This document lists all types of Secrets used in the kyma-prow and workload-kyma-prow clusters, where all Prow Jobs are executed.
NOTE: All Secrets are stored in the Google Cloud Storage (GCS) bucket.
| Prow Secret | Description |
|---|---|
| hmac-token | Used for validating GitHub webhooks. It is manually generated using the openssl rand -hex 20 command. |
| oauth-token | Personal access token called prow-production used by the kyma-bot GitHub user. |
| sap-slack-bot-token | Token for publishing messages to the SAP CX workspace. Find more information here. |
| workload-cluster | Stores the workload-kyma-prow cluster certificate. |
| slack-token | OAuth token for the Slack bot user. It is used by Crier. |
| Secret | Description |
|---|---|
| whitesource keys | Copied directly from the bucket when executing a job. These Secrets are not stored on the cluster. |
| github-integration | Used to authorize GitHub applications configured in the kyma-project organization. See the OAuth Apps section in GitHub. |
| sa-* | Service Accounts used in pipelines. Find more information here. |
| kyma-bot-github-token | Personal access token called prow-job used by the kyma-bot GitHub user. |
| kyma-guard-bot-github-token | Personal access token for the kyma-guard-bot GitHub account. |
| [email protected] | Stores credentials to the kyma-bot GitHub account. |
| kyma-bot-npm-token | Token for publishing npm packages in the npmjs.com registry. The kyma-bot user credentials are used to authenticate to the registry. The Secret is used by the post-main-varkes Prow Job. |
| gardener-kyma-prow-kubeconfig | Kubeconfig file that allows connection to the kyma-prow Gardener project. |
| slack-nightly-token | Token that allows the stability checker to push notifications to Slack. |
| sap-slack-bot-token | Token for publishing messages to the SAP CX workspace. Find more information here. |
| kyma-alerts-slack-api-url | Token for publishing messages to the SAP CX workspace. It is used by nightly and weekly Prow Jobs. |
| neighbors-alerts-slack-api-url | Publishes alerts to the private neighbors Slack channel. |
| kyma-azure-credential-* | Azure subscription and service principal credentials. |
| kyma-website-bot-* | Personal access token of the kyma-website-bot GitHub account. It is responsible for publishing the kyma-project.io website. |
| slack-webhook-kyma-ci-force | Slack webhook that points to the #kyma-ci-force channel. It is used by alertmanager. |
| slack-webhook-kyma-prow-alerts | Slack webhook that points to the #kyma-prow-alerts channel. It is used by alertmanager. |