new(ci): run update-kernels daily.

[FedeDP]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area ci

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Refs falcosecurity/test-infra#1255

Special notes for your reviewer:

[FedeDP]

/hold

[incertum]

This would be an amazing improvement! Thanks for getting this PR up @FedeDP!

[leogr]

Ok for me

[FedeDP]

Also, it would be great if we removed the kernels branch protection, and allow the update-kernels job to automatically push to the branch, instead of opening a PR.
This way, we reduce the number of PRs to be approved before drivers get built to just 1, the test-infra one.

This can be done in a follow up PR of course.

[incertum]

Also, it would be great if we removed the kernels branch protection, and allow the update-kernels job to automatically push to the branch, instead of opening a PR. This way, we reduce the number of PRs to be approved before drivers get built to just 1, the test-infra one.

This can be done in a follow up PR of course.

Ohhh I now realize how this is done. Hmm I understand we can't change it over night, but perhaps we can just invoke the kernel crawler cron job from test-infra and the kernelrelease build yamls will only exists within the CI job, no PRs or approvals at all. Any other solution that accomplishes full automation will work as well.

[maxgio92]

/approve

(let's coordinate on this for unlocking it :) )

[maxgio92]

I agree with @incertum, we could evaluate @FedeDP a way to avoid the "double PR" (one to update kernels.json, and one to update DBG config) pipeline, without pushing directly to long-living branches.

[FedeDP]

without pushing directly to long-living branches.

we can just invoke the kernel crawler cron job from test-infra and the kernelrelease build yamls will only exists within the CI job

Please remember that our dbg is not the only consumer of the kernel crawler output jsons.
Ie: we need to push the jsons somewhere. And this means that we can only trigger the update-dbg job on post-submit.

The only real workaround would be to let update-dbg job also crawl the latest kernels and push the list somewhere (eg: s3 bucket) and have the website over there just like we do for the drivers one.
While this would reduce number of approvals to 1 (and we could finally rebase kernel-crawler repo removing any reference to the big jsons in its history to reduce the repo size, fixing falcosecurity/test-infra#1118), i don't really like the idea that the producer of the jsons is also the consumer.
Anyway, that would work fine.
In the process, we might want to drop the last_run_distro trick since the new dbg-go impl takes a few seconds to generate dbg configs. (Otherwise we would need to push an updated last_run_distro.txt to s3 too!).

[incertum]

@FedeDP thanks for the additional context!

Would it be possible to have 2 streams?

The existing workflow for all remaining use cases.

A fast runner so to say that constantly crawls and builds kernel drivers. Hard requirement would be full automation, no PRs. Something like this fast runner is what I have for custom kernels and it has never failed me.

[FedeDP]

Hard requirement would be full automation

Full automation would be a bit hard to achieve, we would need to completely trust the process; ie: it would mean that test-infra update-dbg job should directly push to master, i don't really like this.
I think that a single PR on test-infra is already good to go!

Would it be possible to have 2 streams?

I think if we move the current kernel-crawler site onto download.falco.org just like we do for drivers (and it makes sense because it gets nearer to them) and the big jsons too, we can run it daily directly from test-infra that will:

• generate new jsons
• push them to s3
• use directly them to generate dbg-configs
• open a PR against test-infra with updated dbg-configs

WDYT?
dbg-go tool needs a bit of adaption, ie: i'd add a new option to directly pass a json to generate dbg configs against.

[maxgio92]

I'd propose an alternative option for the publishing of the kernel list.

In order to:

• Remove a PR that in this case would be needed to approve the merge of the updated crawled kernel list file to the kernels branch, and
• Not to remove branch protection

we could generate the list on the fly in the GH actions pipeline, and publish it directly to the GH page.

This way, we'd achieve the following:

• The list would not reside in Git, removing risks from escalation with GH users
• The only allowed actor with write access to the list would be the GH action of the kernel-crawler repository
• Consumers can keep working with the crawled result as the page would be public.

The drawback I see is that:

• The DBG configurations update (update-dbg ProwJob) would miss the trigger, that right now is based on new changes in the kernels Git branch.

But we could overcome this con by running it as a Prow cronjob. It would be less efficient, but dbg-go is smart enough to skip Driverkit configurations that have not changed (thus skipping unneeded PRs).

WDYT?

[FedeDP]

I like this idea @maxgio92 ! Much cleaner, even if we would need to move update-dbg job to cron since we would miss the post-submit trigger.
Anyway, great feedback and great idea, thank you!

[incertum]

+1 @maxgio92 thanks for the more concrete outline and yes I also don't see a problem with the planned cron jobs in this regard in test-infra.

[FedeDP]

We don't support single input anymore:

• since dbg-go is super quick to generate dbg configs (a matter of seconds)
• since we will run the crawler daily
  we have no more needs for it.

[FedeDP]

We will directly deploy pages without pushing anything to any branch.

[FedeDP]

We checkout default branch that now has the index.html file.

[FedeDP]

We use site folder as root for the pages deployment.

[FedeDP]

This file was completely copy/pasted by the kernels branch.

[FedeDP]

This now points to a local (relative) file.

[FedeDP]

Same as above.

[maxgio92]

/cc

[maxgio92]

/approve

🚀

[FedeDP]

/unhold

[FedeDP]

Let's test this!