update external secrets

rajaskakodkar · Apr 7, 2022 · f8ade6b · f8ade6b
1 parent 3853db6
commit f8ade6b
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 99 deletions.
diff --git a/config/prow/boskos/patch-aws-account/job.yaml b/config/prow/boskos/patch-aws-account/job.yaml
@@ -35,11 +35,11 @@ spec:
         - name: ACCESS_KEY_ID
           valueFrom:
             secretKeyRef:
-              name: aws-access-key-id
-              key: aws-access-key-id
+              name: tanzu-prow-bot
+              key: AWS_ACCESS_KEY_ID
         - name: ACCESS_KEY_SECRET
           valueFrom:
             secretKeyRef:
-              name: aws-access-key-secret
-              key: aws-access-key-secret
+              name: tanzu-prow-bot
+              key: AWS_SECRET_ACCESS_KEY
       restartPolicy: Never
diff --git a/config/prow/config.yaml b/config/prow/config.yaml
@@ -158,64 +158,27 @@ presets:
       hostPath:
         path: /sys/fs/cgroup
         type: Directory
-# AWS ECR registry creds
-- labels:
-    preset-registry-credentials: "true"
-  env:
-  - name: REGISTRY_ENABLED
-    value: "true"
-  - name: REGISTRY_USERNAME
-    value: /etc/registry-username/username
-  - name: REGISTRY_PASSWORD
-    value: /etc/registry-password/password
-  volumes:
-  - name: registry-username
-    secret:
-      defaultMode: 0400
-      secretName: registry-username
-  - name: registry-password
-    secret:
-      defaultMode: 0400
-      secretName: registry-password
-  volumeMounts:
-  - name: registry-username
-    mountPath: /etc/registry-username
-    readOnly: true
-  - name: registry-password
-    mountPath: /etc/registry-password
-    readOnly: true
 # AWS credentials
 - labels:
     preset-aws-credentials: "true"
   env:
   - name: AWS_ACCESS_KEY_ID
-    value: /etc/aws-access-key-id/aws-access-key-id
+    valueFrom:
+      secretKeyRef:
+        name: tanzu-prow-bot
+        key: AWS_ACCESS_KEY_ID
   - name: AWS_SECRET_ACCESS_KEY
-    value: /etc/aws-access-key-secret/aws-access-key-secret
-  - name: AWS_B64ENCODED_CREDENTIAL
     valueFrom:
       secretKeyRef:
-        name: aws-b64encoded-credential
-        key: aws-b64encoded-credential
+        name: tanzu-prow-bot
+        key: AWS_SECRET_ACCESS_KEY
   - name: AWS_SSH_KEY_NAME
     valueFrom:
       secretKeyRef:
-        name: aws-ssh-key-name
-        key: aws-ssh-key-name
-  volumes:
-  - name: aws-access-key-id
-    secret:
-      defaultMode: 0400
-      secretName: aws-access-key-id
-  - name: aws-access-key-secret
-    secret:
-      defaultMode: 0400
-      secretName: aws-access-key-secret
-  volumeMounts:
-  - name: aws-access-key-id
-    mountPath: /etc/aws-access-key-id
-    readOnly: true
-  - name: aws-access-key-secret
-    mountPath: /etc/aws-access-key-secret
-    readOnly: true
-
+        name: tanzu-prow-bot
+        key: AWS_SSH_KEY_NAME
+  - name: AWS_REGION
+    valueFrom:
+      secretKeyRef:
+        name: tanzu-prow-bot
+        key: AWS_REGION
diff --git a/config/prow/external-secrets.yaml b/config/prow/external-secrets.yaml
@@ -1,78 +1,115 @@
-apiVersion: "kubernetes-client.io/v1"
+# contains AWS credentials for the tanzu-prow-bot user
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: registry-username
+  name: tanzu-prow-bot
   namespace: test-pods
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
-  data:
-    - key: registry/username
-      name: username
+  # optional: specify role to assume when retrieving the data
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  # optional: specify region
+  region: us-east-1
+  dataFrom:
+    - tanzu/tanzu-prow-bot
+
 ---
-apiVersion: "kubernetes-client.io/v1"
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: registry-password
-  namespace: test-pods
+  name: github-token
+  namespace: prow
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
   data:
-    - key: registry/password
-      name: password
+    - key: tanzu/prow-service-cluster
+      name: github-token
+    - key: tanzu/prow-service-cluster
+      name: appid
+
 ---
-apiVersion: "kubernetes-client.io/v1"
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: aws-access-key-id
-  namespace: test-pods
+  name: hmac-token
+  namespace: prow
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
   data:
-    - key: aws-access-key-id
-      name: aws-access-key-id
+    - key: tanzu/prow-service-cluster
+      name: hmac-token
+
 ---
-apiVersion: "kubernetes-client.io/v1"
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: aws-access-key-secret
-  namespace: test-pods
+  name: github-oauth-config
+  namespace: prow
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
-  data:
-    - key: aws-access-key-secret
-      name: aws-access-key-secret
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
+  dataFrom:
+    - tanzu/github-oauth-config
+
 ---
-apiVersion: "kubernetes-client.io/v1"
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: aws-b64encoded-credential
-  namespace: test-pods
+  name: cookie
+  namespace: prow
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
-  data:
-    - key: aws-b64encoded-credential
-      name: aws-b64encoded-credential
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
+  dataFrom:
+    - tanzu/cookie
+
+---
+
+# gcs-credentials secret is required in both prow as well as test-pods namespace
+# refer: https://github.com/kubernetes/test-infra/blob/master/prow/getting_started_deploy.md#configure-a-gcs-bucket
+
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: gcs-credentials
+  namespace: prow
+spec:
+  backendType: secretsManager
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
+  dataFrom:
+    - tanzu/prow-service-account
+
 ---
-apiVersion: "kubernetes-client.io/v1"
+
+apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
-  name: aws-ssh-key-name
+  name: gcs-credentials
   namespace: test-pods
 spec:
   backendType: secretsManager
-  region: us-east-2
-  roleArn: arn:aws:iam::609817409085:role/prow-ecr
-  data:
-    - key: aws-ssh-key-name
-      name: aws-ssh-key-name
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
+  dataFrom:
+    - tanzu/prow-service-account
 
+
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: testgrid-gcs-credentials
+  namespace: test-pods
+spec:
+  backendType: secretsManager
+  roleArn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
+  region: us-east-1
+  dataFrom:
+    - tanzu/testgrid-service-account
diff --git a/config/prow/kubernetes-external-secrets_sa.yaml b/config/prow/kubernetes-external-secrets_sa.yaml
@@ -3,7 +3,7 @@ kind: ServiceAccount
 metadata:
   annotations:
     eks.amazonaws.com/audience: sts.amazonaws.com
-    eks.amazonaws.com/role-arn: arn:aws:iam::609817409085:role/prow-ecr
+    eks.amazonaws.com/role-arn: arn:aws:iam::605126514283:role/tanzu-prow-secret-manager-role
     eks.amazonaws.com/sts-regional-endpoints: "true"
   name: kubernetes-external-secrets-sa
   namespace: default