feat(tekton): setup tekton pipeline in devops namespace #2242 #2243
Merged
--- kubernetes/talos-flux/flux Kustomization: flux-system/flux-sync HelmRepository: flux-system/cdfoundation-tekton-charts
+++ kubernetes/talos-flux/flux Kustomization: flux-system/flux-sync HelmRepository: flux-system/cdfoundation-tekton-charts
@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: cdfoundation-tekton-charts
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://cdfoundation.github.io/tekton-helm-chart/
+ timeout: 3m
+
--- kubernetes/talos-flux/apps Kustomization: flux-system/apps-sync Namespace: flux-system/devops
+++ kubernetes/talos-flux/apps Kustomization: flux-system/apps-sync Namespace: flux-system/devops
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ name: devops
+
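Review bot: The `devops` Namespace carries only the `kustomize.toolkit.fluxcd.io/prune: disabled` label and no `pod-security.kubernetes.io/enforce` label, so this manifest does not put Pod Security admission on the namespace that the Tekton ServiceAccounts in this diff live in. The chart's own `tekton-pipelines` Namespace further down sets `restricted`; consider adding the same label under `metadata.labels` here, after checking that any other workloads in `devops` pass it.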
--- kubernetes/talos-flux/apps/devops/tekton/pipeline Kustomization: flux-system/tekton-pipeline HelmRelease: devops/tekton-pipeline
+++ kubernetes/talos-flux/apps/devops/tekton/pipeline Kustomization: flux-system/tekton-pipeline HelmRelease: devops/tekton-pipeline
@@ -0,0 +1,33 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/instance: tekton
+ app.kubernetes.io/name: tekton
+ name: tekton-pipeline
+ namespace: devops
+spec:
+ chart:
+ spec:
+ chart: tekton-pipeline
+ sourceRef:
+ kind: HelmRepository
+ name: cdfoundation-tekton-charts
+ namespace: flux-system
+ version: 1.0.2
+ install:
+ crds: CreateReplace
+ createNamespace: true
+ remediation:
+ retries: 3
+ interval: 15m
+ maxHistory: 15
+ uninstall:
+ keepHistory: false
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values: null
+ |
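Review bot: `install.crds: CreateReplace` is set but the `upgrade` block has no `crds` policy, and Flux skips CRD changes on upgrade unless one is given, so a later bump of `version: 1.0.2` would leave the Tekton CRDs at their installed revision. Add `crds: CreateReplace` under `upgrade`. Separately, `createNamespace: true` overlaps with the `devops` Namespace that the apps-sync Kustomization already manages; one owner for the namespace is easier to reason about.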
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-registry-cert
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-registry-cert
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-registry-cert
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/hubresolver-config
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/hubresolver-config
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: hubresolver-config
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ default-tekton-hub-catalog: Tekton
+ default-artifact-hub-task-catalog: tekton-catalog-tasks
+ default-artifact-hub-pipeline-catalog: tekton-catalog-pipelines
+ default-kind: task
+ default-type: artifact
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-logging
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-logging
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-logging
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ zap-logger-config: |
+ {
+ "level": "info",
+ "development": false,
+ "sampling": {
+ "initial": 100,
+ "thereafter": 100
+ },
+ "outputPaths": ["stdout"],
+ "errorOutputPaths": ["stderr"],
+ "encoding": "json",
+ "encoderConfig": {
+ "timeKey": "timestamp",
+ "levelKey": "severity",
+ "nameKey": "logger",
+ "callerKey": "caller",
+ "messageKey": "message",
+ "stacktraceKey": "stacktrace",
+ "lineEnding": "",
+ "levelEncoder": "",
+ "timeEncoder": "iso8601",
+ "durationEncoder": "",
+ "callerEncoder": ""
+ }
+ }
+ loglevel.controller: info
+ loglevel.webhook: info
+
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-info
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-info
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-info
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: tekton-pipelines-info
+
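Review bot: The subject `kind: Group` / `name: system:authenticated` binds the `tekton-pipelines-info` Role to every authenticated identity in the cluster, including every ServiceAccount. The Role is limited to `get` on the `pipelines-info` ConfigMap, so the exposure is the Tekton version string, but it should be a deliberate choice; if nothing outside the platform team needs it, bind a narrower group instead.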
--- kubernetes HelmRelease: devops/tekton-pipeline HorizontalPodAutoscaler: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline HorizontalPodAutoscaler: devops/tekton-pipelines-webhook
@@ -0,0 +1,27 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: tekton-pipelines-webhook
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+spec:
+ minReplicas: 1
+ maxReplicas: 5
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: tekton-pipelines-webhook
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 100
+
--- kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-leader-election
+++ kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-leader-election
@@ -0,0 +1,22 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-leader-election
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+
--- kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-controller
+++ kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-controller
@@ -0,0 +1,32 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-controller
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ resourceNames:
+ - config-logging
+ - config-observability
+ - config-artifact-bucket
+ - config-artifact-pvc
+ - feature-flags
+ - config-leader-election
+ - config-registry-cert
+
--- kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-controller
+++ kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-controller
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelines-controller
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-resolvers
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-resolvers
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-resolvers
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-resolvers
+ namespace: devops
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-resolvers-resolution-request-updates
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-webhook
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-webhook
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-webhook
+ namespace: devops
+roleRef:
+ kind: Role
+ name: tekton-pipelines-webhook
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-controller-tenant-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-controller-tenant-access
@@ -0,0 +1,55 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - limitranges
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+
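Review bot: The third rule puts `secrets` in the same `get`/`list`/`watch` entry as `configmaps`, `limitranges` and `serviceaccounts`, and this is a ClusterRole. Whether that read access is cluster-wide depends on how the role is bound, so review it together with the `tekton-pipelines-controller-tenant-access` binding in this diff, and consider splitting `secrets` into its own rule so it can be audited and scoped separately.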
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/git-resolver-config
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/git-resolver-config
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+data:
+ api-token-secret-key: ''
+ api-token-secret-name: ''
+ api-token-secret-namespace: default
+ default-org: ''
+ default-revision: main
+ default-url: https://github.com/tektoncd/catalog.git
+ fetch-timeout: 1m
+ scm-type: github
+ server-url: ''
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ name: git-resolver-config
+
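Review bot: `default-revision: main` with `default-url: https://github.com/tektoncd/catalog.git` means a git-resolver reference that omits a revision follows a moving branch of an external repository. Set `default-revision` to a tag or commit SHA, or require callers to pin one. Also note `api-token-secret-namespace: default` points at the `default` namespace rather than `devops`; if a token is ever configured, the secret would have to live there.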
--- kubernetes HelmRelease: devops/tekton-pipeline Service: devops/tekton-pipelines-controller
+++ kubernetes HelmRelease: devops/tekton-pipeline Service: devops/tekton-pipelines-controller
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ app: tekton-pipelines-controller
+ version: v0.42.0
+ name: tekton-pipelines-controller
+spec:
+ ports:
+ - name: http-metrics
+ port: 9090
+ protocol: TCP
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: probes
+ port: 8080
+ selector:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
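Review bot: The Service publishes `http-profiling` on port 8008 alongside `http-metrics` and `probes`, and nothing in this diff restricts who can reach it. If profiling is not used, drop the port from the Service; otherwise add a NetworkPolicy in `devops` that limits 8008 and 9090 to the monitoring stack.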
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-webhook-cluster-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-webhook-cluster-access
@@ -0,0 +1,82 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-webhook-cluster-access
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ - customresourcedefinitions/status
+ verbs:
+ - get
+ - update
+ - patch
+ resourceNames:
+ - pipelines.tekton.dev
+ - pipelineruns.tekton.dev
+ - runs.tekton.dev
+ - tasks.tekton.dev
+ - clustertasks.tekton.dev
+ - taskruns.tekton.dev
+ - pipelineresources.tekton.dev
+ - resolutionrequests.resolution.tekton.dev
+ - customruns.tekton.dev
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ resourceNames:
+ - webhook.pipeline.tekton.dev
+ verbs:
+ - get
+ - update
+ - delete
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ resourceNames:
+ - validation.webhook.pipeline.tekton.dev
+ - config.webhook.pipeline.tekton.dev
+ verbs:
+ - get
+ - update
+ - delete
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ resourceNames:
+ - tekton-pipelines
+- apiGroups:
+ - ''
+ resources:
+ - namespaces/finalizers
+ verbs:
+ - update
+ resourceNames:
+ - tekton-pipelines
+
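Review bot: The last two rules grant `get` on `namespaces` and `update` on `namespaces/finalizers` with `resourceNames: tekton-pipelines`, but every ServiceAccount subject in this diff is in `devops` and the webhook takes `SYSTEM_NAMESPACE` from `metadata.namespace`. If the webhook needs to read its own namespace, these rules will not authorize it for `devops`. Check whether the chart exposes a value for the system namespace and, if not, verify the webhook starts cleanly and can reconcile its webhook configurations.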
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-controller-leaderelection
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-controller-leaderelection
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-controller-leaderelection
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-controller
+ namespace: devops
+roleRef:
+ kind: Role
+ name: tekton-pipelines-leader-election
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-webhook-leaderelection
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-webhook-leaderelection
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-webhook-leaderelection
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-webhook
+ namespace: devops
+roleRef:
+ kind: Role
+ name: tekton-pipelines-leader-election
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-webhook
@@ -0,0 +1,124 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ name: tekton-pipelines-webhook
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-pipelines
+ template:
+ metadata:
+ labels:
+ app: tekton-pipelines-webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: NotIn
+ values:
+ - windows
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/part-of: tekton-pipelines
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: CONFIG_FEATURE_FLAGS_NAME
+ value: feature-flags
+ - name: WEBHOOK_PORT
+ value: '8443'
+ - name: WEBHOOK_SERVICE_NAME
+ value: tekton-pipelines-webhook
+ - name: WEBHOOK_SECRET_NAME
+ value: webhook-certs
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ envFrom:
+ - secretRef:
+ name: tekton-env
+ optional: true
+ image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.42.0@sha256:90989eeb6e0ba9c481b1faba3b01bcc70725baa58484c8f6ce9d22cc601e63dc
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ name: webhook
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ - containerPort: 8443
+ name: https-webhook
+ - containerPort: 8080
+ name: probes
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ memory: 500Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ nodeSelector: null
+ serviceAccountName: tekton-pipelines-webhook
+ tolerations: null
+
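Review bot: The webhook container's `securityContext` drops all capabilities and runs as non-root but does not set `readOnlyRootFilesystem: true`, which the resolvers Deployment in this same diff does set. Align the two if the chart allows it. Also, `envFrom` references an optional Secret `tekton-env`: whoever can create a Secret with that name in `devops` can inject environment variables into the admission webhook, so restrict Secret creation in that namespace accordingly.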
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-aggregate-view
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-aggregate-view
@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tekton-aggregate-view
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+rules:
+- apiGroups:
+ - tekton.dev
+ resources:
+ - tasks
+ - taskruns
+ - pipelines
+ - pipelineruns
+ - pipelineresources
+ - runs
+ - customruns
+ verbs:
+ - get
+ - list
+ - watch
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/cluster-resolver-config
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/cluster-resolver-config
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-resolver-config
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ default-kind: task
+ default-namespace: ''
+ allowed-namespaces: ''
+ blocked-namespaces: ''
+
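Review bot: `allowed-namespaces: ''` and `blocked-namespaces: ''` leave the cluster resolver with no allow-list or block-list, so a `PipelineRun` can reference Tasks and Pipelines stored in any namespace the resolver can read. Set `allowed-namespaces` to the namespaces that are meant to act as shared catalogs, and set `default-namespace` rather than leaving it empty.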
--- kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-remote-resolvers
+++ kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-remote-resolvers
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ name: tekton-pipelines-remote-resolvers
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/part-of: tekton-pipelines
+ template:
+ metadata:
+ labels:
+ app: tekton-pipelines-resolvers
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ spec:
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: resolvers
+ app.kubernetes.io/part-of: tekton-pipelines
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ containers:
+ - env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_FEATURE_FLAGS_NAME
+ value: feature-flags
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: METRICS_DOMAIN
+ value: tekton.dev/resolution
+ - name: ARTIFACT_HUB_API
+ value: https://artifacthub.io/
+ image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.42.0@sha256:eaa7d21d45f0bc1c411823d6a943e668c820f9cf52f1549d188edb89e992f6e0
+ name: controller
+ ports:
+ - containerPort: 9090
+ name: metrics
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1000Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ nodeSelector: null
+ serviceAccountName: tekton-pipelines-resolvers
+ tolerations: null
+
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-controller-tenant-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-controller-tenant-access
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-controller
+ namespace: devops
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-controller-tenant-access
+ apiGroup: rbac.authorization.k8s.io
+
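Review bot: Using `kind: ClusterRoleBinding` here applies `tekton-pipelines-controller-tenant-access` in every namespace, which includes that role's read access to `secrets` and full write access to `pods`. The role name suggests per-tenant use; if pipelines only run in a known set of namespaces, replace this with a RoleBinding to the same ClusterRole in each of them.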
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-aggregate-edit
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-aggregate-edit
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tekton-aggregate-edit
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+- apiGroups:
+ - tekton.dev
+ resources:
+ - tasks
+ - taskruns
+ - pipelines
+ - pipelineruns
+ - pipelineresources
+ - runs
+ - customruns
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/bundleresolver-config
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/bundleresolver-config
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bundleresolver-config
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ default-service-account: default
+ default-kind: task
+
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-webhook-cluster-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-webhook-cluster-access
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-webhook-cluster-access
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-webhook
+ namespace: devops
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-webhook-cluster-access
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/pipelines-info
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/pipelines-info
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pipelines-info
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ version: v0.42.0
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-leader-election
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-leader-election
@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-leader-election
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ _example: |
+ ################################
+ # #
+ # EXAMPLE CONFIGURATION #
+ # #
+ ################################
+ # This block is not actually functional configuration,
+ # but serves to illustrate the available configuration
+ # options and document them in a way that is accessible
+ # to users that `kubectl edit` this config map.
+ #
+ # These sample configuration options may be copied out of
+ # this example block and unindented to be in the data block
+ # to actually change the configuration.
+ # lease-duration is how long non-leaders will wait to try to acquire the
+ # lock; 15 seconds is the value used by core kubernetes controllers.
+ lease-duration: "60s"
+ # renew-deadline is how long a leader will try to renew the lease before
+ # giving up; 10 seconds is the value used by core kubernetes controllers.
+ renew-deadline: "40s"
+ # retry-period is how long the leader election client waits between tries of
+ # actions; 2 seconds is the value used by core kubernetes controllers.
+ retry-period: "10s"
+ # buckets is the number of buckets used to partition key space of each
+ # Reconciler. If this number is M and the replica number of the controller
+ # is N, the N replicas will compete for the M buckets. The owner of a
+ # bucket will take care of the reconciling for the keys partitioned into
+ # that bucket.
+ buckets: "1"
+
--- kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-resolvers
+++ kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-resolvers
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelines-resolvers
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-resolvers-namespace-rbac
+++ kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-resolvers-namespace-rbac
@@ -0,0 +1,33 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-resolvers-namespace-rbac
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+
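Review bot: The first rule gives the resolvers `get`, `list`, `update` and `watch` on all `configmaps` and `secrets` in the namespace, with no `resourceNames`. Because this release is installed into the shared `devops` namespace rather than a namespace dedicated to the resolvers, that covers every Secret stored there. Either add `resourceNames` for the objects the resolvers actually own, or move Tekton into a namespace that holds nothing else.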
--- kubernetes HelmRelease: devops/tekton-pipeline Namespace: devops/tekton-pipelines
+++ kubernetes HelmRelease: devops/tekton-pipeline Namespace: devops/tekton-pipelines
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pod-security.kubernetes.io/enforce: restricted
+
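Review bot: The chart renders a `tekton-pipelines` Namespace with `pod-security.kubernetes.io/enforce: restricted`, but the RoleBinding and ClusterRoleBinding subjects in this diff all use `namespace: devops`. The restricted label therefore lands on a namespace the components do not run in. Confirm whether this object is needed at all in this layout, and whether the chart has a value to disable it.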
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-controller
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-controller
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-controller
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-controller
+ namespace: devops
+roleRef:
+ kind: Role
+ name: tekton-pipelines-controller
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-info
+++ kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-info
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tekton-pipelines-info
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ resourceNames:
+ - pipelines-info
+ verbs:
+ - get
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-trusted-resources
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-trusted-resources
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-trusted-resources
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ _example: |
+ ################################
+ # #
+ # EXAMPLE CONFIGURATION #
+ # #
+ ################################
+ # This block is not actually functional configuration,
+ # but serves to illustrate the available configuration
+ # options and document them in a way that is accessible
+ # to users that `kubectl edit` this config map.
+ #
+ # These sample configuration options may be copied out of
+ # this example block and unindented to be in the data block
+ # to actually change the configuration.
+
+ # publickeys specifies the list of public keys, the paths are separated by comma
+ # publickeys: "/etc/verification-secrets/cosign.pub,
+ # gcpkms://projects/tekton/locations/us/keyRings/trusted-resources/cryptoKeys/trusted-resources"
+
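Review bot: `config-trusted-resources` contains only the `_example` block, with `publickeys` commented out, so no verification keys are configured for remote Tasks and Pipelines. Given that the git, hub, bundle and cluster resolvers are all deployed by this release, decide whether signature verification is in scope for this setup and, if so, supply `publickeys` through the HelmRelease `values` instead of leaving `values: null`.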
--- kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-bot
+++ kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-bot
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-bot
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+secrets: null
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-artifact-pvc
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-artifact-pvc
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-artifact-pvc
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-observability
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-observability
@@ -0,0 +1,48 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-observability
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ _example: |
+ ################################
+ # #
+ # EXAMPLE CONFIGURATION #
+ # #
+ ################################
+
+ # This block is not actually functional configuration,
+ # but serves to illustrate the available configuration
+ # options and document them in a way that is accessible
+ # to users that `kubectl edit` this config map.
+ #
+ # These sample configuration options may be copied out of
+ # this example block and unindented to be in the data block
+ # to actually change the configuration.
+
+ # metrics.backend-destination field specifies the system metrics destination.
+ # It supports either prometheus (the default) or stackdriver.
+ # Note: Using stackdriver will incur additional charges
+ metrics.backend-destination: prometheus
+
+ # metrics.request-metrics-backend-destination specifies the request metrics
+ # destination. If non-empty, it enables queue proxy to send request metrics.
+ # Currently supported values: prometheus, stackdriver.
+ metrics.request-metrics-backend-destination: prometheus
+
+ # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
+ # field is optional. When running on GCE, application default credentials will be
+ # used if this field is not provided.
+ metrics.stackdriver-project-id: "<your stackdriver project id>"
+
+ # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
+ # Stackdriver using "global" resource type and custom metric type if the
+ # metrics are not supported by "knative_revision" resource type. Setting this
+ # flag to "true" could cause extra Stackdriver charge.
+ # If metrics.backend-destination is not Stackdriver, this is ignored.
+ metrics.allow-stackdriver-custom-metrics: "false"
+
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-controller-cluster-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-controller-cluster-access
@@ -0,0 +1,84 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-controller-cluster-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - tekton.dev
+ resources:
+ - tasks
+ - clustertasks
+ - taskruns
+ - pipelines
+ - pipelineruns
+ - pipelineresources
+ - runs
+ - customruns
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+- apiGroups:
+ - tekton.dev
+ resources:
+ - taskruns/finalizers
+ - pipelineruns/finalizers
+ - runs/finalizers
+ - customruns/finalizers
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+- apiGroups:
+ - tekton.dev
+ resources:
+ - tasks/status
+ - clustertasks/status
+ - taskruns/status
+ - pipelines/status
+ - pipelineruns/status
+ - pipelineresources/status
+ - runs/status
+ - customruns/status
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+- apiGroups:
+ - resolution.tekton.dev
+ resources:
+ - resolutionrequests
+ - resolutionrequests/status
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
+
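Review bot: The rules for `taskruns/finalizers`, `pipelineruns/finalizers` and the `*/status` subresources grant the full verb set (get, list, create, update, delete, patch, watch) cluster-wide, which is more than a subresource can use. Status subresources only honour get, update and patch, and finalizers only need update. Narrowing these two rules keeps the controller's ClusterRole closer to what it actually exercises and makes later RBAC audits easier to read.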
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/resolvers-feature-flags
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/resolvers-feature-flags
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: resolvers-feature-flags
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ enable-bundles-resolver: 'true'
+ enable-hub-resolver: 'true'
+ enable-git-resolver: 'true'
+ enable-cluster-resolver: 'true'
+
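Review bot: All four remote resolvers are switched on here, including `enable-hub-resolver` and `enable-git-resolver`, which let a run pull Task and Pipeline definitions from outside the cluster. If the pipelines in this repo only need in-cluster or bundle references, set the unused resolvers to 'false' so a PipelineRun cannot reference arbitrary remote definitions. This matters more because the feature-flags hunk in this same diff sets `resource-verification-mode: skip`.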
--- kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline ServiceAccount: devops/tekton-pipelines-webhook
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelines-webhook
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-controller
+++ kubernetes HelmRelease: devops/tekton-pipeline Deployment: devops/tekton-pipelines-controller
@@ -0,0 +1,153 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ name: tekton-pipelines-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/part-of: tekton-pipelines
+ template:
+ metadata:
+ annotations:
+ fake: value
+ labels:
+ app: tekton-pipelines-controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ version: v0.42.0
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: NotIn
+ values:
+ - windows
+ containers:
+ - args:
+ - -kubeconfig-writer-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.42.0@sha256:672df16c97c15d20102749c6e86195683d037bd6c8787560c9c07ade8b610071
+ - -git-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.42.0@sha256:211b0822659b2030a9e12b1cdb47faab2187a63a24ed9d21044520f967674138
+ - -entrypoint-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.42.0@sha256:77e43d0fc9f7e7bdfa31dc16082b08dace05ce81c91a06c00dfa2f547212ce72
+ - -nop-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.42.0@sha256:bd1fcc45d40a8ef1621789856caa2f54d7a884f19af921105feafae0131648c5
+ - -imagedigest-exporter-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.42.0@sha256:370d5a0e39577f784f1376fac0822230b9a44950c01fe2190692a0a5a810adc6
+ - -pr-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.42.0@sha256:e00d578d40d57a5124bee5107cb3358763874588a7fe2522ebc7bb979280d06e
+ - -workingdirinit-image
+ - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.42.0@sha256:60a39c629448ac2845c4781513ef44c2f2fbcb6eb321d70a016002b5fa7b2379
+ - -gsutil-image
+ - gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f
+ - -shell-image
+ - cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791
+ - -shell-image-win
+ - mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_DEFAULTS_NAME
+ value: config-defaults
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_ARTIFACT_BUCKET_NAME
+ value: config-artifact-bucket
+ - name: CONFIG_ARTIFACT_PVC_NAME
+ value: config-artifact-pvc
+ - name: CONFIG_FEATURE_FLAGS_NAME
+ value: feature-flags
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: CONFIG_TRUSTED_RESOURCES_NAME
+ value: config-trusted-resources
+ - name: SSL_CERT_FILE
+ value: /etc/config-registry-cert/cert
+ - name: SSL_CERT_DIR
+ value: /etc/ssl/certs
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ envFrom:
+ - secretRef:
+ name: tekton-env
+ optional: true
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ name: tekton-pipelines-controller
+ ports:
+ - containerPort: 9090
+ name: metrics
+ - containerPort: 8008
+ name: profiling
+ - containerPort: 8080
+ name: probes
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: probes
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /etc/config-logging
+ name: config-logging
+ - mountPath: /etc/config-registry-cert
+ name: config-registry-cert
+ - mountPath: /etc/verification-secrets
+ name: verification-secrets
+ readOnly: true
+ image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.42.0@sha256:1fa50403c071b768984e23e26d0e68d2f7e470284ef2eb73581ec556bacdad95
+ nodeSelector: null
+ serviceAccountName: tekton-pipelines-controller
+ tolerations: null
+ volumes:
+ - configMap:
+ name: config-logging
+ name: config-logging
+ - configMap:
+ name: config-registry-cert
+ name: config-registry-cert
+ - name: verification-secrets
+ secret:
+ optional: true
+ secretName: verification-secrets
+
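Review bot: The controller container has no `resources` block, so it runs without CPU or memory requests and limits and can be evicted first or starve neighbours in `devops`. Add requests and limits through the chart values. Two smaller points in the same pod template: the `fake: value` annotation looks like a chart placeholder and should be dropped or replaced with something meaningful, and the otherwise tight `securityContext` does not set `readOnlyRootFilesystem: true`. The digest-pinned images are good and should stay that way on upgrades.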
--- kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline Role: devops/tekton-pipelines-webhook
@@ -0,0 +1,45 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-webhook
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ resourceNames:
+ - config-logging
+ - config-observability
+ - config-leader-election
+ - feature-flags
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - update
+ resourceNames:
+ - webhook-certs
+
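Review bot: The `secrets` rule with `list` and `watch` has no `resourceNames`, so the webhook ServiceAccount can read the contents of every Secret in the namespace this Role lands in, not just `webhook-certs`. Because the release is installed into `devops` rather than a namespace dedicated to Tekton, that covers any other Secret placed in `devops`. Consider installing Tekton in its own namespace, or keep credentials that are unrelated to Tekton out of `devops`.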
--- kubernetes HelmRelease: devops/tekton-pipeline MutatingWebhookConfiguration: devops/webhook.pipeline.tekton.dev
+++ kubernetes HelmRelease: devops/tekton-pipeline MutatingWebhookConfiguration: devops/webhook.pipeline.tekton.dev
@@ -0,0 +1,21 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: webhook.pipeline.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: webhook.pipeline.tekton.dev
+
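Review bot: `clientConfig.service.namespace` is `tekton-pipelines`, but this diff renders the webhook Service as `devops/tekton-pipelines-webhook`. With `failurePolicy: Fail`, a webhook that points at a Service in a namespace where it does not exist rejects every matching admission request. Unless something rewrites this field at runtime, the chart value for the namespace needs to be set to `devops` here; the same value appears in both ValidatingWebhookConfiguration hunks further down. Worth confirming after reconcile with a dry-run create of a Task.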
--- kubernetes HelmRelease: devops/tekton-pipeline ValidatingWebhookConfiguration: devops/validation.webhook.pipeline.tekton.dev
+++ kubernetes HelmRelease: devops/tekton-pipeline ValidatingWebhookConfiguration: devops/validation.webhook.pipeline.tekton.dev
@@ -0,0 +1,21 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.pipeline.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: validation.webhook.pipeline.tekton.dev
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-defaults
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-defaults
@@ -0,0 +1,67 @@
+---
+apiVersion: v1
+data:
+ _example: |
+ ################################
+ # #
+ # EXAMPLE CONFIGURATION #
+ # #
+ ################################
+
+ # This block is not actually functional configuration,
+ # but serves to illustrate the available configuration
+ # options and document them in a way that is accessible
+ # to users that `kubectl edit` this config map.
+ #
+ # These sample configuration options may be copied out of
+ # this example block and unindented to be in the data block
+ # to actually change the configuration.
+
+ # default-timeout-minutes contains the default number of
+ # minutes to use for TaskRun and PipelineRun, if none is specified.
+ default-timeout-minutes: "60" # 60 minutes
+
+ # default-service-account contains the default service account name
+ # to use for TaskRun and PipelineRun, if none is specified.
+ default-service-account: "default"
+
+ # default-managed-by-label-value contains the default value given to the
+ # "app.kubernetes.io/managed-by" label applied to all Pods created for
+ # TaskRuns. If a user's requested TaskRun specifies another value for this
+ # label, the user's request supercedes.
+ default-managed-by-label-value: "tekton-pipelines"
+
+ # default-pod-template contains the default pod template to use for
+ # TaskRun and PipelineRun. If a pod template is specified on the
+ # PipelineRun, the default-pod-template is merged with that one.
+ # default-pod-template:
+
+ # default-affinity-assistant-pod-template contains the default pod template
+ # to use for affinity assistant pods. If a pod template is specified on the
+ # PipelineRun, the default-affinity-assistant-pod-template is merged with
+ # that one.
+ # default-affinity-assistant-pod-template:
+
+ # default-cloud-events-sink contains the default CloudEvents sink to be
+ # used for TaskRun and PipelineRun, when no sink is specified.
+ # Note that right now it is still not possible to set a PipelineRun or
+ # TaskRun specific sink, so the default is the only option available.
+ # If no sink is specified, no CloudEvent is generated
+ # default-cloud-events-sink:
+
+ # default-task-run-workspace-binding contains the default workspace
+ # configuration provided for any Workspaces that a Task declares
+ # but that a TaskRun does not explicitly provide.
+ # default-task-run-workspace-binding: |
+ # emptyDir: {}
+
+ # default-max-matrix-combinations-count contains the default maximum number
+ # of combinations from a Matrix, if none is specified.
+ default-max-matrix-combinations-count: "256"
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ name: config-defaults
+
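Review bot: `data` contains only the `_example` key, so nothing in this ConfigMap is active and runs without an explicit `serviceAccountName` fall back to the namespace's `default` ServiceAccount. This diff also creates a `tekton-bot` ServiceAccount; if that is the intended run identity, set `default-service-account: tekton-bot` as a real key under `data`, otherwise every workload and pipeline in `devops` shares one identity.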
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-controller-cluster-access
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRoleBinding: devops/tekton-pipelines-controller-cluster-access
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-controller-cluster-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-controller
+ namespace: devops
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-controller-cluster-access
+ apiGroup: rbac.authorization.k8s.io
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-artifact-bucket
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/config-artifact-bucket
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-artifact-bucket
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline Service: devops/tekton-pipelines-webhook
+++ kubernetes HelmRelease: devops/tekton-pipeline Service: devops/tekton-pipelines-webhook
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+ app: tekton-pipelines-webhook
+ version: v0.42.0
+ name: tekton-pipelines-webhook
+spec:
+ ports:
+ - name: http-metrics
+ port: 9090
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: https-webhook
+ port: 443
+ targetPort: https-webhook
+ - name: probes
+ port: 8080
+ selector:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+
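Review bot: The Service publishes `http-profiling` on 8008 and `http-metrics` on 9090 next to the admission port, so the profiling endpoint is reachable by anything that can reach this ClusterIP. Only `https-webhook` is needed by the API server. Drop the profiling port from the Service if the chart allows it, or add a NetworkPolicy that limits 8008 and 9090 to the monitoring namespace.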
--- kubernetes HelmRelease: devops/tekton-pipeline ValidatingWebhookConfiguration: devops/config.webhook.pipeline.tekton.dev
+++ kubernetes HelmRelease: devops/tekton-pipeline ValidatingWebhookConfiguration: devops/config.webhook.pipeline.tekton.dev
@@ -0,0 +1,24 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: config.webhook.pipeline.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: v0.42.0
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: config.webhook.pipeline.tekton.dev
+ objectSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: tekton-pipelines
+
--- kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/feature-flags
+++ kubernetes HelmRelease: devops/tekton-pipeline ConfigMap: devops/feature-flags
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+data:
+ await-sidecar-readiness: 'true'
+ disable-affinity-assistant: 'false'
+ disable-creds-init: 'false'
+ enable-api-fields: stable
+ enable-custom-tasks: 'false'
+ enable-provenance-in-status: 'false'
+ enable-tekton-oci-bundles: 'false'
+ require-git-ssh-secret-known-hosts: 'false'
+ resource-verification-mode: skip
+ running-in-environment-with-injected-sidecars: 'true'
+ send-cloudevents-for-runs: 'false'
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ name: feature-flags
+
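Review bot: `resource-verification-mode: skip` means the trusted-resources public keys configured elsewhere in this diff are never consulted, so remotely resolved Tasks and Pipelines run unverified. Once signing keys are in place, move this to `warn` and then `enforce`. Also in this hunk, `require-git-ssh-secret-known-hosts: 'false'` allows Git SSH credentials without a `known_hosts` entry; setting it to 'true' makes runs fail early when host key pinning is missing.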
--- kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-resolvers-resolution-request-updates
+++ kubernetes HelmRelease: devops/tekton-pipeline ClusterRole: devops/tekton-pipelines-resolvers-resolution-request-updates
@@ -0,0 +1,38 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-resolvers-resolution-request-updates
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+- apiGroups:
+ - resolution.tekton.dev
+ resources:
+ - resolutionrequests
+ - resolutionrequests/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - tekton.dev
+ resources:
+ - tasks
+ - pipelines
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
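Review bot: The last rule grants `get`, `list` and `watch` on `secrets` in a ClusterRole with no `resourceNames`. If this role is bound with a ClusterRoleBinding, the resolvers ServiceAccount can read every Secret in the cluster. Check which binding references it, and if the resolvers only need tokens from specific namespaces, bind this rule through namespaced RoleBindings instead.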
--- kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-resolvers-namespace-rbac
+++ kubernetes HelmRelease: devops/tekton-pipeline RoleBinding: devops/tekton-pipelines-resolvers-namespace-rbac
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelines-resolvers-namespace-rbac
+ labels:
+ app.kubernetes.io/component: resolvers
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+ name: tekton-pipelines-resolvers
+ namespace: devops
+roleRef:
+ kind: Role
+ name: tekton-pipelines-resolvers-namespace-rbac
+ apiGroup: rbac.authorization.k8s.io
+ |
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports.
MegaLinter is graciously provided by OX Security.
No description provided.