Skip to content

Bump Prow to v20260225, fix Spyglass S3 URI error, add smart deploy restarts#60

Merged
m-chau merged 8 commits into
mainfrom
bump-prow-images-v20260328
Apr 1, 2026
Merged

Bump Prow to v20260225, fix Spyglass S3 URI error, add smart deploy restarts#60
m-chau merged 8 commits into
mainfrom
bump-prow-images-v20260328

Conversation

@m-chau

@m-chau m-chau commented Mar 31, 2026

Copy link
Copy Markdown
Collaborator

Changes

Prow image bump

  • Bump all Prow component images to v20260225-8287579aa (matching upstream production)

S3 endpoint fix

  • The new Prow images use AWS SDK v2, which requires the S3 endpoint to be a full URI with scheme
  • Added http:// prefix to the MinIO endpoint in s3-credentials secrets (both prow and test-pods namespaces)
  • Without this, Spyglass fails with: Custom endpoint 'minio.prow.svc.cluster.local' was not a valid URI

Deploy workflow: smart secret-aware restarts

  • Prow components (deck, crier) read s3-credentials at startup and don't watch for changes
  • Added a post-deploy step that computes the md5 hash of the current s3-credentials secret and compares it to an annotation on the deployment's pod template
  • If the hash doesn't match (or the annotation is missing), the deployment is patched with the new hash — triggering a rolling restart
  • If the hash matches, no restart occurs (idempotent deploys stay fast)

Testing

@m-chau
m-chau force-pushed the bump-prow-images-v20260328 branch from 6e48f7d to 9446fca Compare March 31, 2026 03:11
@m-chau m-chau changed the title Bump Prow images to v20260328-dc2bbc9fc Bump Prow utility images to v20260328-dc2bbc9fc Mar 31, 2026
@m-chau
m-chau force-pushed the bump-prow-images-v20260328 branch from 9446fca to 51d1abc Compare March 31, 2026 03:14
@m-chau m-chau changed the title Bump Prow utility images to v20260328-dc2bbc9fc Bump Prow utility images and fix Spyglass lens config Mar 31, 2026
@m-chau
m-chau force-pushed the bump-prow-images-v20260328 branch from 51d1abc to dcd0b75 Compare March 31, 2026 03:28
@m-chau m-chau changed the title Bump Prow utility images and fix Spyglass lens config Bump all Prow images to v20260225-8287579aa (match upstream production) Mar 31, 2026
Match upstream prow.k8s.io production versions:
- Update K8S_PROW_IMAGE_TAG from v20240802-66b115076 to v20260225-8287579aa
- Fix ghproxy image registry from gcr.io/k8s-prow (legacy) to
  us-docker.pkg.dev/k8s-infra-prow/images (current)

This applies to all Prow components (deck, hook, tide, crier, horologium,
sinker, prow-controller-manager, status-reconciler, ghproxy) and utility
images (clonerefs, entrypoint, initupload, sidecar).

Upstream production version confirmed via deck's static asset version tag:
  curl -s https://prow.k8s.io/ | grep -o 'v=[a-z0-9-]*' | head -1
  # v=v20260225-8287579aa

Note: upstream's git still shows v20240802 in cluster deployment YAMLs,
but production was manually deployed with a newer version.
@m-chau
m-chau force-pushed the bump-prow-images-v20260328 branch from dcd0b75 to d244a27 Compare March 31, 2026 03:37
Newer Prow (v20260225) uses an updated AWS SDK that requires a full URI
with scheme for custom endpoints. Without it, Spyglass fails with:
  'Custom endpoint minio.prow.svc.cluster.local was not a valid URI'
Both s3-credentials secrets (prow and test-pods namespaces) need the
http:// scheme. Previous commit only fixed the prow namespace one.
AKSClaw added 2 commits March 31, 2026 04:12
Prow components (deck, crier) read s3-credentials at startup and don't
watch for changes. After applying updated secrets (e.g. endpoint with
http:// scheme), pods must be restarted to pick up the new values.

This fixes the 'Custom endpoint was not a valid URI' Spyglass error
seen after the Prow image bump.
Snapshot s3-credentials checksums before and after applying manifests.
Only trigger rollout restart if the secret data changed, avoiding
unnecessary pod restarts on idempotent deploys.
The before/after checksum approach missed cases where the secret was
updated in a prior deploy but pods were never restarted. Instead, store
the secret hash as a pod template annotation — if the current secret
hash doesn't match the annotation, patch the deployment (which triggers
a rolling restart). If they match, no restart occurs.

This handles both fresh changes and stale pods from prior deploys.
AKSClaw added 2 commits March 31, 2026 04:46
Hook was missing --plugin-config=/etc/plugins/plugins.yaml in its args.
The volume and mount were already present, but without the flag the new
Prow image doesn't load plugins (including trigger, which handles
/test commands). The old image had this as a default path.
@m-chau m-chau changed the title Bump all Prow images to v20260225-8287579aa (match upstream production) Bump Prow images to v20260225-8287579aa and fix S3 endpoint compatibility Mar 31, 2026
@m-chau m-chau changed the title Bump Prow images to v20260225-8287579aa and fix S3 endpoint compatibility Bump Prow to v20260225, fix Spyglass S3 URI error, add smart deploy restarts Mar 31, 2026
@wenhug

wenhug commented Apr 1, 2026

Copy link
Copy Markdown
Collaborator

/lgtm

@m-chau
m-chau merged commit 3cf998d into main Apr 1, 2026
@m-chau
m-chau deleted the bump-prow-images-v20260328 branch April 1, 2026 01:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants