diff --git a/infra/gcp/terraform/k8s-infra-prow/buckets.tf b/infra/gcp/terraform/k8s-infra-prow/buckets.tf index a567e62dc03..0be5cd38c7a 100644 --- a/infra/gcp/terraform/k8s-infra-prow/buckets.tf +++ b/infra/gcp/terraform/k8s-infra-prow/buckets.tf @@ -16,7 +16,7 @@ limitations under the License. module "gcb_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 5" + version = "~> 11.0" name = "k8s-infra-prow-gcb" project_id = module.project.project_id diff --git a/infra/gcp/terraform/k8s-infra-prow/gke.tf b/infra/gcp/terraform/k8s-infra-prow/gke.tf index 36ce50dd2ac..c027befa41b 100644 --- a/infra/gcp/terraform/k8s-infra-prow/gke.tf +++ b/infra/gcp/terraform/k8s-infra-prow/gke.tf @@ -17,7 +17,7 @@ limitations under the License. // WARNING, MAKE SURE YOU DON"T DESTROY THESE CLUSTERS ACCIDENTALLY module "prow" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.2" + version = "~> 37.1" project_id = module.project.project_id name = "prow" region = "us-central1" @@ -73,7 +73,7 @@ module "prow" { module "utility_cluster" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.2" + version = "~> 37.1" project_id = module.project.project_id name = "utility" region = "us-central1" diff --git a/infra/gcp/terraform/k8s-infra-prow/iam.tf b/infra/gcp/terraform/k8s-infra-prow/iam.tf index 6faf06c7483..33851a14112 100644 --- a/infra/gcp/terraform/k8s-infra-prow/iam.tf +++ b/infra/gcp/terraform/k8s-infra-prow/iam.tf 
@@ -173,3 +173,31 @@ resource "google_iam_workload_identity_pool_provider" "ppc64le" { jwks_json = data.http.ppc64le_jwks.response_body } } + +data "http" "s390x_issuer" { + url = "https://d7b2a019-eu-de.lb.appdomain.cloud:6443/.well-known/openid-configuration" + insecure = true +} + +data "http" "s390x_jwks" { + url = "https://d7b2a019-eu-de.lb.appdomain.cloud:6443/openid/v1/jwks" + insecure = true +} + +resource "google_iam_workload_identity_pool_provider" "s390x" { + workload_identity_pool_id = google_iam_workload_identity_pool.ibm_clusters.workload_identity_pool_id + project = module.project.project_id + workload_identity_pool_provider_id = "s390x" + + attribute_mapping = { + "google.subject" = "\"ns/\" + assertion['kubernetes.io']['namespace'] + \"/sa/\" + assertion['kubernetes.io']['serviceaccount']['name']" + "attribute.namespace" = "assertion['kubernetes.io']['namespace']" + "attribute.service_account_name" = "assertion['kubernetes.io']['serviceaccount']['name']" + "attribute.pod" = "assertion['kubernetes.io']['pod']['name']" + } + oidc { + allowed_audiences = ["sts.googleapis.com"] + issuer_uri = jsondecode(data.http.s390x_issuer.response_body)["issuer"] + jwks_json = data.http.s390x_jwks.response_body + } +} diff --git a/infra/gcp/terraform/k8s-infra-prow/main.tf b/infra/gcp/terraform/k8s-infra-prow/main.tf index 2b246bc365f..c8ceb7699a3 100644 --- a/infra/gcp/terraform/k8s-infra-prow/main.tf +++ b/infra/gcp/terraform/k8s-infra-prow/main.tf @@ -16,7 +16,7 @@ limitations under the License. module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 14.5" + version = "~> 18.0" name = "k8s-infra-prow" project_id = "k8s-infra-prow" diff --git a/infra/gcp/terraform/k8s-infra-prow/provider.tf b/infra/gcp/terraform/k8s-infra-prow/provider.tf index 5598696d076..7a9d8dba6ef 100644 --- a/infra/gcp/terraform/k8s-infra-prow/provider.tf +++ b/infra/gcp/terraform/k8s-infra-prow/provider.tf 
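Review bot: Both new `data "http"` sources fetch the s390x issuer document and JWKS with `insecure = true`, so the key set that `google_iam_workload_identity_pool_provider.s390x` pins in `jwks_json` is taken from an unverified TLS endpoint; anyone able to interpose on that connection at apply time could substitute their own keys and then mint tokens the pool accepts. The `http` provider supports `ca_cert_pem`, so pin the IBM API server's CA instead of disabling verification, e.g. `ca_cert_pem = file("${path.module}/s390x-apiserver-ca.pem")` in place of `insecure = true` (if the ppc64le sources above use the same flag they deserve the same fix). Because `jwks_json` is a snapshot, a signing-key rotation on the cluster also silently breaks federation until the next apply, which is worth a comment on the `oidc` block. Consider also adding `attribute_condition = "assertion['kubernetes.io']['namespace'] == 'test-pods'"` so only the prow job namespace can exchange tokens, rather than every service account in the cluster.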
@@ -15,7 +15,7 @@ limitations under the License. */ terraform { - required_version = "1.6.5" + required_version = "1.10.5" backend "gcs" { bucket = "k8s-infra-tf-prow-clusters" @@ -25,11 +25,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "~> 5.45.2" + version = "~> 6.45.0" } google-beta = { source = "hashicorp/google-beta" - version = "~> 5.45.2" + version = "~> 6.45.0" } } } diff --git a/infra/gcp/terraform/k8s-infra-prow/vpc.tf b/infra/gcp/terraform/k8s-infra-prow/vpc.tf index 23f90d9574d..7105e655a0c 100644 --- a/infra/gcp/terraform/k8s-infra-prow/vpc.tf +++ b/infra/gcp/terraform/k8s-infra-prow/vpc.tf @@ -16,7 +16,7 @@ limitations under the License. module "vpc" { source = "terraform-google-modules/network/google" - version = "~> 9.3" + version = "~> 11.1" project_id = module.project.project_id network_name = "prow" diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml index 43258ea3bd7..6adcdf08a5e 100644 --- a/kubernetes/gke-utility/argocd/clusters.yaml +++ b/kubernetes/gke-utility/argocd/clusters.yaml @@ -96,6 +96,32 @@ spec: kind: ClusterSecretStore name: k8s-infra-prow --- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ibm-s390x +spec: + target: + template: + engineVersion: v2 + data: + name: ibm-s90x + server: https://d7b2a019-eu-de.lb.appdomain.cloud:6443 + config: "{{ .config }}" + metadata: + labels: + clusterType: prow + environment: prod + prowNamespace: test-pods + cloud: ibm + data: + - remoteRef: + key: ibm-s390x-argo-secret + secretKey: config + secretStoreRef: + kind: ClusterSecretStore + name: k8s-infra-prow +--- apiVersion: v1 kind: Secret metadata: diff --git a/kubernetes/ibm-s390x/OWNERS b/kubernetes/ibm-s390x/OWNERS new file mode 100644 index 00000000000..3eba2623c05 --- /dev/null +++ b/kubernetes/ibm-s390x/OWNERS 
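Review bot: The cluster Secret template sets `name: ibm-s90x`, which looks like a typo for `ibm-s390x`; it is the name Argo CD will register the cluster under, and it disagrees with the ExternalSecret's own name and the `ibm-s390x-argo-secret` remote key a few lines away. Change it to `name: ibm-s390x` before this is synced, since renaming an Argo CD cluster afterwards means re-pointing every Application that targets it.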
@@ -0,0 +1,16 @@ +# See the OWNERS docs at https://go.k8s.io/owners + +approvers: +- mkumatag +- Prajyot-Parab +- Rajalakshmi-Girish + +reviewers: +- mkumatag +- Prajyot-Parab +- Rajalakshmi-Girish + +labels: +- sig/k8s-infra +- area/infra +- area/infra/ibmcloud diff --git a/kubernetes/ibm-s390x/helm/external-secrets.yaml b/kubernetes/ibm-s390x/helm/external-secrets.yaml new file mode 100644 index 00000000000..5f6f7cf17f4 --- /dev/null +++ b/kubernetes/ibm-s390x/helm/external-secrets.yaml 
@@ -0,0 +1,133 @@ +extraObjects: + - apiVersion: external-secrets.io/v1beta1 + kind: ClusterSecretStore + metadata: + name: k8s-infra-prow-build + spec: + provider: + gcpsm: + projectID: k8s-infra-prow-build + # - apiVersion: external-secrets.io/v1beta1 + # kind: ClusterSecretStore + # metadata: + # name: secretstore-ibm-k8s + # spec: + # provider: + # ibm: + # serviceUrl: "https://3297fd32-6322-45e2-af3f-00b1a5af3565.us-south.secrets-manager.appdomain.cloud" + # auth: + # secretRef: + # secretApiKeySecretRef: + # name: ibm-sm-apikey + # key: API_KEY + # namespace: external-secrets + # - apiVersion: external-secrets.io/v1beta1 + # kind: ExternalSecret + # metadata: + # name: ibm-sm-apikey + # spec: + # data: + # - remoteRef: + # key: ibm-sm-apikey + # secretKey: API_KEY + # secretStoreRef: + # kind: ClusterSecretStore + # name: k8s-infra-prow-build + - apiVersion: v1 + kind: ConfigMap + metadata: + name: google-adc + data: + adc.json: | + { + "universe_domain": "googleapis.com", + "type": "external_account", + "audience": "//iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x", + "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", + "token_url": "https://sts.googleapis.com/v1/token", + "credential_source": { + "file": "/var/run/secrets/google-iam-token/serviceaccount/token", + "format": { + "type": "text" + } + } + } + # - apiVersion: external-secrets.io/v1beta1 + # kind: ExternalSecret + # metadata: + # name: secret-rotator-api-key + # spec: + # refreshInterval: 60m + # secretStoreRef: + # name: secretstore-ibm-k8s + # kind: ClusterSecretStore + # target: + # name: secret-rotator-api-key + # creationPolicy: Owner + # data: + # - secretKey: api-key + # remoteRef: + # key: iam_credentials/2067d245-e61c-11b2-2c5a-b2be281ea4b8 + # - apiVersion: batch/v1 + # kind: CronJob + # metadata: + # name: ibmcloud-secret-rotator + # labels: + # app: ibmcloud-secret-rotator + # spec: + # schedule: "0 */2 * * *" + # 
jobTemplate: + # spec: + # template: + # spec: + # containers: + # - name: rotator-container + # image: public.ecr.aws/docker/library/golang:1.24 + # imagePullPolicy: Always + # command: + # - /bin/bash + # args: + # - -c + # - | + # set -o errexit + # set -o nounset + # set -o pipefail + + # go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8 + # secret-manager rotate --instance-id 3297fd32-6322-45e2-af3f-00b1a5af3565 --labels rotate:true --confirm + # env: + # - name: IBMCLOUD_ENV_FILE + # value: "/home/.ibmcloud/api-key" + # volumeMounts: + # - name: credentials + # mountPath: /home/.ibmcloud + # restartPolicy: OnFailure + # volumes: + # - name: credentials + # secret: + # secretName: secret-rotator-api-key + +extraVolumes: + - name: google-iam-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: sts.googleapis.com + expirationSeconds: 86400 + path: token + - name: google-adc + configMap: + name: google-adc + +extraEnv: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /etc/google/adc.json + +extraVolumeMounts: + - mountPath: /var/run/secrets/google-iam-token/serviceaccount + name: google-iam-token + readOnly: true + - mountPath: /etc/google + name: google-adc + readOnly: true diff --git a/kubernetes/ibm-s390x/helm/kyverno.yaml b/kubernetes/ibm-s390x/helm/kyverno.yaml new file mode 100644 index 00000000000..546e66f194e --- /dev/null +++ b/kubernetes/ibm-s390x/helm/kyverno.yaml @@ -0,0 +1,10 @@ +--- +webhooksCleanup: + image: + repository: registry.k8s.io/kubectl + tag: v1.32.3 + +policyReportsCleanup: + image: + repository: registry.k8s.io/kubectl + tag: v1.32.3 diff --git a/kubernetes/ibm-s390x/prow/boskos-janitor.yaml b/kubernetes/ibm-s390x/prow/boskos-janitor.yaml new file mode 100644 index 00000000000..31d1777260b --- /dev/null +++ b/kubernetes/ibm-s390x/prow/boskos-janitor.yaml 
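Review bot: The projected service-account token in `extraVolumes` is minted with `expirationSeconds: 86400`, a long lifetime for a credential that is exchanged at Google STS for access in the `k8s-infra-prow-build` project; the kubelet refreshes projected tokens on its own and the external_account credential source reads the file on each refresh, so `expirationSeconds: 3600` costs nothing and shortens the window for a leaked token. Most of the file is commented-out IBM Secrets Manager configuration carrying a live instance URL and `iam_credentials/...` IDs; if it is not being enabled here it would be cleaner to drop it or leave one `# TODO(<issue>): enable IBM Secrets Manager store` line. The `k8s-infra-prow-build` ClusterSecretStore has no `auth` block, so it presumably relies on the `GOOGLE_APPLICATION_CREDENTIALS` set in `extraEnv`; a comment beside it saying so would make that dependency explicit.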
@@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: boskos-ibmcloud-janitor + labels: + app: boskos-ibmcloud-janitor +spec: + replicas: 2 # 2 distributed janitor instances + selector: + matchLabels: + app: boskos-ibmcloud-janitor + template: + metadata: + labels: + app: boskos-ibmcloud-janitor + spec: + terminationGracePeriodSeconds: 300 + containers: + - name: boskos-ibmcloud-janitor + image: gcr.io/k8s-staging-boskos/ibmcloud-janitor-boskos:v20250612-e9e5322 + args: + - --boskos-url=http://boskos.test-pods.svc.cluster.local. + - --resource-type=powervs + - --ignore-api-key=true + - --account-id=efa47ec6fd45473a9e1fd6b7b8363f5c + env: + - name: IBMCLOUD_ENV_FILE # TODO: explore on how to read key from the file instead of env var + value: "/home/.ibmcloud/api-key" + volumeMounts: + - name: credentials + mountPath: /home/.ibmcloud + volumes: + - name: credentials + secret: + secretName: boskos-janitor-api-key diff --git a/kubernetes/ibm-s390x/prow/boskos-reaper.yaml b/kubernetes/ibm-s390x/prow/boskos-reaper.yaml new file mode 100644 index 00000000000..56ed9c27178 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/boskos-reaper.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: boskos-reaper + labels: + app: boskos-reaper +spec: + selector: + matchLabels: + app: boskos-reaper + replicas: 1 # one canonical source of resources + template: + metadata: + labels: + app: boskos-reaper + spec: + terminationGracePeriodSeconds: 30 + containers: + - name: boskos-reaper + image: gcr.io/k8s-staging-boskos/reaper:v20250612-e9e5322 + args: + - --boskos-url=http://boskos.test-pods.svc.cluster.local. + - --resource-type=powervs diff --git a/kubernetes/ibm-s390x/prow/boskos-resources-configmap.yaml b/kubernetes/ibm-s390x/prow/boskos-resources-configmap.yaml new file mode 100644 index 00000000000..03b3bac61a6 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/boskos-resources-configmap.yaml 
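Review bot: The `credentials` volume holding `boskos-janitor-api-key` is mounted without `readOnly: true`, and the pod spec sets neither `serviceAccountName` nor `automountServiceAccountToken`, so the janitor runs with the namespace's default service-account token mounted alongside the IBM Cloud API key even though its arguments only reference the in-cluster boskos URL and IBM Cloud. Add `readOnly: true` under the mount and `automountServiceAccountToken: false` at the pod spec level unless the image is known to need the Kubernetes API. The reaper Deployment in the next hunk has the same default-token exposure and would benefit from the same `automountServiceAccountToken: false`.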
@@ -0,0 +1,11 @@ +apiVersion: v1 +data: + config: | + resources: + - names: + - k8s-s390x-test-vpc + state: dirty + type: vpc-service +kind: ConfigMap +metadata: + name: resources diff --git a/kubernetes/ibm-s390x/prow/boskos.yaml b/kubernetes/ibm-s390x/prow/boskos.yaml new file mode 100644 index 00000000000..e6a4cc86caa --- /dev/null +++ b/kubernetes/ibm-s390x/prow/boskos.yaml 
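Review bot: The Boskos config declares a single resource `k8s-s390x-test-vpc` of type `vpc-service`, while the janitor and reaper Deployments in the preceding hunks are started with `--resource-type=powervs`; unless `powervs` resources are registered some other way, those two components will never act on the only resource defined here and the `vpc-service` resource will never be cleaned. Align the types (either `type: powervs` here or `--resource-type=vpc-service` in both Deployments) and add a comment above the entry stating which IBM Cloud resource the name maps to.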
@@ -0,0 +1,90 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: boskos +rules: + - apiGroups: ["boskos.k8s.io"] + verbs: ["*"] + resources: ["*"] +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: boskos + namespace: test-pods +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: boskos +subjects: + - kind: ServiceAccount + name: boskos + namespace: test-pods +roleRef: + kind: ClusterRole + name: boskos + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: boskos + namespace: test-pods +spec: + replicas: 1 # one canonical source of resources + selector: + matchLabels: + app: boskos + template: + metadata: + labels: + app: boskos + namespace: test-pods + spec: + serviceAccountName: boskos + terminationGracePeriodSeconds: 30 + containers: + - name: boskos + image: gcr.io/k8s-staging-boskos/boskos:v20250612-e9e5322 + args: + - --config=/etc/config/config + - --namespace=test-pods + ports: + - containerPort: 8080 + protocol: TCP + volumeMounts: + - name: boskos-config + mountPath: /etc/config + readOnly: true + volumes: + - name: boskos-config + configMap: + name: resources +--- +apiVersion: v1 +kind: Service +metadata: + name: boskos + namespace: test-pods +spec: + selector: + app: boskos + ports: + - name: default + protocol: TCP + port: 80 + targetPort: 
8080 diff --git a/kubernetes/ibm-s390x/prow/crds/boskos.yaml b/kubernetes/ibm-s390x/prow/crds/boskos.yaml new file mode 100644 index 00000000000..c5ba1a25714 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/crds/boskos.yaml 
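Review bot: The `boskos` ClusterRole grants `*` verbs on every `boskos.k8s.io` resource cluster-wide, but the Deployment runs with `--namespace=test-pods` and the CRDs added later in this change are `scope: Namespaced`, so a `Role`/`RoleBinding` in `test-pods` would give the same capability with a smaller blast radius. If nothing else relies on the cluster-scoped binding, change `kind: ClusterRole` and `kind: ClusterRoleBinding` to `kind: Role` and `kind: RoleBinding` and add `namespace: test-pods` to both. A one-line comment above the rule explaining why wildcard verbs are required would help the next reviewer.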
@@ -0,0 +1,139 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dynamicresourcelifecycles.boskos.k8s.io + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/boskos/pull/105 +spec: + group: boskos.k8s.io + names: + kind: DRLCObject + listKind: DRLCObjectList + plural: dynamicresourcelifecycles + singular: dynamicresourcelifecycle + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: Type + type: string + description: The dynamic resource type. + jsonPath: .spec.config.type + - name: Min-Count + type: integer + description: The minimum count requested. + jsonPath: .spec.min-count + - name: Max-Count + type: integer + description: The maximum count requested. + jsonPath: .spec.max-count + schema: + openAPIV3Schema: + description: Defines the lifecycle of a dynamic resource. All + Resource of a given type will be constructed using the same + configuration + type: object + properties: + spec: + type: object + properties: + state: + type: string + max-count: + description: Maxiumum number of resources expected. This + maximum may be temporarily exceeded while resources are in + the process of being deleted, though this is only expected + when MaxCount is lowered. + type: integer + format: int32 + min-count: + description: Minimum number of resources to be used as a + buffer. Resources in the process of being deleted and + cleaned up are included in this count. 
+ type: integer + format: int32 + lifespan: + description: Lifespan of a resource, time after which the + resource should be reset + type: integer + format: int64 + config: + description: Config information about how to create the + object + type: object + properties: + type: + description: The dynamic resource type + type: string + content: + type: string + needs: + description: Define the resource needs to create the object + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: resources.boskos.k8s.io + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/boskos/pull/105 +spec: + group: boskos.k8s.io + names: + kind: ResourceObject + listKind: ResourceObjectList + plural: resources + singular: resource + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: Type + type: string + description: The resource type. + jsonPath: .spec.type + - name: State + type: string + description: The current state of the resource. + jsonPath: .status.state + - name: Owner + type: string + description: The current owner of the resource. + jsonPath: .status.owner + - name: Last-Updated + type: date + jsonPath: .status.lastUpdate + schema: + openAPIV3Schema: + description: Abstracts any resource type that can be tracked by boskos + type: object + properties: + spec: + description: Holds information that are not likely to change + type: object + properties: + type: + type: string + status: + description: Holds information that are likely to change + type: object + properties: + state: + type: string + owner: + type: string + lastUpdate: + type: string + format: date-time + userData: + type: object + x-kubernetes-preserve-unknown-fields: true + expirationDate: + type: string + format: date-time +--- 
diff --git a/kubernetes/ibm-s390x/prow/kustomization.yaml b/kubernetes/ibm-s390x/prow/kustomization.yaml new file mode 100644 index 00000000000..b50cb4a8805 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: test-pods + +resources: + - boskos-janitor.yaml + - boskos-reaper.yaml + - boskos-resources-configmap.yaml + - boskos.yaml + - kyverno.yaml + - limit-range.yaml + - secrets.yaml + - oidc.yaml + - test-pods-poddisruptionbudget.yaml diff --git a/kubernetes/ibm-s390x/prow/kyverno.yaml b/kubernetes/ibm-s390x/prow/kyverno.yaml new file mode 100644 index 00000000000..e83a564796f --- /dev/null +++ b/kubernetes/ibm-s390x/prow/kyverno.yaml 
@@ -0,0 +1,52 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: insert-gcp-credentials +spec: + rules: + - name: add-creds + match: + any: + - resources: + kinds: + - Pod + preconditions: + any: + - key: '{{request.object.metadata.labels."created-by-prow" || ""}}' + operator: Equals + value: "true" + mutate: + patchStrategicMerge: + spec: + initContainers: + # pod order matters + - name: clonerefs + - (name): "initupload" + # prow passes the json path directly, uncomment this once the feature is disabled in prow + # env: + # - name: GOOGLE_APPLICATION_CREDENTIALS + # value: /secrets/gcs/service-account.json + volumeMounts: + - mountPath: /var/run/secrets/google-iam-token/serviceaccount + name: google-iam-token + readOnly: true + containers: + - name: test + - (name): sidecar + # prow passes the json path directly, uncomment this once the feature is disabled in prow + # env: + # - name: GOOGLE_APPLICATION_CREDENTIALS + # value: /secrets/gcs/service-account.json + volumeMounts: + - mountPath: /var/run/secrets/google-iam-token/serviceaccount + name: google-iam-token + readOnly: true + volumes: + - name: google-iam-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: sts.googleapis.com + expirationSeconds: 86400 + path: token diff --git a/kubernetes/ibm-s390x/prow/limit-range.yaml b/kubernetes/ibm-s390x/prow/limit-range.yaml new file mode 100644 index 00000000000..26730355346 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/limit-range.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: cpu-limit-range +spec: + limits: + - defaultRequest: + cpu: 250m + type: Container +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: mem-limit-range +spec: + limits: + - defaultRequest: + memory: 1Gi + type: Container diff --git a/kubernetes/ibm-s390x/prow/oidc.yaml b/kubernetes/ibm-s390x/prow/oidc.yaml new file mode 100644 index 00000000000..18646757fe9 --- /dev/null 
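Review bot: The `match` block selects every Pod in the cluster and the only gate is the `created-by-prow` label in `preconditions`, so anyone who can create a labelled pod in any namespace gets an `sts.googleapis.com`-audience token projected into it; the token is still that pod's own service-account identity, so IAM bindings on `ns/<namespace>/sa/<name>` remain the real control, but there is no reason to mutate outside the prow namespace. Restrict the match with `namespaces:` alongside `kinds:`, e.g. `- resources:` / `kinds: [Pod]` / `namespaces: [test-pods]`. The `expirationSeconds: 86400` on the projected token is generous for a federation credential; `3600` is enough since the kubelet refreshes it automatically, and a comment explaining why `clonerefs` and `test` appear as bare `name:` entries (order preservation, as the inline note hints) would save the next reader a trip to the Kyverno docs.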
+++ b/kubernetes/ibm-s390x/prow/oidc.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: service-account-issuer-discovery-unauthenticated +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:service-account-issuer-discovery +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated diff --git a/kubernetes/ibm-s390x/prow/secrets.yaml b/kubernetes/ibm-s390x/prow/secrets.yaml new file mode 100644 index 00000000000..9fd4a1692fb --- /dev/null +++ b/kubernetes/ibm-s390x/prow/secrets.yaml 
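Review bot: Binding `system:service-account-issuer-discovery` to `system:unauthenticated` deliberately opens the API server's `/.well-known/openid-configuration` and `/openid/v1/jwks` endpoints to anonymous callers on the publicly reachable `appdomain.cloud:6443` address, and the manifest does not say why. The reason is visible elsewhere in this change — the Terraform `data "http"` sources in iam.tf read those two URLs without credentials — so record it above the binding: `# Allows the k8s-infra-prow Terraform (iam.tf) to read the issuer config and JWKS anonymously for GCP workload identity federation.` The endpoints return only public keys, but the binding presupposes anonymous auth stays enabled on the API server; if it is ever disabled, the Terraform fetch will fail at plan time, which is worth a second line of comment.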
@@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Secret +metadata: + name: service-account + namespace: test-pods +stringData: + service-account.json: | + { + "universe_domain": "googleapis.com", + "type": "external_account", + "audience": "//iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x", + "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", + "token_url": "https://sts.googleapis.com/v1/token", + "credential_source": { + "file": "/var/run/secrets/google-iam-token/serviceaccount/token", + "format": { + "type": "text" + } + } + } + +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: prow-job-api-key +# namespace: test-pods +# spec: +# refreshInterval: 30m +# secretStoreRef: +# name: secretstore-ibm-k8s +# kind: ClusterSecretStore +# target: +# name: prow-job-api-key +# creationPolicy: Owner +# data: +# - secretKey: key +# remoteRef: +# key: iam_credentials/32412dc3-aa99-d54d-4b9b-7b33a8c741a3 +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: prow-job-ssh-private-key +# namespace: test-pods +# spec: +# refreshInterval: 60m +# secretStoreRef: +# name: secretstore-ibm-k8s +# kind: ClusterSecretStore +# target: +# name: prow-job-ssh-private-key +# creationPolicy: Owner +# data: +# - secretKey: ssh-privatekey +# remoteRef: +# key: 72d8039f-6cfc-1bbf-ba8e-d85985b42ee0 +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: boskos-janitor-api-key +# namespace: test-pods +# spec: +# refreshInterval: 60m +# secretStoreRef: +# name: secretstore-ibm-k8s +# kind: ClusterSecretStore +# target: +# name: boskos-janitor-api-key +# creationPolicy: Owner +# data: +# - secretKey: api-key +# remoteRef: +# key: iam_credentials/51518fbd-1667-f811-99ba-72688fd6c703 
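Review bot: The only producer of the `boskos-janitor-api-key` Secret that the janitor Deployment mounts is the commented-out ExternalSecret at the bottom of this file, and the `secretstore-ibm-k8s` ClusterSecretStore it references is likewise commented out in the helm values, so as committed the janitor pods will sit in ContainerCreating with a missing-secret volume unless the Secret is created out of band. Either enable the ExternalSecret together with its store, or replace the block with a comment stating the source, e.g. `# boskos-janitor-api-key is provisioned manually until the IBM Secrets Manager store is enabled.` The committed `service-account` Secret holds only an external_account ADC config with no key material, so keeping it in git is fine, but a one-line comment saying so would pre-empt the obvious question.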
diff --git a/kubernetes/ibm-s390x/prow/test-pods-poddisruptionbudget.yaml b/kubernetes/ibm-s390x/prow/test-pods-poddisruptionbudget.yaml new file mode 100644 index 00000000000..94ed107f674 --- /dev/null +++ b/kubernetes/ibm-s390x/prow/test-pods-poddisruptionbudget.yaml @@ -0,0 +1,30 @@ +# Copyright 2020 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The purpose of the PodDisruptionBudget here is to never allow evicting pods created by prow. +# Eviction of pods can happen for one of two reasons: +# * Cluster autoscaler downscaling +# * Someome/Something using `kubectl drain` +# +# It is still possible to delete the pods via a normal delete call. See https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#the-eviction-api + +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: prow-pods +spec: + maxUnavailable: 0 + selector: + matchLabels: + created-by-prow: "true"
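Review bot: The explanatory header has a typo, `Someome` for `Someone`, on the line listing eviction causes. Since this PDB sets `maxUnavailable: 0` for every `created-by-prow` pod, it would also help to state the operational consequence explicitly, e.g. `# Consequence: draining a node in this cluster blocks until all prow-created pods on it have terminated.`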