-hook.yaml, around lines 74-129: The ship-hook container spec lacks a securityContext to restrict privileges; update the container named "ship-hook" to include a securityContext that enforces non-root execution (e.g., runAsNonRoot: true and runAsUser with a non-zero UID), disables privilege escalation (allowPrivilegeEscalation: false), drops all capabilities (capabilities: drop: ["ALL"]), makes the root filesystem read-only (readOnlyRootFilesystem: true) and sets a seccompProfile (e.g., type: RuntimeDefault) to harden the pod.

📥 Commits

Reviewing files that changed from the base of the PR and between 35ace66 and 156f94b.

📒 Files selected for processing (3)
  • clusters/app.ci/openshift-user-workload-monitoring/ship-hook_servicemonitor.yaml
  • clusters/app.ci/prow/03_deployment/ship-hook.yaml
  • core-services/prow/02_config/openshift/_pluginconfig.yaml

@petr-muller petr-muller force-pushed the trt-2635-deploy-ship-hook branch from 88a2fc3 to 019bf9b Compare May 9, 2026 12:05
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@petr-muller petr-muller force-pushed the trt-2635-deploy-ship-hook branch from 019bf9b to 6522465 Compare May 9, 2026 12:08
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@petr-muller: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.


openshift-ci Bot commented May 9, 2026

@petr-muller: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
