feat(charts/prow): add kubeconfig secret support (#632)

Signed-off-by: wuhuizuo <[email protected]>
PingCAP-QE · Jul 2, 2023 · 1a5f70c · 1a5f70c
1 parent 93b33da
commit 1a5f70c
Show file tree

Hide file tree

Showing 11 changed files with 166 additions and 58 deletions.
diff --git a/charts/prow/Chart.yaml b/charts/prow/Chart.yaml
@@ -21,7 +21,7 @@ type: application
 # time you make changes to the chart and its templates,
 # including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.9.3"
+version: "0.9.4"
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the

diff --git a/charts/prow/templates/components/crier/deployment.yaml b/charts/prow/templates/components/crier/deployment.yaml
@@ -70,24 +70,35 @@ spec:
               mountPath: /etc/persistent-credentials
               readOnly: true
             {{- end }}
+            {{- if .Values.crier.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.crier.resources | nindent 12 }}
 
       volumes:
-      - name: prow-config
-        configMap:
-            name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
-      - name: prow-jobs
-        configMap:
-            name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
-      - name: github
-        secret:
-          secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
-      {{- if include "prow.persistent.needCredentials" . }}
-      - name: persistent-credentials
-        secret:
-          secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
-      {{- end }}
+        - name: prow-config
+          configMap:
+              name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
+        - name: prow-jobs
+          configMap:
+              name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        - name: github
+          secret:
+            secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
+        {{- if include "prow.persistent.needCredentials" . }}
+        - name: persistent-credentials
+          secret:
+            secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
+        {{- end }}
+        {{- with .Values.crier.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/deck/deployment.yaml b/charts/prow/templates/components/deck/deployment.yaml
@@ -80,6 +80,11 @@ spec:
               readOnly: true
             - name: oauth-cookie
               mountPath: /etc/oauth-cookie
+            {{- if .Values.deck.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
             {{- if include "prow.persistent.needCredentials" . }}
             - name: persistent-credentials
               mountPath: /etc/persistent-credentials
@@ -99,25 +104,31 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 600
       volumes:
-      - name: prow-config
-        configMap:
-          name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
-      - name: prow-plugin
-        configMap:
-          name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }}
-      - name: prow-jobs
-        configMap:
-          name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
-      - name: github
-        secret:
-          secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
-      - name: oauth-cookie
-        secret:
-          secretName: {{ default (printf "%s-oauth-cookie" (include "prow.fullname" .)) .Values.prow.oauth.cookie.secretName }}
-      {{- if include "prow.persistent.needCredentials" . }}
-      - name: persistent-credentials
-        secret:
-          secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
+        - name: prow-config
+          configMap:
+            name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
+        - name: prow-plugin
+          configMap:
+            name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }}
+        - name: prow-jobs
+          configMap:
+            name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        - name: github
+          secret:
+            secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
+        - name: oauth-cookie
+          secret:
+            secretName: {{ default (printf "%s-oauth-cookie" (include "prow.fullname" .)) .Values.prow.oauth.cookie.secretName }}
+        {{- if include "prow.persistent.needCredentials" . }}
+        - name: persistent-credentials
+          secret:
+            secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
+        {{- end }}
+        {{- with .Values.deck.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
       {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/prow/templates/components/hook/deployment.yaml b/charts/prow/templates/components/hook/deployment.yaml
@@ -74,6 +74,11 @@ spec:
             - name: prow-jobs
               mountPath: /etc/prow-jobs
               readOnly: true
+            {{- if .Values.hook.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -105,6 +110,12 @@ spec:
         - name: prow-jobs
           configMap:
             name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        {{- with .Values.hook.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/horologium/deployment.yaml b/charts/prow/templates/components/horologium/deployment.yaml
@@ -27,9 +27,9 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "prow.serviceAccountName.horologium" . }}
-      terminationGracePeriodSeconds: 30
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      terminationGracePeriodSeconds: 30
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -48,12 +48,17 @@ spec:
               containerPort: 80
               protocol: TCP
           volumeMounts:
-          - name: prow-config
-            mountPath: /etc/prow-config
-            readOnly: true
-          - name: prow-jobs
-            mountPath: /etc/prow-jobs
-            readOnly: true
+            - name: prow-config
+              mountPath: /etc/prow-config
+              readOnly: true
+            - name: prow-jobs
+              mountPath: /etc/prow-jobs
+              readOnly: true
+            {{- if .Values.horologium.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.horologium.resources | nindent 12 }}
       volumes:
@@ -63,6 +68,12 @@ spec:
         - name: prow-jobs
           configMap:
             name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        {{- with .Values.horologium.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/jenkins-operator/deployment.yaml b/charts/prow/templates/components/jenkins-operator/deployment.yaml
@@ -119,6 +119,11 @@ spec:
               mountPath: /etc/jenkins
               readOnly: true
             {{- end }}
+            {{- if .Values.jenkinsOperator.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.jenkinsOperator.resources | nindent 12 }}
       volumes:
@@ -134,6 +139,12 @@ spec:
             secretName: {{ . }}
             optional: true
         {{- end }}
+        {{- with .Values.jenkinsOperator.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/prow-controller-manager/deployment.yaml b/charts/prow/templates/components/prow-controller-manager/deployment.yaml
@@ -60,6 +60,11 @@ spec:
           - name: prow-jobs
             mountPath: /etc/prow-jobs
             readOnly: true
+            {{- if .Values.pcm.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.pcm.resources | nindent 12 }}
       volumes:
@@ -72,6 +77,12 @@ spec:
       - name: prow-jobs
         configMap:
             name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        {{- with .Values.pcm.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/sinker/deployment.yaml b/charts/prow/templates/components/sinker/deployment.yaml
@@ -47,6 +47,11 @@ spec:
             - name: prow-jobs
               mountPath: /etc/prow-jobs
               readOnly: true
+            {{- if .Values.sinker.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.sinker.resources | nindent 12 }}
       volumes:
@@ -56,6 +61,12 @@ spec:
         - name: prow-jobs
           configMap:
             name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        {{- with .Values.sinker.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/status-reconciler/deployment.yaml b/charts/prow/templates/components/status-reconciler/deployment.yaml
@@ -74,26 +74,37 @@ spec:
               mountPath: /etc/persistent-credentials
               readOnly: true
             {{- end }}
+            {{- if .Values.statusReconciler.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.statusReconciler.resources | nindent 12 }}
       volumes:
-      - name: github
-        secret:
-          secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
-      - name: prow-config
-        configMap:
-          name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
-      - name: prow-plugin
-        configMap:
-          name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }}
-      - name: prow-jobs
-        configMap:
-          name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
-      {{- if include "prow.persistent.needCredentials" . }}
-      - name: persistent-credentials
-        secret:
-          secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
-      {{- end }}
+        - name: github
+          secret:
+            secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }}
+        - name: prow-config
+          configMap:
+            name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }}
+        - name: prow-plugin
+          configMap:
+            name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }}
+        - name: prow-jobs
+          configMap:
+            name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }}
+        {{- if include "prow.persistent.needCredentials" . }}
+        - name: persistent-credentials
+          secret:
+            secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
+        {{- end }}
+        {{- with .Values.statusReconciler.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/prow/templates/components/tide/deployment.yaml b/charts/prow/templates/components/tide/deployment.yaml
@@ -75,6 +75,11 @@ spec:
               mountPath: /etc/persistent-credentials
               readOnly: true
             {{- end }}
+            {{- if .Values.tide.kubeconfigSecret }}
+            - mountPath: /etc/kubeconfig
+              name: kubeconfig
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.tide.resources | nindent 12 }}
       volumes:
@@ -92,6 +97,12 @@ spec:
           secret:
             secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }}
         {{- end }}
+        {{- with .Values.tide.kubeconfigSecret }}
+        - name: kubeconfig
+          secret:
+            secretName: {{ . }}
+            optional: true
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}