# This file contains Kubernetes YAML files for the most important prow # components. Don't edit resources in this file. Instead, pull them out into # their own files. --- apiVersion: v1 kind: Namespace metadata: name: prow --- apiVersion: v1 kind: ConfigMap metadata: namespace: prow name: plugins data: plugins.yaml: | plugins: $GITHUB_ORG: plugins: - approve - assign - blunderbuss - cat - dog - help - heart - hold - label - lgtm - trigger - verify-owners - wip - yuks --- apiVersion: v1 kind: Secret metadata: namespace: prow name: github-token stringData: cert: $GITHUB_TOKEN appid: "$GITHUB_APP_ID" --- apiVersion: v1 kind: Secret metadata: namespace: prow name: hmac-token stringData: # Generate via `openssl rand -hex 20`. This is the secret used in the GitHub webhook configuration hmac: $HMAC_TOKEN --- apiVersion: v1 kind: Secret metadata: namespace: prow name: minio-root-creds stringData: user: "$MINIO_ROOT_USER" password: "$MINIO_ROOT_PASSWORD" --- apiVersion: v1 kind: ConfigMap metadata: namespace: prow name: config data: config.yaml: | prowjob_namespace: prow pod_namespace: test-pods in_repo_config: enabled: "*": true deck: spyglass: gcs_browser_prefix: 'https://s3.console.aws.amazon.com/s3/buckets/' lenses: - lens: name: metadata required_files: - ^(?:started|finished)\.json$ optional_files: - ^(?:podinfo|prowjob)\.json$ - lens: config: name: buildlog required_files: - build-log.txt - lens: name: junit required_files: - .*/junit.*\.xml - lens: name: podinfo required_files: - podinfo.json plank: job_url_prefix_config: "*": https://$PROW_HOST/view/ report_templates: '*': >- [Full PR test history](https://$PROW_HOST/pr-history?org={{.Spec.Refs.Org}}&repo={{.Spec.Refs.Repo}}&pr={{with index .Spec.Refs.Pulls 0}}{{.Number}}{{end}}). [Your PR dashboard](https://$PROW_HOST/pr?query=is:pr+state:open+author:{{with index .Spec.Refs.Pulls 0}}{{.Author}}{{end}}). default_decoration_config_entries: - config: gcs_configuration: bucket: s3://prow-logs path_strategy: explicit github_api_endpoints: - http://ghproxy - https://api.github.com github_app_id: "$GITHUB_APP_ID" github_app_private_key_secret: name: github-token key: cert s3_credentials_secret: s3-credentials utility_images: clonerefs: gcr.io/k8s-prow/clonerefs:v20240503-28485f4e6 entrypoint: gcr.io/k8s-prow/entrypoint:v20240503-28485f4e6 initupload: gcr.io/k8s-prow/initupload:v20240503-28485f4e6 sidecar: gcr.io/k8s-prow/sidecar:v20240503-28485f4e6 tide: queries: - labels: - lgtm - approved missingLabels: - needs-rebase - do-not-merge/hold - do-not-merge/work-in-progress - do-not-merge/invalid-owners-file orgs: - $GITHUB_ORG decorate_all_jobs: true periodics: - interval: 1m agent: kubernetes name: echo-test spec: containers: - image: alpine command: ["/bin/date"] --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: hook labels: app: hook spec: replicas: 2 strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 selector: matchLabels: app: hook template: metadata: labels: app: hook spec: serviceAccountName: "hook" terminationGracePeriodSeconds: 180 containers: - name: hook image: gcr.io/k8s-prow/hook:v20240503-28485f4e6 imagePullPolicy: Always args: - --dry-run=false - --config-path=/etc/config/config.yaml - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid ports: - name: http containerPort: 8888 volumeMounts: - name: hmac mountPath: /etc/webhook readOnly: true - name: github-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /healthz/ready port: 8081 initialDelaySeconds: 10 periodSeconds: 3 timeoutSeconds: 600 volumes: - name: hmac secret: secretName: hmac-token - name: github-token secret: secretName: github-token - name: config configMap: name: config - name: plugins configMap: name: plugins --- apiVersion: v1 kind: Service metadata: namespace: prow name: hook spec: selector: app: hook ports: - port: 8888 --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: sinker labels: app: sinker spec: selector: matchLabels: app: sinker replicas: 1 template: metadata: labels: app: sinker spec: serviceAccountName: "sinker" containers: - name: sinker image: gcr.io/k8s-prow/sinker:v20240503-28485f4e6 args: - --config-path=/etc/config/config.yaml - --dry-run=false volumeMounts: - name: config mountPath: /etc/config readOnly: true volumes: - name: config configMap: name: config --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: deck labels: app: deck spec: replicas: 2 strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 selector: matchLabels: app: deck template: metadata: labels: app: deck spec: serviceAccountName: "deck" terminationGracePeriodSeconds: 30 containers: - name: deck image: gcr.io/k8s-prow/deck:v20240503-28485f4e6 args: - --config-path=/etc/config/config.yaml - --plugin-config=/etc/plugins/plugins.yaml - --tide-url=http://tide/ - --hook-url=http://hook:8888/plugin-help - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-graphql-endpoint=http://ghproxy/graphql - --s3-credentials-file=/etc/s3-credentials/service-account.json - --spyglass=true - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid ports: - name: http containerPort: 8080 volumeMounts: - name: config mountPath: /etc/config readOnly: true - name: github-token mountPath: /etc/github readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true - name: s3-credentials mountPath: /etc/s3-credentials readOnly: true livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /healthz/ready port: 8081 initialDelaySeconds: 10 periodSeconds: 3 timeoutSeconds: 600 volumes: - name: config configMap: name: config - name: github-token secret: secretName: github-token - name: plugins configMap: name: plugins - name: s3-credentials secret: secretName: s3-credentials --- apiVersion: v1 kind: Service metadata: namespace: prow name: deck spec: selector: app: deck ports: - port: 80 targetPort: 8080 --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: horologium labels: app: horologium spec: replicas: 1 # Do not scale up. strategy: type: Recreate selector: matchLabels: app: horologium template: metadata: labels: app: horologium spec: serviceAccountName: "horologium" terminationGracePeriodSeconds: 30 containers: - name: horologium image: gcr.io/k8s-prow/horologium:v20240503-28485f4e6 args: - --dry-run=false - --config-path=/etc/config/config.yaml volumeMounts: - name: config mountPath: /etc/config readOnly: true volumes: - name: config configMap: name: config --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: tide labels: app: tide spec: replicas: 1 # Do not scale up. strategy: type: Recreate selector: matchLabels: app: tide template: metadata: labels: app: tide spec: serviceAccountName: "tide" containers: - name: tide image: gcr.io/k8s-prow/tide:v20240503-28485f4e6 args: - --dry-run=false - --config-path=/etc/config/config.yaml - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-graphql-endpoint=http://ghproxy/graphql - --s3-credentials-file=/etc/s3-credentials/service-account.json - --status-path=s3://tide/tide-status - --history-uri=s3://tide/tide-history.json - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid ports: - name: http containerPort: 8888 volumeMounts: - name: github-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true - name: s3-credentials mountPath: /etc/s3-credentials readOnly: true volumes: - name: github-token secret: secretName: github-token - name: config configMap: name: config - name: s3-credentials secret: secretName: s3-credentials --- apiVersion: v1 kind: Service metadata: namespace: prow name: tide spec: selector: app: tide ports: - port: 80 targetPort: 8888 --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: namespace: prow name: prow annotations: # Change this to your issuer when using cert-manager. Does # nothing when not using cert-manager. cert-manager.io/cluster-issuer: letsencrypt-staging spec: defaultBackend: # specify the default backend for `ingress-gce` (https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#default_backend) service: name: deck port: number: 80 rules: - host: $PROW_HOST http: paths: - path: / pathType: Prefix backend: service: name: deck port: number: 80 - path: /hook pathType: Prefix backend: service: name: hook port: number: 8888 --- apiVersion: apps/v1 kind: Deployment metadata: name: statusreconciler namespace: prow labels: app: statusreconciler spec: replicas: 1 selector: matchLabels: app: statusreconciler template: metadata: labels: app: statusreconciler spec: serviceAccountName: statusreconciler terminationGracePeriodSeconds: 180 containers: - name: statusreconciler image: gcr.io/k8s-prow/status-reconciler:v20240503-28485f4e6 args: - --dry-run=false - --continue-on-error=true - --plugin-config=/etc/plugins/plugins.yaml - --config-path=/etc/config/config.yaml - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --s3-credentials-file=/etc/s3-credentials/service-account.json - --status-path=s3://status-reconciler/status-reconciler-status - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid volumeMounts: - name: github-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true - name: s3-credentials mountPath: /etc/s3-credentials readOnly: true volumes: - name: github-token secret: secretName: github-token - name: config configMap: name: config - name: plugins configMap: name: plugins - name: s3-credentials secret: secretName: s3-credentials --- apiVersion: v1 kind: Namespace metadata: name: test-pods --- kind: ServiceAccount apiVersion: v1 metadata: namespace: prow name: "deck" --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "deck" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "deck" subjects: - kind: ServiceAccount name: "deck" --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: "deck" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "deck" subjects: - kind: ServiceAccount name: "deck" namespace: prow --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "deck" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - get - list - watch # Required when deck runs with `--rerun-creates-job=true` # **Warning:** Only use this for non-public deck instances, this allows # anyone with access to your Deck instance to create new Prowjobs # - create --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: "deck" rules: - apiGroups: - "" resources: - pods/log verbs: - get --- kind: ServiceAccount apiVersion: v1 metadata: namespace: prow name: "horologium" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "horologium" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - create - list - watch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "horologium" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "horologium" subjects: - kind: ServiceAccount name: "horologium" --- kind: ServiceAccount apiVersion: v1 metadata: namespace: prow name: "sinker" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "sinker" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - delete - list - watch - get - apiGroups: - coordination.k8s.io resources: - leases resourceNames: - prow-sinker-leaderlock verbs: - get - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - apiGroups: - "" resources: - configmaps resourceNames: - prow-sinker-leaderlock verbs: - get - update - apiGroups: - "" resources: - configmaps - events verbs: - create --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: "sinker" rules: - apiGroups: - "" resources: - pods verbs: - delete - list - watch - get - patch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "sinker" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "sinker" subjects: - kind: ServiceAccount name: "sinker" --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: "sinker" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "sinker" subjects: - kind: ServiceAccount name: "sinker" namespace: prow --- apiVersion: v1 kind: ServiceAccount metadata: namespace: prow name: "hook" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "hook" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - create - get - list - update - apiGroups: - "" resources: - configmaps verbs: - create - get - update --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "hook" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "hook" subjects: - kind: ServiceAccount name: "hook" --- apiVersion: v1 kind: ServiceAccount metadata: namespace: prow name: "tide" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "tide" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - create - list - get - watch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "tide" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "tide" subjects: - kind: ServiceAccount name: "tide" --- apiVersion: v1 kind: ServiceAccount metadata: namespace: prow name: "statusreconciler" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "statusreconciler" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - create --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: "statusreconciler" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "statusreconciler" subjects: - kind: ServiceAccount name: "statusreconciler" --- kind: PersistentVolumeClaim apiVersion: v1 metadata: namespace: prow labels: app: ghproxy name: ghproxy spec: accessModes: - ReadWriteOnce resources: requests: storage: 100Gi --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: ghproxy labels: app: ghproxy spec: selector: matchLabels: app: ghproxy strategy: type: Recreate # GHProxy does not support HA replicas: 1 template: metadata: labels: app: ghproxy spec: containers: - name: ghproxy image: gcr.io/k8s-prow/ghproxy:v20240503-28485f4e6 args: - --cache-dir=/cache - --cache-sizeGB=99 - --push-gateway=pushgateway - --serve-metrics=true ports: - containerPort: 8888 volumeMounts: - name: cache mountPath: /cache volumes: - name: cache persistentVolumeClaim: claimName: ghproxy --- apiVersion: v1 kind: Service metadata: labels: app: ghproxy namespace: prow name: ghproxy spec: ports: - name: main port: 80 protocol: TCP targetPort: 8888 - name: metrics port: 9090 selector: app: ghproxy type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: prow-controller-manager labels: app: prow-controller-manager spec: replicas: 1 selector: matchLabels: app: prow-controller-manager template: metadata: labels: app: prow-controller-manager spec: serviceAccountName: prow-controller-manager containers: - name: prow-controller-manager args: - --dry-run=false - --config-path=/etc/config/config.yaml - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --enable-controller=plank - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid image: gcr.io/k8s-prow/prow-controller-manager:v20240503-28485f4e6 volumeMounts: - name: github-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true volumes: - name: github-token secret: secretName: github-token - name: config configMap: name: config --- apiVersion: v1 kind: ServiceAccount metadata: namespace: prow name: prow-controller-manager --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: prow-controller-manager rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - get - list - watch - update - patch - apiGroups: - coordination.k8s.io resources: - leases resourceNames: - prow-controller-manager-leader-lock verbs: - get - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - apiGroups: - "" resources: - configmaps resourceNames: - prow-controller-manager-leader-lock verbs: - get - update - apiGroups: - "" resources: - configmaps - events verbs: - create --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: prow-controller-manager rules: - apiGroups: - "" resources: - pods verbs: - create - delete - get - list - patch - watch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: prow-controller-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: prow-controller-manager subjects: - kind: ServiceAccount name: prow-controller-manager --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: prow-controller-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: prow-controller-manager subjects: - kind: ServiceAccount name: prow-controller-manager namespace: prow --- apiVersion: apps/v1 kind: Deployment metadata: namespace: prow name: crier labels: app: crier spec: replicas: 1 selector: matchLabels: app: crier template: metadata: labels: app: crier spec: serviceAccountName: crier terminationGracePeriodSeconds: 30 containers: - name: crier image: gcr.io/k8s-prow/crier:v20240503-28485f4e6 args: - --blob-storage-workers=10 - --config-path=/etc/config/config.yaml - --s3-credentials-file=/etc/s3-credentials/service-account.json - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-workers=10 - --kubernetes-blob-storage-workers=10 - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: github-token key: appid volumeMounts: - name: config mountPath: /etc/config readOnly: true - name: github-token mountPath: /etc/github readOnly: true - name: s3-credentials mountPath: /etc/s3-credentials readOnly: true volumes: - name: config configMap: name: config - name: github-token secret: secretName: github-token - name: s3-credentials secret: secretName: s3-credentials --- kind: ServiceAccount apiVersion: v1 metadata: name: crier namespace: prow --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: prow name: crier rules: - apiGroups: - "prow.k8s.io" resources: - "prowjobs" verbs: - "get" - "watch" - "list" - "patch" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: crier rules: - apiGroups: - "" resources: - "pods" - "events" verbs: - "get" - "list" - apiGroups: - "" resources: - "pods" verbs: - "patch" --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: crier namespace: prow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: crier subjects: - kind: ServiceAccount name: crier namespace: prow --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: crier namespace: test-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: crier subjects: - kind: ServiceAccount name: crier namespace: prow --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: minio namespace: prow spec: accessModes: - ReadWriteOnce resources: requests: storage: 100Gi --- apiVersion: v1 kind: Secret metadata: namespace: prow name: s3-credentials stringData: service-account.json: | { "region": "minio", "access_key": "$MINIO_ROOT_USER", "endpoint": "minio.prow.svc.cluster.local", "insecure": true, "s3_force_path_style": true, "secret_key": "$MINIO_ROOT_PASSWORD" } --- apiVersion: v1 kind: Secret metadata: namespace: test-pods name: s3-credentials stringData: service-account.json: | { "region": "minio", "access_key": "$MINIO_ROOT_USER", "endpoint": "minio.prow.svc.cluster.local", "insecure": true, "s3_force_path_style": true, "secret_key": "$MINIO_ROOT_PASSWORD" } --- apiVersion: apps/v1 kind: Deployment metadata: name: minio namespace: prow spec: selector: matchLabels: app: minio strategy: type: Recreate template: metadata: labels: app: minio spec: volumes: - name: data persistentVolumeClaim: claimName: minio initContainers: - name: bucket-creator image: alpine command: - mkdir - -p - /data/prow-logs - /data/tide - /data/status-reconciler volumeMounts: - name: data mountPath: "/data" containers: - name: minio volumeMounts: - name: data mountPath: "/data" image: minio/minio:latest args: - server - /data env: - name: MINIO_ROOT_USER valueFrom: secretKeyRef: name: minio-root-creds key: user - name: MINIO_ROOT_PASSWORD valueFrom: secretKeyRef: name: minio-root-creds key: password - name: MINIO_REGION_NAME value: minio ports: - containerPort: 9000 readinessProbe: httpGet: path: /minio/health/ready port: 9000 periodSeconds: 20 livenessProbe: httpGet: path: /minio/health/live port: 9000 --- apiVersion: v1 kind: Service metadata: name: minio namespace: prow spec: type: ClusterIP ports: - port: 80 targetPort: 9000 protocol: TCP selector: app: minio