more capz tweaks

aks-lts · Sep 6, 2024 · 0c33d3f · 0c33d3f
1 parent 437114f
commit 0c33d3f
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 4 deletions.
diff --git a/.github/workflows/deploy-lts-prow.yaml b/.github/workflows/deploy-lts-prow.yaml
@@ -120,13 +120,19 @@ jobs:
           echo "::add-mask::$CAPZ_CI_REGISTRY"
           echo "CAPZ_CI_REGISTRY=$CAPZ_CI_REGISTRY" >> "$GITHUB_ENV"
           echo "AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}" >> "$GITHUB_ENV"
+          ehco "::add-mask::${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}"
+          echo "CAPZ_GMSA_KV=${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}" >> "$GITHUB_ENV"
 
       - name: 'Create job configs'
         run: |
           envsubst < config/prow/release-branch-jobs/base.yaml > cm.yaml
           envsubst < config/prow/release-branch-jobs/1.27.yaml >> cm.yaml
           kubectl create configmap config -n prow --from-file=config.yaml=cm.yaml -o yaml --dry-run=client | kubectl apply -f -
           rm cm.yaml
+        env:
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          CAPZ_RG: ${{ secrets.CAPZ_RG }}
+          CAPZ_GMSA_KV: ${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}
 
       - name: 'Apply Prowjob CRD'
         run: for f in config/prow/k8s/prowjob/*.yaml; do kubectl apply --server-side=true -f $f; done

diff --git a/config/capz/capz.bicep b/config/capz/capz.bicep
@@ -140,4 +140,5 @@ resource capzsa 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 }
 
 output capzci_registry_name string = capzci_registry.name
+output capz_gmsa_kv_name string = gmsa_kv.name
 output capzsastorage_name string = capzsa.name
diff --git a/config/prow/k8s/test-pods/capz.yaml b/config/prow/k8s/test-pods/capz.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: capz-clusteradmin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: azure
+  namespace: test-pods
diff --git a/config/prow/release-branch-jobs/base.yaml b/config/prow/release-branch-jobs/base.yaml
@@ -44,16 +44,18 @@ plank:
         github_api_endpoints:
           - http://ghproxy
           - https://api.github.com
-        github_app_id: "$GITHUB_APP_ID"
-        github_app_private_key_secret:
-          name: github-token
-          key: cert
+        # disable for now
+        # github_app_id: "$GITHUB_APP_ID"
+        # github_app_private_key_secret:
+        #  name: github-token
+        #  key: cert
         s3_credentials_secret: s3-credentials
         utility_images:
           clonerefs: us-docker.pkg.dev/k8s-infra-prow/images/clonerefs:$K8S_PROW_IMAGE_TAG
           entrypoint: us-docker.pkg.dev/k8s-infra-prow/images/entrypoint:$K8S_PROW_IMAGE_TAG
           initupload: us-docker.pkg.dev/k8s-infra-prow/images/initupload:$K8S_PROW_IMAGE_TAG
           sidecar: us-docker.pkg.dev/k8s-infra-prow/images/sidecar:$K8S_PROW_IMAGE_TAG
+        blobless_fetch: true
 
 presets:
 # docker-in-docker (with images/bootstrap) preset
@@ -146,8 +148,12 @@ presets:
     value: "$CAPZ_SA"
   - name: REGISTRY
     value: $CAPZ_CI_REGISTRY
+  - name: GMSA_KEYVAULT
+    value: $CAPZ_GMSA_KV
   - name: USE_LOCAL_KIND_REGISTRY
     value: "false"
+  - name: CI_RG
+    value: $CAPZ_RG
   volumes:
   - name: azure-token
     projected: