feat(crier): switch to upstream manifests #5130

Merged
kubevirt-bot merged 1 commit into kubevirt:main from dollierp:crier-upstream
Jun 12, 2026

@dollierp

Contributor

What this PR does / why we need it:

Make crier deployment use new upstream manifests instead of old k8s-test-infra manifests.

Changes in manifests generated by kustomize:

  • switch to kubevirt-prow GitHub Application credentials instead of kubevirt-bot user token
  • removed unused kubeconfig volumes
  • removed metrics port and service (KubeVirt Prow relies on pushgateway instead)
--- github/ci/prow-deploy/crier.test_infra.yaml	2026-06-09 16:31:30.927873653 +0200
+++ github/ci/prow-deploy/crier.upstream.yaml	2026-06-10 13:26:29.017626279 +0200
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -18,52 +17,41 @@
     spec:
       containers:
       - args:
-        - --blob-storage-workers=1
+        - --blob-storage-workers=10
         - --config-path=/etc/config/config.yaml
-        - --gcs-credentials-file=/etc/gcs/service-account.json
+        - --gcs-credentials-file=/etc/gcs-credentials/service-account.json
         - --github-endpoint=http://ghproxy
         - --github-endpoint=https://api.github.com
-        - --github-workers=5
-        - --kubernetes-blob-storage-workers=1
-        - --github-token-path=/etc/github/oauth
+        - --github-workers=10
+        - --kubernetes-blob-storage-workers=10
+        - --github-app-id=$(GITHUB_APP_ID)
+        - --github-app-private-key-path=/etc/github/cert
         - --job-config-path=/etc/job-config
         - --slack-token-file=/etc/slack/token
-        - --slack-workers=1
+        - --slack-workers=10
         env:
-        - name: KUBECONFIG
-          value: /etc/kubeconfig/config
-        image: us-docker.pkg.dev/k8s-infra-prow/images/crier:v20260603-539ecaca1
+        - name: GITHUB_APP_ID
+          valueFrom:
+            secretKeyRef:
+              key: appid
+              name: github-token
+        image: us-docker.pkg.dev/k8s-infra-prow/images/crier:v20260531-24f6b2904
         name: crier
-        ports:
-        - containerPort: 9090
-          name: metrics
         volumeMounts:
-        - mountPath: /etc/kubeconfig
-          name: kubeconfig
-          readOnly: true
-        - mountPath: /etc/kubeconfig-build-test-infra-trusted
-          name: kubeconfig-build-test-infra-trusted
-          readOnly: true
-        - mountPath: /etc/kubeconfig-build-k8s-prow-builds
-          name: kubeconfig-build-k8s-prow-builds
-          readOnly: true
-        - mountPath: /etc/kubeconfig-build-rules-k8s
-          name: kubeconfig-build-rules-k8s
-          readOnly: true
         - mountPath: /etc/config
           name: config
           readOnly: true
         - mountPath: /etc/github
-          name: oauth
+          name: github-token
           readOnly: true
-        - mountPath: /etc/gcs
-          name: gcs
+        - mountPath: /etc/gcs-credentials
+          name: gcs-credentials
           readOnly: true
         - mountPath: /etc/job-config
           name: job-config
           readOnly: true
         - mountPath: /etc/slack
-          name: slack
+          name: slack-token
           readOnly: true
       serviceAccountName: crier
       terminationGracePeriodSeconds: 30
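
Review bot: the image line moves from crier:v20260603-539ecaca1 to crier:v20260531-24f6b2904, so by the date in the tag this rollout goes back to an earlier build; please confirm that this is the version the upstream manifests are meant to pin and say so in the description. The worker counts also change (--github-workers from 5 to 10, the blob-storage and slack workers from 1 to 10) without being listed in the description. The new --github-app-private-key-path=/etc/github/cert and the appid secretKeyRef both assume the github-token secret carries cert and appid keys, which is worth stating as a prerequisite.
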
@@ -71,39 +59,23 @@
       - configMap:
           name: config
         name: config
-      - name: oauth
+      - name: github-token
         secret:
-          secretName: oauth-token
-      - name: gcs
+          secretName: github-token
+      - name: gcs-credentials
         secret:
-          secretName: gcs
+          secretName: gcs-credentials
       - configMap:
           name: job-config
         name: job-config
-      - name: slack
+      - name: slack-token
         secret:
           secretName: slack-token
-      - name: kubeconfig
-        secret:
-          defaultMode: 420
-          secretName: kubeconfig
-      - name: kubeconfig-build-test-infra-trusted
-        secret:
-          defaultMode: 420
-          secretName: kubeconfig-build-test-infra-trusted
-      - name: kubeconfig-build-k8s-prow-builds
-        secret:
-          defaultMode: 420
-          secretName: kubeconfig-build-k8s-prow-builds
-      - name: kubeconfig-build-rules-k8s
-        secret:
-          defaultMode: 420
-          secretName: kubeconfig-build-rules-k8s
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: crier-namespaced
+  name: crier
   namespace: kubevirt-prow-jobs
 roleRef:
   apiGroup: rbac.authorization.k8s.io
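
Review bot: the volumes now reference the secrets github-token and gcs-credentials instead of oauth-token and gcs, so both must exist in the namespace before this rolls out or the pod will not start; the description should name them as prerequisites. Once crier no longer mounts oauth-token, check whether anything else still uses that secret and, if not, remove it and revoke the token so the old credential does not linger. Dropping the four kubeconfig secret volumes is a good reduction in what the pod can read.
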
@@ -117,7 +89,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: crier-namespaced
+  name: crier
   namespace: kubevirt-prow
 roleRef:
   apiGroup: rbac.authorization.k8s.io
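
Review bot: renaming the RoleBinding from crier-namespaced to crier (here in kubevirt-prow, and in kubevirt-prow-jobs in the previous hunk) creates a new object rather than updating the old one. Unless the deploy step prunes, the crier-namespaced bindings stay in the cluster and keep granting their role; please confirm they are deleted as part of this change.
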
@@ -147,8 +119,6 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  annotations:
-    iam.gke.io/gcp-service-account: control-plane@k8s-prow.iam.gserviceaccount.com
   name: crier
   namespace: kubevirt-prow
 ---
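
Review bot: removing the iam.gke.io/gcp-service-account annotation is not mentioned in the description. With it gone the crier ServiceAccount no longer maps to control-plane@k8s-prow.iam.gserviceaccount.com, so storage access rests on the key file passed via --gcs-credentials-file; a line in the description confirming that this is intended would help.
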
@@ -183,21 +153,6 @@
   - patch
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: crier
-  name: crier
-  namespace: kubevirt-prow
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-  selector:
-    app: crier
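
Review bot: with the crier Service and the 9090 metrics port gone, anything that still selects this Service or port (a ServiceMonitor, a NetworkPolicy, an alert on the scrape target) will silently match nothing; please confirm no such reference is left in the overlay.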

Special notes for your reviewer:

/cc @dhiller

Signed-off-by: Denis Ollier <dollierp@redhat.com>
@kubevirt-bot kubevirt-bot requested a review from dhiller June 10, 2026 11:53
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. size/L labels Jun 10, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request refactors the Prow deployment to use upstream crier manifests instead of local ones, updating secret handling for the Slack token and adjusting Kustomize configurations and patches accordingly. A review comment suggests changing the hardcoded namespace kubevirt-prow-jobs to test-pods in the new crier-rbac.yaml file to ensure consistency and support dynamic namespace patching.

Comment on lines +2 to +5
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: kubevirt-prow-jobs

medium

To maintain consistency with other roles in the overlay (such as deck and prow-controller-manager) and to allow dynamic namespace patching via prow-jobs-namespace.yaml, please use the placeholder namespace test-pods instead of the hardcoded kubevirt-prow-jobs namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: test-pods

Contributor

@dollierp is there something to that? I don't remember we even have this placeholder namespace? Is that part of the new manifests and I missed it?

Contributor Author

Yet another AI hallucination, all github/ci/prow-deploy/kustom/overlays/kubevirt-prow-control-plane/resources/*-rbac.yaml files are using kubevirt-prow-jobs namespace.

@@ -1,4 +1,9 @@
resources:
- manifests/upstream/crier_deployment.yaml
- manifests/upstream/crier_rolebinding_test-pods.yaml

Contributor

I thought we weren't using test-pods?

Contributor Author

Upstream manifests use test-pods while we are using kubevirt-prow-jobs, kustomize rules are doing the replacement for rolebindings here: https://github.com/kubevirt/project-infra/blob/main/github/ci/prow-deploy/kustom/overlays/kubevirt-prow-control-plane/kustomization.yaml#L194-L198.

@dhiller dhiller left a comment

Contributor

/approve

Thank you @dollierp !

@kubevirt-bot

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dhiller

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2026
@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 12, 2026
@kubevirt-bot kubevirt-bot merged commit 900563f into kubevirt:main Jun 12, 2026
6 checks passed
@kubevirt-bot

Contributor

@dollierp: Updated the config configmap in namespace kubevirt-prow at cluster default using the following files:

  • key config.yaml using file github/ci/prow-deploy/kustom/base/configs/current/config/config.yaml
@dollierp

Contributor Author

Looks like it worked as expected, crier is now commenting using kubevirt-prow[bot] and not kubevirt-bot anymore.

@dollierp dollierp deleted the crier-upstream branch June 12, 2026 09:17