From 0c33d3fcd6809ccc981c7891adfa6ac3b8d6847f Mon Sep 17 00:00:00 2001
From: Haitao Chen
Date: Fri, 6 Sep 2024 13:34:17 -0700
Subject: [PATCH] more capz tweaks
---
 .github/workflows/deploy-lts-prow.yaml | 6 ++++++
 config/capz/capz.bicep | 1 +
 config/prow/k8s/test-pods/capz.yaml | 12 ++++++++++++
 config/prow/release-branch-jobs/base.yaml | 14 ++++++++++----
 4 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 config/prow/k8s/test-pods/capz.yaml
diff --git a/.github/workflows/deploy-lts-prow.yaml b/.github/workflows/deploy-lts-prow.yaml
index 95b7a53..9d56780 100644
--- a/.github/workflows/deploy-lts-prow.yaml
+++ b/.github/workflows/deploy-lts-prow.yaml
@@ -120,6 +120,8 @@ jobs:
 echo "::add-mask::$CAPZ_CI_REGISTRY"
 echo "CAPZ_CI_REGISTRY=$CAPZ_CI_REGISTRY" >> "$GITHUB_ENV"
 echo "AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}" >> "$GITHUB_ENV"
+ ehco "::add-mask::${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}"
+ echo "CAPZ_GMSA_KV=${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}" >> "$GITHUB_ENV"
 - name: 'Create job configs'
 run: |
@@ -127,6 +129,10 @@ jobs:
 envsubst < config/prow/release-branch-jobs/1.27.yaml >> cm.yaml
 kubectl create configmap config -n prow --from-file=config.yaml=cm.yaml -o yaml --dry-run=client | kubectl apply -f -
 rm cm.yaml
+ env:
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ CAPZ_RG: ${{ secrets.CAPZ_RG }}
+ CAPZ_GMSA_KV: ${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}
 - name: 'Apply Prowjob CRD'
 run: for f in config/prow/k8s/prowjob/*.yaml; do kubectl apply --server-side=true -f $f; done
diff --git a/config/capz/capz.bicep b/config/capz/capz.bicep
index 3c10100..ee4af52 100644
--- a/config/capz/capz.bicep
+++ b/config/capz/capz.bicep
@@ -140,4 +140,5 @@ resource capzsa 'Microsoft.Storage/storageAccounts@2022-05-01' = {
 }
 output capzci_registry_name string = capzci_registry.name
+output capz_gmsa_kv_name string = gmsa_kv.name
 output capzsastorage_name string = capzsa.name
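Review bot: `ehco` on the first added line is a typo for `echo`; with the default `bash -e` shell for `run:` steps the step aborts with "command not found" before the second added line executes, and in a shell without `-e` the Key Vault name would simply never be masked. The line should read `echo "::add-mask::${{ steps.capzbicep.outputs.capz_gmsa_kv_name }}"`. As a smaller point, expanding `${{ }}` directly into the script is the pattern already used in this step, but the next hunk shows the same value can be passed through `env:`, which keeps the output out of shell interpretation; the `run:` block this hunk belongs to starts above the hunk.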
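Review bot: The three `env:` entries feed `envsubst`, which substitutes an empty string for any variable that is unset, so a missing `CAPZ_RG` secret or an empty `capz_gmsa_kv_name` output would render a ConfigMap with blank `CI_RG`/`GMSA_KEYVAULT` values instead of failing the job. A guard at the top of the run script such as `: "${CAPZ_RG:?missing}" "${CAPZ_GMSA_KV:?missing}"` makes that failure explicit; the `run: |` block starts above the hunk. `AZURE_SUBSCRIPTION_ID` also appears to be exported to `$GITHUB_ENV` by the earlier step in the previous hunk, so listing it again here is harmless but redundant.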
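Review bot: The new output references `gmsa_kv`, which is declared outside this hunk, and the workflow now depends on this output name, so the contract deserves a short description. Assuming `gmsa_kv` is the Key Vault resource used for gMSA, a decorator such as `@description('Name of the gMSA Key Vault; consumed by deploy-lts-prow.yaml as capz_gmsa_kv_name')` above the output would make that cross-file coupling discoverable from the template alone.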
diff --git a/config/prow/k8s/test-pods/capz.yaml b/config/prow/k8s/test-pods/capz.yaml
new file mode 100644
index 0000000..6101993
--- /dev/null
+++ b/config/prow/k8s/test-pods/capz.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: capz-clusteradmin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: azure
+ namespace: test-pods
\ No newline at end of file
diff --git a/config/prow/release-branch-jobs/base.yaml b/config/prow/release-branch-jobs/base.yaml
index 0b0d7c6..c90d3be 100644
--- a/config/prow/release-branch-jobs/base.yaml
+++ b/config/prow/release-branch-jobs/base.yaml
@@ -44,16 +44,18 @@ plank:
 github_api_endpoints:
 - http://ghproxy
 - https://api.github.com
- github_app_id: "$GITHUB_APP_ID"
- github_app_private_key_secret:
- name: github-token
- key: cert
+ # disable for now
+ # github_app_id: "$GITHUB_APP_ID"
+ # github_app_private_key_secret:
+ # name: github-token
+ # key: cert
 s3_credentials_secret: s3-credentials
 utility_images:
 clonerefs: us-docker.pkg.dev/k8s-infra-prow/images/clonerefs:$K8S_PROW_IMAGE_TAG
 entrypoint: us-docker.pkg.dev/k8s-infra-prow/images/entrypoint:$K8S_PROW_IMAGE_TAG
 initupload: us-docker.pkg.dev/k8s-infra-prow/images/initupload:$K8S_PROW_IMAGE_TAG
 sidecar: us-docker.pkg.dev/k8s-infra-prow/images/sidecar:$K8S_PROW_IMAGE_TAG
+ blobless_fetch: true
 presets:
 # docker-in-docker (with images/bootstrap) preset
@@ -146,8 +148,12 @@ presets:
 value: "$CAPZ_SA"
 - name: REGISTRY
 value: $CAPZ_CI_REGISTRY
+ - name: GMSA_KEYVAULT
+ value: $CAPZ_GMSA_KV
 - name: USE_LOCAL_KIND_REGISTRY
 value: "false"
+ - name: CI_RG
+ value: $CAPZ_RG
 volumes:
 - name: azure-token
 projected:
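Review bot: This binds the built-in `cluster-admin` ClusterRole to the `azure` ServiceAccount in `test-pods`, which appears to be the namespace where Prow job pods run, so every pod using that account gets unrestricted control of the whole cluster, including reading Secrets in other namespaces. If the CAPZ jobs only need Azure access through the projected `azure-token` volume referenced in base.yaml, they may need no Kubernetes RBAC at all; otherwise a dedicated ClusterRole listing the exact resources and verbs, or a namespaced RoleBinding, keeps the blast radius inside `test-pods`. As a minor point, the file ends without a trailing newline.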
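Review bot: `# disable for now` records neither why the GitHub App credentials are being turned off nor what restores them, and commenting the block out rather than deleting it means `envsubst` still expands `$GITHUB_APP_ID` inside the comment of the rendered ConfigMap. A comment such as `# github_app_* disabled: <reason>; re-enable when <condition> (tracked in <issue placeholder>)` would make the intent recoverable, and if app auth is not coming back soon the four lines could be deleted instead. It is also worth confirming that clonerefs still authenticates via `github_api_endpoints` without the app credentials, since this hunk is the only place they are configured in the visible diff.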
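Review bot: The two added `value:` scalars are unquoted while the neighbouring `value: "$CAPZ_SA"` and `value: "false"` in the same preset are quoted; after `envsubst` an empty `$CAPZ_RG` or `$CAPZ_GMSA_KV` leaves a bare `value:` that YAML reads as null, and a name that happens to look numeric or boolean would be retyped, neither of which is a valid string for a Kubernetes EnvVar. Quoting them — `value: "$CAPZ_GMSA_KV"` and `value: "$CAPZ_RG"` — keeps the value a string in every case; the pre-existing `value: $CAPZ_CI_REGISTRY` has the same exposure.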