fix

share/organisation/ci-space.tf

@@ -0,0 +1,66 @@
+resource "kubernetes_namespace_v1" "ns-tekton" {
+  count = var.haveGitea && var.haveTekton?1:0
+  metadata {
+    annotations = local.annotations
+    labels = merge(local.common-labels, local.annotations)
+    name = "${var.domain}-ci-${var.instance}"
+  }
+}
+
+resource "kubectl_manifest" "tekton" {
+  count = var.haveGitea && var.haveTekton?1:0
+  depends_on = [kubernetes_namespace_v1.ns-tekton]
+  yaml_body  = <<-EOF
+    apiVersion: "vynil.solidite.fr/v1"
+    kind: "Install"
+    metadata:
+      name: "tekton-base"
+      namespace: "${var.domain}-ci-${var.instance}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      distrib: "${var.distributions.domain}"
+      category: "share"
+      component: "gitea-tekton-org"
+      options:
+        domain: "${var.domain}"
+        organization: "${trimprefix(var.instance,"org-")}"
+  EOF
+}
+
+resource "kubectl_manifest" "ci-ssh-creds" {
+  depends_on = [kubernetes_namespace_v1.ns-tekton]
+  count = var.haveGitea && var.haveTekton?1:0
+  yaml_body  = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "SSHKeyPair"
+    metadata:
+      name: "ssh-credentials"
+      namespace: "${var.domain}-ci-${var.instance}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      length: "2048"
+      forceRegenerate: false
+      data:
+        known_hosts: "${data.local_file.known_host[0].content}"
+  EOF
+  lifecycle {
+    ignore_changes = [
+      yaml_body,
+    ]
+  }
+}
+
+data "kubernetes_secret_v1" "ci-ssh-creds-read" {
+  depends_on = [kubectl_manifest.ci-ssh-creds]
+  count = var.haveGitea && var.haveTekton?1:0
+  metadata {
+    name = "ssh-credentials"
+    namespace = "${var.domain}-ci-${var.instance}"
+  }
+}
+resource "gitea_public_key" "user-ci-keys" {
+  count = var.haveGitea && var.haveTekton?1:0
+  title = "Tekton token to read repository ${var.instance}"
+  username  = gitea_user.user-ci[0].username
+  key = data.kubernetes_secret_v1.ci-ssh-creds-read[count.index].data["ssh-publickey"]
+}

share/organisation/gitea-user.tf

@@ -1,5 +1,6 @@
 locals {
-  needUser = length(local.sorted-stages)>0 && var.haveGitea
+  needKnownHost = var.haveGitea && (length(local.sorted-stages)>0 || var.haveTekton)
+  needDeploy = var.haveGitea && length(local.sorted-stages)>0
   gitea_host = "http://gitea-http.${var.domain}-ci.svc:3000/"
   gitea_username = data.kubernetes_secret_v1.gitea.data["username"]
   gitea_password = data.kubernetes_secret_v1.gitea.data["password"]
@@ -27,7 +28,7 @@ data "kubernetes_service" "gitea-ssh" {
 }
 
 resource "null_resource" "get_known" {
-  count = local.needUser?1:0
+  count = local.needKnownHost?1:0
   triggers  =  { always_run = "${timestamp()}" }
   provisioner "local-exec" {
     command = "ssh-keyscan -p ${data.kubernetes_service.gitea-ssh.spec.0.port.0.port} ${var.gitea-ssh-domain!=""?var.gitea-ssh-domain:data.kubernetes_ingress_v1.gitea.spec[0].rule[0].host} > ${path.module}/known_host.txt"
@@ -35,14 +36,14 @@ resource "null_resource" "get_known" {
 }
 
 data "local_file" "known_host" {
-  count = local.needUser?1:0
+  count = local.needKnownHost?1:0
   filename = "${path.module}/known_host.txt"
   depends_on = [null_resource.get_known]
 }
 
 resource "kubectl_manifest" "ssh-creds" {
   depends_on = [kubernetes_namespace_v1.ns]
-  count = local.needUser?length(local.sorted-stages):0
+  count = var.haveGitea?length(local.sorted-stages):0
   yaml_body  = <<-EOF
     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
     kind: "SSHKeyPair"
@@ -65,7 +66,7 @@ resource "kubectl_manifest" "ssh-creds" {
 
 data "kubernetes_secret_v1" "ssh-creds-read" {
   depends_on = [kubectl_manifest.ssh-creds]
-  count = local.needUser?length(local.sorted-stages):0
+  count = var.haveGitea?length(local.sorted-stages):0
   metadata {
     name = "ssh-credentials"
     namespace = "${local.sorted-stages[count.index].namespace}"
@@ -79,7 +80,7 @@ resource "random_password" "password" {
 }
 
 resource "gitea_user" "user-ci" {
-  count = local.needUser?1:0
+  count = local.needKnownHost?1:0
   username             = "${var.instance}-ci"
   login_name           = "${var.instance}-ci"
   password             = random_password.password.result
@@ -88,7 +89,7 @@ resource "gitea_user" "user-ci" {
 }
 
 resource "gitea_public_key" "user-ci-keys" {
-  count = local.needUser?length(local.sorted-stages):0
+  count = var.haveGitea?length(local.sorted-stages):0
   title = "Stage ${local.sorted-stages[count.index].name} for organisation ${var.instance}"
   username  = gitea_user.user-ci[0].username
   key = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-publickey"]
@@ -100,23 +101,32 @@ resource "gitea_org" "orga" {
 }
 
 resource "gitea_repository" "deploy" {
-  count = local.needUser?1:0
+  count = local.needDeploy?1:0
   username     = gitea_org.orga[0].name
   name         = "deploy"
   private      = true
 }
 
-resource "gitea_team" "ci-team" {
-  count = local.needUser?1:0
-  name         = "Automation"
+resource "gitea_team" "cd-team" {
+  count = local.needDeploy?1:0
+  name         = "Deployment"
   organisation = gitea_org.orga[0].name
-  description  = "Automation"
+  description  = "Deployment"
   permission   = "write"
   members      = [gitea_user.user-ci[0].username]
   include_all_repositories = false
   repositories             = [gitea_repository.deploy[0].name]
 }
 
+resource "gitea_team" "ci-team" {
+  count = local.needKnownHost?1:0
+  name         = "Automation"
+  organisation = gitea_org.orga[0].name
+  description  = "Automation"
+  permission   = "read"
+  members      = [gitea_user.user-ci[0].username]
+}
+
 resource "gitea_team" "dev-team" {
   count = var.haveGitea?1:0
   name         = "Devs"

share/organisation/index.yaml

@@ -88,6 +88,11 @@ options:
     examples:
     - false
     type: boolean
+  haveTekton:
+    default: false
+    examples:
+    - false
+    type: boolean
   ingress_class:
     default: traefik
     examples: