diff --git a/pkg/webreg/webreg.go b/pkg/webreg/webreg.go index a41ae14dcb5..9d059e772c2 100644 --- a/pkg/webreg/webreg.go +++ b/pkg/webreg/webreg.go @@ -2459,9 +2459,93 @@ const privateRepositoriesPage = `

Private Repositories

-All of ci-operator/config/openshift-priv is autogenerated with private-prow-configs-mirror from corresponding content in ci-operator/config/openshift, and should not be manually edited. -For example, see release#10382. - +OpenShift CI supports setting up CI jobs for private repositories mainly to +allow temporary non-public development on the forks of the otherwise public +repositories. The CI jobs executed for these forks are not shown in the public +Deck instance, and all their artifacts are not public. Access to these jobs is +limited to engineers who need it. +

+ +

+Unfortunately, such access cannot be granted to developers of other private +repositories. Therefore, OpenShift CI only allows setting up public CI +jobs for private repositories -- the logs and artifacts executed for such +private repository will be public. Only set up such jobs when you are +absolutely sure your jobs would not leak any sensitive information. +

+ +

+To allow the CI jobs to access a private repo, drop a following file to the +directory in openshift/release holding the ci-operator +configuration for your repository (usually ci-operator/config/$org/$repo): +

+ +.config.prowgen +{{ yamlSyntax (index . "privateRepoProwgenConfigExample") }} + +

openshift-priv organization

+ +

+The openshift-priv organization holds private forks of selected +repositories. The purpose of these forks is to allow temporary non-public +development. Their presence, content, settings, and all CI configuration are +managed automatically. +

+ +

+Automated tools manage all CI configuration for repositories in openshift-priv +organization. Humans should not change any CI configuration related to these +repositories. All manual changes to this configuration will be overwritten. +

+ +

Involved Repositories

+ +

+The set of repositories that are managed automatically in openshift-priv +is dynamic and consists of the following two subsets: +

+ +
    +
  1. Repositories with existing CI configuration promoting images to the ocp/4.X + namespace (same criteria like for enrollment into the centralized release + branch management)
    2. +
  2. Repositories explicitly listed in the + allowlist
    3. +
+ +

Automation Architecture

+ +When a repository is identified to be included in openshift-priv +by having the appropriate promoting configuration or by being present in the +allowlist, the following jobs and tools maintain the existence, repository +settings, repository content, and all necessary CI configuration of the fork in +openshift-priv: + +
    +
  1. The periodic-auto-private-org-peribolos-sync + job runs the private-org-peribolos-sync + tool to maintain the GitHub settings for the fork. These settings are asynchronously + consumed by the periodic-org-sync + job running the peribolos + tool to create the fork on GitHub and maintain its settings.
    2. +
  2. The periodic-openshift-release-private-org-sync + job runs the private-org-sync + tool to synchronize the git content of the fork with the source repository.
    3. +
  3. The periodic-prow-auto-config-brancher + runs the ci-operator-config-mirror + tool to create and maintain the CI configuration for the fork (ci-operator + configuration files). The same job then generates the CI jobs from the ci-operator + files. This has a caveat of not carrying over handcrafted (non-generated) + jobs and also manual changes to the generated jobs.
    4. +
  4. The periodic-prow-auto-config-brancher + also runs the private-prow-configs-mirror + tool to mirror the repository-specific Prow configuration, like merging + criteria, plugin enablement, etc.
    5. +
+` + +const privateRepoProwgenConfigExample = `private: true +expose: true ` const quotasAndLeasesPage = `

How are Cloud Quota and Aggregate Concurrency Limits Handled?

@@ -3024,6 +3108,7 @@ func helpHandler(subPath string, w http.ResponseWriter, _ *http.Request) { data["makeNewRepoExample"] = makeNewRepoExample helpTemplate, err = helpFuncs.Parse(releasePage) case "/private-repositories": + data["privateRepoProwgenConfigExample"] = privateRepoProwgenConfigExample helpTemplate, err = helpFuncs.Parse(privateRepositoriesPage) case "/examples": helpTemplate, err = helpFuncs.Parse(examplesPage)