# Source listing: k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/config/prow/cluster/starter/starter-gcs.yaml
#
# This file contains Kubernetes YAML files for the most important prow
# components. Don't edit resources in this file. Instead, pull them out into
# their own files.
#
# Review notes that apply to the whole file:
# - $GITHUB_ORG, $GITHUB_TOKEN, $GITHUB_APP_ID, $HMAC_TOKEN and $PROW_HOST are
#   placeholders; presumably they are substituted before the file is applied.
#   Once substituted the file holds live credentials, so keep the rendered
#   copy out of version control and shared logs.
# - The Secret `gcs-credentials` is mounted by several workloads below but is
#   not defined in this file; it has to be created separately.
# - No container in this file sets a securityContext or resource
#   requests/limits, and every image is referenced by tag, not by digest.
---
apiVersion: v1
kind: Namespace
metadata:
  name: prow
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  # Plugin set enabled for $GITHUB_ORG. Everything below the `|` is literal
  # file content, so review notes stay above it.
  # NOTE(review): `lgtm` and `approve` presumably apply the `lgtm`/`approved`
  # labels that the tide query in the `config` ConfigMap requires before a
  # merge; confirm who is allowed to use them in your org.
  plugins.yaml: |
    plugins:
      $GITHUB_ORG:
        plugins:
        - approve
        - assign
        - blunderbuss
        - cat
        - dog
        - help
        - heart
        - hold
        - label
        - lgtm
        - trigger
        - verify-owners
        - wip
        - yuks
---
# GitHub App credentials. `cert` is mounted at /etc/github/cert and passed to
# the components via --github-app-private-key-path; `appid` is read through
# secretKeyRef into the GITHUB_APP_ID environment variable.
# stringData is given in plain text; this manifest does not encrypt it.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: github-token
stringData:
  # NOTE(review): if $GITHUB_TOKEN is replaced textually by a multi-line PEM
  # key, this unquoted plain scalar will not parse as one value; confirm how
  # the placeholder is rendered.
  cert: $GITHUB_TOKEN
  appid: "$GITHUB_APP_ID"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: hmac-token
stringData:
  # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration
  # (20 random bytes, hex-encoded.) hook mounts this Secret at /etc/webhook.
  # If it leaks, rotate it here and in the GitHub webhook settings together.
  hmac: $HMAC_TOKEN
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: config
data:
  # Prow's main configuration. Everything below the `|` is literal file
  # content, so the review notes are collected here:
  # - in_repo_config.enabled."*": true turns in-repo configuration on for
  #   every repository. NOTE(review): presumably this lets job definitions
  #   come from the repository under test; confirm who may trigger them.
  # - github_api_endpoints (and the --github-endpoint args below) list
  #   http://ghproxy first, i.e. plain HTTP to the in-cluster ghproxy
  #   Service. NOTE(review): decide whether unencrypted in-cluster traffic
  #   fits your network policy.
  # - gcs_credentials_secret and github_app_private_key_secret name Secrets
  #   that decorated job pods presumably mount, which would require copies
  #   in pod_namespace (test-pods); this file only creates github-token in
  #   namespace prow -- TODO confirm.
  # - gs://your-bucket-name is a placeholder (also used in the tide and
  #   statusreconciler args); replace it consistently.
  # - The tide query selects PRs labelled `lgtm` and `approved` that carry
  #   none of the missingLabels, across $GITHUB_ORG.
  # - The echo-test periodic runs image `alpine` with no tag or digest, so
  #   the image it pulls can change between runs.
  config.yaml: |
    prowjob_namespace: prow
    pod_namespace: test-pods

    in_repo_config:
      enabled:
        "*": true

    deck:
      spyglass:
        lenses:
        - lens:
            name: metadata
          required_files:
          - ^(?:started|finished)\.json$
          optional_files:
          - ^(?:podinfo|prowjob)\.json$
        - lens:
            config:
            name: buildlog
          required_files:
          - build-log.txt
        - lens:
            name: junit
          required_files:
          - .*/junit.*\.xml
        - lens:
            name: podinfo
          required_files:
          - podinfo.json

    plank:
      job_url_prefix_config:
        "*": https://$PROW_HOST/view/
      report_templates:
        '*': >-
          [Full PR test history](https://$PROW_HOST/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}).
          [Your PR dashboard](https://$PROW_HOST/pr?query=is:pr+state:open+author:{{with
          index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).
      default_decoration_config_entries:
      - config:
          gcs_configuration:
            bucket: gs://your-bucket-name
            path_strategy: explicit
          gcs_credentials_secret: gcs-credentials
          github_api_endpoints:
          - http://ghproxy
          - https://api.github.com
          github_app_id: "$GITHUB_APP_ID"
          github_app_private_key_secret:
            name: github-token
            key: cert
          utility_images:
            clonerefs: gcr.io/k8s-prow/clonerefs:v20240517-ea10bd814
            entrypoint: gcr.io/k8s-prow/entrypoint:v20240517-ea10bd814
            initupload: gcr.io/k8s-prow/initupload:v20240517-ea10bd814
            sidecar: gcr.io/k8s-prow/sidecar:v20240517-ea10bd814

    tide:
      queries:
      - labels:
        - lgtm
        - approved
        missingLabels:
        - needs-rebase
        - do-not-merge/hold
        - do-not-merge/work-in-progress
        - do-not-merge/invalid-owners-file
        orgs:
        - $GITHUB_ORG

    decorate_all_jobs: true
    periodics:
    - interval: 1m
      agent: kubernetes
      name: echo-test
      spec:
        containers:
        - image: alpine
          command: ["/bin/date"]
---
# hook: the Ingress below routes /hook to this Deployment's Service. It mounts
# the webhook HMAC secret and the GitHub App key.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: hook
  labels:
    app: hook
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: hook
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: "hook"
      terminationGracePeriodSeconds: 180
      containers:
      - name: hook
        image: gcr.io/k8s-prow/hook:v20240517-ea10bd814
        imagePullPolicy: Always
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        # $(GITHUB_APP_ID) is expanded by Kubernetes from the env entry below;
        # it is not the $GITHUB_APP_ID template placeholder.
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        # Webhook HMAC secret (Secret hmac-token, key hmac).
        - name: hmac
          mountPath: /etc/webhook
          readOnly: true
        # GitHub App private key (Secret github-token, key cert).
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          # NOTE(review): the timeout (600s) far exceeds periodSeconds (3s);
          # confirm this is intended.
          timeoutSeconds: 600
      volumes:
      - name: hmac
        secret:
          secretName: hmac-token
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: hook
spec:
  selector:
    app: hook
  ports:
  - port: 8888
  # NodePort opens this port on every node. The Ingress below mentions
  # ingress-gce, which presumably needs NodePort backends; limit direct
  # access to node ports with firewall rules.
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: sinker
  labels:
    app: sinker
spec:
  selector:
    matchLabels:
      app: sinker
  replicas: 1
  template:
    metadata:
      labels:
        app: sinker
    spec:
      serviceAccountName: "sinker"
      containers:
      - name: sinker
        image: gcr.io/k8s-prow/sinker:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --dry-run=false
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
# deck: the Ingress below sends `/` and its default backend here.
# NOTE(review): this pod mounts both the GitHub App key and the GCS
# credentials, and nothing in this manifest puts authentication in front of
# it; confirm how access to $PROW_HOST is restricted.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: deck
  labels:
    app: deck
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: deck
  template:
    metadata:
      labels:
        app: deck
    spec:
      serviceAccountName: "deck"
      terminationGracePeriodSeconds: 30
      containers:
      - name: deck
        image: gcr.io/k8s-prow/deck:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --plugin-config=/etc/plugins/plugins.yaml
        - --tide-url=http://tide/
        - --hook-url=http://hook:8888/plugin-help
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --spyglass=true
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8080
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: gcs-credentials
          mountPath: /etc/gcs-credentials
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: plugins
        configMap:
          name: plugins
      - name: gcs-credentials
        secret:
          secretName: gcs-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: deck
spec:
  selector:
    app: deck
  ports:
  - port: 80
    targetPort: 8080
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: horologium
  labels:
    app: horologium
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: horologium
  template:
    metadata:
      labels:
        app: horologium
    spec:
      serviceAccountName: "horologium"
      terminationGracePeriodSeconds: 30
      containers:
      - name: horologium
        image: gcr.io/k8s-prow/horologium:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
# tide: mounts the GitHub App key and the GCS credentials; writes its status
# and history to the placeholder bucket given in the args.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: tide
  labels:
    app: tide
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tide
  template:
    metadata:
      labels:
        app: tide
    spec:
      serviceAccountName: "tide"
      containers:
      - name: tide
        image: gcr.io/k8s-prow/tide:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        # The gcs-credentials Secret must contain a key service-account.json.
        - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
        - --status-path=gs://your-bucket-name/tide-status
        - --history-uri=gs://your-bucket-name/tide-history.json
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: gcs-credentials
          mountPath: /etc/gcs-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: gcs-credentials
        secret:
          secretName: gcs-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: tide
spec:
  selector:
    app: tide
  ports:
  - port: 80
    targetPort: 8888
  # NOTE(review): the Ingress in this file has no tide backend and deck
  # reaches tide in-cluster via http://tide/, so ClusterIP would presumably
  # be enough here; confirm before exposing a node port.
  type: NodePort
---
# Public entry point: `/` and the default backend go to deck, `/hook` to hook.
# NOTE(review): there is no `spec.tls` section, so as written this Ingress
# names no TLS host or certificate Secret, while the config above builds
# https://$PROW_HOST links; confirm where TLS is terminated.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: prow
  name: prow
  annotations:
    # Change this to your issuer when using cert-manager. Does
    # nothing when not using cert-manager.
    # NOTE(review): an issuer named letsencrypt-staging usually points at
    # Let's Encrypt's staging CA, whose certificates are not publicly
    # trusted; switch to a production issuer before real use.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  defaultBackend:
    # specify the default backend for `ingress-gce` (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#default_backend)
    service:
      name: deck
      port:
        number: 80
  rules:
  - host: $PROW_HOST
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: deck
            port:
              number: 80
      - path: /hook
        pathType: ImplementationSpecific
        backend:
          service:
            name: hook
            port:
              number: 8888
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statusreconciler
  namespace: prow
  labels:
    app: statusreconciler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statusreconciler
  template:
    metadata:
      labels:
        app: statusreconciler
    spec:
      serviceAccountName: statusreconciler
      terminationGracePeriodSeconds: 180
      containers:
      - name: statusreconciler
        image: gcr.io/k8s-prow/status-reconciler:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --continue-on-error=true
        - --plugin-config=/etc/plugins/plugins.yaml
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
        - --status-path=gs://your-bucket-name/status-reconciler-status
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: gcs-credentials
          mountPath: /etc/gcs-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
      - name: gcs-credentials
        secret:
          secretName: gcs-credentials
---
# Namespace for job pods (pod_namespace in the config above). The Secrets
# defined in this file live in namespace prow, not here.
apiVersion: v1
kind: Namespace
metadata:
  name: test-pods
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
---
# Binds the test-pods Role "deck" to the ServiceAccount prow/deck
# (cross-namespace subject).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
  namespace: prow
---
# deck: read-only access to ProwJobs in namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  # Required when deck runs with `--rerun-creates-job=true`
  # **Warning:** Only use this for non-public deck instances, this allows
  # anyone with access to your Deck instance to create new Prowjobs
  # - create
---
# deck: may read pod logs in test-pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "horologium"
---
# horologium: may create, list and watch ProwJobs in namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "horologium"
subjects:
- kind: ServiceAccount
  name: "horologium"
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "sinker"
---
# sinker: may delete ProwJobs in namespace prow and manage its leader lock.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - delete
  - list
  - watch
  - get
# get/update are limited to the named lock object; `create` sits in a
# separate rule because RBAC cannot restrict create by resourceNames.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
# sinker: may delete and patch pods in test-pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - list
  - watch
  - get
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
  namespace: prow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "hook"
---
# hook: may create and update ProwJobs, and create/get/update ConfigMaps in
# namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - get
  - list
  - update
# NOTE(review): this rule has no resourceNames, so it covers every ConfigMap
# in namespace prow, including `config` and `plugins`. Confirm which plugin
# needs it and narrow get/update with resourceNames if possible.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "hook"
subjects:
- kind: ServiceAccount
  name: "hook"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "tide"
---
# tide: may create and read ProwJobs in namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - get
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "tide"
subjects:
- kind: ServiceAccount
  name: "tide"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "statusreconciler"
---
# statusreconciler: may only create ProwJobs in namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "statusreconciler"
subjects:
- kind: ServiceAccount
  name: "statusreconciler"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: prow
  labels:
    app: ghproxy
  name: ghproxy
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
# ghproxy: the in-cluster endpoint the other components reach as
# http://ghproxy; it keeps a cache on the PVC above.
# NOTE(review): no serviceAccountName is set, so the pod runs as the
# namespace's `default` ServiceAccount; confirm it needs no API access and
# consider disabling token automount.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: ghproxy
  labels:
    app: ghproxy
spec:
  selector:
    matchLabels:
      app: ghproxy
  strategy:
    type: Recreate
  # GHProxy does not support HA
  replicas: 1
  template:
    metadata:
      labels:
        app: ghproxy
    spec:
      containers:
      - name: ghproxy
        image: gcr.io/k8s-prow/ghproxy:v20240517-ea10bd814
        args:
        - --cache-dir=/cache
        - --cache-sizeGB=99
        # `pushgateway` is not defined in this file.
        - --push-gateway=pushgateway
        - --serve-metrics=true
        ports:
        - containerPort: 8888
        volumeMounts:
        - name: cache
          mountPath: /cache
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: ghproxy
---
# ClusterIP only: ghproxy is not reachable through a node port or the Ingress.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ghproxy
  namespace: prow
  name: ghproxy
spec:
  ports:
  - name: main
    port: 80
    protocol: TCP
    targetPort: 8888
  - name: metrics
    port: 9090
  selector:
    app: ghproxy
  type: ClusterIP
---
# prow-controller-manager: runs the plank controller (--enable-controller) and
# holds the Role below that creates pods in test-pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: prow-controller-manager
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
      - name: prow-controller-manager
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --enable-controller=plank
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        image: gcr.io/k8s-prow/prow-controller-manager:v20240517-ea10bd814
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: prow-controller-manager
---
# prow-controller-manager: may read, update and patch ProwJobs in namespace
# prow and manage its leader lock.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
# prow-controller-manager: full pod lifecycle (create/delete/patch) in
# test-pods. This is the only Role in the file that can create pods there.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
  namespace: prow
---
# crier: mounts the GitHub App key and the GCS credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: crier
  labels:
    app: crier
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crier
  template:
    metadata:
      labels:
        app: crier
    spec:
      serviceAccountName: crier
      terminationGracePeriodSeconds: 30
      containers:
      - name: crier
        image: gcr.io/k8s-prow/crier:v20240517-ea10bd814
        args:
        - --blob-storage-workers=10
        - --config-path=/etc/config/config.yaml
        - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-workers=10
        - --kubernetes-blob-storage-workers=10
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: gcs-credentials
          mountPath: /etc/gcs-credentials
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: gcs-credentials
        secret:
          secretName: gcs-credentials
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: crier
  namespace: prow
---
# crier: may read and patch ProwJobs in namespace prow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: crier
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - "prowjobs"
  verbs:
  - "get"
  - "watch"
  - "list"
  - "patch"
---
# crier: may read pods and events, and patch pods, in test-pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: crier
rules:
- apiGroups:
  - ""
  resources:
  - "pods"
  - "events"
  verbs:
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "patch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow