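# Source: k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/config/prow/cluster/starter/starter-s3.yaml
# This file contains Kubernetes YAML files for the most important prow
# components. Don't edit resources in this file. Instead, pull them out into
# their own files.
#
# NOTE(review): the `$NAME` tokens look like placeholders that are filled in by
# text substitution before `kubectl apply` -- confirm the tool. Substitution is
# not YAML-aware, so every placeholder that must stay a string is quoted.
# NOTE(review): no container in this file sets `securityContext` or
# `resources`; add both to match the target cluster's pod-security and quota
# policy.
---
apiVersion: v1
kind: Namespace
metadata:
  name: prow
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: plugins
data:
  plugins.yaml: |
    plugins:
      $GITHUB_ORG:
        plugins:
        - approve
        - assign
        - blunderbuss
        - cat
        - dog
        - help
        - heart
        - hold
        - label
        - lgtm
        - trigger
        - verify-owners
        - wip
        - yuks
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: github-token
stringData:
  # The GitHub App private key, mounted at /etc/github/cert by the components.
  # NOTE(review): a multi-line PEM substituted here as plain text will not be
  # valid YAML unless it is re-indented (for example under `cert: |`); check
  # the rendered manifest before applying it.
  cert: $GITHUB_TOKEN
  appid: "$GITHUB_APP_ID"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: hmac-token
stringData:
  # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration
  # Quoted so the substituted value is always a YAML string: a hex token made
  # only of digits (or shaped like `12e34`) would otherwise be typed as a
  # number, which `stringData` does not accept.
  hmac: "$HMAC_TOKEN"
---
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: minio-root-creds
stringData:
  user: "$MINIO_ROOT_USER"
  password: "$MINIO_ROOT_PASSWORD"
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: prow
  name: config
data:
  # Review notes for the embedded Prow configuration (kept outside the block
  # scalar so the ConfigMap data carries no extra text):
  # - `in_repo_config.enabled` is on for every repo ("*"), so job definitions
  #   are presumably also read from the repositories themselves; confirm that
  #   this matches who is allowed to trigger jobs in your org.
  # - the `echo-test` periodic runs `image: alpine` with no tag or digest, so
  #   the image that runs can change between pulls; pin it for reproducibility.
  # - the org under `tide.queries[].orgs` is quoted so an org name that YAML
  #   would read as a number or boolean still arrives as a string.
  config.yaml: |
    prowjob_namespace: prow
    pod_namespace: test-pods

    in_repo_config:
      enabled:
        "*": true

    deck:
      spyglass:
        gcs_browser_prefix: 'https://s3.console.aws.amazon.com/s3/buckets/'
        lenses:
        - lens:
            name: metadata
          required_files:
          - ^(?:started|finished)\.json$
          optional_files:
          - ^(?:podinfo|prowjob)\.json$
        - lens:
            config:
            name: buildlog
          required_files:
          - build-log.txt
        - lens:
            name: junit
          required_files:
          - .*/junit.*\.xml
        - lens:
            name: podinfo
          required_files:
          - podinfo.json

    plank:
      job_url_prefix_config:
        "*": https://$PROW_HOST/view/
      report_templates:
        '*': >-
            [Full PR test history](https://$PROW_HOST/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}).
            [Your PR dashboard](https://$PROW_HOST/pr?query=is:pr+state:open+author:{{with
            index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).
      default_decoration_config_entries:
      - config:
          gcs_configuration:
            bucket: s3://prow-logs
            path_strategy: explicit
          github_api_endpoints:
          - http://ghproxy
          - https://api.github.com
          github_app_id: "$GITHUB_APP_ID"
          github_app_private_key_secret:
            name: github-token
            key: cert
          s3_credentials_secret: s3-credentials
          utility_images:
            clonerefs: gcr.io/k8s-prow/clonerefs:v20240517-ea10bd814
            entrypoint: gcr.io/k8s-prow/entrypoint:v20240517-ea10bd814
            initupload: gcr.io/k8s-prow/initupload:v20240517-ea10bd814
            sidecar: gcr.io/k8s-prow/sidecar:v20240517-ea10bd814

    tide:
      queries:
      - labels:
        - lgtm
        - approved
        missingLabels:
        - needs-rebase
        - do-not-merge/hold
        - do-not-merge/work-in-progress
        - do-not-merge/invalid-owners-file
        orgs:
        - "$GITHUB_ORG"

    decorate_all_jobs: true
    periodics:
    - interval: 1m
      agent: kubernetes
      name: echo-test
      spec:
        containers:
        - image: alpine
          command: ["/bin/date"]
---
# hook: receives GitHub webhooks (routed from the Ingress path /hook) and
# mounts the HMAC secret, the GitHub App key, and both ConfigMaps read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: hook
  labels:
    app: hook
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: hook
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: "hook"
      terminationGracePeriodSeconds: 180
      containers:
      - name: hook
        image: gcr.io/k8s-prow/hook:v20240517-ea10bd814
        imagePullPolicy: Always
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        # $(GITHUB_APP_ID) in args is expanded by Kubernetes from this variable.
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: hmac
          mountPath: /etc/webhook
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: hmac
        secret:
          secretName: hmac-token
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: hook
spec:
  selector:
    app: hook
  ports:
  - port: 8888
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: sinker
  labels:
    app: sinker
spec:
  selector:
    matchLabels:
      app: sinker
  replicas: 1
  template:
    metadata:
      labels:
        app: sinker
    spec:
      serviceAccountName: "sinker"
      containers:
      - name: sinker
        image: gcr.io/k8s-prow/sinker:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --dry-run=false
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
# deck: the web UI, served by the Ingress default backend and path /.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: deck
  labels:
    app: deck
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: deck
  template:
    metadata:
      labels:
        app: deck
    spec:
      serviceAccountName: "deck"
      terminationGracePeriodSeconds: 30
      containers:
      - name: deck
        image: gcr.io/k8s-prow/deck:v20240517-ea10bd814
        args:
        - --config-path=/etc/config/config.yaml
        - --plugin-config=/etc/plugins/plugins.yaml
        - --tide-url=http://tide/
        - --hook-url=http://hook:8888/plugin-help
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --spyglass=true
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8080
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /healthz/ready
            port: 8081
          initialDelaySeconds: 10
          periodSeconds: 3
          timeoutSeconds: 600
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: deck
spec:
  selector:
    app: deck
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: horologium
  labels:
    app: horologium
spec:
  replicas: 1  # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: horologium
  template:
    metadata:
      labels:
        app: horologium
    spec:
      serviceAccountName: "horologium"
      terminationGracePeriodSeconds: 30
      containers:
      - name: horologium
        image: gcr.io/k8s-prow/horologium:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: tide
  labels:
    app: tide
spec:
  replicas: 1  # Do not scale up.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tide
  template:
    metadata:
      labels:
        app: tide
    spec:
      serviceAccountName: "tide"
      containers:
      - name: tide
        image: gcr.io/k8s-prow/tide:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-graphql-endpoint=http://ghproxy/graphql
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://tide/tide-status
        - --history-uri=s3://tide/tide-history.json
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        ports:
        - name: http
          containerPort: 8888
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
apiVersion: v1
kind: Service
metadata:
  namespace: prow
  name: tide
spec:
  selector:
    app: tide
  ports:
  - port: 80
    targetPort: 8888
---
# NOTE(review): this Ingress has no `tls:` section, so as written it only
# declares HTTP routing for deck and for the /hook webhook endpoint, and the
# cert-manager annotation has no host/secret pair to issue a certificate for.
# Confirm TLS is terminated elsewhere or add a `tls:` block. The staging issuer
# named below hands out certificates that clients do not trust.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: prow
  name: prow
  annotations:
    # Change this to your issuer when using cert-manager. Does
    # nothing when not using cert-manager.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  defaultBackend:
    # specify the default backend for `ingress-gce` (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#default_backend)
    service:
      name: deck
      port:
        number: 80
  rules:
  - host: $PROW_HOST
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: deck
            port:
              number: 80
      - path: /hook
        pathType: Prefix
        backend:
          service:
            name: hook
            port:
              number: 8888
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: statusreconciler
  namespace: prow
  labels:
    app: statusreconciler
spec:
  replicas: 1
  selector:
    matchLabels:
      app: statusreconciler
  template:
    metadata:
      labels:
        app: statusreconciler
    spec:
      serviceAccountName: statusreconciler
      terminationGracePeriodSeconds: 180
      containers:
      - name: statusreconciler
        image: gcr.io/k8s-prow/status-reconciler:v20240517-ea10bd814
        args:
        - --dry-run=false
        - --continue-on-error=true
        - --plugin-config=/etc/plugins/plugins.yaml
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --status-path=s3://status-reconciler/status-reconciler-status
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: plugins
          mountPath: /etc/plugins
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
      - name: plugins
        configMap:
          name: plugins
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
# Namespace that job pods are created in (`pod_namespace` in config.yaml).
apiVersion: v1
kind: Namespace
metadata:
  name: test-pods
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "deck"
subjects:
- kind: ServiceAccount
  name: "deck"
  namespace: prow
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "deck"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  # Required when deck runs with `--rerun-creates-job=true`
  # **Warning:** Only use this for non-public deck instances, this allows
  # anyone with access to your Deck instance to create new Prowjobs
  # - create
---
# deck may only read pod logs in the job namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "deck"
rules:
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "horologium"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "horologium"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "horologium"
subjects:
- kind: ServiceAccount
  name: "horologium"
---
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: prow
  name: "sinker"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - delete
  - list
  - watch
  - get
# get/update are limited by resourceNames to the leader lock; `create` is a
# separate rule without resourceNames.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-sinker-leaderlock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - list
  - watch
  - get
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: "sinker"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "sinker"
subjects:
- kind: ServiceAccount
  name: "sinker"
  namespace: prow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "hook"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - get
  - list
  - update
# NOTE(review): no resourceNames on this rule, so the internet-facing hook
# component may create/get/update every ConfigMap in the prow namespace,
# including `config` and `plugins`. Presumably this is for a config-updating
# plugin; narrow it with resourceNames if that is not in use.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "hook"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "hook"
subjects:
- kind: ServiceAccount
  name: "hook"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "tide"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
  - list
  - get
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "tide"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "tide"
subjects:
- kind: ServiceAccount
  name: "tide"
---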
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: "statusreconciler"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: "statusreconciler"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "statusreconciler"
subjects:
- kind: ServiceAccount
  name: "statusreconciler"
---
# Backing volume for the ghproxy cache directory (/cache).
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: prow
  labels:
    app: ghproxy
  name: ghproxy
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
# ghproxy: the in-cluster endpoint the other components reach as
# http://ghproxy. No serviceAccountName is set on this pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: ghproxy
  labels:
    app: ghproxy
spec:
  selector:
    matchLabels:
      app: ghproxy
  strategy:
    type: Recreate
  # GHProxy does not support HA
  replicas: 1
  template:
    metadata:
      labels:
        app: ghproxy
    spec:
      containers:
      - name: ghproxy
        image: gcr.io/k8s-prow/ghproxy:v20240517-ea10bd814
        args:
        - --cache-dir=/cache
        - --cache-sizeGB=99
        - --push-gateway=pushgateway
        - --serve-metrics=true
        ports:
        - containerPort: 8888
        volumeMounts:
        - name: cache
          mountPath: /cache
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: ghproxy
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ghproxy
  namespace: prow
  name: ghproxy
spec:
  ports:
  - name: main
    port: 80
    protocol: TCP
    targetPort: 8888
  - name: metrics
    port: 9090
  selector:
    app: ghproxy
  type: ClusterIP
---
# prow-controller-manager: runs the plank controller (--enable-controller).
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: prow-controller-manager
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
      - name: prow-controller-manager
        args:
        - --dry-run=false
        - --config-path=/etc/config/config.yaml
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --enable-controller=plank
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        # $(GITHUB_APP_ID) in args is expanded by Kubernetes from this variable.
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        image: gcr.io/k8s-prow/prow-controller-manager:v20240517-ea10bd814
        volumeMounts:
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: config
          mountPath: /etc/config
          readOnly: true
      volumes:
      - name: github-token
        secret:
          secretName: github-token
      - name: config
        configMap:
          name: config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: prow
  name: prow-controller-manager
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - prowjobs
  verbs:
  - get
  - list
  - watch
  - update
  - patch
# get/update are limited by resourceNames to the leader lock; `create` is a
# separate rule without resourceNames.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - prow-controller-manager-leader-lock
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
---
# Pod lifecycle rights in the job namespace; this is the only Role in the file
# that grants `create` on pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
- kind: ServiceAccount
  name: prow-controller-manager
  namespace: prow
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: crier
  labels:
    app: crier
spec:
  replicas: 1
  selector:
    matchLabels:
      app: crier
  template:
    metadata:
      labels:
        app: crier
    spec:
      serviceAccountName: crier
      terminationGracePeriodSeconds: 30
      containers:
      - name: crier
        image: gcr.io/k8s-prow/crier:v20240517-ea10bd814
        args:
        - --blob-storage-workers=10
        - --config-path=/etc/config/config.yaml
        - --s3-credentials-file=/etc/s3-credentials/service-account.json
        - --github-endpoint=http://ghproxy
        - --github-endpoint=https://api.github.com
        - --github-workers=10
        - --kubernetes-blob-storage-workers=10
        - --github-app-id=$(GITHUB_APP_ID)
        - --github-app-private-key-path=/etc/github/cert
        env:
        - name: GITHUB_APP_ID
          valueFrom:
            secretKeyRef:
              name: github-token
              key: appid
        volumeMounts:
        - name: config
          mountPath: /etc/config
          readOnly: true
        - name: github-token
          mountPath: /etc/github
          readOnly: true
        - name: s3-credentials
          mountPath: /etc/s3-credentials
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: config
      - name: github-token
        secret:
          secretName: github-token
      - name: s3-credentials
        secret:
          secretName: s3-credentials
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: crier
  namespace: prow
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prow
  name: crier
rules:
- apiGroups:
  - "prow.k8s.io"
  resources:
  - "prowjobs"
  verbs:
  - "get"
  - "watch"
  - "list"
  - "patch"
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: crier
rules:
- apiGroups:
  - ""
  resources:
  - "pods"
  - "events"
  verbs:
  - "get"
  - "list"
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "patch"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: prow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crier
  namespace: test-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crier
subjects:
- kind: ServiceAccount
  name: crier
  namespace: prow
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: minio
  namespace: prow
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
# S3 client settings mounted by deck, tide, statusreconciler and crier.
# NOTE(review): access_key/secret_key are the same $MINIO_ROOT_USER /
# $MINIO_ROOT_PASSWORD placeholders as the `minio-root-creds` Secret, so every
# consumer holds the MinIO root account; a dedicated, bucket-scoped MinIO user
# would limit what a leaked copy can do.
# NOTE(review): `"insecure": true` presumably selects plain HTTP to the
# in-cluster endpoint (the minio Service forwards port 80 to 9000) -- confirm,
# and treat traffic to MinIO, credentials included, as unencrypted in-cluster.
apiVersion: v1
kind: Secret
metadata:
  namespace: prow
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$MINIO_ROOT_USER",
      "endpoint": "minio.prow.svc.cluster.local",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$MINIO_ROOT_PASSWORD"
    }
---
# Same content again, this time in the namespace where job pods run.
# NOTE(review): this places the MinIO root credentials next to the test
# workloads; anything able to read Secrets in `test-pods` gets full access to
# the object store. Prefer a separate limited MinIO user for this copy.
apiVersion: v1
kind: Secret
metadata:
  namespace: test-pods
  name: s3-credentials
stringData:
  service-account.json: |
    {
      "region": "minio",
      "access_key": "$MINIO_ROOT_USER",
      "endpoint": "minio.prow.svc.cluster.local",
      "insecure": true,
      "s3_force_path_style": true,
      "secret_key": "$MINIO_ROOT_PASSWORD"
    }
---
# MinIO: the in-cluster object store behind the s3:// paths used above.
# NOTE(review): both images are unpinned -- `alpine` has no tag and
# `minio/minio:latest` floats -- so a restart can pull different code than was
# reviewed. Pin each to a fixed tag or digest that you have vetted.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  namespace: prow
spec:
  selector:
    matchLabels:
      app: minio
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
    spec:
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: minio
      initContainers:
      # Pre-creates one directory per bucket on the data volume.
      - name: bucket-creator
        image: alpine
        command:
        - mkdir
        - -p
        - /data/prow-logs
        - /data/tide
        - /data/status-reconciler
        volumeMounts:
        - name: data
          mountPath: "/data"
      containers:
      - name: minio
        volumeMounts:
        - name: data
          mountPath: "/data"
        image: minio/minio:latest
        args:
        - server
        - /data
        env:
        - name: MINIO_ROOT_USER
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: user
        - name: MINIO_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: minio-root-creds
              key: password
        - name: MINIO_REGION_NAME
          value: minio
        ports:
        - containerPort: 9000
        readinessProbe:
          httpGet:
            path: /minio/health/ready
            port: 9000
          periodSeconds: 20
        livenessProbe:
          httpGet:
            path: /minio/health/live
            port: 9000
---
apiVersion: v1
kind: Service
metadata:
  name: minio
  namespace: prow
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 9000
    protocol: TCP
  selector:
    app: minio