cleanup of ko #12055

Merged
merged 3 commits into from
Oct 3, 2024

Conversation

akiioto
Contributor

@akiioto akiioto commented Oct 3, 2024

Description

Changes proposed in this pull request:

  • Remove Ko builds/jobs/occurrences
  • ...
  • ...

Related issue(s)

@akiioto akiioto requested review from neighbors-dev-bot and a team as code owners October 3, 2024 00:18
@akiioto akiioto requested review from dekiel and szumejker October 3, 2024 00:18
@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 3, 2024
dekiel
dekiel previously approved these changes Oct 3, 2024
Contributor

@dekiel dekiel left a comment

Please link PR to the issue.

@kyma-bot kyma-bot added the lgtm Looks good to me! label Oct 3, 2024
@kyma-bot kyma-bot removed the lgtm Looks good to me! label Oct 3, 2024
Sawthis
Sawthis previously approved these changes Oct 3, 2024
@kyma-bot kyma-bot added lgtm Looks good to me! destroy labels Oct 3, 2024
@kyma-bot
Contributor

kyma-bot commented Oct 3, 2024

Plan Result

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 12 to add, 9 to change, 12 to destroy.
  • Create
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-bot-github-token\n - kyma-bot-github-token\n trustedImages:\n # rel-api-gateway-goreleaser\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/bin\/bash","-c","mkdir -p \/prow-tools \\u0026\\u0026 ln -s \/usr\/local\/bin\/jobguard \/prow-tools\/jobguard \\u0026\\u0026 hack/release.sh"\],"container_name":"test",.$'\n # rel-kyma-cli\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","ci-release"\],"container_name":"test",.$'\n - image: "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/build-kyma-artifacts\.sh"\],"container_name":"test",.$'\n # skr-aws-upgrade-integration-dev\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/cluster-integration\/skr-aws-upgrade-integration-dev\.sh"\],"container_name":"test",.$'\n # post-telemetry-manager-release-module\n - image: "europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","release"\],"container_name":"test",.$'\n # 
pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/usersmapchecker"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: pjtester-kubeconfig\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - pjtester-kubeconfig\n - pjtester-github-oauth-token\n trustedImages:\n # pull-test-infra-pjtester\n - image: "europe-docker.pkg.dev/kyma-project/prod/pjtester:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/pjtester","--github-token-path=\/etc\/github\/oauth"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-syncer:"\n command:\n - 
/tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n name: psp-seccomp\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n allowedProfiles:\n - runtime/default\n - docker/default\n exemptImages:\n - "gcr.io/k8s-prow/entrypoint:"\n - "gcr.io/k8s-prow/initupload:"\n - "gcr.io/k8s-prow/clonerefs:"\n - "gcr.io/k8s-prow/sidecar:"\n - "aquasec/trivy:"\n - "eu.gcr.io/kyma-project/prow/cleaner:"\n - "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n - "eu.gcr.io/kyma-project/test-infra/buildpack-golang:"\n - "eu.gcr.io/kyma-project/test-infra/golangci-lint:"\n - "eu.gcr.io/kyma-project/test-infra/kyma-integration:"\n - "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n - "europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:"\n - "gcr.io/k8s-prow/generic-autobumper:"\n - "gcr.io/k8s-prow/ghproxy:"\n - "europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*""]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-autobump-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-autobump-bot-github-token\n trustedImages:\n # Prowjob name: post-test-infra-markdown-index-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/markdown-index:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.}$'\n # Prowjob name: test-infra-image-detector-autobump\n # Prowjob name: post-test-infra-image-detector-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-detector:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump-jobs\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^{."args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.}$'\n # ci-k8s-prow-autobump-testimages\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-sap-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-bot-github-sap-token\n trustedImages:\n # Prowjob name: pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/usersmapchecker"\],"container_name":"test",.*}$'"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-bot-github-token\n - kyma-bot-github-token\n trustedImages:\n # rel-api-gateway-goreleaser\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/bin\/bash","-c","mkdir -p \/prow-tools \\u0026\\u0026 ln -s \/usr\/local\/bin\/jobguard \/prow-tools\/jobguard \\u0026\\u0026 hack/release.sh"\],"container_name":"test",.$'\n # rel-kyma-cli\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","ci-release"\],"container_name":"test",.$'\n - image: "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/build-kyma-artifacts\.sh"\],"container_name":"test",.$'\n # skr-aws-upgrade-integration-dev\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/cluster-integration\/skr-aws-upgrade-integration-dev\.sh"\],"container_name":"test",.$'\n # post-telemetry-manager-release-module\n - image: "europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","release"\],"container_name":"test",.$'\n # 
pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/usersmapchecker"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: pjtester-kubeconfig\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - pjtester-kubeconfig\n - pjtester-github-oauth-token\n trustedImages:\n # pull-test-infra-pjtester\n - image: "europe-docker.pkg.dev/kyma-project/prod/pjtester:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/pjtester","--github-token-path=\/etc\/github\/oauth"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-syncer:"\n command:\n - 
/tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n name: psp-seccomp\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n allowedProfiles:\n - runtime/default\n - docker/default\n exemptImages:\n - "gcr.io/k8s-prow/entrypoint:"\n - "gcr.io/k8s-prow/initupload:"\n - "gcr.io/k8s-prow/clonerefs:"\n - "gcr.io/k8s-prow/sidecar:"\n - "aquasec/trivy:"\n - "eu.gcr.io/kyma-project/prow/cleaner:"\n - "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n - "eu.gcr.io/kyma-project/test-infra/buildpack-golang:"\n - "eu.gcr.io/kyma-project/test-infra/golangci-lint:"\n - "eu.gcr.io/kyma-project/test-infra/kyma-integration:"\n - "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n - "europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:"\n - "gcr.io/k8s-prow/generic-autobumper:"\n - "gcr.io/k8s-prow/ghproxy:"\n - "europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*""]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-autobump-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-autobump-bot-github-token\n trustedImages:\n # Prowjob name: post-test-infra-markdown-index-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/markdown-index:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.}$'\n # Prowjob name: test-infra-image-detector-autobump\n # Prowjob name: post-test-infra-image-detector-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-detector:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump-jobs\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^{."args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.}$'\n # ci-k8s-prow-autobump-testimages\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-sap-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-bot-github-sap-token\n trustedImages:\n # Prowjob name: pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/usersmapchecker"\],"container_name":"test",.*}$'"]
  • Update
    • google_artifact_registry_repository.dockerhub_mirror
    • kubectl_manifest.automated_approver["/apis/apps/v1/namespaces/default/deployments/automated-approver"]
    • module.cors_proxy.google_cloud_run_service.cors_proxy
    • module.github_webhook_gateway.google_cloud_run_service.github_webhook_gateway
    • module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover
    • module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator
    • module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder
    • module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner
    • module.security_dashboard_token.google_cloud_run_service.security_dashboard_token
  • Delete
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-bot-github-token\n - kyma-bot-github-token\n trustedImages:\n # rel-api-gateway-goreleaser\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/bin\/bash","-c","mkdir -p \/prow-tools \\u0026\\u0026 ln -s \/usr\/local\/bin\/jobguard \/prow-tools\/jobguard \\u0026\\u0026 hack/release.sh"\],"container_name":"test",.$'\n # rel-kyma-cli\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","ci-release"\],"container_name":"test",.$'\n - image: "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/build-kyma-artifacts\.sh"\],"container_name":"test",.$'\n # skr-aws-upgrade-integration-dev\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/cluster-integration\/skr-aws-upgrade-integration-dev\.sh"\],"container_name":"test",.$'\n # post-telemetry-manager-release-module\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-gcloud:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^."args":\["make","release"\],"container_name":"test",.$'\n # pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/ko-app/usersmapchecker"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: pjtester-kubeconfig\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - pjtester-kubeconfig\n - pjtester-github-oauth-token\n trustedImages:\n # pull-test-infra-pjtester\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/pjtester:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/pjtester","--github-token-path=\/etc\/github\/oauth"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n #post-test-infra-ko-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: 
"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-syncer:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/ko-app/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n name: psp-seccomp\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n allowedProfiles:\n - runtime/default\n - docker/default\n exemptImages:\n - "gcr.io/k8s-prow/entrypoint:"\n - "gcr.io/k8s-prow/initupload:"\n - "gcr.io/k8s-prow/clonerefs:"\n - "gcr.io/k8s-prow/sidecar:"\n - "aquasec/trivy:"\n - "eu.gcr.io/kyma-project/prow/cleaner:"\n - "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n - "eu.gcr.io/kyma-project/test-infra/buildpack-golang:"\n - "eu.gcr.io/kyma-project/test-infra/golangci-lint:"\n - "eu.gcr.io/kyma-project/test-infra/kyma-integration:"\n - "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n - "europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:"\n - "gcr.io/k8s-prow/generic-autobumper:"\n - "gcr.io/k8s-prow/ghproxy:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-gcloud:*""]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-autobump-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-autobump-bot-github-token\n trustedImages:\n # Prowjob name: post-test-infra-markdown-index-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/markdown-index:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.}$'\n # Prowjob name: test-infra-image-detector-autobump\n # Prowjob name: post-test-infra-image-detector-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump-jobs\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^{."args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.}$'\n # ci-k8s-prow-autobump-testimages\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-sap-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-bot-github-sap-token\n trustedImages:\n # Prowjob name: pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/ko-app/usersmapchecker"\],"container_name":"test",.*}$'"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-bot-github-token\n - kyma-bot-github-token\n trustedImages:\n # rel-api-gateway-goreleaser\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/bin\/bash","-c","mkdir -p \/prow-tools \\u0026\\u0026 ln -s \/usr\/local\/bin\/jobguard \/prow-tools\/jobguard \\u0026\\u0026 hack/release.sh"\],"container_name":"test",.$'\n # rel-kyma-cli\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["make","ci-release"\],"container_name":"test",.$'\n - image: "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/build-kyma-artifacts\.sh"\],"container_name":"test",.$'\n # skr-aws-upgrade-integration-dev\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^."args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/cluster-integration\/skr-aws-upgrade-integration-dev\.sh"\],"container_name":"test",.$'\n # post-telemetry-manager-release-module\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-gcloud:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^."args":\["make","release"\],"container_name":"test",.$'\n # pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/ko-app/usersmapchecker"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: pjtester-kubeconfig\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - pjtester-kubeconfig\n - pjtester-github-oauth-token\n trustedImages:\n # pull-test-infra-pjtester\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/pjtester:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/pjtester","--github-token-path=\/etc\/github\/oauth"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n #post-test-infra-ko-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: 
"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-syncer:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/ko-app/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n name: psp-seccomp\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n allowedProfiles:\n - runtime/default\n - docker/default\n exemptImages:\n - "gcr.io/k8s-prow/entrypoint:"\n - "gcr.io/k8s-prow/initupload:"\n - "gcr.io/k8s-prow/clonerefs:"\n - "gcr.io/k8s-prow/sidecar:"\n - "aquasec/trivy:"\n - "eu.gcr.io/kyma-project/prow/cleaner:"\n - "eu.gcr.io/kyma-project/test-infra/bootstrap:"\n - "eu.gcr.io/kyma-project/test-infra/buildpack-golang:"\n - "eu.gcr.io/kyma-project/test-infra/golangci-lint:"\n - "eu.gcr.io/kyma-project/test-infra/kyma-integration:"\n - "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:"\n - "europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:"\n - "gcr.io/k8s-prow/generic-autobumper:"\n - "gcr.io/k8s-prow/ghproxy:"\n - "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-gcloud:*""]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-autobump-bot-github-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-autobump-bot-github-token\n trustedImages:\n # Prowjob name: post-test-infra-markdown-index-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/markdown-index:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.}$'\n # Prowjob name: test-infra-image-detector-autobump\n # Prowjob name: post-test-infra-image-detector-autobump\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["\/ko-app\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.}$'\n # Prowjob name: ci-prow-autobump-jobs\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: 
'^{."args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.}$'\n # ci-k8s-prow-autobump-testimages\n - image: "gcr.io/k8s-prow/generic-autobumper:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: []\n args: []"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: kyma-bot-github-sap-token\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n parameters:\n restrictedSecrets:\n - kyma-bot-github-sap-token\n trustedImages:\n # Prowjob name: pre-main-check-users-map\n - image: "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:"\n command:\n - /tools/entrypoint\n args: []\n entrypoint_options: '^{."args":\["/ko-app/usersmapchecker"\],"container_name":"test",.*}$'"]
Change Result
  # google_artifact_registry_repository.dockerhub_mirror will be updated in-place
  ~ resource "google_artifact_registry_repository" "dockerhub_mirror" {
      ~ description            = "Remote repository mirroring Docker Hub" -> "Remote repository mirroring Docker Hub. For more details, see https://github.tools.sap/kyma/oci-image-builder/blob/main/README.md"
        id                     = "projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror"
        name                   = "dockerhub-mirror"
        # (11 unchanged attributes hidden)

      + cleanup_policies {
          + action = "DELETE"
          + id     = "cleanup-old-images"

          + condition {
              + older_than            = "730d"
              + package_name_prefixes = []
              + tag_prefixes          = []
              + tag_state             = "ANY"
              + version_name_prefixes = []
            }
        }

        # (1 unchanged block hidden)
    }
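Review bot: the `cleanup_policies` block added to `dockerhub_mirror` is outside this PR's stated scope (removing Ko builds and jobs), so confirm it is intended to ship with this apply rather than being drift picked up from another change. As written, `action = "DELETE"` with `tag_state = "ANY"` and empty `tag_prefixes` and `package_name_prefixes` applies to every image version older than `730d`, tagged or not. If that retention is what is wanted, check whether `cleanup_policy_dry_run` is set among the hidden attributes so the first policy run can be observed before anything is deleted.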

  # kubectl_manifest.automated_approver["/apis/apps/v1/namespaces/default/deployments/automated-approver"] will be updated in-place
  ~ resource "kubectl_manifest" "automated_approver" {
        id                      = "/apis/apps/v1/namespaces/default/deployments/automated-approver"
        name                    = "automated-approver"
      ~ yaml_body               = (sensitive value)
      ~ yaml_body_parsed        = <<-EOT
            apiVersion: apps/v1
            kind: Deployment
            metadata:
              labels:
                app: automated-approver
              name: automated-approver
              namespace: default
            spec:
              selector:
                matchLabels:
                  app: automated-approver
              template:
                metadata:
                  labels:
                    app: automated-approver
                spec:
                  containers:
                  - args:
                    - --dry-run=false
                    - --port=8080
                    - --hmac-secret-file=/etc/webhook/hmac
                    - --log-level=info
                    - --github-endpoint=http://ghproxy
                    - --github-endpoint=https://api.github.com
                    - --github-token-path=/etc/github/oauth
                    - --rules-path=/etc/config/rules.yaml
                    - --wait-for-statuses-timeout=1800
          -         image: europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/automated-approver:v20241003-9d1845c9
          +         image: europe-docker.pkg.dev/kyma-project/prod/automated-approver:v20241002-aac0cb23
                    imagePullPolicy: Always
                    name: automated-approver
                    ports:
                    - containerPort: 8080
                      name: http
                    volumeMounts:
                    - mountPath: /etc/webhook
                      name: hmac
                      readOnly: true
                    - mountPath: /etc/github
                      name: oauth
                      readOnly: true
                    - mountPath: /etc/config
                      name: rules
                      readOnly: true
                  volumes:
                  - name: hmac
                    secret:
                      secretName: hmac-token
                  - name: oauth
                    secret:
                      secretName: neighbors-dev-bot-github-token
                  - configMap:
                      items:
                      - key: rules
                        path: rules.yaml
                      name: automated-approver-rules
                    name: rules
        EOT
        # (14 unchanged attributes hidden)
    }
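Review bot: the replacement tag on the `image:` line carries an earlier date prefix than the one it replaces (`v20241003-9d1845c9` becomes `v20241002-aac0cb23`), so this apply moves automated-approver to an earlier build as well as to the non-ko path. Confirm that `prod/automated-approver:v20241002-aac0cb23` exists and contains everything from `9d1845c9` that the deployment relies on; the same tag pair recurs in the Cloud Run service hunks that follow. Because this pod mounts `hmac-token` and `neighbors-dev-bot-github-token` and runs with `imagePullPolicy: Always`, referencing the image by digest instead of a tag would make what runs next to those secrets reproducible.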

  # module.cors_proxy.google_cloud_run_service.cors_proxy will be updated in-place
  ~ resource "google_cloud_run_service" "cors_proxy" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy"
        name                       = "cors-proxy"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/cors-proxy:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/cors-proxy:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (6 unchanged blocks hidden)
                }
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.github_webhook_gateway.google_cloud_run_service.github_webhook_gateway will be updated in-place
  ~ resource "google_cloud_run_service" "github_webhook_gateway" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/github-webhook-gateway"
        name                       = "github-webhook-gateway"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/github-webhook-gateway:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/github-webhook-gateway:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (12 unchanged blocks hidden)
                }

                # (2 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover will be updated in-place
  ~ resource "google_cloud_run_service" "gcs_bucket_mover" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover"
        name                       = "gcs-bucket-mover"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/move-gcs-bucket:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/move-gcs-bucket:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (9 unchanged blocks hidden)
                }
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator will be updated in-place
  ~ resource "google_cloud_run_service" "github_issue_creator" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator"
        name                       = "github-issue-creator"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/create-github-issue:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/create-github-issue:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (11 unchanged blocks hidden)
                }

                # (1 unchanged block hidden)
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder will be updated in-place
  ~ resource "google_cloud_run_service" "github_issue_finder" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder"
        name                       = "github-issue-finder"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/search-github-issue:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/search-github-issue:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (11 unchanged blocks hidden)
                }

                # (1 unchanged block hidden)
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner will be updated in-place
  ~ resource "google_cloud_run_service" "secrets_leak_log_scanner" {
        id                         = "locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner"
        name                       = "secrets-leak-log-scanner"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/scan-logs-for-secrets:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/scan-logs-for-secrets:v20241002-aac0cb23"
                    # (2 unchanged attributes hidden)

                    # (7 unchanged blocks hidden)
                }
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.security_dashboard_token.google_cloud_run_service.security_dashboard_token will be updated in-place
  ~ resource "google_cloud_run_service" "security_dashboard_token" {
        id                         = "locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token"
        name                       = "security-dashboard-token"
        # (4 unchanged attributes hidden)

      ~ template {
          ~ spec {
                # (3 unchanged attributes hidden)

              ~ containers {
                  ~ image   = "europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/dashboard-token-proxy:v20241003-9d1845c9" -> "europe-docker.pkg.dev/kyma-project/prod/dashboard-token-proxy:v20241002-aac0cb23"
                    name    = "dashboard-token-proxy-1"
                    # (2 unchanged attributes hidden)

                    # (6 unchanged blocks hidden)
                }
            }

            # (1 unchanged block hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-bot-github-token\n      - kyma-bot-github-token\n    trustedImages:\n      # rel-api-gateway-goreleaser\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/bin\\/bash\",\"-c\",\"mkdir -p \\/prow-tools \\\\u0026\\\\u0026 ln -s \\/usr\\/local\\/bin\\/jobguard \\/prow-tools\\/jobguard \\\\u0026\\\\u0026 hack/release.sh\"\\],\"container_name\":\"test\",.*$'\n      # rel-kyma-cli\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"ci-release\"\\],\"container_name\":\"test\",.*$'\n      - image: \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/build-kyma-artifacts\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # skr-aws-upgrade-integration-dev\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: 
'^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/cluster-integration\\/skr-aws-upgrade-integration-dev\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # post-telemetry-manager-release-module\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"release\"\\],\"container_name\":\"test\",.*$'\n      # pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "kyma-bot-github-token"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: kyma-bot-github-token
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - kyma-bot-github-token
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^.*"args":\["\/bin\/bash","-c","mkdir -p \/prow-tools \\u0026\\u0026
                    ln -s \/usr\/local\/bin\/jobguard \/prow-tools\/jobguard \\u0026\\u0026 hack/release.sh"\],"container_name":"test",.*$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^.*"args":\["make","ci-release"\],"container_name":"test",.*$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^.*"args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/build-kyma-artifacts\.sh"\],"container_name":"test",.*$
                  image: eu.gcr.io/kyma-project/test-infra/bootstrap:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^.*"args":\["\/home\/prow\/go\/src\/github\.com\/kyma-project\/test-infra\/prow\/scripts\/cluster-integration\/skr-aws-upgrade-integration-dev\.sh"\],"container_name":"test",.*$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^.*"args":\["make","release"\],"container_name":"test",.*$
                  image: europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["/usersmapchecker"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }
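Review bot: in the new `trustedImages` list the `buildpack-go` and `e2e-gcloud` entries lose the `testimages/` path segment (`prod/buildpack-go:*`, `prod/e2e-gcloud:*`) while `e2e-dind-nodejs` keeps it (`prod/testimages/e2e-dind-nodejs:*`). The constraint being destroyed used `prod/testimages/buildpack-go:*` and `prod/testimages/e2e-gcloud:*`, and neither image sat under the `test-infra/ko/` path this PR cleans up. Unless both images are now published at the shorter path, the rel-api-gateway-goreleaser, rel-kyma-cli and post-telemetry-manager-release-module pods will stop matching and be refused `kyma-bot-github-token` under `enforcementAction: deny`. Either restore `testimages/` on those three entries or confirm the images exist at the new location before applying.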

  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-bot-github-token\n      - kyma-bot-github-token\n    trustedImages:\n      # rel-api-gateway-goreleaser\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/bin\\/bash\",\"-c\",\"mkdir -p \\/prow-tools \\\\u0026\\\\u0026 ln -s \\/usr\\/local\\/bin\\/jobguard \\/prow-tools\\/jobguard \\\\u0026\\\\u0026 hack/release.sh\"\\],\"container_name\":\"test\",.*$'\n      # rel-kyma-cli\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"ci-release\"\\],\"container_name\":\"test\",.*$'\n      - image: \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/build-kyma-artifacts\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # skr-aws-upgrade-integration-dev\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: 
'^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/cluster-integration\\/skr-aws-upgrade-integration-dev\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # post-telemetry-manager-release-module\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-gcloud:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"release\"\\],\"container_name\":\"test\",.*$'\n      # pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/ko-app/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"] will be destroyed
  # (because key ["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-token\nspec:\n  enforcementAction: deny\n 

# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...

trypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/test-infra-autobump-config\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # ci-k8s-prow-autobump-testimages\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=config\\/prow\\/autobump-config\\/kyma-testimages-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow,skip-review\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "kyma-autobump-bot-github-token"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: kyma-autobump-bot-github-token
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
              parameters:
                restrictedSecrets:
                - kyma-autobump-bot-github-token
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/markdown-index:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-detector:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }
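
Review bot: In the created kyma-autobump-bot-github-token constraint, the entrypoint_options patterns for markdown-index and image-detector start the first argument with `\\/` (`\["\\/markdown-index"` and `\["\\/image-detector"`), whereas the destroyed resource used `\/ko-app\/markdown-index` and the new usersmapchecker pattern uses a plain `/usersmapchecker`. In a regex, `\\/` matches a literal backslash followed by a slash, so unless the entrypoint options string really contains `\/markdown-index`, these two entries will not match and the pods will be denied the kyma-autobump-bot-github-token secret under enforcementAction: deny. Suggest `\["\/markdown-index"` and `\["\/image-detector"`, and checking the patterns against an actual pod's entrypoint options before the apply.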

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-autobump-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-autobump-bot-github-token\n    trustedImages:\n      # Prowjob name: post-test-infra-markdown-index-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/markdown-index:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\/ko-app\\/markdown-index\",\"--config=configs\\/autobump-config\\/test-infra-markdown-index-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/documentation\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: test-infra-image-detector-autobump\n      # Prowjob name: post-test-infra-image-detector-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\/ko-app\\/image-detector\",\"--prow-config=prow\\/config\\.yaml\",\"--prow-jobs-dir=prow\\/jobs\",\"--terraform-dir=configs\\/terraform\",\"--sec-scanner-config=sec-scanners-config\\.yaml\",\"--kubernetes-dir=prow\\/cluster\\/components\",\"--autobump-config=configs\\/autobump-config\\/test-infra-sec-config-autobump-config\\.yaml\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/prow-cluster-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: 
ci-prow-autobump-jobs\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/test-infra-autobump-config\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # ci-k8s-prow-autobump-testimages\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=config\\/prow\\/autobump-config\\/kyma-testimages-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow,skip-review\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"] will be destroyed
  # (because key ["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-autobump-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-autobump-bot-github-token\n    trustedImages:\n      # Prowjob name: post-test-infra-markdown-index-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/markdown-index:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\/ko-app\\/markdown-index\",\"--config=configs\\/autobump-config\\/test-infra-markdown-index-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/documentation\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: test-infra-image-detector-autobump\n      # Prowjob name: post-test-infra-image-detector-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\/ko-app\\/image-detector\",\"--prow-config=prow\\/config\\.yaml\",\"--prow-jobs-dir=prow\\/jobs\",\"--terraform-dir=configs\\/terraform\",\"--sec-scanner-config=sec-scanners-config\\.yaml\",\"--kubernetes-dir=prow\\/cluster\\/components\",\"--autobump-config=configs\\/autobump-config\\/test-infra-sec-config-autobump-config\\.yaml\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/prow-cluster-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump-jobs\n      - image: 
\"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/test-infra-autobump-config\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # ci-k8s-prow-autobump-testimages\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=config\\/prow\\/autobump-config\\/kyma-testimages-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow,skip-review\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-autobump-bot-github-token" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "28b17da0-c0ef-499b-b6d6-02dec945cecc" -> null
      - name                    = "kyma-autobump-bot-github-token" -> null
      - server_side_apply       = false -> null
      - uid                     = "28b17da0-c0ef-499b-b6d6-02dec945cecc" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: kyma-autobump-bot-github-token
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
              parameters:
                restrictedSecrets:
                - kyma-autobump-bot-github-token
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/ko-app\/markdown-index","--config=configs\/autobump-config\/test-infra-markdown-index-autobump-config\.yaml","--labels-override=kind\/chore,area\/documentation"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/markdown-index:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/ko-app\/image-detector","--prow-config=prow\/config\.yaml","--prow-jobs-dir=prow\/jobs","--terraform-dir=configs\/terraform","--sec-scanner-config=sec-scanners-config\.yaml","--kubernetes-dir=prow\/cluster\/components","--autobump-config=configs\/autobump-config\/test-infra-sec-config-autobump-config\.yaml"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/image-detector:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=configs\/autobump-config\/prow-cluster-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=configs\/autobump-config\/test-infra-autobump-config\.yaml","--labels-override=skip-review,area\/ci,kind\/chore"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["generic-autobumper","--config=config\/prow\/autobump-config\/kyma-testimages-autobump-config\.yaml","--labels-override=kind\/chore,area\/prow,skip-review"\],"container_name":"test",.*}$
                  image: gcr.io/k8s-prow/generic-autobumper:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-sap-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-bot-github-sap-token\n    trustedImages:\n      # Prowjob name: pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/ko-app/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'"] will be destroyed
  # (because key ["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-sap-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-bot-github-sap-token\n    trustedImages:\n      # Prowjob name: pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/ko-app/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-bot-github-sap-token" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "ccb085b6-53ae-4e4a-be64-337780accdb9" -> null
      - name                    = "kyma-bot-github-sap-token" -> null
      - server_side_apply       = false -> null
      - uid                     = "ccb085b6-53ae-4e4a-be64-337780accdb9" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: kyma-bot-github-sap-token
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
              parameters:
                restrictedSecrets:
                - kyma-bot-github-sap-token
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["/ko-app/usersmapchecker"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/usersmapchecker:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-sap-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-bot-github-sap-token\n    trustedImages:\n      # Prowjob name: pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "kyma-bot-github-sap-token"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: kyma-bot-github-sap-token
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
              parameters:
                restrictedSecrets:
                - kyma-bot-github-sap-token
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["/usersmapchecker"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*
        EOT
      + yaml_incluster          = (sensitive value)
    }

Plan: 12 to add, 9 to change, 12 to destroy.

Sawthis commented Oct 3, 2024

#9434

@kyma-bot kyma-bot removed the lgtm Looks good to me! label Oct 3, 2024
@kyma-bot kyma-bot added the lgtm Looks good to me! label Oct 3, 2024

kyma-bot commented Oct 3, 2024

@akiioto: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-main-build-testimages | 0bbc9e8 | link | true | /test pull-main-build-testimages |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sawthis commented Oct 3, 2024

/override pull-test-infra-ko-build

kyma-bot commented Oct 3, 2024

@Sawthis: Overrode contexts on behalf of Sawthis: pull-test-infra-ko-build

In response to this:

/override pull-test-infra-ko-build

@kyma-bot kyma-bot merged commit acbac28 into kyma-project:main Oct 3, 2024
72 checks passed

kyma-bot commented Oct 3, 2024

@akiioto: Updated the job-config configmap in namespace default at cluster default using the following files:

  • key image-syncer.yaml using file prow/jobs/kyma-project/test-infra/image-syncer.yaml
  • key ko-build.yaml using file ``
  • key kyma-bot.yaml using file prow/jobs/kyma-project/test-infra/kyma-bot.yaml
  • key periodics.yaml using file prow/jobs/kyma-project/test-infra/periodics.yaml
  • key pjtester.yaml using file prow/jobs/kyma-project/test-infra/pjtester.yaml
  • key prow-periodics.yaml using file prow/jobs/kyma-project/test-infra/prow-periodics.yaml
  • key validation.yaml using file prow/jobs/kyma-project/test-infra/validation.yaml

In response to this:

Description

Changes proposed in this pull request:

  • Remove Ko builds/jobs/occurrences
  • ...
  • ...

Related issue(s)

kyma-bot commented Oct 3, 2024

❌ Apply Result

CI link

Error: Error updating Repository "projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror": googleapi: Error 400: Invalid value at 'repository.cleanup_policies[0].value.condition.older_than' (type.googleapis.com/google.protobuf.Duration), Field 'olderThan', Illegal duration format; duration must end with 's'
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value at 'repository.cleanup_policies[0].value.condition.older_than' (type.googleapis.com/google.protobuf.Duration), Field 'olderThan', Illegal duration format; duration must end with 's'",
        "field": "repository.cleanup_policies[0].value.condition.older_than"
      }
    ]
  }
]

  with google_artifact_registry_repository.dockerhub_mirror,
  on image-builder.tf line 91, in resource "google_artifact_registry_repository" "dockerhub_mirror":
  91: resource "google_artifact_registry_repository" "dockerhub_mirror" {
Details (Click me)
Acquiring state lock. This may take a few moments...
data.kubectl_file_documents.automated_approver: Reading...
data.kubectl_file_documents.automated_approver_rules: Reading...
data.kubectl_file_documents.automated_approver_rules: Read complete after 0s [id=48d07f870c26a37d3a48229fcc9cd29ae14bea83cf200e4e8326e5d755a1e790]
data.kubectl_file_documents.automated_approver: Read complete after 0s [id=3146b32a8f85d517569daf0d35258534d5bd5e9ebae3944023433f4710c8c249]
github_actions_organization_variable.image_builder_ado_pat_gcp_secret_name: Refreshing state... [id=IMAGE_BUILDER_ADO_PAT_GCP_SECRET_NAME]
data.github_repository.test_infra: Reading...
github_actions_variable.github_terraform_planner_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_PLANNER_SECRET_NAME]
data.github_organization.kyma-project: Reading...
github_actions_variable.github_terraform_executor_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_EXECUTOR_SECRET_NAME]
github_actions_organization_variable.gcp_kyma_project_project_id: Refreshing state... [id=GCP_KYMA_PROJECT_PROJECT_ID]
data.github_repository.gitleaks_repository["test-infra"]: Reading...
module.artifact_registry["modules-internal"].data.google_client_config.this: Reading...
google_service_account.kyma_project_image_builder: Refreshing state... [id=projects/kyma-project/serviceAccounts/azure-pipeline-image-builder@kyma-project.iam.gserviceaccount.com]
google_artifact_registry_repository.prod_docker_repository: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod]
google_container_cluster.trusted_workload: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.service_account_keys_rotator.google_project_service_identity.pubsub_identity_agent: Refreshing state... [id=projects/sap-kyma-prow/services/pubsub.googleapis.com]
google_service_account.secret-manager-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-trusted@sap-kyma-prow.iam.gserviceaccount.com]
module.artifact_registry["modules-internal"].data.google_client_config.this: Read complete after 0s [id=projects/"kyma-project"/regions/"europe-west4"/zones/<null>]
data.google_container_cluster.untrusted_workload_k8s_cluster: Reading...
google_service_account.image_syncer_reader: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-reader@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-secret-update: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-secret-update@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-prowjob-gcp-logging-client: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prowjob-gcp-logging-client@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa_gke_kyma_integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.neighbors-conduit-cli-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/neighbors-conduit-cli-builder@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-kyma-artifacts: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-artifacts@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-security-scanners: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-security-scanners@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_service_account.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.google_pubsub_topic.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled]
module.cors_proxy.google_cloud_run_service.cors_proxy: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy]
google_service_account.image_syncer_writer: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-writer@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
google_service_account.firebase-adminsdk-udzxq: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/firebase-adminsdk-udzxq@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.secret-manager-untrusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-untrusted@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
module.service_account_keys_rotator.data.google_project.project: Reading...
module.security_dashboard_token.data.google_iam_policy.noauth: Reading...
module.security_dashboard_token.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.github_webhook_gateway.google_service_account.github_webhook_gateway: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.data.google_project.project: Reading...
google_service_account.sa-prow-pubsub: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-pubsub@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-vm-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-vm-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-kyma-dns-serviceuser: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-dns-serviceuser@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-gcr-kyma-project-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcr-kyma-project-trusted@sap-kyma-prow.iam.gserviceaccount.com]
google_dns_managed_zone.build_kyma: Refreshing state... [id=projects/sap-kyma-prow/managedZones/build-kyma]
google_service_account.secrets-rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
module.slack_message_sender.google_monitoring_alert_policy.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/17360148176148949136]
google_service_account.sa-security-dashboard-oauth: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-security-dashboard-oauth@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gcr-cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcr-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.google_service_account.signify_secret_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-prow-job-resource-cleaners: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-job-resource-cleaners@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_service_account.terraform-planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-submission-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-submission-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gitleaks-secret-accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gitleaks_secret_accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.counduit-cli-bucket: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/counduit-cli-bucket@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-oci-image-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-oci-image-builder@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Reading...
module.signify_secret_rotator.data.google_project.project: Reading...
google_service_account.control-plane: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/control-plane@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gencred-refresher: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gencred-refresher@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret]
google_service_account.kyma-compliance-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-compliance-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.secret-manager-prow: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-prow@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.test_infra: Read complete after 2s [id=test-infra]
google_service_account.sa-gcs-plank: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcs-plank@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_service_account.service_account_keys_cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Refreshing state... [id=locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token]
data.google_container_cluster.prow_k8s_cluster: Reading...
google_service_account.sa-dev-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-dev-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-prow-deploy: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-deploy@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform_executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.gitleaks_repository["test-infra"]: Read complete after 1s [id=test-infra]
google_service_account.terraform_planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_artifact_registry_repository.dockerhub_mirror: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror]
data.google_client_config.gcp: Reading...
module.github_webhook_gateway.data.google_project.project: Reading...
module.cors_proxy.data.google_iam_policy.noauth: Reading...
module.cors_proxy.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
google_service_account.terraform-executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_service_account.sa-gke-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
data.google_pubsub_topic.secret-manager-notifications-topic: Reading...
data.google_container_cluster.trusted_workload_k8s_cluster: Reading...
data.google_container_cluster.untrusted_workload_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/untrusted-workload-kyma-prow]
google_pubsub_topic.secrets_rotator_dead_letter: Refreshing state... [id=projects/sap-kyma-prow/topics/secrets-rotator-dead-letter]
data.google_client_config.gcp: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
module.security_dashboard_token.data.google_project.project: Reading...
data.google_pubsub_topic.secret-manager-notifications-topic: Read complete after 0s [id=projects/sap-kyma-prow/topics/secret-manager-notifications]
module.cors_proxy.data.google_project.project: Reading...
module.github_webhook_gateway.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
module.service_account_keys_rotator.google_service_account.service_account_keys_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_iam_policy.noauth: Reading...
module.github_webhook_gateway.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Reading...
module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/modules-internal]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/common-slack-bot-token]
github_actions_organization_variable.image_syncer_reader_service_account_email: Refreshing state... [id=IMAGE_SYNCER_READER_SERVICE_ACCOUNT_EMAIL]
module.security_dashboard_token.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_project_iam_binding.dns_collector_dns_reader: Refreshing state... [id=sap-kyma-prow/roles/dns.reader]
module.cors_proxy.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_project_iam_binding.dns_collector_bucket_get: Refreshing state... [id=sap-kyma-prow/projects/sap-kyma-prow/roles/BucketGet]
google_project_iam_binding.dns_collector_container_analysis_occurrences_viewer: Refreshing state... [id=sap-kyma-prow/roles/containeranalysis.occurrences.viewer]
module.slack_message_sender.data.google_iam_policy.run_invoker: Reading...
module.slack_message_sender.data.google_iam_policy.run_invoker: Read complete after 0s [id=1526577908]
module.slack_message_sender.google_project_iam_member.project_run_invoker: Refreshing state... [id=sap-kyma-prow/roles/run.invoker/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_organization_variable.image_syncer_writer_service_account_email: Refreshing state... [id=IMAGE_SYNCER_WRITER_SERVICE_ACCOUNT_EMAIL]
module.github_webhook_gateway.google_pubsub_topic_iam_binding.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled/roles/pubsub.publisher]
data.google_container_cluster.prow_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west3-a/clusters/prow]
module.github_webhook_gateway.google_secret_manager_secret_iam_member.gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod/roles/artifactregistry.createOnPushWriter/serviceAccount:image-syncer-writer@sap-kyma-prow.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.image_syncer_prod_repo_reader: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod/roles/artifactregistry.reader/serviceAccount:image-syncer-reader@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.google_project_iam_binding.pubsub_project_token_creator: Refreshing state... [id=sap-kyma-prow/roles/iam.serviceAccountTokenCreator]
module.signify_secret_rotator.google_cloud_run_service.signify_secret_rotator: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/signify-secret-rotator]
module.github_webhook_gateway.google_secret_manager_secret_iam_member.webhook_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret/roles/secretmanager.secretAccessor/serviceAccount:github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_variable.kyma_autobump_bot_github_token_secret_name: Refreshing state... [id=test-infra:KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME]
module.service_account_keys_cleaner.google_project_iam_member.service_account_keys_cleaner_secret_viewer: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.viewer/serviceAccount:sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_project_iam_member.service_account_keys_cleaner_sa_keys_admin: Refreshing state... [id=sap-kyma-prow/roles/iam.serviceAccountKeyAdmin/serviceAccount:sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.trusted_workload_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.service_account_keys_cleaner.google_project_iam_member.service_account_keys_cleaner_secrets_versions_manager: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretVersionManager/serviceAccount:sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_cloud_run_service.service_account_keys_cleaner: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-cleaner]
google_project_iam_member.terraform_executor_prow_project_owner: Refreshing state... [id=sap-kyma-prow/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_variable.gcp_terraform_executor_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_EXECUTOR_SERVICE_ACCOUNT_EMAIL]
google_project_iam_member.terraform_executor_workloads_project_owner: Refreshing state... [id=sap-kyma-prow-workloads/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account_iam_binding.terraform_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
github_actions_variable.gcp_terraform_planner_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL]
google_service_account_iam_binding.terraform_planner_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
google_storage_bucket_iam_binding.planner_state_bucket_write_access: Refreshing state... [id=b/tf-state-kyma-project/roles/storage.objectUser]
google_project_iam_member.terraform_planner_workloads_project_read_access["roles/viewer"]: Refreshing state... [id=sap-kyma-prow-workloads/roles/viewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/storage.objectViewer"]: Refreshing state... [id=sap-kyma-prow/roles/storage.objectViewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/viewer"]: Refreshing state... [id=sap-kyma-prow/roles/viewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_rea

# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...

,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"]: Creating...
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: pjtester-kubeconfig\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - pjtester-kubeconfig\n      - pjtester-github-oauth-token\n    trustedImages:\n      # pull-test-infra-pjtester\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/pjtester:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\\\/pjtester\",\"--github-token-path=\\/etc\\/github\\/oauth\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Creating...
module.cors_proxy.google_cloud_run_service.cors_proxy: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Modifying... [id=locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n  name: psp-seccomp\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    allowedProfiles:\n      - runtime/default\n      - docker/default\n    exemptImages:\n      - \"gcr.io/k8s-prow/entrypoint:*\"\n      - \"gcr.io/k8s-prow/initupload:*\"\n      - \"gcr.io/k8s-prow/clonerefs:*\"\n      - \"gcr.io/k8s-prow/sidecar:*\"\n      - \"aquasec/trivy:*\"\n      - \"eu.gcr.io/kyma-project/prow/cleaner:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/buildpack-golang:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/golangci-lint:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/kyma-integration:*\"\n      - \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:*\"\n      - \"gcr.io/k8s-prow/generic-autobumper:*\"\n      - \"gcr.io/k8s-prow/ghproxy:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*\""]: Creation complete after 3s [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spspseccomps/psp-seccomp]
google_artifact_registry_repository.dockerhub_mirror: Modifying... [id=projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror]
module.github_webhook_gateway.google_cloud_run_service.github_webhook_gateway: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-webhook-gateway]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-sap-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-bot-github-sap-token\n    trustedImages:\n      # Prowjob name: pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'"]: Creation complete after 4s [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-bot-github-sap-token]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-autobump-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - kyma-autobump-bot-github-token\n    trustedImages:\n      # Prowjob name: post-test-infra-markdown-index-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/markdown-index:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\\\/markdown-index\",\"--config=configs\\/autobump-config\\/test-infra-markdown-index-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/documentation\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: test-infra-image-detector-autobump\n      # Prowjob name: post-test-infra-image-detector-autobump\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-detector:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\\\/image-detector\",\"--prow-config=prow\\/config\\.yaml\",\"--prow-jobs-dir=prow\\/jobs\",\"--terraform-dir=configs\\/terraform\",\"--sec-scanner-config=sec-scanners-config\\.yaml\",\"--kubernetes-dir=prow\\/cluster\\/components\",\"--autobump-config=configs\\/autobump-config\\/test-infra-sec-config-autobump-config\\.yaml\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/prow-cluster-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump-jobs\n      - image: 
\"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=configs\\/autobump-config\\/test-infra-autobump-config\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # ci-k8s-prow-autobump-testimages\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=config\\/prow\\/autobump-config\\/kyma-testimages-autobump-config\\.yaml\",\"--labels-override=kind\\/chore,area\\/prow,skip-review\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Creation complete after 4s [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-autobump-bot-github-token]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: kyma-bot-github-token\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-bot-github-token\n      - kyma-bot-github-token\n    trustedImages:\n      # rel-api-gateway-goreleaser\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/bin\\/bash\",\"-c\",\"mkdir -p \\/prow-tools \\\\u0026\\\\u0026 ln -s \\/usr\\/local\\/bin\\/jobguard \\/prow-tools\\/jobguard \\\\u0026\\\\u0026 hack/release.sh\"\\],\"container_name\":\"test\",.*$'\n      # rel-kyma-cli\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"ci-release\"\\],\"container_name\":\"test\",.*$'\n      - image: \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/build-kyma-artifacts\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # skr-aws-upgrade-integration-dev\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: 
'^.*\"args\":\\[\"\\/home\\/prow\\/go\\/src\\/github\\.com\\/kyma-project\\/test-infra\\/prow\\/scripts\\/cluster-integration\\/skr-aws-upgrade-integration-dev\\.sh\"\\],\"container_name\":\"test\",.*$'\n      # post-telemetry-manager-release-module\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^.*\"args\":\\[\"make\",\"release\"\\],\"container_name\":\"test\",.*$'\n      # pre-main-check-users-map\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/usersmapchecker:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"/usersmapchecker\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Creation complete after 4s [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-bot-github-token]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder]
module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPSeccomp\nmetadata:\n  name: psp-seccomp\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    allowedProfiles:\n      - runtime/default\n      - docker/default\n    exemptImages:\n      - \"gcr.io/k8s-prow/entrypoint:*\"\n      - \"gcr.io/k8s-prow/initupload:*\"\n      - \"gcr.io/k8s-prow/clonerefs:*\"\n      - \"gcr.io/k8s-prow/sidecar:*\"\n      - \"aquasec/trivy:*\"\n      - \"eu.gcr.io/kyma-project/prow/cleaner:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/buildpack-golang:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/golangci-lint:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/kyma-integration:*\"\n      - \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:*\"\n      - \"gcr.io/k8s-prow/generic-autobumper:*\"\n      - \"gcr.io/k8s-prow/ghproxy:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/e2e-gcloud:*\""]: Creation complete after 5s [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spspseccomps/psp-seccomp]
module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner: Modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on Prow cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: pjtester-kubeconfig\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - pjtester-kubeconfig\n      - pjtester-github-oauth-token\n    trustedImages:\n      # pull-test-infra-pjtester\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/pjtester:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\\\/pjtester\",\"--github-token-path=\\/etc\\/github\\/oauth\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Creation complete after 5s [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/pjtester-kubeconfig]
module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          
- /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"]: Creation complete after 5s [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/sa-kyma-push-images]
kubectl_manifest.automated_approver["/apis/apps/v1/namespaces/default/deployments/automated-approver"]: Modifications complete after 8s [id=/apis/apps/v1/namespaces/default/deployments/automated-approver]
module.cors_proxy.google_cloud_run_service.cors_proxy: Still modifying... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy, 10s elapsed]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Still modifying... [id=locations/europe-west1/namespaces/sap-k...prow/services/security-dashboard-token, 10s elapsed]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Modifications complete after 11s [id=locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token]
module.cors_proxy.google_cloud_run_service.cors_proxy: Modifications complete after 11s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy]
module.github_webhook_gateway.google_cloud_run_service.github_webhook_gateway: Modifications complete after 9s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-webhook-gateway]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder: Modifications complete after 9s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder]
module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover: Modifications complete after 9s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner: Modifications complete after 9s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator: Modifications complete after 10s [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator]

Error: Error updating Repository "projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror": googleapi: Error 400: Invalid value at 'repository.cleanup_policies[0].value.condition.older_than' (type.googleapis.com/google.protobuf.Duration), Field 'olderThan', Illegal duration format; duration must end with 's'
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value at 'repository.cleanup_policies[0].value.condition.older_than' (type.googleapis.com/google.protobuf.Duration), Field 'olderThan', Illegal duration format; duration must end with 's'",
        "field": "repository.cleanup_policies[0].value.condition.older_than"
      }
    ]
  }
]

  with google_artifact_registry_repository.dockerhub_mirror,
  on image-builder.tf line 91, in resource "google_artifact_registry_repository" "dockerhub_mirror":
  91: resource "google_artifact_registry_repository" "dockerhub_mirror" {

`

@dekiel dekiel removed their assignment Oct 7, 2024
@Sawthis Sawthis assigned akiioto and unassigned Sawthis Oct 7, 2024
KacperMalachowski pushed a commit to KacperMalachowski/test-infra that referenced this pull request Nov 6, 2024
* cleanup of ko

* Bump image
Labels
cla: yes Indicates the PR's author has signed the CLA. destroy lgtm Looks good to me! size/L Denotes a PR that changes 100-499 lines, ignoring generated files.