kubernetes
diff --git a/‎infra/gcp/terraform/k8s-infra-prow/iam.tf
Lines changed: 28 additions & 0 deletions b/‎infra/gcp/terraform/k8s-infra-prow/iam.tf
Lines changed: 28 additions & 0 deletions
diff --git a/‎kubernetes/gke-utility/argocd/clusters.yaml
Lines changed: 26 additions & 0 deletions b/‎kubernetes/gke-utility/argocd/clusters.yaml
Lines changed: 26 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/OWNERS
Lines changed: 16 additions & 0 deletions b/‎kubernetes/ibm-s390x/OWNERS
Lines changed: 16 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/helm/external-secrets.yaml
Lines changed: 133 additions & 0 deletions b/‎kubernetes/ibm-s390x/helm/external-secrets.yaml
Lines changed: 133 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/helm/kyverno.yaml
Lines changed: 10 additions & 0 deletions b/‎kubernetes/ibm-s390x/helm/kyverno.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/prow/boskos-janitor.yaml
Lines changed: 35 additions & 0 deletions b/‎kubernetes/ibm-s390x/prow/boskos-janitor.yaml
Lines changed: 35 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/prow/boskos-reaper.yaml
Lines changed: 23 additions & 0 deletions b/‎kubernetes/ibm-s390x/prow/boskos-reaper.yaml
Lines changed: 23 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/prow/boskos-resources-configmap.yaml
Lines changed: 11 additions & 0 deletions b/‎kubernetes/ibm-s390x/prow/boskos-resources-configmap.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎kubernetes/ibm-s390x/prow/boskos.yaml
Lines changed: 90 additions & 0 deletions b/‎kubernetes/ibm-s390x/prow/boskos.yaml
Lines changed: 90 additions & 0 deletions
@@ -173,3 +173,31 @@ resource "google_iam_workload_identity_pool_provider" "ppc64le" {
     jwks_json         = data.http.ppc64le_jwks.response_body
   }
 }
+
+data "http" "s390x_issuer" {
+  url      = "https://d7b2a019-eu-de.lb.appdomain.cloud:6443/.well-known/openid-configuration"
+  insecure = true
+}
+
+data "http" "s390x_jwks" {
+  url      = "https://d7b2a019-eu-de.lb.appdomain.cloud:6443/openid/v1/jwks"
+  insecure = true
+}
+
+resource "google_iam_workload_identity_pool_provider" "s390x" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.ibm_clusters.workload_identity_pool_id
+  project                            = module.project.project_id
+  workload_identity_pool_provider_id = "s390x"
+
+  attribute_mapping = {
+    "google.subject"                 = "\"ns/\" + assertion['kubernetes.io']['namespace'] + \"/sa/\" + assertion['kubernetes.io']['serviceaccount']['name']"
+    "attribute.namespace"            = "assertion['kubernetes.io']['namespace']"
+    "attribute.service_account_name" = "assertion['kubernetes.io']['serviceaccount']['name']"
+    "attribute.pod"                  = "assertion['kubernetes.io']['pod']['name']"
+  }
+  oidc {
+    allowed_audiences = ["sts.googleapis.com"]
+    issuer_uri        = jsondecode(data.http.s390xx_issuer.response_body)["issuer"]
+    jwks_json         = data.http.s390x_jwks.response_body
+  }
+}
@@ -96,6 +96,32 @@ spec:
     kind: ClusterSecretStore
     name: k8s-infra-prow
 ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ibm-s390x
+spec:
+  target:
+    template:
+      engineVersion: v2
+      data:
+        name: ibm-s90x
+        server: https://d7b2a019-eu-de.lb.appdomain.cloud:6443
+        config: "{{ .config }}"
+      metadata:
+        labels:
+          clusterType: prow
+          environment: prod
+          prowNamespace: test-pods
+          cloud: ibm
+  data:
+    - remoteRef:
+        key: ibm-s390x-argo-secret
+      secretKey: config
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: k8s-infra-prow
+---
 apiVersion: v1
 kind: Secret
 metadata:
 
@@ -0,0 +1,16 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- mkumatag
+- Prajyot-Parab
+- Rajalakshmi-Girish
+
+reviewers:
+- mkumatag
+- Prajyot-Parab
+- Rajalakshmi-Girish
+
+labels:
+- sig/k8s-infra
+- area/infra
+- area/infra/ibmcloud
@@ -0,0 +1,133 @@
+extraObjects:
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+      name: k8s-infra-prow-build
+    spec:
+      provider:
+        gcpsm:
+          projectID: k8s-infra-prow-build
+  # - apiVersion: external-secrets.io/v1beta1
+  #   kind: ClusterSecretStore
+  #   metadata:
+  #     name: secretstore-ibm-k8s
+  #   spec:
+  #     provider:
+  #       ibm:
+  #         serviceUrl: "https://3297fd32-6322-45e2-af3f-00b1a5af3565.us-south.secrets-manager.appdomain.cloud"
+  #         auth:
+  #           secretRef:
+  #             secretApiKeySecretRef:
+  #               name: ibm-sm-apikey
+  #               key: API_KEY
+  #               namespace: external-secrets
+  # - apiVersion: external-secrets.io/v1beta1
+  #   kind: ExternalSecret
+  #   metadata:
+  #     name: ibm-sm-apikey
+  #   spec:
+  #     data:
+  #       - remoteRef:
+  #           key: ibm-sm-apikey
+  #         secretKey: API_KEY
+  #     secretStoreRef:
+  #       kind: ClusterSecretStore
+  #       name: k8s-infra-prow-build
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: google-adc
+    data:
+      adc.json: |
+        {
+          "universe_domain": "googleapis.com",
+          "type": "external_account",
+          "audience": "//iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x",
+          "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+          "token_url": "https://sts.googleapis.com/v1/token",
+          "credential_source": {
+            "file": "/var/run/secrets/google-iam-token/serviceaccount/token",
+            "format": {
+              "type": "text"
+            }
+          }
+        }
+  # - apiVersion: external-secrets.io/v1beta1
+  #   kind: ExternalSecret
+  #   metadata:
+  #     name: secret-rotator-api-key
+  #   spec:
+  #     refreshInterval: 60m
+  #     secretStoreRef:
+  #       name: secretstore-ibm-k8s
+  #       kind: ClusterSecretStore
+  #     target:
+  #       name: secret-rotator-api-key
+  #       creationPolicy: Owner
+  #     data:
+  #       - secretKey: api-key
+  #         remoteRef:
+  #           key: iam_credentials/2067d245-e61c-11b2-2c5a-b2be281ea4b8
+  # - apiVersion: batch/v1
+  #   kind: CronJob
+  #   metadata:
+  #     name: ibmcloud-secret-rotator
+  #     labels:
+  #       app: ibmcloud-secret-rotator
+  #   spec:
+  #     schedule: "0 */2 * * *"
+  #     jobTemplate:
+  #       spec:
+  #         template:
+  #           spec:
+  #             containers:
+  #             - name: rotator-container
+  #               image: public.ecr.aws/docker/library/golang:1.24
+  #               imagePullPolicy: Always
+  #               command:
+  #               - /bin/bash
+  #               args:
+  #               - -c
+  #               - |
+  #                 set -o errexit
+  #                 set -o nounset
+  #                 set -o pipefail
+
+  #                 go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
+  #                 secret-manager rotate --instance-id 3297fd32-6322-45e2-af3f-00b1a5af3565 --labels rotate:true --confirm
+  #               env:
+  #               - name: IBMCLOUD_ENV_FILE
+  #                 value: "/home/.ibmcloud/api-key"
+  #               volumeMounts:
+  #               - name: credentials
+  #                 mountPath: /home/.ibmcloud
+  #             restartPolicy: OnFailure
+  #             volumes:
+  #             - name: credentials
+  #               secret:
+  #                 secretName: secret-rotator-api-key
+
+extraVolumes:
+  - name: google-iam-token
+    projected:
+      defaultMode: 420
+      sources:
+        - serviceAccountToken:
+            audience: sts.googleapis.com
+            expirationSeconds: 86400
+            path: token
+  - name: google-adc
+    configMap:
+      name: google-adc
+
+extraEnv:
+  - name: GOOGLE_APPLICATION_CREDENTIALS
+    value: /etc/google/adc.json
+
+extraVolumeMounts:
+  - mountPath: /var/run/secrets/google-iam-token/serviceaccount
+    name: google-iam-token
+    readOnly: true
+  - mountPath: /etc/google
+    name: google-adc
+    readOnly: true
@@ -0,0 +1,10 @@
+---
+webhooksCleanup:
+  image:
+    repository: registry.k8s.io/kubectl
+    tag: v1.32.3
+
+policyReportsCleanup:
+  image:
+    repository: registry.k8s.io/kubectl
+    tag: v1.32.3
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: boskos-ibmcloud-janitor
+  labels:
+    app: boskos-ibmcloud-janitor
+spec:
+  replicas: 2 # 2 distributed janitor instances
+  selector:
+    matchLabels:
+      app: boskos-ibmcloud-janitor
+  template:
+    metadata:
+      labels:
+        app: boskos-ibmcloud-janitor
+    spec:
+      terminationGracePeriodSeconds: 300
+      containers:
+        - name: boskos-ibmcloud-janitor
+          image: gcr.io/k8s-staging-boskos/ibmcloud-janitor-boskos:v20250612-e9e5322
+          args:
+            - --boskos-url=http://boskos.test-pods.svc.cluster.local.
+            - --resource-type=powervs
+            - --ignore-api-key=true
+            - --account-id=efa47ec6fd45473a9e1fd6b7b8363f5c
+          env:
+          - name: IBMCLOUD_ENV_FILE # TODO: explore on how to read key from the file instead of env var
+            value: "/home/.ibmcloud/api-key"
+          volumeMounts:
+            - name: credentials
+              mountPath: /home/.ibmcloud
+      volumes:
+        - name: credentials
+          secret:
+            secretName: boskos-janitor-api-key
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: boskos-reaper
+  labels:
+    app: boskos-reaper
+spec:
+  selector:
+    matchLabels:
+      app: boskos-reaper
+  replicas: 1 # one canonical source of resources
+  template:
+    metadata:
+      labels:
+        app: boskos-reaper
+    spec:
+      terminationGracePeriodSeconds: 30
+      containers:
+        - name: boskos-reaper
+          image: gcr.io/k8s-staging-boskos/reaper:v20250612-e9e5322
+          args:
+            - --boskos-url=http://boskos.test-pods.svc.cluster.local.
+            - --resource-type=powervs
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  config: |
+    resources:
+    - names:
+      - k8s-s390x-test-vpc
+      state: dirty
+      type: vpc-service
+kind: ConfigMap
+metadata:
+  name: resources
@@ -0,0 +1,90 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: boskos
+rules:
+  - apiGroups: ["boskos.k8s.io"]
+    verbs: ["*"]
+    resources: ["*"]
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: boskos
+  namespace: test-pods
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: boskos
+subjects:
+  - kind: ServiceAccount
+    name: boskos
+    namespace: test-pods
+roleRef:
+  kind: ClusterRole
+  name: boskos
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: boskos
+  namespace: test-pods
+spec:
+  replicas: 1 # one canonical source of resources
+  selector:
+    matchLabels:
+      app: boskos
+  template:
+    metadata:
+      labels:
+        app: boskos
+      namespace: test-pods
+    spec:
+      serviceAccountName: boskos
+      terminationGracePeriodSeconds: 30
+      containers:
+        - name: boskos
+          image: gcr.io/k8s-staging-boskos/boskos:v20250612-e9e5322
+          args:
+            - --config=/etc/config/config
+            - --namespace=test-pods
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: boskos-config
+              mountPath: /etc/config
+              readOnly: true
+      volumes:
+        - name: boskos-config
+          configMap:
+            name: resources
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: boskos
+  namespace: test-pods
+spec:
+  selector:
+    app: boskos
+  ports:
+    - name: default
+      protocol: TCP
+      port: 80
+      targetPort: 8080