├── argocd ├── base │ ├── namespace.yaml │ └── kustomization.yaml └── overlays │ └── production │ ├── kustomization.yaml │ └── argocd-server-svc-patch.yaml ├── argo-events ├── base │ ├── namespace.yaml │ ├── kustomization.yaml │ ├── install-validating-webhook.yaml │ └── install.yaml └── overlays │ └── production │ └── kustomization.yaml ├── cmds ├── get-argocd-admin-pwd.sh ├── get-cluster-ca.sh ├── get-vcluster-kubeconfig.sh ├── get-vault-auth-token.sh ├── install-argocd.sh └── patch-argocd-server.sh ├── vclusters └── vcluster1 │ ├── vcluster1-patch │ ├── namespace.yaml │ └── ingress.yaml │ ├── kustomization.yaml │ ├── vcluster1-patch-app.yaml │ └── vcluster1-app.yaml ├── cert-manager ├── base │ └── kustomization.yaml └── overlays │ └── production │ ├── clusterissuer-root-issuer.yaml │ ├── kustomization.yaml │ ├── external-root-issuer.yaml │ └── secretstore.yaml ├── runtimes └── pipeline1-runtime │ ├── kustomization.yaml │ ├── pipeline1-project.yaml │ ├── production │ ├── tekton-app.yaml │ ├── patch-app.yaml │ ├── argo-events-app.yaml │ ├── patch │ │ └── ingress-argocd.yaml │ ├── external-secret-app.yaml │ └── vault-app.yaml │ └── pipeline1-app.yaml ├── tekton ├── base │ ├── kustomization.yaml │ ├── tekton-dashboard-release.yaml │ └── release.yaml └── overlays │ └── production │ ├── configmap-feature-flags-patch.yaml │ ├── kustomization.yaml │ └── dashboard-ingress.yaml ├── production ├── patch │ ├── serverstransport-default.yaml │ ├── vault-rbac.yaml │ └── ingress-argocd.yaml ├── patch-app.yaml ├── cert-manager-app.yaml ├── external-secret-app.yaml ├── vcluster-appset.yaml ├── metallb-app.yaml ├── runtime-appset.yaml ├── runtime-argocd-appset.yaml ├── traefik-app.yaml └── vault-app.yaml ├── project.yaml ├── app.yaml ├── README.md └── LICENSE /argocd/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: argocd 7 | 8 | 
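--------------------------------------------------------------------------------
/argo-events/base/namespace.yaml:
--------------------------------------------------------------------------------
---

# Namespace for the Argo Events components; the kustomizations under
# argo-events/ set `namespace: argo-events` to place their resources here.
apiVersion: v1
kind: Namespace
metadata:
  name: argo-events

--------------------------------------------------------------------------------
/cmds/get-argocd-admin-pwd.sh:
--------------------------------------------------------------------------------
# Print the bootstrap Argo CD admin password held in the Secret
# argocd-initial-admin-secret (namespace argocd).
#
# The password is written to stdout in clear text, so do not run this where
# output is recorded (CI logs, shared terminal sessions). Once the admin
# password has been changed, delete the bootstrap Secret so the original
# credential can no longer be read back from the cluster.
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d
--------------------------------------------------------------------------------
/cmds/get-cluster-ca.sh:
--------------------------------------------------------------------------------
# Print the decoded certificate-authority-data entries of a kubeconfig file.
# Usage: get-cluster-ca.sh <path-to-kubeconfig>
#
# The path is kept in a private variable rather than KUBECONFIG, which is the
# variable kubectl itself reads, and it is quoted so a path containing spaces
# or glob characters is passed to grep as a single argument.
kubeconfig_file="${1:?usage: get-cluster-ca.sh <path-to-kubeconfig>}"
grep certificate-authority-data "$kubeconfig_file" | awk '{print $2}' | base64 -d
--------------------------------------------------------------------------------
/vclusters/vcluster1/vcluster1-patch/namespace.yaml:
--------------------------------------------------------------------------------
---
# Namespace that hosts the vcluster1 virtual cluster and its ingress resources.
apiVersion: v1
kind: Namespace
metadata:
  name: vcluster1
--------------------------------------------------------------------------------
/cmds/get-vcluster-kubeconfig.sh:
--------------------------------------------------------------------------------
# Print the kubeconfig stored in Secret vc-<name>-app in namespace <name>.
# Usage: get-vcluster-kubeconfig.sh <vcluster-name>
#
# The output is a credential for the virtual cluster. Redirect it to a file
# with restrictive permissions (for example under `umask 077`) and keep it out
# of logs and version control.
# The argument is required and quoted so that an empty or space-containing
# value cannot change which Secret or namespace kubectl is asked for.
VCLUSTER="${1:?usage: get-vcluster-kubeconfig.sh <vcluster-name>}"
kubectl get secret "vc-${VCLUSTER}-app" -n "${VCLUSTER}" --template='{{.data.config}}' | base64 -d
--------------------------------------------------------------------------------
/cert-manager/base/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Vendored cert-manager manifest; the file itself does not appear in this
  # listing, so its contents cannot be reviewed from here.
  - cert-manager-1.8.0.yaml
--------------------------------------------------------------------------------
/cmds/get-vault-auth-token.sh: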
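--------------------------------------------------------------------------------
# Print the token of ServiceAccount vault/vault-auth, read from the first
# Secret listed under the ServiceAccount's `.secrets`.
#
# The token is a long-lived credential bound to system:auth-delegator (see
# production/patch/vault-rbac.yaml); it is printed in clear text, so keep the
# output out of logs and rotate it if it leaks.
#
# The Secret name is checked before use. When `.secrets` is empty (Kubernetes
# 1.24 and later no longer create token Secrets automatically) the original
# pipeline still ran `kubectl get secret -n vault` without a name instead of
# failing.
secret_name="$(kubectl get sa -n vault vault-auth -o jsonpath="{.secrets[0].name}")"
if [ -z "$secret_name" ]; then
  echo "ServiceAccount vault/vault-auth lists no token Secret in .secrets" >&2
  exit 1
fi
kubectl get secret -n vault "$secret_name" -o jsonpath="{.data.token}" | base64 -d
--------------------------------------------------------------------------------
/cmds/install-argocd.sh:
--------------------------------------------------------------------------------
# Bootstrap install of Argo CD into namespace argocd.
#
# NOTE(review): the manifest is fetched at run time from the moving `stable`
# ref and applied unreviewed, so the installed content can change between
# runs. Pin the URL to a release tag or commit (<PINNED_TAG> in place of
# `stable`), or apply a vendored copy that has been reviewed.
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
--------------------------------------------------------------------------------
/argo-events/overlays/production/kustomization.yaml:
--------------------------------------------------------------------------------
# Production overlay: reuses the argo-events base unchanged and pins every
# resource to the argo-events namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
namespace: argo-events
--------------------------------------------------------------------------------
/argocd/base/kustomization.yaml:
--------------------------------------------------------------------------------
# Base for Argo CD: the namespace plus a vendored install manifest
# (argocd-install.yaml is not part of this listing).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - argocd-install.yaml
namespace: argocd
--------------------------------------------------------------------------------
/cmds/patch-argocd-server.sh:
--------------------------------------------------------------------------------
# Annotate the argocd-server Service so Traefik uses the ServersTransport
# `default` in namespace `traefik` (<namespace>-<name>@kubernetescrd) when it
# connects to the backend.
#
# NOTE(review): that transport is defined in
# production/patch/serverstransport-default.yaml with insecureSkipVerify: true,
# so Traefik does not verify the argocd-server certificate on this hop.
kubectl patch service argocd-server -n argocd -p '{"metadata":{"annotations":{"traefik.ingress.kubernetes.io/service.serverstransport":"traefik-default@kubernetescrd"}}}'
--------------------------------------------------------------------------------
/vclusters/vcluster1/kustomization.yaml:
--------------------------------------------------------------------------------
# Argo CD Applications that create vcluster1 and its patch resources; both are
# created in the argocd namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - vcluster1-app.yaml
  - vcluster1-patch-app.yaml
namespace: argocd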

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/kustomization.yaml:
--------------------------------------------------------------------------------
# Resources applied inside the runtime cluster: its AppProject and the
# app-of-apps Application, both in the argocd namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pipeline1-project.yaml
  - pipeline1-app.yaml
namespace: argocd

--------------------------------------------------------------------------------
/tekton/base/kustomization.yaml:
--------------------------------------------------------------------------------
# Tekton Pipelines and Tekton Dashboard release manifests (vendored files that
# are not part of this listing).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - release.yaml
  - tekton-dashboard-release.yaml
namespace: tekton-pipelines

--------------------------------------------------------------------------------
/argocd/overlays/production/kustomization.yaml:
--------------------------------------------------------------------------------
# Production overlay for Argo CD: the base plus a patch that adds the Traefik
# ServersTransport annotation to the argocd-server Service.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patchesStrategicMerge:
  - argocd-server-svc-patch.yaml

--------------------------------------------------------------------------------
/production/patch/serverstransport-default.yaml:
--------------------------------------------------------------------------------
# Traefik ServersTransport that Services select with the annotation value
# `traefik-default@kubernetescrd` (<namespace>-<name>@kubernetescrd).
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: default
  namespace: traefik
spec:
  # NOTE(review): turns off verification of the backend's TLS certificate for
  # every Service that selects this transport, so Traefik cannot distinguish
  # the intended backend from anything else answering on that address. Prefer
  # trusting the backend's CA (`rootCAsSecrets`, plus `serverName` where the
  # certificate name differs) and leaving verification enabled.
  insecureSkipVerify: true

--------------------------------------------------------------------------------
/cert-manager/overlays/production/clusterissuer-root-issuer.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide CA issuer. Certificates requested with the annotation
# `cert-manager.io/cluster-issuer: org-issuer` are signed with the key pair in
# Secret `root-issuer`.
# NOTE(review): a ClusterIssuer can be referenced from any namespace, so unless
# an approval policy restricts it, any workload owner who can create an
# Ingress or Certificate can obtain certificates signed by this CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: org-issuer
spec:
  ca:
    # Secret holding the CA certificate and private key (tls.crt / tls.key);
    # populated by the ExternalSecret in external-root-issuer.yaml.
    secretName: root-issuer

--------------------------------------------------------------------------------
/argo-events/base/kustomization.yaml:
--------------------------------------------------------------------------------
# Argo Events base: namespace, the install manifest and the validating
# admission webhook, all placed in the argo-events namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - install.yaml
  - install-validating-webhook.yaml
namespace: argo-events

--------------------------------------------------------------------------------
/tekton/overlays/production/configmap-feature-flags-patch.yaml:
--------------------------------------------------------------------------------
# Strategic-merge patch for Tekton's feature-flags ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines
data:
  # ConfigMap values are strings, hence the quoted "true".
  disable-affinity-assistant: "true"

--------------------------------------------------------------------------------
/argocd/overlays/production/argocd-server-svc-patch.yaml:
--------------------------------------------------------------------------------
# Patch for the argocd-server Service: selects the Traefik ServersTransport
# `default` in namespace `traefik` for the Traefik -> argocd-server hop.
# NOTE(review): production/patch/serverstransport-default.yaml defines a
# transport of that name with insecureSkipVerify: true; if the runtime cluster
# uses the same definition, the backend certificate is not verified.
apiVersion: v1
kind: Service
metadata:
  name: argocd-server
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: traefik-default@kubernetescrd

--------------------------------------------------------------------------------
/cert-manager/overlays/production/kustomization.yaml:
--------------------------------------------------------------------------------
# cert-manager plus the resources that feed it a CA: the Vault-backed
# SecretStore, the ExternalSecret that materialises the CA key pair, and the
# ClusterIssuer that signs with it.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - secretstore.yaml
  - external-root-issuer.yaml
  - clusterissuer-root-issuer.yaml

--------------------------------------------------------------------------------
/tekton/overlays/production/kustomization.yaml:
--------------------------------------------------------------------------------
# Tekton production overlay: base releases, the dashboard Ingress and the
# feature-flags patch.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - dashboard-ingress.yaml
patchesStrategicMerge:
  - configmap-feature-flags-patch.yaml
namespace: tekton-pipelines

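--------------------------------------------------------------------------------
/project.yaml:
--------------------------------------------------------------------------------
# Argo CD project used by the host-cluster Applications and ApplicationSets.
#
# NOTE(review): every field below is a wildcard, so the project places no
# limit on what its Applications may deploy: any source repository, any
# registered cluster and namespace, and any resource kind including
# cluster-scoped ones (RBAC bindings, CRDs, admission webhooks). Combined with
# automated sync, write access to a tracked repository is equivalent to
# cluster-admin on every destination.
# For anything beyond a demo, list the sources and destinations explicitly.
# Those referenced by demo-vcluster Applications in this listing are: this
# Git repository, https://charts.external-secrets.io, https://charts.loft.sh,
# https://metallb.github.io/metallb, https://helm.traefik.io/traefik and
# https://helm.releases.hashicorp.com/ as sources; https://kubernetes.default.svc
# and https://192.168.0.184:31543 as destinations.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: demo-vcluster
  namespace: argocd
  finalizers:
    # Blocks deletion of the project while Applications still reference it.
    - resources-finalizer.argocd.argoproj.io
spec:
  description: demo
  sourceRepos:
    - '*'
  destinations:
    - namespace: '*'
      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'

--------------------------------------------------------------------------------
/production/patch/vault-rbac.yaml:
--------------------------------------------------------------------------------
# ServiceAccount whose token Vault's Kubernetes auth method uses to validate
# other service-account tokens (README step 5).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault
---
# Grants vault-auth the system:auth-delegator ClusterRole (token and access
# review calls). The token is exported with cmds/get-vault-auth-token.sh and
# stored outside the cluster, so treat it as a long-lived credential.
#
# The API version is rbac.authorization.k8s.io/v1: the v1beta1 version used
# previously is no longer served from Kubernetes 1.22 onwards, and v1 accepts
# the same fields.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: vault

--------------------------------------------------------------------------------
/tekton/overlays/production/dashboard-ingress.yaml:
--------------------------------------------------------------------------------
---
# Exposes the Tekton Dashboard through the ingress controller.
#
# NOTE(review): unlike the argocd Ingresses in this repository, this one has
# no `tls:` section and no cert-manager annotation, so the dashboard is served
# over plain HTTP. Nothing in this manifest authenticates callers either; put
# an authenticating proxy or ingress middleware in front of it, add TLS, and
# confirm whether the installed dashboard release is read-only.
# The nip.io host name resolves to the IP address embedded in it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pipeline1-tekton
  namespace: tekton-pipelines
spec:
  rules:
    - host: tekton.pipeline1.119-8-58-20.nip.io
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: tekton-dashboard
                port:
                  number: 9097

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/pipeline1-project.yaml: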
--------------------------------------------------------------------------------
# Argo CD project for the Applications that run inside the pipeline1 runtime
# cluster.
#
# NOTE(review): all restrictions are wildcards (any source repository, any
# destination cluster and namespace, any cluster- or namespace-scoped kind),
# so the project provides no isolation. With automated sync enabled on its
# Applications, write access to a tracked repository amounts to full control
# of the destination cluster. List the repositories, destinations and kinds
# explicitly outside of a demo.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: demo-pipeline
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  description: production project
  sourceRepos:
    - '*'
  destinations:
    - namespace: '*'
      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'

--------------------------------------------------------------------------------
/cert-manager/overlays/production/external-root-issuer.yaml:
--------------------------------------------------------------------------------
# Copies the CA certificate and private key from Vault (key `root`) into the
# Kubernetes Secret `root-issuer`, which the org-issuer ClusterIssuer signs
# with.
#
# NOTE(review): this places the CA private key in a Kubernetes Secret, where
# anyone able to read Secrets in namespace cert-manager (or etcd, if it is not
# encrypted at rest) can take it. cert-manager also has a Vault issuer type
# that asks Vault to sign, which keeps the key inside Vault.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: root-issuer
  namespace: cert-manager
spec:
  # Vault is polled every 15 seconds for this secret.
  refreshInterval: "15s"
  secretStoreRef:
    name: cert-manager-secretstore
    kind: SecretStore
  target:
    name: root-issuer
  data:
    - secretKey: tls.crt
      remoteRef:
        key: root
        property: tls.crt
    - secretKey: tls.key
      remoteRef:
        key: root
        property: tls.key

--------------------------------------------------------------------------------
/production/patch-app.yaml:
--------------------------------------------------------------------------------
# Application that applies the manifests under production/patch
# (ServersTransport, Vault RBAC, Argo CD Ingress) to the host cluster.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: patch
  namespace: argocd
  finalizers:
    # Deleting the Application also deletes the resources it manages.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    path: production/patch
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    # NOTE(review): HEAD follows the default branch, and automated sync below
    # applies every new commit without a review step in the cluster. Pin a tag
    # or commit where changes must be promoted deliberately.
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      # selfHeal reverts manual changes; prune deletes resources removed
      # from Git.
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/app.yaml:
--------------------------------------------------------------------------------
# Root "app of apps": syncs every manifest under production/ into the argocd
# namespace of the host cluster, which in turn creates the other Applications
# and ApplicationSets.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    path: production
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    # NOTE(review): tracks the default branch; with automated sync, whatever
    # is pushed there is applied (and removed resources are pruned) without a
    # further gate. Pin a tag or commit where that is not intended.
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/production/cert-manager-app.yaml:
--------------------------------------------------------------------------------
# Deploys cert-manager and its issuer configuration from the production
# overlay to the host cluster.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    path: cert-manager/overlays/production
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/production/patch/ingress-argocd.yaml:
--------------------------------------------------------------------------------
---
# Publishes the host cluster's Argo CD server over HTTPS. The certificate in
# Secret argocd-cert is issued by the org-issuer ClusterIssuer, a private CA
# that clients have to trust explicitly.
# NOTE(review): TLS verification covers only the client -> Traefik hop. The
# Traefik -> argocd-server hop uses the ServersTransport selected on the
# Service, which in this repository sets insecureSkipVerify: true.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: org-issuer
spec:
  rules:
    - host: argocd.119-8-58-20.nip.io
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: argocd-server
                port:
                  name: https
  tls:
    - hosts:
        - argocd.119-8-58-20.nip.io
      secretName: argocd-cert

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/tekton-app.yaml:
--------------------------------------------------------------------------------
# Deploys Tekton Pipelines, the dashboard and its Ingress into the cluster
# this Application runs in.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tekton
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    path: tekton/overlays/production
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/vclusters/vcluster1/vcluster1-patch-app.yaml:
--------------------------------------------------------------------------------
# Applies the namespace, ServersTransport, Ingress and NodePort Service that
# expose the vcluster1 API server.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vcluster1-patch
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    path: vclusters/vcluster1/vcluster1-patch
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/production/external-secret-app.yaml:
--------------------------------------------------------------------------------
# Installs the External Secrets Operator from its Helm repository at a fixed
# chart version.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    chart: external-secrets
    repoURL: https://charts.external-secrets.io
    targetRevision: 0.5.7
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/patch-app.yaml:
--------------------------------------------------------------------------------
# Applies the manifests under runtimes/pipeline1-runtime/production/patch
# (the runtime cluster's Argo CD Ingress).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: patch
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    path: runtimes/pipeline1-runtime/production/patch
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/argo-events-app.yaml:
--------------------------------------------------------------------------------
# Deploys Argo Events from the production overlay.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: argo-events
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    path: argo-events/overlays/production
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/pipeline1-app.yaml:
--------------------------------------------------------------------------------
# App-of-apps for the runtime cluster: syncs the Applications under
# runtimes/pipeline1-runtime/production into the local argocd namespace.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: pipeline1
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    path: runtimes/pipeline1-runtime/production
    repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
    # NOTE(review): follows the default branch; automated sync applies each
    # new commit without a gate in the cluster.
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/patch/ingress-argocd.yaml:
--------------------------------------------------------------------------------
# Publishes the runtime cluster's Argo CD server over HTTPS with a
# certificate requested from the org-issuer ClusterIssuer.
# NOTE(review): org-issuer is defined in the cert-manager overlay, and no
# cert-manager Application for the runtime cluster appears in this listing;
# confirm the issuer exists there, otherwise argocd-cert is never issued.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    cert-manager.io/cluster-issuer: org-issuer
spec:
  rules:
    - host: argocd.pipeline1.119-8-58-20.nip.io
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: argocd-server
                port:
                  name: https
  tls:
    - hosts:
        - argocd.pipeline1.119-8-58-20.nip.io
      secretName: argocd-cert

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/external-secret-app.yaml:
--------------------------------------------------------------------------------
# Installs the External Secrets Operator in the runtime cluster at a fixed
# chart version.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    chart: external-secrets
    repoURL: https://charts.external-secrets.io
    targetRevision: 0.5.7
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true

--------------------------------------------------------------------------------
/vclusters/vcluster1/vcluster1-app.yaml:
--------------------------------------------------------------------------------
# Creates the virtual cluster vcluster1 from the vcluster Helm chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vcluster1-app
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    chart: vcluster
    repoURL: https://charts.loft.sh
    targetRevision: 0.10.1
    helm:
      # NOTE(review): the nesting of these values was reconstructed from a
      # whitespace-collapsed listing; confirm against the chart's values.
      values: |-
        vcluster:
          image: rancher/k3s:v1.21.13-k3s1
        syncer:
          extraArgs:
            # Adds the address to the API server certificate's SANs; the same
            # address is used as clusterURL in production/runtime-appset.yaml.
            - --tls-san=192.168.0.184
  destination:
    server: https://kubernetes.default.svc
    namespace: vcluster1
  syncPolicy:
    automated:
      selfHeal: true
      prune: true

--------------------------------------------------------------------------------
/cert-manager/overlays/production/secretstore.yaml:
--------------------------------------------------------------------------------
# External Secrets store that reads from Vault using Kubernetes auth; used by
# the root-issuer ExternalSecret to fetch the CA key pair.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: cert-manager-secretstore
  namespace: cert-manager
spec:
  provider:
    vault:
      # NOTE(review): plain http:// - the service-account token sent to log
      # in and the CA private key returned by Vault cross the network
      # unencrypted. Serve Vault over TLS and use an https:// address with the
      # Vault CA configured on this store.
      server: "http://192.168.0.184:31820"
      # `path` and `version` select a KV version 2 mount named `pki`.
      path: "pki"
      version: "v2"
      auth:
        kubernetes:
          # Path where the Kubernetes authentication backend is mounted in Vault
          mountPath: "host-cluster"
          # A required field containing the Vault Role to assume.
          role: "cert-manager"
          # Optional service account field containing the name
          # of a kubernetes ServiceAccount
          # NOTE(review): `default` is the identity of every pod in this
          # namespace that does not set its own ServiceAccount, so each of
          # them can present the same identity to Vault. Use a dedicated
          # ServiceAccount bound to the Vault role.
          serviceAccountRef:
            name: "default"

--------------------------------------------------------------------------------
/production/vcluster-appset.yaml:
--------------------------------------------------------------------------------
# Generates one Application per listed virtual cluster, each syncing
# vclusters/<cluster> into the host cluster's argocd namespace.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: vcluster-appset
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - cluster: vcluster1
  template:
    metadata:
      name: '{{cluster}}'
    spec:
      project: demo-vcluster
      source:
        repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
        targetRevision: HEAD
        path: vclusters/{{cluster}}
      destination:
        server: https://kubernetes.default.svc
        namespace: argocd
      syncPolicy:
        automated:
          selfHeal: true
          prune: true

--------------------------------------------------------------------------------
/production/metallb-app.yaml:
--------------------------------------------------------------------------------
# Installs MetalLB with a layer-2 address pool that contains a single address.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metallb
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    chart: metallb
    repoURL: https://metallb.github.io/metallb
    targetRevision: 0.12.1
    helm:
      # NOTE(review): nesting reconstructed from a whitespace-collapsed
      # listing; confirm against the chart's values.
      values: |-
        configInline:
          address-pools:
            - name: default
              protocol: layer2
              addresses:
                - 192.168.0.184-192.168.0.184
  destination:
    server: https://kubernetes.default.svc
    namespace: metallb
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true

--------------------------------------------------------------------------------
/production/runtime-appset.yaml:
--------------------------------------------------------------------------------
# Generates one Application per runtime; each syncs runtimes/<runtime> into
# the argocd namespace of the cluster registered under clusterURL (the
# vcluster API server published on NodePort 31543).
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: runtime-appset
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - runtime: pipeline1-runtime
            clusterURL: https://192.168.0.184:31543
  template:
    metadata:
      name: '{{runtime}}'
      namespace: argocd
    spec:
      project: demo-vcluster
      source:
        repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
        # NOTE(review): the default branch is applied to a remote cluster
        # automatically; pin a tag or commit where changes need a gate.
        targetRevision: HEAD
        path: runtimes/{{runtime}}
      destination:
        server: '{{clusterURL}}'
        namespace: argocd
      syncPolicy:
        automated:
          selfHeal: true
          prune: true

--------------------------------------------------------------------------------
/production/runtime-argocd-appset.yaml:
--------------------------------------------------------------------------------
# Installs Argo CD itself (argocd/overlays/production) into each listed
# runtime cluster.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: runtime-argocd-appset
  namespace: argocd
spec:
  generators:
    - list:
        elements:
          - runtime: pipeline1-runtime-argocd
            clusterURL: https://192.168.0.184:31543
  template:
    metadata:
      name: '{{runtime}}'
      namespace: argocd
    spec:
      project: demo-vcluster
      source:
        repoURL: https://github.com/lanbingcloud/demo-vcluster-tekton-argoevents-vaultagent-externalsecrets.git
        targetRevision: HEAD
        path: argocd/overlays/production
      destination:
        server: '{{clusterURL}}'
        namespace: argocd
      syncPolicy:
        automated:
          selfHeal: true
          prune: true

--------------------------------------------------------------------------------
/production/traefik-app.yaml:
--------------------------------------------------------------------------------
# Installs Traefik as the ingress controller, with fixed NodePorts for the
# web and websecure entry points.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: traefik
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    chart: traefik
    repoURL: https://helm.traefik.io/traefik
    targetRevision: v10.22.0
    helm:
      # NOTE(review): nesting reconstructed from a whitespace-collapsed
      # listing; confirm against the chart's values.
      values: |-
        ports:
          traefik:
            port: 9000
          web:
            nodePort: 30080
          websecure:
            nodePort: 30443
            tls:
              enabled: true
        providers:
          kubernetesIngress:
            publishedService:
              enabled: true
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
这个项目是用于演示如何用argocd来部署和管理一个CI的环境,需要部署的工具如下:

- metallb: k8s的lb工具。
- traefik: 反向代理工具,用于ingress的实现。
- cert-manager: 证书签发工具。
- vault: 密钥管理工具。
- external-secrets: 可以将外部的密钥同步为k8s的secret。
- vcluster: 可以在物理k8s集群中创建虚拟集群的工具。
- argo-events: 提供事件监听、转换和触发的工具。
- tekton: k8s原生的流水线工具。

首先需要准备一个k8s集群和一个vault实例,然后按照以下步骤进行部署(所需的命令行在cmds目录下):

1. 在vault中创建一个secret用于存放cert-manger所需的证书和私钥。
2. 手动在集群中安装argocd以及argocd-server的patch。
3. 将项目根目录的project.yaml和app.yaml安装到集群中。
4. argocd会根据配置在物理集群中安装metallb、traefik、cert-manager、vault(包括认证所需的sa)、external-secrets、并创建一个vcluster,等待初始化完成。
5. 在vault中创建一个kubernetes认证,填写物理机群的api-server地址、ca证书、认证sa的token。然后在此认证下创建保存了cert-manger私钥的secret的访问权限。
6. 通过vcluster命名空间下的secret生成用于访问虚拟集群的kubeconfig文件,并修改server字段中的ip、端口、cluster名称等。
7. 通过argocd命令行使用kubeconfig文件向argocd注册新创建的虚拟集群。
8. 物理集群的argocd自动向虚拟集群中部署argocd,以及用于虚拟集群内部初始化所需的project和app资源。
9. 等待虚拟集群内部的argocd完成所有工具的部署,包括:argo-events、tekton、traefik、vault、external-secrets。
--------------------------------------------------------------------------------
/production/vault-app.yaml:
--------------------------------------------------------------------------------
# Installs only the Vault Agent injector on the host cluster and points it at
# a Vault server that runs outside the chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vault
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-vcluster
  source:
    chart: vault
    repoURL: https://helm.releases.hashicorp.com/
    targetRevision: 0.20.1
    helm:
      # NOTE(review): nesting reconstructed from a whitespace-collapsed
      # listing; confirm against the chart's values.
      values: |-
        global:
          enabled: false
        injector:
          enabled: true
          authPath: auth/host-cluster
          # NOTE(review): plain http:// - injected agents send their
          # service-account token and receive secrets over an unencrypted
          # connection. Use an https:// address once Vault serves TLS.
          externalVaultAddr: http://192.168.0.184:31820
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  # The webhook's caBundle differs from the rendered chart in the live
  # object (presumably filled in at runtime), so it is excluded from diffing
  # to keep selfHeal from reverting it.
  ignoreDifferences:
    - group: "admissionregistration.k8s.io"
      kind: "MutatingWebhookConfiguration"
      jsonPointers:
        - /webhooks/0/clientConfig/caBundle
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true

--------------------------------------------------------------------------------
/runtimes/pipeline1-runtime/production/vault-app.yaml:
--------------------------------------------------------------------------------
# Installs only the Vault Agent injector in the runtime cluster; agents log in
# through the auth mount auth/pipeline1.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vault
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: demo-pipeline
  source:
    chart: vault
    repoURL: https://helm.releases.hashicorp.com/
    targetRevision: 0.20.1
    helm:
      # NOTE(review): nesting reconstructed from a whitespace-collapsed
      # listing; confirm against the chart's values.
      values: |-
        global:
          enabled: false
        injector:
          enabled: true
          authPath: auth/pipeline1
          # NOTE(review): plain http:// to an address outside the private
          # (RFC 1918) ranges - service-account tokens and the secrets Vault
          # returns travel unencrypted. Use https:// and restrict network
          # access to the Vault port.
          externalVaultAddr: http://119.8.58.20:31820
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  # The webhook's caBundle differs from the rendered chart in the live
  # object (presumably filled in at runtime), so it is excluded from diffing.
  ignoreDifferences:
    - group: "admissionregistration.k8s.io"
      kind: "MutatingWebhookConfiguration"
      jsonPointers:
        - /webhooks/0/clientConfig/caBundle
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 lanbingcloud

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/vclusters/vcluster1/vcluster1-patch/ingress.yaml:
--------------------------------------------------------------------------------
# Traefik ServersTransport used for the backend hop from Traefik to the
# vcluster1 API server (referenced by the Service annotation further down).
# NOTE(review): insecureSkipVerify disables verification of the backend's TLS
# certificate, so Traefik cannot tell the real API server from anything else
# answering on that address. ServersTransport also accepts rootCAsSecrets and
# serverName; pinning the vcluster CA there would keep the hop authenticated —
# TODO confirm which CA signs the vcluster API server certificate.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: vcluster1-apiserver
  namespace: vcluster1
spec:
  insecureSkipVerify: true
---
# Ingress publishing the vcluster API at vcluster1.lanbing.tech; cert-manager
# issues the serving certificate into the secret vcluster1-cert via the
# ClusterIssuer "org-issuer".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vcluster1
  namespace: vcluster1
  annotations:
    cert-manager.io/cluster-issuer: org-issuer
spec:
  rules:
  - host: vcluster1.lanbing.tech
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: vcluster1-svc
            port:
              name: https
  tls:
  - hosts:
    - vcluster1.lanbing.tech
    secretName: vcluster1-cert
---
# Service in front of the pods labelled app=vcluster (port 443 -> 8443).
# The annotation value is <namespace>-<name>@kubernetescrd and selects the
# ServersTransport defined at the top of this file.
# NOTE(review): type NodePort with nodePort 31543 also exposes the API server
# on every node's address, reachable without going through the Ingress and its
# cert-manager certificate. If only the Ingress path is intended, ClusterIP
# would be enough — TODO confirm whether direct node access is required.
apiVersion: v1
kind: Service
metadata:
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: vcluster1-vcluster1-apiserver@kubernetescrd
  name: vcluster1-svc
  namespace: vcluster1
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 31543
  selector:
    app: vcluster
  sessionAffinity: None
  type: NodePort
---

--------------------------------------------------------------------------------
/argo-events/base/install-validating-webhook.yaml:
--------------------------------------------------------------------------------
# Service account the Argo Events validating-webhook Deployment runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-events-webhook-sa
  namespace: argo-events
---
# Permissions of the validating webhook. Because this is a ClusterRole bound
# with a ClusterRoleBinding (below), every rule applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-events-webhook
rules:
# NOTE(review): full read/write on Secrets cluster-wide. Presumably the webhook
# needs this only for its own serving certificate — TODO confirm; a Role in the
# argo-events namespace would limit what a compromised webhook pod can read.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
# Write access to all ValidatingWebhookConfigurations (no resourceNames
# restriction), i.e. the account can alter or remove other admission webhooks.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - eventbus
  - eventsources
  - sensors
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - list
---
# Grants the ClusterRole above to argo-events-webhook-sa in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-events-webhook-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-events-webhook
subjects:
- kind: ServiceAccount
  name: argo-events-webhook-sa
  namespace: argo-events
---
# Service the API server calls to reach the webhook pods (port 443).
apiVersion: v1
kind: Service
metadata:
  name: events-webhook
  namespace: argo-events
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: events-webhook
---
# Single-replica Deployment running the argo-events image in
# "webhook-service" mode under argo-events-webhook-sa.
# NOTE(review): the image is referenced by tag (v1.7.1) with
# imagePullPolicy: Always, so the content is whatever the tag points to at pull
# time; a @sha256 digest would fix it. No securityContext or resource limits
# are set on this pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: events-webhook
  namespace: argo-events
spec:
  replicas: 1
  selector:
    matchLabels:
      app: events-webhook
  template:
    metadata:
      labels:
        app: events-webhook
    spec:
      containers:
      - args:
        - webhook-service
        env:
        # Namespace of the pod itself, taken from the downward API.
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: quay.io/argoproj/argo-events:v1.7.1
        imagePullPolicy: Always
        name: webhook
      serviceAccountName: argo-events-webhook-sa

--------------------------------------------------------------------------------
/argo-events/base/install.yaml:
--------------------------------------------------------------------------------
# Argo Events cluster-wide install: three CRDs, RBAC, controller config and the
# controller Deployment (image quay.io/argoproj/argo-events:v1.7.1).
#
# CRD for EventBus (short name "eb"). spec and status are free-form objects
# (x-kubernetes-preserve-unknown-fields), so the API server does no structural
# validation of them.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: eventbus.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: EventBus
    listKind: EventBusList
    plural: eventbus
    shortNames:
    - eb
    singular: eventbus
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            type: string
          kind:
            type: string
          metadata:
            type: object
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD for EventSource (short name "es"); same free-form schema as EventBus.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: eventsources.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: EventSource
    listKind: EventSourceList
    plural: eventsources
    shortNames:
    - es
    singular: eventsource
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            type: string
          kind:
            type: string
          metadata:
            type: object
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# CRD for Sensor (short name "sn"); same free-form schema as EventBus.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: sensors.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: Sensor
    listKind: SensorList
    plural: sensors
    shortNames:
    - sn
    singular: sensor
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            type: string
          kind:
            type: string
          metadata:
            type: object
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
# Service account the controller-manager Deployment runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-events-sa
  namespace: argo-events
---
# Aggregated into the built-in "admin" ClusterRole: full access to the three
# Argo Events resource kinds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: argo-events-aggregate-to-admin
rules:
- apiGroups:
  - argoproj.io
  resources:
  - sensors
  - sensors/finalizers
  - sensors/status
  - eventsources
  - eventsources/finalizers
  - eventsources/status
  - eventbus
  - eventbus/finalizers
  - eventbus/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
# Aggregated into the built-in "edit" ClusterRole: same rules as the admin one.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: argo-events-aggregate-to-edit
rules:
- apiGroups:
  - argoproj.io
  resources:
  - sensors
  - sensors/finalizers
  - sensors/status
  - eventsources
  - eventsources/finalizers
  - eventsources/status
  - eventbus
  - eventbus/finalizers
  - eventbus/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
---
# Aggregated into the built-in "view" ClusterRole: read-only access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: argo-events-aggregate-to-view
rules:
- apiGroups:
  - argoproj.io
  resources:
  - sensors
  - sensors/finalizers
  - sensors/status
  - eventsources
  - eventsources/finalizers
  - eventsources/status
  - eventbus
  - eventbus/finalizers
  - eventbus/status
  verbs:
  - get
  - list
  - watch
---
# Permissions of the Argo Events controller. Bound by the ClusterRoleBinding
# below, so every rule applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-events-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
# Leases, presumably for controller leader election — TODO confirm.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - sensors
  - sensors/finalizers
  - sensors/status
  - eventsources
  - eventsources/finalizers
  - eventsources/status
  - eventbus
  - eventbus/finalizers
  - eventbus/status
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# NOTE(review): cluster-wide create/read/write on pods, pods/exec and secrets.
# The controller's service-account token is therefore equivalent to read access
# to every Secret and exec into every pod in the cluster. If event sources and
# sensors live only in known namespaces, a namespace-scoped Role/RoleBinding
# would narrow this — TODO confirm whether cluster scope is needed here.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - configmaps
  - secrets
  - services
  - persistentvolumeclaims
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
---
# Grants argo-events-role to argo-events-sa in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-events-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-events-role
subjects:
- kind: ServiceAccount
  name: argo-events-sa
  namespace: argo-events
---
# Controller configuration, mounted into the controller at /etc/argo-events.
# It maps EventBus version names to the NATS / JetStream images to run; the
# entry named "latest" resolves to the same pinned images as "2.8.1".
# All images here are referenced by tag, not by digest.
apiVersion: v1
data:
  controller-config.yaml: |
    eventBus:
      nats:
        versions:
        - version: 0.22.1
          natsStreamingImage: nats-streaming:0.22.1
          metricsExporterImage: natsio/prometheus-nats-exporter:0.8.0
      jetstream:
        # Default JetStream settings, could be overridden by EventBus JetStream specs
        settings: |
          # https://docs.nats.io/running-a-nats-service/configuration#jetstream
          # Only configure "max_memory_store" or "max_file_store", do not set "store_dir" as it has been hardcoded.
          # e.g. 1G. -1 means no limit, up to 75% of available memory
          max_memory_store: -1
          # e.g. 20G. -1 means no limit, Up to 1TB if available
          max_file_store: 1TB
        streamConfig: |
          # The default properties of the streams to be created in this JetStream service
          maxMsgs: 50000
          maxAge: 168h
          maxBytes: -1
          replicas: 3
          duplicates: 300s
        versions:
        - version: latest
          natsImage: nats:2.8.1
          metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
          configReloaderImage: natsio/nats-server-config-reloader:0.7.0
          startCommand: /nats-server
        - version: 2.8.1
          natsImage: nats:2.8.1
          metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
          configReloaderImage: natsio/nats-server-config-reloader:0.7.0
          startCommand: /nats-server
        - version: 2.8.1-alpine
          natsImage: nats:2.8.1-alpine
          metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
          configReloaderImage: natsio/nats-server-config-reloader:0.7.0
          startCommand: nats-server
        - version: 2.8.2
          natsImage: nats:2.8.2
          metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
          configReloaderImage: natsio/nats-server-config-reloader:0.7.0
          startCommand: /nats-server
        - version: 2.8.2-alpine
          natsImage: nats:2.8.2-alpine
          metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
          configReloaderImage: natsio/nats-server-config-reloader:0.7.0
          startCommand: nats-server
kind: ConfigMap
metadata:
  name: argo-events-controller-config
  namespace: argo-events
---
# Single-replica Deployment of the Argo Events controller. The pod runs as
# non-root UID 9731 under argo-events-sa and mounts the ConfigMap above.
# NOTE(review): the image is referenced by tag with imagePullPolicy: Always;
# a @sha256 digest would fix the content that gets pulled.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: argo-events
spec:
  replicas: 1
  selector:
    matchLabels:
      app: controller-manager
  template:
    metadata:
      labels:
        app: controller-manager
    spec:
      containers:
      - args:
        - controller
        env:
        # Same image reference as this container's own image.
        - name: ARGO_EVENTS_IMAGE
          value: quay.io/argoproj/argo-events:v1.7.1
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: quay.io/argoproj/argo-events:v1.7.1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        name: controller-manager
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 3
          periodSeconds: 3
        volumeMounts:
        - mountPath: /etc/argo-events
          name: controller-config-volume
      securityContext:
        runAsNonRoot: true
        runAsUser: 9731
      serviceAccountName: argo-events-sa
      volumes:
      - configMap:
          name: argo-events-controller-config
        name: controller-config-volume

--------------------------------------------------------------------------------
/tekton/base/tekton-dashboard-release.yaml:
--------------------------------------------------------------------------------
# Tekton Dashboard v0.28.0 release manifest: Extension CRD, RBAC, Service and
# the dashboard Deployment in the tekton-pipelines namespace.
#
# CRD for dashboard Extensions; the schema is a free-form object.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: extensions.dashboard.tekton.dev
spec:
  group: dashboard.tekton.dev
  names:
    categories:
    - tekton
    - tekton-dashboard
    kind: Extension
    plural: extensions
    shortNames:
    - ext
    - exts
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.apiVersion
      name: API version
      type: string
    - jsonPath: .spec.name
      name: Kind
      type: string
    - jsonPath: .spec.displayname
      name: Display name
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        type: object
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
---
# Service account the dashboard Deployment runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: tekton-dashboard
  namespace: tekton-pipelines
---
# Read access to the single ConfigMap "dashboard-info" (it holds the version).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: tekton-dashboard-info
  namespace: tekton-pipelines
rules:
- apiGroups:
  - ""
  resourceNames:
  - dashboard-info
  resources:
  - configmaps
  verbs:
  - get
---
# Cluster-scoped permissions of the dashboard backend: read CRDs and service
# accounts, and read/write the cluster-scoped Tekton and Triggers kinds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: tekton-dashboard-backend
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
- apiGroups:
  - tekton.dev
  resources:
  - clustertasks
  - clustertasks/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - triggers.tekton.dev
  resources:
  - clusterinterceptors
  - clustertriggerbindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - dashboard.tekton.dev
  resources:
  - extensions
  verbs:
  - create
  - update
  - delete
  - patch
- apiGroups:
  - tekton.dev
  resources:
  - clustertasks
  - clustertasks/status
  verbs:
  - create
  - update
  - delete
  - patch
- apiGroups:
  - triggers.tekton.dev
  resources:
  - clusterinterceptors
  - clustertriggerbindings
  verbs:
  - create
  - update
  - delete
  - patch
---
# Per-namespace ("tenant") permissions of the dashboard: read pods, pod logs,
# events and namespaces, and read/write the namespaced Tekton and Triggers
# kinds. This file binds it with a ClusterRoleBinding (last document), so the
# rules apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: tekton-dashboard-tenant
rules:
- apiGroups:
  - dashboard.tekton.dev
  resources:
  - extensions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks
  - taskruns
  - pipelines
  - pipelineruns
  - pipelineresources
  - tasks/status
  - taskruns/status
  - pipelines/status
  - pipelineruns/status
  - taskruns/finalizers
  - pipelineruns/finalizers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - triggers.tekton.dev
  resources:
  - eventlisteners
  - triggerbindings
  - triggers
  - triggertemplates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - tasks
  - taskruns
  - pipelines
  - pipelineruns
  - pipelineresources
  - taskruns/finalizers
  - pipelineruns/finalizers
  - tasks/status
  - taskruns/status
  - pipelines/status
  - pipelineruns/status
  verbs:
  - create
  - update
  - delete
  - patch
- apiGroups:
  - triggers.tekton.dev
  resources:
  - eventlisteners
  - triggerbindings
  - triggers
  - triggertemplates
  verbs:
  - create
  - update
  - delete
  - patch
---
# Lets every authenticated user read the dashboard-info ConfigMap (and only
# that: the Role is limited by resourceNames).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: tekton-dashboard-info
  namespace: tekton-pipelines
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-dashboard-info
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
---
# Grants the backend ClusterRole to the dashboard service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
    rbac.dashboard.tekton.dev/subject: tekton-dashboard
  name: tekton-dashboard-backend
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-dashboard-backend
subjects:
- kind: ServiceAccount
  name: tekton-dashboard
  namespace: tekton-pipelines
---
# Version marker readable through the tekton-dashboard-info Role.
apiVersion: v1
data:
  version: v0.28.0
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
  name: dashboard-info
  namespace: tekton-pipelines
---
# ClusterIP Service for the dashboard; plain HTTP on port 9097.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
    app.kubernetes.io/version: v0.28.0
    dashboard.tekton.dev/release: v0.28.0
    version: v0.28.0
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  ports:
  - name: http
    port: 9097
    protocol: TCP
    targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
---
# Dashboard Deployment. The image is pinned by tag and sha256 digest, and the
# pod runs as non-root UID 65532.
# NOTE(review): --read-only=false together with the cluster-wide write rules
# bound to this service account means any request the dashboard accepts can
# create or change Tasks and PipelineRuns, i.e. run containers in the cluster.
# Nothing in this manifest authenticates dashboard users; the repository tree
# lists a tekton overlay named dashboard-ingress.yaml, so if that publishes
# this Service, an authenticating proxy in front of it (or --read-only=true)
# is the usual safeguard — TODO confirm how access is restricted.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tekton-dashboard
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
    app.kubernetes.io/version: v0.28.0
    dashboard.tekton.dev/release: v0.28.0
    version: v0.28.0
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: dashboard
      app.kubernetes.io/instance: default
      app.kubernetes.io/name: dashboard
      app.kubernetes.io/part-of: tekton-dashboard
  template:
    metadata:
      labels:
        app: tekton-dashboard
        app.kubernetes.io/component: dashboard
        app.kubernetes.io/instance: default
        app.kubernetes.io/name: dashboard
        app.kubernetes.io/part-of: tekton-dashboard
        app.kubernetes.io/version: v0.28.0
      name: tekton-dashboard
    spec:
      containers:
      - args:
        - --port=9097
        - --logout-url=
        - --pipelines-namespace=tekton-pipelines
        - --triggers-namespace=tekton-pipelines
        - --read-only=false
        - --log-level=info
        - --log-format=json
        - --namespace=
        - --stream-logs=true
        - --external-logs=
        env:
        - name: INSTALLED_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.28.0@sha256:5ac6044647175e9bb2b0beed19fd34353bb18156faab70d0a789a2b0a7ba8092
        livenessProbe:
          httpGet:
            path: /health
            port: 9097
        name: tekton-dashboard
        ports:
        - containerPort: 9097
        readinessProbe:
          httpGet:
            path: /readiness
            port: 9097
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
      serviceAccountName: tekton-dashboard
      volumes: []

---
---
# Grants the tenant ClusterRole to the dashboard service account in all
# namespaces (ClusterRoleBinding rather than per-namespace RoleBindings).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-dashboard
    rbac.dashboard.tekton.dev/subject: tekton-dashboard
  name: tekton-dashboard-tenant
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-dashboard-tenant
subjects:
- kind: ServiceAccount
  name: tekton-dashboard
  namespace: tekton-pipelines

--------------------------------------------------------------------------------
/tekton/base/release.yaml:
--------------------------------------------------------------------------------
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that holds the Tekton Pipelines control plane.
apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Restrictive pod policy for the Tekton control plane: no privileged mode, no
# privilege escalation, all capabilities dropped, no host namespaces, non-root
# user, and only emptyDir/configMap/secret volumes.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes
# v1.25. On clusters at or above that version this object cannot be created and
# the restrictions it describes are not enforced by it; Pod Security Admission
# namespace labels or a policy engine are the replacement.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'emptyDir'
    - 'configMap'
    - 'secret'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-scoped access of the pipelines controller: watch pods and manage all
# Tekton CRD kinds, their finalizers and status subresources.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-cluster-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  - apiGroups: [""]
    # Controller needs to watch Pods created by TaskRuns to see them progress.
    resources: ["pods"]
    verbs: ["list", "watch"]
    # Controller needs cluster access to all of the CRDs that it is responsible for
    # managing.
  - apiGroups: ["tekton.dev"]
    resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
# NOTE(review): this role includes read access to Secrets and read/write on
# Pods. Whether that applies per namespace or cluster-wide depends on how it is
# bound (the binding is not in this part of the file); with a
# ClusterRoleBinding the controller can read every Secret in the cluster —
# verify the binding kind.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # This is the access that the controller needs on a per-namespace basis.
  name: tekton-pipelines-controller-tenant-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  # Read-write access to create Pods and PVCs (for Workspaces)
  - apiGroups: [""]
    resources: ["pods", "persistentvolumeclaims"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Write permissions to publish events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # Read-only access to these.
  - apiGroups: [""]
    resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  # Read-write access to StatefulSets for Affinity Assistant.
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Read-write access to ResolutionRequest for remote resolution.
  - apiGroups: ["resolution.tekton.dev"]
    resources: ["resolutionrequests"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
# Cluster-scoped access of the Tekton admission webhook. Write access is
# limited by resourceNames to Tekton's own CRDs, webhook configurations,
# PodSecurityPolicy and namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-webhook-cluster-access
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  # The webhook needs to be able to get and update customresourcedefinitions,
  # mainly to update the webhook certificates.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
    verbs: ["get", "update", "patch"]
    resourceNames:
      - pipelines.tekton.dev
      - pipelineruns.tekton.dev
      - runs.tekton.dev
      - tasks.tekton.dev
      - clustertasks.tekton.dev
      - taskruns.tekton.dev
      - pipelineresources.tekton.dev
      - conditions.tekton.dev
  # knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    # The webhook performs a reconciliation on these two resources and continuously
    # updates configuration.
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    # knative starts informers on these things, which is why we need get, list and watch.
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    # This mutating webhook is responsible for applying defaults to tekton objects
    # as they are received.
    resourceNames: ["webhook.pipeline.tekton.dev"]
    # When there are changes to the configs or secrets, knative updates the mutatingwebhook config
    # with the updated certificates or the refreshed set of rules.
    verbs: ["get", "update", "delete"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns.
    # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure
    resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"]
    # When there are changes to the configs or secrets, knative updates the validatingwebhook config
    # with the updated certificates or the refreshed set of rules.
    verbs: ["get", "update", "delete"]
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["tekton-pipelines"]
    verbs: ["use"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
    # which requires we can Get the system namespace.
    resourceNames: ["tekton-pipelines"]
  - apiGroups: [""]
    resources: ["namespaces/finalizers"]
    verbs: ["update"]
    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
    # which requires we can update the system namespace finalizers.
    resourceNames: ["tekton-pipelines"]

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced Role for the controller inside tekton-pipelines: list/watch
# ConfigMaps; its remaining rules follow.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "watch"]
  # The controller needs access to these configmaps for logging information and runtime configuration.
248 | - apiGroups: [""] 249 | resources: ["configmaps"] 250 | verbs: ["get"] 251 | resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"] 252 | - apiGroups: ["policy"] 253 | resources: ["podsecuritypolicies"] 254 | resourceNames: ["tekton-pipelines"] 255 | verbs: ["use"] 256 | --- 257 | kind: Role 258 | apiVersion: rbac.authorization.k8s.io/v1 259 | metadata: 260 | name: tekton-pipelines-webhook 261 | namespace: tekton-pipelines 262 | labels: 263 | app.kubernetes.io/component: webhook 264 | app.kubernetes.io/instance: default 265 | app.kubernetes.io/part-of: tekton-pipelines 266 | rules: 267 | - apiGroups: [""] 268 | resources: ["configmaps"] 269 | verbs: ["list", "watch"] 270 | # The webhook needs access to these configmaps for logging information. 271 | - apiGroups: [""] 272 | resources: ["configmaps"] 273 | verbs: ["get"] 274 | resourceNames: ["config-logging", "config-observability", "config-leader-election", "feature-flags"] 275 | - apiGroups: [""] 276 | resources: ["secrets"] 277 | verbs: ["list", "watch"] 278 | # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever 279 | # the secret changes it updates the webhook configurations with the certificates 280 | # stored in the secret. 
281 | - apiGroups: [""] 282 | resources: ["secrets"] 283 | verbs: ["get", "update"] 284 | resourceNames: ["webhook-certs"] 285 | - apiGroups: ["policy"] 286 | resources: ["podsecuritypolicies"] 287 | resourceNames: ["tekton-pipelines"] 288 | verbs: ["use"] 289 | --- 290 | kind: Role 291 | apiVersion: rbac.authorization.k8s.io/v1 292 | metadata: 293 | name: tekton-pipelines-leader-election 294 | namespace: tekton-pipelines 295 | labels: 296 | app.kubernetes.io/instance: default 297 | app.kubernetes.io/part-of: tekton-pipelines 298 | rules: 299 | # We use leases for leader election 300 | - apiGroups: ["coordination.k8s.io"] 301 | resources: ["leases"] 302 | verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] 303 | --- 304 | apiVersion: rbac.authorization.k8s.io/v1 305 | kind: Role 306 | metadata: 307 | name: tekton-pipelines-info 308 | namespace: tekton-pipelines 309 | labels: 310 | app.kubernetes.io/instance: default 311 | app.kubernetes.io/part-of: tekton-pipelines 312 | rules: 313 | # All system:authenticated users need to have access 314 | # to the pipelines-info ConfigMap even if they don't 315 | # have access to the other resources present in the 316 | # installed namespace. The rule is limited to get on that one ConfigMap. 317 | - apiGroups: [""] 318 | resources: ["configmaps"] 319 | resourceNames: ["pipelines-info"] 320 | verbs: ["get"] 321 | 322 | --- 323 | # Copyright 2019 The Tekton Authors 324 | # 325 | # Licensed under the Apache License, Version 2.0 (the "License"); 326 | # you may not use this file except in compliance with the License. 327 | # You may obtain a copy of the License at 328 | # 329 | # http://www.apache.org/licenses/LICENSE-2.0 330 | # 331 | # Unless required by applicable law or agreed to in writing, software 332 | # distributed under the License is distributed on an "AS IS" BASIS, 333 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
334 | # See the License for the specific language governing permissions and 335 | # limitations under the License. 336 | apiVersion: v1 337 | kind: ServiceAccount 338 | metadata: 339 | name: tekton-pipelines-controller 340 | namespace: tekton-pipelines 341 | labels: 342 | app.kubernetes.io/component: controller 343 | app.kubernetes.io/instance: default 344 | app.kubernetes.io/part-of: tekton-pipelines 345 | --- 346 | apiVersion: v1 347 | kind: ServiceAccount 348 | metadata: 349 | name: tekton-pipelines-webhook 350 | namespace: tekton-pipelines 351 | labels: 352 | app.kubernetes.io/component: webhook 353 | app.kubernetes.io/instance: default 354 | app.kubernetes.io/part-of: tekton-pipelines 355 | 356 | --- 357 | # Copyright 2019 The Tekton Authors 358 | # 359 | # Licensed under the Apache License, Version 2.0 (the "License"); 360 | # you may not use this file except in compliance with the License. 361 | # You may obtain a copy of the License at 362 | # 363 | # http://www.apache.org/licenses/LICENSE-2.0 364 | # 365 | # Unless required by applicable law or agreed to in writing, software 366 | # distributed under the License is distributed on an "AS IS" BASIS, 367 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 368 | # See the License for the specific language governing permissions and 369 | # limitations under the License. 
370 | 371 | apiVersion: rbac.authorization.k8s.io/v1 372 | kind: ClusterRoleBinding 373 | metadata: 374 | name: tekton-pipelines-controller-cluster-access 375 | labels: 376 | app.kubernetes.io/component: controller 377 | app.kubernetes.io/instance: default 378 | app.kubernetes.io/part-of: tekton-pipelines 379 | subjects: 380 | - kind: ServiceAccount 381 | name: tekton-pipelines-controller 382 | namespace: tekton-pipelines 383 | roleRef: 384 | kind: ClusterRole 385 | name: tekton-pipelines-controller-cluster-access 386 | apiGroup: rbac.authorization.k8s.io 387 | --- 388 | # This ClusterRoleBinding grants the access described by the 389 | # tekton-pipelines-controller-tenant-access ClusterRole in every namespace. 390 | # If it is replaced with a RoleBinding, that access applies only in the RoleBinding's 391 | # namespace, so it can be scoped to individual tenant namespaces. 392 | apiVersion: rbac.authorization.k8s.io/v1 393 | kind: ClusterRoleBinding 394 | metadata: 395 | name: tekton-pipelines-controller-tenant-access 396 | labels: 397 | app.kubernetes.io/component: controller 398 | app.kubernetes.io/instance: default 399 | app.kubernetes.io/part-of: tekton-pipelines 400 | subjects: 401 | - kind: ServiceAccount 402 | name: tekton-pipelines-controller 403 | namespace: tekton-pipelines 404 | roleRef: 405 | kind: ClusterRole 406 | name: tekton-pipelines-controller-tenant-access 407 | apiGroup: rbac.authorization.k8s.io 408 | --- 409 | apiVersion: rbac.authorization.k8s.io/v1 410 | kind: ClusterRoleBinding 411 | metadata: 412 | name: tekton-pipelines-webhook-cluster-access 413 | labels: 414 | app.kubernetes.io/component: webhook 415 | app.kubernetes.io/instance: default 416 | app.kubernetes.io/part-of: tekton-pipelines 417 | subjects: 418 | - kind: ServiceAccount 419 | name: tekton-pipelines-webhook 420 | namespace: tekton-pipelines 421 | roleRef: 422 | kind: ClusterRole 423 | name: tekton-pipelines-webhook-cluster-access 424 | apiGroup: rbac.authorization.k8s.io 425 | 426 | --- 427 | # Copyright 2020 The Tekton
Authors 428 | # 429 | # Licensed under the Apache License, Version 2.0 (the "License"); 430 | # you may not use this file except in compliance with the License. 431 | # You may obtain a copy of the License at 432 | # 433 | # http://www.apache.org/licenses/LICENSE-2.0 434 | # 435 | # Unless required by applicable law or agreed to in writing, software 436 | # distributed under the License is distributed on an "AS IS" BASIS, 437 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 438 | # See the License for the specific language governing permissions and 439 | # limitations under the License. 440 | 441 | apiVersion: rbac.authorization.k8s.io/v1 442 | kind: RoleBinding 443 | metadata: 444 | name: tekton-pipelines-controller 445 | namespace: tekton-pipelines 446 | labels: 447 | app.kubernetes.io/component: controller 448 | app.kubernetes.io/instance: default 449 | app.kubernetes.io/part-of: tekton-pipelines 450 | subjects: 451 | - kind: ServiceAccount 452 | name: tekton-pipelines-controller 453 | namespace: tekton-pipelines 454 | roleRef: 455 | kind: Role 456 | name: tekton-pipelines-controller 457 | apiGroup: rbac.authorization.k8s.io 458 | --- 459 | apiVersion: rbac.authorization.k8s.io/v1 460 | kind: RoleBinding 461 | metadata: 462 | name: tekton-pipelines-webhook 463 | namespace: tekton-pipelines 464 | labels: 465 | app.kubernetes.io/component: webhook 466 | app.kubernetes.io/instance: default 467 | app.kubernetes.io/part-of: tekton-pipelines 468 | subjects: 469 | - kind: ServiceAccount 470 | name: tekton-pipelines-webhook 471 | namespace: tekton-pipelines 472 | roleRef: 473 | kind: Role 474 | name: tekton-pipelines-webhook 475 | apiGroup: rbac.authorization.k8s.io 476 | --- 477 | apiVersion: rbac.authorization.k8s.io/v1 478 | kind: RoleBinding 479 | metadata: 480 | name: tekton-pipelines-controller-leaderelection 481 | namespace: tekton-pipelines 482 | labels: 483 | app.kubernetes.io/component: controller 484 | app.kubernetes.io/instance: 
default 485 | app.kubernetes.io/part-of: tekton-pipelines 486 | subjects: 487 | - kind: ServiceAccount 488 | name: tekton-pipelines-controller 489 | namespace: tekton-pipelines 490 | roleRef: 491 | kind: Role 492 | name: tekton-pipelines-leader-election 493 | apiGroup: rbac.authorization.k8s.io 494 | --- 495 | apiVersion: rbac.authorization.k8s.io/v1 496 | kind: RoleBinding 497 | metadata: 498 | name: tekton-pipelines-webhook-leaderelection 499 | namespace: tekton-pipelines 500 | labels: 501 | app.kubernetes.io/component: webhook 502 | app.kubernetes.io/instance: default 503 | app.kubernetes.io/part-of: tekton-pipelines 504 | subjects: 505 | - kind: ServiceAccount 506 | name: tekton-pipelines-webhook 507 | namespace: tekton-pipelines 508 | roleRef: 509 | kind: Role 510 | name: tekton-pipelines-leader-election 511 | apiGroup: rbac.authorization.k8s.io 512 | --- 513 | apiVersion: rbac.authorization.k8s.io/v1 514 | kind: RoleBinding 515 | metadata: 516 | name: tekton-pipelines-info 517 | namespace: tekton-pipelines 518 | labels: 519 | app.kubernetes.io/instance: default 520 | app.kubernetes.io/part-of: tekton-pipelines 521 | subjects: 522 | # Give all system:authenticated users access to the 523 | # ConfigMap which contains version information. 524 | - kind: Group 525 | name: system:authenticated 526 | apiGroup: rbac.authorization.k8s.io 527 | roleRef: 528 | apiGroup: rbac.authorization.k8s.io 529 | kind: Role 530 | name: tekton-pipelines-info 531 | 532 | --- 533 | # Copyright 2019 The Tekton Authors 534 | # 535 | # Licensed under the Apache License, Version 2.0 (the "License"); 536 | # you may not use this file except in compliance with the License.
537 | # You may obtain a copy of the License at 538 | # 539 | # https://www.apache.org/licenses/LICENSE-2.0 540 | # 541 | # Unless required by applicable law or agreed to in writing, software 542 | # distributed under the License is distributed on an "AS IS" BASIS, 543 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 544 | # See the License for the specific language governing permissions and 545 | # limitations under the License. 546 | 547 | apiVersion: apiextensions.k8s.io/v1 548 | kind: CustomResourceDefinition 549 | metadata: 550 | name: clustertasks.tekton.dev 551 | labels: 552 | app.kubernetes.io/instance: default 553 | app.kubernetes.io/part-of: tekton-pipelines 554 | pipeline.tekton.dev/release: "v20220623-a84f97e8a5" 555 | version: "v20220623-a84f97e8a5" 556 | spec: 557 | group: tekton.dev 558 | preserveUnknownFields: false 559 | versions: 560 | - name: v1alpha1 561 | served: true 562 | storage: false 563 | schema: 564 | openAPIV3Schema: 565 | type: object 566 | # One can use x-kubernetes-preserve-unknown-fields: true 567 | # at the root of the schema (and inside any properties, additionalProperties) 568 | # to get the traditional CRD behaviour that nothing is pruned, despite 569 | # setting spec.preserveUnknownProperties: false. 
570 | # 571 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 572 | # See issue: https://github.com/knative/serving/issues/912 573 | x-kubernetes-preserve-unknown-fields: true 574 | # Opt into the status subresource so metadata.generation 575 | # starts to increment 576 | subresources: 577 | status: {} 578 | - name: v1beta1 579 | served: true 580 | storage: true 581 | schema: 582 | openAPIV3Schema: 583 | type: object 584 | # One can use x-kubernetes-preserve-unknown-fields: true 585 | # at the root of the schema (and inside any properties, additionalProperties) 586 | # to get the traditional CRD behaviour that nothing is pruned, despite 587 | # setting spec.preserveUnknownProperties: false. 588 | # 589 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 590 | # See issue: https://github.com/knative/serving/issues/912 591 | x-kubernetes-preserve-unknown-fields: true 592 | # Opt into the status subresource so metadata.generation 593 | # starts to increment 594 | subresources: 595 | status: {} 596 | names: 597 | kind: ClusterTask 598 | plural: clustertasks 599 | singular: clustertask 600 | categories: 601 | - tekton 602 | - tekton-pipelines 603 | scope: Cluster 604 | conversion: 605 | strategy: Webhook 606 | webhook: 607 | conversionReviewVersions: ["v1beta1"] 608 | clientConfig: 609 | service: 610 | name: tekton-pipelines-webhook 611 | namespace: tekton-pipelines 612 | 613 | --- 614 | # Copyright 2019 The Tekton Authors 615 | # 616 | # Licensed under the Apache License, Version 2.0 (the "License"); 617 | # you may not use this file except in compliance with the License. 618 | # You may obtain a copy of the License at 619 | # 620 | # https://www.apache.org/licenses/LICENSE-2.0 621 | # 622 | # Unless required by applicable law or agreed to in writing, software 623 | # distributed under the License is distributed on an "AS IS" BASIS, 624 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
625 | # See the License for the specific language governing permissions and 626 | # limitations under the License. 627 | 628 | apiVersion: apiextensions.k8s.io/v1 629 | kind: CustomResourceDefinition 630 | metadata: 631 | name: pipelines.tekton.dev 632 | labels: 633 | app.kubernetes.io/instance: default 634 | app.kubernetes.io/part-of: tekton-pipelines 635 | pipeline.tekton.dev/release: "v20220623-a84f97e8a5" 636 | version: "v20220623-a84f97e8a5" 637 | spec: 638 | group: tekton.dev 639 | preserveUnknownFields: false 640 | versions: 641 | - name: v1alpha1 642 | served: true 643 | storage: false 644 | # Opt into the status subresource so metadata.generation 645 | # starts to increment 646 | subresources: 647 | status: {} 648 | schema: 649 | openAPIV3Schema: 650 | type: object 651 | # One can use x-kubernetes-preserve-unknown-fields: true 652 | # at the root of the schema (and inside any properties, additionalProperties) 653 | # to get the traditional CRD behaviour that nothing is pruned, despite 654 | # setting spec.preserveUnknownProperties: false. 655 | # 656 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 657 | # See issue: https://github.com/knative/serving/issues/912 658 | x-kubernetes-preserve-unknown-fields: true 659 | - name: v1beta1 660 | served: true 661 | storage: true 662 | # Opt into the status subresource so metadata.generation 663 | # starts to increment 664 | subresources: 665 | status: {} 666 | schema: 667 | openAPIV3Schema: 668 | type: object 669 | # One can use x-kubernetes-preserve-unknown-fields: true 670 | # at the root of the schema (and inside any properties, additionalProperties) 671 | # to get the traditional CRD behaviour that nothing is pruned, despite 672 | # setting spec.preserveUnknownProperties: false. 
673 | # 674 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 675 | # See issue: https://github.com/knative/serving/issues/912 676 | x-kubernetes-preserve-unknown-fields: true 677 | names: 678 | kind: Pipeline 679 | plural: pipelines 680 | singular: pipeline 681 | categories: 682 | - tekton 683 | - tekton-pipelines 684 | scope: Namespaced 685 | conversion: 686 | strategy: Webhook 687 | webhook: 688 | conversionReviewVersions: ["v1beta1"] 689 | clientConfig: 690 | service: 691 | name: tekton-pipelines-webhook 692 | namespace: tekton-pipelines 693 | 694 | --- 695 | # Copyright 2019 The Tekton Authors 696 | # 697 | # Licensed under the Apache License, Version 2.0 (the "License"); 698 | # you may not use this file except in compliance with the License. 699 | # You may obtain a copy of the License at 700 | # 701 | # https://www.apache.org/licenses/LICENSE-2.0 702 | # 703 | # Unless required by applicable law or agreed to in writing, software 704 | # distributed under the License is distributed on an "AS IS" BASIS, 705 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 706 | # See the License for the specific language governing permissions and 707 | # limitations under the License. 
708 | 709 | apiVersion: apiextensions.k8s.io/v1 710 | kind: CustomResourceDefinition 711 | metadata: 712 | name: pipelineruns.tekton.dev 713 | labels: 714 | app.kubernetes.io/instance: default 715 | app.kubernetes.io/part-of: tekton-pipelines 716 | pipeline.tekton.dev/release: "v20220623-a84f97e8a5" 717 | version: "v20220623-a84f97e8a5" 718 | spec: 719 | group: tekton.dev 720 | preserveUnknownFields: false 721 | versions: 722 | - name: v1alpha1 723 | served: true 724 | storage: false 725 | schema: 726 | openAPIV3Schema: 727 | type: object 728 | # One can use x-kubernetes-preserve-unknown-fields: true 729 | # at the root of the schema (and inside any properties, additionalProperties) 730 | # to get the traditional CRD behaviour that nothing is pruned, despite 731 | # setting spec.preserveUnknownProperties: false. 732 | # 733 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 734 | # See issue: https://github.com/knative/serving/issues/912 735 | x-kubernetes-preserve-unknown-fields: true 736 | additionalPrinterColumns: 737 | - name: Succeeded 738 | type: string 739 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" 740 | - name: Reason 741 | type: string 742 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" 743 | - name: StartTime 744 | type: date 745 | jsonPath: .status.startTime 746 | - name: CompletionTime 747 | type: date 748 | jsonPath: .status.completionTime 749 | # Opt into the status subresource so metadata.generation 750 | # starts to increment 751 | subresources: 752 | status: {} 753 | - name: v1beta1 754 | served: true 755 | storage: true 756 | schema: 757 | openAPIV3Schema: 758 | type: object 759 | # One can use x-kubernetes-preserve-unknown-fields: true 760 | # at the root of the schema (and inside any properties, additionalProperties) 761 | # to get the traditional CRD behaviour that nothing is pruned, despite 762 | # setting spec.preserveUnknownProperties: false. 
763 | # 764 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 765 | # See issue: https://github.com/knative/serving/issues/912 766 | x-kubernetes-preserve-unknown-fields: true 767 | additionalPrinterColumns: 768 | - name: Succeeded 769 | type: string 770 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" 771 | - name: Reason 772 | type: string 773 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" 774 | - name: StartTime 775 | type: date 776 | jsonPath: .status.startTime 777 | - name: CompletionTime 778 | type: date 779 | jsonPath: .status.completionTime 780 | # Opt into the status subresource so metadata.generation 781 | # starts to increment 782 | subresources: 783 | status: {} 784 | names: 785 | kind: PipelineRun 786 | plural: pipelineruns 787 | singular: pipelinerun 788 | categories: 789 | - tekton 790 | - tekton-pipelines 791 | shortNames: 792 | - pr 793 | - prs 794 | scope: Namespaced 795 | conversion: 796 | strategy: Webhook 797 | webhook: 798 | conversionReviewVersions: ["v1beta1"] 799 | clientConfig: 800 | service: 801 | name: tekton-pipelines-webhook 802 | namespace: tekton-pipelines 803 | 804 | --- 805 | # Copyright 2022 The Tekton Authors 806 | # 807 | # Licensed under the Apache License, Version 2.0 (the "License"); 808 | # you may not use this file except in compliance with the License. 809 | # You may obtain a copy of the License at 810 | # 811 | # https://www.apache.org/licenses/LICENSE-2.0 812 | # 813 | # Unless required by applicable law or agreed to in writing, software 814 | # distributed under the License is distributed on an "AS IS" BASIS, 815 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 816 | # See the License for the specific language governing permissions and 817 | # limitations under the License. 
818 | 819 | apiVersion: apiextensions.k8s.io/v1 820 | kind: CustomResourceDefinition 821 | metadata: 822 | name: resolutionrequests.resolution.tekton.dev 823 | labels: 824 | resolution.tekton.dev/release: devel 825 | spec: 826 | group: resolution.tekton.dev 827 | scope: Namespaced 828 | names: 829 | kind: ResolutionRequest 830 | plural: resolutionrequests 831 | singular: resolutionrequest 832 | categories: 833 | - all 834 | - tekton 835 | versions: 836 | - name: v1alpha1 837 | served: true 838 | storage: true 839 | subresources: 840 | status: {} 841 | schema: 842 | openAPIV3Schema: 843 | type: object 844 | properties: 845 | spec: 846 | description: Spec holds the parameters for the request. 847 | type: object 848 | properties: 849 | params: 850 | type: object 851 | x-kubernetes-preserve-unknown-fields: true 852 | status: 853 | description: Status receives the data of a completed request. 854 | type: object 855 | properties: 856 | data: 857 | description: The resolved contents of the requested resource in-lined as a string. 858 | type: string 859 | annotations: 860 | description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. 861 | type: object 862 | x-kubernetes-preserve-unknown-fields: true 863 | conditions: 864 | description: Conditions the latest available observations of a resource's current state. 865 | type: array 866 | items: 867 | description: Conditions describe the success and completion state of the resource request. 868 | type: object 869 | required: 870 | - status 871 | - type 872 | properties: 873 | lastTransitionTime: 874 | description: LastTransitionTime is the last time the condition transitioned from one status to another. 
We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). 875 | type: string 876 | format: date-time 877 | message: 878 | description: A human readable message indicating details about the transition. 879 | type: string 880 | reason: 881 | description: The reason for the condition's last transition. 882 | type: string 883 | severity: 884 | description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. 885 | type: string 886 | status: 887 | description: Status of the condition, one of True, False, Unknown. 888 | type: string 889 | type: 890 | description: Type of condition. 891 | type: string 892 | observedGeneration: 893 | description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. 894 | type: integer 895 | format: int64 896 | additionalPrinterColumns: 897 | - name: Succeeded 898 | type: string 899 | jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" 900 | - name: Reason 901 | type: string 902 | jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" 903 | 904 | --- 905 | # Copyright 2019 The Tekton Authors 906 | # 907 | # Licensed under the Apache License, Version 2.0 (the "License"); 908 | # you may not use this file except in compliance with the License. 909 | # You may obtain a copy of the License at 910 | # 911 | # https://www.apache.org/licenses/LICENSE-2.0 912 | # 913 | # Unless required by applicable law or agreed to in writing, software 914 | # distributed under the License is distributed on an "AS IS" BASIS, 915 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 916 | # See the License for the specific language governing permissions and 917 | # limitations under the License. 
918 | 919 | apiVersion: apiextensions.k8s.io/v1 920 | kind: CustomResourceDefinition 921 | metadata: 922 | name: pipelineresources.tekton.dev 923 | labels: 924 | app.kubernetes.io/instance: default 925 | app.kubernetes.io/part-of: tekton-pipelines 926 | pipeline.tekton.dev/release: "v20220623-a84f97e8a5" 927 | version: "v20220623-a84f97e8a5" 928 | spec: 929 | group: tekton.dev 930 | versions: 931 | - name: v1alpha1 932 | served: true 933 | storage: true 934 | schema: 935 | openAPIV3Schema: 936 | type: object 937 | # One can use x-kubernetes-preserve-unknown-fields: true 938 | # at the root of the schema (and inside any properties, additionalProperties) 939 | # to get the traditional CRD behaviour that nothing is pruned, despite 940 | # setting spec.preserveUnknownProperties: false. 941 | # 942 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 943 | # See issue: https://github.com/knative/serving/issues/912 944 | x-kubernetes-preserve-unknown-fields: true 945 | # Opt into the status subresource so metadata.generation 946 | # starts to increment 947 | subresources: 948 | status: {} 949 | names: 950 | kind: PipelineResource 951 | plural: pipelineresources 952 | singular: pipelineresource 953 | categories: 954 | - tekton 955 | - tekton-pipelines 956 | scope: Namespaced 957 | 958 | --- 959 | # Copyright 2020 The Tekton Authors 960 | # 961 | # Licensed under the Apache License, Version 2.0 (the "License"); 962 | # you may not use this file except in compliance with the License. 963 | # You may obtain a copy of the License at 964 | # 965 | # https://www.apache.org/licenses/LICENSE-2.0 966 | # 967 | # Unless required by applicable law or agreed to in writing, software 968 | # distributed under the License is distributed on an "AS IS" BASIS, 969 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 970 | # See the License for the specific language governing permissions and 971 | # limitations under the License. 
972 | 973 | apiVersion: apiextensions.k8s.io/v1 974 | kind: CustomResourceDefinition 975 | metadata: 976 | name: runs.tekton.dev 977 | labels: 978 | app.kubernetes.io/instance: default 979 | app.kubernetes.io/part-of: tekton-pipelines 980 | pipeline.tekton.dev/release: "v20220623-a84f97e8a5" 981 | version: "v20220623-a84f97e8a5" 982 | spec: 983 | group: tekton.dev 984 | preserveUnknownFields: false 985 | versions: 986 | - name: v1alpha1 987 | served: true 988 | storage: true 989 | schema: 990 | openAPIV3Schema: 991 | type: object 992 | # One can use x-kubernetes-preserve-unknown-fields: true 993 | # at the root of the schema (and inside any properties, additionalProperties) 994 | # to get the traditional CRD behaviour that nothing is pruned, despite 995 | # setting spec.preserveUnknownProperties: false. 996 | # 997 | # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ 998 | # See issue: https://github.com/knative/serving/issues/912 999 | x-kubernetes-preserve-unknown-fields: true 1000 | additionalPrinterColumns: 1001 | - name: Succeeded 1002 | type: string 1003 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" 1004 | - name: Reason 1005 | type: string 1006 | jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" 1007 | - name: StartTime 1008 | type: date 1009 | jsonPath: .status.startTime 1010 | - name: CompletionTime 1011 | type: date 1012 | jsonPath: .status.completionTime 1013 | # Opt into the status subresource so metadata.generation 1014 | # starts to increment 1015 | subresources: 1016 | status: {} 1017 | names: 1018 | kind: Run 1019 | plural: runs 1020 | singular: run 1021 | categories: 1022 | - tekton 1023 | - tekton-pipelines 1024 | scope: Namespaced 1025 | 1026 | --- 1027 | # Copyright 2019 The Tekton Authors 1028 | # 1029 | # Licensed under the Apache License, Version 2.0 (the "License"); 1030 | # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for Task in the tekton.dev group. Both v1alpha1 and
# v1beta1 are served; v1beta1 is the storage version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: tasks.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    version: "v20220623-a84f97e8a5"
spec:
  group: tekton.dev
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          type: object
          # One can use x-kubernetes-preserve-unknown-fields: true
          # at the root of the schema (and inside any properties, additionalProperties)
          # to get the traditional CRD behaviour that nothing is pruned, despite
          # setting spec.preserveUnknownFields: false.
          #
          # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
          # See issue: https://github.com/knative/serving/issues/912
          #
          # NOTE(review): with this set at the schema root the API server neither
          # validates nor prunes Task fields. Field validation presumably comes
          # only from the admission webhooks served by tekton-pipelines-webhook;
          # confirm they are registered and healthy before relying on it.
          x-kubernetes-preserve-unknown-fields: true
      # Opt into the status subresource so metadata.generation
      # starts to increment
      subresources:
        status: {}
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          # One can use x-kubernetes-preserve-unknown-fields: true
          # at the root of the schema (and inside any properties, additionalProperties)
          # to get the traditional CRD behaviour that nothing is pruned, despite
          # setting spec.preserveUnknownFields: false.
          #
          # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
          # See issue: https://github.com/knative/serving/issues/912
          x-kubernetes-preserve-unknown-fields: true
      # Opt into the status subresource so metadata.generation
      # starts to increment
      subresources:
        status: {}
  names:
    kind: Task
    plural: tasks
    singular: task
    categories:
      - tekton
      - tekton-pipelines
  scope: Namespaced
  # Conversion between the served versions is delegated to the
  # tekton-pipelines-webhook Service. No caBundle is set in this manifest;
  # presumably it is injected at runtime - confirm against the webhook.
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1beta1"]
      clientConfig:
        service:
          name: tekton-pipelines-webhook
          namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for TaskRun in the tekton.dev group. Both v1alpha1
# and v1beta1 are served; v1beta1 is the storage version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: taskruns.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    version: "v20220623-a84f97e8a5"
spec:
  group: tekton.dev
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          type: object
          # One can use x-kubernetes-preserve-unknown-fields: true
          # at the root of the schema (and inside any properties, additionalProperties)
          # to get the traditional CRD behaviour that nothing is pruned, despite
          # setting spec.preserveUnknownFields: false.
          #
          # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
          # See issue: https://github.com/knative/serving/issues/912
          #
          # NOTE(review): same caveat as for Task - no server-side schema
          # validation or pruning of TaskRun fields happens with this setting.
          x-kubernetes-preserve-unknown-fields: true
      # Columns shown by `kubectl get`; all are read from .status.
      additionalPrinterColumns:
        - name: Succeeded
          type: string
          jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
        - name: Reason
          type: string
          jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
        - name: StartTime
          type: date
          jsonPath: .status.startTime
        - name: CompletionTime
          type: date
          jsonPath: .status.completionTime
      # Opt into the status subresource so metadata.generation
      # starts to increment
      subresources:
        status: {}
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          # One can use x-kubernetes-preserve-unknown-fields: true
          # at the root of the schema (and inside any properties, additionalProperties)
          # to get the traditional CRD behaviour that nothing is pruned, despite
          # setting spec.preserveUnknownFields: false.
          #
          # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
          # See issue: https://github.com/knative/serving/issues/912
          x-kubernetes-preserve-unknown-fields: true
      additionalPrinterColumns:
        - name: Succeeded
          type: string
          jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
        - name: Reason
          type: string
          jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
        - name: StartTime
          type: date
          jsonPath: .status.startTime
        - name: CompletionTime
          type: date
          jsonPath: .status.completionTime
      # Opt into the status subresource so metadata.generation
      # starts to increment
      subresources:
        status: {}
  names:
    kind: TaskRun
    plural: taskruns
    singular: taskrun
    categories:
      - tekton
      - tekton-pipelines
    shortNames:
      - tr
      - trs
  scope: Namespaced
  # Conversion is delegated to the tekton-pipelines-webhook Service; no
  # caBundle is set in this manifest (presumably injected at runtime - confirm).
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1beta1"]
      clientConfig:
        service:
          name: tekton-pipelines-webhook
          namespace: tekton-pipelines

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Secret that holds the webhook's serving certificate material. It is shipped
# empty; see the comment below the labels.
# NOTE(review): once populated this Secret presumably contains a TLS private
# key - keep `get`/`list` on Secrets in tekton-pipelines tightly scoped.
apiVersion: v1
kind: Secret
metadata:
  name: webhook-certs
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
# The data is populated at install time.
---
# Validating admission webhook backed by the tekton-pipelines-webhook Service.
# No `rules` and no `caBundle` are declared here; presumably the webhook
# process fills them in when it starts - confirm on a running cluster.
# failurePolicy: Fail makes the API server reject matching requests whenever
# the webhook cannot be reached, so webhook availability gates those writes.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validation.webhook.pipeline.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
webhooks:
  - admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
    name: validation.webhook.pipeline.tekton.dev
---
# Mutating admission webhook backed by the same Service. It fails closed
# (failurePolicy: Fail) and declares no side effects.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.pipeline.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
webhooks:
  - admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
    name: webhook.pipeline.tekton.dev
---
# Validating webhook limited by objectSelector to objects labelled
# app.kubernetes.io/part-of: tekton-pipelines (the ConfigMaps in this file
# carry that label).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.pipeline.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
webhooks:
  - admissionReviewVersions: ["v1"]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
    name: config.webhook.pipeline.tekton.dev
    objectSelector:
      matchLabels:
        app.kubernetes.io/part-of: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ClusterRole whose rules are aggregated into the built-in `edit` and `admin`
# roles through the two aggregate-to-* labels below.
# NOTE(review): every subject bound to `edit` or `admin` in a namespace gains
# full write access to the listed Tekton resources there, including creating
# TaskRuns and PipelineRuns. Review who holds those roles in namespaces whose
# service accounts carry registry, Git or cloud credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-aggregate-edit
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - tekton.dev
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ClusterRole aggregated into the built-in `view` role: read-only access
# (get, list, watch) to the listed Tekton resources.
# NOTE(review): the resource specs and run status are readable by every
# `view` subject; avoid placing secret values in params or inline scripts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-aggregate-view
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - tekton.dev
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
    verbs:
      - get
      - list
      - watch

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap for bucket-based artifact storage. It ships with no data; the
# commented block below documents the available keys.
# The bucket credentials are referenced by Secret name and key, so the
# service account JSON itself stays out of this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-artifact-bucket
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
# data:
#   # location of the gcs bucket to be used for artifact storage
#   location: "gs://bucket-name"
#   # name of the secret that will contain the credentials for the service account
#   # with access to the bucket
#   bucket.service.account.secret.name:
#   # The key in the secret with the required service account json
#   bucket.service.account.secret.key:
#   # The field name that should be used for the service account
#   # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG.
#   bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap for PVC-based artifact storage. It ships with no data; the
# commented block documents the available keys.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-artifact-pvc
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
# data:
#   # size of the PVC volume
#   size: 5Gi
#
#   # storage class of the PVC volume
#   storageClassName: storage-class-name

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap with defaults applied to TaskRuns and PipelineRuns.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-defaults
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  # Everything under _example is one string value, not live configuration;
  # a key takes effect only when it is copied up into `data` itself.
  # NOTE(review): the example lists default-service-account: "default".
  # Runs that name no service account presumably execute as that account -
  # confirm, and keep its RBAC and attached secrets minimal.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # default-timeout-minutes contains the default number of
    # minutes to use for TaskRun and PipelineRun, if none is specified.
    default-timeout-minutes: "60"  # 60 minutes

    # default-service-account contains the default service account name
    # to use for TaskRun and PipelineRun, if none is specified.
    default-service-account: "default"

    # default-managed-by-label-value contains the default value given to the
    # "app.kubernetes.io/managed-by" label applied to all Pods created for
    # TaskRuns. If a user's requested TaskRun specifies another value for this
    # label, the user's request supercedes.
    default-managed-by-label-value: "tekton-pipelines"

    # default-pod-template contains the default pod template to use for
    # TaskRun and PipelineRun. If a pod template is specified on the
    # PipelineRun, the default-pod-template is merged with that one.
    # default-pod-template:

    # default-affinity-assistant-pod-template contains the default pod template
    # to use for affinity assistant pods. If a pod template is specified on the
    # PipelineRun, the default-affinity-assistant-pod-template is merged with
    # that one.
    # default-affinity-assistant-pod-template:

    # default-cloud-events-sink contains the default CloudEvents sink to be
    # used for TaskRun and PipelineRun, when no sink is specified.
    # Note that right now it is still not possible to set a PipelineRun or
    # TaskRun specific sink, so the default is the only option available.
    # If no sink is specified, no CloudEvent is generated
    # default-cloud-events-sink:

    # default-task-run-workspace-binding contains the default workspace
    # configuration provided for any Workspaces that a Task declares
    # but that a TaskRun does not explicitly provide.
    # default-task-run-workspace-binding: |
    #   emptyDir: {}

    # default-max-matrix-combinations-count contains the default maximum number
    # of combinations from a Matrix, if none is specified.
    default-max-matrix-combinations-count: "256"

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap of feature flags. Unlike the _example blocks elsewhere in this
# file, the keys below are live values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  # Setting this flag to "true" will prevent Tekton from creating an
  # Affinity Assistant for every TaskRun sharing a PVC workspace
  #
  # The default behaviour is for Tekton to create Affinity Assistants
  #
  # See more in the workspace documentation about Affinity Assistant
  # https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#affinity-assistant-and-specifying-workspace-order-in-a-pipeline
  # or https://github.com/tektoncd/pipeline/pull/2630 for more info.
  disable-affinity-assistant: "false"
  # Setting this flag to "true" will prevent Tekton scanning attached
  # service accounts and injecting any credentials it finds into your
  # Steps.
  #
  # The default behaviour currently is for Tekton to search service
  # accounts for secrets matching a specified format and automatically
  # mount those into your Steps.
  #
  # Note: setting this to "true" will prevent PipelineResources from
  # working.
  #
  # See https://github.com/tektoncd/pipeline/issues/2791 for more
  # info.
  #
  # NOTE(review): with "false", matching secrets on the service account a run
  # uses are mounted into its Steps automatically, so a Step from a Task you
  # did not write can read them. Keep those service accounts narrowly scoped,
  # or set "true" where PipelineResources are not needed.
  disable-creds-init: "false"
  # This option should be set to false when Pipelines is running in a
  # cluster that does not use injected sidecars such as Istio. Setting
  # it to false should decrease the time it takes for a TaskRun to start
  # running. For clusters that use injected sidecars, setting this
  # option to false can lead to unexpected behavior.
  #
  # See https://github.com/tektoncd/pipeline/issues/2080 for more info.
  running-in-environment-with-injected-sidecars: "true"
  # Setting this flag to "true" will require that any Git SSH Secret
  # offered to Tekton must have known_hosts included.
  #
  # See https://github.com/tektoncd/pipeline/issues/2981 for more
  # info.
  #
  # NOTE(review): with "false", Git SSH secrets without known_hosts are
  # accepted, so the Git server's host key presumably goes unverified for
  # them (see the linked issue). Consider "true" for production, for example
  # in tekton/overlays/production/configmap-feature-flags-patch.yaml.
  require-git-ssh-secret-known-hosts: "false"
  # Setting this flag to "true" enables the use of Tekton OCI bundle.
  # This is an experimental feature and thus should still be considered
  # an alpha feature.
  enable-tekton-oci-bundles: "false"
  # Setting this flag to "true" enables the use of custom tasks from
  # within pipelines.
  # This is an experimental feature and thus should still be considered
  # an alpha feature.
  enable-custom-tasks: "false"
  # Setting this flag will determine which gated features are enabled.
  # Acceptable values are "stable" or "alpha".
  enable-api-fields: "stable"
  # Setting this flag to "true" enables CloudEvents for Runs, as long as a
  # CloudEvents sink is configured in the config-defaults config map
  send-cloudevents-for-runs: "false"

---
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap that publishes the installed Pipelines version.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pipelines-info
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  # Contains pipelines version which can be queried by external
  # tools such as CLI. Elevated permissions are already given to
  # this ConfigMap such that even if we don't have access to
  # other resources in the namespace we still can have access to
  # this ConfigMap.
  #
  # NOTE(review): the Role and RoleBinding that grant this access are not in
  # this part of the file. The version string is therefore readable well
  # beyond the namespace's own users; treat it as public information.
  version: "v20220623-a84f97e8a5"

---
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap with leader-election timings; the controller Deployment refers to
# it by name through CONFIG_LEADERELECTION_NAME.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-leader-election
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  # An inactive but valid configuration follows; see example.
  lease-duration: "60s"
  renew-deadline: "40s"
  retry-period: "10s"

---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap with the zap logger configuration and per-component log levels.
# The controller Deployment mounts it at /etc/config-logging.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  # Common configuration for all knative codebase
  # Logs are JSON on stdout/stderr at level "info"; "sampling" is enabled, so
  # repeated entries may be dropped - keep that in mind when using these logs
  # as an audit or detection source.
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "ts",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "iso8601",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }
  # Log level overrides
  loglevel.controller: "info"
  loglevel.webhook: "info"

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap for metrics settings. Only an _example string is shipped, so no
# key in it is live configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-observability
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using Stackdriver will incur additional charges.
    metrics.backend-destination: prometheus

    # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used and metrics will be sent to the cluster's project if this field is
    # not provided.
    metrics.stackdriver-project-id: ""

    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed
    # to send metrics to Stackdriver using "global" resource type and custom
    # metric type. Setting this flag to "true" could cause extra Stackdriver
    # charge. If metrics.backend-destination is not Stackdriver, this is
    # ignored.
    metrics.allow-stackdriver-custom-metrics: "false"
    metrics.taskrun.level: "task"
    metrics.taskrun.duration-type: "histogram"
    metrics.pipelinerun.level: "pipeline"
    metrics.pipelinerun.duration-type: "histogram"

---
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap for an additional registry certificate. It ships with no data.
# The controller Deployment mounts it at /etc/config-registry-cert and points
# SSL_CERT_FILE at its `cert` key.
# NOTE(review): a certificate placed here is presumably trusted by the
# controller for its TLS connections, so write access to this ConfigMap
# amounts to control over a trust anchor - restrict who can edit it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-registry-cert
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
# data:
#  # Registry's self-signed certificate
#  cert: |

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
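
# Deployment of the Tekton Pipelines controller (single replica) in the
# tekton-pipelines namespace.
# This file is a vendored upstream release manifest. Local hardening is
# easier to keep across upgrades when it is also carried as a kustomize patch
# under tekton/overlays/production.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v20220623-a84f97e8a5"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    # labels below are related to istio and should not be used for resource lookup
    version: "v20220623-a84f97e8a5"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-pipelines
  template:
    metadata:
      labels:
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "v20220623-a84f97e8a5"
        app.kubernetes.io/part-of: tekton-pipelines
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
        # labels below are related to istio and should not be used for resource lookup
        app: tekton-pipelines-controller
        version: "v20220623-a84f97e8a5"
    spec:
      # Schedule only on non-Windows nodes.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: NotIn
                    values:
                      - windows
      serviceAccountName: tekton-pipelines-controller
      containers:
        - name: tekton-pipelines-controller
          # Every image in this manifest is pinned by digest, so the content
          # that runs cannot change underneath the tag.
          # NOTE(review): the controller images come from the tekton-nightly
          # repository; confirm that a nightly build, rather than a tagged
          # release, is what production should run.
          image: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/controller:v20220623-a84f97e8a5@sha256:56884c214e5cc606d500c1dde0192a16b5dfad320c25ae3b7fb0f41dc1899263
          args: [
            # These images are built on-demand by `ko resolve` and are replaced
            # by image references by digest.
            "-kubeconfig-writer-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v20220623-a84f97e8a5@sha256:32507c280e0616dcecf4ddafd840e984b04c469d30263f5d67660960fe13873c",
            "-git-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/git-init:v20220623-a84f97e8a5@sha256:60b9ac8790d5196a74f38e588e0e80330582089dea02106034868cb2b8b442cd",
            "-entrypoint-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/entrypoint:v20220623-a84f97e8a5@sha256:90bb81729b81e8861e65e63454438d54deb60e32bf00f46f93221bc57fd8bede",
            "-nop-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/nop:v20220623-a84f97e8a5@sha256:6bbaf84e6149ef8277fc915de84999014f035335d24def4faf44b4076ef9fad5",
            "-imagedigest-exporter-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v20220623-a84f97e8a5@sha256:e2fd7404c77f588539e3b631403a00ab8af25ea9ea9c5f5be0b35c0c3787b1a2",
            "-pr-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/pullrequest-init:v20220623-a84f97e8a5@sha256:2a7ab64a51b230e564361069c8b86c7f3a13e153886fe128bf530c2981b8d9c7",
            "-workingdirinit-image", "gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/workingdirinit:v20220623-a84f97e8a5@sha256:065d1173e04e40c939a490d8d9dff501b3f01e438118c137f40079bd117419eb",
            # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
            "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
            # The shell image must allow root in order to create directories and copy files to PVCs.
            # ghcr.io/distroless/busybox as of April 14 2022
            # The image reference must not contain a tag, so that it is supported on a runtime like cri-o
            "-shell-image", "ghcr.io/distroless/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791",
            # for script mode to work with windows we need a powershell image
            # pinning to nanoserver tag as of July 15 2021
            "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"]
          volumeMounts:
            - name: config-logging
              mountPath: /etc/config-logging
            - name: config-registry-cert
              mountPath: /etc/config-registry-cert
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the controller's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_DEFAULTS_NAME
              value: config-defaults
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_ARTIFACT_BUCKET_NAME
              value: config-artifact-bucket
            - name: CONFIG_ARTIFACT_PVC_NAME
              value: config-artifact-pvc
            - name: CONFIG_FEATURE_FLAGS_NAME
              value: feature-flags
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            # Points at the `cert` key of the mounted config-registry-cert
            # ConfigMap, which ships without data in this manifest.
            - name: SSL_CERT_FILE
              value: /etc/config-registry-cert/cert
            - name: SSL_CERT_DIR
              value: /etc/ssl/certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                # Upper case: the "restricted" Pod Security Standard checks for
                # the literal value ALL.
                - ALL
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # Have the kubelet refuse to start the container as UID 0 even if
            # runAsUser is later removed or overridden.
            runAsNonRoot: true
            # Apply the container runtime's default seccomp filter instead of
            # running unconfined.
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): readOnlyRootFilesystem is not set; confirm the
            # controller needs no writable paths before enabling it.
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: probes
              containerPort: 8080
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
      volumes:
        - name: config-logging
          configMap:
            name: config-logging
        - name: config-registry-cert
          configMap:
            name: config-registry-cert
---
# Service in front of the controller pods, publishing the metrics (9090),
# profiling (8008) and probes (8080) ports inside the cluster.
# NOTE(review): no authentication is configured on these ports in this
# manifest. Use a NetworkPolicy to limit 9090 to the metrics scraper, and
# 8008 to operators or nobody if profiling is not used.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v20220623-a84f97e8a5"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    # labels below are related to istio and should not be used for resource lookup
    app: tekton-pipelines-controller
    version: "v20220623-a84f97e8a5"
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
    - name: http-metrics
      port: 9090
      protocol: TCP
      targetPort: 9090
    - name: http-profiling
      port: 8008
      targetPort: 8008
    - name: probes
      port: 8080
  selector:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.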
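# HorizontalPodAutoscaler for the tekton-pipelines-webhook Deployment: scales it
# between 1 and 5 replicas on average CPU utilization.
# NOTE(review): autoscaling/v2beta1 is no longer served from Kubernetes v1.25.
# On such clusters this object needs `apiVersion: autoscaling/v2`, where the CPU
# target is written as `target: {type: Utilization, averageUtilization: 100}`.
# Left unchanged because the target cluster version is not visible here.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v20220623-a84f97e8a5"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    # labels below are related to istio and should not be used for resource lookup
    version: "v20220623-a84f97e8a5"
spec:
  minReplicas: 1
  maxReplicas: 5
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: tekton-pipelines-webhook
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Utilization is measured against the container's CPU request
        # (100m in the Deployment below), so 100 means "scale out once the
        # average pod uses its full request".
        targetAverageUtilization: 100

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deployment of the Tekton Pipelines webhook: a single container that listens
# on 8443 (https-webhook), 9090 (metrics), 8008 (profiling) and 8080 (probes).
apiVersion: apps/v1
kind: Deployment
metadata:
  # Note: the Deployment name must be the same as the Service name specified in
  # config/400-webhook-service.yaml. If you change this name, you must also
  # change the value of WEBHOOK_SERVICE_NAME below.
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v20220623-a84f97e8a5"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    # labels below are related to istio and should not be used for resource lookup
    version: "v20220623-a84f97e8a5"
spec:
  # Initial replica count; the HorizontalPodAutoscaler of the same name
  # adjusts it between 1 and 5.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/component: webhook
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-pipelines
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webhook
        app.kubernetes.io/component: webhook
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "v20220623-a84f97e8a5"
        app.kubernetes.io/part-of: tekton-pipelines
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
        # labels below are related to istio and should not be used for resource lookup
        app: tekton-pipelines-webhook
        version: "v20220623-a84f97e8a5"
    spec:
      affinity:
        # Hard requirement: never schedule onto Windows nodes.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: NotIn
                    values:
                      - windows
        # Soft preference: spread webhook replicas across hosts.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: webhook
                    app.kubernetes.io/component: webhook
                    app.kubernetes.io/instance: default
                    app.kubernetes.io/part-of: tekton-pipelines
                topologyKey: kubernetes.io/hostname
              weight: 100
      serviceAccountName: tekton-pipelines-webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          # The reference is pinned by digest, so the tag is informational and
          # the image content cannot change under this reference. The repository
          # path is a nightly build (tekton-nightly), not a tagged release.
          image: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/cmd/webhook:v20220623-a84f97e8a5@sha256:cde901ac3c5eb4bfe1c29bab733899de241aba6629bbb4b2c2864b9c49f7158e
          # Resource request required for autoscaler to take any action for a metric
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: 500m
              memory: 500Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the webhook's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            - name: CONFIG_FEATURE_FLAGS_NAME
              value: feature-flags
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-pipelines-webhook
            # NOTE(review): presumably the Secret that holds the webhook's TLS
            # serving material; confirm and keep access to it narrowly scoped.
            - name: WEBHOOK_SECRET_NAME
              value: webhook-certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                # Upper case on purpose: the Pod Security Standards
                # "restricted" profile matches the literal value ALL.
                - ALL
            # Make the kubelet refuse to start the container as UID 0 even if
            # runAsUser is later removed or overridden by a patch.
            runAsNonRoot: true
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # Apply the container runtime's default seccomp filter instead of
            # running unconfined.
            seccompProfile:
              type: RuntimeDefault
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
            - name: probes
              containerPort: 8080
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
---
# Service in front of the webhook pods. Port 443 forwards to the container's
# 8443; the API server reaches the webhook through this Service.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v20220623-a84f97e8a5"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v20220623-a84f97e8a5"
    # labels below are related to istio and should not be used for resource lookup
    app: tekton-pipelines-webhook
    version: "v20220623-a84f97e8a5"
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  ports:
    # Define metrics and profiling for them to be accessible within service meshes.
    # NOTE(review): publishing 9090 and 8008 on the Service makes them
    # reachable by any workload that can reach the Service. Whether the
    # profiling handler answers is presumably controlled by
    # config-observability; confirm, and restrict these ports with a
    # NetworkPolicy if only the metrics scraper needs them.
    - name: http-metrics
      port: 9090
      targetPort: 9090
    - name: http-profiling
      port: 8008
      targetPort: 8008
    - name: https-webhook
      port: 443
      targetPort: 8443
    - name: probes
      port: 8080
  selector:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines

---
--------------------------------------------------------------------------------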