vynil/addons
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial release

Browse Source
This commit is contained in:
Sébastien Huss
2024-03-19 13:13:53 +01:00
commit 451fdb09fc
391 changed files with 184309 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
workflow/flux/apps_v1_Deployment_helm-controller.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: helm-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: helm-controller
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: helm-controller
spec:
containers:
- args:
- --events-addr=http://notification-controller.flux-system.svc.cluster.local./
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/helm-controller:v0.37.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
priorityClassName: system-cluster-critical
securityContext:
fsGroup: 1337
serviceAccountName: helm-controller
terminationGracePeriodSeconds: 600
volumes:
- emptyDir: {}
name: temp

79
workflow/flux/apps_v1_Deployment_image-automation-controller.yaml Normal file
View File

@@ -0,0 +1,79 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: image-automation-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: image-automation-controller
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: image-automation-controller
spec:
containers:
- args:
- --events-addr=http://notification-controller.flux-system.svc.cluster.local./
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/image-automation-controller:v0.37.1
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
securityContext:
fsGroup: 1337
serviceAccountName: image-automation-controller
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp

83
workflow/flux/apps_v1_Deployment_image-reflector-controller.yaml Normal file
View File

@@ -0,0 +1,83 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: image-reflector-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: image-reflector-controller
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: image-reflector-controller
spec:
containers:
- args:
- --events-addr=http://notification-controller.flux-system.svc.cluster.local./
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/image-reflector-controller:v0.31.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
- mountPath: /data
name: data
securityContext:
fsGroup: 1337
serviceAccountName: image-reflector-controller
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp
- emptyDir: {}
name: data

80
workflow/flux/apps_v1_Deployment_kustomize-controller.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: kustomize-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: kustomize-controller
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: kustomize-controller
spec:
containers:
- args:
- --events-addr=http://notification-controller.flux-system.svc.cluster.local./
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/kustomize-controller:v1.2.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
priorityClassName: system-cluster-critical
securityContext:
fsGroup: 1337
serviceAccountName: kustomize-controller
terminationGracePeriodSeconds: 60
volumes:
- emptyDir: {}
name: temp

84
workflow/flux/apps_v1_Deployment_notification-controller.yaml Normal file
View File

@@ -0,0 +1,84 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: notification-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: notification-controller
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: notification-controller
spec:
containers:
- args:
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/fluxcd/notification-controller:v1.2.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 9292
name: http-webhook
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: temp
securityContext:
fsGroup: 1337
serviceAccountName: notification-controller
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: temp

93
workflow/flux/apps_v1_Deployment_source-controller.yaml Normal file
View File

@@ -0,0 +1,93 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: source-controller
namespace: flux-system
spec:
replicas: 1
selector:
matchLabels:
app: source-controller
strategy:
type: Recreate
template:
metadata:
annotations:
prometheus.io/port: "8080"
prometheus.io/scrape: "true"
labels:
app: source-controller
spec:
containers:
- args:
- --events-addr=http://notification-controller.flux-system.svc.cluster.local./
- --watch-all-namespaces
- --log-level=info
- --log-encoding=json
- --enable-leader-election
- --storage-path=/data
- --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
env:
- name: RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: TUF_ROOT
value: /tmp/.sigstore
image: ghcr.io/fluxcd/source-controller:v1.2.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: healthz
name: manager
ports:
- containerPort: 9090
name: http
protocol: TCP
- containerPort: 8080
name: http-prom
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /
port: http
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 50m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /data
name: data
- mountPath: /tmp
name: tmp
priorityClassName: system-cluster-critical
securityContext:
fsGroup: 1337
serviceAccountName: source-controller
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: data
- emptyDir: {}
name: tmp

18
workflow/flux/datas.tf Normal file
View File

@@ -0,0 +1,18 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
}
data "kustomization_overlay" "data" {
namespace = var.namespace
common_labels = local.common-labels
resources = [ for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
}

19
workflow/flux/index.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: workflow
metadata:
name: flux
description: 'FluxCD: Open and extensible Continuous Delivery solution for Kubernetes.'
options:
release:
default: 2.2.3
examples:
- 2.2.3
type: string
dependencies:
- dist: null
category: crd
component: flux
providers: null
tfaddtype: null

18
workflow/flux/networking.k8s.io_v1_NetworkPolicy_allow-egress.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: allow-egress
namespace: flux-system
spec:
egress:
- {}
ingress:
- from:
- podSelector: {}
podSelector: {}
policyTypes:
- Ingress
- Egress

18
workflow/flux/networking.k8s.io_v1_NetworkPolicy_allow-scraping.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: allow-scraping
namespace: flux-system
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: 8080
protocol: TCP
podSelector: {}
policyTypes:
- Ingress

17
workflow/flux/networking.k8s.io_v1_NetworkPolicy_allow-webhooks.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: allow-webhooks
namespace: flux-system
spec:
ingress:
- from:
- namespaceSelector: {}
podSelector:
matchLabels:
app: notification-controller
policyTypes:
- Ingress

18
workflow/flux/rbac.authorization.k8s.io_v1_ClusterRoleBinding_cluster-reconciler.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: cluster-reconciler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: flux-system
- kind: ServiceAccount
name: helm-controller
namespace: flux-system

30
workflow/flux/rbac.authorization.k8s.io_v1_ClusterRoleBinding_crd-controller.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: crd-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crd-controller
subjects:
- kind: ServiceAccount
name: kustomize-controller
namespace: flux-system
- kind: ServiceAccount
name: helm-controller
namespace: flux-system
- kind: ServiceAccount
name: source-controller
namespace: flux-system
- kind: ServiceAccount
name: notification-controller
namespace: flux-system
- kind: ServiceAccount
name: image-reflector-controller
namespace: flux-system
- kind: ServiceAccount
name: image-automation-controller
namespace: flux-system

88
workflow/flux/rbac.authorization.k8s.io_v1_ClusterRole_crd-controller.yaml Normal file
View File

@@ -0,0 +1,88 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: crd-controller
rules:
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- kustomize.toolkit.fluxcd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- notification.toolkit.fluxcd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- image.toolkit.fluxcd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- namespaces
- secrets
- configmaps
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

24
workflow/flux/rbac.authorization.k8s.io_v1_ClusterRole_flux-edit.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: flux-edit
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources:
- '*'
verbs:
- create
- delete
- deletecollection
- patch
- update

23
workflow/flux/rbac.authorization.k8s.io_v1_ClusterRole_flux-view.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: flux-view
rules:
- apiGroups:
- notification.toolkit.fluxcd.io
- source.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
resources:
- '*'
verbs:
- get
- list
- watch

18
workflow/flux/v1_ResourceQuota_critical-pods.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: ResourceQuota
metadata:
labels:
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: critical-pods
namespace: flux-system
spec:
hard:
pods: "1000"
scopeSelector:
matchExpressions:
- operator: In
scopeName: PriorityClass
values:
- system-node-critical
- system-cluster-critical

9
workflow/flux/v1_ServiceAccount_helm-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: helm-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: helm-controller
namespace: flux-system

9
workflow/flux/v1_ServiceAccount_image-automation-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: image-automation-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: image-automation-controller
namespace: flux-system

9
workflow/flux/v1_ServiceAccount_image-reflector-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: image-reflector-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: image-reflector-controller
namespace: flux-system

9
workflow/flux/v1_ServiceAccount_kustomize-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: kustomize-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: kustomize-controller
namespace: flux-system

9
workflow/flux/v1_ServiceAccount_notification-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: notification-controller
namespace: flux-system

9
workflow/flux/v1_ServiceAccount_source-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
name: source-controller
namespace: flux-system

19
workflow/flux/v1_Service_notification-controller.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: notification-controller
namespace: flux-system
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: notification-controller
type: ClusterIP

19
workflow/flux/v1_Service_source-controller.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: source-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: source-controller
namespace: flux-system
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: source-controller
type: ClusterIP

19
workflow/flux/v1_Service_webhook-receiver.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: notification-controller
app.kubernetes.io/instance: flux-system
app.kubernetes.io/part-of: flux
control-plane: controller
name: webhook-receiver
namespace: flux-system
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http-webhook
selector:
app: notification-controller
type: ClusterIP

18
workflow/tekton-pipelines/admissionregistration.k8s.io_v1_MutatingWebhookConfiguration_webhook.pipeline.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: webhook.pipeline.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
pipeline.tekton.dev/release: "v0.57.0"
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: webhook.pipeline.tekton.dev

21
workflow/tekton-pipelines/admissionregistration.k8s.io_v1_ValidatingWebhookConfiguration_config.webhook.pipeline.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: config.webhook.pipeline.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
pipeline.tekton.dev/release: "v0.57.0"
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: config.webhook.pipeline.tekton.dev
objectSelector:
matchLabels:
app.kubernetes.io/part-of: tekton-pipelines

18
workflow/tekton-pipelines/admissionregistration.k8s.io_v1_ValidatingWebhookConfiguration_validation.webhook.pipeline.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.pipeline.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
pipeline.tekton.dev/release: "v0.57.0"
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: validation.webhook.pipeline.tekton.dev

131
workflow/tekton-pipelines/apps_v1_Deployment_tekton-events-controller.yaml Normal file
View File

@@ -0,0 +1,131 @@
# Copyright 2023 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-events-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: events
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
version: "v0.57.0"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: events
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
template:
metadata:
labels:
app.kubernetes.io/name: events
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-events-controller
version: "v0.57.0"
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
serviceAccountName: tekton-events-controller
containers:
- name: tekton-events-controller
image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/events:v0.57.0@sha256:cb4ceb832a67260a6744de17900c330513da410457a58317baa941093952df20
args: []
volumeMounts:
- name: config-logging
mountPath: /etc/config-logging
- name: config-registry-cert
mountPath: /etc/config-registry-cert
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# If you are changing these names, you will also need to update
# the controller's Role in 200-role.yaml to include the new
# values in the "configmaps" "get" rule.
- name: CONFIG_DEFAULTS_NAME
value: config-defaults
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-events
- name: SSL_CERT_FILE
value: /etc/config-registry-cert/cert
- name: SSL_CERT_DIR
value: /etc/ssl/certs
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
# User 65532 is the nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: probes
containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readiness
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
volumes:
- name: config-logging
configMap:
name: config-logging
- name: config-registry-cert
configMap:
name: config-registry-cert

147
workflow/tekton-pipelines/apps_v1_Deployment_tekton-pipelines-controller.yaml Normal file
View File

@@ -0,0 +1,147 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-pipelines-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
version: "v0.57.0"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
template:
metadata:
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-controller
version: "v0.57.0"
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
serviceAccountName: tekton-pipelines-controller
containers:
- name: tekton-pipelines-controller
image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.57.0@sha256:111353d2fdf32fa8c51195dca4447582333b44419d57d66c915f59b89cde0ec3
args: [
# These images are built on-demand by `ko resolve` and are replaced
# by image references by digest.
"-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.57.0@sha256:223a61b2b9798a679cbf36a8abad6f8fa13bf7bd9f11c8a2fd91d2afd3e14690", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.57.0@sha256:6e65d18c3ffe76da47df74bb854d4b86452f6080b981d249c5e6ca7bdc328240", "-sidecarlogresults-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecarlogresults:v0.57.0@sha256:e84e852fe5e777c072899dbadaf265fa784924587349926108340130cb48eb09", "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.57.0@sha256:6f97f5c9d4c4effdaa81a8cf2e7f7be39b366a91a0973cb0f10c44a033c6b042",
# The shell image must allow root in order to create directories and copy files to PVCs.
# cgr.dev/chainguard/busybox as of April 14 2022
# image shall not contains tag, so it will be supported on a runtime like cri-o
"-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791",
# for script mode to work with windows we need a powershell image
# pinning to nanoserver tag as of July 15 2021
"-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"]
volumeMounts:
- name: config-logging
mountPath: /etc/config-logging
- name: config-registry-cert
mountPath: /etc/config-registry-cert
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# If you are changing these names, you will also need to update
# the controller's Role in 200-role.yaml to include the new
# values in the "configmaps" "get" rule.
- name: CONFIG_DEFAULTS_NAME
value: config-defaults
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: CONFIG_FEATURE_FLAGS_NAME
value: feature-flags
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-controller
- name: CONFIG_SPIRE
value: config-spire
- name: SSL_CERT_FILE
value: /etc/config-registry-cert/cert
- name: SSL_CERT_DIR
value: /etc/ssl/certs
- name: METRICS_DOMAIN
value: tekton.dev/pipeline
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
# User 65532 is the nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: probes
containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readiness
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
volumes:
- name: config-logging
configMap:
name: config-logging
- name: config-registry-cert
configMap:
name: config-registry-cert

115
workflow/tekton-pipelines/apps_v1_Deployment_tekton-pipelines-remote-resolvers.yaml Normal file
View File

@@ -0,0 +1,115 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-pipelines-remote-resolvers
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
version: "v0.57.0"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
template:
metadata:
labels:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-resolvers
version: "v0.57.0"
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: tekton-pipelines-resolvers
containers:
- name: controller
image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.57.0@sha256:6c1baec70338f75cffc91a7baff70b45bcd6078abca6400f890b45886da96e45
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 1000m
memory: 4Gi
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
# This must match the value of the environment variable PROBES_PORT.
- name: probes
containerPort: 8080
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# If you are changing these names, you will also need to update
# the controller's Role in 200-role.yaml to include the new
# values in the "configmaps" "get" rule.
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: CONFIG_FEATURE_FLAGS_NAME
value: feature-flags
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-resolvers
- name: METRICS_DOMAIN
value: tekton.dev/resolution
- name: PROBES_PORT
value: "8080"
# Override this env var to set a private hub api endpoint
- name: ARTIFACT_HUB_API
value: "https://artifacthub.io/"
- name: TEKTON_HUB_API
value: "https://api.hub.tekton.dev/"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- "ALL"
seccompProfile:
type: RuntimeDefault

164
workflow/tekton-pipelines/apps_v1_Deployment_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,164 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
# Note: the Deployment name must be the same as the Service name specified in
# config/400-webhook-service.yaml. If you change this name, you must also
# change the value of WEBHOOK_SERVICE_NAME below.
name: tekton-pipelines-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
version: "v0.57.0"
spec:
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
template:
metadata:
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-webhook
version: "v0.57.0"
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: tekton-pipelines-webhook
containers:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
# Resource request required for autoscaler to take any action for a metric
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 500m
memory: 500Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# If you are changing these names, you will also need to update
# the webhook's Role in 200-role.yaml to include the new
# values in the "configmaps" "get" rule.
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-webhook
- name: CONFIG_FEATURE_FLAGS_NAME
value: feature-flags
# If you change PROBES_PORT, you will also need to change the
# containerPort "probes" to the same value.
- name: PROBES_PORT
value: "8080"
# If you change WEBHOOK_PORT, you will also need to change the
# containerPort "https-webhook" to the same value.
- name: WEBHOOK_PORT
value: "8443"
# if you change WEBHOOK_ADMISSION_CONTROLLER_NAME, you will also need to update
# the webhooks.name in 500-webhooks.yaml to include the new names of admission webhooks.
# Additionally, you will also need to change the resource names (metadata.name) of
# "MutatingWebhookConfiguration" and "ValidatingWebhookConfiguration" in 500-webhooks.yaml
# to reflect the change in the name of the admission webhook.
# Followed by changing the webhook's Role in 200-clusterrole.yaml to update the "resourceNames" of
# "mutatingwebhookconfigurations" and "validatingwebhookconfigurations" resources.
- name: WEBHOOK_ADMISSION_CONTROLLER_NAME
value: webhook.pipeline.tekton.dev
- name: WEBHOOK_SERVICE_NAME
value: tekton-pipelines-webhook
- name: WEBHOOK_SECRET_NAME
value: webhook-certs
- name: METRICS_DOMAIN
value: tekton.dev/pipeline
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
# This must match the value of the environment variable WEBHOOK_PORT.
- name: https-webhook
containerPort: 8443
# This must match the value of the environment variable PROBES_PORT.
- name: probes
containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readiness
port: probes
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5

43
workflow/tekton-pipelines/autoscaling_v2_HorizontalPodAutoscaler_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,43 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
version: "v0.57.0"
spec:
minReplicas: 1
maxReplicas: 5
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: tekton-pipelines-webhook
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 100

162
workflow/tekton-pipelines/datas.tf Normal file
View File

@@ -0,0 +1,162 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 && length(regexall("WebhookConfiguration",file))<1]
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/events"
new_name = "${var.images.events.registry}/${var.images.events.repository}"
new_tag = "${var.images.events.tag}"
}
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers"
new_name = "${var.images.resolvers.registry}/${var.images.resolvers.repository}"
new_tag = "${var.images.resolvers.tag}"
}
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook"
new_name = "${var.images.webhook.registry}/${var.images.webhook.repository}"
new_tag = "${var.images.webhook.tag}"
}
patches {
target {
kind = "Deployment"
name = "tekton-pipelines-webhook"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.webhook.pull_policy}"
EOF
}
patches {
target {
kind = "Deployment"
name = "tekton-pipelines-remote-resolvers"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.resolvers.pull_policy}"
EOF
}
patches {
target {
kind = "Deployment"
name = "tekton-pipelines-controller"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.controller.pull_policy}"
EOF
}
patches {
target {
kind = "Deployment"
name = "tekton-events-controller"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.events.pull_policy}"
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && (length(regexall("ClusterRole",file))>0 || length(regexall("WebhookConfiguration",file))>0)]
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-events-controller-cluster-access"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-pipelines-controller-cluster-access"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-pipelines-controller-tenant-access"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-pipelines-resolvers"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-pipelines-webhook-cluster-access"
}
patch = local.rb-patch
}
patches {
target {
kind = "MutatingWebhookConfiguration"
name = "webhook.pipeline.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "validation.webhook.pipeline.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "config.webhook.pipeline.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
}

155
workflow/tekton-pipelines/index.yaml Normal file
View File

@@ -0,0 +1,155 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: workflow
metadata:
name: tekton-pipelines
description: null
options:
images:
default:
controller:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/controller
tag: v0.57.0@sha256:111353d2fdf32fa8c51195dca4447582333b44419d57d66c915f59b89cde0ec3
events:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/events
tag: v0.57.0@sha256:cb4ceb832a67260a6744de17900c330513da410457a58317baa941093952df20
resolvers:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers
tag: v0.57.0@sha256:6c1baec70338f75cffc91a7baff70b45bcd6078abca6400f890b45886da96e45
webhook:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
tag: v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
examples:
- controller:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/controller
tag: v0.57.0@sha256:111353d2fdf32fa8c51195dca4447582333b44419d57d66c915f59b89cde0ec3
events:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/events
tag: v0.57.0@sha256:cb4ceb832a67260a6744de17900c330513da410457a58317baa941093952df20
resolvers:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers
tag: v0.57.0@sha256:6c1baec70338f75cffc91a7baff70b45bcd6078abca6400f890b45886da96e45
webhook:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
tag: v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
properties:
controller:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/controller
tag: v0.57.0@sha256:111353d2fdf32fa8c51195dca4447582333b44419d57d66c915f59b89cde0ec3
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/pipeline/cmd/controller
type: string
tag:
default: v0.57.0@sha256:111353d2fdf32fa8c51195dca4447582333b44419d57d66c915f59b89cde0ec3
type: string
type: object
events:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/events
tag: v0.57.0@sha256:cb4ceb832a67260a6744de17900c330513da410457a58317baa941093952df20
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/pipeline/cmd/events
type: string
tag:
default: v0.57.0@sha256:cb4ceb832a67260a6744de17900c330513da410457a58317baa941093952df20
type: string
type: object
resolvers:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers
tag: v0.57.0@sha256:6c1baec70338f75cffc91a7baff70b45bcd6078abca6400f890b45886da96e45
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers
type: string
tag:
default: v0.57.0@sha256:6c1baec70338f75cffc91a7baff70b45bcd6078abca6400f890b45886da96e45
type: string
type: object
webhook:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
tag: v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/pipeline/cmd/webhook
type: string
tag:
default: v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
type: string
type: object
type: object
dependencies:
- dist: null
category: crd
component: tekton-pipelines
providers: null
tfaddtype: null

16
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-events-controller-cluster-access.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-events-controller-cluster-access
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-events-controller
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-events-controller-cluster-access
apiGroup: rbac.authorization.k8s.io

30
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-pipelines-controller-cluster-access.yaml Normal file
View File

@@ -0,0 +1,30 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipelines-controller-cluster-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-controller
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-pipelines-controller-cluster-access
apiGroup: rbac.authorization.k8s.io

20
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-pipelines-controller-tenant-access.yaml Normal file
View File

@@ -0,0 +1,20 @@
# If this ClusterRoleBinding is replaced with a RoleBinding
# then the ClusterRole would be namespaced. The access described by
# the tekton-pipelines-controller-tenant-access ClusterRole would
# be scoped to individual tenant namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipelines-controller-tenant-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-controller
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-pipelines-controller-tenant-access
apiGroup: rbac.authorization.k8s.io

30
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-pipelines-resolvers.yaml Normal file
View File

@@ -0,0 +1,30 @@
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-resolvers
namespace: tekton-pipelines-resolvers
roleRef:
kind: ClusterRole
name: tekton-pipelines-resolvers-resolution-request-updates
apiGroup: rbac.authorization.k8s.io

16
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-pipelines-webhook-cluster-access.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipelines-webhook-cluster-access
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-webhook
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-pipelines-webhook-cluster-access
apiGroup: rbac.authorization.k8s.io

43
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-aggregate-edit.yaml Normal file
View File

@@ -0,0 +1,43 @@
# Copyright 2019-2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-aggregate-edit
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- tekton.dev
resources:
- tasks
- taskruns
- pipelines
- pipelineruns
- runs
- customruns
- stepactions
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch

37
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-aggregate-view.yaml Normal file
View File

@@ -0,0 +1,37 @@
# Copyright 2019-2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-aggregate-view
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- tekton.dev
resources:
- tasks
- taskruns
- pipelines
- pipelineruns
- runs
- customruns
- stepactions
verbs:
- get
- list
- watch

12
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-events-controller-cluster-access.yaml Normal file
View File

@@ -0,0 +1,12 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-events-controller-cluster-access
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: ["tekton.dev"]
resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns"]
verbs: ["get", "list", "watch"]

49
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-pipelines-controller-cluster-access.yaml Normal file
View File

@@ -0,0 +1,49 @@
# Copyright 2020-2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-controller-cluster-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: [""]
# Controller needs to watch Pods created by TaskRuns to see them progress.
resources: ["pods"]
verbs: ["list", "watch"]
- apiGroups: [""]
# Controller needs to get the list of cordoned nodes over the course of a single run
resources: ["nodes"]
verbs: ["list"]
# Controller needs cluster access to all of the CRDs that it is responsible for
# managing.
- apiGroups: ["tekton.dev"]
resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns", "stepactions"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["verificationpolicies"]
verbs: ["get", "list", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["taskruns/finalizers", "pipelineruns/finalizers", "customruns/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status", "stepactions/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
# resolution.tekton.dev
- apiGroups: ["resolution.tekton.dev"]
resources: ["resolutionrequests", "resolutionrequests/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

26
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-pipelines-controller-tenant-access.yaml Normal file
View File

@@ -0,0 +1,26 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# This is the access that the controller needs on a per-namespace basis.
name: tekton-pipelines-controller-tenant-access
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
# Read-write access to create Pods and PVCs (for Workspaces)
- apiGroups: [""]
resources: ["pods", "persistentvolumeclaims"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
# Write permissions to publish events.
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "update", "patch"]
# Read-only access to these.
- apiGroups: [""]
resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
verbs: ["get", "list", "watch"]
# Read-write access to StatefulSets for Affinity Assistant.
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

34
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-pipelines-resolvers-resolution-request-updates.yaml Normal file
View File

@@ -0,0 +1,34 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# ClusterRole for resolvers to monitor and update resolutionrequests.
name: tekton-pipelines-resolvers-resolution-request-updates
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: ["resolution.tekton.dev"]
resources: ["resolutionrequests", "resolutionrequests/status"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["tekton.dev"]
resources: ["tasks", "pipelines"]
verbs: ["get", "list"]
# Read-only access to these.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]

62
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_ClusterRole_tekton-pipelines-webhook-cluster-access.yaml Normal file
View File

@@ -0,0 +1,62 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-webhook-cluster-access
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
# The webhook needs to be able to get and update customresourcedefinitions,
# mainly to update the webhook certificates.
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
verbs: ["get", "update", "patch"]
resourceNames:
- pipelines.tekton.dev
- pipelineruns.tekton.dev
- tasks.tekton.dev
- clustertasks.tekton.dev
- taskruns.tekton.dev
- resolutionrequests.resolution.tekton.dev
- customruns.tekton.dev
- verificationpolicies.tekton.dev
- stepactions.tekton.dev
# knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
# The webhook performs a reconciliation on these two resources and continuously
# updates configuration.
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
# knative starts informers on these things, which is why we need get, list and watch.
verbs: ["list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
# This mutating webhook is responsible for applying defaults to tekton objects
# as they are received.
resourceNames: ["webhook.pipeline.tekton.dev"]
# When there are changes to the configs or secrets, knative updates the mutatingwebhook config
# with the updated certificates or the refreshed set of rules.
verbs: ["get", "update", "delete"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
# validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns.
# config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure
resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"]
# When there are changes to the configs or secrets, knative updates the validatingwebhook config
# with the updated certificates or the refreshed set of rules.
verbs: ["get", "update", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get"]
# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
# which requires we can Get the system namespace.
resourceNames: ["tekton-pipelines"]
- apiGroups: [""]
resources: ["namespaces/finalizers"]
verbs: ["update"]
# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
# which requires we can update the system namespace finalizers.
resourceNames: ["tekton-pipelines"]

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-events-controller-leaderelection.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-events-controller-leaderelection
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-events-controller
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-leader-election
apiGroup: rbac.authorization.k8s.io

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-controller-leaderelection.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-controller-leaderelection
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-controller
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-leader-election
apiGroup: rbac.authorization.k8s.io

31
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-controller.yaml Normal file
View File

@@ -0,0 +1,31 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-controller
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-controller
apiGroup: rbac.authorization.k8s.io

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-events-controller.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-events-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-events-controller
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-events-controller
apiGroup: rbac.authorization.k8s.io

18
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-info.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-info
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
# Giving all system:authenticated users the access of the
# ConfigMap which contains version information.
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tekton-pipelines-info

31
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-resolvers-namespace-rbac.yaml Normal file
View File

@@ -0,0 +1,31 @@
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-resolvers-namespace-rbac
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-resolvers
namespace: tekton-pipelines-resolvers
roleRef:
kind: Role
name: tekton-pipelines-resolvers-namespace-rbac
apiGroup: rbac.authorization.k8s.io

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-webhook-leaderelection.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-webhook-leaderelection
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-webhook
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-leader-election
apiGroup: rbac.authorization.k8s.io

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_RoleBinding_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-pipelines-webhook
namespace: tekton-pipelines
roleRef:
kind: Role
name: tekton-pipelines-webhook
apiGroup: rbac.authorization.k8s.io

32
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-controller.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "watch"]
# The controller needs access to these configmaps for logging information and runtime configuration.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-controller", "config-registry-cert"]

18
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-events-controller.yaml Normal file
View File

@@ -0,0 +1,18 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-events-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "watch"]
# The controller needs access to these configmaps for logging information and runtime configuration.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-events", "config-registry-cert"]

17
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-info.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-pipelines-info
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
# All system:authenticated users needs to have access
# of the pipelines-info ConfigMap even if they don't
# have access to the other resources present in the
# installed namespace.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["pipelines-info"]
verbs: ["get"]

13
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-leader-election.yaml Normal file
View File

@@ -0,0 +1,13 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-leader-election
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
# We uses leases for leaderelection
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

32
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-resolvers-namespace-rbac.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-resolvers-namespace-rbac
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
# Needed to watch and load configuration and secret data.
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "list", "update", "watch"]
# This is needed by leader election to run the controller in HA.
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

28
workflow/tekton-pipelines/rbac.authorization.k8s.io_v1_Role_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,28 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "watch"]
# The webhook needs access to these configmaps for logging information.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["config-logging", "config-observability", "config-leader-election-webhook", "feature-flags"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "watch"]
# The webhook daemon makes a reconciliation loop on webhook-certs. Whenever
# the secret changes it updates the webhook configurations with the certificates
# stored in the secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "update"]
resourceNames: ["webhook-certs"]

45
workflow/tekton-pipelines/ressources_no_ns.tf Normal file
View File

@@ -0,0 +1,45 @@
# first loop through resources in ids_prio[0]
resource "kustomization_resource" "pre_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[0]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
}
# then loop through resources in ids_prio[1]
# and set an explicit depends_on on kustomization_resource.pre
# wait 2 minutes for any deployment or daemonset to become ready
resource "kustomization_resource" "main_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[1]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
wait = true
timeouts {
create = "5m"
update = "5m"
}
depends_on = [kustomization_resource.pre_no_ns]
}
# finally, loop through resources in ids_prio[2]
# and set an explicit depends_on on kustomization_resource.main
resource "kustomization_resource" "post_no_ns" {
for_each = data.kustomization_overlay.data_no_ns.ids_prio[2]
manifest = (
contains(["_/Secret"], regex("(?P<group_kind>.*/.*)/.*/.*", each.value)["group_kind"])
? sensitive(data.kustomization_overlay.data_no_ns.manifests[each.value])
: data.kustomization_overlay.data_no_ns.manifests[each.value]
)
depends_on = [kustomization_resource.main_no_ns]
}

26
workflow/tekton-pipelines/v1_ConfigMap_bundleresolver-config.yaml Normal file
View File

@@ -0,0 +1,26 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: bundleresolver-config
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# The default layer kind in the bundle image.
default-kind: "task"

32
workflow/tekton-pipelines/v1_ConfigMap_cluster-resolver-config.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-resolver-config
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# The default kind to fetch.
default-kind: "task"
# The default namespace to look for resources in.
default-namespace: ""
# An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed.
allowed-namespaces: ""
# An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed.
blocked-namespaces: ""

146
workflow/tekton-pipelines/v1_ConfigMap_config-defaults.yaml Normal file
View File

@@ -0,0 +1,146 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-defaults
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# default-timeout-minutes contains the default number of
# minutes to use for TaskRun and PipelineRun, if none is specified.
default-timeout-minutes: "60" # 60 minutes
# default-service-account contains the default service account name
# to use for TaskRun and PipelineRun, if none is specified.
default-service-account: "default"
# default-managed-by-label-value contains the default value given to the
# "app.kubernetes.io/managed-by" label applied to all Pods created for
# TaskRuns. If a user's requested TaskRun specifies another value for this
# label, the user's request supercedes.
default-managed-by-label-value: "tekton-pipelines"
# default-pod-template contains the default pod template to use for
# TaskRun and PipelineRun. If a pod template is specified on the
# PipelineRun, the default-pod-template is merged with that one.
# default-pod-template:
# default-affinity-assistant-pod-template contains the default pod template
# to use for affinity assistant pods. If a pod template is specified on the
# PipelineRun, the default-affinity-assistant-pod-template is merged with
# that one.
# default-affinity-assistant-pod-template:
# default-cloud-events-sink contains the default CloudEvents sink to be
# used for TaskRun and PipelineRun, when no sink is specified.
# Note that right now it is still not possible to set a PipelineRun or
# TaskRun specific sink, so the default is the only option available.
# If no sink is specified, no CloudEvent is generated
# default-cloud-events-sink:
# default-task-run-workspace-binding contains the default workspace
# configuration provided for any Workspaces that a Task declares
# but that a TaskRun does not explicitly provide.
# default-task-run-workspace-binding: |
# emptyDir: {}
# default-max-matrix-combinations-count contains the default maximum number
# of combinations from a Matrix, if none is specified.
default-max-matrix-combinations-count: "256"
# default-forbidden-env contains comma seperated environment variables that cannot be
# overridden by podTemplate.
default-forbidden-env:
# default-resolver-type contains the default resolver type to be used in the cluster,
# no default-resolver-type is specified by default
default-resolver-type:
# default-imagepullbackoff-timeout contains the default duration to wait
# before requeuing the TaskRun to retry, specifying 0 here is equivalent to fail fast
# possible values could be 1m, 5m, 10s, 1h, etc
# default-imagepullbackoff-timeout: "5m"
# default-container-resource-requirements allow users to update default resource requirements
# to a init-containers and containers of a pods create by the controller
# Onet: All the resource requirements are applied to init-containers and containers
# only if the existing resource requirements are empty.
# default-container-resource-requirements: |
# place-scripts: # updates resource requirements of a 'place-scripts' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# prepare: # updates resource requirements of a 'prepare' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "256Mi"
# cpu: "500m"
#
# working-dir-initializer: # updates resource requirements of a 'working-dir-initializer' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "512Mi"
# cpu: "500m"
#
# prefix-scripts: # updates resource requirements of containers which starts with 'scripts-'
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# prefix-sidecar-scripts: # updates resource requirements of containers which starts with 'sidecar-scripts-'
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# default: # updates resource requirements of init-containers and containers which has empty resource resource requirements
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "256Mi"
# cpu: "500m"

49
workflow/tekton-pipelines/v1_ConfigMap_config-events.yaml Normal file
View File

@@ -0,0 +1,49 @@
# Copyright 2023 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-events
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# formats contains a comma seperated list of event formats to be used
# the only format supported today is "tektonv1". An empty string is not
# a valid configuration. To disable events, do not specify the sink.
formats: "tektonv1"
# sink contains the event sink to be used for TaskRun, PipelineRun and
# CustomRun. If no sink is specified, no CloudEvent is generated.
# This setting supercedes the "default-cloud-events-sink" from the
# "config-defaults" config map
sink: "https://events.sink/cdevents"

52
workflow/tekton-pipelines/v1_ConfigMap_config-leader-election-controller.yaml Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-leader-election-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# lease-duration is how long non-leaders will wait to try to acquire the
# lock; 15 seconds is the value used by core kubernetes controllers.
lease-duration: "60s"
# renew-deadline is how long a leader will try to renew the lease before
# giving up; 10 seconds is the value used by core kubernetes controllers.
renew-deadline: "40s"
# retry-period is how long the leader election client waits between tries of
# actions; 2 seconds is the value used by core kubernetes controllers.
retry-period: "10s"
# buckets is the number of buckets used to partition key space of each
# Reconciler. If this number is M and the replica number of the controller
# is N, the N replicas will compete for the M buckets. The owner of a
# bucket will take care of the reconciling for the keys partitioned into
# that bucket.
buckets: "1"

52
workflow/tekton-pipelines/v1_ConfigMap_config-leader-election-events.yaml Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2023 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-leader-election-events
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# lease-duration is how long non-leaders will wait to try to acquire the
# lock; 15 seconds is the value used by core kubernetes controllers.
lease-duration: "60s"
# renew-deadline is how long a leader will try to renew the lease before
# giving up; 10 seconds is the value used by core kubernetes controllers.
renew-deadline: "40s"
# retry-period is how long the leader election client waits between tries of
# actions; 2 seconds is the value used by core kubernetes controllers.
retry-period: "10s"
# buckets is the number of buckets used to partition key space of each
# Reconciler. If this number is M and the replica number of the controller
# is N, the N replicas will compete for the M buckets. The owner of a
# bucket will take care of the reconciling for the keys partitioned into
# that bucket.
buckets: "1"

53
workflow/tekton-pipelines/v1_ConfigMap_config-leader-election-resolvers.yaml Normal file
View File

@@ -0,0 +1,53 @@
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-leader-election-resolvers
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# lease-duration is how long non-leaders will wait to try to acquire the
# lock; 15 seconds is the value used by core kubernetes controllers.
lease-duration: "60s"
# renew-deadline is how long a leader will try to renew the lease before
# giving up; 10 seconds is the value used by core kubernetes controllers.
renew-deadline: "40s"
# retry-period is how long the leader election client waits between tries of
# actions; 2 seconds is the value used by core kubernetes controllers.
retry-period: "10s"
# buckets is the number of buckets used to partition key space of each
# Reconciler. If this number is M and the replica number of the controller
# is N, the N replicas will compete for the M buckets. The owner of a
# bucket will take care of the reconciling for the keys partitioned into
# that bucket.
buckets: "1"

52
workflow/tekton-pipelines/v1_ConfigMap_config-leader-election-webhook.yaml Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2023 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-leader-election-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# lease-duration is how long non-leaders will wait to try to acquire the
# lock; 15 seconds is the value used by core kubernetes controllers.
lease-duration: "60s"
# renew-deadline is how long a leader will try to renew the lease before
# giving up; 10 seconds is the value used by core kubernetes controllers.
renew-deadline: "40s"
# retry-period is how long the leader election client waits between tries of
# actions; 2 seconds is the value used by core kubernetes controllers.
retry-period: "10s"
# buckets is the number of buckets used to partition key space of each
# Reconciler. If this number is M and the replica number of the controller
# is N, the N replicas will compete for the M buckets. The owner of a
# bucket will take care of the reconciling for the keys partitioned into
# that bucket.
buckets: "1"

52
workflow/tekton-pipelines/v1_ConfigMap_config-logging.yaml Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-logging
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
zap-logger-config: |
{
"level": "info",
"development": false,
"sampling": {
"initial": 100,
"thereafter": 100
},
"outputPaths": ["stdout"],
"errorOutputPaths": ["stderr"],
"encoding": "json",
"encoderConfig": {
"timeKey": "timestamp",
"levelKey": "severity",
"nameKey": "logger",
"callerKey": "caller",
"messageKey": "message",
"stacktraceKey": "stacktrace",
"lineEnding": "",
"levelEncoder": "",
"timeEncoder": "iso8601",
"durationEncoder": "",
"callerEncoder": ""
}
}
# Log level overrides
loglevel.controller: "info"
loglevel.webhook: "info"

61
workflow/tekton-pipelines/v1_ConfigMap_config-observability.yaml Normal file
View File

@@ -0,0 +1,61 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-observability
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# metrics.backend-destination field specifies the system metrics destination.
# It supports either prometheus (the default) or stackdriver.
# Note: Using stackdriver will incur additional charges
metrics.backend-destination: prometheus
# metrics.request-metrics-backend-destination specifies the request metrics
# destination. If non-empty, it enables queue proxy to send request metrics.
# Currently supported values: prometheus, stackdriver.
metrics.request-metrics-backend-destination: prometheus
# metrics.stackdriver-project-id field specifies the stackdriver project ID. This
# field is optional. When running on GCE, application default credentials will be
# used if this field is not provided.
metrics.stackdriver-project-id: "<your stackdriver project id>"
# metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
# Stackdriver using "global" resource type and custom metric type if the
# metrics are not supported by "knative_revision" resource type. Setting this
# flag to "true" could cause extra Stackdriver charge.
# If metrics.backend-destination is not Stackdriver, this is ignored.
metrics.allow-stackdriver-custom-metrics: "false"

25
workflow/tekton-pipelines/v1_ConfigMap_config-registry-cert.yaml Normal file
View File

@@ -0,0 +1,25 @@
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-registry-cert
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
# data:
# # Registry's self-signed certificate
# cert: |

49
workflow/tekton-pipelines/v1_ConfigMap_config-spire.yaml Normal file
View File

@@ -0,0 +1,49 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-spire
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
#
# spire-trust-domain specifies the SPIRE trust domain to use.
# spire-trust-domain: "example.org"
#
# spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
# spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
#
# spire-server-addr specifies the SPIRE server address for workload/node registration.
# spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
#
# spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
# spire-node-alias-prefix: "/tekton-node/"

46
workflow/tekton-pipelines/v1_ConfigMap_config-tracing.yaml Normal file
View File

@@ -0,0 +1,46 @@
# Copyright 2023 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-tracing
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
#
# Enable sending traces to defined endpoint by setting this to true
enabled: "true"
#
# API endpoint to send the traces to
# (optional): The default value is given below
endpoint: "http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces"
# (optional) Name of the k8s secret which contains basic auth credentials
credentialsSecret: "jaeger-creds"

130
workflow/tekton-pipelines/v1_ConfigMap_feature-flags.yaml Normal file
View File

@@ -0,0 +1,130 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: feature-flags
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# Setting this flag to "true" will prevent Tekton to create an
# Affinity Assistant for every TaskRun sharing a PVC workspace
#
# The default behaviour is for Tekton to create Affinity Assistants
#
# See more in the Affinity Assistant documentation
# https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md
# or https://github.com/tektoncd/pipeline/pull/2630 for more info.
#
# Note: This feature flag is deprecated and will be removed in release v0.60. Consider using `coschedule` feature flag to configure Affinity Assistant behavior.
disable-affinity-assistant: "false"
# Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant.
# Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled".
#
# Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node.
# Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node.
# Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node,
# and only allows one pipelinerun to run on a node at a time.
# Setting it to "disabled" will not apply any coschedule policy.
#
# See more in the Affinity Assistant documentation
# https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md
coschedule: "workspaces"
# Setting this flag to "true" will prevent Tekton scanning attached
# service accounts and injecting any credentials it finds into your
# Steps.
#
# The default behaviour currently is for Tekton to search service
# accounts for secrets matching a specified format and automatically
# mount those into your Steps.
#
# Note: setting this to "true" will prevent PipelineResources from
# working.
#
# See https://github.com/tektoncd/pipeline/issues/2791 for more
# info.
disable-creds-init: "false"
# Setting this flag to "false" will stop Tekton from waiting for a
# TaskRun's sidecar containers to be running before starting the first
# step. This will allow Tasks to be run in environments that don't
# support the DownwardAPI volume type, but may lead to unintended
# behaviour if sidecars are used.
#
# See https://github.com/tektoncd/pipeline/issues/4937 for more info.
await-sidecar-readiness: "true"
# This option should be set to false when Pipelines is running in a
# cluster that does not use injected sidecars such as Istio. Setting
# it to false should decrease the time it takes for a TaskRun to start
# running. For clusters that use injected sidecars, setting this
# option to false can lead to unexpected behavior.
#
# See https://github.com/tektoncd/pipeline/issues/2080 for more info.
running-in-environment-with-injected-sidecars: "true"
# Setting this flag to "true" will require that any Git SSH Secret
# offered to Tekton must have known_hosts included.
#
# See https://github.com/tektoncd/pipeline/issues/2981 for more
# info.
require-git-ssh-secret-known-hosts: "false"
# Setting this flag to "true" enables the use of Tekton OCI bundle.
# This is an experimental feature and thus should still be considered
# an alpha feature.
enable-tekton-oci-bundles: "false"
# Setting this flag will determine which gated features are enabled.
# Acceptable values are "stable", "beta", or "alpha".
enable-api-fields: "beta"
# Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a
# CloudEvents sink is configured in the config-defaults config map
send-cloudevents-for-runs: "false"
# This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them.
# If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found.
# If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged.
# If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged.
trusted-resources-verification-no-match-policy: "ignore"
# Setting this flag to "true" enables populating the "provenance" field in TaskRun
# and PipelineRun status. This field contains metadata about resources used
# in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
# definition was fetched.
enable-provenance-in-status: "true"
# Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
# If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
# If set to "none", then Tekton will not have non-falsifiable provenance.
# This is an experimental feature and thus should still be considered an alpha feature.
enforce-nonfalsifiability: "none"
# Setting this flag will determine how Tekton pipelines will handle extracting results from the task.
# Acceptable values are "termination-message" or "sidecar-logs".
# "sidecar-logs" is an experimental feature and thus should still be considered
# an alpha feature.
results-from: "termination-message"
# Setting this flag will determine the upper limit of each task result
# This flag is optional and only associated with the previous flag, results-from
# When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result
# max-result-size: "4096"
# Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns.
# This allows TaskRuns to run in namespaces with "restricted" pod security standards.
# Not all Kubernetes implementations support this option.
set-security-context: "false"
# Setting this flag to "true" will keep pod on cancellation
# allowing examination of the logs on the pods from cancelled taskruns
keep-pod-on-cancel: "false"
# Setting this flag to "true" will enable the CEL evaluation in WhenExpression
enable-cel-in-whenexpression: "false"
# Setting this flag to "true" will enable the use of StepActions in Steps
# This feature is in preview mode and not implemented yet. Please check #7259 for updates.
enable-step-actions: "false"
# Setting this flag to "true" will enable the built-in param input validation via param enum.
enable-param-enum: "false"

43
workflow/tekton-pipelines/v1_ConfigMap_git-resolver-config.yaml Normal file
View File

@@ -0,0 +1,43 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: git-resolver-config
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# The maximum amount of time a single anonymous cloning resolution may take.
fetch-timeout: "1m"
# The git url to fetch the remote resource from when using anonymous cloning.
default-url: "https://github.com/tektoncd/catalog.git"
# The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API.
default-revision: "main"
# The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud
scm-type: "github"
# The SCM server URL to use with the authenticated API. Not needed when using github.com, gitlab.com, or BitBucket Cloud
server-url: ""
# The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API.
api-token-secret-name: ""
# The key in the API token secret containing the actual token. Required when using the authenticated API.
api-token-secret-key: ""
# The namespace containing the API token secret. Defaults to "default".
api-token-secret-namespace: "default"
# The default organization to look for repositories under when using the authenticated API,
# if not specified in the resolver parameters. Optional.
default-org: ""

26
workflow/tekton-pipelines/v1_ConfigMap_http-resolver-config.yaml Normal file
View File

@@ -0,0 +1,26 @@
# Copyright 2023 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: http-resolver-config
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# The maximum amount of time the http resolver will wait for a response from the server.
fetch-timeout: "1m"

34
workflow/tekton-pipelines/v1_ConfigMap_hubresolver-config.yaml Normal file
View File

@@ -0,0 +1,34 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: hubresolver-config
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# the default Tekton Hub catalog from where to pull the resource.
default-tekton-hub-catalog: "Tekton"
# the default Artifact Hub Task catalog from where to pull the resource.
default-artifact-hub-task-catalog: "tekton-catalog-tasks"
# the default Artifact Hub Pipeline catalog from where to pull the resource.
default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines"
# the default layer kind in the hub image.
default-kind: "task"
# the default hub source to pull the resource from.
default-type: "artifact"

29
workflow/tekton-pipelines/v1_ConfigMap_pipelines-info.yaml Normal file
View File

@@ -0,0 +1,29 @@
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: pipelines-info
namespace: tekton-pipelines
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# Contains pipelines version which can be queried by external
# tools such as CLI. Elevated permissions are already given to
# this ConfigMap such that even if we don't have access to
# other resources in the namespace we still can have access to
# this ConfigMap.
version: "v0.57.0"

32
workflow/tekton-pipelines/v1_ConfigMap_resolvers-feature-flags.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: resolvers-feature-flags
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
data:
# Setting this flag to "true" enables remote resolution of Tekton OCI bundles.
enable-bundles-resolver: "true"
# Setting this flag to "true" enables remote resolution of tasks and pipelines via the Tekton Hub.
enable-hub-resolver: "true"
# Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories.
enable-git-resolver: "true"
# Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster.
enable-cluster-resolver: "true"

25
workflow/tekton-pipelines/v1_Secret_webhook-certs.yaml Normal file
View File

@@ -0,0 +1,25 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Secret
metadata:
name: webhook-certs
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines
pipeline.tekton.dev/release: "v0.57.0"
# The data is populated at install time.

9
workflow/tekton-pipelines/v1_ServiceAccount_tekton-events-controller.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-events-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

22
workflow/tekton-pipelines/v1_ServiceAccount_tekton-pipelines-controller.yaml Normal file
View File

@@ -0,0 +1,22 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-pipelines-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

23
workflow/tekton-pipelines/v1_ServiceAccount_tekton-pipelines-resolvers.yaml Normal file
View File

@@ -0,0 +1,23 @@
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-pipelines-resolvers
namespace: tekton-pipelines-resolvers
labels:
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

9
workflow/tekton-pipelines/v1_ServiceAccount_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-pipelines-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

32
workflow/tekton-pipelines/v1_Service_tekton-events-controller.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: events
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-events-controller
version: "v0.57.0"
name: tekton-events-controller
namespace: tekton-pipelines
spec:
ports:
- name: http-metrics
port: 9090
protocol: TCP
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: probes
port: 8080
selector:
app.kubernetes.io/name: events
app.kubernetes.io/component: events
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

32
workflow/tekton-pipelines/v1_Service_tekton-pipelines-controller.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-controller
version: "v0.57.0"
name: tekton-pipelines-controller
namespace: tekton-pipelines
spec:
ports:
- name: http-metrics
port: 9090
protocol: TCP
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: probes
port: 8080
selector:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

45
workflow/tekton-pipelines/v1_Service_tekton-pipelines-remote-resolvers.yaml Normal file
View File

@@ -0,0 +1,45 @@
# Copyright 2023 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-remote-resolvers
version: "v0.57.0"
name: tekton-pipelines-remote-resolvers
namespace: tekton-pipelines-resolvers
spec:
ports:
- name: http-metrics
port: 9090
protocol: TCP
targetPort: 9090
- name: http-profiling
port: 8008
targetPort: 8008
- name: probes
port: 8080
selector:
app.kubernetes.io/name: resolvers
app.kubernetes.io/component: resolvers
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

36
workflow/tekton-pipelines/v1_Service_tekton-pipelines-webhook.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.57.0"
app.kubernetes.io/part-of: tekton-pipelines
# tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "v0.57.0"
# labels below are related to istio and should not be used for resource lookup
app: tekton-pipelines-webhook
version: "v0.57.0"
name: tekton-pipelines-webhook
namespace: tekton-pipelines
spec:
ports:
# Define metrics and profiling for them to be accessible within service meshes.
- name: http-metrics
port: 9090
targetPort: metrics
- name: http-profiling
port: 8008
targetPort: profiling
- name: https-webhook
port: 443
targetPort: https-webhook
- name: probes
port: 8080
targetPort: probes
selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-pipelines

19
workflow/tekton-triggers/admissionregistration.k8s.io_v1_MutatingWebhookConfiguration_webhook.triggers.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: webhook.triggers.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
triggers.tekton.dev/release: "v0.26.1"
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: webhook.triggers.tekton.dev

23
workflow/tekton-triggers/admissionregistration.k8s.io_v1_ValidatingWebhookConfiguration_config.webhook.triggers.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: config.webhook.triggers.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
triggers.tekton.dev/release: "v0.26.1"
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: config.webhook.triggers.tekton.dev
namespaceSelector:
matchExpressions:
- key: triggers.tekton.dev/release
operator: Exists

19
workflow/tekton-triggers/admissionregistration.k8s.io_v1_ValidatingWebhookConfiguration_validation.webhook.triggers.tekton.dev.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.triggers.tekton.dev
labels:
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
triggers.tekton.dev/release: "v0.26.1"
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: validation.webhook.triggers.tekton.dev

81
workflow/tekton-triggers/apps_v1_Deployment_tekton-triggers-controller.yaml Normal file
View File

@@ -0,0 +1,81 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-triggers-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
# tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
triggers.tekton.dev/release: "v0.26.1"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
template:
metadata:
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
app: tekton-triggers-controller
triggers.tekton.dev/release: "v0.26.1"
# version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
version: "v0.26.1"
spec:
serviceAccountName: tekton-triggers-controller
containers:
- name: tekton-triggers-controller
image: "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller:v0.26.1@sha256:276c6167a2a9b2822d268ad7e84517ee45c92ccd978546db17ff2a3763721f7e"
args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink:v0.26.1@sha256:6cf43395114325531c17aa3722da7c14ffcd50f2b829c6c18c6605dfb74208a0", "-el-port", "8080", "-el-security-context=true", "-el-events", "disable", "-el-readtimeout", "5", "-el-writetimeout", "40", "-el-idletimeout", "120", "-el-timeouthandler", "30", "-el-httpclient-readtimeout", "30", "-el-httpclient-keep-alive", "30", "-el-httpclient-tlshandshaketimeout", "10", "-el-httpclient-responseheadertimeout", "10", "-el-httpclient-expectcontinuetimeout", "1", "-period-seconds", "10", "-failure-threshold", "3"]
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging-triggers
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability-triggers
- name: CONFIG_DEFAULTS_NAME
value: config-defaults-triggers
- name: METRICS_DOMAIN
value: tekton.dev/triggers
- name: METRICS_PROMETHEUS_PORT
value: "9000"
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-triggers-controllers
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

90
workflow/tekton-triggers/apps_v1_Deployment_tekton-triggers-core-interceptors.yaml Normal file
View File

@@ -0,0 +1,90 @@
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-triggers-core-interceptors
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: core-interceptors
app.kubernetes.io/component: interceptors
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
# tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
triggers.tekton.dev/release: "v0.26.1"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: core-interceptors
app.kubernetes.io/component: interceptors
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
template:
metadata:
labels:
app.kubernetes.io/name: core-interceptors
app.kubernetes.io/component: interceptors
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
app: tekton-triggers-core-interceptors
triggers.tekton.dev/release: "v0.26.1"
# version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
version: "v0.26.1"
spec:
serviceAccountName: tekton-triggers-core-interceptors
containers:
- name: tekton-triggers-core-interceptors
image: "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors:v0.26.1@sha256:ffc13aab0d0e16836c98bdf15f516a7f9df4e3eed1184a64825193f6a2fa6753"
ports:
- containerPort: 8443
args: ["-logtostderr", "-stderrthreshold", "INFO"]
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging-triggers
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability-triggers
- name: METRICS_DOMAIN
value: tekton.dev/triggers
# assuming service and deployment names are same always for consistency
- name: INTERCEPTOR_TLS_SVC_NAME
value: tekton-triggers-core-interceptors
- name: INTERCEPTOR_TLS_SECRET_NAME
value: tekton-triggers-core-interceptors-certs
readinessProbe:
httpGet:
path: /ready
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
capabilities:
drop:
- "ALL"
seccompProfile:
type: RuntimeDefault

87
workflow/tekton-triggers/apps_v1_Deployment_tekton-triggers-webhook.yaml Normal file
View File

@@ -0,0 +1,87 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-triggers-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
# tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
triggers.tekton.dev/release: "v0.26.1"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
template:
metadata:
labels:
app.kubernetes.io/name: webhook
app.kubernetes.io/component: webhook
app.kubernetes.io/instance: default
app.kubernetes.io/version: "v0.26.1"
app.kubernetes.io/part-of: tekton-triggers
app: tekton-triggers-webhook
triggers.tekton.dev/release: "v0.26.1"
# version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
version: "v0.26.1"
spec:
serviceAccountName: tekton-triggers-webhook
containers:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook:v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992"
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging-triggers
- name: WEBHOOK_SERVICE_NAME
value: tekton-triggers-webhook
- name: WEBHOOK_SECRET_NAME
value: triggers-webhook-certs
- name: METRICS_DOMAIN
value: tekton.dev/triggers
- name: CONFIG_LEADERELECTION_NAME
value: config-leader-election-triggers-webhook
ports:
- name: metrics
containerPort: 9000
- name: profiling
containerPort: 8008
- name: https-webhook
containerPort: 8443
securityContext:
allowPrivilegeEscalation: false
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
capabilities:
drop:
- "ALL"
seccompProfile:
type: RuntimeDefault

139
workflow/tekton-triggers/datas.tf Normal file
View File

@@ -0,0 +1,139 @@
locals {
common-labels = {
"vynil.solidite.fr/owner-name" = var.instance
"vynil.solidite.fr/owner-namespace" = var.namespace
"vynil.solidite.fr/owner-category" = var.category
"vynil.solidite.fr/owner-component" = var.component
"app.kubernetes.io/managed-by" = "vynil"
"app.kubernetes.io/name" = var.component
"app.kubernetes.io/instance" = var.instance
}
rb-patch = <<-EOF
- op: replace
path: /subjects/0/namespace
value: "${var.namespace}"
EOF
}
data "kustomization_overlay" "data" {
common_labels = local.common-labels
namespace = var.namespace
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && length(regexall("ClusterRole",file))<1 && length(regexall("WebhookConfiguration",file))<1 && length(regexall("ClusterInterceptor",file))<1]
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller"
new_name = "${var.images.controller.registry}/${var.images.controller.repository}"
new_tag = "${var.images.controller.tag}"
}
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors"
new_name = "${var.images.interceptors.registry}/${var.images.interceptors.repository}"
new_tag = "${var.images.interceptors.tag}"
}
images {
name = "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook"
new_name = "${var.images.webhook.registry}/${var.images.webhook.repository}"
new_tag = "${var.images.webhook.tag}"
}
patches {
target {
kind = "Deployment"
name = "tekton-triggers-webhook"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.webhook.pull_policy}"
EOF
}
patches {
target {
kind = "Deployment"
name = "tekton-triggers-core-interceptors"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.interceptors.pull_policy}"
EOF
}
patches {
target {
kind = "Deployment"
name = "tekton-triggers-controller"
}
patch = <<-EOF
- op: replace
path: /spec/template/spec/containers/0/imagePullPolicy
value: "${var.images.controller.pull_policy}"
EOF
}
}
data "kustomization_overlay" "data_no_ns" {
common_labels = local.common-labels
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml" && (length(regexall("ClusterInterceptor",file))>0 || length(regexall("ClusterRole",file))>0 || length(regexall("WebhookConfiguration",file))>0)]
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-triggers-controller-admin"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-triggers-core-interceptors-secrets"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-triggers-core-interceptors"
}
patch = local.rb-patch
}
patches {
target {
kind = "ClusterRoleBinding"
name = "tekton-triggers-webhook-admin"
}
patch = local.rb-patch
}
patches {
target {
kind = "MutatingWebhookConfiguration"
name = "webhook.triggers.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "config.webhook.triggers.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
patches {
target {
kind = "ValidatingWebhookConfiguration"
name = "validation.webhook.triggers.tekton.dev"
}
patch = <<-EOF
- op: replace
path: /webhooks/0/clientConfig/service/namespace
value: "${var.namespace}"
EOF
}
}

118
workflow/tekton-triggers/index.yaml Normal file
View File

@@ -0,0 +1,118 @@
---
apiVersion: vinyl.solidite.fr/v1beta1
kind: Component
category: workflow
metadata:
name: tekton-triggers
description: null
options:
images:
default:
controller:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/controller
tag: v0.26.1@sha256:276c6167a2a9b2822d268ad7e84517ee45c92ccd978546db17ff2a3763721f7e
interceptors:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/interceptors
tag: v0.26.1@sha256:ffc13aab0d0e16836c98bdf15f516a7f9df4e3eed1184a64825193f6a2fa6753
webhook:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/webhook
tag: v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992
examples:
- controller:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/controller
tag: v0.26.1@sha256:276c6167a2a9b2822d268ad7e84517ee45c92ccd978546db17ff2a3763721f7e
interceptors:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/interceptors
tag: v0.26.1@sha256:ffc13aab0d0e16836c98bdf15f516a7f9df4e3eed1184a64825193f6a2fa6753
webhook:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/webhook
tag: v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992
properties:
controller:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/controller
tag: v0.26.1@sha256:276c6167a2a9b2822d268ad7e84517ee45c92ccd978546db17ff2a3763721f7e
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/triggers/cmd/controller
type: string
tag:
default: v0.26.1@sha256:276c6167a2a9b2822d268ad7e84517ee45c92ccd978546db17ff2a3763721f7e
type: string
type: object
interceptors:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/interceptors
tag: v0.26.1@sha256:ffc13aab0d0e16836c98bdf15f516a7f9df4e3eed1184a64825193f6a2fa6753
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/triggers/cmd/interceptors
type: string
tag:
default: v0.26.1@sha256:ffc13aab0d0e16836c98bdf15f516a7f9df4e3eed1184a64825193f6a2fa6753
type: string
type: object
webhook:
default:
pull_policy: IfNotPresent
registry: gcr.io
repository: tekton-releases/github.com/tektoncd/triggers/cmd/webhook
tag: v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992
properties:
pull_policy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: gcr.io
type: string
repository:
default: tekton-releases/github.com/tektoncd/triggers/cmd/webhook
type: string
tag:
default: v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992
type: string
type: object
type: object
dependencies: []
providers: null
tfaddtype: null

29
workflow/tekton-triggers/rbac.authorization.k8s.io_v1_ClusterRoleBinding_tekton-triggers-controller-admin.yaml Normal file
View File

@@ -0,0 +1,29 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-triggers-controller-admin
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-triggers
subjects:
- kind: ServiceAccount
name: tekton-triggers-controller
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-triggers-admin
apiGroup: rbac.authorization.k8s.io

Some files were not shown because too many files have changed in this diff Show More