Add ExternalSecret CR for snyk_token #22298

Closed
navidshaikh wants to merge 4 commits into kubernetes:master from navidshaikh:pr/snyk-token-external-secret

@navidshaikh
Contributor

xref: kubernetes/kubernetes#101528

/cc: @cjwagner @spiffxp

@k8s-ci-robot added the cncf-cla: yes and area/config labels May 21, 2021
@k8s-ci-robot added the area/prow/bump, sig/testing and size/S labels May 21, 2021
@navidshaikh
Contributor Author

/hold for actual secret to be created in gsm

@k8s-ci-robot added the do-not-merge/hold label May 21, 2021
Member

@cjwagner cjwagner left a comment


If this secret is for a job in the default build cluster then it needs to be defined in config/prow/cluster/build_kubernetes-external-secrets_customresource.yaml. The file you updated in this PR would incorrectly add the secret to the Prow service cluster. Instructions for setting up secrets for the default build cluster can be found here: https://github.com/kubernetes/test-infra/blob/master/prow/prow_secrets.md#usage-prow-clients

@spiffxp
Contributor

spiffxp commented May 24, 2021

FWIW I am working to get the k8s-infra-prow-build-trusted cluster set up with kubernetes-external-secrets. Perhaps we can run there?

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: navidshaikh
To complete the pull request process, please ask for approval from cjwagner after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

namespace: test-pods
spec:
backendType: gcpSecretsManager
projectId: kubernetes-upstream # gsm project id
Contributor Author

@navidshaikh navidshaikh May 25, 2021

..to be verified if this projectId is correct

/hold

Contributor Author

cc: @spiffxp @cjwagner is this the correct project we'd want to have secrets in?

Contributor

Suggested change
projectId: kubernetes-upstream # gsm project id
projectId: k8s-infra-prow-build-trusted # gsm project id

Contributor Author

done
/unhold

Contributor Author

 - This CR brings snyk_token defined in google secret manager
   into test infra for running periodic snyk CI job.
@navidshaikh force-pushed the pr/snyk-token-external-secret branch from d231a4f to 14dc3dc June 15, 2021 17:28
@k8s-ci-robot removed the do-not-merge/hold label Jun 15, 2021
Comment on lines +16 to +28
---
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
name: snyk-token
namespace: test-pods
spec:
backendType: gcpSecretsManager
projectId: k8s-infra-prow-build-trusted # gsm project id
data:
- key: snyk-token # name of the GCP secret
name: SNYK_TOKEN # key name in the k8s secret
version: latest
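
Review bot: `version: latest` on the `snyk-token` data entry means the synced SNYK_TOKEN value changes whenever a new version is added to the GCP secret, with no change in this repository to review. If that is intended so the token can be rotated in Secret Manager alone, say so in a comment beside the field; otherwise pin an explicit version number. A short comment naming the job that reads this secret from the `test-pods` namespace would also help anyone auditing what the token is exposed to.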

@spiffxp
Contributor

spiffxp commented Jun 15, 2021

/close
I'm going to redo this PR over in k8s.io

@k8s-ci-robot
Contributor

@spiffxp: Closed this PR.

In response to this:

/close
I'm going to redo this PR over in k8s.io

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@navidshaikh navidshaikh deleted the pr/snyk-token-external-secret branch June 15, 2021 20:41