From d68d628473386eca799e0304212bc8203557a753 Mon Sep 17 00:00:00 2001 
From: Arnaud Meukam Date: Wed, 16 Jun 2021 23:53:04 +0200 Subject: [PATCH] add k8s-infra-prow Add kubernetes manifests for k8s-infra-prow Move ghproxy to cluster folder Add configuration for k8s-infra-prow Add plugins configuration for k8s-infra-prow Ensure deploy.sh targets cluster folder Add ingress and GKE managed certificate Add a Makefile for prow config and plugins deployments. Add a Makefile with commands allowing to update prow config and plugins once changes are merged. Create and Add Github HMAC Token to GCP Secrets Manager of project kubernetes-public. Create Github OAuth config and add it to GCP Secrets Manager. Fix yamllint --- apps/prow/Makefile | 29 ++++ .../100_prowjob_customresourcedefinition.yaml | 95 +++++++++++++ apps/prow/cluster/crier_deployment.yaml | 80 +++++++++++ apps/prow/cluster/crier_rbac.yaml | 66 +++++++++ apps/prow/cluster/crier_service.yaml | 13 ++ apps/prow/cluster/deck_deployment.yaml | 128 ++++++++++++++++++ apps/prow/cluster/deck_rbac.yaml | 43 ++++++ apps/prow/cluster/deck_service.yaml | 33 +++++ .../{ => cluster}/ghproxy_deployment.yaml | 0 apps/prow/{ => cluster}/ghproxy_rbac.yaml | 14 +- apps/prow/cluster/hook_deployment.yaml | 99 ++++++++++++++ apps/prow/cluster/hook_rbac.yaml | 44 ++++++ apps/prow/cluster/hook_service.yaml | 31 +++++ apps/prow/cluster/horologium_deployment.yaml | 63 +++++++++ apps/prow/cluster/horologium_rbac.yaml | 32 +++++ apps/prow/cluster/horologium_service.yaml | 13 ++ apps/prow/cluster/prow-externalsecrets.yaml | 82 +++++++++++ .../prow_controller_manager_deployment.yaml | 71 ++++++++++ .../cluster/prow_controller_manager_rbac.yaml | 92 +++++++++++++ .../prow_controller_manager_service.yaml | 27 ++++ apps/prow/cluster/prow_ingress.yaml | 26 ++++ .../prow/cluster/prow_managedcertificate.yaml | 8 ++ apps/prow/cluster/sinker_deployment.yaml | 54 ++++++++ apps/prow/cluster/sinker_rbac.yaml | 75 ++++++++++ apps/prow/cluster/sinker_service.yaml | 27 ++++ .../cluster/statusreconciler_deployment.yaml | 80 
+++++++++++ apps/prow/cluster/statusreconciler_rbac.yaml | 31 +++++ apps/prow/cluster/tide_deployment.yaml | 77 +++++++++++ apps/prow/cluster/tide_rbac.yaml | 36 +++++ apps/prow/cluster/tide_service.yaml | 30 ++++ apps/prow/config.yaml | 117 ++++++++++++++++ apps/prow/deploy.sh | 2 +- apps/prow/plugins.yaml | 55 ++++++++ apps/prow/prow-externalsecrets.yaml | 34 ----- .../prowjobs/kubernetes/k8s.io/periodics.yaml | 23 ++++ groups/sig-security/groups.yaml | 1 - infra/gcp/ensure-main-project.sh | 3 + 37 files changed, 1689 insertions(+), 45 deletions(-) create mode 100644 apps/prow/Makefile create mode 100644 apps/prow/cluster/100_prowjob_customresourcedefinition.yaml create mode 100644 apps/prow/cluster/crier_deployment.yaml create mode 100644 apps/prow/cluster/crier_rbac.yaml create mode 100644 apps/prow/cluster/crier_service.yaml create mode 100644 apps/prow/cluster/deck_deployment.yaml create mode 100644 apps/prow/cluster/deck_rbac.yaml create mode 100644 apps/prow/cluster/deck_service.yaml rename apps/prow/{ => cluster}/ghproxy_deployment.yaml (100%) rename apps/prow/{ => cluster}/ghproxy_rbac.yaml (82%) create mode 100644 apps/prow/cluster/hook_deployment.yaml create mode 100644 apps/prow/cluster/hook_rbac.yaml create mode 100644 apps/prow/cluster/hook_service.yaml create mode 100644 apps/prow/cluster/horologium_deployment.yaml create mode 100644 apps/prow/cluster/horologium_rbac.yaml create mode 100644 apps/prow/cluster/horologium_service.yaml create mode 100644 apps/prow/cluster/prow-externalsecrets.yaml create mode 100644 apps/prow/cluster/prow_controller_manager_deployment.yaml create mode 100644 apps/prow/cluster/prow_controller_manager_rbac.yaml create mode 100644 apps/prow/cluster/prow_controller_manager_service.yaml create mode 100644 apps/prow/cluster/prow_ingress.yaml create mode 100644 apps/prow/cluster/prow_managedcertificate.yaml create mode 100644 apps/prow/cluster/sinker_deployment.yaml create mode 100644 apps/prow/cluster/sinker_rbac.yaml create 
mode 100644 apps/prow/cluster/sinker_service.yaml
create mode 100644 apps/prow/cluster/statusreconciler_deployment.yaml
create mode 100644 apps/prow/cluster/statusreconciler_rbac.yaml
create mode 100644 apps/prow/cluster/tide_deployment.yaml
create mode 100644 apps/prow/cluster/tide_rbac.yaml
create mode 100644 apps/prow/cluster/tide_service.yaml
create mode 100644 apps/prow/config.yaml
create mode 100644 apps/prow/plugins.yaml
delete mode 100644 apps/prow/prow-externalsecrets.yaml
create mode 100644 apps/prow/prowjobs/kubernetes/k8s.io/periodics.yaml
diff --git a/apps/prow/Makefile b/apps/prow/Makefile
new file mode 100644
index 00000000000..7f473aa486a
--- /dev/null
+++ b/apps/prow/Makefile
@@ -0,0 +1,29 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SHELL := /usr/bin/env bash
+
+# These are the usual GKE variables.
+PROJECT ?= kubernetes-public
+REGION ?= us-central1
+CLUSTER ?= aaa
+
+get-cluster-credentials:
+ gcloud container clusters get-credentials "$(CLUSTER)" --project="$(PROJECT)" --region="$(REGION)
+
+update-config: get-cluster-credentials
+ kubectl create configmap config --from-file=config.yaml=config.yaml --dry-run -o yaml | kubectl replace configmap config -f -
+
+update-plugins: get-cluster-credentials
+ kubectl create configmap plugins --from-file=plugins.yaml=plugins.yaml --dry-run -o yaml | kubectl replace configmap plugins -f -
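Review bot: The `get-cluster-credentials` recipe is missing the closing quote after `$(REGION)`, so bash reports an unexpected end of file and every target that depends on it (`update-config`, `update-plugins`) fails before touching the cluster; the line should read `gcloud container clusters get-credentials "$(CLUSTER)" --project="$(PROJECT)" --region="$(REGION)"`. The two update targets pipe `kubectl create configmap ... --dry-run -o yaml` into `kubectl replace`; the bare `--dry-run` form is deprecated on current kubectl releases in favour of `--dry-run=client`, so switching now avoids the warning and a later hard failure. Recipe lines must be tab-indented; the collapsed rendering here cannot show whether they are, which is worth confirming in the file itself.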
diff --git a/apps/prow/cluster/100_prowjob_customresourcedefinition.yaml b/apps/prow/cluster/100_prowjob_customresourcedefinition.yaml new file mode 100644 index 00000000000..ca59bf5ea66 --- /dev/null +++ b/apps/prow/cluster/100_prowjob_customresourcedefinition.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: prowjobs.prow.k8s.io + annotations: + "api-approved.kubernetes.io": "https://github.com/kubernetes/test-infra/pull/8669" +spec: + group: prow.k8s.io + names: + kind: ProwJob + singular: prowjob + plural: prowjobs + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + max_concurrency: + type: integer + minimum: 0 + type: + type: string + enum: + - "presubmit" + - "postsubmit" + - "periodic" + - "batch" + status: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + state: + type: string + enum: + - "triggered" + - "pending" + - "success" + - "failure" + - "aborted" + - "error" + anyOf: + - not: + properties: + state: + enum: + - "success" + - "failure" + - "error" + - required: + - completionTime + additionalPrinterColumns: + - name: Job + type: string + description: The name of the job being run. + jsonPath: .spec.job + - name: BuildId + type: string + description: The ID of the job being run. + jsonPath: .status.build_id + - name: Type + type: string + description: The type of job being run. + jsonPath: .spec.type + - name: Org + type: string + description: The org for which the job is running. + jsonPath: .spec.refs.org + - name: Repo + type: string + description: The repo for which the job is running. + jsonPath: .spec.refs.repo + - name: Pulls + type: string + description: The pulls for which the job is running. + jsonPath: ".spec.refs.pulls[*].number" + - name: StartTime + type: date + description: When the job started running. + jsonPath: .status.startTime + - name: CompletionTime + type: date + description: When the job finished running. + jsonPath: .status.completionTime + - name: State + description: The state of the job. + type: string + jsonPath: .status.state 
diff --git a/apps/prow/cluster/crier_deployment.yaml b/apps/prow/cluster/crier_deployment.yaml new file mode 100644 index 00000000000..bf59a18f06e --- /dev/null +++ b/apps/prow/cluster/crier_deployment.yaml 
@@ -0,0 +1,80 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: crier + labels: + app: crier +spec: + replicas: 1 + selector: + matchLabels: + app: crier + template: + metadata: + labels: + app: crier + spec: + serviceAccountName: crier + terminationGracePeriodSeconds: 30 + containers: + - name: crier + image: gcr.io/k8s-prow/crier:v20210407-51f95c2d52 + args: + - --blob-storage-workers=1 + - --config-path=/etc/config/config.yaml + - --github-endpoint=http://ghproxy.prow.svc.cluster.local + - --github-endpoint=https://api.github.com + - --github-token-path=/etc/github/token + - --github-workers=5 + - --job-config-path=/etc/job-config + - --kubeconfig=/etc/kubeconfig/config + - --kubernetes-blob-storage-workers=1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: job-config + mountPath: /etc/job-config + readOnly: true + - name: token + mountPath: /etc/github + readOnly: true + volumes: + - name: config + configMap: + name: config + - name: job-config + configMap: + name: job-config + - name: github-token + secret: + secretName: k8s-infra-ci-robot-github-token + - name: kubeconfig + secret: + 
defaultMode: 420 + secretName: k8s-infra-build-clusters-config diff --git a/apps/prow/cluster/crier_rbac.yaml b/apps/prow/cluster/crier_rbac.yaml new file mode 100644 index 00000000000..38ccf8dc70f --- /dev/null +++ b/apps/prow/cluster/crier_rbac.yaml @@ -0,0 +1,66 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + annotations: + iam.gke.io/gcp-service-account: k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com + name: crier + namespace: prow +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: crier +rules: +- apiGroups: + - "prow.k8s.io" + resources: + - "prowjobs" + verbs: + - "get" + - "watch" + - "list" + - "patch" +- apiGroups: + - "" + resources: + - "pods" + - "events" + verbs: + - "get" + - "list" +- apiGroups: + - "" + resources: + - "pods" + verbs: + - "patch" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: crier-namespaced + namespace: prow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: crier +subjects: +- kind: ServiceAccount + name: crier + namespace: prow diff --git a/apps/prow/cluster/crier_service.yaml b/apps/prow/cluster/crier_service.yaml new file mode 100644 index 00000000000..a5f4f084486 --- /dev/null +++ b/apps/prow/cluster/crier_service.yaml 
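Review bot: In crier_deployment.yaml the volumeMount `name: token` mounted at `/etc/github` has no matching entry under `volumes`, where the secret volume is named `github-token`; the API server rejects a pod spec that mounts an undefined volume, so the mount should read `- name: github-token`. The kubeconfig volume in this hunk, and the same volume in deck_deployment.yaml, hook_deployment.yaml and prow_controller_manager_deployment.yaml, references `secretName: k8s-infra-build-clusters-config`, while the only ExternalSecret for build-cluster kubeconfigs in this patch (prow-externalsecrets.yaml) creates a Secret named `k8s-infra-build-clusters-kubeconfig` with the key `kubeconfig`. Unless that `-config` Secret is created outside this patch, the mounted path `/etc/kubeconfig/config` will not exist; either point the volumes at `k8s-infra-build-clusters-kubeconfig` and pass `--kubeconfig=/etc/kubeconfig/kubeconfig`, or align the ExternalSecret's name and key with what the deployments mount.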
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: crier + namespace: prow + name: crier +spec: + ports: + - name: metrics + port: 9090 + selector: + app: crier diff --git a/apps/prow/cluster/deck_deployment.yaml b/apps/prow/cluster/deck_deployment.yaml new file mode 100644 index 00000000000..3d074618e95 --- /dev/null +++ b/apps/prow/cluster/deck_deployment.yaml 
@@ -0,0 +1,128 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: deck + labels: + app: deck +spec: + replicas: 3 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + selector: + matchLabels: + app: deck + template: + metadata: + labels: + app: deck + spec: + serviceAccountName: deck + terminationGracePeriodSeconds: 30 + containers: + - name: deck + image: gcr.io/k8s-prow/deck:v20210407-51f95c2d52 + imagePullPolicy: Always + ports: + - name: http + containerPort: 8080 + args: + - --config-path=/etc/config/config.yaml + - --cookie-secret=/etc/cookie/secret + - --github-token-path=/etc/github/token + - --github-endpoint=http://ghproxy.prow.svc.cluster.local + - --github-endpoint=https://api.github.com + - --github-oauth-config-file=/etc/githuboauth/secret + - --hook-url=http://hook:8888/plugin-help + - --kubeconfig=/etc/kubeconfig/config + - --job-config-path=/etc/job-config + - --oauth-url=/github-login + - --plugin-config=/etc/plugins/plugins.yaml + - --redirect-http-to=k8s-infra-prow.k8s.io + - --rerun-creates-job + - --spyglass=true + - --tide-url=http://tide/ + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - name: oauth-config + mountPath: /etc/githuboauth + readOnly: true + - name: 
cookie-secret + mountPath: /etc/cookie + readOnly: true + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: job-config + mountPath: /etc/job-config + readOnly: true + - name: github-token + mountPath: /etc/github + readOnly: true + - name: plugins + mountPath: /etc/plugins + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 3 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /healthz/ready + port: 8081 + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 600 + volumes: + - name: oauth-config + secret: + defaultMode: 420 + secretName: k8s-infra-prow-github-oauth-config + - name: github-token + secret: + defaultMode: 420 + secretName: k8s-infra-ci-robot-github-token + - name: cookie-secret + secret: + secretName: k8s-infra-prow-cookie + - name: kubeconfig + secret: + defaultMode: 420 + secretName: k8s-infra-build-clusters-config + - name: config + configMap: + name: config + - name: job-config + configMap: + name: job-config + - name: plugins + configMap: + name: plugins diff --git a/apps/prow/cluster/deck_rbac.yaml b/apps/prow/cluster/deck_rbac.yaml new file mode 100644 index 00000000000..618b0d5894a --- /dev/null +++ b/apps/prow/cluster/deck_rbac.yaml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + iam.gke.io/gcp-service-account: k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com + namespace: prow + name: deck +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: deck +rules: +- apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - get + - list + - watch + # Required when deck runs with `--rerun-creates-job=true` + - create +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: deck +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: deck +subjects: +- kind: ServiceAccount + name: deck diff --git a/apps/prow/cluster/deck_service.yaml b/apps/prow/cluster/deck_service.yaml new file mode 100644 index 00000000000..edbf412ee70 --- /dev/null +++ b/apps/prow/cluster/deck_service.yaml @@ -0,0 +1,33 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + annotations: + cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created + labels: + app: deck + name: deck + namespace: prow +spec: + selector: + app: deck + ports: + - name: main + port: 80 + targetPort: 8080 + - name: metrics + port: 9090 + type: ClusterIP 
diff --git a/apps/prow/ghproxy_deployment.yaml b/apps/prow/cluster/ghproxy_deployment.yaml similarity index 100% rename from apps/prow/ghproxy_deployment.yaml rename to apps/prow/cluster/ghproxy_deployment.yaml diff --git a/apps/prow/ghproxy_rbac.yaml b/apps/prow/cluster/ghproxy_rbac.yaml similarity index 82% rename from apps/prow/ghproxy_rbac.yaml rename to apps/prow/cluster/ghproxy_rbac.yaml index 0e8c6e58fd8..47332fa3dd9 100644 --- a/apps/prow/ghproxy_rbac.yaml +++ b/apps/prow/cluster/ghproxy_rbac.yaml @@ -12,12 +12,8 @@ # See the License for the specific language governing permissions and # limitations under the License. ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: ghproxy - namespace: prow - labels: - app: prow - component: ghproxy + apiVersion: v1 + kind: serviceAccount + metadata: + name: ghproxy + namespace: prow diff --git a/apps/prow/cluster/hook_deployment.yaml b/apps/prow/cluster/hook_deployment.yaml new file mode 100644 index 00000000000..daa69e53700 --- /dev/null +++ b/apps/prow/cluster/hook_deployment.yaml 
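Review bot: The rewritten ServiceAccount in ghproxy_rbac.yaml uses `kind: serviceAccount`; Kubernetes kinds are case-sensitive, so `kubectl apply` fails with no matches for that kind and the ghproxy Deployment moved in the same commit would have no service account to run as. It should be `kind: ServiceAccount`. The added lines also appear to be indented under nothing (`+ apiVersion: v1` where the other manifests start at column 0); a whole document indented uniformly is still valid YAML, but flattening it keeps the cluster folder consistent and avoids a yamllint indentation warning.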
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: hook + labels: + app: hook +spec: + replicas: 4 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + selector: + matchLabels: + app: hook + template: + metadata: + labels: + app: hook + spec: + serviceAccountName: hook + terminationGracePeriodSeconds: 180 + containers: + - name: hook + image: gcr.io/k8s-prow/hook:v20210407-51f95c2d52 + imagePullPolicy: Always + args: + - --config-path=/etc/config/config.yaml + - --dry-run=false + - --github-endpoint=http://ghproxy.prow.svc.cluster.local + - --github-endpoint=https://api.github.com + - --github-token-path=/etc/github/token + - --job-config-path=/etc/job-config + - --kubeconfig=/etc/kubeconfig/config + ports: + - name: http + containerPort: 8888 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - name: hmac + mountPath: /etc/webhook + readOnly: true + - name: github-token + mountPath: /etc/github + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: job-config + mountPath: /etc/job-config + readOnly: true + - name: plugins + mountPath: /etc/plugins + readOnly: true + - name: kubeconfig + mountPath: /etc/kubeconfig + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 3 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /healthz/ready + port: 8081 + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 600 + volumes: + - name: hmac + secret: + secretName: hmac-token + - name: github-token + secret: + defaultMode: 420 + secretName: k8s-infra-ci-robot-github-token + - name: kubeconfig + secret: + defaultMode: 420 + secretName: k8s-infra-build-clusters-config + - name: config + configMap: + name: config + - name: job-config + configMap: + name: job-config + - name: plugins + configMap: + name: plugins 
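Review bot: The `hmac` volume references `secretName: hmac-token`, but the ExternalSecret added in prow-externalsecrets.yaml for the webhook secret is named `k8s-infra-prow-hmac-token` (its key `hmac` does match hook's default hmac-secret-file path under `/etc/webhook`). Unless a Secret named `hmac-token` already exists in the `prow` namespace from outside this patch, the pods never leave ContainerCreating; the volume should read `secretName: k8s-infra-prow-hmac-token`. Since hook is reached publicly through the Ingress at `/hook`, this secret is what authenticates incoming GitHub webhooks, so the reference deserves a second look before deployment.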
diff --git a/apps/prow/cluster/hook_rbac.yaml b/apps/prow/cluster/hook_rbac.yaml new file mode 100644 index 00000000000..7941f13331d --- /dev/null +++ b/apps/prow/cluster/hook_rbac.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + iam.gke.io/gcp-service-account: k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com + namespace: prow + name: "hook" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "hook" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - get + - list + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "hook" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "hook" +subjects: +- kind: ServiceAccount + name: "hook" diff --git a/apps/prow/cluster/hook_service.yaml b/apps/prow/cluster/hook_service.yaml new file mode 100644 index 00000000000..22d69ed5adc --- /dev/null +++ b/apps/prow/cluster/hook_service.yaml 
@@ -0,0 +1,31 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + annotations: + cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created + labels: + app: hook + name: hook + namespace: prow +spec: + selector: + app: hook + ports: + - name: main + port: 8888 + - name: metrics + port: 9090 diff --git a/apps/prow/cluster/horologium_deployment.yaml b/apps/prow/cluster/horologium_deployment.yaml new file mode 100644 index 00000000000..6c4c9d22c31 --- /dev/null +++ b/apps/prow/cluster/horologium_deployment.yaml 
@@ -0,0 +1,63 @@ +# Copyright 2021 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: horologium + labels: + app: horologium +spec: + replicas: 1 # Do not scale up. + strategy: + type: Recreate + selector: + matchLabels: + app: horologium + template: + metadata: + labels: + app: horologium + spec: + serviceAccountName: horologium + terminationGracePeriodSeconds: 30 + containers: + - name: horologium + image: gcr.io/k8s-prow/horologium:v20210407-51f95c2d52 + args: + - --config-path=/etc/config/config.yaml + - --dry-run=false + - --job-config-path=/etc/job-config + volumeMounts: + - name: config + mountPath: /etc/config + readOnly: true + - name: job-config + mountPath: /etc/job-config + readOnly: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + volumes: + - name: config + configMap: + name: config + - name: job-config + configMap: + name: job-config diff --git a/apps/prow/cluster/horologium_rbac.yaml b/apps/prow/cluster/horologium_rbac.yaml new file mode 100644 index 00000000000..8c5d06aef32 --- /dev/null +++ b/apps/prow/cluster/horologium_rbac.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: prow + name: "horologium" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "horologium" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "horologium" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "horologium" +subjects: +- kind: ServiceAccount + name: "horologium" diff --git a/apps/prow/cluster/horologium_service.yaml b/apps/prow/cluster/horologium_service.yaml new file mode 100644 index 00000000000..5a96515c6ee --- /dev/null +++ b/apps/prow/cluster/horologium_service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: horologium + namespace: prow + name: horologium +spec: + ports: + - name: metrics + port: 9090 + selector: + app: horologium diff --git a/apps/prow/cluster/prow-externalsecrets.yaml b/apps/prow/cluster/prow-externalsecrets.yaml new file mode 100644 index 00000000000..164ea8da3ac --- /dev/null +++ b/apps/prow/cluster/prow-externalsecrets.yaml 
@@ -0,0 +1,82 @@ +# This is a place holder for adding kubernetes external secrets, please add the +# ExternalSecret CR here, separated by `---`. +--- +# Github OAuth config (owned by k8s-infra-ci-robot) synchronized from GCP Secrets Manager +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: k8s-infra-prow-github-oauth-config + namespace: prow + labels: + app: prow +spec: + backendType: gcpSecretsManager + projectId: kubernetes-public + data: + - key: k8s-infra-prow-github-oauth-config # The name of the GSM Secret + name: secret # The key to write to in the Kubernetes Secret + version: latest # The version of the GSM Secret +--- +# Github Token synchronized from GCP Secrets Manager +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: k8s-infra-ci-robot-github-token + namespace: prow + labels: + app: prow +spec: + backendType: gcpSecretsManager + projectId: kubernetes-public + data: + - key: k8s-infra-ci-robot-github-token # The name of the GSM Secret + name: token # The key to write to in the Kubernetes Secret + version: latest # The version of the GSM Secret +--- +# Kubeconfigs of build clusters synchronized from GCP Secrets Manager +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: k8s-infra-build-clusters-kubeconfig + namespace: prow + labels: + app: prow +spec: + backendType: gcpSecretsManager + projectId: kubernetes-public + data: + - key: k8s-infra-build-clusters-kubeconfig # The name of the GSM Secret + name: kubeconfig # The key to write to in the Kubernetes Secret + version: latest # The version of the GSM Secret +--- +# Cookie store used for CSRF protection from GCP Secrets Manager +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: k8s-infra-prow-cookie + namespace: prow + labels: + app: prow +spec: + backendType: gcpSecretsManager + projectId: kubernetes-public + data: + - key: k8s-infra-prow-cookie # The name of the GSM Secret + name: secret # The 
key to write to in the Kubernetes Secret + version: latest # The version of the GSM Secret +--- +# Github HMAC token synchronized from GCP Secrets Manager +apiVersion: kubernetes-client.io/v1 +kind: ExternalSecret +metadata: + name: k8s-infra-prow-hmac-token + namespace: prow + labels: + app: prow +spec: + backendType: gcpSecretsManager + projectId: kubernetes-public + data: + - key: k8s-infra-prow-hmac-token # The name of the GSM Secret + name: hmac # The key to write to in the Kubernetes Secret + version: latest # The version of the GSM Secret diff --git a/apps/prow/cluster/prow_controller_manager_deployment.yaml b/apps/prow/cluster/prow_controller_manager_deployment.yaml new file mode 100644 index 00000000000..825ca118fb3 --- /dev/null +++ b/apps/prow/cluster/prow_controller_manager_deployment.yaml 
@@ -0,0 +1,71 @@ +# Copyright 2020 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: prow-controller-manager + labels: + app: prow-controller-manager +spec: + # Mutually exclusive with plank. Only one of them may have more than zero replicas. + replicas: 1 + revisionHistoryLimit: 2 + selector: + matchLabels: + app: prow-controller-manager + template: + metadata: + labels: + app: prow-controller-manager + spec: + serviceAccountName: prow-controller-manager + containers: + - name: prow-controller-manager + image: gcr.io/k8s-prow/prow-controller-manager:v20210407-51f95c2d52 + args: + - --config-path=/etc/config/config.yaml + - --dry-run=false + - --enable-controller=plank + - --job-config-path=/etc/job-config + - --kubeconfig=/etc/kubeconfig/config + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: job-config + mountPath: /etc/job-config + readOnly: true + volumes: + - name: kubeconfig + secret: + defaultMode: 420 + secretName: k8s-infra-build-clusters-config + - name: config + configMap: + name: config + - name: job-config + configMap: + name: job-config 
diff --git a/apps/prow/cluster/prow_controller_manager_rbac.yaml b/apps/prow/cluster/prow_controller_manager_rbac.yaml new file mode 100644 index 00000000000..a78a4c70811 --- /dev/null +++ b/apps/prow/cluster/prow_controller_manager_rbac.yaml 
@@ -0,0 +1,92 @@
+# Copyright 2020 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: "prow-controller-manager"
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: "prow-controller-manager"
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - prow-controller-manager-leader-lock
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - prow-controller-manager-leader-lock
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - events
+ verbs:
+ - create
+- apiGroups:
+ - prow.k8s.io
+ resources:
+ - prowjobs
+ verbs:
+ - get
+ - update
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - list
+ - watch
+ - get
+ - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: "prow-controller-manager"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "prow-controller-manager"
+subjects:
+- kind: ServiceAccount
+ name: "prow-controller-manager"
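Review bot: `update` is listed twice in the verbs for `prowjobs` in the Role, which the API server tolerates but which reads like a copy-paste slip; drop the second `- update`. The rule list in this file is written at column 0 under `rules:` while sinker_rbac.yaml, statusreconciler_rbac.yaml and tide_rbac.yaml in the same commit indent their rules and quote `"prow.k8s.io"`, so one convention should be picked for the directory. The leader-lock rules pin `get`/`update` to the named lease and configmap and grant only `create` without a name restriction, which keeps the write scope narrow.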
diff --git a/apps/prow/cluster/prow_controller_manager_service.yaml b/apps/prow/cluster/prow_controller_manager_service.yaml
new file mode 100644
index 00000000000..9a0c79471b8
--- /dev/null
+++ b/apps/prow/cluster/prow_controller_manager_service.yaml
@@ -0,0 +1,27 @@
+# Copyright 2020 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: prow-controller-manager
+ namespace: prow
+ name: prow-controller-manager
+spec:
+ ports:
+ - name: metrics
+ port: 9090
+ selector:
+ app: prow-controller-manager
diff --git a/apps/prow/cluster/prow_ingress.yaml b/apps/prow/cluster/prow_ingress.yaml
new file mode 100644
index 00000000000..f1b3cc6ec23
--- /dev/null
+++ b/apps/prow/cluster/prow_ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: k8s-infra-prow-k8s-io
+ namespace: prow
+ annotations:
+ kubernetes.io/ingress.class: "gce"
+ kubernetes.io/ingress.global-static-ip-name: k8s-infra-prow
+ networking.gke.io/managed-certificates: k8s-infra-prow-k8s-io
+spec:
+ rules:
+ - host: k8s-infra-prow.k8s.io
+ http:
+ paths:
+ - path: /*
+ backend:
+ service:
+ name: deck
+ port:
+ number: 80
+ - path: /hook
+ backend:
+ service:
+ name: hook
+ port:
+ number: 8888
diff --git a/apps/prow/cluster/prow_managedcertificate.yaml b/apps/prow/cluster/prow_managedcertificate.yaml
new file mode 100644
index 00000000000..19b67a96fd4
--- /dev/null
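Review bot: Each `paths` entry in the `networking.k8s.io/v1` Ingress omits `pathType`, which that API version requires, so `kubectl apply` will reject the object with a validation error; add `pathType: ImplementationSpecific` to both the `/*` and `/hook` entries, which is the type GKE documents for the `/*` wildcard form. The ManagedCertificate only provisions the HTTPS frontend; a GCE Ingress still serves plaintext HTTP on the same static IP unless told otherwise, so consider adding the annotation `kubernetes.io/ingress.allow-http: "false"` so that webhook deliveries to `/hook` and dashboard sessions cannot be downgraded. Whether `/hook` should be reachable from the whole internet rests on the HMAC verification in the hook deployment, which is not in this chunk.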
+++ b/apps/prow/cluster/prow_managedcertificate.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+ name: k8s-infra-prow-k8s-io
+ namespace: prow
+spec:
+ domains:
+ - k8s-infra-prow.k8s.io
diff --git a/apps/prow/cluster/sinker_deployment.yaml b/apps/prow/cluster/sinker_deployment.yaml
new file mode 100644
index 00000000000..d5d0cac9c17
--- /dev/null
+++ b/apps/prow/cluster/sinker_deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: prow
+ name: sinker
+ labels:
+ app: sinker
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sinker
+ template:
+ metadata:
+ labels:
+ app: sinker
+ spec:
+ serviceAccountName: sinker
+ containers:
+ - name: sinker
+ args:
+ - --config-path=/etc/config/config.yaml
+ - --dry-run=false
+ - --job-config-path=/etc/job-config
+ - --kubeconfig=/etc/kubeconfig/config
+ image: gcr.io/k8s-prow/sinker:v20210407-51f95c2d52
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /etc/kubeconfig
+ name: kubeconfig
+ readOnly: true
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: job-config
+ mountPath: /etc/job-config
+ readOnly: true
+ volumes:
+ - name: kubeconfig
+ secret:
+ defaultMode: 420
+ secretName: k8s-infra-build-clusters-config
+ - name: config
+ configMap:
+ name: config
+ - name: job-config
+ configMap:
+ name: job-config
diff --git a/apps/prow/cluster/sinker_rbac.yaml b/apps/prow/cluster/sinker_rbac.yaml
new file mode 100644
index 00000000000..d00e2297323
--- /dev/null
+++ b/apps/prow/cluster/sinker_rbac.yaml
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: "sinker"
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: "sinker"
+rules:
+ - apiGroups:
+ - "prow.k8s.io"
+ resources:
+ - prowjobs
+ verbs:
+ - delete
+ - list
+ - watch
+ - get
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ resourceNames:
+ - prow-sinker-leaderlock
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - prow-sinker-leaderlock
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - events
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
+ - watch
+ - get
+ - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: "sinker"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "sinker"
+subjects:
+- kind: ServiceAccount
+ name: "sinker"
diff --git a/apps/prow/cluster/sinker_service.yaml b/apps/prow/cluster/sinker_service.yaml
new file mode 100644
index 00000000000..ccd39e2b3ff
--- /dev/null
+++ b/apps/prow/cluster/sinker_service.yaml
@@ -0,0 +1,27 @@
+# Copyright 2021 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: sinker
+ namespace: prow
+ name: sinker
+spec:
+ ports:
+ - name: metrics
+ port: 9090
+ selector:
+ app: sinker
diff --git a/apps/prow/cluster/statusreconciler_deployment.yaml b/apps/prow/cluster/statusreconciler_deployment.yaml
new file mode 100644
index 00000000000..1586b8da613
--- /dev/null
+++ b/apps/prow/cluster/statusreconciler_deployment.yaml
@@ -0,0 +1,80 @@
+# Copyright 2021 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: prow
+ name: statusreconciler
+ labels:
+ app: statusreconciler
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: statusreconciler
+ template:
+ metadata:
+ labels:
+ app: statusreconciler
+ spec:
+ serviceAccountName: statusreconciler
+ terminationGracePeriodSeconds: 180
+ containers:
+ - name: statusreconciler
+ image: gcr.io/k8s-prow/status-reconciler:v20210407-51f95c2d52
+ imagePullPolicy: Always
+ args:
+ - --config-path=/etc/config/config.yaml
+ - --continue-on-error=true
+ - --dry-run=false
+ - --github-token-path=/etc/github/token
+ - --github-endpoint=http://ghproxy.prow.svc.cluster.local
+ - --github-endpoint=https://api.github.com
+ - --job-config-path=/etc/job-config
+ - --plugin-config=/etc/plugins/plugins.yaml
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: github-token
+ mountPath: /etc/github
+ readOnly: true
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: job-config
+ mountPath: /etc/job-config
+ readOnly: true
+ - name: plugins
+ mountPath: /etc/plugins
+ readOnly: true
+ volumes:
+ - name: github-token
+ secret:
+ defaultMode: 420
+ secretName: k8s-infra-ci-robot-github-token
+ - name: config
+ configMap:
+ name: config
+ - name: job-config
+ configMap:
+ name: job-config
+ - name: plugins
+ configMap:
+ name: plugins
diff --git a/apps/prow/cluster/statusreconciler_rbac.yaml b/apps/prow/cluster/statusreconciler_rbac.yaml
new file mode 100644
index 00000000000..1e119a68376
--- /dev/null
+++ b/apps/prow/cluster/statusreconciler_rbac.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: statusreconciler
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: statusreconciler
+rules:
+ - apiGroups:
+ - "prow.k8s.io"
+ resources:
+ - prowjobs
+ verbs:
+ - create
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: statusreconciler
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: statusreconciler
+subjects:
+- kind: ServiceAccount
+ name: statusreconciler
diff --git a/apps/prow/cluster/tide_deployment.yaml b/apps/prow/cluster/tide_deployment.yaml
new file mode 100644
index 00000000000..0166b4b72db
--- /dev/null
+++ b/apps/prow/cluster/tide_deployment.yaml
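Review bot: `imagePullPolicy: Always` appears only in this Deployment; with a date-pinned tag it adds a registry round-trip and a hard dependency on gcr.io availability at every pod restart without changing which image runs, so either drop it for consistency with the other Deployments in this commit or pin the image by digest if a forced re-pull is the intent. The `--github-endpoint=http://ghproxy.prow.svc.cluster.local` flag presumably carries the token mounted from `k8s-infra-ci-robot-github-token` to ghproxy in cleartext on the pod network; that mirrors upstream Prow, but a NetworkPolicy limiting ingress to ghproxy to the prow components would keep other workloads in the cluster from observing it, and it is worth confirming one exists. The Role in statusreconciler_rbac.yaml grants only `create` on prowjobs, which is appropriately narrow.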
@@ -0,0 +1,77 @@
+# Copyright 2021 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: prow
+ name: tide
+ labels:
+ app: tide
+spec:
+ replicas: 1 # Do not scale up.
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: tide
+ template:
+ metadata:
+ labels:
+ app: tide
+ spec:
+ serviceAccountName: tide
+ containers:
+ - name: tide
+ image: gcr.io/k8s-prow/tide:v20210407-51f95c2d52
+ args:
+ - --config-path=/etc/config/config.yaml
+ - --dry-run=false
+ - --github-endpoint=http://ghproxy.prow.svc.cluster.local
+ - --github-endpoint=https://api.github.com
+ - --github-token-path=/etc/github/token
+ - --job-config-path=/etc/job-config
+ - --history-uri=gs://k8s-infra-prow-results/tide-history.json
+ - --status-path=gs://k8s-infra-prow-results/tide-status-checkpoint.yaml
+ ports:
+ - name: http
+ containerPort: 8888
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: github-token
+ mountPath: /etc/github
+ readOnly: true
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: job-config
+ mountPath: /etc/job-config
+ readOnly: true
+ volumes:
+ - name: github-token
+ secret:
+ defaultMode: 420
+ secretName: k8s-infra-ci-robot-github-token
+ - name: config
+ configMap:
+ name: config
+ - name: job-config
+ configMap:
+ name: job-config
diff --git a/apps/prow/cluster/tide_rbac.yaml b/apps/prow/cluster/tide_rbac.yaml
new file mode 100644
index 00000000000..0cb179728b2
--- /dev/null
+++ b/apps/prow/cluster/tide_rbac.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com
+ namespace: prow
+ name: tide
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: tide
+rules:
+ - apiGroups:
+ - "prow.k8s.io"
+ resources:
+ - prowjobs
+ verbs:
+ - create
+ - list
+ - get
+ - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: prow
+ name: tide
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tide
+subjects:
+- kind: ServiceAccount
+ name: tide
diff --git a/apps/prow/cluster/tide_service.yaml b/apps/prow/cluster/tide_service.yaml
new file mode 100644
index 00000000000..8d51371618c
--- /dev/null
+++ b/apps/prow/cluster/tide_service.yaml
@@ -0,0 +1,30 @@
+# Copyright 2021 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: tide
+ namespace: prow
+ name: tide
+spec:
+ selector:
+ app: tide
+ ports:
+ - name: main
+ port: 80
+ targetPort: 8888
+ - name: metrics
+ port: 9090
diff --git a/apps/prow/config.yaml b/apps/prow/config.yaml
new file mode 100644
index 00000000000..341435663ad
--- /dev/null
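Review bot: The `tide` ServiceAccount is annotated with `iam.gke.io/gcp-service-account: k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com`, the same GSA that the comment in config.yaml's `default_decoration_configs` associates with job result uploads; tide only needs to read and write `tide-history.json` and `tide-status-checkpoint.yaml` in `k8s-infra-prow-results`, so sharing the GSA with job decoration gives it whatever else that identity can reach. If the GSA has rights beyond that bucket, a dedicated GSA or a narrower IAM binding for tide would be the least-privilege option; that cannot be verified from the manifests here. A one-line comment above the annotation naming why tide needs it, e.g. `# Workload Identity: required for the --history-uri/--status-path writes to gs://k8s-infra-prow-results`, would help the next reader.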
+++ b/apps/prow/config.yaml 
@@ -0,0 +1,117 @@
+# config.yaml
+prowjob_namespace: prow
+pod_namespace: k8s-infra-test-pods
+log_level: debug
+
+plank:
+ job_url_template: 'https://k8s-infra-prow.k8s.io/view/gs/k8s-infra-prow-results/{{if eq .Spec.Type "presubmit"}}pr-logs/pull{{else if eq .Spec.Type "batch"}}pr-logs/pull{{else}}logs{{end}}{{if .Spec.Refs}}{{if ne .Spec.Refs.Org ""}}/{{.Spec.Refs.Org}}_{{.Spec.Refs.Repo}}{{end}}{{end}}{{if eq .Spec.Type "presubmit"}}/{{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}{{else if eq .Spec.Type "batch"}}/batch{{end}}/{{.Spec.Job}}/{{.Status.BuildID}}/'
+ report_templates:
+ '*': '[Full PR test history](https://k8s-infra-prow.k8s.io/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}). [Your PR dashboard](https://k8s-infra-prow.k8s.io/pr?query=is%3Apr%20state%3Aopen%20author%3A{{with index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}).'
+ job_url_prefix_config:
+ '*': https://k8s-infra-prow.k8s.io/view/gs/
+ pod_pending_timeout: 15m
+ pod_unscheduled_timeout: 5m
+ default_decoration_configs:
+ '*':
+ timeout: 2h
+ grace_period: 15s
+ utility_images:
+ clonerefs: "gcr.io/k8s-prow/clonerefs:v20200423-af610499d"
+ initupload: "gcr.io/k8s-prow/initupload:v20200423-af610499d"
+ entrypoint: "gcr.io/k8s-prow/entrypoint:v20200423-af610499d"
+ sidecar: "gcr.io/k8s-prow/sidecar:v20200423-af610499d"
+ gcs_configuration:
+ bucket: k8s-infra-prow-results
+ path_strategy: explicit
+ # k8s-infra-prow@kubernetes-public.iam.gserviceaccount.com on projects/kubernetes-public/clusters/aaa
+ gcs_credentials_secret: "" #Usage of workloadIdentity
+ resources:
+ clonerefs:
+ requests:
+ cpu: 100m
+ initupload:
+ requests:
+ cpu: 100m
+ place_entrypoint:
+ requests:
+ cpu: 100m
+ sidecar:
+ requests:
+ cpu: 100m
+
+sinker:
+ resync_period: 1m
+ max_prowjob_age: 48h
+ max_pod_age: 48h
+ terminated_pod_ttl: 30m
+
+github_reporter:
+ job_types_to_report:
+ - presubmit
+ - postsubmit
+
+tide:
+ sync_period: 1m
+ queries:
+ - repos:
+ - kubernetes/k8s.io
+ labels:
+ - lgtm
+ - approved
+ - a-label-that-does-not-exist
+ missingLabels:
+ - do-not-merge/hold
+ - do-not-merge/work-in-progress
+ pr_status_base_urls:
+ '*': https://k8s-infra-prow.k8s.io/pr
+
+deck:
+ branding:
+ logo: 'https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg'
+ favicon: 'https://kubernetes.io/images/favicon.png'
+ spyglass:
+ size_limit: 100000000 # 100MB
+ gcs_browser_prefix: https://gcsweb.k8s.io/gcs/
+ testgrid_config: gs://k8s-testgrid/config
+ testgrid_root: https://testgrid.k8s.io/
+ lenses:
+ - lens:
+ name: metadata
+ required_files:
+ - started.json|finished.json
+ optional_files:
+ - podinfo.json
+ - lens:
+ name: buildlog
+ required_files:
+ - build-log.txt
+ - lens:
+ name: junit
+ required_files:
+ - artifacts/junit.*\.xml
+ - lens:
+ name: coverage
+ required_files:
+ - artifacts/filtered.cov
+ optional_files:
+ - artifacts/filtered.html
+ - lens:
+ name: podinfo
+ required_files:
+ - podinfo.json
+ tide_update_period: 1s
+ rerun_auth_configs:
+ kubernetes/k8s.io:
+ github_users:
+ - wg-k8s-infra-leads
+
+presets:
+# enable GOPROXY by default
+- env:
+ - name: GOPROXY
+ value: "https://proxy.golang.org"
+- labels:
+ preset-dind-enabled: "true"
+ env:
+ - name: DOCKER_IN_DOCKER_ENABLED
+ value: "true"
diff --git a/apps/prow/deploy.sh b/apps/prow/deploy.sh
index 6c148775554..26a2a9890f2 100755
--- a/apps/prow/deploy.sh
+++ b/apps/prow/deploy.sh
@@ -47,4 +47,4 @@ fi
 # deploy kubernetes resources
 pushd "${SCRIPT_ROOT}" >/dev/null
-kubectl --context="${context}" --namespace="${namespace}" apply -f .
+kubectl --context="${context}" --namespace="${namespace}" apply -Rf cluster/
diff --git a/apps/prow/plugins.yaml b/apps/prow/plugins.yaml
new file mode 100644
index 00000000000..9b4438eadf3
--- /dev/null
+++ b/apps/prow/plugins.yaml
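Review bot: The tide query lists `a-label-that-does-not-exist` among the required labels, which makes the query unsatisfiable and (presumably on purpose) keeps tide from ever merging into kubernetes/k8s.io while this instance is being brought up, but nothing says so; a comment such as `# intentionally unsatisfiable: disables merging until this prow instance is trusted; remove to enable` would stop someone "fixing" it or, worse, leaving it in place forever. `log_level: debug` is set for the whole deployment, which is noisy for a production instance and can put more request detail into logs than a reader of those logs should see; `info` is the safer default once bring-up is done. The `utility_images` are pinned to `v20200423-af610499d` while every component in this commit runs `v20210407-51f95c2d52`, a year of skew between the decoration utilities and the components that drive them.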
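Review bot: Switching the apply target from `.` to `-Rf cluster/` means apps/prow/config.yaml, plugins.yaml and prowjobs/ are no longer applied by this script; the commit message says they are now pushed through the Makefile and the config-updater plugin, but deploy.sh does not say so, and someone running it will not know why the ConfigMaps are stale. A comment above the kubectl line, e.g. `# only cluster/ manifests are applied here; config.yaml, plugins.yaml and prowjobs/ are managed by the Makefile / config-updater`, would close that gap. The command also runs without `--prune`, so a manifest removed from cluster/ stays in the cluster until deleted by hand, which is worth noting next to the command if that is intended. The enclosing script continues outside the hunk.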
@@ -0,0 +1,55 @@
+# Plugin configuration
+---
+
+approve:
+- repos:
+ - kubernetes/k8s.io
+ lgtm_acts_as_approve: true
+ require_self_approval: false
+
+lgtm:
+- repos:
+ - kubernetes/k8s.io
+ review_acts_as_lgtm: true
+
+config_updater:
+ maps:
+ prow/config.yaml:
+ name: config
+ clusters:
+ k8s-infra-prow-build-trusted:
+ - prow
+ prow/plugins.yaml:
+ name: plugins
+ clusters:
+ k8s-infra-prow-build-trusted:
+ - prow
+ prow/prowjobs/**/*.yaml:
+ name: job-config
+ gzip: true
+ clusters:
+ k8s-infra-prow-build:
+ - k8s-infra-test-pods
+ k8s-infra-prow-build-trusted:
+ - k8s-infra-test-pods
+
+plugins:
+ kubernetes/k8s.io:
+ plugins:
+ - approve
+ - assign
+ - config-updater
+ - help
+ - hold
+ - invalidcommitmsg
+ - label
+ - lgtm
+ - lifecycle
+ # - owners-label
+ - shrug
+ - size
+ - skip
+ - trigger
+ - wip
+ # - verify-owners
+ - yuks
diff --git a/apps/prow/prow-externalsecrets.yaml b/apps/prow/prow-externalsecrets.yaml
deleted file mode 100644
index f227f632889..00000000000
--- a/apps/prow/prow-externalsecrets.yaml
+++ /dev/null
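Review bot: The `config_updater` map for `prow/prowjobs/**/*.yaml` writes the `job-config` ConfigMap only into the `k8s-infra-test-pods` namespace on both clusters, while the Deployments in this commit mount `job-config` from the `prow` namespace, and `k8s-infra-prow-build-trusted` appears to be the cluster hosting those components since it is the one receiving `config` and `plugins` in namespace `prow`; unless something else syncs it, merged job changes would never reach the prow components. The `config.yaml` and `plugins.yaml` entries show the expected shape, so the fix is to add `- prow` under `k8s-infra-prow-build-trusted:` in the job-config `clusters` block. Enabling `config-updater` for kubernetes/k8s.io also means anyone who can merge there can change the prow and plugin configuration, which is presumably intended given OWNERS and `rerun_auth_configs` gate that repository, but it is worth stating in a comment above the map.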
@@ -1,34 +0,0 @@
-# This is a place holder for adding kubernetes external secrets, please add the
-# ExternalSecret CR here, separated by `---`.
----
-# Github Token synchronized from GCP Secrets Manager
-apiVersion: kubernetes-client.io/v1
-kind: ExternalSecret
-metadata:
- name: k8s-infra-ci-robot-github-token
- namespace: prow
- labels:
- app: prow
-spec:
- backendType: gcpSecretsManager
- projectId: kubernetes-public
- data:
- - key: k8s-infra-ci-robot-github-token # The name of the GSM Secret
- name: token # The key to write to in the Kubernetes Secret
- version: latest # The version of the GSM Secret
----
-# Kubeconfigs of build clusters synchronized from GCP Secrets Manager
-apiVersion: kubernetes-client.io/v1
-kind: ExternalSecret
-metadata:
- name: k8s-infra-build-clusters-kubeconfig
- namespace: prow
- labels:
- app: prow
-spec:
- backendType: gcpSecretsManager
- projectId: kubernetes-public
- data:
- - key: k8s-infra-build-clusters-kubeconfig # The name of the GSM Secret
- name: kubeconfig # The key to write to in the Kubernetes Secret
- version: latest # The version of the GSM Secret
diff --git a/apps/prow/prowjobs/kubernetes/k8s.io/periodics.yaml b/apps/prow/prowjobs/kubernetes/k8s.io/periodics.yaml
new file mode 100644
index 00000000000..d24278c8191
--- /dev/null
+++ b/apps/prow/prowjobs/kubernetes/k8s.io/periodics.yaml
@@ -0,0 +1,23 @@
+periodics:
+- cron: "*/5 * * * *" # Every 5 minutes
+ name: k8s-infra-prow-heartbeat
+ decorate: true
+ cluster: k8s-infra-prow-build
+ extra_refs:
+ - org: kubernetes
+ repo: k8s.io
+ base_ref: main
+ spec:
+ containers:
+ - image: gcr.io/k8s-staging-infra-tools/k8s-infra:latest
+ command:
+ - "echo"
+ args:
+ - "Everything is fine!"
+ resources:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 512Mi
diff --git a/groups/sig-security/groups.yaml b/groups/sig-security/groups.yaml
index af12236bf5a..72a041bfa7f 100644
--- a/groups/sig-security/groups.yaml
+++ b/groups/sig-security/groups.yaml
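Review bot: The heartbeat job runs `gcr.io/k8s-staging-infra-tools/k8s-infra:latest`, a mutable tag from a staging registry, so every five minutes the build cluster pulls whatever was most recently pushed there; pin it to a dated tag or a digest as the prow components in this commit are, since an unattended periodic on `k8s-infra-prow-build` is exactly the kind of job whose image should not change underneath it. The `extra_refs` clone of kubernetes/k8s.io is unnecessary for an `echo` and only adds clone time and a checkout on the pod; if the job exists to prove the pipeline works end to end, a comment such as `# extra_refs kept on purpose to exercise clonerefs` should say so, otherwise drop it to keep the job minimal.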
@@ -18,4 +18,3 @@ groups:
 - pushkarj.at.work@gmail.com
 members:
 - security-release-team@kubernetes.io
-
diff --git a/infra/gcp/ensure-main-project.sh b/infra/gcp/ensure-main-project.sh
index 81345dae880..3210e0b9507 100755
--- a/infra/gcp/ensure-main-project.sh
+++ b/infra/gcp/ensure-main-project.sh
@@ -355,6 +355,9 @@ function ensure_aaa_external_secrets() {
 k8s-infra-build-clusters-kubeconfig
 k8s-infra-ci-robot-github-account-password
 k8s-infra-ci-robot-github-token
+ k8s-infra-prow-cookie
+ k8s-infra-prow-github-oauth-config
+ k8s-infra-prow-hmac-token
 )
 local slack_infra_secrets=(
 recaptcha