
Removed pull-eventing-manager-unit-test #8634

Merged
merged 2 commits into from
Aug 10, 2023

Conversation

mfaizanse (Member) commented Aug 10, 2023

Description

Changes proposed in this pull request:

Related issue(s)

@kyma-bot kyma-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 10, 2023
kyma-bot (Contributor)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot kyma-bot added needs-kind needs-area size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 10, 2023
@mfaizanse mfaizanse marked this pull request as ready for review August 10, 2023 13:16
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 10, 2023
@mfaizanse mfaizanse requested a review from muralov August 10, 2023 13:16
github-actions bot commented Aug 10, 2023

Plan Result

CI link

Plan: 0 to add, 1 to change, 0 to destroy.
  • Update
    • module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry
Change Result
  # module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry will be updated in-place
  ~ resource "google_artifact_registry_repository" "artifact_registry" {
        id            = "projects/sap-kyma-prow/locations/europe/repositories/modules-internal"
        name          = "modules-internal"
        # (9 unchanged attributes hidden)

      + docker_config {
          + immutable_tags = false
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@mfaizanse mfaizanse added the area/eventing Issues or PRs related to eventing label Aug 10, 2023
@mfaizanse mfaizanse added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. needs-area labels Aug 10, 2023
@kyma-bot kyma-bot added the lgtm Looks good to me! label Aug 10, 2023
@kyma-bot kyma-bot merged commit eee76d4 into kyma-project:main Aug 10, 2023
3 checks passed
kyma-bot (Contributor)

@mfaizanse: Updated the job-config configmap in namespace default at cluster default using the following files:

  • key eventing-manager-generic.yaml using file prow/jobs/eventing-manager/eventing-manager-generic.yaml

In response to this:

Description

Changes proposed in this pull request:

Related issue(s)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mfaizanse mfaizanse deleted the remove_em_ut branch August 10, 2023 14:01
kyma-bot (Contributor)

✅ Apply Result

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Details
google_container_cluster.trusted_workload: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
google_service_account.sa_gke_kyma_integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
google_dns_managed_zone.build_kyma: Refreshing state... [id=projects/sap-kyma-prow/managedZones/build-kyma]
data.google_container_cluster.prow_k8s_cluster: Reading...
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Reading...
data.google_container_cluster.untrusted_workload_k8s_cluster: Reading...
data.google_container_cluster.trusted_workload_k8s_cluster: Reading...
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Reading...
module.github_webhook_gateway.data.google_project.project: Reading...
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret]
data.google_client_config.gcp: Reading...
data.google_client_config.gcp: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
module.artifact_registry["modules-internal"].data.google_client_config.this: Reading...
module.artifact_registry["modules-internal"].data.google_client_config.this: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
module.github_webhook_gateway.google_pubsub_topic.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/common-slack-bot-token]
module.github_webhook_gateway.data.google_iam_policy.noauth: Reading...
module.slack_message_sender.google_monitoring_alert_policy.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/17360148176148949136]
module.github_webhook_gateway.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.github_webhook_gateway.google_service_account.github_webhook_gateway: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.prow_k8s_cluster: Read complete after 0s [id=projects/sap-kyma-prow/locations/europe-west3-a/clusters/prow]
module.slack_message_sender.google_service_account.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform_executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal]
data.google_container_cluster.untrusted_workload_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/untrusted-workload-kyma-prow]
data.google_container_cluster.trusted_workload_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.artifact_registry["modules-internal"].google_artifact_registry_repository_iam_member.member_service_account[0]: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal/roles/artifactregistry.writer/serviceAccount:kyma-submission-pipeline@kyma-project.iam.gserviceaccount.com]
module.prow_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.artifact_registry["modules-internal"].google_artifact_registry_repository_iam_member.reader_service_accounts["klm-controller-manager@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com"]: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal/roles/artifactregistry.reader/serviceAccount:klm-controller-manager@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com]
module.artifact_registry["modules-internal"].google_artifact_registry_repository_iam_member.reader_service_accounts["klm-controller-manager@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com"]: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal/roles/artifactregistry.reader/serviceAccount:klm-controller-manager@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com]
module.artifact_registry["modules-internal"].google_artifact_registry_repository_iam_member.reader_service_accounts["klm-controller-manager@sap-ti-dx-kyma-mps-dev.iam.gserviceaccount.com"]: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal/roles/artifactregistry.reader/serviceAccount:klm-controller-manager@sap-ti-dx-kyma-mps-dev.iam.gserviceaccount.com]
module.prow_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/prow/**.yaml"]: Reading...
module.prow_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.prow_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/prow/**.yaml"]: Read complete after 0s [id=855a9e69c8456439c97de0f50933e09215da23ba88f3d11f61e9195746970b7a]
module.prow_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=927f68fe2b1bee2bed9ddde896cce2ee56bbf0312119b6937b57278b94152090]
module.prow_gatekeeper.data.kubectl_file_documents.gatekeeper: Read complete after 0s [id=dd3443633a39325c8656d232ea51eb8515040007156fb9e6433fddd5276456b6]
google_service_account_iam_binding.terraform_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
module.github_webhook_gateway.google_secret_manager_secret_iam_member.webhook_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret/roles/secretmanager.secretAccessor/serviceAccount:github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/untrusted/**.yaml"]: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/untrusted/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.github_webhook_gateway.google_secret_manager_secret_iam_member.gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_executor_prow_project_owner: Refreshing state... [id=sap-kyma-prow/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Read complete after 0s [id=5aca06f29213e735c97e6ccf341ffc2a6d2bcd6be80e510934f9ab2124551c1f]
google_project_iam_binding.dns_collector_container_analysis_occurrences_viewer: Refreshing state... [id=sap-kyma-prow/roles/containeranalysis.occurrences.viewer]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=927f68fe2b1bee2bed9ddde896cce2ee56bbf0312119b6937b57278b94152090]
module.slack_message_sender.google_secret_manager_secret_iam_member.slack_msg_sender_common_slack_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/common-slack-bot-token/roles/secretmanager.secretAccessor/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.untrusted_workload_gatekeeper.data.kubectl_file_documents.gatekeeper: Read complete after 0s [id=dd3443633a39325c8656d232ea51eb8515040007156fb9e6433fddd5276456b6]
google_project_iam_binding.dns_collector_bucket_get: Refreshing state... [id=sap-kyma-prow/projects/sap-kyma-prow/roles/BucketGet]
google_project_iam_binding.dns_collector_dns_reader: Refreshing state... [id=sap-kyma-prow/roles/dns.reader]
google_project_iam_member.terraform_executor_workloads_project_owner: Refreshing state... [id=sap-kyma-prow-workloads/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_project_iam_member.project_run_invoker: Refreshing state... [id=sap-kyma-prow/roles/run.invoker/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.data.google_iam_policy.run_invoker: Reading...
module.slack_message_sender.data.google_iam_policy.run_invoker: Read complete after 0s [id=1526577908]
kubernetes_cluster_role.access_signify_secrets_untrusted_workloads: Refreshing state... [id=access-signify-secrets]
kubernetes_service_account.untrusted_workload_terraform_executor: Refreshing state... [id=default/terraform-executor]
kubernetes_cluster_role.access_kyma_bot_github_tokens_untrusted_workloads: Refreshing state... [id=access-kyma-bot-github-tokens]
module.prow_gatekeeper.kubectl_manifest.constraint_templates["apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n  name: k8spspapparmor\n  annotations:\n    metadata.gatekeeper.sh/title: \"App Armor\"\n    metadata.gatekeeper.sh/version: 1.0.0\n    description: >-\n      Configures an allow-list of AppArmor profiles for use by containers.\n      This corresponds to specific annotations applied to a PodSecurityPolicy.\n      For information on AppArmor, see\n      https://kubernetes.io/docs/tutorials/clusters/apparmor/\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sPSPAppArmor\n      validation:\n        # Schema for the `parameters` field\n        openAPIV3Schema:\n          type: object\n          description: >-\n            Configures an allow-list of AppArmor profiles for use by containers.\n            This corresponds to specific annotations applied to a PodSecurityPolicy.\n            For information on AppArmor, see\n            https://kubernetes.io/docs/tutorials/clusters/apparmor/\n          properties:\n            exemptImages:\n              description: >-\n                Any container that uses an image that matches an entry in this list will be excluded\n                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.\n\n                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)\n                in order to avoid unexpectedly exempting images from an untrusted repository.\n              type: array\n              items:\n                type: string\n            allowedProfiles:\n              description: \"An array of AppArmor profiles. Examples: `runtime/default`, `unconfined`.\"\n              type: array\n              items:\n                type: string\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8spspapparmor\n\n        import data.lib.exempt_container.is_exempt\n\n        violation[{\"msg\": msg, \"details\": {}}] {\n            metadata := input.review.object.metadata\n            container := input_containers[_]\n            not is_exempt(container)\n            not input_apparmor_allowed(container, metadata)\n            msg := sprintf(\"AppArmor profile is not allowed, pod: %v, container: %v. Allowed profiles: %v\", [input.review.object.metadata.name, container.name, input.parameters.allowedProfiles])\n        }\n\n        input_apparmor_allowed(container, metadata) {\n            get_annotation_for(container, metadata) == input.parameters.allowedProfiles[_]\n        }\n\n        input_containers[c] {\n            c := input.review.object.spec.containers[_]\n        }\n        input_containers[c] {\n            c := input.review.object.spec.initContainers[_]\n        }\n        input_containers[c] {\n            c := input.review.object.spec.ephemeralContainers[_]\n        }\n\n        get_annotation_for(container, metadata) = out {\n            out = metadata.annotations[sprintf(\"container.apparmor.security.beta.kubernetes.io/%v\", [container.name])]\n        }\n        get_annotation_for(container, metadata) = out {\n            not metadata.annotations[sprintf(\"container.apparmor.security.beta.kubernetes.io/%v\", [container.name])]\n            out = \"runtime/default\"\n        }\n      libs:\n        - |\n          package lib.exempt_container\n\n          is_exempt(container) {\n              exempt_images := object.get(object.get(input, \"parameters\", {}), \"exemptImages\", [])\n              img := container.image\n              exemption := exempt_images[_]\n              _matches_exemption(img, exemption)\n          }\n\n          _matches_exemption(img, exemption) {\n              not endswith(exemption, \"*\")\n              exemption == img\n          }\n\n          _matches_exemption(img, exemption) {\n              endswith(exemption, \"*\")\n              prefix := trim_suffix(exemption, \"*\")\n              startswith(img, prefix)\n          }"]: Refreshing state... [id=/apis/templates.gatekeeper.sh/v1/constrainttemplates/k8spspapparmor]
module.github_webhook_gateway.data.google_project.project: Read complete after 2s [id=projects/sap-kyma-prow]
module.prow_gatekeeper.kubectl_manifest.constraint_templates["apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n  name: k8spsphostnetworkingports\n  annotations:\n    metadata.gatekeeper.sh/title: \"Host Networking Ports\"\n    metadata.gatekeeper.sh/version: 1.0.0\n    description: >-\n      Controls usage of host network namespace by pod containers. Specific\n      ports must be specified. Corresponds to the `hostNetwork` and\n      `hostPorts` fields in a PodSecurityPolicy. For more information, see\n      https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sPSPHostNetworkingPorts\n      validation:\n        # Schema for the `parameters` field\n        openAPIV3Schema:\n          type: object\n          description: >-\n            Controls usage of host network namespace by pod containers. Specific\n            ports must be specified. Corresponds to the `hostNetwork` and\n            `hostPorts` fields in a PodSecurityPolicy. For more information, see\n            https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces\n          properties:\n            exemptImages:\n              description: >-\n                Any container that uses an image that matches an entry in this list will be excluded\n                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.\n\n                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)\n                in order to avoid unexpectedly exempting images from an untrusted repository.\n              type: array\n              items:\n                type: string\n            hostNetwork:\n              description: \"Determines if the policy allows the use of HostNetwork in the pod spec.\"\n              type: boolean\n            min:\n              description: \"The start of the allowed port range, inclusive.\"\n              type: integer\n            max:\n              description: \"The end of the allowed port range, inclusive.\"\n              type: integer\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8spsphostnetworkingports\n\n        import data.lib.exempt_container.is_exempt\n\n        violation[{\"msg\": msg, \"details\": {}}] {\n            input_share_hostnetwork(input.review.object)\n            msg := sprintf(\"The specified hostNetwork and hostPort are not allowed, pod: %v. Allowed values: %v\", [input.review.object.metadata.name, input.parameters])\n        }\n\n        input_share_hostnetwork(o) {\n            not input.parameters.hostNetwork\n            o.spec.hostNetwork\n        }\n\n        input_share_hostnetwork(o) {\n            hostPort := input_containers[_].ports[_].hostPort\n            hostPort < input.parameters.min\n        }\n\n        input_share_hostnetwork(o) {\n            hostPort := input_containers[_].ports[_].hostPort\n            hostPort > input.parameters.max\n        }\n\n        input_containers[c] {\n            c := input.review.object.spec.containers[_]\n            not is_exempt(c)\n        }\n\n        input_containers[c] {\n            c := input.review.object.spec.initContainers[_]\n            not is_exempt(c)\n        }\n\n        input_containers[c] {\n            c := input.review.object.spec.ephemeralContainers[_]\n            not is_exempt(c)\n        }\n      libs:\n        - |\n          package lib.exempt_container\n\n          is_exempt(container) {\n              exempt_images := object.get(object.get(input, \"parameters\", {}), \"exemptImages\", [])\n              img := container.image\n              exemption := exempt_images[_]\n              _matches_exemption(img, exemption)\n          }\n\n          _matches_exemption(img, exemption) {\n              not endswith(exemption, \"*\")\n              exemption == img\n          }\n\n          _matches_exemption(img, exemption) {\n              endswith(exemption, \"*\")\n              prefix := trim_suffix(exemption, \"*\")\n              startswith(img, prefix)\n          }"]: Refreshing state... [id=/apis/templates.gatekeeper.sh/v1/constrainttemplates/k8spsphostnetworkingports]
module.prow_gatekeeper.kubectl_manifest.constraint_templates["# k8sallowedimages constraint template validates that a pod is not using an image that is not allowed.\n# It prevents the use of images with the :latest tag.\n# The k8sallowedimages accepts one parameter:\n# - images: a list of allowed image URLs. Each image URL must be a prefix of the image URL used in the Pod spec.\napiVersion: templates.gatekeeper.sh/v1beta1\nkind: ConstraintTemplate\nmetadata:\n  name: k8sallowedimages\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sAllowedImages\n      validation:\n        openAPIV3Schema:\n          properties:\n            images:\n              type: array\n              items:\n                type: string\n                description: A list of allowed image URLs. Each image URL must be a prefix of the image URL used in the Pod spec.\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8sallowedimages\n        # Check containers are not using latest tag.\n        violation[{\"msg\": msg}] {\n          container := input.r

# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...

bels-override=kind\\/chore,area\\/prow\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-autobump-jobs\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=prow\\/autobump-config\\/test-infra-autobump-config\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # Prowjob name: ci-prow-label-sync\n      - image: \"gcr.io/k8s-prow/label_sync:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"label_sync\",\"--config=\\/etc\\/config\\/labels\\.yaml\",\"--confirm=true\",\"--orgs=kyma-project,kyma-incubator\",\"--token=\\/etc\\/github\\/token\",\"--endpoint=http:\\/\\/ghproxy\",\"--endpoint=https:\\/\\/api\\.github\\.com\",\"--debug\"\\],\"container_name\":\"test\",.*}$'\n      # ci-dockerhub-autobump\n      - image: \"gcr.io/k8s-prow/generic-autobumper:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"generic-autobumper\",\"--config=prow\\/autobump-config\\/dockerhub-autobump\\.yaml\",\"--labels-override=skip-review,area\\/ci,kind\\/chore\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/kyma-autobump-bot-github-token]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPAllowPrivilegeEscalationContainer\nmetadata:\n  name: psp-allow-privilege-escalation-container\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    exemptImages:\n      - gcr.io/k8s-prow/entrypoint:*\n      - gcr.io/k8s-prow/initupload:*\n      - gcr.io/k8s-prow/clonerefs:*\n      - gcr.io/k8s-prow/sidecar:*\n      - \"aquasec/trivy:*\"\n      - \"eu.gcr.io/kyma-project/prow/cleaner:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/buildpack-golang:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/gardener-rotate:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/golangci-lint:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/kyma-integration:*\"\n      - \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:*\"\n      - \"gcr.io/k8s-prow/generic-autobumper:*\"\n      - \"gcr.io/k8s-prow/ghproxy:*\""]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spspallowprivilegeescalationcontainers/psp-allow-privilege-escalation-container]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on tekton cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: pjtester-kubeconfig\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n  parameters:\n    restrictedSecrets:\n      - pjtester-kubeconfig\n      - pjtester-github-oauth-token\n    trustedImages:\n      # pull-test-infra-pjtester\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/test-infra/ko/pjtester:*\"\n        command:\n          - /tools/entrypoint\n        args: []\n        entrypoint_options: '^{.*\"args\":\\[\"\\/ko-app\\/pjtester\",\"--github-token-path=\\/etc\\/github\\/oauth\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: []\n        args: []"]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/pjtester-kubeconfig]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPPrivilegedContainer\nmetadata:\n  name: psp-privileged-container\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    exemptImages:\n      - gcr.io/k8s-prow/entrypoint:*\n      - gcr.io/k8s-prow/initupload:*\n      - gcr.io/k8s-prow/clonerefs:*\n      - gcr.io/k8s-prow/sidecar:*\n      - \"aquasec/trivy:*\"\n      - \"eu.gcr.io/kyma-project/prow/cleaner:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/bootstrap:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/buildpack-golang:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/gardener-rotate:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/golangci-lint:*\"\n      - \"eu.gcr.io/kyma-project/test-infra/kyma-integration:*\"\n      - \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-nodejs:*\"\n      - \"europe-docker.pkg.dev/kyma-project/prod/test-infra/prow-tools:*\"\n      - \"gcr.io/k8s-prow/generic-autobumper:*\"\n      - \"gcr.io/k8s-prow/ghproxy:*\""]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spspprivilegedcontainers/psp-privileged-container]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPAppArmor\nmetadata:\n  name: psp-apparmor\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    allowedProfiles:\n      - runtime/default\n    exemptImages:\n      - eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*"]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spspapparmors/psp-apparmor]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPHostNamespace\nmetadata:\n  name: psp-host-namespace\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\""]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spsphostnamespaces/psp-host-namespace]
module.trusted_workload_gatekeeper.kubectl_manifest.constraints["apiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPHostFilesystem\nmetadata:\n  name: psp-host-filesystem\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    allowedHostPaths:\n      - pathPrefix: \"/lib/modules\"\n      - pathPrefix: \"/sys/fs/cgroup\""]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/k8spsphostfilesystems/psp-host-filesystem]
module.secrets_leaks_log_scanner.google_service_account.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.data.google_storage_bucket.kyma_prow_logs: Reading...
module.secrets_leaks_log_scanner.google_service_account.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_service_account.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_service_account.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-log-scanner@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.data.google_project.project: Reading...
module.secrets_leaks_log_scanner.google_storage_bucket.kyma_prow_logs_secured: Refreshing state... [id=kyma-prow-logs-secured]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/4186084580898851963]
module.secrets_leaks_log_scanner.google_service_account.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/7170185124964513561]
module.secrets_leaks_log_scanner.data.google_storage_bucket.kyma_prow_logs: Read complete after 0s [id=kyma-prow-logs]
module.secrets_leaks_log_scanner.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/14829426496191956253]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/4186084580898851199]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_object_admin: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_secured_object_admin: Refreshing state... [id=b/kyma-prow-logs-secured/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_viewer: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
module.secrets_leaks_log_scanner.google_secret_manager_secret_iam_member.gh_issue_creator_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_secret_manager_secret_iam_member.gh_issue_finder_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner]
module.secrets_leaks_log_scanner.data.google_iam_policy.run_invoker: Reading...
module.secrets_leaks_log_scanner.data.google_iam_policy.run_invoker: Read complete after 0s [id=735823064]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.secrets_leak_detector: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.secrets_leak_log_scanner: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/secrets-leak-log-scanner]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.gcs_bucket_mover: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.github_issue_creator: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-creator]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder]
module.secrets_leaks_log_scanner.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
module.secrets_leaks_log_scanner.google_project_iam_member.project_workflows_invoker: Refreshing state... [id=projects/sap-kyma-prow/roles/workflows.invoker/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_project_iam_member.project_log_writer: Refreshing state... [id=projects/sap-kyma-prow/roles/logging.logWriter/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.github_issue_finder: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-finder]
module.secrets_leaks_log_scanner.google_workflows_workflow.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/workflows/secrets-leak-detector]
module.secrets_leaks_log_scanner.google_eventarc_trigger.secrets_leak_detector_workflow: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/triggers/secrets-leak-detector]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry will be updated in-place
  ~ resource "google_artifact_registry_repository" "artifact_registry" {
        id            = "projects/sap-kyma-prow/locations/europe/repositories/modules-internal"
        name          = "modules-internal"
        # (9 unchanged attributes hidden)

      + docker_config {
          + immutable_tags = false
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Changes to Outputs:
  ~ artifact_registry = {
      ~ modules-internal = {
          ~ artifact_registry_collection = {
                id                        = "projects/sap-kyma-prow/locations/europe/repositories/modules-internal"
                name                      = "modules-internal"
              ~ update_time               = "2023-08-10T12:58:31.725263Z" -> "2023-08-10T13:10:24.482474Z"
                # (14 unchanged elements hidden)
            }
        }
    }
module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry: Modifying... [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal]
module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry: Modifications complete after 0s [id=projects/sap-kyma-prow/locations/europe/repositories/modules-internal]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

artifact_registry = {
  "modules-internal" = {
    "artifact_registry_collection" = {
      "create_time" = "2023-08-10T08:42:35.562245Z"
      "description" = "modules-internal repository"
      "docker_config" = tolist([
        {
          "immutable_tags" = false
        },
      ])
      "format" = "DOCKER"
      "id" = "projects/sap-kyma-prow/locations/europe/repositories/modules-internal"
      "kms_key_name" = ""
      "labels" = tomap({
        "name" = "modules-internal"
        "owner" = "neighbors"
        "type" = "production"
      })
      "location" = "europe"
      "maven_config" = tolist([])
      "mode" = "STANDARD_REPOSITORY"
      "name" = "modules-internal"
      "project" = "sap-kyma-prow"
      "remote_repository_config" = tolist([])
      "repository_id" = "modules-internal"
      "timeouts" = null /* object */
      "update_time" = "2023-08-10T13:10:24.482474Z"
      "virtual_repository_config" = tolist([])
    }
  }
}
terraform_executor_gcp_prow_project_iam_member = {
  "condition" = tolist([])
  "etag" = "BwYCfDnqE7E="
  "id" = "sap-kyma-prow/roles/owner/serviceAccount:[email protected]"
  "member" = "serviceAccount:[email protected]"
  "project" = "sap-kyma-prow"
  "role" = "roles/owner"
}
terraform_executor_gcp_service_account = {
  "account_id" = "terraform-executor"
  "description" = "Identity of terraform executor. It's mapped to k8s service account through workload identity."
  "disabled" = false
  "display_name" = "terraform-executor"
  "email" = "[email protected]"
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "member" = "serviceAccount:[email protected]"
  "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "project" = "sap-kyma-prow"
  "timeouts" = null /* object */
  "unique_id" = "109665069699011807029"
}
terraform_executor_gcp_workload_identity = {
  "condition" = tolist([])
  "etag" = "BwYBZe0VFi0="
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
  "members" = toset([
    "principal://iam.googleapis.com/projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/subject/repository_id:147495537:repository_owner_id:39153523:workflow:Pull Plan Prod Terraform",
    "serviceAccount:sap-kyma-prow.svc.id.goog[default/terraform-executor]",
  ])
  "role" = "roles/iam.workloadIdentityUser"
  "service_account_id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
}
terraform_executor_gcp_workloads_project_iam_member = {
  "condition" = tolist([])
  "etag" = "BwYATedyR9s="
  "id" = "sap-kyma-prow-workloads/roles/owner/serviceAccount:[email protected]"
  "member" = "serviceAccount:[email protected]"
  "project" = "sap-kyma-prow-workloads"
  "role" = "roles/owner"
}
trusted_workload_gatekeeper = <sensitive>
trusted_workload_terraform_executor_k8s_service_account = {
  "automount_service_account_token" = true
  "default_secret_name" = ""
  "id" = "default/terraform-executor"
  "image_pull_secret" = toset([])
  "metadata" = tolist([
    {
      "annotations" = tomap({
        "iam.gke.io/gcp-service-account" = "[email protected]"
      })
      "generate_name" = ""
      "generation" = 0
      "labels" = tomap({})
      "name" = "terraform-executor"
      "namespace" = "default"
      "resource_version" = "12339023"
      "uid" = "48c37f5c-7367-43f3-a0d9-b82778b47a6e"
    },
  ])
  "secret" = toset([])
  "timeouts" = null /* object */
}
untrusted_workload_gatekeeper = <sensitive>
untrusted_workload_terraform_executor_k8s_service_account = {
  "automount_service_account_token" = true
  "default_secret_name" = ""
  "id" = "default/terraform-executor"
  "image_pull_secret" = toset([])
  "metadata" = tolist([
    {
      "annotations" = tomap({
        "iam.gke.io/gcp-service-account" = "[email protected]"
      })
      "generate_name" = ""
      "generation" = 0
      "labels" = tomap({})
      "name" = "terraform-executor"
      "namespace" = "default"
      "resource_version" = "611209604"
      "uid" = "bab03c90-cf4a-439e-8d88-491bd1cc40f7"
    },
  ])
  "secret" = toset([])
  "timeouts" = null /* object */
}


Labels
add-or-update area/eventing Issues or PRs related to eventing kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Looks good to me! size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
3 participants