diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6677ebd --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +.idea + +*.tmp +*.tar.gz +*.tgz \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..bb688ec --- /dev/null +++ b/Makefile @@ -0,0 +1,44 @@ +CHART_REPO := gs://jenkinsxio/charts +NAME := jx-git-operator + +fetch: + rm -f tekton/templates/*.yaml + curl https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml > tekton/templates/resource.yaml + jx gitops split -d tekton/templates + jx gitops rename -d tekton/templates + cp src/templates/* tekton/templates + +build: clean + rm -rf Chart.lock + helm dependency build + helm lint + +install: clean build + helm install . --name ${NAME} + +upgrade: clean build + helm upgrade ${NAME} . + +delete: + helm delete --purge ${NAME} + +clean: + rm -rf charts + rm -rf ${NAME}*.tgz + +release: clean + sed -i -e "s/version:.*/version: $(VERSION)/" Chart.yaml + + helm dependency build + helm lint + helm package . + helm repo add jx-labs $(CHART_REPO) + helm gcs push ${NAME}*.tgz jx-labs --public + rm -rf ${NAME}*.tgz% + +test: + cd tests && go test -v + +test-regen: + cd tests && export HELM_UNIT_REGENERATE_EXPECTED=true && go test -v + diff --git a/README.md b/README.md index 4633b3c..417198c 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,5 @@ # tekton-helm-chart -CDF official helm chart for Tekton + +CDF official helm chart for [Tekton Pipelines](https://github.com/tektoncd/pipeline). + +See chart [readme](./tekton/README.md) for install and config options. \ No newline at end of file diff --git a/src/templates/tekton-bot-sa.yaml b/src/templates/tekton-bot-sa.yaml new file mode 100644 index 0000000..9736cda --- /dev/null +++ b/src/templates/tekton-bot-sa.yaml @@ -0,0 +1,25 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-bot + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +secrets: +- name: tekton-git +- name: tekton-container-registry-auth diff --git a/src/templates/tekton-container-registry-auth-secret.yaml b/src/templates/tekton-container-registry-auth-secret.yaml new file mode 100644 index 0000000..02e75bd --- /dev/null +++ b/src/templates/tekton-container-registry-auth-secret.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +data: + .dockerconfigjson: {{ .Values.auth.docker.configJson | b64enc | quote }} +kind: Secret +metadata: + name: tekton-container-registry-auth + namespace: tekton-pipelines + annotations: + tekton.dev/docker-0: {{ .Values.auth.docker.url | quote }} + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +type: kubernetes.io/dockerconfigjson diff --git a/src/templates/tekton-git-secret.yaml b/src/templates/tekton-git-secret.yaml new file mode 100644 index 0000000..3291d12 --- /dev/null +++ b/src/templates/tekton-git-secret.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +data: + password: {{ .Values.auth.git.password | b64enc | quote }} + username: {{ .Values.auth.git.username | b64enc | quote }} +kind: Secret +metadata: + name: tekton-git + namespace: tekton-pipelines + annotations: + tekton.dev/git-0: {{ .Values.auth.git.url | quote }} + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +type: kubernetes.io/basic-auth diff --git a/tekton/Chart.yaml b/tekton/Chart.yaml new file mode 100644 index 0000000..9727fdd --- /dev/null +++ b/tekton/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Tekton Pipelines +name: tekton +version: 0.0.1-SNAPSHOT +icon: https://avatars2.githubusercontent.com/u/47602533 +home: https://github.com/jenkins-x-charts/tekton/ diff --git a/tekton/README.md b/tekton/README.md new file mode 100644 index 0000000..85a5fd4 --- /dev/null +++ b/tekton/README.md @@ -0,0 +1,2 @@ +# tekton pipelines helm chart + diff --git a/tekton/templates/.gitignore b/tekton/templates/.gitignore new file mode 100644 index 0000000..1944fd6 --- /dev/null +++ b/tekton/templates/.gitignore @@ -0,0 +1 @@ +*.tmp diff --git a/tekton/templates/clustertasks.tekton.dev-crd.yaml b/tekton/templates/clustertasks.tekton.dev-crd.yaml new file mode 100644 index 0000000..a0f4ad0 --- /dev/null +++ b/tekton/templates/clustertasks.tekton.dev-crd.yaml @@ -0,0 +1,61 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clustertasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + names: + kind: ClusterTask + plural: clustertasks + categories: + - tekton + - tekton-pipelines + scope: Cluster + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/conditions.tekton.dev-crd.yaml b/tekton/templates/conditions.tekton.dev-crd.yaml new file mode 100644 index 0000000..807e785 --- /dev/null +++ b/tekton/templates/conditions.tekton.dev-crd.yaml @@ -0,0 +1,37 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: conditions.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + names: + kind: Condition + plural: conditions + categories: + - tekton + - tekton-pipelines + scope: Namespaced + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + version: v1alpha1 diff --git a/tekton/templates/config-artifact-bucket-cm.yaml b/tekton/templates/config-artifact-bucket-cm.yaml new file mode 100644 index 0000000..58e9693 --- /dev/null +++ b/tekton/templates/config-artifact-bucket-cm.yaml @@ -0,0 +1,33 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-artifact-bucket + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +# data: +# # location of the gcs bucket to be used for artifact storage +# location: "gs://bucket-name" +# # name of the secret that will contain the credentials for the service account +# # with access to the bucket +# bucket.service.account.secret.name: +# # The key in the secret with the required service account json +# bucket.service.account.secret.key: +# # The field name that should be used for the service account +# # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG. +# bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS diff --git a/tekton/templates/config-artifact-pvc-cm.yaml b/tekton/templates/config-artifact-pvc-cm.yaml new file mode 100644 index 0000000..f3ca3b1 --- /dev/null +++ b/tekton/templates/config-artifact-pvc-cm.yaml @@ -0,0 +1,28 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-artifact-pvc + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +# data: +# # size of the PVC volume +# size: 5Gi +# +# # storage class of the PVC volume +# storageClassName: storage-class-name diff --git a/tekton/templates/config-defaults-cm.yaml b/tekton/templates/config-defaults-cm.yaml new file mode 100644 index 0000000..a75dc28 --- /dev/null +++ b/tekton/templates/config-defaults-cm.yaml @@ -0,0 +1,70 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-timeout-minutes contains the default number of + # minutes to use for TaskRun and PipelineRun, if none is specified. + default-timeout-minutes: "60" # 60 minutes + + # default-service-account contains the default service account name + # to use for TaskRun and PipelineRun, if none is specified. + default-service-account: "default" + + # default-managed-by-label-value contains the default value given to the + # "app.kubernetes.io/managed-by" label applied to all Pods created for + # TaskRuns. If a user's requested TaskRun specifies another value for this + # label, the user's request supercedes. + default-managed-by-label-value: "tekton-pipelines" + + # default-pod-template contains the default pod template to use + # TaskRun and PipelineRun, if none is specified. If a pod template + # is specified, the default pod template is ignored. + # default-pod-template: + + # default-cloud-events-sink contains the default CloudEvents sink to be + # used for TaskRun and PipelineRun, when no sink is specified. + # Note that right now it is still not possible to set a PipelineRun or + # TaskRun specific sink, so the default is the only option available. + # If no sink is specified, no CloudEvent is generated + # default-cloud-events-sink: + + # default-task-run-workspace-binding contains the default workspace + # configuration provided for any Workspaces that a Task declares + # but that a TaskRun does not explicitly provide. + # default-task-run-workspace-binding: | + # emptyDir: {} diff --git a/tekton/templates/config-leader-election-cm.yaml b/tekton/templates/config-leader-election-cm.yaml new file mode 100644 index 0000000..cec52e4 --- /dev/null +++ b/tekton/templates/config-leader-election-cm.yaml @@ -0,0 +1,28 @@ +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # An inactive but valid configuration follows; see example. + resourceLock: "leases" + leaseDuration: "15s" + renewDeadline: "10s" + retryPeriod: "2s" diff --git a/tekton/templates/config-logging-cm.yaml b/tekton/templates/config-logging-cm.yaml new file mode 100644 index 0000000..b8742ec --- /dev/null +++ b/tekton/templates/config-logging-cm.yaml @@ -0,0 +1,52 @@ +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Common configuration for all knative codebase + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" diff --git a/tekton/templates/config-observability-cm.yaml b/tekton/templates/config-observability-cm.yaml new file mode 100644 index 0000000..353ddc3 --- /dev/null +++ b/tekton/templates/config-observability-cm.yaml @@ -0,0 +1,56 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using Stackdriver will incur additional charges. + metrics.backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used and metrics will be sent to the cluster's project if this field is + # not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed + # to send metrics to Stackdriver using "global" resource type and custom + # metric type. Setting this flag to "true" could cause extra Stackdriver + # charge. If metrics.backend-destination is not Stackdriver, this is + # ignored. + metrics.allow-stackdriver-custom-metrics: "false" diff --git a/tekton/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml b/tekton/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml new file mode 100644 index 0000000..de26859 --- /dev/null +++ b/tekton/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml @@ -0,0 +1,22 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: config.webhook.pipeline.tekton.dev + objectSelector: + matchLabels: + app.kubernetes.io/part-of: tekton-pipelines diff --git a/tekton/templates/feature-flags-cm.yaml b/tekton/templates/feature-flags-cm.yaml new file mode 100644 index 0000000..9313eee --- /dev/null +++ b/tekton/templates/feature-flags-cm.yaml @@ -0,0 +1,60 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" will prevent Tekton to create an + # Affinity Assistant for every TaskRun sharing a PVC workspace + # + # The default behaviour is for Tekton to create Affinity Assistants + # + # See more in the workspace documentation about Affinity Assistant + # https://github.com/tektoncd/pipeline/blob/master/docs/workspaces.md#affinity-assistant-and-specifying-workspace-order-in-a-pipeline + # or https://github.com/tektoncd/pipeline/pull/2630 for more info. + disable-affinity-assistant: "false" + # Setting this flag to "true" will prevent Tekton overriding your + # Task container's $HOME environment variable. + # + # The default behaviour currently is for Tekton to override the + # $HOME environment variable but this will change in an upcoming + # release. + # + # See https://github.com/tektoncd/pipeline/issues/2013 for more + # info. + disable-home-env-overwrite: "false" + # Setting this flag to "true" will prevent Tekton overriding your + # Task container's working directory. + # + # The default behaviour currently is for Tekton to override the + # working directory if not set by the user but this will change + # in an upcoming release. + # + # See https://github.com/tektoncd/pipeline/issues/1836 for more + # info. + disable-working-directory-overwrite: "false" + # This option should be set to false when Pipelines is running in a + # cluster that does not use injected sidecars such as Istio. Setting + # it to false should decrease the time it takes for a TaskRun to start + # running. For clusters that use injected sidecars, setting this + # option to false can lead to unexpected behavior. + # + # See https://github.com/tektoncd/pipeline/issues/2080 for more info. + running-in-environment-with-injected-sidecars: "true" diff --git a/tekton/templates/images.caching.internal.knative.dev-crd.yaml b/tekton/templates/images.caching.internal.knative.dev-crd.yaml new file mode 100644 index 0000000..1ca1d22 --- /dev/null +++ b/tekton/templates/images.caching.internal.knative.dev-crd.yaml @@ -0,0 +1,37 @@ +# Copyright 2018 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: images.caching.internal.knative.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + knative.dev/crd-install: "true" +spec: + group: caching.internal.knative.dev + version: v1alpha1 + names: + kind: Image + plural: images + singular: image + categories: + - knative-internal + - caching + shortNames: + - img + scope: Namespaced + subresources: + status: {} diff --git a/tekton/templates/pipelineresources.tekton.dev-crd.yaml b/tekton/templates/pipelineresources.tekton.dev-crd.yaml new file mode 100644 index 0000000..497a729 --- /dev/null +++ b/tekton/templates/pipelineresources.tekton.dev-crd.yaml @@ -0,0 +1,37 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelineresources.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + names: + kind: PipelineResource + plural: pipelineresources + categories: + - tekton + - tekton-pipelines + scope: Namespaced + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + version: v1alpha1 diff --git a/tekton/templates/pipelineruns.tekton.dev-crd.yaml b/tekton/templates/pipelineruns.tekton.dev-crd.yaml new file mode 100644 index 0000000..1dbb95a --- /dev/null +++ b/tekton/templates/pipelineruns.tekton.dev-crd.yaml @@ -0,0 +1,77 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelineruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + names: + kind: PipelineRun + plural: pipelineruns + categories: + - tekton + - tekton-pipelines + shortNames: + - pr + - prs + scope: Namespaced + additionalPrinterColumns: + - name: Succeeded + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + JSONPath: .status.startTime + - name: CompletionTime + type: date + JSONPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/pipelines.tekton.dev-crd.yaml b/tekton/templates/pipelines.tekton.dev-crd.yaml new file mode 100644 index 0000000..2641079 --- /dev/null +++ b/tekton/templates/pipelines.tekton.dev-crd.yaml @@ -0,0 +1,61 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pipelines.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + names: + kind: Pipeline + plural: pipelines + categories: + - tekton + - tekton-pipelines + scope: Namespaced + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/runs.tekton.dev-crd.yaml b/tekton/templates/runs.tekton.dev-crd.yaml new file mode 100644 index 0000000..b391408 --- /dev/null +++ b/tekton/templates/runs.tekton.dev-crd.yaml @@ -0,0 +1,71 @@ +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: runs.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: true + names: + kind: Run + plural: runs + categories: + - tekton + - tekton-pipelines + scope: Namespaced + additionalPrinterColumns: + - name: Succeeded + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + JSONPath: .status.startTime + - name: CompletionTime + type: date + JSONPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/taskruns.tekton.dev-crd.yaml b/tekton/templates/taskruns.tekton.dev-crd.yaml new file mode 100644 index 0000000..3f2b164 --- /dev/null +++ b/tekton/templates/taskruns.tekton.dev-crd.yaml @@ -0,0 +1,77 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: taskruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + names: + kind: TaskRun + plural: taskruns + categories: + - tekton + - tekton-pipelines + shortNames: + - tr + - trs + scope: Namespaced + additionalPrinterColumns: + - name: Succeeded + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + JSONPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + JSONPath: .status.startTime + - name: CompletionTime + type: date + JSONPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/tasks.tekton.dev-crd.yaml b/tekton/templates/tasks.tekton.dev-crd.yaml new file mode 100644 index 0000000..8364990 --- /dev/null +++ b/tekton/templates/tasks.tekton.dev-crd.yaml @@ -0,0 +1,61 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" + version: "v0.16.3" +spec: + group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + names: + kind: Task + plural: tasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines diff --git a/tekton/templates/tekton-aggregate-edit-clusterrole.yaml b/tekton/templates/tekton-aggregate-edit-clusterrole.yaml new file mode 100644 index 0000000..22ac1bd --- /dev/null +++ b/tekton/templates/tekton-aggregate-edit-clusterrole.yaml @@ -0,0 +1,42 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-edit + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - pipelineresources + - conditions + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch diff --git a/tekton/templates/tekton-aggregate-view-clusterrole.yaml b/tekton/templates/tekton-aggregate-view-clusterrole.yaml new file mode 100644 index 0000000..1bc2648 --- /dev/null +++ b/tekton/templates/tekton-aggregate-view-clusterrole.yaml @@ -0,0 +1,36 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-view + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - pipelineresources + - conditions + verbs: + - get + - list + - watch diff --git a/tekton/templates/tekton-bot-sa.yaml b/tekton/templates/tekton-bot-sa.yaml new file mode 100644 index 0000000..9736cda --- /dev/null +++ b/tekton/templates/tekton-bot-sa.yaml @@ -0,0 +1,25 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-bot + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +secrets: +- name: tekton-git +- name: tekton-container-registry-auth diff --git a/tekton/templates/tekton-container-registry-auth-secret.yaml b/tekton/templates/tekton-container-registry-auth-secret.yaml new file mode 100644 index 0000000..02e75bd --- /dev/null +++ b/tekton/templates/tekton-container-registry-auth-secret.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +data: + .dockerconfigjson: {{ .Values.auth.docker.configJson | b64enc | quote }} +kind: Secret +metadata: + name: tekton-container-registry-auth + namespace: tekton-pipelines + annotations: + tekton.dev/docker-0: {{ .Values.auth.docker.url | quote }} + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +type: kubernetes.io/dockerconfigjson diff --git a/tekton/templates/tekton-git-secret.yaml b/tekton/templates/tekton-git-secret.yaml new file mode 100644 index 0000000..3291d12 --- /dev/null +++ b/tekton/templates/tekton-git-secret.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +data: + password: {{ .Values.auth.git.password | b64enc | quote }} + username: {{ .Values.auth.git.username | b64enc | quote }} +kind: Secret +metadata: + name: tekton-git + namespace: tekton-pipelines + annotations: + tekton.dev/git-0: {{ .Values.auth.git.url | quote }} + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +type: kubernetes.io/basic-auth diff --git a/tekton/templates/tekton-pipelines-controller-cluster-access-clusterrole.yaml b/tekton/templates/tekton-pipelines-controller-cluster-access-clusterrole.yaml new file mode 100644 index 0000000..b367556 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-cluster-access-clusterrole.yaml @@ -0,0 +1,43 @@ +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- apiGroups: [""] + # Namespace access is required because the controller timeout handling logic + # iterates over all namespaces and times out any PipelineRuns that have expired. + # Pod access is required because the taskrun controller wants to be updated when + # a Pod underlying a TaskRun changes state. + resources: ["namespaces", "pods"] + verbs: ["list", "watch"] + # Controller needs cluster access to all of the CRDs that it is responsible for + # managing. +- apiGroups: ["tekton.dev"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", + "conditions"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["tekton.dev"] + resources: ["taskruns/finalizers", "pipelineruns/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["tekton.dev"] + resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", + "pipelineruns/status", "pipelineresources/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-cluster-access-crb.yaml b/tekton/templates/tekton-pipelines-controller-cluster-access-crb.yaml new file mode 100644 index 0000000..b416438 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-cluster-access-crb.yaml @@ -0,0 +1,30 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-cluster-access + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-deploy.yaml b/tekton/templates/tekton-pipelines-controller-deploy.yaml new file mode 100644 index 0000000..8401f0a --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-deploy.yaml @@ -0,0 +1,107 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + version: "v0.16.3" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.16.3" + spec: + serviceAccountName: tekton-pipelines-controller + containers: + - name: tekton-pipelines-controller + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.16.3@sha256:a14129ffff1c46b39a9cb82e44096b49770efc4f1f8b85fb67d1bb00af906c44 + args: [ + # These images are built on-demand by `ko resolve` and are replaced + # by image references by digest. + "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.16.3@sha256:e35c309c4ddba302d550e84ab99f9fcd1593a257e06749435d58974f7544b042", + "-creds-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.16.3@sha256:6511445893b09699cf74ab7fb5874c43f490d8e29fb3ea1f4cde0b83dacb03ac", + "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.16.3@sha256:17d8d9f55002fccf40e0c83ff2773a1db120beddfa53b87e5e2879e149050659", + "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.16.3@sha256:2c691255e2b1e3987235d18c11da6081626f194ec5e44c1317d76d8b4eb80ef6", + "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.16.3@sha256:04ef155888ef3616266c511873069813f9da31d32c31a5d74f9443dc93058699", + "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.16.3@sha256:42578816dbaf7fb79bce7b6d347e655bb30aa5c545697f06cd84bcafbead4482", + "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.16.3@sha256:7fe4999ed8d5c0d46ee7d99ef5c2a0ccc7bfbe36d349e443d9e9ce73143453d0", + "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.16.3@sha256:cfd7324098dfc0913930f33889920d6f7205994c730f436d50c22ef267300fa2", + # This is google/cloud-sdk:302.0.0-slim + "-gsutil-image", "google/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f", + # The shell image must be root in order to create directories and copy files to PVCs. + # gcr.io/distroless/base:debug-nonroot as of July 23, 2020 + "-shell-image", "gcr.io/distroless/base@sha256:60f5ffe6fc481e9102747b043b3873a01893a5a8138f970c5f5fc06fb7494656"] + volumeMounts: + - name: config-logging + mountPath: /etc/config-logging + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_ARTIFACT_BUCKET_NAME + value: config-artifact-bucket + - name: CONFIG_ARTIFACT_PVC_NAME + value: config-artifact-pvc + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + securityContext: + allowPrivilegeEscalation: false + runAsUser: 1001 + volumes: + - name: config-logging + configMap: + name: config-logging \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-leaderelection-crb.yaml b/tekton/templates/tekton-pipelines-controller-leaderelection-crb.yaml new file mode 100644 index 0000000..8a6832a --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-leaderelection-crb.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-leaderelection + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-rb.yaml b/tekton/templates/tekton-pipelines-controller-rb.yaml new file mode 100644 index 0000000..961e6cf --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-rb.yaml @@ -0,0 +1,31 @@ +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-controller + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-role.yaml b/tekton/templates/tekton-pipelines-controller-role.yaml new file mode 100644 index 0000000..20cfd65 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-role.yaml @@ -0,0 +1,37 @@ +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] +- # The controller needs access to these configmaps for logging information and runtime configuration. + apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", + "config-artifact-pvc", "feature-flags", "config-leader-election"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines"] + verbs: ["use"] \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-sa.yaml b/tekton/templates/tekton-pipelines-controller-sa.yaml new file mode 100644 index 0000000..5ad8fe8 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-sa.yaml @@ -0,0 +1,22 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-svc.yaml b/tekton/templates/tekton-pipelines-controller-svc.yaml new file mode 100644 index 0000000..7fd8d91 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-svc.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.16.3" + name: tekton-pipelines-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines diff --git a/tekton/templates/tekton-pipelines-controller-tenant-access-clusterrole.yaml b/tekton/templates/tekton-pipelines-controller-tenant-access-clusterrole.yaml new file mode 100644 index 0000000..5e6a5b0 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-tenant-access-clusterrole.yaml @@ -0,0 +1,22 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- apiGroups: [""] + resources: ["pods", "pods/log", "secrets", "events", "serviceaccounts", "configmaps", + "persistentvolumeclaims", "limitranges"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Unclear if this access is actually required. Simply a hold-over from the previous + # incarnation of the controller's ClusterRole. +- apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["apps"] + resources: ["deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-controller-tenant-access-crb.yaml b/tekton/templates/tekton-pipelines-controller-tenant-access-crb.yaml new file mode 100644 index 0000000..0ebdd12 --- /dev/null +++ b/tekton/templates/tekton-pipelines-controller-tenant-access-crb.yaml @@ -0,0 +1,20 @@ +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. The access described by +# the tekton-pipelines-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-tenant-access + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-leader-election-clusterrole.yaml b/tekton/templates/tekton-pipelines-leader-election-clusterrole.yaml new file mode 100644 index 0000000..d8047ea --- /dev/null +++ b/tekton/templates/tekton-pipelines-leader-election-clusterrole.yaml @@ -0,0 +1,12 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-leader-election + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- # We uses leases for leaderelection + apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/tekton/templates/tekton-pipelines-ns.yaml b/tekton/templates/tekton-pipelines-ns.yaml new file mode 100644 index 0000000..5254a8c --- /dev/null +++ b/tekton/templates/tekton-pipelines-ns.yaml @@ -0,0 +1,21 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines diff --git a/tekton/templates/tekton-pipelines-podsecuritypolicy.yaml b/tekton/templates/tekton-pipelines-podsecuritypolicy.yaml new file mode 100644 index 0000000..d14ba28 --- /dev/null +++ b/tekton/templates/tekton-pipelines-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'emptyDir' + - 'configMap' + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 diff --git a/tekton/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml b/tekton/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml new file mode 100644 index 0000000..aab247a --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml @@ -0,0 +1,40 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- # The webhook needs to be able to list and update customresourcedefinitions, + # mainly to update the webhook certificates. + apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "list", "update", "patch", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. + verbs: ["list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. + resourceNames: ["webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. + # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure + resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines"] + verbs: ["use"] \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-webhook-cluster-access-crb.yaml b/tekton/templates/tekton-pipelines-webhook-cluster-access-crb.yaml new file mode 100644 index 0000000..cdc9d55 --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-cluster-access-crb.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-webhook-deploy.yaml b/tekton/templates/tekton-pipelines-webhook-deploy.yaml new file mode 100644 index 0000000..9f5d6fc --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-deploy.yaml @@ -0,0 +1,103 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + # Note: the Deployment name must be the same as the Service name specified in + # config/400-webhook-service.yaml. If you change this name, you must also + # change the value of WEBHOOK_SERVICE_NAME below. + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + version: "v0.16.3" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-webhook + version: "v0.16.3" + spec: + serviceAccountName: tekton-pipelines-webhook + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.16.3@sha256:5087d4022a4688990cf04eee003d76fc736a939b011a62a160c89ae5bd6b7c20 + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - # If you are changing these names, you will also need to update + # the webhook's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: WEBHOOK_SERVICE_NAME + value: tekton-pipelines-webhook + - name: WEBHOOK_SECRET_NAME + value: webhook-certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + securityContext: + allowPrivilegeEscalation: false + runAsUser: 1001 + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + livenessProbe: + tcpSocket: + port: https-webhook + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: https-webhook + initialDelaySeconds: 5 + periodSeconds: 10 \ No newline at end of file diff --git a/tekton/templates/tekton-pipelines-webhook-leaderelection-crb.yaml b/tekton/templates/tekton-pipelines-webhook-leaderelection-crb.yaml new file mode 100644 index 0000000..a55bda0 --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-leaderelection-crb.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-webhook-leaderelection + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io diff --git a/tekton/templates/tekton-pipelines-webhook-rb.yaml b/tekton/templates/tekton-pipelines-webhook-rb.yaml new file mode 100644 index 0000000..55ff88d --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-rb.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-webhook + apiGroup: rbac.authorization.k8s.io diff --git a/tekton/templates/tekton-pipelines-webhook-role.yaml b/tekton/templates/tekton-pipelines-webhook-role.yaml new file mode 100644 index 0000000..7644f73 --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-role.yaml @@ -0,0 +1,32 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] +- # The webhook needs access to these configmaps for logging information. + apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-leader-election"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] +- # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["webhook-certs"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines"] + verbs: ["use"] diff --git a/tekton/templates/tekton-pipelines-webhook-sa.yaml b/tekton/templates/tekton-pipelines-webhook-sa.yaml new file mode 100644 index 0000000..0d45910 --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-sa.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines diff --git a/tekton/templates/tekton-pipelines-webhook-svc.yaml b/tekton/templates/tekton-pipelines-webhook-svc.yaml new file mode 100644 index 0000000..99715d3 --- /dev/null +++ b/tekton/templates/tekton-pipelines-webhook-svc.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.16.3" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.16.3" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-webhook + version: "v0.16.3" + name: tekton-pipelines-webhook + namespace: tekton-pipelines +spec: + ports: + - # Define metrics and profiling for them to be accessible within service meshes. + name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines diff --git a/tekton/templates/validation.webhook.pipeline.tekton.dev-valwebhookcfg.yaml b/tekton/templates/validation.webhook.pipeline.tekton.dev-valwebhookcfg.yaml new file mode 100644 index 0000000..0dd66aa --- /dev/null +++ b/tekton/templates/validation.webhook.pipeline.tekton.dev-valwebhookcfg.yaml @@ -0,0 +1,19 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: validation.webhook.pipeline.tekton.dev \ No newline at end of file diff --git a/tekton/templates/webhook-certs-secret.yaml b/tekton/templates/webhook-certs-secret.yaml new file mode 100644 index 0000000..9ad1910 --- /dev/null +++ b/tekton/templates/webhook-certs-secret.yaml @@ -0,0 +1,25 @@ +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: webhook-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" +# The data is populated at install time. \ No newline at end of file diff --git a/tekton/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml b/tekton/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml new file mode 100644 index 0000000..7cb5fec --- /dev/null +++ b/tekton/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml @@ -0,0 +1,19 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.16.3" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: webhook.pipeline.tekton.dev \ No newline at end of file diff --git a/tekton/values.yaml b/tekton/values.yaml new file mode 100644 index 0000000..98bd8d8 --- /dev/null +++ b/tekton/values.yaml @@ -0,0 +1,9 @@ +auth: + git: + username: + password: + url: https://github.com + docker: + # if specified use the docker config.json style secret like this: + # https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#configuring-docker-authentication-for-docker + configJson: "" \ No newline at end of file