# Copyright 2016 The Kubernetes Authors All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: apps/v1 kind: Deployment metadata: namespace: default name: deck labels: app: deck spec: replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 selector: matchLabels: app: deck template: metadata: labels: app: deck spec: serviceAccountName: deck terminationGracePeriodSeconds: 30 containers: - name: deck image: us-docker.pkg.dev/k8s-infra-prow/images/deck:v20250927-87810a762 imagePullPolicy: Always ports: - name: http containerPort: 8080 - name: metrics containerPort: 9090 args: - --tide-url=http://tide/ - --hook-url=http://hook:8888/plugin-help - --redirect-http-to=prow.k8s.io - --oauth-url=/github-login - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - --spyglass=true - --rerun-creates-job - --github-token-path=/etc/github/oauth - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --github-oauth-config-file=/etc/githuboauth/secret - --cookie-secret=/etc/cookie/secret - --plugin-config=/etc/plugins/plugins.yaml env: # Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge. - name: KUBECONFIG value: "/etc/kubeconfig-k8s-infra-prow/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build/kubeconfig:/etc/kubeconfig-k8s-infra-prow-build-trusted/kubeconfig:/etc/kubeconfig-k8s-infra-aks-prow-build/kubeconfig:/etc/kubeconfig-eks-prow-build-cluster/kubeconfig:/etc/kubeconfig-k8s-infra-kops-prow-build/kubeconfig:/etc/k8s-infra-ppc64le-prow-build-kubeconfig/kubeconfig:/etc/k8s-infra-s390x-prow-build-kubeconfig/kubeconfig" # AWS_ variables needed to assume role to access the prow-build-cluster EKS cluster. - name: AWS_ROLE_ARN value: arn:aws:iam::468814281478:role/Prow-EKS-Admin - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/aws-iam-token/serviceaccount/token - name: AWS_REGION value: us-east-2 # Azure variables needed to authenticate to AKS clusters with Azure AD Integration - name: AZURE_CLIENT_ID # AZURE_CLIENT_ID is being overloaded with Azure Workload ID value: "cabf5f22-ec7e-4e84-9e35-c02e57ca555d" - name: AZURE_SUBSCRIPTION_ID value: "0e46bd28-a80f-4d3a-8200-d9eb8d80cb2e" - name: AZURE_TENANT_ID value: "097f89a0-9286-43d2-9a1a-08f1d49b1af8" - name: AZURE_FEDERATED_TOKEN_FILE value: "/var/run/secrets/azure-token/serviceaccount/token" volumeMounts: - name: oauth-config mountPath: /etc/githuboauth readOnly: true - name: cookie-secret mountPath: /etc/cookie readOnly: true - mountPath: /etc/kubeconfig-k8s-infra-prow name: kubeconfig-k8s-infra-prow readOnly: true - mountPath: /etc/kubeconfig-k8s-infra-prow-build name: kubeconfig-k8s-infra-prow-build readOnly: true - mountPath: /etc/kubeconfig-k8s-infra-prow-build-trusted name: kubeconfig-k8s-infra-prow-build-trusted readOnly: true - mountPath: /etc/kubeconfig-k8s-infra-aks-prow-build name: kubeconfig-k8s-infra-aks-prow-build readOnly: true - mountPath: /etc/kubeconfig-eks-prow-build-cluster name: kubeconfig-eks-prow-build-cluster readOnly: true - mountPath: /etc/kubeconfig-k8s-infra-kops-prow-build name: kubeconfig-k8s-infra-kops-prow-build readOnly: true - mountPath: /etc/k8s-infra-ppc64le-prow-build-kubeconfig name: kubeconfig-k8s-infra-ppc64le-prow-build readOnly: true - mountPath: /etc/k8s-infra-s390x-prow-build-kubeconfig name: kubeconfig-k8s-infra-s390x-prow-build readOnly: true - name: config mountPath: /etc/config readOnly: true - name: job-config mountPath: /etc/job-config readOnly: true - name: oauth-token mountPath: /etc/github readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true # AWS IAM token needed to assume role to access the prow-build-cluster EKS cluster. - name: aws-iam-token mountPath: /var/run/secrets/aws-iam-token/serviceaccount readOnly: true # Azure Token needed for workload identity - name: azure-token mountPath: "/var/run/secrets/azure-token/serviceaccount" readOnly: true livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /healthz/ready port: 8081 initialDelaySeconds: 10 periodSeconds: 3 timeoutSeconds: 600 volumes: - name: oauth-config secret: secretName: github-oauth-config - name: oauth-token secret: secretName: oauth-token - name: cookie-secret secret: secretName: cookie - name: kubeconfig-k8s-infra-prow secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-prow - name: kubeconfig-k8s-infra-prow-build secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-prow-build - name: kubeconfig-k8s-infra-prow-build-trusted secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-prow-build-trusted - name: kubeconfig-k8s-infra-aks-prow-build secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-aks-prow-build - name: kubeconfig-eks-prow-build-cluster secret: defaultMode: 420 secretName: kubeconfig-eks-prow-build-cluster - name: kubeconfig-k8s-infra-kops-prow-build secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-kops-prow-build - name: kubeconfig-k8s-infra-ppc64le-prow-build secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-ppc64le-prow-build - name: kubeconfig-k8s-infra-s390x-prow-build secret: defaultMode: 420 secretName: kubeconfig-k8s-infra-s390x-prow-build - name: config configMap: name: config - name: job-config configMap: name: job-config - name: plugins configMap: name: plugins # AWS IAM token needed to assume role to access the prow-build-cluster EKS cluster. - name: aws-iam-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: sts.amazonaws.com expirationSeconds: 86400 path: token # Azure Token needed for workload identity - name: azure-token projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 86400 path: token audience: api://AzureADTokenExchange --- apiVersion: v1 kind: Service metadata: labels: app: deck namespace: default name: deck spec: selector: app: deck ports: - name: main port: 80 targetPort: 8080 protocol: TCP - name: metrics port: 9090 protocol: TCP --- apiVersion: v1 kind: ServiceAccount metadata: namespace: default annotations: iam.gke.io/gcp-service-account: prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com name: deck --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: deck rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - get - list - watch # Required when deck runs with `--rerun-creates-job=true` - create # Required to abort jobs - patch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deck roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: deck subjects: - kind: ServiceAccount name: deck