
Allow image builder from prod repo #9642

Closed

Conversation

dekiel (Contributor) commented Jan 12, 2024

Description

Changes proposed in this pull request:

  • Added image-builder and buildkit-image-builder images from the production registry to the list of trusted images accessing the sa-kyma-push-images secret.

dekiel and others added 30 commits December 16, 2023 20:27
Updated the 'run_if_changed' patterns in the 'images.yaml' file for more precise reaction to changes. Furthermore, '--export-tags' option was removed for building image-builder as tags are not used in build process.

A post-build job for image-builder was added. Now, every time changes are detected in the specified paths in 'main' branch, the image-builder image will be built automatically. This reduces manual effort and ensures that the latest code changes are incorporated in the image-builder.
kyma-project#9456)

* tag telemetry-manager image with module version and remove release job

* tag telemetry-manager image with module version in a separate job

* change job name

* add auto-generated empty line
…-project#9474)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.152.0 to 0.153.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.152.0...v0.153.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from 1.21.4-alpine3.17 to 1.21.5-alpine3.17.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

No eu.gcr.io/kyma-project/test-infra/ changes.

No europe-docker.pkg.dev/kyma-project/prod/testimages/ changes.

Multiple distinct europe-docker.pkg.dev/kyma-project/prod/test-infra/ changes:

Commits | Dates | Images
--- | --- | ---
kyma-project/test-infra@e65a3f7...ba72d49 | 2023-12-04 → 2023-12-06 | prod/test-infra/ko/clusterscollector, prod/test-infra/ko/cors-proxy, prod/test-infra/ko/diskscollector, prod/test-infra/ko/dnscollector, prod/test-infra/ko/externalsecretschecker, prod/test-infra/ko/gardener-rotate, prod/test-infra/ko/gcscleaner, prod/test-infra/ko/github-webhook-gateway, prod/test-infra/ko/image-detector, prod/test-infra/ko/image-syncer, prod/test-infra/ko/image-url-helper, prod/test-infra/ko/ipcleaner, prod/test-infra/ko/markdown-index, prod/test-infra/ko/move-gcs-bucket, prod/test-infra/ko/needs-tws, prod/test-infra/ko/orphanremover, prod/test-infra/ko/pjtester, prod/test-infra/ko/scan-logs-for-secrets, prod/test-infra/ko/search-github-issue, prod/test-infra/ko/usersmapchecker, prod/test-infra/ko/vmscollector
kyma-project/test-infra@57f98c4...ba72d49 | 2023-12-04 → 2023-12-06 | prod/test-infra/slackmessagesender
…yma-project#9480)

Bumps golang from 1.21.4-alpine3.17 to 1.21.5-alpine3.17.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…project#9475)

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from 1.21.4-alpine3.17 to 1.21.5-alpine3.17.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

No eu.gcr.io/kyma-project/test-infra/ changes.

europe-docker.pkg.dev/kyma-project/prod/testimages/ changes: kyma-project/test-infra@57f98c4...59f0cdf (2023-12-04 → 2023-12-06)

europe-docker.pkg.dev/kyma-project/prod/test-infra/ changes: kyma-project/test-infra@ba72d49...37d4a17 (2023-12-06 → 2023-12-06)
)

No eu.gcr.io/kyma-project/test-infra/ changes.

No europe-docker.pkg.dev/kyma-project/prod/testimages/ changes.

europe-docker.pkg.dev/kyma-project/prod/test-infra/ changes: kyma-project/test-infra@37d4a17...f9e8ceb (2023-12-06 → 2023-12-06)
* Use semantic versioning for eventing manager

* Restore template
…oject#9486)

* chore: Remove cli related e2e test that use kyma deploy

* cleanup templates

* cleanup templates

* revert integration
* Ignore docker images based on regexp

* Update cloud run config as well
kyma-project#9498)

* allow post build job to run on release-* branches for eventing-manager

* remove skip instruction

* add formatting and add release branch instruction
Bumps alpine from 3.18.5 to 3.19.0.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…project#9501)

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.18.0 to 1.18.1.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.18.0...v1.18.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…yma-project#9502)

Bumps alpine from 3.18.5 to 3.19.0.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

No eu.gcr.io/kyma-project/test-infra/ changes.

No europe-docker.pkg.dev/kyma-project/prod/testimages/ changes.

Multiple distinct europe-docker.pkg.dev/kyma-project/prod/test-infra/ changes:

Commits | Dates | Images
--- | --- | ---
kyma-project/test-infra@f9e8ceb...e0b1571 | 2023-12-06 → 2023-12-08 | prod/test-infra/ko/clusterscollector, prod/test-infra/ko/cors-proxy, prod/test-infra/ko/diskscollector, prod/test-infra/ko/dnscollector, prod/test-infra/ko/externalsecretschecker, prod/test-infra/ko/gardener-rotate, prod/test-infra/ko/gcscleaner, prod/test-infra/ko/github-webhook-gateway, prod/test-infra/ko/image-detector, prod/test-infra/ko/image-syncer, prod/test-infra/ko/image-url-helper, prod/test-infra/ko/ipcleaner, prod/test-infra/ko/markdown-index, prod/test-infra/ko/move-gcs-bucket, prod/test-infra/ko/needs-tws, prod/test-infra/ko/orphanremover, prod/test-infra/ko/pjtester, prod/test-infra/ko/scan-logs-for-secrets, prod/test-infra/ko/search-github-issue, prod/test-infra/ko/usersmapchecker, prod/test-infra/ko/vmscollector
kyma-project/test-infra@37d4a17...e0b1571 | 2023-12-06 → 2023-12-08 | prod/test-infra/slackmessagesender
Sawthis and others added 20 commits January 12, 2024 18:11
* Refactored Subscription Cleanup Job Location

* Name and Repo Update

* Update provisioner-subscription-cleanup-job-build.yaml
…ma-project#9617)

* remove restrictions on pull-nats-module-build to only run on main

We need this pull-nats-module-build to also run on release branches.

* add whitespace

* Revert "remove restrictions on pull-nats-module-build to only run on main"

This reverts commit 6caeebb.

* allow pull-nats-module-build from release branches
* Add release job for runtime-watcher

* Add release job for runtime-watcher

* Add release job for runtime-watcher

* Add pjtester

* Add pjtester

* Add pjtester

* remove pjtester

* Review fix
* Change Serverless image build jobs

* comment

* add release 0.*

* vpath

* vpath

* vpath
* Secure access to sa-kyma-push-images

* Improve list of images and entrypoint_options
…9638)

* Adjust branches for serverless runtime post build jobs

* adjust template
* Add possibility to use kaniko build config from PR in ADO Builder

* Add prowjob to verify kaniko config in ado pipeline

* Add TestPipelineId

* Move the validation job to a separate file

* Fix definition

* Fix linter error

* 'Remove ADO validation job for kaniko build config'
@kyma-bot kyma-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 12, 2024
@kyma-bot (Contributor)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot kyma-bot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jan 12, 2024
@kyma-bot (Contributor)

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@kyma-bot kyma-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cla: yes Indicates the PR's author has signed the CLA. labels Jan 12, 2024
@dekiel dekiel closed this Jan 12, 2024
@dekiel dekiel deleted the allow-image-builder-from-prod-repo branch January 12, 2024 17:26
Plan Result

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 2 to add, 2 to change, 2 to destroy.
  • Create
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$'\n #serverless-module-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$'\n # sidecar\n - image: "europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$'\n #serverless-module-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$'\n # sidecar\n - image: "europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
  • Update
    • module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry
    • module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner
  • Delete
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$'\n #serverless-module-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$'\n # sidecar\n - image: "europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$'\n #serverless-module-build\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$'\n # sidecar\n - image: "europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
Change Result
  # module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry will be updated in-place
  ~ resource "google_artifact_registry_repository" "artifact_registry" {
        id               = "projects/kyma-project/locations/europe/repositories/modules-internal"
        name             = "modules-internal"
        # (11 unchanged attributes hidden)

      + docker_config {
          + immutable_tags = false
        }
    }

  # module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner will be updated in-place
  ~ resource "google_cloud_scheduler_job" "service_account_keys_cleaner" {
        id               = "projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner"
        name             = "service-account-keys-cleaner"
        # (8 unchanged attributes hidden)

      ~ http_target {
          ~ uri         = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app/?project=sap-kyma-prow&age=24" -> "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app?project=sap-kyma-prow&age=24"
            # (2 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }
    }

  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be destroyed
  # (because key ["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/sa-kyma-push-images" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "4bc764f8-32c4-4824-b45d-3ec03b8dc627" -> null
      - name                    = "sa-kyma-push-images" -> null
      - server_side_apply       = false -> null
      - uid                     = "4bc764f8-32c4-4824-b45d-3ec03b8dc627" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*
                - args: []
                  command: []
                  image: europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "sa-kyma-push-images"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*
                - args: []
                  command: []
                  image: europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be destroyed
  # (because key ["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/sa-kyma-push-images" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "b4542658-10d8-4388-b9b1-a7da99beaabd" -> null
      - name                    = "sa-kyma-push-images" -> null
      - server_side_apply       = false -> null
      - uid                     = "b4542658-10d8-4388-b9b1-a7da99beaabd" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*
                - args: []
                  command: []
                  image: europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod and post-k8s-prow-build-release\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev\"\\],\"container_name\":\"test\",.*}$'\n        #serverless-module-build\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"make\",\"-C\",\"components/operator/hack/ci\",\"module-build\"\\],\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "sa-kyma-push-images"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/docker-credential-gcr configure-docker --registries=europe-docker.pkg.dev"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["make","-C","components/operator/hack/ci","module-build"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/buildpack-go:*
                - args: []
                  command: []
                  image: europe-docker.pkg.dev/kyma-project/prod/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }

Plan: 2 to add, 2 to change, 2 to destroy.

Changes to Outputs:
  ~ artifact_registry                                   = {
      ~ modules-internal = {
          ~ artifact_registry_collection = {
                id                        = "projects/kyma-project/locations/europe/repositories/modules-internal"
                name                      = "modules-internal"
              ~ update_time               = "2024-01-12T14:20:44.646313Z" -> "2024-01-12T15:40:11.731385Z"
                # (16 unchanged attributes hidden)
            }
        }
    }
ℹ️ Objects have changed outside of Terraform

This feature was introduced from Terraform v0.15.4.

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry has changed
  ~ resource "google_artifact_registry_repository" "artifact_registry" {
        id               = "projects/kyma-project/locations/europe/repositories/modules-internal"
        name             = "modules-internal"
      ~ update_time      = "2024-01-12T14:31:12.309573Z" -> "2024-01-12T15:40:11.731385Z"
        # (10 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the

Labels
cla: yes Indicates the PR's author has signed the CLA. destroy do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.