From 1a5f70cebc50107a35deb7a7d06bc3739c773d3a Mon Sep 17 00:00:00 2001 From: wuhuizuo Date: Sun, 2 Jul 2023 17:14:12 +0800 Subject: [PATCH] feat(charts/prow): add kubeconfig secret support (#632) Signed-off-by: wuhuizuo --- charts/prow/Chart.yaml | 2 +- .../components/crier/deployment.yaml | 39 +++++++++------ .../templates/components/deck/deployment.yaml | 49 ++++++++++++------- .../templates/components/hook/deployment.yaml | 11 +++++ .../components/horologium/deployment.yaml | 25 +++++++--- .../jenkins-operator/deployment.yaml | 11 +++++ .../prow-controller-manager/deployment.yaml | 11 +++++ .../components/sinker/deployment.yaml | 11 +++++ .../status-reconciler/deployment.yaml | 45 ++++++++++------- .../templates/components/tide/deployment.yaml | 11 +++++ charts/prow/values.yaml | 9 ++++ 11 files changed, 166 insertions(+), 58 deletions(-) diff --git a/charts/prow/Chart.yaml b/charts/prow/Chart.yaml index b87b18bb5..a8e20ed84 100644 --- a/charts/prow/Chart.yaml +++ b/charts/prow/Chart.yaml @@ -21,7 +21,7 @@ type: application # time you make changes to the chart and its templates, # including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.9.3" +version: "0.9.4" # This is the version number of the application being deployed. # This version number should be incremented each time you make changes to the diff --git a/charts/prow/templates/components/crier/deployment.yaml b/charts/prow/templates/components/crier/deployment.yaml index adf6389c6..e7a486377 100644 --- a/charts/prow/templates/components/crier/deployment.yaml +++ b/charts/prow/templates/components/crier/deployment.yaml 
@@ -70,24 +70,35 @@ spec: mountPath: /etc/persistent-credentials readOnly: true {{- end }} + {{- if .Values.crier.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.crier.resources | nindent 12 }} volumes: - - name: prow-config - configMap: - name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} - - name: prow-jobs - configMap: - name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} - - name: github - secret: - secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} - {{- if include "prow.persistent.needCredentials" . }} - - name: persistent-credentials - secret: - secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }} - {{- end }} + - name: prow-config + configMap: + name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} + - name: prow-jobs + configMap: + name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + - name: github + secret: + secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} + {{- if include "prow.persistent.needCredentials" . }} + - name: persistent-credentials + secret: + secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }} + {{- end }} + {{- with .Values.crier.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
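Review bot: The new `kubeconfig` volume is declared with `optional: true`, so if the secret named in `crier.kubeconfigSecret` is missing or misspelled, the pod still starts with an empty `/etc/kubeconfig`. An operator who set this value asked for a specific cluster credential. What the component does without it (a late failure, or a fallback to its in-cluster service account) is not visible in this diff, so the safer behaviour is for the pod to fail to start. Dropping the `optional: true` line achieves that, because the `with` block already renders the volume only when the value is non-empty. The same stanza is added in the deck, hook, horologium, jenkins-operator, prow-controller-manager, sinker, status-reconciler and tide deployments.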
diff --git a/charts/prow/templates/components/deck/deployment.yaml b/charts/prow/templates/components/deck/deployment.yaml index 24af37c38..e3af717a8 100644 --- a/charts/prow/templates/components/deck/deployment.yaml +++ b/charts/prow/templates/components/deck/deployment.yaml @@ -80,6 +80,11 @@ spec: readOnly: true - name: oauth-cookie mountPath: /etc/oauth-cookie + {{- if .Values.deck.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} {{- if include "prow.persistent.needCredentials" . }} - name: persistent-credentials mountPath: /etc/persistent-credentials 
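Review bot: Deck is fronted by an ingress by default in this chart (`ingress: enabled: true` under `deck:` in values.yaml), and this mount places every key of the kubeconfig secret inside that pod with no guidance on how the credential should be scoped. Because each component has its own `kubeconfigSecret` value, the chart can steer users towards a separate, narrowly scoped credential for deck. A comment above `deck.kubeconfigSecret` would do it, for example `# Secret with a kubeconfig for deck only; prefer a read-only credential, not the one used by the controllers`. The container spec begins before this hunk, so whether any argument points deck at `/etc/kubeconfig` cannot be confirmed from here.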
@@ -99,25 +104,31 @@ spec: periodSeconds: 3 timeoutSeconds: 600 volumes: - - name: prow-config - configMap: - name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} - - name: prow-plugin - configMap: - name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }} - - name: prow-jobs - configMap: - name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} - - name: github - secret: - secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} - - name: oauth-cookie - secret: - secretName: {{ default (printf "%s-oauth-cookie" (include "prow.fullname" .)) .Values.prow.oauth.cookie.secretName }} - {{- if include "prow.persistent.needCredentials" . }} - - name: persistent-credentials - secret: - secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }} + - name: prow-config + configMap: + name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} + - name: prow-plugin + configMap: + name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }} + - name: prow-jobs + configMap: + name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + - name: github + secret: + secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} + - name: oauth-cookie + secret: + secretName: {{ default (printf "%s-oauth-cookie" (include "prow.fullname" .)) .Values.prow.oauth.cookie.secretName }} + {{- if include "prow.persistent.needCredentials" . }} + - name: persistent-credentials + secret: + secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) 
.Values.persistent.type) .Values.persistent.credentials.secretName }} + {{- end }} + {{- with .Values.deck.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true {{- end }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/prow/templates/components/hook/deployment.yaml b/charts/prow/templates/components/hook/deployment.yaml index 5f00ce9b3..679f12c55 100644 --- a/charts/prow/templates/components/hook/deployment.yaml +++ b/charts/prow/templates/components/hook/deployment.yaml @@ -74,6 +74,11 @@ spec: - name: prow-jobs mountPath: /etc/prow-jobs readOnly: true + {{- if .Values.hook.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} livenessProbe: httpGet: path: /healthz @@ -105,6 +110,12 @@ spec: - name: prow-jobs configMap: name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + {{- with .Values.hook.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/prow/templates/components/horologium/deployment.yaml b/charts/prow/templates/components/horologium/deployment.yaml index b7fb3e19e..017723130 100644 --- a/charts/prow/templates/components/horologium/deployment.yaml +++ b/charts/prow/templates/components/horologium/deployment.yaml @@ -27,9 +27,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "prow.serviceAccountName.horologium" . }} - terminationGracePeriodSeconds: 30 securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + terminationGracePeriodSeconds: 30 containers: - name: {{ .Chart.Name }} securityContext: 
@@ -48,12 +48,17 @@ spec: containerPort: 80 protocol: TCP volumeMounts: - - name: prow-config - mountPath: /etc/prow-config - readOnly: true - - name: prow-jobs - mountPath: /etc/prow-jobs - readOnly: true + - name: prow-config + mountPath: /etc/prow-config + readOnly: true + - name: prow-jobs + mountPath: /etc/prow-jobs + readOnly: true + {{- if .Values.horologium.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.horologium.resources | nindent 12 }} volumes: @@ -63,6 +68,12 @@ spec: - name: prow-jobs configMap: name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + {{- with .Values.horologium.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/prow/templates/components/jenkins-operator/deployment.yaml b/charts/prow/templates/components/jenkins-operator/deployment.yaml index 522021c0b..9035810f1 100644 --- a/charts/prow/templates/components/jenkins-operator/deployment.yaml +++ b/charts/prow/templates/components/jenkins-operator/deployment.yaml @@ -119,6 +119,11 @@ spec: mountPath: /etc/jenkins readOnly: true {{- end }} + {{- if .Values.jenkinsOperator.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.jenkinsOperator.resources | nindent 12 }} volumes: @@ -134,6 +139,12 @@ spec: secretName: {{ . }} optional: true {{- end }} + {{- with .Values.jenkinsOperator.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
diff --git a/charts/prow/templates/components/prow-controller-manager/deployment.yaml b/charts/prow/templates/components/prow-controller-manager/deployment.yaml index f9a95f1fc..acaf909dc 100644 --- a/charts/prow/templates/components/prow-controller-manager/deployment.yaml +++ b/charts/prow/templates/components/prow-controller-manager/deployment.yaml @@ -60,6 +60,11 @@ spec: - name: prow-jobs mountPath: /etc/prow-jobs readOnly: true + {{- if .Values.pcm.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.pcm.resources | nindent 12 }} volumes: @@ -72,6 +77,12 @@ spec: - name: prow-jobs configMap: name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + {{- with .Values.pcm.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/prow/templates/components/sinker/deployment.yaml b/charts/prow/templates/components/sinker/deployment.yaml index 4c0690c9f..415406f56 100644 --- a/charts/prow/templates/components/sinker/deployment.yaml +++ b/charts/prow/templates/components/sinker/deployment.yaml @@ -47,6 +47,11 @@ spec: - name: prow-jobs mountPath: /etc/prow-jobs readOnly: true + {{- if .Values.sinker.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.sinker.resources | nindent 12 }} volumes: @@ -56,6 +61,12 @@ spec: - name: prow-jobs configMap: name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + {{- with .Values.sinker.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
diff --git a/charts/prow/templates/components/status-reconciler/deployment.yaml b/charts/prow/templates/components/status-reconciler/deployment.yaml index d796eeb1f..934c8ec3b 100644 --- a/charts/prow/templates/components/status-reconciler/deployment.yaml +++ b/charts/prow/templates/components/status-reconciler/deployment.yaml 
@@ -74,26 +74,37 @@ spec: mountPath: /etc/persistent-credentials readOnly: true {{- end }} + {{- if .Values.statusReconciler.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.statusReconciler.resources | nindent 12 }} volumes: - - name: github - secret: - secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} - - name: prow-config - configMap: - name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} - - name: prow-plugin - configMap: - name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }} - - name: prow-jobs - configMap: - name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} - {{- if include "prow.persistent.needCredentials" . }} - - name: persistent-credentials - secret: - secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }} - {{- end }} + - name: github + secret: + secretName: {{ default (printf "%s-github" (include "prow.fullname" .)) .Values.prow.github.secretName }} + - name: prow-config + configMap: + name: {{ default (printf "%s-config" (include "prow.fullname" .)) .Values.prow.configs.prow.configMapName }} + - name: prow-plugin + configMap: + name: {{ default (printf "%s-plugin" (include "prow.fullname" .)) .Values.prow.configs.plugin.configMapName }} + - name: prow-jobs + configMap: + name: {{ default (printf "%s-job" (include "prow.fullname" .)) .Values.prow.configs.job.configMapName }} + {{- if include "prow.persistent.needCredentials" . }} + - name: persistent-credentials + secret: + secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) 
.Values.persistent.type) .Values.persistent.credentials.secretName }} + {{- end }} + {{- with .Values.statusReconciler.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/prow/templates/components/tide/deployment.yaml b/charts/prow/templates/components/tide/deployment.yaml index 16c97e1ee..d5ecf44ff 100644 --- a/charts/prow/templates/components/tide/deployment.yaml +++ b/charts/prow/templates/components/tide/deployment.yaml @@ -75,6 +75,11 @@ spec: mountPath: /etc/persistent-credentials readOnly: true {{- end }} + {{- if .Values.tide.kubeconfigSecret }} + - mountPath: /etc/kubeconfig + name: kubeconfig + readOnly: true + {{- end }} resources: {{- toYaml .Values.tide.resources | nindent 12 }} volumes: @@ -92,6 +97,12 @@ spec: secret: secretName: {{ default (printf "%s-%s-credentials" (include "prow.fullname" .) .Values.persistent.type) .Values.persistent.credentials.secretName }} {{- end }} + {{- with .Values.tide.kubeconfigSecret }} + - name: kubeconfig + secret: + secretName: {{ . }} + optional: true + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/prow/values.yaml b/charts/prow/values.yaml index 602eb549c..10c458e81 100644 --- a/charts/prow/values.yaml +++ b/charts/prow/values.yaml @@ -113,6 +113,7 @@ crier: create: true name: "" resources: {} + kubeconfigSecret: "" deck: additionalArgs: [] @@ -146,6 +147,7 @@ deck: name: "" resources: {} + kubeconfigSecret: "" ingress: enabled: true className: "" @@ -219,6 +221,7 @@ hook: create: true name: "" resources: {} + kubeconfigSecret: "" ingress: enabled: true className: "" @@ -266,6 +269,7 @@ horologium: create: true name: "" resources: {} + kubeconfigSecret: "" pcm: additionalArgs: [] @@ -295,6 +299,7 @@ pcm: create: true name: "" resources: {} + kubeconfigSecret: "" sinker: additionalArgs: [] 
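Review bot: `kubeconfigSecret: ""` is added under `crier:` without a comment, so the values file does not say what the secret must contain or what setting it does. The templates only mount the secret at `/etc/kubeconfig`, and no hunk in this patch adds a container argument, so the user presumably still has to point the component at a file there through `additionalArgs`. That step and the expected key name inside the secret should be documented. A comment such as `# Name of an existing Secret holding a kubeconfig; mounted read-only at /etc/kubeconfig when set (empty = not mounted)` above the key would cover it. The same undocumented key is added for deck, hook, horologium and pcm in the following hunks on this line, and for sinker, statusReconciler, tide and jenkinsOperator in the hunks after that.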
@@ -324,6 +329,7 @@ sinker: create: true name: "" resources: {} + kubeconfigSecret: "" statusReconciler: additionalArgs: [] @@ -353,6 +359,7 @@ statusReconciler: create: true name: "" resources: {} + kubeconfigSecret: "" tide: additionalArgs: [] @@ -386,6 +393,7 @@ tide: create: true name: "" resources: {} + kubeconfigSecret: "" pipeline: additionalArgs: [] @@ -451,6 +459,7 @@ jenkinsOperator: create: true name: "" resources: {} + kubeconfigSecret: "" # Whether or not to make mutating API calls to GitHub/Kubernetes/Jenkins. dryRun: true