
Commit f307a12

committed
add ppc64le cluster to prow
1 parent 7064604 commit f307a12

21 files changed

+1285
-805
lines changed

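--- a/infra/gcp/terraform/k8s-infra-prow/iam.tf
+++ b/infra/gcp/terraform/k8s-infra-prow/iam.tf
@@ -138,3 +138,37 @@ resource "google_pubsub_topic_iam_binding" "read_binding" {
 "serviceAccount:[email protected]",
 ]
 }
+
+# https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#kubernetes
+resource "google_iam_workload_identity_pool" "ibm_clusters" {
+project = module.project.project_id
+workload_identity_pool_id = "ibm-clusters"
+}
+
+data "http" "ppc64le_issuer" {
+url = "https://73725434-jp-osa.lb.appdomain.cloud:6443/.well-known/openid-configuration"
+insecure = true
+}
+
+data "http" "ppc64le_jwks" {
+url = "https://73725434-jp-osa.lb.appdomain.cloud:6443/openid/v1/jwks"
+insecure = true
+}
+
+resource "google_iam_workload_identity_pool_provider" "ppc64le" {
+workload_identity_pool_id = google_iam_workload_identity_pool.ibm_clusters.workload_identity_pool_id
+project = module.project.project_id
+workload_identity_pool_provider_id = "ppc64le"
+
+attribute_mapping = {
+"google.subject" = "\"ns/\" + assertion['kubernetes.io']['namespace'] + \"/sa/\" + assertion['kubernetes.io']['serviceaccount']['name']"
+"attribute.namespace" = "assertion['kubernetes.io']['namespace']"
+"attribute.service_account_name" = "assertion['kubernetes.io']['serviceaccount']['name']"
+"attribute.pod" = "assertion['kubernetes.io']['pod']['name']"
+}
+oidc {
+allowed_audiences = ["sts.googleapis.com"]
+issuer_uri = jsondecode(data.http.ppc64le_issuer.response_body)["issuer"]
+jwks_json = data.http.ppc64le_jwks.response_body
+}
+}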
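Review bot: `insecure = true` on both `data "http"` blocks (`ppc64le_issuer`, `ppc64le_jwks`) disables TLS verification on the very fetch whose result becomes the trust anchor of the `ppc64le` pool provider — `issuer_uri` and `jwks_json` are taken directly from those responses, so anything interposed on the path to `73725434-jp-osa.lb.appdomain.cloud:6443` during `terraform apply` could supply a JWKS whose tokens the pool would then accept. If the cluster endpoint presents a private CA, pin that CA instead, e.g. `ca_cert_pem = file("<path-to-cluster-ca.pem>")` in place of `insecure = true`; alternatively commit the JWKS document to the repo and read it with `file()`, so key changes go through review and apply does not depend on a live fetch. As written the two data sources are also re-read on every plan, so a JWKS rotation on the cluster changes `jwks_json` without any corresponding commit. The provider sets no `attribute_condition`; the restriction to specific namespaces/service accounts presumably lives in the service-account IAM bindings, which are outside this hunk — worth confirming.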

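--- a/infra/gcp/terraform/k8s-infra-prow/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-prow/provider.tf
@@ -25,11 +25,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
-version = "~> 5.25.0"
+version = "~> 5.45.2"
 }
 google-beta = {
 source = "hashicorp/google-beta"
-version = "~> 5.25.0"
+version = "~> 5.45.2"
 }
 }
 }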

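--- a/infra/gcp/terraform/k8s-infra-prow/vpc.tf
+++ b/infra/gcp/terraform/k8s-infra-prow/vpc.tf
@@ -16,7 +16,7 @@ limitations under the License.
 
 module "vpc" {
 source = "terraform-google-modules/network/google"
-version = "~> 9"
+version = "~> 9.3"
 
 project_id = module.project.project_id
 network_name = "prow"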

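--- a/kubernetes/gke-prow/prow/crier.yaml
+++ b/kubernetes/gke-prow/prow/crier.yaml
@@ -32,136 +32,143 @@ spec:
 serviceAccountName: crier
 terminationGracePeriodSeconds: 30
 containers:
-- name: crier
-image: us-docker.pkg.dev/k8s-infra-prow/images/crier:v20250224-355743344
-args:
-- --blob-storage-workers=1
-- --config-path=/etc/config/config.yaml
-- --github-endpoint=http://ghproxy
-- --github-endpoint=https://api.github.com
-- --github-token-path=/etc/github/oauth
-- --github-workers=5
-- --job-config-path=/etc/job-config
-- --kubernetes-blob-storage-workers=1
-- --slack-token-file=/etc/slack/token
-- --slack-workers=1
-env:
-# Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge.
-- name: KUBECONFIG
-value: "/etc/kubeconfig-k8s-infra-prow/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build-trusted/kubeconfig:/etc/kubeconfig-k8s-infra-aks-prow-build/kubeconfig:/etc/kubeconfig-eks-prow-build-cluster/kubeconfig:/etc/kubeconfig-k8s-infra-kops-prow-build/kubeconfig"
-# AWS_ variables needed to assume role to access the prow-build-cluster EKS cluster.
-- name: AWS_ROLE_ARN
-value: arn:aws:iam::468814281478:role/Prow-EKS-Admin
-- name: AWS_WEB_IDENTITY_TOKEN_FILE
-value: /var/run/secrets/aws-iam-token/serviceaccount/token
-- name: AWS_REGION
-value: us-east-2
-# Azure variables needed to authenticate to AKS clusters with Azure AD Integration
-- name: AZURE_CLIENT_ID # AZURE_CLIENT_ID is being overloaded with Azure Workload ID
-value: "cabf5f22-ec7e-4e84-9e35-c02e57ca555d"
-- name: AZURE_SUBSCRIPTION_ID
-value: "0e46bd28-a80f-4d3a-8200-d9eb8d80cb2e"
-- name: AZURE_TENANT_ID
-value: "097f89a0-9286-43d2-9a1a-08f1d49b1af8"
-- name: AZURE_FEDERATED_TOKEN_FILE
-value: "/var/run/secrets/azure-token/serviceaccount/token"
-ports:
-- name: metrics
-containerPort: 9090
-volumeMounts:
-- mountPath: /etc/kubeconfig-k8s-infra-prow
-name: kubeconfig-k8s-infra-prow
-readOnly: true
-- mountPath: /etc/kubeconfig-k8s-infra-prow-build
-name: kubeconfig-k8s-infra-prow-build
-readOnly: true
-- mountPath: /etc/kubeconfig-k8s-infra-prow-build-trusted
-name: kubeconfig-k8s-infra-prow-build-trusted
-readOnly: true
-- mountPath: /etc/kubeconfig-k8s-infra-aks-prow-build
-name: kubeconfig-k8s-infra-aks-prow-build
-readOnly: true
-- mountPath: /etc/kubeconfig-eks-prow-build-cluster
-name: kubeconfig-eks-prow-build-cluster
-readOnly: true
-- mountPath: /etc/kubeconfig-k8s-infra-kops-prow-build
-name: kubeconfig-k8s-infra-kops-prow-build
-readOnly: true
+- name: crier
+image: us-docker.pkg.dev/k8s-infra-prow/images/crier:v20250224-355743344
+args:
+- --blob-storage-workers=1
+- --config-path=/etc/config/config.yaml
+- --github-endpoint=http://ghproxy
+- --github-endpoint=https://api.github.com
+- --github-token-path=/etc/github/oauth
+- --github-workers=5
+- --job-config-path=/etc/job-config
+- --kubernetes-blob-storage-workers=1
+- --slack-token-file=/etc/slack/token
+- --slack-workers=1
+env:
+# Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge.
+- name: KUBECONFIG
+value: "/etc/kubeconfig-k8s-infra-prow/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build-trusted/kubeconfig:/etc/kubeconfig-k8s-infra-aks-prow-build/kubeconfig:/etc/kubeconfig-eks-prow-build-cluster/kubeconfig:/etc/kubeconfig-k8s-infra-kops-prow-build/kubeconfig:/etc/k8s-infra-ppc64le-prow-build-kubeconfig/kubeconfig"
+# AWS_ variables needed to assume role to access the prow-build-cluster EKS cluster.
+- name: AWS_ROLE_ARN
+value: arn:aws:iam::468814281478:role/Prow-EKS-Admin
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+value: /var/run/secrets/aws-iam-token/serviceaccount/token
+- name: AWS_REGION
+value: us-east-2
+# Azure variables needed to authenticate to AKS clusters with Azure AD Integration
+- name: AZURE_CLIENT_ID # AZURE_CLIENT_ID is being overloaded with Azure Workload ID
+value: "cabf5f22-ec7e-4e84-9e35-c02e57ca555d"
+- name: AZURE_SUBSCRIPTION_ID
+value: "0e46bd28-a80f-4d3a-8200-d9eb8d80cb2e"
+- name: AZURE_TENANT_ID
+value: "097f89a0-9286-43d2-9a1a-08f1d49b1af8"
+- name: AZURE_FEDERATED_TOKEN_FILE
+value: "/var/run/secrets/azure-token/serviceaccount/token"
+ports:
+- name: metrics
+containerPort: 9090
+volumeMounts:
+- mountPath: /etc/kubeconfig-k8s-infra-prow
+name: kubeconfig-k8s-infra-prow
+readOnly: true
+- mountPath: /etc/kubeconfig-k8s-infra-prow-build
+name: kubeconfig-k8s-infra-prow-build
+readOnly: true
+- mountPath: /etc/kubeconfig-k8s-infra-prow-build-trusted
+name: kubeconfig-k8s-infra-prow-build-trusted
+readOnly: true
+- mountPath: /etc/kubeconfig-k8s-infra-aks-prow-build
+name: kubeconfig-k8s-infra-aks-prow-build
+readOnly: true
+- mountPath: /etc/kubeconfig-eks-prow-build-cluster
+name: kubeconfig-eks-prow-build-cluster
+readOnly: true
+- mountPath: /etc/kubeconfig-k8s-infra-kops-prow-build
+name: kubeconfig-k8s-infra-kops-prow-build
+readOnly: true
+- mountPath: /etc/k8s-infra-ppc64le-prow-build-kubeconfig
+name: kubeconfig-k8s-infra-ppc64le-prow-build
+readOnly: true
+- name: config
+mountPath: /etc/config
+readOnly: true
+- name: job-config
+mountPath: /etc/job-config
+readOnly: true
+- name: oauth
+mountPath: /etc/github
+readOnly: true
+- name: slack
+mountPath: /etc/slack
+readOnly: true
+# AWS IAM token needed to assume role to access the prow-build-cluster EKS cluster.
+- name: aws-iam-token
+mountPath: /var/run/secrets/aws-iam-token/serviceaccount
+readOnly: true
+# Azure Token needed for workload identity
+- name: azure-token
+mountPath: "/var/run/secrets/azure-token/serviceaccount"
+readOnly: true
+volumes:
 - name: config
-mountPath: /etc/config
-readOnly: true
+configMap:
+name: config
 - name: job-config
-mountPath: /etc/job-config
-readOnly: true
+configMap:
+name: job-config
 - name: oauth
-mountPath: /etc/github
-readOnly: true
+secret:
+secretName: oauth-token
 - name: slack
-mountPath: /etc/slack
-readOnly: true
+secret:
+secretName: slack-token
+- name: kubeconfig-k8s-infra-prow
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-prow
+- name: kubeconfig-k8s-infra-prow-build
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-prow-build
+- name: kubeconfig-k8s-infra-prow-build-trusted
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-prow-build-trusted
+- name: kubeconfig-k8s-infra-aks-prow-build
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-aks-prow-build
+- name: kubeconfig-eks-prow-build-cluster
+secret:
+defaultMode: 420
+secretName: kubeconfig-eks-prow-build-cluster
+- name: kubeconfig-k8s-infra-kops-prow-build
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-kops-prow-build
+- name: kubeconfig-k8s-infra-ppc64le-prow-build
+secret:
+defaultMode: 420
+secretName: kubeconfig-k8s-infra-ppc64le-prow-build
 # AWS IAM token needed to assume role to access the prow-build-cluster EKS cluster.
 - name: aws-iam-token
-mountPath: /var/run/secrets/aws-iam-token/serviceaccount
-readOnly: true
+projected:
+defaultMode: 420
+sources:
+- serviceAccountToken:
+audience: sts.amazonaws.com
+expirationSeconds: 86400
+path: token
 # Azure Token needed for workload identity
 - name: azure-token
-mountPath: "/var/run/secrets/azure-token/serviceaccount"
-readOnly: true
-volumes:
-- name: config
-configMap:
-name: config
-- name: job-config
-configMap:
-name: job-config
-- name: oauth
-secret:
-secretName: oauth-token
-- name: slack
-secret:
-secretName: slack-token
-- name: kubeconfig-k8s-infra-prow
-secret:
-defaultMode: 420
-secretName: kubeconfig-k8s-infra-prow
-- name: kubeconfig-k8s-infra-prow-build
-secret:
-defaultMode: 420
-secretName: kubeconfig-k8s-infra-prow-build
-- name: kubeconfig-k8s-infra-prow-build-trusted
-secret:
-defaultMode: 420
-secretName: kubeconfig-k8s-infra-prow-build-trusted
-- name: kubeconfig-k8s-infra-aks-prow-build
-secret:
-defaultMode: 420
-secretName: kubeconfig-k8s-infra-aks-prow-build
-- name: kubeconfig-eks-prow-build-cluster
-secret:
-defaultMode: 420
-secretName: kubeconfig-eks-prow-build-cluster
-- name: kubeconfig-k8s-infra-kops-prow-build
-secret:
-defaultMode: 420
-secretName: kubeconfig-k8s-infra-kops-prow-build
-# AWS IAM token needed to assume role to access the prow-build-cluster EKS cluster.
-- name: aws-iam-token
-projected:
-defaultMode: 420
-sources:
-- serviceAccountToken:
-audience: sts.amazonaws.com
-expirationSeconds: 86400
-path: token
-# Azure Token needed for workload identity
-- name: azure-token
-projected:
-defaultMode: 420
-sources:
-- serviceAccountToken:
-expirationSeconds: 86400
-path: token
-audience: api://AzureADTokenExchange
+projected:
+defaultMode: 420
+sources:
+- serviceAccountToken:
+expirationSeconds: 86400
+path: token
+audience: api://AzureADTokenExchange
 ---
 apiVersion: v1
 kind: Service
@@ -191,29 +198,29 @@ metadata:
 namespace: default
 name: crier
 rules:
-- apiGroups:
-- "prow.k8s.io"
-resources:
-- "prowjobs"
-verbs:
-- "get"
-- "watch"
-- "list"
-- "patch"
-- apiGroups:
-- ""
-resources:
-- "pods"
-- "events"
-verbs:
-- "get"
-- "list"
-- apiGroups:
-- ""
-resources:
-- "pods"
-verbs:
-- "patch"
+- apiGroups:
+- "prow.k8s.io"
+resources:
+- "prowjobs"
+verbs:
+- "get"
+- "watch"
+- "list"
+- "patch"
+- apiGroups:
+- ""
+resources:
+- "pods"
+- "events"
+verbs:
+- "get"
+- "list"
+- apiGroups:
+- ""
+resources:
+- "pods"
+verbs:
+- "patch"
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -224,5 +231,5 @@ roleRef:
 kind: Role
 name: crier
 subjects:
-- kind: ServiceAccount
-name: crier
+- kind: ServiceAccount
+name: crier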
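Review bot: The new ppc64le mount in the first hunk breaks the naming pattern every sibling follows — it is mounted at `/etc/k8s-infra-ppc64le-prow-build-kubeconfig` while the other six kubeconfigs use `/etc/kubeconfig-<cluster>`, and the same odd path is appended to the `KUBECONFIG` value. Suggest `- mountPath: /etc/kubeconfig-k8s-infra-ppc64le-prow-build` and the matching `KUBECONFIG` suffix `:/etc/kubeconfig-k8s-infra-ppc64le-prow-build/kubeconfig`, so the path can be derived from the volume name `kubeconfig-k8s-infra-ppc64le-prow-build` like the others. Note also that the new `kubeconfig-k8s-infra-ppc64le-prow-build` secret volume is not marked `optional`, so the crier pod will not start until a Secret of that name exists in the `default` namespace; nothing in this file creates it, so its provisioning presumably happens elsewhere and should land first. The Role and RoleBinding hunks are indentation-only.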
