apiVersion: apps/v1 kind: Deployment metadata: name: deck-blueprints namespace: default labels: app: deck-blueprints spec: replicas: 2 selector: matchLabels: app: deck-blueprints strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 1 template: metadata: labels: app: deck-blueprints spec: serviceAccountName: deck-blueprints terminationGracePeriodSeconds: 30 containers: - name: deck-blueprints image: us-central1-docker.pkg.dev/gob-prow/prow-images/deck:v20250423-91b28ca9b args: - --config-path=/etc/config/config.yaml - --hook-url=http://hook:8888/plugin-help - --tide-url=http://tide/ - --job-config-path=/etc/job-config - --redirect-http-to=prow.infra.cft.dev - --spyglass=true - --tenant-id=blueprints - --rerun-creates-job - --oauth-url=/github-login - --github-token-path=/etc/github/oauth - --github-oauth-config-file=/etc/githuboauth/secret - --github-endpoint=http://ghproxy - --github-endpoint=https://api.github.com - --cookie-secret=/etc/cookie/secret - --plugin-config=/etc/plugins/plugins.yaml env: # Use KUBECONFIG envvar rather than --kubeconfig flag in order to provide multiple configs to merge. - name: KUBECONFIG value: "/etc/kubeconfig/config-20240403:/etc/build-openshift-eng/kubeconfig:/etc/build-cloud-kubernetes-node-management-team/kubeconfig:/etc/build-kpt-config-sync/kubeconfig:/etc/build-compute-image-import/kubeconfig:/etc/build-blueprints/kubeconfig:/etc/build-elcarro/kubeconfig:/etc/build-kubeflow/kubeconfig:/etc/gke-gcloud-auth-plugin-based/kubeconfigs.yaml" ports: - name: http containerPort: 8080 - name: metrics containerPort: 9090 volumeMounts: - mountPath: /etc/build-openshift-eng name: build-openshift-eng readOnly: true - mountPath: /etc/build-cloud-kubernetes-node-management-team name: build-cloud-kubernetes-node-management-team readOnly: true - mountPath: /etc/build-kpt-config-sync name: build-kpt-config-sync readOnly: true - mountPath: /etc/build-compute-image-import name: build-compute-image-import readOnly: true - mountPath: /etc/build-blueprints name: build-blueprints readOnly: true - mountPath: /etc/build-elcarro name: build-elcarro readOnly: true - name: oauth-config mountPath: /etc/githuboauth readOnly: true - name: cookie-secret mountPath: /etc/cookie readOnly: true - name: oauth-token mountPath: /etc/github readOnly: true - name: config mountPath: /etc/config readOnly: true - name: job-config mountPath: /etc/job-config readOnly: true - name: plugins mountPath: /etc/plugins readOnly: true - mountPath: /etc/kubeconfig name: kubeconfig readOnly: true - name: build-kubeflow mountPath: /etc/build-kubeflow readOnly: true - mountPath: /etc/gke-gcloud-auth-plugin-based name: kubeconfigs readOnly: true livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /healthz/ready port: 8081 initialDelaySeconds: 10 periodSeconds: 3 timeoutSeconds: 600 - name: oauth2-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1 ports: - containerPort: 4180 protocol: TCP args: - --provider=github - --github-org=GoogleCloudPlatform - --github-team=blueprint-solutions,blueprint-solutions-contrib - --http-address=0.0.0.0:4180 - --upstream=http://localhost:8080 - --cookie-domain=prow.infra.cft.dev - --cookie-name=prow-infra-cft-dev-oauth2-proxy - --cookie-samesite=none - --cookie-expire=23h - --email-domain=* livenessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 3 periodSeconds: 3 readinessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 3 periodSeconds: 3 env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: name: blueprints-github-oauth key: clientID - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: name: blueprints-github-oauth key: clientSecret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: name: blueprints-github-oauth key: cookieSecret volumes: - name: build-openshift-eng secret: defaultMode: 420 secretName: kubeconfig-build-openshift-eng - name: build-cloud-kubernetes-node-management-team secret: defaultMode: 420 secretName: kubeconfig-build-cloud-kubernetes-node-management-team - name: build-kpt-config-sync secret: defaultMode: 420 secretName: kubeconfig-build-kpt-config-sync - name: build-compute-image-import secret: defaultMode: 420 secretName: kubeconfig-build-compute-image-import - name: build-blueprints secret: defaultMode: 420 secretName: kubeconfig-build-blueprints - name: build-elcarro secret: defaultMode: 420 secretName: kubeconfig-build-elcarro - name: oauth-config secret: secretName: blueprints-github-oauth-config - name: oauth-token secret: secretName: oauth-token-2 - name: cookie-secret secret: secretName: cookie - name: config configMap: name: config - name: job-config configMap: name: job-config - name: plugins configMap: name: plugins - name: kubeconfig secret: defaultMode: 420 secretName: kubeconfig - name: build-kubeflow secret: defaultMode: 420 secretName: kubeconfig-build-kubeflow - name: kubeconfigs configMap: name: kubeconfigs --- apiVersion: v1 kind: Service metadata: name: deck-blueprints namespace: default spec: selector: app: deck-blueprints ports: - port: 80 targetPort: 4180 type: NodePort --- kind: ServiceAccount apiVersion: v1 metadata: namespace: default name: deck-blueprints annotations: "iam.gke.io/gcp-service-account": "oss-prow-blueprints-deck@oss-prow.iam.gserviceaccount.com" --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: deck-blueprints rules: - apiGroups: - prow.k8s.io resources: - prowjobs verbs: - get - list - watch - create --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: deck-blueprints rules: - apiGroups: - "" resources: - pods/log verbs: - get --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: deck-blueprints roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: deck-blueprints subjects: - kind: ServiceAccount name: deck-blueprints namespace: default --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: test-pods name: deck-blueprints roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: deck-blueprints subjects: - kind: ServiceAccount name: deck-blueprints namespace: default