apiVersion: apps/v1 kind: Deployment metadata: name: sub namespace: default labels: app: sub spec: replicas: 2 selector: matchLabels: app: sub strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: app: sub spec: terminationGracePeriodSeconds: 120 serviceAccountName: sub containers: - name: sub image: us-central1-docker.pkg.dev/gob-prow/prow-images/sub:v20250423-91b28ca9b args: - --config-path=/etc/config/config.yaml - --job-config-path=/etc/job-config - --grace-period=110s - --github-app-id=$(GITHUB_APP_ID) - --github-app-private-key-path=/etc/github/cert - --dry-run=false env: - name: GITHUB_APP_ID valueFrom: secretKeyRef: name: ghapp-token key: appid ports: - name: http containerPort: 80 - name: metrics containerPort: 9090 volumeMounts: - name: config mountPath: /etc/config readOnly: true - name: job-config mountPath: /etc/job-config readOnly: true - name: ghapp-token mountPath: /etc/github readOnly: true resources: # The node has 7.91CPU in total, set requests and limits, # so that only 2 sub pods are on the same node, and they # don't use more than that requests: cpu: 3 limits: cpu: 3 volumes: - name: config configMap: name: config - name: job-config configMap: name: job-config - name: ghapp-token secret: secretName: ghapp-token --- apiVersion: v1 kind: ServiceAccount metadata: name: sub namespace: default annotations: iam.gke.io/gcp-service-account: prow-pubsub@oss-prow.iam.gserviceaccount.com --- apiVersion: v1 kind: Service metadata: name: sub namespace: default spec: selector: app: sub ports: - port: 80 targetPort: 80 type: NodePort --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "sub" rules: - apiGroups: - "prow.k8s.io" resources: - prowjobs verbs: - create - get - list - update --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "sub" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: "sub" subjects: - kind: ServiceAccount name: "sub"