diff --git a/apps/tekton/README.md b/apps/tekton/README.md index 12ff737..75cf2d6 100644 --- a/apps/tekton/README.md +++ b/apps/tekton/README.md @@ -1,8 +1,6 @@ Install: # Pipelines: @kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml@ -# Triggers: @kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml@ #https://github.com/tektoncd/triggers/blob/master/docs/install.md -# Dashboard: -## update submodule in ./dashboard -## Build: @docker build -t tekton-dashboard:arm64 -t docker-registry.lan/tekton-dashboard:arm64 --platform linux/arm64 --build-arg GOARCH=arm64 .@ -## apply deployment.yaml +# Triggers: @kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml@ + @kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml@ #https://github.com/tektoncd/triggers/blob/master/docs/install.md +# Dashboard: @kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release.yaml@ diff --git a/apps/tekton/tekton-dashboard-release.yaml b/apps/tekton/tekton-dashboard-release.yaml deleted file mode 100644 index c7eb3da..0000000 --- a/apps/tekton/tekton-dashboard-release.yaml +++ /dev/null 
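Review bot: The added `# Triggers:` and `# Dashboard:` lines apply manifests straight from `.../latest/...` URLs, so the RBAC rules and images that get installed can change between runs without any change in this repository, whereas the files deleted in this same commit were pinned copies (`tektoncd-0.20.1-release.yaml`, dashboard labelled `v0.11.1`). Pin each command to a released version instead, for example `@kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/previous/<VERSION>/tekton-dashboard-release.yaml@`, and review the manifest diff whenever the version is bumped. The deleted dashboard manifest also carried what look like local additions (the `docker-registry.lan/tekton-dashboard:arm64` image and an Ingress for `tekton.lan`), so the README should say whether those are still needed once the upstream file is applied.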
@@ -1,526 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: extensions.dashboard.tekton.dev -spec: - additionalPrinterColumns: - - JSONPath: .spec.apiVersion - name: API version - type: string - - JSONPath: .spec.name - name: Kind - type: string - - JSONPath: .spec.displayname - name: Display name - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: dashboard.tekton.dev - names: - categories: - - tekton - - tekton-dashboard - kind: Extension - plural: extensions - shortNames: - - ext - - exts - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - versions: - - name: v1alpha1 - served: true - storage: true ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-backend -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - use - - apiGroups: - - tekton.dev - resources: - - clustertasks - - clustertasks/status - verbs: - - get - - list - - watch - - apiGroups: - - triggers.tekton.dev - resources: - - clustertriggerbindings - verbs: - - get - - list - - watch - - apiGroups: - - dashboard.tekton.dev - resources: - - extensions - verbs: - - create - - update 
- - delete - - patch - - apiGroups: - - tekton.dev - resources: - - clustertasks - - clustertasks/status - verbs: - - create - - update - - delete - - patch - - apiGroups: - - triggers.tekton.dev - resources: - - clustertriggerbindings - verbs: - - create - - update - - delete - - patch - - add ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-dashboard -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - list ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.dashboard.tekton.dev/aggregate-to-dashboard: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-extensions ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-pipelines -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-tenant -rules: - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - dashboard.tekton.dev - resources: - - extensions - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - - pods/log - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - pipelineresources - - 
conditions - - tasks/status - - taskruns/status - - pipelines/status - - pipelineruns/status - - taskruns/finalizers - - pipelineruns/finalizers - verbs: - - get - - list - - watch - - apiGroups: - - triggers.tekton.dev - resources: - - eventlisteners - - triggerbindings - - triggertemplates - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - update - - patch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - pipelineresources - - conditions - - taskruns/finalizers - - pipelineruns/finalizers - - tasks/status - - taskruns/status - - pipelines/status - - pipelineruns/status - verbs: - - create - - update - - delete - - patch - - apiGroups: - - triggers.tekton.dev - resources: - - eventlisteners - - triggerbindings - - triggertemplates - verbs: - - create - - update - - delete - - patch - - add ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-triggers -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-backend -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-backend -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - 
app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.11.1 - dashboard.tekton.dev/release: v0.11.1 - version: v0.11.1 - name: tekton-dashboard - namespace: tekton-pipelines -spec: - ports: - - name: http - port: 9097 - protocol: TCP - targetPort: 9097 - selector: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.11.1 - dashboard.tekton.dev/release: v0.11.1 - version: v0.11.1 - name: tekton-dashboard - namespace: tekton-pipelines -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - template: - metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.11.1 - name: tekton-dashboard - spec: - containers: - - args: - - --port=9097 - - --logout-url= - - --pipelines-namespace=tekton-pipelines - - --triggers-namespace=tekton-pipelines - - --read-only=false - - --csrf-secure-cookie=false - - --log-level=info - - --log-format=json - - --namespace= - - --openshift=false - - --stream-logs=false - - --external-logs= - env: - - name: INSTALLED_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: WEB_RESOURCES_DIR - value: /go/src/github.com/tektoncd/dashboard/web - - name: TEKTON_PIPELINES_WEB_RESOURCES_DIR - value: /go/src/github.com/tektoncd/dashboard/web - #image: 
gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:744eb92d7d0365bbfb2405df4ba4d2a66c01edc26028c362bd5675e2bc1b9626 - image: docker-registry.lan/tekton-dashboard:arm64 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /health - port: 9097 - name: tekton-dashboard - ports: - - containerPort: 9097 - readinessProbe: - httpGet: - path: /readiness - port: 9097 - securityContext: - runAsNonRoot: true - runAsUser: 65532 - serviceAccountName: tekton-dashboard - volumes: [] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-pipelines - namespace: tekton-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-pipelines -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-dashboard - namespace: tekton-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-dashboard -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-triggers - namespace: tekton-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-triggers -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding 
-metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-tenant -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-tenant -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-extensions -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-extensions -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: tekton-dashboard - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard -spec: - rules: - - host: tekton.lan - http: - paths: - - backend: - serviceName: tekton-dashboard - servicePort: 9097 - diff --git a/apps/tekton/tektoncd-0.20.1-release.yaml b/apps/tekton/tektoncd-0.20.1-release.yaml deleted file mode 100644 index 16dbd1f..0000000 --- a/apps/tekton/tektoncd-0.20.1-release.yaml +++ /dev/null 
@@ -1,2006 +0,0 @@ -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Namespace -metadata: - name: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - 'emptyDir' - - 'configMap' - - 'secret' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - # Namespace access is required because the controller timeout handling logic - # iterates over all namespaces and times out any PipelineRuns that have expired. - # Pod access is required because the taskrun controller wants to be updated when - # a Pod underlying a TaskRun changes state. - resources: ["namespaces", "pods"] - verbs: ["list", "watch"] - # Controller needs cluster access to all of the CRDs that it is responsible for - # managing. 
- - apiGroups: ["tekton.dev"] - resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # This is the access that the controller needs on a per-namespace basis. - name: tekton-pipelines-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["pods", "pods/log", "secrets", "events", "serviceaccounts", "configmaps", "persistentvolumeclaims", "limitranges"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - # Unclear if this access is actually required. Simply a hold-over from the previous - # incarnation of the controller's ClusterRole. 
- - apiGroups: ["apps"] - resources: ["deployments", "statefulsets"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["apps"] - resources: ["deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # The webhook needs to be able to list and update customresourcedefinitions, - # mainly to update the webhook certificates. - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "list", "update", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - # The webhook performs a reconciliation on these two resources and continuously - # updates configuration. - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - # knative starts informers on these things, which is why we need get, list and watch. - verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - # This mutating webhook is responsible for applying defaults to tekton objects - # as they are received. - resourceNames: ["webhook.pipeline.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the mutatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. 
- # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure - resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the validatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The controller needs access to these configmaps for logging information and runtime configuration. 
- - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags", "config-leader-election", "config-registry-cert"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The webhook needs access to these configmaps for logging information. - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "config-leader-election"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["list", "watch"] - # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever - # the secret changes it updates the webhook configurations with the certificates - # stored in the secret. 
- - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] - resourceNames: ["webhook-certs"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines"] - verbs: ["use"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-leader-election - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # We uses leases for leaderelection - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-controller-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -# If this ClusterRoleBinding is replaced with a RoleBinding -# then the ClusterRole would be namespaced. The access described by -# the tekton-pipelines-controller-tenant-access ClusterRole would -# be scoped to individual tenant namespaces. 
-apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-controller-tenant-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-webhook-cluster-access - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-controller - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-webhook - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: tekton-pipelines-controller-leaderelection - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-leader-election - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: tekton-pipelines-webhook-leaderelection - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-leader-election - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2019 The Tekton Authors -# -# 
Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustertasks.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - &version - name: v1alpha1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - !!merge <<: *version - name: v1beta1 - storage: true - names: - kind: ClusterTask - plural: clustertasks - categories: - - tekton - - tekton-pipelines - scope: Cluster - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: conditions.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: Condition - plural: conditions - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2018 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: images.caching.internal.knative.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - knative.dev/crd-install: "true" -spec: - group: caching.internal.knative.dev - version: v1alpha1 - names: - kind: Image - plural: images - singular: image - categories: - - knative-internal - - caching - shortNames: - - img - scope: Namespaced - subresources: - status: {} - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelines.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - &version - name: v1alpha1 - served: true - storage: false - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - - !!merge <<: *version - name: v1beta1 - storage: true - names: - kind: Pipeline - plural: pipelines - categories: - - tekton - - tekton-pipelines - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelineruns.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - &version - name: v1alpha1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - !!merge <<: *version - name: v1beta1 - storage: true - names: - kind: PipelineRun - plural: pipelineruns - categories: - - tekton - - tekton-pipelines - shortNames: - - pr - - prs - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in 
compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelineresources.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: PipelineResource - plural: pipelineresources - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: runs.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: Run - plural: runs - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tasks.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - &version - name: v1alpha1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - !!merge <<: *version - name: v1beta1 - storage: true - names: - kind: Task - plural: tasks - categories: - - tekton - - tekton-pipelines - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: taskruns.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" - version: "v0.20.1" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - &version - name: v1alpha1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - !!merge <<: *version - name: v1beta1 - storage: true - names: - kind: TaskRun - plural: taskruns - categories: - - tekton - - tekton-pipelines - shortNames: - - tr - - trs - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: webhook-certs - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" -# The data is populated at install time. ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: validation.webhook.pipeline.tekton.dev ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: webhook.pipeline.tekton.dev ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - 
app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.20.1" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: config.webhook.pipeline.tekton.dev - objectSelector: - matchLabels: - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tekton-aggregate-edit - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - pipelineresources - - conditions - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tekton-aggregate-view - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - pipelineresources - - conditions - verbs: - - get - - list - - watch - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-artifact-bucket - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -# data: -# # location of the gcs bucket to be used for artifact storage -# location: "gs://bucket-name" -# # name of the secret that will contain the credentials for the service account -# # with access to the bucket -# bucket.service.account.secret.name: -# # The key in the secret with the required service account json -# bucket.service.account.secret.key: -# # The field name that should be used for the service account -# # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG. -# bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-artifact-pvc - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -# data: -# # size of the PVC volume -# size: 5Gi -# -# # storage class of the PVC volume -# storageClassName: storage-class-name - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-defaults - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # default-timeout-minutes contains the default number of - # minutes to use for TaskRun and PipelineRun, if none is specified. - default-timeout-minutes: "60" # 60 minutes - - # default-service-account contains the default service account name - # to use for TaskRun and PipelineRun, if none is specified. - default-service-account: "default" - - # default-managed-by-label-value contains the default value given to the - # "app.kubernetes.io/managed-by" label applied to all Pods created for - # TaskRuns. If a user's requested TaskRun specifies another value for this - # label, the user's request supercedes. - default-managed-by-label-value: "tekton-pipelines" - - # default-pod-template contains the default pod template to use - # TaskRun and PipelineRun, if none is specified. If a pod template - # is specified, the default pod template is ignored. 
- # default-pod-template: - - # default-cloud-events-sink contains the default CloudEvents sink to be - # used for TaskRun and PipelineRun, when no sink is specified. - # Note that right now it is still not possible to set a PipelineRun or - # TaskRun specific sink, so the default is the only option available. - # If no sink is specified, no CloudEvent is generated - # default-cloud-events-sink: - - # default-task-run-workspace-binding contains the default workspace - # configuration provided for any Workspaces that a Task declares - # but that a TaskRun does not explicitly provide. - # default-task-run-workspace-binding: | - # emptyDir: {} - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: feature-flags - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # Setting this flag to "true" will prevent Tekton to create an - # Affinity Assistant for every TaskRun sharing a PVC workspace - # - # The default behaviour is for Tekton to create Affinity Assistants - # - # See more in the workspace documentation about Affinity Assistant - # https://github.com/tektoncd/pipeline/blob/master/docs/workspaces.md#affinity-assistant-and-specifying-workspace-order-in-a-pipeline - # or https://github.com/tektoncd/pipeline/pull/2630 for more info. 
- disable-affinity-assistant: "false" - # Setting this flag to "true" will prevent Tekton overriding your - # Task container's $HOME environment variable. - # - # The default behaviour currently is for Tekton to override the - # $HOME environment variable but this will change in an upcoming - # release. - # - # See https://github.com/tektoncd/pipeline/issues/2013 for more - # info. - disable-home-env-overwrite: "false" - # Setting this flag to "true" will prevent Tekton overriding your - # Task container's working directory. - # - # The default behaviour currently is for Tekton to override the - # working directory if not set by the user but this will change - # in an upcoming release. - # - # See https://github.com/tektoncd/pipeline/issues/1836 for more - # info. - disable-working-directory-overwrite: "false" - # Setting this flag to "true" will prevent Tekton scanning attached - # service accounts and injecting any credentials it finds into your - # Steps. - # - # The default behaviour currently is for Tekton to search service - # accounts for secrets matching a specified format and automatically - # mount those into your Steps. - # - # Note: setting this to "true" will prevent PipelineResources from - # working. - # - # See https://github.com/tektoncd/pipeline/issues/1836 for more - # info. - disable-creds-init: "false" - # This option should be set to false when Pipelines is running in a - # cluster that does not use injected sidecars such as Istio. Setting - # it to false should decrease the time it takes for a TaskRun to start - # running. For clusters that use injected sidecars, setting this - # option to false can lead to unexpected behavior. - # - # See https://github.com/tektoncd/pipeline/issues/2080 for more info. - running-in-environment-with-injected-sidecars: "true" - # Setting this flag to "true" will require that any Git SSH Secret - # offered to Tekton must have known_hosts included. 
- # - # See https://github.com/tektoncd/pipeline/issues/2981 for more - # info. - require-git-ssh-secret-known-hosts: "false" - # Setting this flag to "true" enables the use of Tekton OCI bundle. - # This is an experimental feature and thus should still be considered - # an alpha feature. - enable-tekton-oci-bundles: "false" - # Setting this flag to "true" enables the use of custom tasks from - # within pipelines. - # This is an experimental feature and thus should still be considered - # an alpha feature. - enable-custom-tasks: "false" - ---- -# Copyright 2020 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-leader-election - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # An inactive but valid configuration follows; see example. - leaseDuration: "15s" - renewDeadline: "10s" - retryPeriod: "2s" - ---- -# Copyright 2019 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-logging - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # Common configuration for all knative codebase - zap-logger-config: | - { - "level": "info", - "development": false, - "sampling": { - "initial": 100, - "thereafter": 100 - }, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "", - "callerEncoder": "" - } - } - # Log level overrides - loglevel.controller: "info" - loglevel.webhook: "info" - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-observability - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using Stackdriver will incur additional charges. - metrics.backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used and metrics will be sent to the cluster's project if this field is - # not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed - # to send metrics to Stackdriver using "global" resource type and custom - # metric type. Setting this flag to "true" could cause extra Stackdriver - # charge. If metrics.backend-destination is not Stackdriver, this is - # ignored. - metrics.allow-stackdriver-custom-metrics: "false" - ---- -# Copyright 2020 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-registry-cert - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -# data: -# # Registry's self-signed certificate -# cert: | - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - version: "v0.20.1" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-controller - version: "v0.20.1" - spec: - serviceAccountName: tekton-pipelines-controller - containers: - - name: tekton-pipelines-controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.20.1@sha256:2e7c84d4280a03d75a7a8f32dbe4084f608f01d7ddf43f903560645bd6cd46de - args: [ - # Version, to be replace at release time - "-version", "v0.20.1", - # These images are built on-demand by `ko resolve` and are replaced - # by image references by digest. 
- "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.20.1@sha256:b2c6d0962cda88fb3095128b6202da9b0e6c9c0df3ef6cf7863505ffd25072fd", "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.20.1@sha256:a0f7a0948152a401f587dde580b41b5e80b52f3432aba7902166aa79941e8835", "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.20.1@sha256:15f7c3c278decc9373dfe49e220734fb9f55bfc5263ddbbddb44ac24ed7d4638", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.20.1@sha256:4e2aeda1d2ffc7d4d71ab5967ef42706f4957b45ec43742b2d3b9e846d3db0d2", "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.20.1@sha256:b3cde192d0f82d49ef93d3f3f0c0f60fac116463c021a85619b273425655feb7", "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.20.1@sha256:69633ecd0e948f6462c61bb9e008b940a05b143ef51c67e6e4093278a23dac53", "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.20.1@sha256:184a9ee5730cdd4fd219c9f57b503b1bb1b5093b53f359cbd118ab58f7959dd4", - # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim - "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f", - # The shell image must be root in order to create directories and copy files to PVCs. 
- # gcr.io/distroless/base:debug as of November 15, 2020 - # image shall not contains tag, so it will be supported on a runtime like cri-o - "-shell-image", "gcr.io/distroless/base@sha256:92720b2305d7315b5426aec19f8651e9e04222991f877cae71f40b3141d2f07e"] - volumeMounts: - - name: config-logging - mountPath: /etc/config-logging - - name: config-registry-cert - mountPath: /etc/config-registry-cert - - name: ssl-certs - mountPath: /etc/ssl/certs - readOnly: true - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the controller's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. - - name: CONFIG_DEFAULTS_NAME - value: config-defaults - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_ARTIFACT_BUCKET_NAME - value: config-artifact-bucket - - name: CONFIG_ARTIFACT_PVC_NAME - value: config-artifact-pvc - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: SSL_CERT_FILE - value: /etc/config-registry-cert/cert - - name: SSL_CERT_DIR - value: /etc/ssl/certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - # User 65532 is the distroless nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - ports: - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - volumes: - - name: config-logging - configMap: - name: config-logging - - name: config-registry-cert - configMap: - name: config-registry-cert - - name: ssl-certs - 
hostPath: - path: /etc/ssl/certs - type: Directory ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-controller - version: "v0.20.1" - name: tekton-pipelines-controller - namespace: tekton-pipelines -spec: - ports: - - name: http-metrics - port: 9090 - protocol: TCP - targetPort: 9090 - - name: probes - port: 8080 - selector: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - version: "v0.20.1" -spec: - minReplicas: 1 - maxReplicas: 5 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: tekton-pipelines-webhook - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 100 ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - version: "v0.20.1" -spec: - minAvailable: 80% - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - # Note: the Deployment name must be the same as the Service name specified in - # config/400-webhook-service.yaml. If you change this name, you must also - # change the value of WEBHOOK_SERVICE_NAME below. - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - version: "v0.20.1" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-webhook - version: "v0.20.1" - spec: - affinity: - 
podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: tekton-pipelines-webhook - containers: - - name: webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.20.1@sha256:48708800185088e4a87c3ceb8fb1059ea657efa46fe091af87173ab635ef3309 - # Resource request required for autoscaler to take any action for a metric - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the webhook's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: WEBHOOK_SERVICE_NAME - value: tekton-pipelines-webhook - - name: WEBHOOK_SECRET_NAME - value: webhook-certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - # User 65532 is the distroless nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.20.1" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.20.1" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-webhook - version: "v0.20.1" - name: tekton-pipelines-webhook - namespace: tekton-pipelines -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. 
- - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - - name: probes - port: 8080 - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ----