---
# Identity the hook pods run as. It is referenced by serviceAccountName in the
# hook Deployment and as the subject of the hook RoleBinding in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hook
  namespace: default
---
# Namespaced permissions for hook. Everything below is limited to the
# "default" namespace; this Role grants nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hook
  namespace: default
rules:
  # ProwJob custom resources: create/read/update only (no delete, patch or
  # watch is granted).
  - apiGroups: ["prow.k8s.io"]
    resources: ["prowjobs"]
    verbs: ["create", "get", "list", "update"]
  # Core-group ConfigMaps. There is no resourceNames filter, so this applies to
  # every ConfigMap in the namespace, including the config, job-config and
  # plugins ConfigMaps that the hook Deployment mounts.
  # NOTE(review): presumably required by a config-updating plugin; confirm.
  # Anyone who obtains this ServiceAccount's token can rewrite those ConfigMaps.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
---
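# Binds the "hook" Role to the "hook" ServiceAccount inside "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: "hook"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "hook"
subjects:
  # Sequence indented to match the style used by the Role rules in this file.
  - kind: ServiceAccount
    name: "hook"
    # Stated explicitly rather than relying on the binding's own namespace
    # being assumed for a ServiceAccount subject that omits it.
    namespace: default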
---
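# Prow "hook" workload: two replicas under the "hook" ServiceAccount, with the
# GitHub token, HMAC secret and Prow configuration mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: hook
  labels:
    app: hook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hook
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With 2 replicas this keeps at least one pod serving during a rollout.
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: "hook"
      terminationGracePeriodSeconds: 180
      containers:
        - name: hook
          # NOTE(review): the image is referenced by tag, and tags can be
          # re-pointed; with imagePullPolicy Always every pod start pulls
          # whatever the tag currently resolves to. Consider pinning as
          # gcr.io/k8s-prow/hook@sha256:<digest-placeholder>.
          image: gcr.io/k8s-prow/hook:v20240805-37a08f946
          imagePullPolicy: Always
          args:
            # Two endpoints are configured: a "ghproxy" host over plain HTTP
            # and GitHub's public API over HTTPS.
            # NOTE(review): traffic to http://ghproxy is unencrypted on the pod
            # network. If those requests carry the token read from
            # --github-token-path, limit who can observe or impersonate that
            # hop (NetworkPolicy, mesh mTLS); confirm.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            - --github-token-path=/etc/github/oauth
            # NOTE(review): presumably "false" means hook acts on GitHub for
            # real rather than only logging; confirm before reusing this
            # manifest in a test cluster.
            - --dry-run=false
            - --plugin-config=/etc/plugins/plugins.yaml
            - --config-path=/etc/config/config.yaml
            - --job-config-path=/etc/job-config
            # NOTE(review): no flag points at the HMAC secret mounted under
            # /etc/webhook; hook presumably falls back to a built-in default
            # path there. Confirm against the hook version in use.
          ports:
            - name: http
              containerPort: 8888
            - name: metrics
              containerPort: 9090
          resources:
            # Requests equal limits for both CPU and memory. Note "256M" is
            # decimal megabytes, not 256Mi.
            limits:
              cpu: 100m
              memory: 256M
            requests:
              cpu: 100m
              memory: 256M
          # Hardening: every port this container uses (8888, 9090, 8081) is
          # unprivileged, so no Linux capabilities or setuid-style privilege
          # gain are needed.
          # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not set
          # because the image's user and write paths are not visible in this
          # manifest; confirm them and enable both if possible.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Both Secret mounts and all ConfigMap mounts are read-only.
            - name: hmac
              mountPath: /etc/webhook
              readOnly: true
            - name: oauth
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: job-config
              mountPath: /etc/job-config
              readOnly: true
            - name: plugins
              mountPath: /etc/plugins
              readOnly: true
          # Health endpoints are probed on 8081, a port that is neither listed
          # under ports above nor published by the hook Service.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 3
            periodSeconds: 3
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 3
            # NOTE(review): a 600s timeout is far longer than the 3s period, so
            # a hung readiness check can take minutes to be reported as failed;
            # confirm this is intended.
            timeoutSeconds: 600
      volumes:
        # Secrets are referenced by name only; no credential material lives in
        # this manifest.
        - name: hmac
          secret:
            secretName: hmac-token
        - name: oauth
          secret:
            secretName: oauth-token
        - name: config
          configMap:
            name: config
        - name: job-config
          configMap:
            name: job-config
        - name: plugins
          configMap:
            name: plugins
      # Custom node label; pods stay Pending unless some node carries it.
      nodeSelector:
        Archtype: "x86"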
---
# Service in front of the hook pods: selects app=hook and publishes the "main"
# (8888) and "metrics" (9090) ports.
apiVersion: v1
kind: Service
metadata:
  name: hook
  namespace: default
  labels:
    app: hook
spec:
  # NodePort allocates a node port for EACH entry under ports, so the metrics
  # port becomes reachable on every node's IP alongside the main port.
  # NOTE(review): confirm that an ingress, firewall or NetworkPolicy limits who
  # can reach these node ports, or serve metrics from a ClusterIP-only Service.
  type: NodePort
  selector:
    app: hook
  ports:
    - name: main
      port: 8888
    - name: metrics
      port: 9090