Amend/tekton helm charts (#47)

Makefile

@@ -14,6 +14,19 @@ else
 endif
 	jx gitops split -d ${CHART_DIR}/templates
 	jx gitops rename -d ${CHART_DIR}/templates
+    # Remove tekton-pipelines-resolvers-ns
+	rm -r charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml
+	# Amend subjects.namespace with release.namespace
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '   charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '   charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '	  charts/tekton-pipeline/templates/tekton-pipelines-webhook-rb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '	  charts/tekton-pipeline/templates/tekton-pipelines-controller-rb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '	  charts/tekton-pipeline/templates/tekton-pipelines-controller-tenant-access-crb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '	  charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-crb.yaml
+	yq -i '.subjects[].namespace = "{{ .Release.Namespace }}" '	  charts/tekton-pipeline/templates/tekton-pipelines-webhook-leaderelection-rb.yaml
+
+	# Remove namespace from metadata to force with helm install
+	yq -i eval 'del(.metadata.namespace)' charts/tekton-pipeline/templates/*.yaml
 	# move content of data: from feature-slags-cm.yaml to featureFlags: in values.yaml
 	yq -i '.featureFlags = load("$(CHART_DIR)/templates/feature-flags-cm.yaml").data' $(CHART_DIR)/values.yaml
 	yq -i '.data = null' $(CHART_DIR)/templates/feature-flags-cm.yaml
@@ -67,4 +80,4 @@ test-regen:
 
 
 verify:
-	jx kube test run
+	jx kube test run

charts/tekton-pipeline/Chart.yaml

@@ -2,6 +2,6 @@ apiVersion: v1
 description: A Helm chart for Tekton Pipelines
 name: tekton-pipeline
 version: 0.6.0
-appVersion: 0.36.1
+appVersion: 0.42.0
 icon: https://avatars2.githubusercontent.com/u/47602533
 home: https://github.com/cdfoundation/tekton-helm-chart

charts/tekton-pipeline/patches/config-defaults-cm.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-defaults
-  namespace: tekton-pipelines
 data:
   helmTemplateRemoveMe: |
     {{- toYaml .Values.configDefaults | nindent 2 }}

charts/tekton-pipeline/patches/feature-flags-cm.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: feature-flags
-  namespace: tekton-pipelines
 data:
   helmTemplateRemoveMe: |
     {{- toYaml .Values.featureFlags | nindent 2 }}

charts/tekton-pipeline/patches/tekton-pipelines-controller-deploy.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: tekton-pipelines-controller
-  namespace: tekton-pipelines
   labels:
     helmTemplateRemoveMe: |
       {{- with .Values.controller.deployment.labels }}

charts/tekton-pipeline/patches/tekton-pipelines-webhook-deploy.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: tekton-pipelines-webhook
-  namespace: tekton-pipelines
   labels:
     helmTemplateRemoveMe: |
       {{- with .Values.webhook.deployment.labels }}

charts/tekton-pipeline/templates/bundleresolver-config-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: bundleresolver-config
-  namespace: tekton-pipelines-resolvers
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -25,4 +24,4 @@ data:
   # the default service account name to use for bundle requests.
   default-service-account: "default"
   # The default layer kind in the bundle image.
-  default-kind: "task"
+  default-kind: "task"

charts/tekton-pipeline/templates/cluster-resolver-config-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: cluster-resolver-config
-  namespace: tekton-pipelines-resolvers
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -29,4 +28,4 @@ data:
   # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed.
   allowed-namespaces: ""
   # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed.
-  blocked-namespaces: ""
+  blocked-namespaces: ""

charts/tekton-pipeline/templates/clustertasks.tekton.dev-crd.yaml

@@ -58,4 +58,4 @@ spec:
       clientConfig:
         service:
           name: tekton-pipelines-webhook
-          namespace: tekton-pipelines
+          namespace: tekton-pipelines

charts/tekton-pipeline/templates/config-artifact-bucket-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-artifact-bucket
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
@@ -30,4 +29,4 @@ metadata:
 #  bucket.service.account.secret.key:
 #  # The field name that should be used for the service account
 #  # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG.
-#  bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS
+#  bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS

charts/tekton-pipeline/templates/config-artifact-pvc-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-artifact-pvc
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
@@ -25,4 +24,4 @@ metadata:
 #   size: 5Gi
 #
 #   # storage class of the PVC volume
-#   storageClassName: storage-class-name
+#   storageClassName: storage-class-name

charts/tekton-pipeline/templates/config-defaults-cm.yaml

@@ -16,8 +16,64 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-defaults
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
-data: null
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+
+    # This block is not actually functional configuration,
+    # but serves to illustrate the available configuration
+    # options and document them in a way that is accessible
+    # to users that `kubectl edit` this config map.
+    #
+    # These sample configuration options may be copied out of
+    # this example block and unindented to be in the data block
+    # to actually change the configuration.
+
+    # default-timeout-minutes contains the default number of
+    # minutes to use for TaskRun and PipelineRun, if none is specified.
+    default-timeout-minutes: "60"  # 60 minutes
+
+    # default-service-account contains the default service account name
+    # to use for TaskRun and PipelineRun, if none is specified.
+    default-service-account: "default"
+
+    # default-managed-by-label-value contains the default value given to the
+    # "app.kubernetes.io/managed-by" label applied to all Pods created for
+    # TaskRuns. If a user's requested TaskRun specifies another value for this
+    # label, the user's request supercedes.
+    default-managed-by-label-value: "tekton-pipelines"
+
+    # default-pod-template contains the default pod template to use for
+    # TaskRun and PipelineRun. If a pod template is specified on the
+    # PipelineRun, the default-pod-template is merged with that one.
+    # default-pod-template:
+
+    # default-affinity-assistant-pod-template contains the default pod template
+    # to use for affinity assistant pods. If a pod template is specified on the
+    # PipelineRun, the default-affinity-assistant-pod-template is merged with
+    # that one.
+    # default-affinity-assistant-pod-template:
+
+    # default-cloud-events-sink contains the default CloudEvents sink to be
+    # used for TaskRun and PipelineRun, when no sink is specified.
+    # Note that right now it is still not possible to set a PipelineRun or
+    # TaskRun specific sink, so the default is the only option available.
+    # If no sink is specified, no CloudEvent is generated
+    # default-cloud-events-sink:
+
+    # default-task-run-workspace-binding contains the default workspace
+    # configuration provided for any Workspaces that a Task declares
+    # but that a TaskRun does not explicitly provide.
+    # default-task-run-workspace-binding: |
+    #   emptyDir: {}
+
+    # default-max-matrix-combinations-count contains the default maximum number
+    # of combinations from a Matrix, if none is specified.
+    default-max-matrix-combinations-count: "256"

charts/tekton-pipeline/templates/config-leader-election-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-leader-election
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -50,4 +49,4 @@ data:
     # is N, the N replicas will compete for the M buckets. The owner of a
     # bucket will take care of the reconciling for the keys partitioned into
     # that bucket.
-    buckets: "1"
+    buckets: "1"

charts/tekton-pipeline/templates/config-logging-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-logging
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -49,4 +48,4 @@ data:
     }
   # Log level overrides
   loglevel.controller: "info"
-  loglevel.webhook: "info"
+  loglevel.webhook: "info"

charts/tekton-pipeline/templates/config-observability-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-observability
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -58,4 +57,4 @@ data:
     # metrics are not supported by "knative_revision" resource type. Setting this
     # flag to "true" could cause extra Stackdriver charge.
     # If metrics.backend-destination is not Stackdriver, this is ignored.
-    metrics.allow-stackdriver-custom-metrics: "false"
+    metrics.allow-stackdriver-custom-metrics: "false"

charts/tekton-pipeline/templates/config-registry-cert-cm.yaml

@@ -16,10 +16,9 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-registry-cert
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
 # data:
 #  # Registry's self-signed certificate
-#  cert: |
+#  cert: |

charts/tekton-pipeline/templates/config-trusted-resources-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: config-trusted-resources
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
@@ -38,4 +37,4 @@ data:
 
     # publickeys specifies the list of public keys, the paths are separated by comma
     # publickeys: "/etc/verification-secrets/cosign.pub,
-    # gcpkms://projects/tekton/locations/us/keyRings/trusted-resources/cryptoKeys/trusted-resources"
+    # gcpkms://projects/tekton/locations/us/keyRings/trusted-resources/cryptoKeys/trusted-resources"

charts/tekton-pipeline/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml

@@ -18,4 +18,4 @@ webhooks:
     name: config.webhook.pipeline.tekton.dev
     objectSelector:
       matchLabels:
-        app.kubernetes.io/part-of: tekton-pipelines
+        app.kubernetes.io/part-of: tekton-pipelines

charts/tekton-pipeline/templates/customruns.tekton.dev-crd.yaml

@@ -63,4 +63,4 @@ spec:
     categories:
       - tekton
       - tekton-pipelines
-  scope: Namespaced
+  scope: Namespaced

charts/tekton-pipeline/templates/feature-flags-cm.yaml

@@ -16,8 +16,76 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: feature-flags
-  namespace: tekton-pipelines
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
-data: null
+data:
+  # Setting this flag to "true" will prevent Tekton to create an
+  # Affinity Assistant for every TaskRun sharing a PVC workspace
+  #
+  # The default behaviour is for Tekton to create Affinity Assistants
+  #
+  # See more in the workspace documentation about Affinity Assistant
+  # https://github.com/tektoncd/pipeline/blob/main/docs/workspaces.md#affinity-assistant-and-specifying-workspace-order-in-a-pipeline
+  # or https://github.com/tektoncd/pipeline/pull/2630 for more info.
+  disable-affinity-assistant: "false"
+  # Setting this flag to "true" will prevent Tekton scanning attached
+  # service accounts and injecting any credentials it finds into your
+  # Steps.
+  #
+  # The default behaviour currently is for Tekton to search service
+  # accounts for secrets matching a specified format and automatically
+  # mount those into your Steps.
+  #
+  # Note: setting this to "true" will prevent PipelineResources from
+  # working.
+  #
+  # See https://github.com/tektoncd/pipeline/issues/2791 for more
+  # info.
+  disable-creds-init: "false"
+  # Setting this flag to "false" will stop Tekton from waiting for a
+  # TaskRun's sidecar containers to be running before starting the first
+  # step. This will allow Tasks to be run in environments that don't
+  # support the DownwardAPI volume type, but may lead to unintended
+  # behaviour if sidecars are used.
+  #
+  # See https://github.com/tektoncd/pipeline/issues/4937 for more info.
+  await-sidecar-readiness: "true"
+  # This option should be set to false when Pipelines is running in a
+  # cluster that does not use injected sidecars such as Istio. Setting
+  # it to false should decrease the time it takes for a TaskRun to start
+  # running. For clusters that use injected sidecars, setting this
+  # option to false can lead to unexpected behavior.
+  #
+  # See https://github.com/tektoncd/pipeline/issues/2080 for more info.
+  running-in-environment-with-injected-sidecars: "true"
+  # Setting this flag to "true" will require that any Git SSH Secret
+  # offered to Tekton must have known_hosts included.
+  #
+  # See https://github.com/tektoncd/pipeline/issues/2981 for more
+  # info.
+  require-git-ssh-secret-known-hosts: "false"
+  # Setting this flag to "true" enables the use of Tekton OCI bundle.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-tekton-oci-bundles: "false"
+  # Setting this flag to "true" enables the use of custom tasks from
+  # within pipelines.
+  # This is an experimental feature and thus should still be considered
+  # an alpha feature.
+  enable-custom-tasks: "false"
+  # Setting this flag will determine which gated features are enabled.
+  # Acceptable values are "stable", "beta", or "alpha".
+  enable-api-fields: "stable"
+  # Setting this flag to "true" enables CloudEvents for Runs, as long as a
+  # CloudEvents sink is configured in the config-defaults config map
+  send-cloudevents-for-runs: "false"
+  # Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify
+  # will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip"
+  # will skip the whole verification
+  resource-verification-mode: "skip"
+  # Setting this flag to "true" enables populating the "provenance" field in TaskRun
+  # and PipelineRun status. This field contains metadata about resources used
+  # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
+  # definition was fetched.
+  enable-provenance-in-status: "false"

charts/tekton-pipeline/templates/git-resolver-config-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: git-resolver-config
-  namespace: tekton-pipelines-resolvers
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -40,4 +39,4 @@ data:
   api-token-secret-namespace: "default"
   # The default organization to look for repositories under when using the authenticated API,
   # if not specified in the resolver parameters. Optional.
-  default-org: ""
+  default-org: ""

charts/tekton-pipeline/templates/hubresolver-config-cm.yaml

@@ -16,7 +16,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: hubresolver-config
-  namespace: tekton-pipelines-resolvers
   labels:
     app.kubernetes.io/component: resolvers
     app.kubernetes.io/instance: default
@@ -31,4 +30,4 @@ data:
   # the default layer kind in the hub image.
   default-kind: "task"
   # the default hub source to pull the resource from.
-  default-type: "artifact"
+  default-type: "artifact"