docs about machine config and ingress

containers/buildkite-premerge-debian/pre-checkout

@@ -17,4 +17,6 @@
 # checked out from your SCM provider
 
 set -e
+# Convert https://github.com/llvm-premerge-tests/llvm-project.git -> llvm-project
+# to use the same directory for fork and origin.
 BUILDKITE_BUILD_CHECKOUT_PATH="${BUILDKITE_BUILD_PATH}/$(echo $BUILDKITE_REPO | sed -E "s#.*/([^/]*)#\1#" | sed "s/.git$//")"

docs/development.md

@@ -2,6 +2,10 @@
 - [Phabricator integration](#phabricator-integration)
 - [Buildkite pipelines](#buildkite-pipelines)
 - [Life of a pre-merge check](#life-of-a-pre-merge-check)
+- [Cluster parts](#cluster-parts)
+  * [Ingress and public addresses](#ingress-and-public-addresses)
+  * [Linux agents](#linux-agents)
+  * [Windows agents](#windows-agents)
 - [Enabled projects and project detection](#enabled-projects-and-project-detection)
 - [Agent machines](#agent-machines)
 - [Compilation caching](#compilation-caching)
@@ -82,6 +86,40 @@ branches older than 30 days.
 builds and tests changes on Linux and Windows agents. Then it uploads a
 combined result to Phabricator.
 
+# Cluster parts
+
+## Ingress and public addresses
+
+https://build.llvm-merge-guard.org/ URL points to [phabricator
+proxy](../phabricator-proxy) application.
+
+We use NGINX ingress for Kubernetes and Let's Encrypt certificate manager.
+Follow up to date docs to install [reverse
+proxy](https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke) and
+[certificate
+manager](http://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html).
+
+Access to the service is restricted with basic HTTP auth. It's configured with
+k8s secret 'http-auth' in 'buildkite' namespace (see [how to update
+auth](playbooks.md#update-http-auth-credentials))
+
+llvm-merge-guard.org domain is managed by [Google
+Domains](https://domains.google.com/).
+
+## Linux agents
+
+- docker image [buildkite-premerge-debian](../containers/buildkite-premerge-debian).
+
+- [Kubernetes manifests](../kubernetes/buildkite).
+
+## Windows agents
+
+- docker image [agent-windows-buildkite](../containers/agent-windows-buildkite).
+
+- VMs are manually managed and updated, use RDP to access.
+
+- there is an 'windows development' VM to do Windows-related development.
+
 # Enabled projects and project detection
 
 To reduce build times and mask unrelated problems, we're only building and

docs/playbooks.md

@@ -8,6 +8,7 @@
   * [Testing scripts locally](#testing-scripts-locally)
   * [Custom environment variables](#custom-environment-variables)
   * [Testing changes before merging](#testing-changes-before-merging)
+- [Update HTTP auth credentials](#update-http-auth-credentials)
 - [Phabricator integration](#phabricator-integration)
   * [Herald](#herald)
   * [Harbormaster](#harbormaster)
@@ -199,6 +200,20 @@ It's recommended to test even smallest changes before committing them to the `ma
    `scripts_branch="my-feature"` (see also "Custom environment variables" for other options above). To test "premerge-tests" pipeline pick an existing build and copy parameters from it, omitting "ph_target_phid", namely: "ph_build_id", "ph_buildable_diff", "ph_buildable_revision", "ph_initiator_phid" and "scripts_branch" variables.
 1. Wait for build to complete and maybe attach a link to it to your PR.
 
+# Update HTTP auth credentials
+
+To update e.g. buildkite http-auth:
+```shell script
+kubectl get secret http-auth -n buildkite -o yaml
+# base64 decode it's data to 'auth'.
+echo <data/auth from yaml> | base64 --decode > auth
+# add / update passwords
+htpasswd -b auth <user> <pass> 
+# update secret
+kubectl delete secret http-auth -n buildkite
+kubectl create secret generic http-auth -n buildkite --from-file=./auth
+```
+
 # Phabricator integration
 
 The general flow for builds on Phabricator is: