prow/oss/cluster/prow-controller-manager.yaml (218 lines of code) (raw):

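---
# Deployment for prow-controller-manager, started with only the "plank"
# controller enabled (see args). The pod mounts one kubeconfig per build
# cluster, so it is a high-value credential holder: whoever can exec into it
# or read its mounted secrets can reach every cluster listed in KUBECONFIG.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: prow-controller-manager
  labels:
    app: prow-controller-manager
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: prow-controller-manager
  template:
    metadata:
      labels:
        app: prow-controller-manager
    spec:
      serviceAccountName: prow-controller-manager
      containers:
        # NOTE(review): no securityContext is set for this container in this
        # manifest. Consider runAsNonRoot: true, allowPrivilegeEscalation:
        # false and capabilities.drop: ["ALL"] once the image is confirmed to
        # work with them. No resource requests/limits or probes are set either.
        - name: prow-controller-manager
          # NOTE(review): the image is referenced by tag only. Tags are
          # mutable; appending an immutable digest
          # (...:v20250423-91b28ca9b@sha256:<DIGEST-PLACEHOLDER>) would
          # guarantee the deployed bits match what was reviewed.
          image: us-central1-docker.pkg.dev/gob-prow/prow-images/prow-controller-manager:v20250423-91b28ca9b
          args:
            - --config-path=/etc/config/config.yaml
            # Dry-run is explicitly disabled.
            - --dry-run=false
            - --enable-controller=plank
            - --job-config-path=/etc/job-config
          env:
            # Use KUBECONFIG envvar rather than --kubeconfig flag in order to
            # append multiple configs. Every path below is backed by a volume
            # mounted further down; keep the two lists in sync when a build
            # cluster is added or retired so no stale credential stays mounted.
            - name: KUBECONFIG
              value: '/etc/kubeconfig/config-20240403:/etc/build-openshift-eng/kubeconfig:/etc/build-cloud-kubernetes-node-management-team/kubeconfig:/etc/build-kpt-config-sync/kubeconfig:/etc/build-compute-image-import/kubeconfig:/etc/build-blueprints/kubeconfig:/etc/build-elcarro/kubeconfig:/etc/gke-gcloud-auth-plugin-based/kubeconfigs.yaml'
          ports:
            - name: metrics
              containerPort: 9090
          # All mounts are read-only: the process can read credentials and
          # config but cannot modify them in place.
          volumeMounts:
            - name: build-openshift-eng
              mountPath: /etc/build-openshift-eng
              readOnly: true
            - name: build-cloud-kubernetes-node-management-team
              mountPath: /etc/build-cloud-kubernetes-node-management-team
              readOnly: true
            - name: build-kpt-config-sync
              mountPath: /etc/build-kpt-config-sync
              readOnly: true
            - name: build-compute-image-import
              mountPath: /etc/build-compute-image-import
              readOnly: true
            - name: build-blueprints
              mountPath: /etc/build-blueprints
              readOnly: true
            - name: build-elcarro
              mountPath: /etc/build-elcarro
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: job-config
              mountPath: /etc/job-config
              readOnly: true
            - name: kubeconfig
              mountPath: /etc/kubeconfig
              readOnly: true
            - name: kubeconfigs
              mountPath: /etc/gke-gcloud-auth-plugin-based
              readOnly: true
      # defaultMode 420 is decimal for octal 0644: the projected secret files
      # are readable by every UID inside the container.
      # NOTE(review): a tighter mode (e.g. 256 == 0400) is possible only if
      # the container UID / fsGroup is arranged to still read the files;
      # confirm before changing.
      volumes:
        - name: build-openshift-eng
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-openshift-eng
        - name: build-cloud-kubernetes-node-management-team
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-cloud-kubernetes-node-management-team
        - name: build-kpt-config-sync
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-kpt-config-sync
        - name: build-compute-image-import
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-compute-image-import
        - name: build-blueprints
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-blueprints
        - name: build-elcarro
          secret:
            defaultMode: 420
            secretName: kubeconfig-build-elcarro
        - name: config
          configMap:
            name: config
        - name: job-config
          configMap:
            name: job-config
        - name: kubeconfig
          secret:
            defaultMode: 420
            secretName: kubeconfig
        # This one is a ConfigMap, not a Secret: it must not contain tokens or
        # keys. Presumably it only references the gke-gcloud-auth-plugin exec
        # credential flow -- verify against the ConfigMap contents.
        - name: kubeconfigs
          configMap:
            name: kubeconfigs
---
# Kubernetes ServiceAccount the Deployment runs as. The annotation maps it to
# a GCP service account via GKE Workload Identity, so pods using this
# ServiceAccount can act as that GCP identity (subject to the IAM binding on
# the GCP side, which is not part of this file).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: prow-controller-manager
  annotations:
    'iam.gke.io/gcp-service-account': 'oss-prow@oss-prow.iam.gserviceaccount.com'
---
# Permissions in the "default" namespace: leader election plus ProwJob
# reconciliation. get/update are pinned to the single leader-lock object by
# resourceNames; "create" sits in separate rules because RBAC cannot restrict
# create requests by resource name.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: prow-controller-manager
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - prow-controller-manager-leader-lock
    verbs:
      - get
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - prow-controller-manager-leader-lock
    verbs:
      - get
      - update
  # Unrestricted create on configmaps and events in this namespace (needed
  # because create cannot be name-scoped).
  - apiGroups:
      - ""
    resources:
      - configmaps
      - events
    verbs:
      - create
  - apiGroups:
      - prow.k8s.io
    resources:
      - prowjobs
    # "update" was listed twice in the original rule; the duplicate is
    # dropped. The effective permission set is unchanged.
    verbs:
      - get
      - update
      - list
      - watch
      - patch
---
# Permissions in the "test-pods" namespace: full lifecycle control of pods.
# Being able to create pods in a namespace implicitly gives access to
# whatever those pods can mount or run as there (secrets, configmaps, service
# accounts), so the contents of test-pods should be limited to what job pods
# are allowed to use.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - delete
      - list
      - watch
      - get
      - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
  - kind: ServiceAccount
    name: prow-controller-manager
    # Made explicit for parity with the test-pods binding. The original
    # omitted it, in which case a namespaced RoleBinding resolves the
    # ServiceAccount in its own namespace ("default"), so the grant is the
    # same.
    namespace: default
---
# Cross-namespace grant: the ServiceAccount lives in "default" but is bound
# to the pod-management Role in "test-pods", hence the explicit subject
# namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods
  name: prow-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prow-controller-manager
subjects:
  - kind: ServiceAccount
    name: prow-controller-manager
    namespace: default
---
# Exposes the metrics port inside the cluster. No "type" is set, so this is a
# ClusterIP Service.
# NOTE(review): no NetworkPolicy is visible in this file; whether access to
# port 9090 is restricted to the metrics scraper cannot be told from here.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: prow-controller-manager
  namespace: default
  name: prow-controller-manager
spec:
  ports:
    - name: metrics
      port: 9090
  selector:
    app: prow-controller-manager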