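# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deployment for the Tekton Pipelines admission webhook: the workload behind
# the MutatingWebhookConfiguration and ValidatingWebhookConfiguration that the
# env comments below refer to.
# NOTE(review): no "replicas" field is set, so the Deployment API default of one
# replica applies unless an autoscaler manages it; confirm that matches the
# availability expected of an admission webhook.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Note: the Deployment name must be the same as the Service name specified in
  # config/400-webhook-service.yaml. If you change this name, you must also
  # change the value of WEBHOOK_SERVICE_NAME below.
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v0.57.0"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v0.57.0"
    # labels below are related to istio and should not be used for resource lookup
    version: "v0.57.0"
spec:
  # The selector deliberately omits the version labels, so it stays stable
  # across releases; every key here must also appear in template.metadata.labels.
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/component: webhook
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-pipelines
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webhook
        app.kubernetes.io/component: webhook
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "v0.57.0"
        app.kubernetes.io/part-of: tekton-pipelines
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v0.57.0"
        # labels below are related to istio and should not be used for resource lookup
        app: tekton-pipelines-webhook
        version: "v0.57.0"
    spec:
      affinity:
        # Hard requirement: never schedule this pod onto a Windows node.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: NotIn
                    values:
                      - windows
        # Soft preference only: spread webhook pods across nodes by hostname.
        # The scheduler may still co-locate them when no other node fits.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: webhook
                    app.kubernetes.io/component: webhook
                    app.kubernetes.io/instance: default
                    app.kubernetes.io/part-of: tekton-pipelines
                topologyKey: kubernetes.io/hostname
              weight: 100
      # The pod runs with this ServiceAccount's credentials, so the roles bound
      # to it (see the 200-role.yaml / 200-clusterrole.yaml references below)
      # bound what the webhook process can do against the API server.
      serviceAccountName: tekton-pipelines-webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          # The reference carries a sha256 digest in addition to the tag, so the
          # content that is pulled is fixed even if the tag is repointed. Update
          # the tag and the digest together when upgrading.
          image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.57.0@sha256:23cbd3301ff967151230f4fc2540110338ecf062583e6456d9dc905db9f08350
          # Resource request required for autoscaler to take any action for a metric
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: 500m
              memory: 500Mi
          env:
            # Resolved at runtime from the pod's own namespace (downward API).
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the webhook's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election-webhook
            - name: CONFIG_FEATURE_FLAGS_NAME
              value: feature-flags
            # If you change PROBES_PORT, you will also need to change the
            # containerPort "probes" to the same value.
            - name: PROBES_PORT
              value: "8080"
            # If you change WEBHOOK_PORT, you will also need to change the
            # containerPort "https-webhook" to the same value.
            - name: WEBHOOK_PORT
              value: "8443"
            # If you change WEBHOOK_ADMISSION_CONTROLLER_NAME, you will also need to update
            # the webhooks.name in 500-webhooks.yaml to include the new names of admission webhooks.
            # Additionally, you will also need to change the resource names (metadata.name) of
            # "MutatingWebhookConfiguration" and "ValidatingWebhookConfiguration" in 500-webhooks.yaml
            # to reflect the change in the name of the admission webhook.
            # Followed by changing the webhook's Role in 200-clusterrole.yaml to update the "resourceNames" of
            # "mutatingwebhookconfigurations" and "validatingwebhookconfigurations" resources.
            - name: WEBHOOK_ADMISSION_CONTROLLER_NAME
              value: webhook.pipeline.tekton.dev
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-pipelines-webhook
            # NOTE(review): presumably the Secret that holds the webhook's
            # serving certificate and key; verify, and keep RBAC read access
            # to it as narrow as possible.
            - name: WEBHOOK_SECRET_NAME
              value: webhook-certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          # Container hardening: no privilege escalation, every Linux capability
          # dropped, a fixed non-root UID/GID, and the runtime's default seccomp
          # profile.
          # NOTE(review): readOnlyRootFilesystem is not set here; consider
          # enabling it after confirming the webhook never writes to its root
          # filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            # NOTE(review): metrics and profiling are declared as plain
            # container ports. Confirm they are not reachable from outside the
            # cluster (Service definition, NetworkPolicy) and whether profiling
            # is enabled at all (presumably controlled through
            # config-observability; verify).
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            # This must match the value of the environment variable WEBHOOK_PORT.
            - name: https-webhook
              containerPort: 8443
            # This must match the value of the environment variable PROBES_PORT.
            - name: probes
              containerPort: 8080
          # Both probes use plain HTTP against the named "probes" port rather
          # than the https-webhook port.
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5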