prow/oss/cluster/hook.yaml (222 lines of code) (raw):

---
# Prow "hook" component: Deployment, Service, ServiceAccount and the
# namespaced RBAC it runs with. Every object lives in the `default` namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hook
  namespace: default
  labels:
    app: hook
spec:
  replicas: 6
  selector:
    matchLabels:
      app: hook
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: hook
    spec:
      serviceAccountName: hook
      terminationGracePeriodSeconds: 180
      # NOTE(review): no securityContext is set at pod or container level, so
      # the container runs with the image/runtime defaults (user, capabilities,
      # privilege escalation, root filesystem). Confirm that is intended.
      containers:
        - name: hook
          # The image is referenced by tag, not by digest. With
          # imagePullPolicy Always the tag is resolved again on each pod start.
          image: us-central1-docker.pkg.dev/gob-prow/prow-images/hook:v20250423-91b28ca9b
          imagePullPolicy: Always
          args:
            - --webhook-path=/ghapp-hook
            - --config-path=/etc/config/config.yaml
            - --job-config-path=/etc/job-config
            - --dry-run=false
            # Two GitHub endpoints are passed: the in-cluster `ghproxy` name
            # over plain HTTP, then the public API over HTTPS.
            # NOTE(review): presumably the second is a fallback; confirm that
            # cleartext traffic to ghproxy is acceptable for this cluster.
            - --github-endpoint=http://ghproxy
            - --github-endpoint=https://api.github.com
            # $(GITHUB_APP_ID) is expanded by Kubernetes from the env entry
            # below, which reads key `appid` of the `ghapp-token` Secret.
            - --github-app-id=$(GITHUB_APP_ID)
            # /etc/github is the mount point of the `ghapp-token` Secret.
            - --github-app-private-key-path=/etc/github/cert
          env:
            # Use KUBECONFIG envvar rather than --kubeconfig flag in order to
            # provide multiple configs to merge. Every path below sits under
            # one of the volumeMounts of this container.
            - name: KUBECONFIG
              value: '/etc/kubeconfig/config-20240403:/etc/build-openshift-eng/kubeconfig:/etc/build-cloud-kubernetes-node-management-team/kubeconfig:/etc/build-kpt-config-sync/kubeconfig:/etc/build-compute-image-import/kubeconfig:/etc/build-blueprints/kubeconfig:/etc/build-elcarro/kubeconfig:/etc/build-kubeflow/kubeconfig:/etc/gke-gcloud-auth-plugin-based/kubeconfigs.yaml'
            - name: GITHUB_APP_ID
              valueFrom:
                secretKeyRef:
                  name: ghapp-token
                  key: appid
          ports:
            - name: http
              containerPort: 8888
            - name: metrics
              containerPort: 9090
          # All mounts are read-only. The build-* and kubeconfig volumes are
          # Secrets; config, job-config, plugins and kubeconfigs are ConfigMaps.
          volumeMounts:
            - name: build-openshift-eng
              mountPath: /etc/build-openshift-eng
              readOnly: true
            - name: build-cloud-kubernetes-node-management-team
              mountPath: /etc/build-cloud-kubernetes-node-management-team
              readOnly: true
            - name: build-kpt-config-sync
              mountPath: /etc/build-kpt-config-sync
              readOnly: true
            - name: build-compute-image-import
              mountPath: /etc/build-compute-image-import
              readOnly: true
            - name: build-blueprints
              mountPath: /etc/build-blueprints
              readOnly: true
            - name: build-elcarro
              mountPath: /etc/build-elcarro
              readOnly: true
            # Webhook HMAC secret. No flag in args points at it, so hook
            # presumably reads its default path under /etc/webhook; verify.
            - name: hmac
              mountPath: /etc/webhook
              readOnly: true
            - name: ghapp-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: job-config
              mountPath: /etc/job-config
              readOnly: true
            - name: plugins
              mountPath: /etc/plugins
              readOnly: true
            - name: kubeconfig
              mountPath: /etc/kubeconfig
              readOnly: true
            - name: build-kubeflow
              mountPath: /etc/build-kubeflow
              readOnly: true
            - name: kubeconfigs
              mountPath: /etc/gke-gcloud-auth-plugin-based
              readOnly: true
          # Only requests are declared; there are no limits.
          resources:
            requests:
              # peak usage sampled by most recent usages of hook
              memory: '4Gi'
              cpu: '2'
          # Both probes target port 8081, which is not among the declared
          # containerPorts above.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 3
            periodSeconds: 3
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 8081
            initialDelaySeconds: 10
            periodSeconds: 3
            # NOTE(review): the timeout is far longer than the 3s period;
            # confirm this is deliberate.
            timeoutSeconds: 600
      volumes:
        # defaultMode 420 is decimal for octal 0644: the kubeconfig files are
        # readable by every user inside the container.
        # NOTE(review): a tighter mode may be possible, depending on which
        # user the image runs as; verify before changing.
        - name: build-openshift-eng
          secret:
            secretName: kubeconfig-build-openshift-eng
            defaultMode: 420
        - name: build-cloud-kubernetes-node-management-team
          secret:
            secretName: kubeconfig-build-cloud-kubernetes-node-management-team
            defaultMode: 420
        - name: build-kpt-config-sync
          secret:
            secretName: kubeconfig-build-kpt-config-sync
            defaultMode: 420
        - name: build-compute-image-import
          secret:
            secretName: kubeconfig-build-compute-image-import
            defaultMode: 420
        - name: build-blueprints
          secret:
            secretName: kubeconfig-build-blueprints
            defaultMode: 420
        - name: build-elcarro
          secret:
            secretName: kubeconfig-build-elcarro
            defaultMode: 420
        - name: hmac
          secret:
            secretName: ghapp-hmac-token
        - name: ghapp-token
          secret:
            secretName: ghapp-token
        - name: config
          configMap:
            name: config
        - name: job-config
          configMap:
            name: job-config
        - name: plugins
          configMap:
            name: plugins
        - name: kubeconfig
          secret:
            secretName: kubeconfig
            defaultMode: 420
        - name: build-kubeflow
          secret:
            secretName: kubeconfig-build-kubeflow
            defaultMode: 420
        # This kubeconfig source is a ConfigMap, not a Secret.
        # NOTE(review): presumably it embeds no static credentials; verify.
        - name: kubeconfigs
          configMap:
            name: kubeconfigs
---
# Service in front of the hook pods.
# NOTE(review): type NodePort opens both the webhook port and the metrics port
# on every node; confirm that whatever fronts the nodes limits who can reach
# the metrics port.
apiVersion: v1
kind: Service
metadata:
  name: hook
  namespace: default
  labels:
    app: hook
spec:
  type: NodePort
  selector:
    app: hook
  ports:
    - name: main
      port: 8888
    - name: metrics
      port: 9090
---
# Identity the hook pods run as (serviceAccountName in the Deployment).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hook
  namespace: default
---
# Namespaced permissions for hook: ProwJob create/get/list/update and
# ConfigMap create/get/update.
# NOTE(review): the ConfigMap rule has no resourceNames, so it covers every
# ConfigMap in `default`, including the config, job-config and plugins
# ConfigMaps that the Deployment mounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hook
  namespace: default
rules:
  - apiGroups: [prow.k8s.io]
    resources: [prowjobs]
    verbs: [create, get, list, update]
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [create, get, update]
---
# Grants the Role above to the hook ServiceAccount.
# The subject gives no namespace; for a namespaced RoleBinding it resolves to
# the binding's own namespace (`default`).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hook
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: hook
subjects:
  - kind: ServiceAccount
    name: hook