From 891d1bae2cc3898dd6749197a63a8b25e2156860 Mon Sep 17 00:00:00 2001
From: Mustafa Gezen
Date: Sun, 30 Oct 2022 04:26:52 +0100
Subject: [PATCH] Prow deployment manifests
---
 infrastructure/prow/BUILD.bazel | 0
 infrastructure/prow/configmaps.yaml | 127 ++++++
 infrastructure/prow/deployments.yaml | 518 +++++++++++++++++++++++
 infrastructure/prow/namespaces.yaml | 12 +
 infrastructure/prow/pvcs.yaml | 14 +
 infrastructure/prow/rolebindings.yaml | 162 +++++++
 infrastructure/prow/roles.yaml | 262 ++++++++++++
 infrastructure/prow/secrets.yaml | 41 ++
 infrastructure/prow/serviceaccounts.yaml | 64 +++
 infrastructure/prow/services.yaml | 54 +++
 infrastructure/prow/virtualservice.yaml | 29 ++
 11 files changed, 1283 insertions(+)
 create mode 100644 infrastructure/prow/BUILD.bazel
 create mode 100644 infrastructure/prow/configmaps.yaml
 create mode 100644 infrastructure/prow/deployments.yaml
 create mode 100644 infrastructure/prow/namespaces.yaml
 create mode 100644 infrastructure/prow/pvcs.yaml
 create mode 100644 infrastructure/prow/rolebindings.yaml
 create mode 100644 infrastructure/prow/roles.yaml
 create mode 100644 infrastructure/prow/secrets.yaml
 create mode 100644 infrastructure/prow/serviceaccounts.yaml
 create mode 100644 infrastructure/prow/services.yaml
 create mode 100644 infrastructure/prow/virtualservice.yaml
diff --git a/infrastructure/prow/BUILD.bazel b/infrastructure/prow/BUILD.bazel
new file mode 100644
index 00000000..e69de29b
diff --git a/infrastructure/prow/configmaps.yaml b/infrastructure/prow/configmaps.yaml
new file mode 100644
index 00000000..88956144
--- /dev/null
+++ b/infrastructure/prow/configmaps.yaml
@@ -0,0 +1,127 @@ +# Updated using inrepoconfig, initial should be uncommented +# --- +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# namespace: prow +# name: plugins +# data: +# plugins.yaml: | +# plugins: +# rocky-linux/peridot: +# plugins: +# - approve +# - assign +# - blunderbuss +# - cat +# - config-updater +# - dog +# - help +# - heart +# - hold +# - label +# - lgtm +# - trigger +# - verify-owners +# - wip +# - yuks +# config_updater: +# maps: +# config/prow/config.yaml: +# name: config +# config/prow/plugins.yaml: +# name: plugins +# config/jobs/**/*.{yaml,yml}: +# name: job-config +# gzip: true +# --- +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# namespace: prow +# name: config +# data: +# config.yaml: | +# prowjob_namespace: prow +# pod_namespace: test-pods +# allowed_clusters: +# rocky-linux/peridot: +# - default +# deck: +# spyglass: +# lenses: +# - lens: +# name: metadata +# required_files: +# - started.json|finished.json +# - lens: +# config: +# name: buildlog +# required_files: +# - build-log.txt +# - lens: +# name: junit +# required_files: +# - bazel-testlogs/.*/test.xml +# - lens: +# name: podinfo +# required_files: +# - podinfo.json +# plank: +# job_url_prefix_config: +# "*": https://prow.build.resf.org/view/ +# report_templates: +# '*': >- +# [Full PR test history](https://prow.build.resf.org/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}). +# [Your PR dashboard](https://prow.build.resf.org/pr?query=is:pr+state:open+author:{{with +# index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}). 
+# default_decoration_configs: +# "*": +# gcs_configuration: +# bucket: s3://resf-prod-prow-logs +# path_strategy: explicit +# s3_credentials_secret: s3-credentials +# utility_images: +# clonerefs: gcr.io/k8s-prow/clonerefs:v20221028-a8625c1f93 +# entrypoint: gcr.io/k8s-prow/entrypoint:v20221028-a8625c1f93 +# initupload: gcr.io/k8s-prow/initupload:v20221028-a8625c1f93 +# sidecar: gcr.io/k8s-prow/sidecar:v20221028-a8625c1f93 +# tide: +# queries: +# - labels: +# - lgtm +# - approved +# missingLabels: +# - needs-rebase +# - do-not-merge/hold +# - do-not-merge/work-in-progress +# - do-not-merge/invalid-owners-file +# repos: +# - rocky-linux/peridot +# decorate_all_jobs: true +# presubmits: +# rocky-linux/peridot: +# - name: pull-peridot-validate-prow-yaml +# run_if_changed: '^(config/prow/(config|plugins).yaml$|config/jobs/.*.yaml$)' +# decorate: true +# spec: +# containers: +# - image: gcr.io/k8s-prow/checkconfig:v20221028-a8625c1f93 +# command: +# - checkconfig +# args: +# - --config-path=config/prow/config.yaml +# - --job-config-path=config/jobs +# - --plugin-config=config/prow/plugins.yaml +# - --strict +# +# - name: pull-peridot-unit-test +# branches: +# - main +# always_run: true +# decorate: true +# spec: +# containers: +# - image: alpine +# command: +# - /bin/date diff --git a/infrastructure/prow/deployments.yaml b/infrastructure/prow/deployments.yaml new file mode 100644 index 00000000..ab3c49b9 --- /dev/null +++ b/infrastructure/prow/deployments.yaml 
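Review bot: The presubmit `pull-peridot-unit-test` near the end of the hunk runs `image: alpine` with neither tag nor digest, so the job executes whatever `alpine:latest` resolves to at run time, and it is `always_run: true` on `main`; a PR-triggered job image should be pinned the way the Prow images are, `image: alpine@sha256:<digest>` (or at least a fixed tag), and `command: [/bin/date]` reads as a placeholder still to be replaced. The whole file is commented out, so applying it creates neither the `config` nor the `plugins` ConfigMap that hook, deck, sinker and the other deployments mount as required volumes, which means those pods cannot start until someone bootstraps the maps by hand; the header hints at this but should say it, e.g. `# Bootstrap: uncomment and apply once before deploying hook; config-updater then keeps the live ConfigMaps in sync from config/prow/*.yaml`. The `run_if_changed` regex `config/jobs/.*.yaml$` has an unescaped dot, which is harmless here but should be `\.yaml$` if a literal extension is meant.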
@@ -0,0 +1,518 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: hook + labels: + app: hook +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + selector: + matchLabels: + app: hook + template: + metadata: + labels: + app: hook + spec: + serviceAccountName: "hook" + terminationGracePeriodSeconds: 180 + containers: + - name: hook + image: gcr.io/k8s-prow/hook:v20221028-a8625c1f93 + imagePullPolicy: Always + args: + - --dry-run=false + - --config-path=/etc/config/config.yaml + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid + ports: + - name: http + containerPort: 8888 + volumeMounts: + - name: hmac + mountPath: /etc/webhook + readOnly: true + - name: github-token + mountPath: /etc/github + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: plugins + mountPath: /etc/plugins + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 3 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /healthz/ready + port: 8081 + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 600 + volumes: + - name: hmac + secret: + secretName: hmac-token + - name: github-token + secret: + secretName: github-token + - name: config + configMap: + name: config + - name: plugins + configMap: + name: plugins +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: sinker + labels: + app: sinker +spec: + selector: + matchLabels: + app: sinker + replicas: 1 + template: + metadata: + labels: + app: sinker + spec: + serviceAccountName: "sinker" + containers: + - name: sinker + image: gcr.io/k8s-prow/sinker:v20221028-a8625c1f93 + args: + - --config-path=/etc/config/config.yaml + - --dry-run=false + 
volumeMounts: + - name: config + mountPath: /etc/config + readOnly: true + volumes: + - name: config + configMap: + name: config +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: deck + labels: + app: deck +spec: + replicas: 2 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + selector: + matchLabels: + app: deck + template: + metadata: + labels: + app: deck + spec: + serviceAccountName: "deck" + terminationGracePeriodSeconds: 30 + containers: + - name: deck + image: gcr.io/k8s-prow/deck:v20221028-a8625c1f93 + args: + - --config-path=/etc/config/config.yaml + - --plugin-config=/etc/plugins/plugins.yaml + - --tide-url=http://tide/ + - --hook-url=http://hook:8888/plugin-help + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --github-graphql-endpoint=http://ghproxy/graphql + - --s3-credentials-file=/etc/s3-credentials/service-account.json + - --spyglass=true + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid + ports: + - name: http + containerPort: 8080 + volumeMounts: + - name: config + mountPath: /etc/config + readOnly: true + - name: github-token + mountPath: /etc/github + readOnly: true + - name: plugins + mountPath: /etc/plugins + readOnly: true + - name: s3-credentials + mountPath: /etc/s3-credentials + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 3 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /healthz/ready + port: 8081 + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 600 + volumes: + - name: config + configMap: + name: config + - name: github-token + secret: + secretName: github-token + - name: plugins + configMap: + name: plugins + - name: s3-credentials + secret: + secretName: s3-credentials +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + 
namespace: prow + name: horologium + labels: + app: horologium +spec: + replicas: 1 # Do not scale up. + strategy: + type: Recreate + selector: + matchLabels: + app: horologium + template: + metadata: + labels: + app: horologium + spec: + serviceAccountName: "horologium" + terminationGracePeriodSeconds: 30 + containers: + - name: horologium + image: gcr.io/k8s-prow/horologium:v20221028-a8625c1f93 + args: + - --dry-run=false + - --config-path=/etc/config/config.yaml + volumeMounts: + - name: config + mountPath: /etc/config + readOnly: true + volumes: + - name: config + configMap: + name: config +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: tide + labels: + app: tide +spec: + replicas: 1 # Do not scale up. + strategy: + type: Recreate + selector: + matchLabels: + app: tide + template: + metadata: + labels: + app: tide + spec: + serviceAccountName: "tide" + containers: + - name: tide + image: gcr.io/k8s-prow/tide:v20221028-a8625c1f93 + args: + - --dry-run=false + - --config-path=/etc/config/config.yaml + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --github-graphql-endpoint=http://ghproxy/graphql + - --s3-credentials-file=/etc/s3-credentials/service-account.json + - --status-path=s3://resf-prod-prow-tide/tide-status + - --history-uri=s3://resf-prod-prow-tide/tide-history.json + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid + ports: + - name: http + containerPort: 8888 + volumeMounts: + - name: github-token + mountPath: /etc/github + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: s3-credentials + mountPath: /etc/s3-credentials + readOnly: true + volumes: + - name: github-token + secret: + secretName: github-token + - name: config + configMap: + name: config + - name: s3-credentials + secret: + secretName: s3-credentials +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: statusreconciler + namespace: prow + labels: + app: statusreconciler +spec: + replicas: 1 + selector: + matchLabels: + app: statusreconciler + template: + metadata: + labels: + app: statusreconciler + spec: + serviceAccountName: statusreconciler + terminationGracePeriodSeconds: 180 + containers: + - name: statusreconciler + image: gcr.io/k8s-prow/status-reconciler:v20221028-a8625c1f93 + args: + - --dry-run=false + - --continue-on-error=true + - --plugin-config=/etc/plugins/plugins.yaml + - --config-path=/etc/config/config.yaml + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --s3-credentials-file=/etc/s3-credentials/service-account.json + - --status-path=s3://resf-prod-prow-status-reconciler/status-reconciler-status + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid + volumeMounts: + - name: github-token + mountPath: /etc/github + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: plugins + mountPath: /etc/plugins + readOnly: true + - name: s3-credentials + mountPath: /etc/s3-credentials + readOnly: true + volumes: + - name: github-token + secret: + secretName: github-token + - name: config + configMap: + name: config + - name: plugins + configMap: + name: plugins + - name: s3-credentials + secret: + secretName: s3-credentials +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: ghproxy + labels: + app: ghproxy +spec: + selector: + matchLabels: + app: ghproxy + strategy: + type: Recreate + # GHProxy does not support HA + replicas: 1 + template: + metadata: + labels: + app: ghproxy + spec: + containers: + - name: ghproxy + image: gcr.io/k8s-prow/ghproxy:v20221028-a8625c1f93 + args: + - --cache-dir=/cache + - --cache-sizeGB=99 + - --serve-metrics=true + ports: + - containerPort: 8888 + 
volumeMounts: + - name: cache + mountPath: /cache + volumes: + - name: cache + persistentVolumeClaim: + claimName: ghproxy +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: prow-controller-manager + labels: + app: prow-controller-manager +spec: + replicas: 1 + selector: + matchLabels: + app: prow-controller-manager + template: + metadata: + labels: + app: prow-controller-manager + spec: + serviceAccountName: prow-controller-manager + containers: + - name: prow-controller-manager + args: + - --dry-run=false + - --config-path=/etc/config/config.yaml + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --enable-controller=plank + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid + image: gcr.io/k8s-prow/prow-controller-manager:v20221028-a8625c1f93 + volumeMounts: + - name: github-token + mountPath: /etc/github + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + volumes: + - name: github-token + secret: + secretName: github-token + - name: config + configMap: + name: config +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: prow + name: crier + labels: + app: crier +spec: + replicas: 1 + selector: + matchLabels: + app: crier + template: + metadata: + labels: + app: crier + spec: + serviceAccountName: crier + terminationGracePeriodSeconds: 30 + containers: + - name: crier + image: gcr.io/k8s-prow/crier:v20221028-a8625c1f93 + args: + - --blob-storage-workers=10 + - --config-path=/etc/config/config.yaml + - --s3-credentials-file=/etc/s3-credentials/service-account.json + - --github-endpoint=http://ghproxy + - --github-endpoint=https://api.github.com + - --github-workers=10 + - --kubernetes-blob-storage-workers=10 + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert + env: + - name: GITHUB_APP_ID + 
valueFrom:
+ secretKeyRef:
+ name: github-token
+ key: appid
+ volumeMounts:
+ - name: config
+ mountPath: /etc/config
+ readOnly: true
+ - name: github-token
+ mountPath: /etc/github
+ readOnly: true
+ - name: s3-credentials
+ mountPath: /etc/s3-credentials
+ readOnly: true
+ volumes:
+ - name: config
+ configMap:
+ name: config
+ - name: github-token
+ secret:
+ secretName: github-token
+ - name: s3-credentials
+ secret:
+ secretName: s3-credentials
+---
diff --git a/infrastructure/prow/namespaces.yaml b/infrastructure/prow/namespaces.yaml
new file mode 100644
index 00000000..026b906a
--- /dev/null
+++ b/infrastructure/prow/namespaces.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prow
+ labels:
+ istio-injection: enabled
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-pods
diff --git a/infrastructure/prow/pvcs.yaml b/infrastructure/prow/pvcs.yaml
new file mode 100644
index 00000000..36144407
--- /dev/null
+++ b/infrastructure/prow/pvcs.yaml
@@ -0,0 +1,14 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: prow
+ labels:
+ app: ghproxy
+ name: ghproxy
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/infrastructure/prow/rolebindings.yaml b/infrastructure/prow/rolebindings.yaml
new file mode 100644
index 00000000..1a2c021b
--- /dev/null
+++ b/infrastructure/prow/rolebindings.yaml
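Review bot: None of the nine pod specs in the deployments hunk sets a pod- or container-level `securityContext`, and the `ghproxy` deployment has no `serviceAccountName`, so it runs under the namespace default ServiceAccount with its API token auto-mounted even though nothing in its args suggests it uses the Kubernetes API. Hook, deck, tide, crier, statusreconciler and the controller manager all mount the GitHub App private key (and, via IRSA, AWS credentials), so they are the containers most worth hardening: forbid privilege escalation, drop capabilities, make the root filesystem read-only, and set `automountServiceAccountToken: false` on any pod that has no Role. The ghproxy spec below shows the shape; whether `runAsNonRoot: true` can be added on top depends on the user baked into the `gcr.io/k8s-prow/*` images, so verify that before enforcing it. No container declares `resources` requests or limits either, so a misbehaving hook or deck can starve the rest of the namespace.

```yaml
    spec:
      automountServiceAccountToken: false  # no serviceAccountName and no kube args: ghproxy does not appear to need the API
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: ghproxy
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # /cache is a PVC mount, so the cache still writes
            capabilities:
              drop: ["ALL"]
          # … unchanged: image, args, ports, volumeMounts …
```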
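Review bot: The `test-pods` namespace is created with no labels at all, yet it is the namespace the (commented) config points `pod_namespace` at, i.e. where pods executing PR-submitted code will be scheduled, and nothing here stops a job spec from asking for `hostPID`, `privileged` or a hostPath mount. Add Pod Security Admission labels to the namespace, `labels:` / `pod-security.kubernetes.io/enforce: baseline` / `pod-security.kubernetes.io/warn: restricted`, and move enforce to `restricted` once the clonerefs/entrypoint/sidecar utility images are confirmed to run under it. PSA only takes effect on a control plane that ships it; on an older EKS version the labels are inert, so confirm what this cluster runs. Note also that `prow` gets `istio-injection: enabled` while `test-pods` does not, so job pod traffic bypasses mesh policy — possibly deliberate, but worth a comment on the namespace.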
@@ -0,0 +1,162 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "deck" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "deck" +subjects: + - kind: ServiceAccount + name: "deck" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: "deck" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "deck" +subjects: + - kind: ServiceAccount + name: "deck" + namespace: prow +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "horologium" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "horologium" +subjects: + - kind: ServiceAccount + name: "horologium" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "sinker" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "sinker" +subjects: + - kind: ServiceAccount + name: "sinker" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: "sinker" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "sinker" +subjects: + - kind: ServiceAccount + name: "sinker" + namespace: prow +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "hook" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "hook" +subjects: + - kind: ServiceAccount + name: "hook" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "tide" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "tide" +subjects: + - kind: ServiceAccount + name: "tide" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "statusreconciler" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "statusreconciler" +subjects: + - kind: ServiceAccount 
+ name: "statusreconciler" +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: prow-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prow-controller-manager +subjects: + - kind: ServiceAccount + name: prow-controller-manager +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: prow-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prow-controller-manager +subjects: + - kind: ServiceAccount + name: prow-controller-manager + namespace: prow +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: crier + namespace: prow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: crier +subjects: + - kind: ServiceAccount + name: crier + namespace: prow +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: crier + namespace: test-pods +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: crier +subjects: + - kind: ServiceAccount + name: crier + namespace: prow + diff --git a/infrastructure/prow/roles.yaml b/infrastructure/prow/roles.yaml new file mode 100644 index 00000000..81c5223c --- /dev/null +++ b/infrastructure/prow/roles.yaml 
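Review bot: The ServiceAccount subjects of the bindings created in the `prow` namespace (deck, horologium, sinker, hook, tide, statusreconciler, prow-controller-manager) omit `namespace:`, while the two `crier` bindings and every cross-namespace `test-pods` binding spell it out; for a ServiceAccount subject the namespace is part of the principal's identity, so it should be written rather than left to server-side defaulting. Add `namespace: prow` under each of those subjects so the file is self-describing and a later copy into another namespace cannot silently bind a different account. The `deck` binding in `test-pods` grants only `pods/log get` from the matching Role, which appears to be the minimum deck needs to show build logs.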
@@ -0,0 +1,262 @@ +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "deck" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - get + - list + - watch +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: "deck" +rules: + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "horologium" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list + - watch +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "sinker" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - delete + - list + - watch + - get + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - prow-sinker-leaderlock + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - prow-sinker-leaderlock + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: "sinker" +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - watch + - get + - patch +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "hook" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - get + - list + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "tide" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create + - list + - get + - 
watch +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: "statusreconciler" +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - create +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: prow-controller-manager +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - prowjobs + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - prow-controller-manager-leader-lock + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - prow-controller-manager-leader-lock + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - create +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: prow-controller-manager +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - watch + - create + - patch +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: prow + name: crier +rules: + - apiGroups: + - "prow.k8s.io" + resources: + - "prowjobs" + verbs: + - "get" + - "watch" + - "list" + - "patch" +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: test-pods + name: crier +rules: + - apiGroups: + - "" + resources: + - "pods" + - "events" + verbs: + - "get" + - "list" + - apiGroups: + - "" + resources: + - "pods" + verbs: + - "patch" diff --git a/infrastructure/prow/secrets.yaml b/infrastructure/prow/secrets.yaml new file mode 100644 index 00000000..6d7189bd --- /dev/null +++ b/infrastructure/prow/secrets.yaml 
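Review bot: The `hook` Role in `prow` grants `create`, `get` and `update` on every ConfigMap in the namespace, not only the three the config-updater plugin writes, so anyone who can merge a PR — or anything that compromises hook, the one internet-facing component — can overwrite any ConfigMap in `prow`. Scope `get`/`update` with `resourceNames` to the maps config-updater targets and keep `create` in its own rule, since `resourceNames` cannot restrict creation; the names must match the `config_updater.maps` entries in plugins.yaml (`config`, `plugins`, `job-config` in the commented template). The broad rule matches the upstream starter manifest, so this is a tightening rather than a fix for breakage.

```yaml
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - config
      - plugins
      - job-config
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
```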
@@ -0,0 +1,41 @@
+---
+# Get this from Github
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# namespace: prow
+# name: github-token
+# stringData:
+# cert: <>
+# appid: <>
+# ---
+# Generate this manually
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# namespace: prow
+# name: hmac-token
+# stringData:
+# # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration
+# hmac: << insert-hmac-token-here >>
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: prow
+ name: s3-credentials
+stringData:
+ service-account.json: |
+ {
+ "region": "us-east-2"
+ }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: test-pods
+ name: s3-credentials
+stringData:
+ service-account.json: |
+ {
+ "region": "us-east-2"
+ }
diff --git a/infrastructure/prow/serviceaccounts.yaml b/infrastructure/prow/serviceaccounts.yaml
new file mode 100644
index 00000000..bdf4a64f
--- /dev/null
+++ b/infrastructure/prow/serviceaccounts.yaml
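Review bot: Both `s3-credentials` secrets carry only `{"region": "us-east-2"}`, so the real AWS credentials must come from somewhere else; in `prow` that is the IRSA annotation on the ServiceAccounts, but nothing in this patch annotates any ServiceAccount in `test-pods`, so the decorated job pods that get this secret via `s3_credentials_secret: s3-credentials` would fall back to whatever the node or the default account provides — confirm that is intended, and if so say it: `# No keys here on purpose: credentials come from IRSA on the pod's ServiceAccount; this file only pins the region`. The commented-out `github-token` and `hmac-token` templates are sensible placeholders, but the comment should also state that the live values are created out of band (`kubectl create secret` or an external-secrets operator) and must never be filled in and committed here, since this file sits next to manifests that are applied with `kubectl apply -f`.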
@@ -0,0 +1,64 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ namespace: prow
+ name: "deck"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ namespace: prow
+ name: "horologium"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ namespace: prow
+ name: "sinker"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: "hook"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: "tide"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: "statusreconciler"
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: prow
+ name: prow-controller-manager
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: crier
+ namespace: prow
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::893168113496:role/resf-prow-peridot
diff --git a/infrastructure/prow/services.yaml b/infrastructure/prow/services.yaml
new file mode 100644
index 00000000..008325f3
--- /dev/null
+++ b/infrastructure/prow/services.yaml
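Review bot: All eight ServiceAccounts are annotated with the same IAM role `arn:aws:iam::893168113496:role/resf-prow-peridot`, but in deployments.yaml only deck, tide, statusreconciler and crier pass `--s3-credentials-file`; hook, sinker, horologium and prow-controller-manager never touch S3 and still receive the role's credentials through IRSA. Hook is the component reachable from the internet via `/hook`, so it in particular should carry the least cloud privilege possible: remove the `annotations:` block from those four accounts, or, if the role is shared for a reason not visible here, document it, `# IRSA role shared with the S3-writing components; hook/sinker/horologium/controller-manager do not use it`. Splitting the role per component (one for log upload, one for tide/status state) would let the IAM policies be scoped to the individual buckets named in the args.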
@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: prow
+ name: hook
+spec:
+ selector:
+ app: hook
+ ports:
+ - port: 8888
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: prow
+ name: deck
+spec:
+ selector:
+ app: deck
+ ports:
+ - port: 80
+ targetPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: prow
+ name: tide
+spec:
+ selector:
+ app: tide
+ ports:
+ - port: 80
+ targetPort: 8888
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: ghproxy
+ namespace: prow
+ name: ghproxy
+spec:
+ ports:
+ - name: main
+ port: 80
+ protocol: TCP
+ targetPort: 8888
+ - name: metrics
+ port: 9090
+ selector:
+ app: ghproxy
+ type: ClusterIP
diff --git a/infrastructure/prow/virtualservice.yaml b/infrastructure/prow/virtualservice.yaml
new file mode 100644
index 00000000..e79b5a27
--- /dev/null
+++ b/infrastructure/prow/virtualservice.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: prow
+ namespace: prow
+ annotations:
+ external-dns.alpha.kubernetes.io/target: ingress.build.resf.org
+spec:
+ gateways:
+ - istio-system/base-gateway-public
+ hosts:
+ - prow.build.resf.org
+ http:
+ - name: hook
+ match:
+ - uri:
+ prefix: "/hook"
+ route:
+ - destination:
+ host: hook.prow.svc.cluster.local
+ port:
+ number: 8888
+ - name: deck
+ route:
+ - destination:
+ host: deck.prow.svc.cluster.local
+ port:
+ number: 80
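Review bot: `/hook` is routed from the shared public gateway straight to hook, with only the GitHub HMAC signature check between the internet and the webhook handler, and `prefix: "/hook"` also matches `/hookanything`; use `exact: "/hook"` (plus `prefix: "/hook/"` if sub-paths are served) so only the webhook path reaches hook. Since the gateway is `istio-system/base-gateway-public`, add an Istio `AuthorizationPolicy` on the hook workload that allows only GitHub's published webhook source ranges, which works only if the gateway preserves the client address (`remoteIpBlocks` needs the real source IP or a correctly trusted X-Forwarded-For hop count). Every other path on `prow.build.resf.org` lands on deck with no authentication in front; deck's args in deployments.yaml enable no rerun/abort actions, so that is acceptable today, but a comment here, `# deck is read-only; do not enable job rerun without an OAuth layer in front`, would stop that changing silently. The `hmac-token` secret is only a commented template in secrets.yaml, and hook mounts it as a non-optional secret volume, so the hook pods will not start until it exists — create it before this route goes live.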