apiVersion: apps/v1 kind: Deployment metadata: name: deck namespace: default labels: app: deck spec: replicas: 2 selector: matchLabels: app: deck strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 template: metadata: labels: app: deck spec: serviceAccountName: deck-public terminationGracePeriodSeconds: 30 containers: - name: deck image: us-central1-docker.pkg.dev/gob-prow/prow-images/deck:v20250423-91b28ca9b args: - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - --spyglass=true - --tide-url=http://tide/ - --hook-url=http://hook:8888/plugin-help - --redirect-http-to=oss.gprow.dev - --rerun-creates-job - --oauth-url=/github-login - --github-token-path=/etc/github/oauth - --github-oauth-config-file=/etc/githuboauth/secret - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --cookie-secret=/etc/cookie/secret - --plugin-config=/etc/plugins/plugins.yaml env: # Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge. - name: KUBECONFIG value: "/etc/kubeconfig/config-20240403:/etc/build-openshift-eng/kubeconfig:/etc/build-cloud-kubernetes-node-management-team/kubeconfig:/etc/build-kpt-config-sync/kubeconfig:/etc/build-compute-image-import/kubeconfig:/etc/build-blueprints/kubeconfig:/etc/build-elcarro/kubeconfig:/etc/gke-gcloud-auth-plugin-based/kubeconfigs.yaml" ports: - name: http containerPort: 8080 - name: metrics containerPort: 9090 volumeMounts: - mountPath: /etc/build-openshift-eng name: build-openshift-eng readOnly: true - mountPath: /etc/build-cloud-kubernetes-node-management-team name: build-cloud-kubernetes-node-management-team readOnly: true - mountPath: /etc/build-kpt-config-sync name: build-kpt-config-sync readOnly: true - mountPath: /etc/build-compute-image-import name: build-compute-image-import readOnly: true - mountPath: /etc/build-blueprints name: build-blueprints readOnly: true - mountPath: /etc/build-elcarro name: build-elcarro readOnly: true - name: oauth-config mountPath: /etc/githuboauth readOnly: true - name: cookie-secret mountPath: /etc/cookie readOnly: true - name: oauth-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true - name: job-config mountPath: /etc/job-config readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true - mountPath: /etc/kubeconfig name: kubeconfig readOnly: true - mountPath: /etc/gke-gcloud-auth-plugin-based name: kubeconfigs readOnly: true livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /healthz/ready port: 8081 initialDelaySeconds: 10 periodSeconds: 3 timeoutSeconds: 600 volumes: - name: build-openshift-eng secret: defaultMode: 420 secretName: kubeconfig-build-openshift-eng - name: build-cloud-kubernetes-node-management-team secret: defaultMode: 420 secretName: kubeconfig-build-cloud-kubernetes-node-management-team - name: build-kpt-config-sync secret: defaultMode: 420 secretName: kubeconfig-build-kpt-config-sync - name: build-compute-image-import secret: defaultMode: 420 secretName: kubeconfig-build-compute-image-import - name: build-blueprints secret: defaultMode: 420 secretName: kubeconfig-build-blueprints - name: build-elcarro secret: defaultMode: 420 secretName: kubeconfig-build-elcarro - name: oauth-config secret: secretName: github-oauth-config-oss-gprow-dev - name: oauth-token secret: secretName: oauth-token-2 - name: cookie-secret secret: secretName: cookie - name: config configMap: name: config - name: job-config configMap: name: job-config - name: plugins configMap: name: plugins - name: kubeconfig secret: defaultMode: 420 secretName: kubeconfig - name: kubeconfigs configMap: name: kubeconfigs --- apiVersion: v1 kind: Service metadata: labels: app: deck name: deck namespace: default spec: selector: app: deck ports: - name: main port: 80 targetPort: 8080 - name: metrics port: 9090 type: NodePort --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deck namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: "deck" subjects: - kind: ServiceAccount name: "deck-public" namespace: "default" - kind: ServiceAccount name: "deck" namespace: "test-pods" --- apiVersion: v1 kind: ServiceAccount metadata: name: deck-public namespace: default annotations: "iam.gke.io/gcp-service-account": "oss-prow-public-deck@oss-prow.iam.gserviceaccount.com" --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deck # namespace: not-namespaced, must get pods in other namespaces rules: - apiGroups: - "" resources: - pods/log verbs: - get - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - get - list - watch # Required when deck runs with `--rerun-creates-job=true` - create --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deck-oauth # namespace: not-namespaced, are we sure? rules: - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: deck-oauth namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: "deck-oauth" subjects: - kind: ServiceAccount name: "deck" namespace: ci