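# This file contains Kubernetes YAML files for the most important prow
# components. Don't edit resources in this file. Instead, pull them out into
# their own files.
#
# NOTE(review): this is a local starter manifest, not a hardened deployment:
# - every Prow image, minio/minio and alpine use mutable tags (`:latest` or no
#   tag), so what runs can change without any change to this file; pin tags or
#   digests where reproducibility matters.
# - hook, deck and minio are published through `type: LoadBalancer` Services
#   with fixed nodePorts (30001-30003).
# - no pod spec below sets a securityContext or resource requests/limits.
# - the $NAME placeholders are presumably substituted before `kubectl apply`;
#   keep the rendered file (it contains credentials) out of version control.
---
apiVersion: v1
kind: Namespace
metadata:
  name: prow
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  plugins.yaml: |
    plugins:
      $GITHUB_REPO:
        plugins:
        - approve
        - assign
        - blunderbuss
        - cat
        - dog
        - help
        - heart
        - hold
        - label
        - lgtm
        - trigger
        - verify-owners
        - wip
        - yuks
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: github-token
stringData:
  # Mounted at /etc/github by the deployments below and passed to them as
  # --github-app-private-key-path=/etc/github/cert.
  # NOTE(review): unquoted, unlike appid; confirm the substituted key material
  # still forms a valid YAML scalar.
  cert: $GITHUB_TOKEN
  appid: "$GITHUB_APP_ID"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: hmac-token
stringData:
  # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration
  # Quoted like the other placeholders so that a token made only of digits (or
  # otherwise number-looking) is still loaded as a string.
  hmac: "$HMAC_TOKEN"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: minio-root-creds
stringData:
  user: "$MINIO_ROOT_USER"
  password: "$MINIO_ROOT_PASSWORD"
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: config
# NOTE(review), for the embedded config.yaml below:
# - in_repo_config is enabled for every repo ("*"), so job definitions are
#   also read from the repositories under test; review who may trigger jobs.
# - the deck URLs use plain http://$LOCAL_IP:30002.
# - utility_images and the echo-test periodic use `:latest` / untagged images.
# - decorated job pods read the s3-credentials Secret, which in this file
#   holds the MinIO root credentials.
data:
  config.yaml: |
    prowjob_namespace: prow
    pod_namespace: test-pods

    in_repo_config:
      enabled:
        "*": true

    deck:
      spyglass:
        lenses:
        - lens:
            name: metadata
          required_files:
          - started.json|finished.json
        - lens:
            config:
            name: buildlog
          required_files:
          - build-log.txt
        - lens:
            name: junit
          required_files:
          - .*/junit.*\.xml
        - lens:
            name: podinfo
          required_files:
          - podinfo.json

    plank:
      job_url_prefix_config:
        "*": http://$LOCAL_IP:30002/view/
      report_templates:
        '*': >-
            [Full PR test history](http://$LOCAL_IP:30002/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}).
            [Your PR dashboard](http://$LOCAL_IP:30002/pr?query=is:pr+state:open+author:{{with
            index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).
      default_decoration_config_entries:
      - config:
          gcs_configuration:
            bucket: s3://prow-logs
            path_strategy: explicit
          github_api_endpoints:
          - http://ghproxy
          - https://api.github.com
          github_app_id: "$GITHUB_APP_ID"
          github_app_private_key_secret:
            name: github-token
            key: cert
          s3_credentials_secret: s3-credentials
          utility_images:
            clonerefs: gcr.io/k8s-prow/clonerefs:latest
            entrypoint: gcr.io/k8s-prow/entrypoint:latest
            initupload: gcr.io/k8s-prow/initupload:latest
            sidecar: gcr.io/k8s-prow/sidecar:latest

    tide:
      queries:
      - labels:
        - lgtm
        - approved
        missingLabels:
        - needs-rebase
        - do-not-merge/hold
        - do-not-merge/work-in-progress
        - do-not-merge/invalid-owners-file
        repos:
        - $GITHUB_REPO

    decorate_all_jobs: true
    periodics:
    - interval: 1m
      agent: kubernetes
      name: echo-test
      spec:
        containers:
        - image: alpine
          command: ["/bin/date"]
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: job-config
data:
  job-config.yaml: |
    presubmits:
      $GITHUB_REPO:
      - name: presubmit-echo-test
        decorate: true
        always_run: true
        spec:
          containers:
          - image: alpine
            command: ["/bin/date"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: hook
  labels:
    app: hook
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: hook
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: "hook"
      terminationGracePeriodSeconds: 180
      containers:
      - name: hook
        image: gcr.io/k8s-prow/hook:latest
        imagePullPolicy: Always
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        - --job-config-path=/etc/job-config
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        # Webhook HMAC secret (Secret hmac-token), read-only.
        - name: hmac
          mountPath: /etc/webhook
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: hmac
        secret:
          secretName: hmac-token
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
      - name: job-config
        configMap:
          name: job-config
---
# NOTE(review): publishes the webhook receiver on nodePort 30001. Anything
# that can reach this port can post to hook, so the hmac-token secret is the
# control that separates GitHub deliveries from other senders.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hook
  name: hook
  namespace: prow
spec:
  type: LoadBalancer
  selector:
    app: hook
  ports:
  - name: hook-1
    port: 8888
    targetPort: 8888
    nodePort: 30001
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: sinker
  labels:
    app: sinker
spec:
  selector:
    matchLabels:
      app: sinker
  replicas: 1
  template:
    metadata:
      labels:
        app: sinker
    spec:
      serviceAccountName: "sinker"
      containers:
      - name: sinker
        image: gcr.io/k8s-prow/sinker:latest
        args:
        - --config-path=/etc/config/config.yaml
        - --dry-run=false
        - --job-config-path=/etc/job-config
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: job-config
        configMap:
          name: job-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: deck
  labels:
    app: deck
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: deck
  template:
    metadata:
      labels:
        app: deck
    spec:
      serviceAccountName: "deck"
      terminationGracePeriodSeconds: 30
      containers:
      - name: deck
        image: gcr.io/k8s-prow/deck:latest
        args:
        - --config-path=/etc/config/config.yaml
        - --plugin-config=/etc/plugins/plugins.yaml
        - --tide-url=http://tide/
        - --hook-url=http://hook:8888/plugin-help
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --spyglass=true
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        - --job-config-path=/etc/job-config
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8080
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
      - name: job-config
        configMap:
          name: job-config
---
# NOTE(review): publishes the Deck UI on nodePort 30002; no authentication for
# Deck is configured anywhere in this file.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: deck
  name: deck
  namespace: prow
spec:
  type: LoadBalancer
  selector:
    app: deck
  ports:
  - name: deck-1
    port: 80
    targetPort: 8080
    nodePort: 30002
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: horologium
  labels:
    app: horologium
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: horologium
  template:
    metadata:
      labels:
        app: horologium
    spec:
      serviceAccountName: "horologium"
      terminationGracePeriodSeconds: 30
      containers:
      - name: horologium
        image: gcr.io/k8s-prow/horologium:latest
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --job-config-path=/etc/job-config
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: job-config
        configMap:
          name: job-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: tide
  labels:
    app: tide
spec:
  replicas: 1 # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tide
  template:
    metadata:
      labels:
        app: tide
    spec:
      serviceAccountName: "tide"
      containers:
      - name: tide
        image: gcr.io/k8s-prow/tide:latest
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://tide/tide-status
        - --history-uri=s3://tide/tide-history.json
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        - --job-config-path=/etc/job-config
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: s3-credentials
        secret:
          secretName: s3-credentials
      - name: job-config
        configMap:
          name: job-config
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: tide
spec:
  selector:
    app: tide
  ports:
  - port: 80
    targetPort: 8888
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statusreconciler
  namespace: prow
  labels:
    app: statusreconciler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statusreconciler
  template:
    metadata:
      labels:
        app: statusreconciler
    spec:
      serviceAccountName: statusreconciler
      terminationGracePeriodSeconds: 180
      containers:
      - name: statusreconciler
        image: gcr.io/k8s-prow/status-reconciler:latest
        args:
        - --dry-run=false
        - --continue-on-error=true
        - --plugin-config=/etc/plugins/plugins.yaml
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://status-reconciler/status-reconciler-status
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        - --job-config-path=/etc/job-config
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
      - name: job-config
        configMap:
          name: job-config
---
apiVersion: v1
kind: Namespace
metadata:
  name: test-pods
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
  namespace: prow
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  # Required when deck runs with `--rerun-creates-job=true`
  # **Warning:** Only use this for non-public deck instances, this allows
  # anyone with access to your Deck instance to create new Prowjobs
  # - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "horologium"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "horologium"
subjects:
- kind: ServiceAccount
  name: "horologium"
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "sinker"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - delete
  - list
  - watch
  - get
# get/update is limited to the named leader-lock object; create cannot be
# restricted by resourceNames, hence the separate unrestricted create rules.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - list
  - watch
  - get
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
  namespace: prow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "hook"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - get
  - list
  - update
# NOTE(review): no resourceNames here, so hook may create/get/update every
# ConfigMap in the prow namespace, including config, plugins and job-config.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "hook"
subjects:
- kind: ServiceAccount
  name: "hook"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "tide"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - get
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "tide"
subjects:
- kind: ServiceAccount
  name: "tide"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "statusreconciler"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "statusreconciler"
subjects:
- kind: ServiceAccount
  name: "statusreconciler"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: prow
  labels:
    app: ghproxy
  name: ghproxy
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: ghproxy
  labels:
    app: ghproxy
spec:
  selector:
    matchLabels:
      app: ghproxy
  strategy:
    type: Recreate
  # GHProxy does not support HA
  replicas: 1
  template:
    metadata:
      labels:
        app: ghproxy
    spec:
      containers:
      - name: ghproxy
        image: gcr.io/k8s-prow/ghproxy:latest
        args:
        - --cache-dir=/cache
        - --cache-sizeGB=5
        - --push-gateway=pushgateway
        - --serve-metrics=true
        ports:
        - containerPort: 8888
        volumeMounts:
        - name: cache
          mountPath: /cache
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: ghproxy
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ghproxy
  namespace: prow
  name: ghproxy
spec:
  ports:
  - name: main
    port: 80
    protocol: TCP
    targetPort: 8888
  - name: metrics
    port: 9090
  selector:
    app: ghproxy
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: prow-controller-manager
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
      - name: prow-controller-manager
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --enable-controller=plank
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        - --job-config-path=/etc/job-config
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        image: gcr.io/k8s-prow/prow-controller-manager:latest
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: job-config
        configMap:
          name: job-config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: prow-controller-manager
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
  namespace: prow
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: crier
  labels:
    app: crier
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crier
  template:
    metadata:
      labels:
        app: crier
    spec:
      serviceAccountName: crier
      terminationGracePeriodSeconds: 30
      containers:
      - name: crier
        image: gcr.io/k8s-prow/crier:latest
        args:
        - --blob-storage-workers=2
        - --config-path=/etc/config/config.yaml
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-workers=2
        - --kubernetes-blob-storage-workers=2
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: job-config
          mountPath: /etc/job-config
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: s3-credentials
        secret:
          secretName: s3-credentials
      - name: job-config
        configMap:
          name: job-config
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: crier
  namespace: prow
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: crier
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - "prowjobs"
  verbs:
  - "get"
  - "watch"
  - "list"
  - "patch"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: crier
rules:
- apiGroups:
  - ""
  resources:
  - "pods"
  - "events"
  verbs:
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "patch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: minio
  namespace: prow
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# NOTE(review): the S3 credentials handed to the Prow components are the MinIO
# root user and password, and "insecure": true selects a non-TLS connection to
# the in-cluster endpoint. A dedicated, bucket-scoped MinIO user would limit
# what a leaked copy of this Secret can do.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$MINIO_ROOT_USER",
      "endpoint": "minio.prow.svc.cluster.local:9000",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$MINIO_ROOT_PASSWORD"
    }
---
# NOTE(review): same MinIO root credentials, copied into the namespace where
# job pods run (pod_namespace: test-pods). Code executed by jobs that can read
# this Secret gets root access to the object store.
apiVersion: v1
kind: Secret
metadata:
  namespace: test-pods
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$MINIO_ROOT_USER",
      "endpoint": "minio.prow.svc.cluster.local:9000",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$MINIO_ROOT_PASSWORD"
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  namespace: prow
spec:
  selector:
    matchLabels:
      app: minio
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
    spec:
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: minio
      initContainers:
      # Pre-creates the bucket directories referenced by the s3:// paths above
      # (prow-logs, tide, status-reconciler).
      - name: bucket-creator
        image: alpine
        command:
        - mkdir
        - -p
        - /data/prow-logs
        - /data/tide
        - /data/status-reconciler
        volumeMounts:
        - name: data
          mountPath: "/data"
      containers:
      - name: minio
        volumeMounts:
        - name: data
          mountPath: "/data"
        image: minio/minio:latest
        args:
        - server
        - /data
        env:
        - name: MINIO_ROOT_USER
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: user
        - name: MINIO_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: password
        - name: MINIO_REGION_NAME
          value: minio
        - name: MINIO_CONSOLE_ADDRESS
          value: ":9001"
        ports:
        - containerPort: 9001
        - containerPort: 9000
        readinessProbe:
          httpGet:
            path: /minio/health/ready
            port: 9000
          periodSeconds: 20
        livenessProbe:
          httpGet:
            path: /minio/health/live
            port: 9000
---
# NOTE(review): both the MinIO console (9001, nodePort 30003) and the S3 API
# (9000) are published through this LoadBalancer Service, protected only by
# the root credentials; prefer ClusterIP unless outside access is needed.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: minio
  name: minio
  namespace: prow
spec:
  type: LoadBalancer
  selector:
    app: minio
  ports:
  - name: minio-1
    port: 9001
    targetPort: 9001
    nodePort: 30003
  - name: minio-2
    port: 9000
    targetPort: 9000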