# Listing: k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/config/prow/cluster/starter/starter-azure.yaml
#
# This file contains Kubernetes YAML files for the most important prow
# components. Don't edit resources in this file. Instead, pull them out into
# their own files.
#
# Review notes for this part of the listing:
# - `$NAME` tokens ($GITHUB_ORG, $GITHUB_TOKEN, $GITHUB_APP_ID, $HMAC_TOKEN,
#   $PROW_HOST, $AZURE_STORAGE_ACCOUNT_USER, $AZURE_STORAGE_ACCOUNT_PASSWORD)
#   are placeholders. Once they are filled in, the rendered file holds
#   credentials in clear text (Secret.stringData), so keep the rendered copy
#   out of version control.
# - `$(GITHUB_APP_ID)` in container args is different: it is Kubernetes
#   env-var expansion of the `env` entry declared on the same container.
# - None of the Deployments in this part declare a securityContext or
#   resource requests/limits; add them per workload when hardening.
---
apiVersion: v1
kind: Namespace
metadata:
  name: prow
---
# Plugin set enabled for every repo of the placeholder org.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  plugins.yaml: |
    plugins:
      $GITHUB_ORG:
        plugins:
        - approve
        - assign
        - blunderbuss
        - cat
        - dog
        - help
        - heart
        - hold
        - label
        - lgtm
        - trigger
        - verify-owners
        - wip
        - yuks
---
# GitHub App credentials. Key `cert` is mounted as /etc/github/cert and passed
# via --github-app-private-key-path by the components below; key `appid` is
# read through secretKeyRef into GITHUB_APP_ID.
# NOTE(review): `cert` is an unquoted plain scalar. If the placeholder is
# replaced textually with a multi-line PEM key it would need a block scalar
# (`cert: |`) to stay valid YAML; confirm how this template is rendered.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: github-token
stringData:
  cert: $GITHUB_TOKEN
  appid: "$GITHUB_APP_ID"
---
# Webhook HMAC secret; mounted read-only into hook at /etc/webhook.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: hmac-token
stringData:
  # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration
  hmac: $HMAC_TOKEN
---
# The MinIO root user/password are filled from the same placeholders as the
# Azure storage account credentials, and the same pair is repeated in the
# `s3-credentials` Secrets referenced further down. Anyone who can read any of
# these Secrets holds the storage-account credentials.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: minio-root-creds
stringData:
  user: "$AZURE_STORAGE_ACCOUNT_USER"
  password: "$AZURE_STORAGE_ACCOUNT_PASSWORD"
---
# Main Prow configuration. Comments are kept outside the block scalar so the
# ConfigMap payload is unchanged. Points worth checking before production use:
# - `in_repo_config.enabled` is true for "*" (all orgs/repos). Review who can
#   get jobs triggered from pull requests, since job pods run in `test-pods`.
# - `utility_images` are pinned by tag, not by digest.
# - The `echo-test` periodic uses the untagged image `alpine`, a mutable
#   reference; pin a tag or digest if the job is kept.
# - `github_api_endpoints` lists the in-cluster proxy first, over plain HTTP
#   (http://ghproxy).
# - `s3_credentials_secret: s3-credentials` names a Secret the decoration
#   config expects; a Secret of that name is defined for test-pods later in
#   the file.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: config
data:
  config.yaml: |
    prowjob_namespace: prow
    pod_namespace: test-pods

    in_repo_config:
      enabled:
        "*": true

    deck:
      spyglass:
        lenses:
        - lens:
            name: metadata
          required_files:
          - ^(?:started|finished)\.json$
          optional_files:
          - ^(?:podinfo|prowjob)\.json$
        - lens:
            config:
            name: buildlog
          required_files:
          - build-log.txt
        - lens:
            name: junit
          required_files:
          - .*/junit.*\.xml
        - lens:
            name: podinfo
          required_files:
          - podinfo.json

    plank:
      job_url_prefix_config:
        "*": https://$PROW_HOST/view/
      report_templates:
        '*': >-
            [Full PR test history](https://$PROW_HOST/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}).
            [Your PR dashboard](https://$PROW_HOST/pr?query=is:pr+state:open+author:{{with
            index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).
      default_decoration_config_entries:
      - config:
          gcs_configuration:
            bucket: s3://prow-logs
            path_strategy: explicit
          github_api_endpoints:
          - http://ghproxy
          - https://api.github.com
          github_app_id: "$GITHUB_APP_ID"
          github_app_private_key_secret:
            name: github-token
            key: cert
          s3_credentials_secret: s3-credentials
          utility_images:
            clonerefs: gcr.io/k8s-prow/clonerefs:v20240517-ea10bd814
            entrypoint: gcr.io/k8s-prow/entrypoint:v20240517-ea10bd814
            initupload: gcr.io/k8s-prow/initupload:v20240517-ea10bd814
            sidecar: gcr.io/k8s-prow/sidecar:v20240517-ea10bd814

    tide:
      queries:
      - labels:
        - lgtm
        - approved
        missingLabels:
        - needs-rebase
        - do-not-merge/hold
        - do-not-merge/work-in-progress
        - do-not-merge/invalid-owners-file
        orgs:
        - $GITHUB_ORG

    decorate_all_jobs: true
    periodics:
    - interval: 1m
      agent: kubernetes
      name: echo-test
      spec:
        containers:
        - image: alpine
          command: ["/bin/date"]
---
# hook: webhook receiver, exposed by the Ingress under /hook. It mounts the
# HMAC secret and the GitHub App key read-only; the config and plugins
# ConfigMaps are mounted read-only as well.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: hook
  labels:
    app: hook
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: hook
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: "hook"
      terminationGracePeriodSeconds: 180
      containers:
      - name: hook
        image: gcr.io/k8s-prow/hook:v20240517-ea10bd814
        imagePullPolicy: Always
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: hmac
          mountPath: /etc/webhook
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: hmac
        secret:
          secretName: hmac-token
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: hook
spec:
  selector:
    app: hook
  ports:
  - port: 8888
---
# sinker: mounts only the config ConfigMap; its RBAC (defined further down)
# lets it delete prowjobs in `prow` and pods in `test-pods`.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: sinker
  labels:
    app: sinker
spec:
  selector:
    matchLabels:
      app: sinker
  replicas: 1
  template:
    metadata:
      labels:
        app: sinker
    spec:
      serviceAccountName: "sinker"
      containers:
      - name: sinker
        image: gcr.io/k8s-prow/sinker:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --dry-run=false
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
# deck: the web front end, served by the Ingress at "/" and as its default
# backend. It also mounts the GitHub App key and the S3 credentials, so a
# compromise of this internet-facing pod exposes both.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: deck
  labels:
    app: deck
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: deck
  template:
    metadata:
      labels:
        app: deck
    spec:
      serviceAccountName: "deck"
      terminationGracePeriodSeconds: 30
      containers:
      - name: deck
        image: gcr.io/k8s-prow/deck:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --plugin-config=/etc/plugins/plugins.yaml
        - --tide-url=http://tide/
        - --hook-url=http://hook:8888/plugin-help
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --spyglass=true
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8080
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: deck
spec:
  selector:
    app: deck
  ports:
  - port: 80
    targetPort: 8080
---
# horologium: mounts only the config ConfigMap; single replica with Recreate.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: horologium
  labels:
    app: horologium
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: horologium
  template:
    metadata:
      labels:
        app: horologium
    spec:
      serviceAccountName: "horologium"
      terminationGracePeriodSeconds: 30
      containers:
      - name: horologium
        image: gcr.io/k8s-prow/horologium:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
# tide: runs with --dry-run=false and the GitHub App key; status and history
# are written to s3:// paths using the mounted S3 credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: tide
  labels:
    app: tide
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tide
  template:
    metadata:
      labels:
        app: tide
    spec:
      serviceAccountName: "tide"
      containers:
      - name: tide
        image: gcr.io/k8s-prow/tide:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://tide/tide-status
        - --history-uri=s3://tide/tide-history.json
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: tide
spec:
  selector:
    app: tide
  ports:
  - port: 80
    targetPort: 8888
---
# Public entry point: "/" -> deck:80 and "/hook" -> hook:8888.
# This document declares no `spec.tls` section, so as written both paths are
# plain-HTTP rules; GitHub webhook deliveries to /hook are HMAC-signed but
# would travel unencrypted.
# NOTE(review): cert-manager normally issues a certificate for an Ingress only
# when a `tls` entry (hosts + secretName) is present; add one together with a
# production issuer before relying on the annotation. Confirm against the
# ingress controller and cert-manager version in use.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: prow
  name: prow
  annotations:
    # Change this to your issuer when using cert-manager. Does
    # nothing when not using cert-manager.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  defaultBackend:
    # specify the default backend for `ingress-gce` (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#default_backend)
    service:
      name: deck
      port:
        number: 80
  rules:
  - host: $PROW_HOST
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: deck
            port:
              number: 80
      - path: /hook
        pathType: Prefix
        backend:
          service:
            name: hook
            port:
              number: 8888
---
# statusreconciler: same credential footprint as tide (GitHub App key and S3
# credentials), plus the plugins ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statusreconciler
  namespace: prow
  labels:
    app: statusreconciler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statusreconciler
  template:
    metadata:
      labels:
        app: statusreconciler
    spec:
      serviceAccountName: statusreconciler
      terminationGracePeriodSeconds: 180
      containers:
      - name: statusreconciler
        image: gcr.io/k8s-prow/status-reconciler:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --continue-on-error=true
        - --plugin-config=/etc/plugins/plugins.yaml
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://status-reconciler/status-reconciler-status
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
# Namespace named by `pod_namespace` in config.yaml above.
apiVersion: v1
kind: Namespace
metadata:
  name: test-pods
---
# RBAC from here on is namespaced (Role/RoleBinding only, no ClusterRole).
# Each component gets one ServiceAccount in `prow`; access to `test-pods` is
# granted through a second Role/RoleBinding pair in that namespace.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
  namespace: prow
---
# deck is read-only on prowjobs by default; `create` stays commented out.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  # Required when deck runs with `--rerun-creates-job=true`
  # **Warning:** Only use this for non-public deck instances, this allows
  # anyone with access to your Deck instance to create new Prowjobs
  # - create
---
# deck may read pod logs in test-pods. Those logs are then reachable through
# the deck UI, so job output should not print secrets.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "horologium"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "horologium"
subjects:
- kind: ServiceAccount
  name: "horologium"
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "sinker"
---
# sinker in `prow`: prowjob cleanup plus leader-election objects. get/update
# are limited by resourceNames to `prow-sinker-leaderlock`; `create` on
# leases, configmaps and events is not name-restricted.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - delete
  - list
  - watch
  - get
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - list
  - watch
  - get
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
  namespace: prow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "hook"
---
# hook may create/get/update any ConfigMap in `prow` (no resourceNames). That
# includes the `config` and `plugins` ConfigMaps defined above, so hook's
# ServiceAccount can rewrite Prow's own configuration.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "hook"
subjects:
- kind: ServiceAccount
  name: "hook"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "tide"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - get
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "tide"
subjects:
- kind: ServiceAccount
  name: "tide"
---
# Second part of the starter manifest: statusreconciler RBAC, ghproxy,
# prow-controller-manager, crier, the S3 credential Secrets and the MinIO
# gateway. None of the Deployments in this part declare a securityContext or
# resource requests/limits; add them per workload when hardening.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "statusreconciler"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "statusreconciler"
subjects:
- kind: ServiceAccount
  name: "statusreconciler"
---
# Persistent cache volume for ghproxy (mounted at /cache below).
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: prow
  labels:
    app: ghproxy
  name: ghproxy
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
# ghproxy: in-cluster GitHub API proxy that the other components reach as
# http://ghproxy (plain HTTP inside the cluster).
# No serviceAccountName is set, so the pod runs as the namespace's `default`
# ServiceAccount; nothing in this file binds a Role to it.
# NOTE(review): the proxy listens without authentication as far as this
# manifest shows; consider a NetworkPolicy limiting callers to Prow pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: ghproxy
  labels:
    app: ghproxy
spec:
  selector:
    matchLabels:
      app: ghproxy
  strategy:
    type: Recreate
  # GHProxy does not support HA
  replicas: 1
  template:
    metadata:
      labels:
        app: ghproxy
    spec:
      containers:
      - name: ghproxy
        image: gcr.io/k8s-prow/ghproxy:v20240517-ea10bd814
        args:
        - --cache-dir=/cache
        - --cache-sizeGB=99
        - --push-gateway=pushgateway
        - --serve-metrics=true
        ports:
        - containerPort: 8888
        volumeMounts:
        - name: cache
          mountPath: /cache
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: ghproxy
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ghproxy
  namespace: prow
  name: ghproxy
spec:
  ports:
  - name: main
    port: 80
    protocol: TCP
    targetPort: 8888
  - name: metrics
    port: 9090
  selector:
    app: ghproxy
  type: ClusterIP
---
# prow-controller-manager: runs the plank controller (--enable-controller=plank)
# and holds the GitHub App key. Its RBAC below lets it create and delete pods
# in test-pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: prow-controller-manager
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
      - name: prow-controller-manager
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --enable-controller=plank
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        image: gcr.io/k8s-prow/prow-controller-manager:v20240517-ea10bd814
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: prow-controller-manager
---
# Leader-election get/update is limited by resourceNames to
# `prow-controller-manager-leader-lock`; `create` on leases, configmaps and
# events is not name-restricted.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
# Full pod lifecycle in test-pods. Whoever controls this ServiceAccount can
# start arbitrary pods in that namespace, including ones that mount the
# `s3-credentials` Secret stored there.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
  namespace: prow
---
# crier: reporter; mounts the GitHub App key and the S3 credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: crier
  labels:
    app: crier
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crier
  template:
    metadata:
      labels:
        app: crier
    spec:
      serviceAccountName: crier
      terminationGracePeriodSeconds: 30
      containers:
      - name: crier
        image: gcr.io/k8s-prow/crier:v20240517-ea10bd814
        args:
        - --blob-storage-workers=10
        - --config-path=/etc/config/config.yaml
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-workers=10
        - --kubernetes-blob-storage-workers=10
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: crier
  namespace: prow
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: crier
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - "prowjobs"
  verbs:
  - "get"
  - "watch"
  - "list"
  - "patch"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: crier
rules:
- apiGroups:
  - ""
  resources:
  - "pods"
  - "events"
  verbs:
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "patch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
# S3 client credentials used by the Prow components via --s3-credentials-file.
# access_key/secret_key are the same placeholders that feed the MinIO root
# user/password (Secret `minio-root-creds`), i.e. the Azure storage account
# credentials, so every consumer of this Secret holds root-level storage access.
# `"insecure": true` with a scheme-less in-cluster endpoint presumably means
# plain HTTP to MinIO; TODO confirm against the Prow S3 credential schema.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$AZURE_STORAGE_ACCOUNT_USER",
      "endpoint": "minio.prow.svc.cluster.local",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$AZURE_STORAGE_ACCOUNT_PASSWORD"
    }
---
# Identical copy in test-pods, the namespace where job pods run. It matches
# the `s3_credentials_secret: s3-credentials` decoration setting, so it is
# presumably consumed by the upload utility containers; verify.
# Least-privilege caveat: this places the storage-account credentials next to
# workloads that execute repository code. A separate, narrowly scoped
# credential for this namespace would limit the impact of a leaked job pod.
apiVersion: v1
kind: Secret
metadata:
  namespace: test-pods
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$AZURE_STORAGE_ACCOUNT_USER",
      "endpoint": "minio.prow.svc.cluster.local",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$AZURE_STORAGE_ACCOUNT_PASSWORD"
    }
---
# MinIO started as `gateway azure`, fronting Azure storage with an S3 API.
# - `minio/minio:latest` is a mutable tag, unlike the tag-pinned Prow images in
#   this file. Pin a release tag or digest, e.g.
#   minio/minio:<RELEASE_TAG>@sha256:<DIGEST> (placeholder values).
# - NOTE(review): gateway mode is a legacy MinIO feature; confirm the image
#   you pin still provides `gateway azure`, which `latest` may not.
# - NOTE(review): the --console-address value begins with ':' before the
#   0.0.0.0 host part, which looks like a typo for
#   `0.0.0.0:$MINIO_CONSOLE_PORT`; confirm against the MinIO version in use.
#   Either way the console binds on all interfaces and is published by the
#   `minio-console` NodePort Service below.
# - No serviceAccountName is set, so the pod uses the `default` ServiceAccount.
# - Only containerPort 9000 (S3 API) is declared; the console port is not.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  namespace: prow
spec:
  selector:
    matchLabels:
      app: minio
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
    spec:
      containers:
      - name: minio
        image: minio/minio:latest
        args:
        - gateway
        - azure
        - --console-address=:0.0.0.0:$MINIO_CONSOLE_PORT
        env:
        - name: MINIO_ROOT_USER
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: user
        - name: MINIO_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: password
        - name: MINIO_REGION_NAME
          value: minio
        ports:
        - containerPort: 9000
        readinessProbe:
          httpGet:
            path: /minio/health/ready
            port: 9000
          periodSeconds: 20
        livenessProbe:
          httpGet:
            path: /minio/health/live
            port: 9000
---
# S3 API, reachable only inside the cluster (ClusterIP) on port 80.
apiVersion: v1
kind: Service
metadata:
  name: minio
  namespace: prow
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 9000
    protocol: TCP
  selector:
    app: minio
---
# MinIO console published as a NodePort: a port from the cluster's node-port
# range is opened on every node and forwards to the console. The console login
# is the MinIO root user/password, which in this file are the Azure storage
# account credentials, and no TLS is configured in this manifest.
# Unless node ports are firewalled, prefer `type: ClusterIP` with
# `kubectl port-forward`, or restrict access with a NetworkPolicy or node
# firewall rules.
apiVersion: v1
kind: Service
metadata:
  name: minio-console
  namespace: prow
spec:
  type: NodePort
  ports:
  - port: 8003
    targetPort: $MINIO_CONSOLE_PORT
    protocol: TCP
  selector:
    app: minio