From 9b24d142619fd2058415065b7e3ec3a11900b892 Mon Sep 17 00:00:00 2001 
From: John Jacobs Date: Tue, 31 Jan 2023 09:06:36 -0800 Subject: [PATCH] Prow GitHub app migration part II (#290) Issue #, if available: https://github.com/aws-controllers-k8s/community/issues/1565 A 2nd attempt at deploying changes from https://github.com/aws-controllers-k8s/test-infra/pull/264, previously reverted in https://github.com/aws-controllers-k8s/test-infra/pull/289 Description of changes: Update Prow deployments to use a GitHub app instead of a GitHub personal access token. Also, includes addition of the ability to import an existing S3 bucket instead of trying to create one during the `cdk deploy`. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --- infra/README.md | 55 +++- infra/bin/test-ci.ts | 8 +- infra/lib/charts/app-of-apps.yaml | 25 -- infra/lib/charts/flux-configuration.ts | 21 -- infra/lib/charts/flux.ts | 18 -- infra/lib/charts/namespace.ts | 24 -- infra/lib/charts/prow-secrets.ts | 76 ++++-- infra/lib/ci-cluster.ts | 243 +++++++++++------- infra/lib/log-bucket.ts | 21 +- infra/lib/prow-service-accounts.ts | 135 ++++++---- infra/lib/test-ci-stack.ts | 60 +++-- infra/test/test-ci.test.ts | 8 +- prow/config/Chart.yaml | 2 +- prow/config/templates/config-ConfigMap.yaml | 3 +- prow/config/templates/crier-Deployment.yaml | 8 +- prow/config/templates/deck-Deployment.yaml | 8 +- .../config/templates/github-token-Secret.yaml | 9 +- prow/config/templates/hmac-token-Secret.yaml | 4 +- prow/config/templates/hook-Deployment.yaml | 9 +- .../templates/horologium-Deployment.yaml | 1 - prow/config/templates/horologium-Role.yaml | 3 +- .../prow-controller-manager-Deployment.yaml | 9 +- prow/config/templates/sinker-Deployment.yaml | 1 - .../statusreconciler-Deployment.yaml | 9 +- prow/config/templates/tide-Deployment.yaml | 9 +- prow/config/values.yaml | 34 +-- prow/jobs/jinja/periodics/label_sync.jinja2 | 4 +- .../lifecycle_bot_periodic_close.jinja2 | 2 +- 
.../lifecycle_bot_periodic_rotten.jinja2 | 2 +- .../lifecycle_bot_periodic_stale.jinja2 | 2 +- .../jinja/postsubmits/codegen_release.jinja2 | 2 +- .../jinja/postsubmits/community_docs.jinja2 | 2 +- .../controller_bootstrap_update.jinja2 | 2 +- .../postsubmits/controller_release.jinja2 | 6 +- .../jinja/postsubmits/runtime_release.jinja2 | 2 +- prow/jobs/jobs.yaml | 200 +++++++------- 36 files changed, 584 insertions(+), 443 deletions(-) delete mode 100644 infra/lib/charts/app-of-apps.yaml delete mode 100644 infra/lib/charts/flux-configuration.ts delete mode 100644 infra/lib/charts/flux.ts delete mode 100644 infra/lib/charts/namespace.ts diff --git a/infra/README.md b/infra/README.md index 8f00967b..62154984 100644 --- a/infra/README.md +++ b/infra/README.md 
@@ -11,18 +11,57 @@ ## Deploying the CDK To deploy the CDK stacks, you must have the appropriate permissions to create -the CloudFormation stack and associated resources in a given AWS account. You -will also need: -- A personal access token for the [Prow bot account](https://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#github-bot-account) -- An HMAC token used to validate Github webhooks - - This can be generated using `openssl rand -hex 20` +the CloudFormation stack and associated resources in a given AWS account. + +You will also need to **manually** create and configure a GitHub app for Prow as [documented here](https://github.com/kubernetes-sigs/prow/blob/main/site/content/en/docs/getting-started-deploy.md#github-app). + +Once the GitHub app is configured, you will need three data elements from the app's settings page to pass to the CDK deployment: + +- The app ID +- The app's private RSA key (in PEM format) +- The app's configured webhook secret + - **_NOTE_**: you can generate a valid value for this using `openssl rand -hex 20` Use the following command to deploy the stack with the included requirements: ```bash -export BOT_PAT='' -export WEBHOOK_HMAC='' -export LOGS_BUCKET='' # Optional +export GITHUB_PAT= +export GITHUB_APP_ID= +export GITHUB_APP_PRIVATE_KEY= +export GITHUB_APP_CLIENT_ID= +export GITHUB_APP_WEBHOOK_SECRET= +export LOGS_BUCKET= # Optional +export LOGS_BUCKET_IMPORT=false # NOTE: optional, use this and set to true if you want to import an existing bucket + export AWS_DEFAULT_REGION=us-west-2 + +cd test-infra/infra cdk bootstrap cdk deploy ``` + +or, via command line arguments: +```bash +export AWS_DEFAULT_REGION=us-west-2 + +cd test-infra/infra +cdk bootstrap +cdk deploy \ + -c pat="" \ + -c app_id="" \ + -c client_id="" \ + -c app_private_key="" \ + -c app_webhook_secret="" \ + -c logs_bucket="" \ + -c logs_bucket_import= +``` + +An example: +```bash +export AWS_DEFAULT_REGION=us-west-2 +cd 
$GOPATH/src/github.com/aws-controllers-k8s/test-infra/infra +cdk bootstrap +cdk deploy -c pat="12345" -c app_id="123456" -c client_id="12345" \ + -c app_private_key="$(cat ./github_app_cert.pem)" \ + -c app_webhook_secret="081d23f783c016e91950c92a4fe4f87bfe61ca8b" \ + -c logs_bucket="ack-prow-logs-1234567890" +``` \ No newline at end of file diff --git a/infra/bin/test-ci.ts b/infra/bin/test-ci.ts index 7b03ef9c..af43f18e 100644 --- a/infra/bin/test-ci.ts +++ b/infra/bin/test-ci.ts @@ -20,9 +20,13 @@ new TestCIStack(app, 'TestCIStack', { /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */ clusterConfig: { - botPersonalAccessToken: app.node.tryGetContext('bot_pat') || process.env.BOT_PAT, - webhookHMACToken: app.node.tryGetContext('webhook_hmac') || process.env.WEBHOOK_HMAC + personalAccessToken: app.node.tryGetContext('pat') || process.env.GITHUB_PAT, + appId: app.node.tryGetContext('app_id') || process.env.GITHUB_APP_ID, + appClientId: app.node.tryGetContext('client_id') || process.env.GITHUB_APP_CLIENT_ID, + appPrivateKey: app.node.tryGetContext('app_private_key') || process.env.GITHUB_APP_PRIVATE_KEY, + appWebhookSecret: app.node.tryGetContext('app_webhook_secret') || process.env.GITHUB_APP_WEBHOOK_SECRET }, logsBucketName: app.node.tryGetContext('logs_bucket') || process.env.LOGS_BUCKET, + logsBucketImport: app.node.tryGetContext('logs_bucket_import') || process.env.LOGS_BUCKET_IMPORT || false, pvreBucketName: app.node.tryGetContext('pvre_bucket') || process.env.PVRE_BUCKET, }); diff --git a/infra/lib/charts/app-of-apps.yaml b/infra/lib/charts/app-of-apps.yaml deleted file mode 100644 index f97a9169..00000000 --- a/infra/lib/charts/app-of-apps.yaml +++ /dev/null 
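Review bot: `logsBucketImport` is built with `app.node.tryGetContext('logs_bucket_import') || process.env.LOGS_BUCKET_IMPORT || false`, but environment variables are always strings (and `-c` context values arrive as strings as well, as far as I know), so the README's `LOGS_BUCKET_IMPORT=false` yields the truthy string `"false"`. `LogBucket` then takes its `if (props.logsBucketImport)` branch and imports a bucket instead of creating the encrypted, versioned one. Parse the value explicitly, for example `logsBucketImport: String(app.node.tryGetContext('logs_bucket_import') ?? process.env.LOGS_BUCKET_IMPORT ?? 'false').toLowerCase() === 'true',`. The `new TestCIStack(...)` call starts outside this hunk.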
@@ -1,25 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: GitRepository -metadata: - name: test-infra - namespace: flux-system -spec: - interval: 30s - ref: - branch: main - url: https://github.com/aws-controllers-k8s/test-infra ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: all-apps - namespace: flux-system -spec: - interval: 5m - sourceRef: - kind: GitRepository - name: test-infra - path: ./flux - prune: true - targetNamespace: flux-system - validation: client \ No newline at end of file diff --git a/infra/lib/charts/flux-configuration.ts b/infra/lib/charts/flux-configuration.ts deleted file mode 100644 index 3e2eab06..00000000 --- a/infra/lib/charts/flux-configuration.ts +++ /dev/null @@ -1,21 +0,0 @@ -import * as path from 'path'; -import * as cdk8s from 'cdk8s'; -import * as constructs from 'constructs'; - -export interface FluxConfigurationChartProps { -} - -export class FluxConfigurationChart extends cdk8s.Chart { - readonly flux: cdk8s.Include; - readonly appOfApps: cdk8s.Include; - - constructor(scope: constructs.Construct, id: string, props: FluxConfigurationChartProps) { - super(scope, id); - - const appOfAppsManifest = path.join(__dirname, "app-of-apps.yaml"); - // Must import externally, as it is a CRD - this.appOfApps = new cdk8s.Include(this, 'app-of-apps', { - url: appOfAppsManifest - }); - } -} \ No newline at end of file diff --git a/infra/lib/charts/flux.ts b/infra/lib/charts/flux.ts deleted file mode 100644 index b1b80859..00000000 --- a/infra/lib/charts/flux.ts +++ /dev/null 
@@ -1,18 +0,0 @@ -import * as cdk8s from 'cdk8s'; -import * as constructs from 'constructs'; - -export interface FluxChartProps { -} - -export class FluxChart extends cdk8s.Chart { - readonly flux: cdk8s.Include; - readonly appOfApps: cdk8s.Include; - - constructor(scope: constructs.Construct, id: string, props: FluxChartProps) { - super(scope, id); - - this.flux = new cdk8s.Include(this, 'flux', { - url: 'https://github.com/fluxcd/flux2/releases/download/v0.13.1/install.yaml' - }); - } -} \ No newline at end of file diff --git a/infra/lib/charts/namespace.ts b/infra/lib/charts/namespace.ts deleted file mode 100644 index b4918446..00000000 --- a/infra/lib/charts/namespace.ts +++ /dev/null @@ -1,24 +0,0 @@ -import * as cdk8s from 'cdk8s'; -import * as constructs from 'constructs'; -import * as kplus from 'cdk8s-plus-20'; - -export interface NamespaceChartProps { - readonly name: string; -} - -export class NamespaceChart extends cdk8s.Chart { - readonly botPATSecret: kplus.Secret; - readonly webhookHMACSecret: kplus.Secret; - - constructor(scope: constructs.Construct, id: string, props: NamespaceChartProps) { - super(scope, id); - - new cdk8s.ApiObject(this, `${props.name}-namespace`, { - apiVersion: "v1", - kind: "Namespace", - metadata: { - name: props.name - } - }); - } -} \ No newline at end of file diff --git a/infra/lib/charts/prow-secrets.ts b/infra/lib/charts/prow-secrets.ts index 8e802296..71da4ed4 100644 --- a/infra/lib/charts/prow-secrets.ts +++ b/infra/lib/charts/prow-secrets.ts 
@@ -3,27 +3,67 @@ import * as constructs from 'constructs'; import * as kplus from 'cdk8s-plus-20'; import { PROW_NAMESPACE, PROW_JOB_NAMESPACE } from '../test-ci-stack'; -export interface ProwSecretsChartProps { - readonly botPersonalAccessToken: string; - readonly webhookHMACToken: string; +export interface ProwGitHubSecretsChartProps { + readonly personalAccessToken: string; + readonly appId: string; + readonly appClientId: string; + readonly appPrivateKey: string; + readonly appWebhookSecret: string; } -export class ProwSecretsChart extends cdk8s.Chart { - readonly botPATSecret: kplus.Secret; - // github token to be used by prowjobs in PROW_JOB_NAMESPACE - readonly prowjobBotPATSecret: kplus.Secret; - readonly webhookHMACSecret: kplus.Secret; +export class ProwGitHubSecretsChart extends cdk8s.Chart { + readonly pat: kplus.Secret; + readonly prowjobPAT: kplus.Secret; - constructor(scope: constructs.Construct, id: string, props: ProwSecretsChartProps) { + readonly token: kplus.Secret; + // github client secret to be used by prowjobs in PROW_JOB_NAMESPACE + readonly prowjobToken: kplus.Secret; + readonly hmacToken: kplus.Secret; + + constructor(scope: constructs.Construct, id: string, props: ProwGitHubSecretsChartProps) { super(scope, id); - if (props.botPersonalAccessToken === undefined || props.webhookHMACToken === undefined) { - throw new Error(`Expected bot personal access token and webhook HMAC token to be specified`); + if ( + props.personalAccessToken === undefined || + props.appPrivateKey === undefined || + props.appClientId === undefined || + props.appWebhookSecret === undefined || + props.appId === undefined) { + throw new Error(`Expected: GitHub bot PAT, bot Webhook HMAC, app ID, client ID, app private key, & app webhook HMAC token`); + } + if (props.appPrivateKey.length < 1500) { + console.error("Found invalid app private key: ", props.appPrivateKey); + throw new Error(`Expected GitHub app private key to be in valid PEM format (and >= 1500 bytes)`); } 
- this.botPATSecret = new kplus.Secret(this, 'github-token', { + // a GitHub PAT for use by various scripts for deploying code to repos + this.pat = new kplus.Secret(this, 'github-pat-token', { + stringData: { + 'token': props.personalAccessToken + }, + metadata: { + name: 'github-pat-token', + namespace: PROW_NAMESPACE + } + }); + + // a GitHub PAT for use by various Prow jobs + this.prowjobPAT = new kplus.Secret(this, 'prowjob-github-pat-token', { + stringData: { + 'token': props.personalAccessToken + }, + metadata: { + name: 'prowjob-github-pat-token', + namespace: PROW_JOB_NAMESPACE + } + }); + + // three pieces of important data from the GitHub app: the private key, the app ID, and the client ID + this.token = new kplus.Secret(this, 'github-token', { stringData: { - 'token': props.botPersonalAccessToken + 'cert': props.appPrivateKey, + 'appid': props.appId, + 'clientid': props.appClientId }, metadata: { name: 'github-token', @@ -31,9 +71,11 @@ export class ProwSecretsChart extends cdk8s.Chart { } }); - this.prowjobBotPATSecret = new kplus.Secret(this, 'prowjob-github-token', { + this.prowjobToken = new kplus.Secret(this, 'prowjob-github-token', { stringData: { - 'token': props.botPersonalAccessToken + 'cert': props.appPrivateKey, + 'appid': props.appId, + 'clientid': props.appClientId }, metadata: { name: 'prowjob-github-token', @@ -41,9 +83,9 @@ export class ProwSecretsChart extends cdk8s.Chart { } }); - this.webhookHMACSecret = new kplus.Secret(this, 'hmac-token', { + this.hmacToken = new kplus.Secret(this, 'hmac-token', { stringData: { - 'hmac': props.webhookHMACToken + 'hmac': props.appWebhookSecret }, metadata: { name: 'hmac-token', diff --git a/infra/lib/ci-cluster.ts b/infra/lib/ci-cluster.ts index 2f196de8..edf9fe2b 100644 --- a/infra/lib/ci-cluster.ts +++ b/infra/lib/ci-cluster.ts 
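Review bot: The length check on `props.appPrivateKey` prints the key itself with `console.error("Found invalid app private key: ", props.appPrivateKey)`, so a truncated or mis-quoted but otherwise real key ends up in terminal scrollback or CI logs. Log only non-secret facts, for example `console.error("GitHub app private key rejected: length", props.appPrivateKey.length);`. The `=== undefined` guards above it also accept empty strings for the other four values; a falsy check such as `!props.appId` would catch those if empty input is not meant to be valid. The constructor continues past the end of this hunk.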
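Review bot: `prowjob-github-token` now carries the GitHub app private key (`'cert': props.appPrivateKey`), and the field comment in the previous hunk says this Secret is for prowjobs in `PROW_JOB_NAMESPACE`; its `namespace` line is outside this hunk. If that is the namespace, anything able to mount or read Secrets there holds the app's signing key rather than a scoped token. If jobs only need the PAT (already provided as `prowjob-github-pat-token`), leave `cert` out of this Secret. Otherwise add a comment above `this.prowjobToken` naming which job consumes the key and why.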
@@ -1,25 +1,31 @@ -import * as cdk from '@aws-cdk/core'; -import * as eks from '@aws-cdk/aws-eks'; -import * as ec2 from '@aws-cdk/aws-ec2'; -import * as iam from '@aws-cdk/aws-iam'; -import * as cdk8s from 'cdk8s'; -import { policies as ALBPolicies } from './policies/aws-load-balancer-controller-policy'; -import { FluxConfigurationChart } from './charts/flux-configuration'; -import { ProwSecretsChart, ProwSecretsChartProps } from './charts/prow-secrets'; -import { NamespaceChart } from './charts/namespace'; -import { EXTERNAL_DNS_NAMESPACE, FLUX_NAMESPACE, PROW_JOB_NAMESPACE, PROW_NAMESPACE } from './test-ci-stack'; - -export type CIClusterCompileTimeProps = ProwSecretsChartProps; - -export type CIClusterRuntimeProps = { -}; +import * as path from "path"; +import * as cdk from "@aws-cdk/core"; +import * as eks from "@aws-cdk/aws-eks"; +import * as ec2 from "@aws-cdk/aws-ec2"; +import * as iam from "@aws-cdk/aws-iam"; +import * as cdk8s from "cdk8s"; +import { policies as ALBPolicies } from "./policies/aws-load-balancer-controller-policy"; +import { ProwGitHubSecretsChart, ProwGitHubSecretsChartProps } from "./charts/prow-secrets"; +import { + EXTERNAL_DNS_NAMESPACE, + FLUX_NAMESPACE, + PROW_JOB_NAMESPACE, + PROW_NAMESPACE, +} from "./test-ci-stack"; +import { KubernetesManifest } from "@aws-cdk/aws-eks"; +import { Chart } from "cdk8s"; + +export type CIClusterCompileTimeProps = ProwGitHubSecretsChartProps; + +export type CIClusterRuntimeProps = {}; export type CIClusterProps = CIClusterCompileTimeProps & CIClusterRuntimeProps; export class CICluster extends cdk.Construct { readonly testCluster: eks.Cluster; readonly testNodegroup: eks.Nodegroup; - readonly cdk8sApp: cdk8s.App = new cdk8s.App(); + + readonly namespaceManifests: eks.KubernetesManifest[]; constructor(scope: cdk.Construct, id: string, props: CIClusterProps) { super(scope, id); 
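Review bot: The new import block brings in `path` and `Chart`, but neither is referenced in the hunks shown for this file. `KubernetesManifest` is also imported by name although `eks` is already imported as a namespace, and the new field is typed `eks.KubernetesManifest[]`. If the rest of the file does not use them, drop `import * as path from "path";` and `import { Chart } from "cdk8s";`, and write `new eks.KubernetesManifest(...)` in `createNamespace`. The class body continues outside this hunk.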
@@ -34,116 +40,169 @@ export class CICluster extends cdk.Construct { diskSize: 150, }) + this.namespaceManifests = [ + EXTERNAL_DNS_NAMESPACE, + PROW_JOB_NAMESPACE, + PROW_NAMESPACE, + ].map(this.createNamespace); + this.installProwRequirements(props); this.installFlux(); - this.installFluxConfiguration(); this.installExternalDNS(); this.installAWSLoadBalancer(); } createNamespace = (name: string) => { - return this.testCluster.addCdk8sChart(`${name}-namespace-chart`, - new NamespaceChart(this.cdk8sApp, `${name}Namespace`, { - name: name - })); - } + return new KubernetesManifest( + this.testCluster.stack, + `${name}-namespace-struct`, + { + cluster: this.testCluster, + manifest: [ + { + apiVersion: "v1", + kind: "Namespace", + metadata: { + name: name, + }, + }, + ], + } + ); + }; installFlux = () => { - const fluxChart = this.testCluster.addHelmChart('flux2', { - chart: 'flux2', - repository: 'https://fluxcd-community.github.io/helm-charts', + const fluxChart = this.testCluster.addHelmChart("flux2", { + chart: "flux2", + repository: "https://fluxcd-community.github.io/helm-charts", namespace: FLUX_NAMESPACE, createNamespace: true, - version: '0.19.2', + version: "0.19.2", values: {}, - }) - } + }); - installFluxConfiguration = () => { - const fluxConfigChart = this.testCluster.addCdk8sChart('flux-configuration', - new FluxConfigurationChart( - this.cdk8sApp, 'FluxConfiguration', {} - ) + const fluxBootstrap = this.testCluster.addManifest( + "FluxBootstrap", + ...[ + { + apiVersion: "source.toolkit.fluxcd.io/v1beta2", + kind: "GitRepository", + metadata: { + name: "test-infra", + namespace: "flux-system", + }, + spec: { + interval: "30s", + ref: { + branch: "main", + }, + url: "https://github.com/aws-controllers-k8s/test-infra", + }, + }, + { + apiVersion: "kustomize.toolkit.fluxcd.io/v1beta2", + kind: "Kustomization", + metadata: { + name: "all-apps", + namespace: "flux-system", + }, + spec: { + interval: "5m", + sourceRef: { + kind: "GitRepository", + name: 
"test-infra", + }, + path: "./flux", + prune: true, + targetNamespace: "flux-system", + validation: "client", + }, + }, + ] + ); + fluxBootstrap.node.addDependency(fluxChart); + }; + + installProwRequirements = (secretsProps: ProwGitHubSecretsChartProps) => { + const prowSecretsApp = new cdk8s.App(); + const prowSecretsChart = this.testCluster.addCdk8sChart( + "prow-secrets", + new ProwGitHubSecretsChart(prowSecretsApp, "ProwSecrets", secretsProps) ); - } - - installProwRequirements = (secretsProps: ProwSecretsChartProps) => { - let requiredNamespaces: eks.KubernetesManifest[] = - [PROW_NAMESPACE, PROW_JOB_NAMESPACE].map(this.createNamespace); - - const prowSecretsChart = - this.testCluster.addCdk8sChart('prow-secrets', - new ProwSecretsChart( - this.cdk8sApp, 'ProwSecrets', secretsProps - ) - ); // Ensure namespaces are created before secrets - prowSecretsChart.node.addDependency(...requiredNamespaces); - } + prowSecretsChart.node.addDependency(...this.namespaceManifests); + prowSecretsApp.charts.forEach((chart) => + chart.addDependency(...this.namespaceManifests) + ); + }; installExternalDNS = () => { - const externalDNSNamespace = this.createNamespace(EXTERNAL_DNS_NAMESPACE); - - const externalDNSServiceAccount = - this.testCluster.addServiceAccount('external-dns-service-account', { + const externalDNSServiceAccount = this.testCluster.addServiceAccount( + "external-dns-service-account", + { namespace: EXTERNAL_DNS_NAMESPACE, - }); - externalDNSServiceAccount.node.addDependency(externalDNSNamespace); - externalDNSServiceAccount.addToPrincipalPolicy(new iam.PolicyStatement({ - effect: iam.Effect.ALLOW, - actions: ["route53:ChangeResourceRecordSets"], - resources: ["arn:aws:route53:::hostedzone/*"] - })) - externalDNSServiceAccount.addToPrincipalPolicy(new iam.PolicyStatement({ - effect: iam.Effect.ALLOW, - actions: [ - "route53:ListHostedZones", - "route53:ListResourceRecordSets" - ], - resources: ["*"] - })); - - const helmChart = 
this.testCluster.addHelmChart('external-dns', { - chart: 'external-dns', - repository: 'https://charts.bitnami.com/bitnami', + } + ); + externalDNSServiceAccount.node.addDependency(...this.namespaceManifests); + + externalDNSServiceAccount.addToPrincipalPolicy( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ["route53:ChangeResourceRecordSets"], + resources: ["arn:aws:route53:::hostedzone/*"], + }) + ); + externalDNSServiceAccount.addToPrincipalPolicy( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + actions: ["route53:ListHostedZones", "route53:ListResourceRecordSets"], + resources: ["*"], + }) + ); + + const helmChart = this.testCluster.addHelmChart("external-dns", { + chart: "external-dns", + repository: "https://charts.bitnami.com/bitnami", namespace: EXTERNAL_DNS_NAMESPACE, - version: '4.11.1', + version: "6.12.0", values: { namespace: PROW_NAMESPACE, // Limit only to DNS in Prow sources: ["ingress"], policy: "upsert-only", serviceAccount: { create: false, - name: externalDNSServiceAccount.serviceAccountName + name: externalDNSServiceAccount.serviceAccountName, }, aws: { - zoneType: "public" - } - } + zoneType: "public", + }, + }, }); - helmChart.node.addDependency(externalDNSNamespace); - } + helmChart.node.addDependency(...this.namespaceManifests); + }; installAWSLoadBalancer = () => { - const serviceAccount = - this.testCluster.addServiceAccount('alb-service-account', { - namespace: 'kube-system', - }); - ALBPolicies.map(policy => serviceAccount.addToPrincipalPolicy(policy)) - - this.testCluster.addHelmChart('aws-load-balancer-controller', { - chart: 'aws-load-balancer-controller', - repository: 'https://aws.github.io/eks-charts', - namespace: 'kube-system', - version: '1.1.6', + const serviceAccount = this.testCluster.addServiceAccount( + "alb-service-account", + { + namespace: "kube-system", + } + ); + ALBPolicies.map((policy) => serviceAccount.addToPrincipalPolicy(policy)); + + 
this.testCluster.addHelmChart("aws-load-balancer-controller", { + chart: "aws-load-balancer-controller", + repository: "https://aws.github.io/eks-charts", + namespace: "kube-system", + version: "1.1.6", values: { clusterName: this.testCluster.clusterName, serviceAccount: { create: false, - name: serviceAccount.serviceAccountName - } - } + name: serviceAccount.serviceAccountName, + }, + }, }); - } + }; } diff --git a/infra/lib/log-bucket.ts b/infra/lib/log-bucket.ts index cdd1cc76..9a07b364 100644 --- a/infra/lib/log-bucket.ts +++ b/infra/lib/log-bucket.ts @@ -6,7 +6,8 @@ import { PROW_NAMESPACE } from './test-ci-stack'; import { RemovalPolicy } from '@aws-cdk/core'; export type LogBucketCompileProps = { - logsBucketName: string + logsBucketName: string; + logsBucketImport: boolean; } export type LogBucketRuntimeProps = { @@ -16,17 +17,23 @@ export type LogBucketRuntimeProps = { export type LogBucketProps = LogBucketCompileProps & LogBucketRuntimeProps; export class LogBucket extends cdk.Construct { - readonly bucket: s3.Bucket; + readonly bucket: s3.IBucket; readonly deploymentServiceAccountRole: eks.ServiceAccount; constructor(scope: cdk.Construct, id: string, props: LogBucketProps) { super(scope, id); - this.bucket = new s3.Bucket(this, 'LogsBucket', { - bucketName: props.logsBucketName || "ack-prow-logs-" + props.account, - encryption: s3.BucketEncryption.S3_MANAGED, - versioned: true - }); + let bucketName = props.logsBucketName || "ack-prow-logs-" + props.account; + if (props.logsBucketImport) { + this.bucket = s3.Bucket.fromBucketName(this, 'LogsBucket', bucketName); + } + else { + this.bucket = new s3.Bucket(this, 'LogsBucket', { + bucketName: bucketName, + encryption: s3.BucketEncryption.S3_MANAGED, + versioned: true + }); + } // Destroy bucket if name not specifically specified if (props.logsBucketName === undefined) { diff --git a/infra/lib/prow-service-accounts.ts b/infra/lib/prow-service-accounts.ts index fd0b8e9e..e25b68cc 100644 
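Review bot: `installFlux` now inlines the `GitRepository`/`Kustomization` pair that tracks `branch: "main"` of the test-infra repository with `prune: true`, and nothing beside it states the trust assumption behind that. Add a comment above `fluxBootstrap`, such as `// Cluster state follows the head of main: anything merged under ./flux is applied and pruned by Flux.` If commit signing is used on that repository, the GitRepository `spec.verify` field is where it would be enforced. Separately, `ALBPolicies.map(...)` near the end of the hunk is used only for its side effect and would read better as `forEach`. The constructor starts outside this hunk.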
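Review bot: When `props.logsBucketImport` is set, `s3.Bucket.fromBucketName` returns only a reference, so the `S3_MANAGED` encryption and `versioned: true` settings of the other branch are never applied to or checked on the imported bucket. The import also falls back to `"ack-prow-logs-" + props.account` when `logsBucketName` is empty, and then reaches the `logsBucketName === undefined` block that follows. Consider rejecting that combination up front with `if (props.logsBucketImport && !props.logsBucketName) throw new Error("logsBucketImport requires logsBucketName");`, and documenting that an imported bucket must already be encrypted and versioned. `bucketName` is never reassigned and can be `const`. The constructor continues past the end of this hunk.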
--- a/infra/lib/prow-service-accounts.ts +++ b/infra/lib/prow-service-accounts.ts @@ -1,8 +1,8 @@ -import * as cdk from '@aws-cdk/core'; -import * as eks from '@aws-cdk/aws-eks'; -import * as s3 from '@aws-cdk/aws-s3'; -import * as iam from '@aws-cdk/aws-iam'; -import { PROW_JOB_NAMESPACE, PROW_NAMESPACE } from './test-ci-stack'; +import * as cdk from "@aws-cdk/core"; +import * as eks from "@aws-cdk/aws-eks"; +import * as s3 from "@aws-cdk/aws-s3"; +import * as iam from "@aws-cdk/aws-iam"; +import { PROW_JOB_NAMESPACE, PROW_NAMESPACE } from "./test-ci-stack"; export type ProwServiceAccountsProps = { account: string; @@ -10,9 +10,11 @@ export type ProwServiceAccountsProps = { region: string; prowCluster: eks.Cluster; - tideStatusBucket: s3.Bucket; - presubmitsBucket: s3.Bucket; - postsubmitsBucket: s3.Bucket; + namespaceManifests: eks.KubernetesManifest[]; + + tideStatusBucket: s3.IBucket; + presubmitsBucket: s3.IBucket; + postsubmitsBucket: s3.IBucket; }; export class ProwServiceAccounts extends cdk.Construct { @@ -20,7 +22,11 @@ export class ProwServiceAccounts extends cdk.Construct { readonly presubmitJobServiceAccount: eks.ServiceAccount; readonly postsubmitJobServiceAccount: eks.ServiceAccount; - constructor(scope: cdk.Construct, id: string, props: ProwServiceAccountsProps) { + constructor( + scope: cdk.Construct, + id: string, + props: ProwServiceAccountsProps + ) { super(scope, id); // Necessary only when splitting control and data plane @@ -28,7 +34,7 @@ export class ProwServiceAccounts extends cdk.Construct { // actions: ["eks:DescribeCluster"], // resources: [props.prowCluster.clusterArn], // }); - + const tideStatusReconcilerAccessPolicy = new iam.PolicyStatement({ actions: ["s3:Get*", "s3:List*", "s3:Put*", "s3:DeleteObject"], resources: [ 
@@ -39,13 +45,13 @@ export class ProwServiceAccounts extends cdk.Construct { const preAssumeRolePolicy = new iam.PolicyStatement({ actions: ["sts:AssumeRole"], - resources: ["*"] + resources: ["*"], }); // Used to validate recommended-policy-arn in service controllers repository const preGetPolicyPolicy = new iam.PolicyStatement({ actions: ["iam:GetPolicy"], - resources: ["*"] + resources: ["*"], }); const preBucketAccessPolicy = new iam.PolicyStatement({ @@ -74,10 +80,10 @@ export class ProwServiceAccounts extends cdk.Construct { "ecr-public:DescribeImages", "ecr-public:DescribeImageTags", "ecr-public:GetRepositoryCatalogData", - "ecr-public:GetRegistryCatalogData" + "ecr-public:GetRegistryCatalogData", ], - resources: ["*"] - }) + resources: ["*"], + }); const postBucketAccessPolicy = new iam.PolicyStatement({ actions: ["s3:Get*", "s3:List*", "s3:Put*", "s3:DeleteObject"], @@ -101,7 +107,7 @@ export class ProwServiceAccounts extends cdk.Construct { "ecr-public:PutImage", "ecr-public:ListTagsForResource", "ecr-public:PutRegistryCatalogData", - "ecr-public:BatchCheckLayerAvailability" + "ecr-public:BatchCheckLayerAvailability", ], resources: [ `arn:${props.stackPartition}:ecr-public::${props.account}:registry/*`, @@ -111,22 +117,18 @@ export class ProwServiceAccounts extends cdk.Construct { const postEcrPublicAllResourcePolicy = new iam.PolicyStatement({ actions: ["ecr-public:GetAuthorizationToken"], - resources: [ - "*", - ], + resources: ["*"], }); const postStsPolicy = new iam.PolicyStatement({ actions: ["sts:GetServiceBearerToken"], - resources: [ - "*", - ], + resources: ["*"], }); // Assumes the Role in service team's account to access soak EKS cluster const postAssumeRolePolicy = new iam.PolicyStatement({ actions: ["sts:AssumeRole"], - resources: ["*"] + resources: ["*"], }); const postParamStoreAccessPolicy = new iam.PolicyStatement({ 
@@ -138,56 +140,85 @@ export class ProwServiceAccounts extends cdk.Construct { // Service account for each of the Prow deployments // TODO(RedbackThomson): Split by service and assign individual permissions to each - this.deploymentServiceAccount = props.prowCluster.addServiceAccount('ProwDeploymentServiceAccount', { - namespace: PROW_NAMESPACE, - name: "prow-deployment-service-account" - }); + this.deploymentServiceAccount = props.prowCluster.addServiceAccount( + "ProwDeploymentServiceAccount", + { + namespace: PROW_NAMESPACE, + name: "prow-deployment-service-account", + } + ); + this.deploymentServiceAccount.node.addDependency( + ...props.namespaceManifests + ); // this.deploymentServiceAccount.addToPrincipalPolicy(dataplaneAccessPolicy); - this.deploymentServiceAccount.addToPrincipalPolicy(tideStatusReconcilerAccessPolicy); + this.deploymentServiceAccount.addToPrincipalPolicy( + tideStatusReconcilerAccessPolicy + ); this.deploymentServiceAccount.addToPrincipalPolicy(preBucketAccessPolicy); this.deploymentServiceAccount.addToPrincipalPolicy(postBucketAccessPolicy); - new cdk.CfnOutput(scope, 'DeploymentServiceAccountRoleOutput', { + new cdk.CfnOutput(scope, "DeploymentServiceAccountRoleOutput", { value: this.deploymentServiceAccount.role.roleName, - exportName: 'DeploymentServiceAccountRoleName', - description: 'Role ARN for the Prow deployments service account' + exportName: "DeploymentServiceAccountRoleName", + description: "Role ARN for the Prow deployments service account", }); // Service account for presubmit jobs - this.presubmitJobServiceAccount = props.prowCluster.addServiceAccount('PreSubmitJobServiceAccount', { - namespace: PROW_JOB_NAMESPACE, - name: "pre-submit-service-account" - }); + this.presubmitJobServiceAccount = props.prowCluster.addServiceAccount( + "PreSubmitJobServiceAccount", + { + namespace: PROW_JOB_NAMESPACE, + name: "pre-submit-service-account", + } + ); + this.presubmitJobServiceAccount.node.addDependency( + ...props.namespaceManifests 
+ ); this.presubmitJobServiceAccount.addToPrincipalPolicy(preAssumeRolePolicy); this.presubmitJobServiceAccount.addToPrincipalPolicy(preGetPolicyPolicy); this.presubmitJobServiceAccount.addToPrincipalPolicy(preBucketAccessPolicy); - this.presubmitJobServiceAccount.addToPrincipalPolicy(preParamStoreAccessPolicy); - this.presubmitJobServiceAccount.addToPrincipalPolicy(preECRPublicReadOnlyPolicy) - - new cdk.CfnOutput(scope, 'PreSubmitServiceAccountRoleOutput', { + this.presubmitJobServiceAccount.addToPrincipalPolicy( + preParamStoreAccessPolicy + ); + this.presubmitJobServiceAccount.addToPrincipalPolicy( + preECRPublicReadOnlyPolicy + ); + + new cdk.CfnOutput(scope, "PreSubmitServiceAccountRoleOutput", { value: this.presubmitJobServiceAccount.role.roleName, - exportName: 'PreSubmitServiceAccountRoleName', - description: 'Role ARN for the Prow presubmit jobs\' service account' + exportName: "PreSubmitServiceAccountRoleName", + description: "Role ARN for the Prow presubmit jobs' service account", }); // Service account for postsubmit jobs - this.postsubmitJobServiceAccount = props.prowCluster.addServiceAccount('PostSubmitJobServiceAccount', { - namespace: PROW_JOB_NAMESPACE, - name: "post-submit-service-account" - }); - this.postsubmitJobServiceAccount.addToPrincipalPolicy(postBucketAccessPolicy); + this.postsubmitJobServiceAccount = props.prowCluster.addServiceAccount( + "PostSubmitJobServiceAccount", + { + namespace: PROW_JOB_NAMESPACE, + name: "post-submit-service-account", + } + ); + this.postsubmitJobServiceAccount.node.addDependency( + ...props.namespaceManifests + ); + this.postsubmitJobServiceAccount.addToPrincipalPolicy( + postBucketAccessPolicy + ); this.postsubmitJobServiceAccount.addToPrincipalPolicy(postEcrPublicPolicy); - this.postsubmitJobServiceAccount.addToPrincipalPolicy(postEcrPublicAllResourcePolicy); + this.postsubmitJobServiceAccount.addToPrincipalPolicy( + postEcrPublicAllResourcePolicy + ); 
this.postsubmitJobServiceAccount.addToPrincipalPolicy(postStsPolicy); this.postsubmitJobServiceAccount.addToPrincipalPolicy(postAssumeRolePolicy); - this.postsubmitJobServiceAccount.addToPrincipalPolicy(postParamStoreAccessPolicy); - new cdk.CfnOutput(scope, 'PostSubmitServiceAccountRoleOutput', { + this.postsubmitJobServiceAccount.addToPrincipalPolicy( + postParamStoreAccessPolicy + ); + new cdk.CfnOutput(scope, "PostSubmitServiceAccountRoleOutput", { value: this.postsubmitJobServiceAccount.role.roleName, - exportName: 'PostSubmitServiceAccountRoleName', - description: 'Role ARN for the Prow postsubmit jobs\' service account' + exportName: "PostSubmitServiceAccountRoleName", + description: "Role ARN for the Prow postsubmit jobs' service account", }); - } } diff --git a/infra/lib/test-ci-stack.ts b/infra/lib/test-ci-stack.ts index 58d01a15..db45b76a 100644 --- a/infra/lib/test-ci-stack.ts +++ b/infra/lib/test-ci-stack.ts 
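Review bot: `presubmitJobServiceAccount` still receives `preAssumeRolePolicy`, which an earlier hunk in this file shows as `sts:AssumeRole` on `resources: ["*"]`, and presubmit jobs typically run code from unmerged pull requests. The commit reformats these lines without narrowing or explaining the grant. If the target roles follow a naming pattern, scope `resources` to it; otherwise add a comment on the policy, such as `// sts:AssumeRole on "*": relies entirely on the target roles' trust policies to limit what presubmit jobs can assume`. Also, the three `CfnOutput` descriptions say "Role ARN" while `value` is `role.roleName`. The constructor begins outside this hunk.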
@@ -1,49 +1,57 @@ -import * as cdk from '@aws-cdk/core'; -import { CICluster, CIClusterCompileTimeProps } from './ci-cluster'; -import { LogBucket, LogBucketCompileProps } from './log-bucket'; -import { ClusterSSM, ClusterSSMCompileProps } from './ssm'; -import { ProwServiceAccounts } from './prow-service-accounts'; +import * as cdk from "@aws-cdk/core"; +import { CICluster, CIClusterCompileTimeProps } from "./ci-cluster"; +import { LogBucket, LogBucketCompileProps } from "./log-bucket"; +import { ClusterSSM, ClusterSSMCompileProps } from "./ssm"; +import { ProwServiceAccounts } from "./prow-service-accounts"; export const PROW_NAMESPACE = "prow"; export const PROW_JOB_NAMESPACE = "test-pods"; export const EXTERNAL_DNS_NAMESPACE = "external-dns"; export const FLUX_NAMESPACE = "flux-system"; -export type TestCIStackProps = cdk.StackProps & LogBucketCompileProps & ClusterSSMCompileProps & { - clusterConfig: CIClusterCompileTimeProps -}; +export type TestCIStackProps = cdk.StackProps & + LogBucketCompileProps & + ClusterSSMCompileProps & { + clusterConfig: CIClusterCompileTimeProps; + }; export class TestCIStack extends cdk.Stack { constructor(scope: cdk.Construct, id: string, props: TestCIStackProps) { super(scope, id, props); - const logsBucket = new LogBucket(this, 'LogBucketConstruct', { + const logsBucket = new LogBucket(this, "LogBucketConstruct", { ...props, - account: this.account - }) + account: this.account, + }); - const testCluster = new CICluster(this, 'CIClusterConstruct', { - ...props.clusterConfig + const testCluster = new CICluster(this, "CIClusterConstruct", { + ...props.clusterConfig, }); - const clusterSSM = new ClusterSSM(this, 'CIClusterSSM', { + const clusterSSM = new ClusterSSM(this, "CIClusterSSM", { ...props, account: this.account, region: this.region, cluster: testCluster.testCluster, - nodes: testCluster.testNodegroup - }) - - const prowServiceAccounts = new ProwServiceAccounts(this, 'ProwServiceAccountsConstruct', { - account: 
this.account, - stackPartition: this.partition, - region: this.region, - - prowCluster: testCluster.testCluster, - tideStatusBucket: logsBucket.bucket, - presubmitsBucket: logsBucket.bucket, - postsubmitsBucket: logsBucket.bucket, + nodes: testCluster.testNodegroup, }); + + const prowServiceAccounts = new ProwServiceAccounts( + this, + "ProwServiceAccountsConstruct", + { + account: this.account, + stackPartition: this.partition, + region: this.region, + + prowCluster: testCluster.testCluster, + namespaceManifests: testCluster.namespaceManifests, + + tideStatusBucket: logsBucket.bucket, + presubmitsBucket: logsBucket.bucket, + postsubmitsBucket: logsBucket.bucket, + } + ); prowServiceAccounts.node.addDependency(testCluster); } } diff --git a/infra/test/test-ci.test.ts b/infra/test/test-ci.test.ts index e9eeb64d..bbc17b76 100644 --- a/infra/test/test-ci.test.ts +++ b/infra/test/test-ci.test.ts @@ -7,10 +7,14 @@ test('Empty Stack', () => { // WHEN const stack = new TestCI.TestCIStack(app, 'MyTestStack', { clusterConfig: { - botPersonalAccessToken: "abc123", - webhookHMACToken: "def456" + appId: "12345", + appPrivateKey: "abc123", + appWebhookSecret: "def456", + appClientId: "1234567890", + personalAccessToken: "987654321" }, logsBucketName: "my-log-bucket", + logsBucketImport: false, pvreBucketName: undefined }); // THEN diff --git a/prow/config/Chart.yaml b/prow/config/Chart.yaml index 1e186c9d..2494d9f6 100644 --- a/prow/config/Chart.yaml +++ b/prow/config/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: prow-config description: Configuration for the ACK Prow cluster type: application -version: 0.1.11 +version: 0.2.0 appVersion: "1.16.0" diff --git a/prow/config/templates/config-ConfigMap.yaml b/prow/config/templates/config-ConfigMap.yaml index 10ca6f77..e7c6b3ac 100644 --- a/prow/config/templates/config-ConfigMap.yaml +++ b/prow/config/templates/config-ConfigMap.yaml 
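Review bot: The `LogBucket` and `ClusterSSM` constructor calls in `TestCIStack` still receive `...props`, which includes `clusterConfig`; judging by the updated test fixture, that object now carries `appPrivateKey`, `appWebhookSecret` and `personalAccessToken`. Neither construct appears to need those values, so passing them along widens the set of places where the GitHub App key can be read or accidentally logged. Splitting the props once keeps the credentials scoped to `CICluster`: `const { clusterConfig, ...stackProps } = props;`, then `...stackProps` for `LogBucket` and `ClusterSSM` and `...clusterConfig` for `CICluster`.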
@@ -15,7 +15,6 @@ apiVersion: v1 kind: ConfigMap metadata: - namespace: prow name: config data: config.yaml: | @@ -148,4 +147,4 @@ data: - name: cgroup hostPath: path: /sys/fs/cgroup - type: Directory \ No newline at end of file + type: Directory diff --git a/prow/config/templates/crier-Deployment.yaml b/prow/config/templates/crier-Deployment.yaml index db6c106d..b6da39b8 100644 --- a/prow/config/templates/crier-Deployment.yaml +++ b/prow/config/templates/crier-Deployment.yaml @@ -45,6 +45,11 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid image: {{ .Values.crier.image }} args: - --blob-storage-workers=10 @@ -53,9 +58,10 @@ spec: - --s3-credentials-file=/etc/s3-credentials/service-account.json - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - - --github-token-path=/etc/github/token - --github-workers=10 - --kubernetes-blob-storage-workers=10 + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert volumeMounts: - name: config mountPath: /etc/config diff --git a/prow/config/templates/deck-Deployment.yaml b/prow/config/templates/deck-Deployment.yaml index 8be00f22..a5d6527d 100644 --- a/prow/config/templates/deck-Deployment.yaml +++ b/prow/config/templates/deck-Deployment.yaml @@ -50,6 +50,11 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid image: {{ .Values.deck.image }} args: - --config-path=/etc/config/config.yaml 
@@ -57,13 +62,14 @@ spec: - --plugin-config=/etc/plugins/plugins.yaml - --tide-url=http://tide/ - --hook-url=http://hook:8888/plugin-help - - --github-token-path=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-graphql-endpoint=http://ghproxy/graphql - --plugin-config=/etc/plugins/plugins.yaml - --s3-credentials-file=/etc/s3-credentials/service-account.json - --spyglass=true + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert ports: - name: http containerPort: 8080 diff --git a/prow/config/templates/github-token-Secret.yaml b/prow/config/templates/github-token-Secret.yaml index fadb0e66..23b5fe1d 100644 --- a/prow/config/templates/github-token-Secret.yaml +++ b/prow/config/templates/github-token-Secret.yaml @@ -12,11 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{ if .Values.githubToken.secret.create }} +{{ if .Values.githubApp.secret.create }} apiVersion: v1 kind: Secret metadata: name: github-token -data: - token: {{ .Values.githubToken.token | b64enc | quote }} +stringData: + # this is the "private key" saved after setting up the Github App + cert: {{ .Values.githubApp.cert}} + # this is the "App ID" saved after setting up the Github App + appid: {{ .Values.githubApp.appId }} {{ end }} \ No newline at end of file diff --git a/prow/config/templates/hmac-token-Secret.yaml b/prow/config/templates/hmac-token-Secret.yaml index 94439d2b..2b8ac282 100644 --- a/prow/config/templates/hmac-token-Secret.yaml +++ b/prow/config/templates/hmac-token-Secret.yaml 
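Review bot: In the `github-token` Secret template, `cert` and `appid` are rendered into `stringData` without quoting, whereas the `token` line they replace used `| b64enc | quote`. A GitHub App private key is a multi-line PEM, so an unquoted `{{ .Values.githubApp.cert}}` is unlikely to render as a valid YAML scalar, and a purely numeric `appId` renders as a YAML number, which `stringData` (string values only) should reject. Quoting both keeps the manifest valid for any input: `cert: {{ .Values.githubApp.cert | quote }}` and `appid: {{ .Values.githubApp.appId | quote }}`. This only matters when `githubApp.secret.create` is true; how the secret is provisioned otherwise is not visible in this hunk.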
@@ -12,11 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{ if .Values.hmacToken.secret.create }} +{{ if .Values.githubWebhookToken.secret.create }} apiVersion: v1 kind: Secret metadata: name: hmac-token data: - hmac: {{ .Values.hmacToken.hmac | b64enc | quote }} + hmac: {{ .Values.githubWebhookToken.hmac | b64enc | quote }} {{ end }} \ No newline at end of file diff --git a/prow/config/templates/hook-Deployment.yaml b/prow/config/templates/hook-Deployment.yaml index 7f1fe905..6b7052f8 100644 --- a/prow/config/templates/hook-Deployment.yaml +++ b/prow/config/templates/hook-Deployment.yaml @@ -50,16 +50,21 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid image: {{ .Values.hook.image }} imagePullPolicy: Always args: - --dry-run={{ .Values.dryRun }} - - --deck-url=http://deck/ - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - - --github-token-path=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert ports: - name: http containerPort: 8888 diff --git a/prow/config/templates/horologium-Deployment.yaml b/prow/config/templates/horologium-Deployment.yaml index 0bb39184..3294b262 100644 --- a/prow/config/templates/horologium-Deployment.yaml +++ b/prow/config/templates/horologium-Deployment.yaml @@ -50,7 +50,6 @@ spec: image: {{ .Values.horologium.image }} args: - --dry-run={{ .Values.dryRun }} - - --deck-url=http://deck/ - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config volumeMounts: diff --git a/prow/config/templates/horologium-Role.yaml b/prow/config/templates/horologium-Role.yaml index 7ccde95d..e11bc7b8 100644 --- a/prow/config/templates/horologium-Role.yaml +++ b/prow/config/templates/horologium-Role.yaml 
@@ -23,4 +23,5 @@ rules: - prowjobs verbs: - create - - list \ No newline at end of file + - list + - watch \ No newline at end of file diff --git a/prow/config/templates/prow-controller-manager-Deployment.yaml b/prow/config/templates/prow-controller-manager-Deployment.yaml index a14412f2..e775b65e 100644 --- a/prow/config/templates/prow-controller-manager-Deployment.yaml +++ b/prow/config/templates/prow-controller-manager-Deployment.yaml @@ -44,15 +44,20 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid args: - --dry-run={{ .Values.dryRun }} - - --deck-url=http://deck/ - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - - --github-token-path=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --enable-controller=plank + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert image: {{ .Values.prowControllerManager.image }} volumeMounts: - name: github-token diff --git a/prow/config/templates/sinker-Deployment.yaml b/prow/config/templates/sinker-Deployment.yaml index 2b01c6b3..053fcb3c 100644 --- a/prow/config/templates/sinker-Deployment.yaml +++ b/prow/config/templates/sinker-Deployment.yaml @@ -48,7 +48,6 @@ spec: args: - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - - --deck-url=http://deck/ volumeMounts: - name: config mountPath: /etc/config diff --git a/prow/config/templates/statusreconciler-Deployment.yaml b/prow/config/templates/statusreconciler-Deployment.yaml index 1ec082b1..33a3011f 100644 --- a/prow/config/templates/statusreconciler-Deployment.yaml +++ b/prow/config/templates/statusreconciler-Deployment.yaml 
@@ -39,19 +39,24 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid image: {{ .Values.statusreconciler.image }} args: - --dry-run={{ .Values.dryRun }} - - --deck-url=http://deck/ - --continue-on-error=true - --plugin-config=/etc/plugins/plugins.yaml - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - - --github-token-path=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --s3-credentials-file=/etc/s3-credentials/service-account.json - --status-path=s3://{{ .Values.prow.tideStatusReconcilerBucketName }}/status-reconciler-status + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert volumeMounts: - name: github-token mountPath: /etc/github diff --git a/prow/config/templates/tide-Deployment.yaml b/prow/config/templates/tide-Deployment.yaml index a98fdfe4..52a3a8f0 100644 --- a/prow/config/templates/tide-Deployment.yaml +++ b/prow/config/templates/tide-Deployment.yaml @@ -46,13 +46,18 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github-token + key: appid image: {{ .Values.tide.image }} args: - --dry-run={{ .Values.dryRun }} - - --deck-url=http://deck/ - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - - --github-token-path=/etc/github/token + - --github-app-id=$(GITHUB_APP_ID) + - --github-app-private-key-path=/etc/github/cert - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-graphql-endpoint=http://ghproxy/graphql diff --git a/prow/config/values.yaml b/prow/config/values.yaml index 3ecd7298..38080ea8 100644 --- a/prow/config/values.yaml +++ b/prow/config/values.yaml 
@@ -19,14 +19,14 @@ ingress: crier: scrapeMetrics: false - image: gcr.io/k8s-prow/crier:v20210422-d12e80af3e + image: gcr.io/k8s-prow/crier:v20221121-dfec9ce18d serviceAccount: create: false name: '' deck: scrapeMetrics: false - image: gcr.io/k8s-prow/deck:v20210422-d12e80af3e + image: gcr.io/k8s-prow/deck:v20221121-dfec9ce18d service: type: 'ClusterIP' serviceAccount: @@ -35,12 +35,12 @@ deck: ghproxy: scrapeMetrics: false - image: gcr.io/k8s-prow/ghproxy:v20210422-d12e80af3e + image: gcr.io/k8s-prow/ghproxy:v20221121-dfec9ce18d volumeSize: 100 hook: scrapeMetrics: false - image: gcr.io/k8s-prow/hook:v20210422-d12e80af3e + image: gcr.io/k8s-prow/hook:v20221121-dfec9ce18d service: type: 'LoadBalancer' serviceAccount: @@ -49,44 +49,46 @@ hook: horologium: scrapeMetrics: false - image: gcr.io/k8s-prow/horologium:v20210422-d12e80af3e + image: gcr.io/k8s-prow/horologium:v20221121-dfec9ce18d serviceAccount: create: false name: '' prowControllerManager: scrapeMetrics: false - image: gcr.io/k8s-prow/prow-controller-manager:v20210422-d12e80af3e + image: gcr.io/k8s-prow/prow-controller-manager:v20221121-dfec9ce18d serviceAccount: create: false name: '' sinker: scrapeMetrics: false - image: gcr.io/k8s-prow/sinker:v20210422-d12e80af3e + image: gcr.io/k8s-prow/sinker:v20221121-dfec9ce18d serviceAccount: create: false name: '' statusreconciler: - image: gcr.io/k8s-prow/status-reconciler:v20210422-d12e80af3e + image: gcr.io/k8s-prow/status-reconciler:v20221121-dfec9ce18d serviceAccount: create: false name: '' tide: scrapeMetrics: false - image: gcr.io/k8s-prow/tide:v20210422-d12e80af3e + image: gcr.io/k8s-prow/tide:v20221121-dfec9ce18d serviceAccount: create: false name: '' -githubToken: +githubApp: secret: create: false - token: '' + appId: '' + clientId: '' + cert: '' -hmacToken: +githubWebhookToken: secret: create: false hmac: '' 
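Review bot: The new `githubApp` block in values.yaml has no comment saying that `cert` holds the GitHub App private key, and `clientId` is not read by the `github-token` Secret template shown in this patch. Values supplied to a chart are typically stored with the release, so a key set here ends up somewhere other than the Secret itself; the default `create: false` suggests the secret is meant to be provisioned elsewhere. A short comment above the block would make that explicit, e.g. `# cert is the GitHub App private key (PEM); set it only when secret.create is true, otherwise provision the github-token secret outside the chart`. If `clientId` has no consumer, dropping it avoids carrying an unused credential-adjacent value.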
@@ -96,7 +98,7 @@ s3Credentials: create: true utility_images: - clonerefs: gcr.io/k8s-prow/clonerefs:v20210422-d12e80af3e - entrypoint: gcr.io/k8s-prow/entrypoint:v20210422-d12e80af3e - initupload: gcr.io/k8s-prow/initupload:v20210422-d12e80af3e - sidecar: gcr.io/k8s-prow/sidecar:v20210422-d12e80af3e + clonerefs: gcr.io/k8s-prow/clonerefs:v20221121-dfec9ce18d + entrypoint: gcr.io/k8s-prow/entrypoint:v20221121-dfec9ce18d + initupload: gcr.io/k8s-prow/initupload:v20221121-dfec9ce18d + sidecar: gcr.io/k8s-prow/sidecar:v20221121-dfec9ce18d diff --git a/prow/jobs/jinja/periodics/label_sync.jinja2 b/prow/jobs/jinja/periodics/label_sync.jinja2 index 22d0cc99..fe5d4538 100644 --- a/prow/jobs/jinja/periodics/label_sync.jinja2 +++ b/prow/jobs/jinja/periodics/label_sync.jinja2 @@ -16,7 +16,7 @@ - --config=/etc/config/labels.yaml - --confirm=true - --orgs=aws-controllers-k8s - - --token=/etc/github/oauth + - --token=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --debug @@ -30,7 +30,7 @@ volumes: - name: github-token secret: - secretName: prowjob-github-token + secretName: prowjob-github-pat-token - name: config configMap: name: label-config \ No newline at end of file diff --git a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_close.jinja2 b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_close.jinja2 index c1dcb66b..200f0be9 100644 --- a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_close.jinja2 +++ b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_close.jinja2 @@ -29,4 +29,4 @@ volumes: - name: github-token secret: - secretName: prowjob-github-token \ No newline at end of file + secretName: prowjob-github-pat-token \ No newline at end of file diff --git a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_rotten.jinja2 b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_rotten.jinja2 index b0376200..cd2a002e 100644 --- a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_rotten.jinja2 
+++ b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_rotten.jinja2 @@ -31,4 +31,4 @@ volumes: - name: github-token secret: - secretName: prowjob-github-token \ No newline at end of file + secretName: prowjob-github-pat-token \ No newline at end of file diff --git a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_stale.jinja2 b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_stale.jinja2 index e5066d0f..ca612f4d 100644 --- a/prow/jobs/jinja/periodics/lifecycle_bot_periodic_stale.jinja2 +++ b/prow/jobs/jinja/periodics/lifecycle_bot_periodic_stale.jinja2 @@ -31,4 +31,4 @@ volumes: - name: github-token secret: - secretName: prowjob-github-token \ No newline at end of file + secretName: prowjob-github-pat-token \ No newline at end of file diff --git a/prow/jobs/jinja/postsubmits/codegen_release.jinja2 b/prow/jobs/jinja/postsubmits/codegen_release.jinja2 index 5605bd4c..ddbafe1b 100644 --- a/prow/jobs/jinja/postsubmits/codegen_release.jinja2 +++ b/prow/jobs/jinja/postsubmits/codegen_release.jinja2 @@ -24,7 +24,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" diff --git a/prow/jobs/jinja/postsubmits/community_docs.jinja2 b/prow/jobs/jinja/postsubmits/community_docs.jinja2 index e9f33561..4a5174d6 100644 --- a/prow/jobs/jinja/postsubmits/community_docs.jinja2 +++ b/prow/jobs/jinja/postsubmits/community_docs.jinja2 @@ -18,7 +18,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" diff --git a/prow/jobs/jinja/postsubmits/controller_bootstrap_update.jinja2 b/prow/jobs/jinja/postsubmits/controller_bootstrap_update.jinja2 index 943f27ee..8ff32b67 100644 --- a/prow/jobs/jinja/postsubmits/controller_bootstrap_update.jinja2 +++ b/prow/jobs/jinja/postsubmits/controller_bootstrap_update.jinja2 
@@ -16,7 +16,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" diff --git a/prow/jobs/jinja/postsubmits/controller_release.jinja2 b/prow/jobs/jinja/postsubmits/controller_release.jinja2 index bcddcaa5..5bc0670e 100644 --- a/prow/jobs/jinja/postsubmits/controller_release.jinja2 +++ b/prow/jobs/jinja/postsubmits/controller_release.jinja2 @@ -64,7 +64,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -90,7 +90,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -123,7 +123,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" diff --git a/prow/jobs/jinja/postsubmits/runtime_release.jinja2 b/prow/jobs/jinja/postsubmits/runtime_release.jinja2 index a15087f2..8343eb17 100644 --- a/prow/jobs/jinja/postsubmits/runtime_release.jinja2 +++ b/prow/jobs/jinja/postsubmits/runtime_release.jinja2 @@ -19,7 +19,7 @@ - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" diff --git a/prow/jobs/jobs.yaml b/prow/jobs/jobs.yaml index 3568b124..5144ce7a 100644 --- a/prow/jobs/jobs.yaml +++ b/prow/jobs/jobs.yaml @@ -1,5 +1,5 @@ # Autogenerated. Do NOT update Manually. -# Last generated on 2023-01-26 15:30:09.178218. +# Last generated on 2023-01-26 15:57:42.205097. periodics: - name: label-sync labels: 
@@ -19,7 +19,7 @@ periodics: - --config=/etc/config/labels.yaml - --confirm=true - --orgs=aws-controllers-k8s - - --token=/etc/github/oauth + - --token=/etc/github/token - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --debug @@ -33,7 +33,7 @@ periodics: volumes: - name: github-token secret: - secretName: prowjob-github-token + secretName: prowjob-github-pat-token - name: config configMap: name: label-config @@ -68,7 +68,7 @@ periodics: volumes: - name: github-token secret: - secretName: prowjob-github-token + secretName: prowjob-github-pat-token - name: periodic-rotten interval: 6h decorate: true @@ -102,7 +102,7 @@ periodics: volumes: - name: github-token secret: - secretName: prowjob-github-token + secretName: prowjob-github-pat-token - name: periodic-stale interval: 6h decorate: true @@ -136,7 +136,7 @@ periodics: volumes: - name: github-token secret: - secretName: prowjob-github-token + secretName: prowjob-github-pat-token postsubmits: aws-controllers-k8s/code-generator: - name: auto-generate-controllers @@ -282,7 +282,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -399,7 +399,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -545,7 +545,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -685,7 +685,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -711,7 +711,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -744,7 +744,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -885,7 +885,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -911,7 +911,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -944,7 +944,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1085,7 +1085,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1111,7 +1111,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1144,7 +1144,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1285,7 +1285,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1311,7 +1311,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -1344,7 +1344,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1485,7 +1485,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1511,7 +1511,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1544,7 +1544,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1685,7 +1685,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1711,7 +1711,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1744,7 +1744,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1885,7 +1885,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1911,7 +1911,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -1944,7 +1944,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -2085,7 +2085,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2111,7 +2111,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2144,7 +2144,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2285,7 +2285,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2311,7 +2311,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2344,7 +2344,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2485,7 +2485,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2511,7 +2511,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2544,7 +2544,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2685,7 +2685,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -2711,7 +2711,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2744,7 +2744,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2885,7 +2885,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2911,7 +2911,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -2944,7 +2944,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3085,7 +3085,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3111,7 +3111,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3144,7 +3144,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3485,7 +3485,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3511,7 +3511,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -3544,7 +3544,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3685,7 +3685,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3711,7 +3711,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3744,7 +3744,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3885,7 +3885,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3911,7 +3911,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -3944,7 +3944,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4085,7 +4085,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4111,7 +4111,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4144,7 +4144,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -4285,7 +4285,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4311,7 +4311,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4344,7 +4344,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4485,7 +4485,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4511,7 +4511,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4544,7 +4544,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4685,7 +4685,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4711,7 +4711,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4744,7 +4744,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" @@ -4885,7 +4885,7 @@ postsubmits: - name: GITHUB_TOKEN valueFrom: secretKeyRef: - name: prowjob-github-token + name: prowjob-github-pat-token key: token - name: GITHUB_ACTOR value: "ack-bot" 
@@ -4911,7 +4911,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -4944,7 +4944,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5085,7 +5085,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5111,7 +5111,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5144,7 +5144,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5285,7 +5285,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5311,7 +5311,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5344,7 +5344,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5485,7 +5485,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5511,7 +5511,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5544,7 +5544,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5685,7 +5685,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5711,7 +5711,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5744,7 +5744,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5885,7 +5885,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5911,7 +5911,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -5944,7 +5944,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6085,7 +6085,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6111,7 +6111,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6144,7 +6144,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6285,7 +6285,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6311,7 +6311,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6344,7 +6344,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6485,7 +6485,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6511,7 +6511,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6544,7 +6544,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6685,7 +6685,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6711,7 +6711,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6744,7 +6744,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"
@@ -6864,7 +6864,7 @@ postsubmits:
 - name: GITHUB_TOKEN
 valueFrom:
 secretKeyRef:
- name: prowjob-github-token
+ name: prowjob-github-pat-token
 key: token
 - name: GITHUB_ACTOR
 value: "ack-bot"