k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/config/jobs/kubernetes/sig-k8s-infra/trusted/releng/releng-trusted.yaml

postsubmits:
  kubernetes/k8s.io:
  - name: post-k8sio-file-promo
    cluster: k8s-infra-prow-build-trusted
    decorate: true
    run_if_changed: '^artifacts\/(filestores|manifests)\/.*\/*.yaml'
    # Never run more than 1 job at a time. This is because we don't want to run
    # into a case where an older manifest PR merge gets run last (after a newer
    # one).
    max_concurrency: 1
    branches:
    - ^main$
    spec:
      serviceAccountName: k8s-infra-promoter
      containers:
      - image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
        command:
        - /kpromo
        args:
        - run
        - files
        - --manifests=/home/prow/go/src/github.com/kubernetes/k8s.io/artifacts/
        - --confirm
    annotations:
      testgrid-dashboards: sig-release-releng-blocking, sig-k8s-infra-k8sio
      testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
      testgrid-num-failures-to-alert: '2'
  - name: post-k8sio-image-promo
    cluster: k8s-infra-prow-build-trusted
    decorate: true
    decoration_config:
      timeout: 4h
    run_if_changed: 'registry.k8s.io/((images/.*/images\.yaml)|(manifests/.*/promoter-manifest\.yaml))'
    # Never run more than 1 job at a time. This is because we don't want to run
    # into a case where an older manifest PR merge gets run last (after a newer
    # one).
    max_concurrency: 1
    # Run only 1 of image promotion postsubmit and periodic at the same time.
    # This is an important step to ensure that we avoid issues of running promotion
    # twice in parallel, such as double signing images.
    job_queue_name: "k8sio-image-promo"
    branches:
    - ^main$
    spec:
      serviceAccountName: k8s-infra-gcr-promoter
      containers:
      - image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
        command:
        - /kpromo
        args:
        - cip
        - --thin-manifest-dir=/home/prow/go/src/github.com/kubernetes/k8s.io/registry.k8s.io
        - --use-prow-manifest-diff
        - --confirm
        - --certificate-identity-regexp=(krel-staging@k8s-releng-prod.iam.gserviceaccount.com)|(krel-trust@k8s-releng-prod.iam.gserviceaccount.com)
        - --certificate-oidc-issuer=https://accounts.google.com
        env:
        - name: GOMAXPROCS
          value: "7"
        resources:
          # request most of one node 🚀
          requests:
            cpu: 7
            memory: "40Gi"
          limits:
            cpu: 7
            memory: "40Gi"
    annotations:
      testgrid-dashboards: sig-release-releng-blocking, sig-k8s-infra-k8sio
      testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
      testgrid-num-failures-to-alert: '2'

  kubernetes-sigs/promo-tools:
  # This job is a canary job to test promoting the image promoter before
  # rolling changes out to production instances
  - name: post-promo-tools-image-promo-canary
    cluster: k8s-infra-prow-build-trusted
    decorate: true
    run_if_changed: 'canary/((images/.*/images\.yaml)|(manifests/.*/promoter-manifest\.yaml))'
    # Never run more than 1 job at a time. This is because we don't want to run
    # into a case where an older manifest PR merge gets run last (after a newer
    # one).
    max_concurrency: 1
    branches:
    - ^main$
    spec:
      serviceAccountName: k8s-infra-gcr-promoter
      containers:
      - image: gcr.io/k8s-staging-artifact-promoter/kpromo:latest-canary
        imagePullPolicy: Always
        command:
        - /kpromo
        args:
        - cip
        - --thin-manifest-dir=/home/prow/go/src/github.com/kubernetes-sigs/promo-tools/canary
        - --confirm
    annotations:
      testgrid-dashboards: sig-release-releng-informing
      testgrid-alert-email: release-managers+alerts@kubernetes.io
      testgrid-num-failures-to-alert: '2'

periodics:
- interval: 1h
  cluster: k8s-infra-prow-build-trusted
  max_concurrency: 1
  name: ci-k8sio-file-promo
  decorate: true
  extra_refs:
  - org: kubernetes
    repo: k8s.io
    base_ref: main
  spec:
    serviceAccountName: k8s-infra-promoter
    containers:
    - image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
      command:
      - /kpromo
      args:
      - run
      - files
      - --manifests=/home/prow/go/src/github.com/kubernetes/k8s.io/artifacts/
      - --confirm
  annotations:
    testgrid-dashboards: sig-release-releng-blocking, sig-k8s-infra-k8sio
    testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
    testgrid-num-failures-to-alert: '2'
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers

# Copy artifacts to mirrors (periodic drift correction)
- interval: 1h
  cluster: k8s-infra-prow-build-trusted
  max_concurrency: 1
  name: ci-k8sio-file-promo-mirrors
  decorate: true
  extra_refs:
  - org: kubernetes
    repo: k8s.io
    base_ref: main
  spec:
    serviceAccountName: k8s-infra-promoter
    containers:
    - name: promote-to-mirrors
      image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
      command:
      - /kpromo
      args:
      - run
      - files
      - --manifests=/home/prow/go/src/github.com/kubernetes/k8s.io/artifacts/mirroring
      - --confirm
      - --use-service-account
      env:
        - name: AWS_ROLE_ARN
          value: arn:aws:iam::354561287328:role/artifacts.k8s.io_s3writer
        - name: AWS_WEB_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/aws-iam-token/serviceaccount/token
        - name: AWS_REGION
          value: us-east-1
      resources:
        # We hash files as we upload them, so take a whole core
        requests:
          cpu: 1
          memory: "2Gi"
        limits:
          cpu: 1
          memory: "2Gi"
      volumeMounts:
        - mountPath: /var/run/secrets/aws-iam-token/serviceaccount
          name: aws-iam-token
          readOnly: true
    - name: promote-to-mirrors-staging
      image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
      command:
      - /kpromo
      args:
      - run
      - files
      - --manifests=/home/prow/go/src/github.com/kubernetes/k8s.io/artifacts/mirroring-staging
      - --confirm
      - --use-service-account
      env:
        - name: AWS_ROLE_ARN
          value: arn:aws:iam::354561287328:role/artifacts.k8s.io_s3writer
        - name: AWS_WEB_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/aws-iam-token/serviceaccount/token
        - name: AWS_REGION
          value: us-east-1
      resources:
        # We hash files as we upload them, so take a whole core
        requests:
          cpu: 1
          memory: "2Gi"
        limits:
          cpu: 1
          memory: "2Gi"
      volumeMounts:
        - mountPath: /var/run/secrets/aws-iam-token/serviceaccount
          name: aws-iam-token
          readOnly: true
    volumes:
    - name: aws-iam-token
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            audience: sts.amazonaws.com
            expirationSeconds: 86400
            path: token
  annotations:
    testgrid-dashboards: sig-release-releng-blocking, sig-k8s-infra-k8sio
    #testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
    #testgrid-num-failures-to-alert: '2'
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers

# ci-k8sio-image-promo runs daily as a backstop on top of the postsubmit
# ~midnight pacific
- cron: '0 7 * * *'
  cluster: k8s-infra-prow-build-trusted
  max_concurrency: 1
  # Run only 1 of image promotion postsubmit and periodic at the same time.
  # This is an important step to ensure that we avoid issues of running promotion
  # twice in parallel, such as double signing images.
  job_queue_name: "k8sio-image-promo"
  # This name is the "job name", passed in as "--job=NAME" for mkpj.
  name: ci-k8sio-image-promo
  # Enable Pod Utilities.
  # See https://git.k8s.io/test-infra/prow/pod-utilities.md.
  decorate: true
  extra_refs:
  # We clone the below repo automatically (via Pod Utilities), and get dropped
  # into /home/prow/go/src/github.com/kubernetes/k8s.io.
  - org: kubernetes
    repo: k8s.io
    base_ref: main
  spec:
    # The k8s-artifacts-prod name was chosen in
    # https://github.com/kubernetes/k8s.io/pull/695.
    serviceAccountName: k8s-infra-gcr-promoter
    containers:
    - image: registry.k8s.io/artifact-promoter/kpromo:v4.0.5-0
      command:
      - /kpromo
      args:
      - cip
      - --thin-manifest-dir=/home/prow/go/src/github.com/kubernetes/k8s.io/registry.k8s.io
      - --confirm
      - --certificate-identity-regexp=(krel-staging@k8s-releng-prod.iam.gserviceaccount.com)|(krel-trust@k8s-releng-prod.iam.gserviceaccount.com)
      - --certificate-oidc-issuer=https://accounts.google.com
      env:
      - name: GOMAXPROCS
        value: "7"
      resources:
        # request most of one node 🚀
        requests:
          cpu: 7
          memory: "40Gi"
        limits:
          cpu: 7
          memory: "40Gi"
  annotations:
    testgrid-dashboards: sig-release-releng-blocking, sig-k8s-infra-k8sio
    testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
    testgrid-num-failures-to-alert: '2'
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers

# This job is a canary job to test promoting the image promoter before
# rolling changes out to production instances
- interval: 1h
  cluster: k8s-infra-prow-build-trusted
  max_concurrency: 1
  name: ci-promo-tools-image-promo-canary
  decorate: true
  extra_refs:
  - org: kubernetes-sigs
    repo: promo-tools
    base_ref: main
  spec:
    serviceAccountName: k8s-infra-gcr-promoter
    containers:
    - image: gcr.io/k8s-staging-artifact-promoter/kpromo:latest-canary
      imagePullPolicy: Always
      command:
      - /kpromo
      args:
      - cip
      - --thin-manifest-dir=/home/prow/go/src/github.com/kubernetes-sigs/promo-tools/canary
      - --confirm
      - --log-level=debug
      - --certificate-identity-regexp=(keyless@projectsigstore.iam.gserviceaccount.com)|(krel-trust@k8s-releng-prod.iam.gserviceaccount.com)
      - --certificate-oidc-issuer=https://accounts.google.com
  annotations:
    testgrid-dashboards: sig-release-releng-informing
    testgrid-alert-email: release-managers+alerts@kubernetes.io
    testgrid-num-failures-to-alert: '2'
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers

- interval: 4h
  cluster: k8s-infra-prow-build-trusted
  max_concurrency: 1
  name: ci-k8sio-gcr-prod-backup
  decorate: true
  extra_refs:
  - org: kubernetes
    repo: k8s.io
    base_ref: main
  spec:
    serviceAccountName: k8s-infra-gcr-promoter-bak
    containers:
    - image: gcr.io/k8s-staging-releng/releng-ci:latest-go1.20-bookworm
      imagePullPolicy: Always
      command:
      - infra/gcp/bash/backup_tools/backup.sh
      env:
      # The backup script needs GOPATH to be explicitly defined.
      - name: GOPATH
        value: /go
  annotations:
    testgrid-dashboards: sig-release-releng-blocking
    testgrid-alert-email: k8s-infra-alerts@kubernetes.io, release-managers+alerts@kubernetes.io
    testgrid-num-failures-to-alert: '2'
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers

- interval: 6h
  name: ci-fast-forward
  cluster: k8s-infra-prow-build-trusted
  decorate: true
  spec:
    serviceAccountName: gcb-builder
    containers:
    - image: gcr.io/k8s-staging-releng/k8s-ci-builder:latest-default
      imagePullPolicy: Always
      command:
      - wrapper.sh
      - /krel
      - fast-forward
      - --non-interactive
      - --submit
      - --nomock
      resources:
        requests:
          cpu: 4
          memory: "8Gi"
        limits:
          cpu: 4
          memory: "8Gi"
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers
  annotations:
    testgrid-alert-email: release-managers+alerts@kubernetes.io
    testgrid-dashboards: sig-release-releng-blocking
    testgrid-tab-name: git-repo-kubernetes-fast-forward

- interval: 6h
  name: ci-fast-forward-website
  cluster: k8s-infra-prow-build-trusted
  decorate: true
  spec:
    serviceAccountName: gcb-builder
    containers:
    - image: gcr.io/k8s-staging-releng/k8s-ci-builder:latest-default
      imagePullPolicy: Always
      command:
      - wrapper.sh
      - /krel
      - fast-forward
      - --non-interactive
      - --submit
      - --github-org=kubernetes
      - --github-repo=website
      # TODO: enable no mock after a few runs to check
      # - --nomock
      resources:
        requests:
          cpu: 4
          memory: "8Gi"
        limits:
          cpu: 4
          memory: "8Gi"
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers
  annotations:
    testgrid-alert-email: release-managers+alerts@kubernetes.io
    testgrid-dashboards: sig-release-releng-informing
    testgrid-tab-name: git-repo-kubernetes-website-fast-forward

- name: periodic-release-verify-image-signatures
  cluster: k8s-infra-prow-build-trusted
  interval: 4h
  annotations:
    testgrid-alert-email: release-managers+alerts@kubernetes.io
    testgrid-dashboards: sig-release-releng-informing
    testgrid-tab-name: verify-image-signatures
  decorate: true
  spec:
    containers:
    - image: gcr.io/k8s-staging-artifact-promoter/kpromo:v4.0.1-0
      imagePullPolicy: Always
      command:
        - /kpromo
        - --from-days=7
      args:
        - sigcheck
  rerun_auth_config:
    github_team_slugs:
      - org: kubernetes
        slug: release-managers