From 7103536576c971cce4543ab079b9fd52c377b534 Mon Sep 17 00:00:00 2001 
From: mentlak0 Date: Thu, 1 Jun 2023 17:05:40 +0100 Subject: [PATCH] feat: amend makefile to correctly insert ns --- Makefile | 6 +- charts/tekton-pipeline/Chart.yaml | 2 +- .../templates/bundleresolver-config-cm.yaml | 3 +- .../templates/cluster-resolver-config-cm.yaml | 3 +- .../clustertasks.tekton.dev-crd.yaml | 2 +- .../templates/config-artifact-bucket-cm.yaml | 3 +- .../templates/config-artifact-pvc-cm.yaml | 3 +- .../templates/config-defaults-cm.yaml | 21 +- .../templates/config-leader-election-cm.yaml | 3 +- .../templates/config-logging-cm.yaml | 3 +- .../templates/config-observability-cm.yaml | 3 +- .../templates/config-registry-cert-cm.yaml | 3 +- .../config-trusted-resources-cm.yaml | 3 +- ...ook.pipeline.tekton.dev-valwebhookcfg.yaml | 2 +- .../templates/customruns.tekton.dev-crd.yaml | 2 +- .../templates/feature-flags-cm.yaml | 21 +- .../templates/git-resolver-config-cm.yaml | 3 +- .../templates/hubresolver-config-cm.yaml | 3 +- .../pipelineresources.tekton.dev-crd.yaml | 2 +- .../pipelineruns.tekton.dev-crd.yaml | 2 +- .../templates/pipelines-info-cm.yaml | 3 +- .../templates/pipelines.tekton.dev-crd.yaml | 2 +- ...ionrequests.resolution.tekton.dev-crd.yaml | 2 +- .../templates/resolvers-feature-flags-cm.yaml | 3 +- .../templates/runs.tekton.dev-crd.yaml | 2 +- .../templates/taskruns.tekton.dev-crd.yaml | 2 +- .../templates/tasks.tekton.dev-crd.yaml | 2 +- .../tekton-aggregate-edit-clusterrole.yaml | 2 +- .../tekton-aggregate-view-clusterrole.yaml | 2 +- .../tekton-pipelines-controller-deploy.yaml | 270 +++++++++--------- ...ipelines-controller-leaderelection-rb.yaml | 1 - .../tekton-pipelines-controller-rb.yaml | 1 - .../tekton-pipelines-controller-role.yaml | 1 - .../tekton-pipelines-controller-sa.yaml | 1 - .../tekton-pipelines-controller-svc.yaml | 3 +- .../templates/tekton-pipelines-info-rb.yaml | 3 +- .../templates/tekton-pipelines-info-role.yaml | 3 +- ...tekton-pipelines-leader-election-role.yaml | 1 - .../templates/tekton-pipelines-ns.yaml | 3 
+- ...ton-pipelines-remote-resolvers-deploy.yaml | 3 +- .../tekton-pipelines-resolvers-crb.yaml | 5 +- ...pipelines-resolvers-namespace-rbac-rb.yaml | 5 +- ...pelines-resolvers-namespace-rbac-role.yaml | 3 +- .../tekton-pipelines-resolvers-ns.yaml | 23 -- ...esolution-request-updates-clusterrole.yaml | 2 +- .../tekton-pipelines-resolvers-sa.yaml | 3 +- ...es-webhook-cluster-access-clusterrole.yaml | 2 +- ...-pipelines-webhook-cluster-access-crb.yaml | 2 +- .../tekton-pipelines-webhook-deploy.yaml | 225 +++++++-------- ...lines-webhook-horizontalpodautoscaler.yaml | 3 +- ...n-pipelines-webhook-leaderelection-rb.yaml | 1 - .../tekton-pipelines-webhook-rb.yaml | 1 - .../tekton-pipelines-webhook-role.yaml | 1 - .../tekton-pipelines-webhook-sa.yaml | 3 +- .../tekton-pipelines-webhook-svc.yaml | 3 +- .../templates/webhook-certs-secret.yaml | 3 +- ...ook.pipeline.tekton.dev-mutwebhookcfg.yaml | 2 +- 57 files changed, 294 insertions(+), 396 deletions(-) delete mode 100644 charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml diff --git a/Makefile b/Makefile index 4744a1f..8c6a39e 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,9 @@ endif jx gitops rename -d ${CHART_DIR}/templates # Remove tekton-pipelines-resolvers-ns rm -r charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml + # Amend tekton-resolver-ns + yq -i '.subjects[].namespace = "tekton-pipelines"' charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml + yq -i '.subjects[].namespace = "tekton-pipelines"' charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml # Remove namespace from metadata to force with helm install yq -i eval 'del(.metadata.namespace)' charts/tekton-pipeline/templates/* # move content of data: from feature-slags-cm.yaml to featureFlags: in values.yaml 
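Review bot: The two added `yq` lines hard-code `"tekton-pipelines"` as the subject namespace of the resolvers RoleBinding and ClusterRoleBinding, while the very next step deletes `.metadata.namespace` so that Helm places the objects in the release namespace. If the chart is installed into any other namespace, these bindings would grant the resolver roles to a service account in `tekton-pipelines` instead of the one the release creates. The resolvers would then run without their permissions, and whichever account has that name in `tekton-pipelines` would hold them. Consider writing the release namespace instead, e.g. `yq -i '.subjects[].namespace = "{{ .Release.Namespace }}"' charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml`, provided the later kustomize and split steps keep the template string intact. The recipe starts and ends outside this hunk.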
@@ -28,9 +31,6 @@ endif yq -i '.controller.deployment.image = load("$(CHART_DIR)/templates/tekton-pipelines-controller-deploy.yaml").spec.template.spec.containers[].image' $(CHART_DIR)/values.yaml # Remove the image value, so that end users can customize the image yq -i '.spec.template.spec.containers[].image = null' charts/tekton-pipeline/templates/tekton-pipelines-controller-deploy.yaml - # Amend tekton-resolver-ns - yq -i '.subjects[].namespace = "tekton-pipelines"' charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml - yq -i '.subjects[].namespace = "tekton-pipelines"' charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml # kustomize the resources to include some helm template blocs kustomize build ${CHART_DIR} | sed '/helmTemplateRemoveMe/d' > ${CHART_DIR}/templates/resource.yaml jx gitops split -d ${CHART_DIR}/templates diff --git a/charts/tekton-pipeline/Chart.yaml b/charts/tekton-pipeline/Chart.yaml index c06167d..6ad977e 100644 --- a/charts/tekton-pipeline/Chart.yaml +++ b/charts/tekton-pipeline/Chart.yaml @@ -2,6 +2,6 @@ apiVersion: v1 description: A Helm chart for Tekton Pipelines name: tekton-pipeline version: 0.6.0 -appVersion: 0.36.1 +appVersion: 0.42.0 icon: https://avatars2.githubusercontent.com/u/47602533 home: https://github.com/cdfoundation/tekton-helm-chart diff --git a/charts/tekton-pipeline/templates/bundleresolver-config-cm.yaml b/charts/tekton-pipeline/templates/bundleresolver-config-cm.yaml index d48372d..16fe4cf 100644 --- a/charts/tekton-pipeline/templates/bundleresolver-config-cm.yaml +++ b/charts/tekton-pipeline/templates/bundleresolver-config-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: bundleresolver-config - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default 
@@ -25,4 +24,4 @@ data: # the default service account name to use for bundle requests. default-service-account: "default" # The default layer kind in the bundle image. - default-kind: "task" + default-kind: "task" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/cluster-resolver-config-cm.yaml b/charts/tekton-pipeline/templates/cluster-resolver-config-cm.yaml index 8f2e775..d08997e 100644 --- a/charts/tekton-pipeline/templates/cluster-resolver-config-cm.yaml +++ b/charts/tekton-pipeline/templates/cluster-resolver-config-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: cluster-resolver-config - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -29,4 +28,4 @@ data: # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. allowed-namespaces: "" # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. - blocked-namespaces: "" + blocked-namespaces: "" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/clustertasks.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/clustertasks.tekton.dev-crd.yaml index eb88003..cc29a0d 100644 --- a/charts/tekton-pipeline/templates/clustertasks.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/clustertasks.tekton.dev-crd.yaml @@ -58,4 +58,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-artifact-bucket-cm.yaml b/charts/tekton-pipeline/templates/config-artifact-bucket-cm.yaml index 58e9693..2b7384a 100644 --- a/charts/tekton-pipeline/templates/config-artifact-bucket-cm.yaml +++ b/charts/tekton-pipeline/templates/config-artifact-bucket-cm.yaml 
@@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-artifact-bucket - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -30,4 +29,4 @@ metadata: # bucket.service.account.secret.key: # # The field name that should be used for the service account # # Valid values: GOOGLE_APPLICATION_CREDENTIALS, BOTO_CONFIG. -# bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS +# bucket.service.account.field.name: GOOGLE_APPLICATION_CREDENTIALS \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-artifact-pvc-cm.yaml b/charts/tekton-pipeline/templates/config-artifact-pvc-cm.yaml index f3ca3b1..c615734 100644 --- a/charts/tekton-pipeline/templates/config-artifact-pvc-cm.yaml +++ b/charts/tekton-pipeline/templates/config-artifact-pvc-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-artifact-pvc - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -25,4 +24,4 @@ metadata: # size: 5Gi # # # storage class of the PVC volume -# storageClassName: storage-class-name +# storageClassName: storage-class-name \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-defaults-cm.yaml b/charts/tekton-pipeline/templates/config-defaults-cm.yaml index 125b2a2..761f839 100644 --- a/charts/tekton-pipeline/templates/config-defaults-cm.yaml +++ b/charts/tekton-pipeline/templates/config-defaults-cm.yaml 
@@ -1,23 +1,10 @@ -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: v1 +data: + {{- toYaml .Values.configDefaults | nindent 2 }} kind: ConfigMap metadata: - name: config-defaults - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines -data: null + name: config-defaults + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-leader-election-cm.yaml b/charts/tekton-pipeline/templates/config-leader-election-cm.yaml index 4075fff..add9edf 100644 --- a/charts/tekton-pipeline/templates/config-leader-election-cm.yaml +++ b/charts/tekton-pipeline/templates/config-leader-election-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-leader-election - namespace: tekton-pipelines labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -50,4 +49,4 @@ data: # is N, the N replicas will compete for the M buckets. The owner of a # bucket will take care of the reconciling for the keys partitioned into # that bucket. - buckets: "1" + buckets: "1" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-logging-cm.yaml b/charts/tekton-pipeline/templates/config-logging-cm.yaml index b3c0447..4fc3c59 100644 --- a/charts/tekton-pipeline/templates/config-logging-cm.yaml +++ b/charts/tekton-pipeline/templates/config-logging-cm.yaml 
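Review bot: `namespace: tekton-pipelines` is still present on the new side of config-defaults-cm.yaml, although the other ConfigMaps in this commit drop `metadata.namespace` so that Helm uses the release namespace. The same line survives in feature-flags-cm.yaml and in the metadata of tekton-pipelines-controller-deploy.yaml, presumably because these files are regenerated by the kustomize step after the `del(.metadata.namespace)` pass. The controller takes `SYSTEM_NAMESPACE` from its own pod namespace, so for a release installed elsewhere these objects would land in `tekton-pipelines`, apart from the chart's RBAC and the other ConfigMaps. Either drop the line in the generated output or render it as `namespace: {{ .Release.Namespace }}`.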
@@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-logging - namespace: tekton-pipelines labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -49,4 +48,4 @@ data: } # Log level overrides loglevel.controller: "info" - loglevel.webhook: "info" + loglevel.webhook: "info" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-observability-cm.yaml b/charts/tekton-pipeline/templates/config-observability-cm.yaml index 4470485..fc891bb 100644 --- a/charts/tekton-pipeline/templates/config-observability-cm.yaml +++ b/charts/tekton-pipeline/templates/config-observability-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-observability - namespace: tekton-pipelines labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -58,4 +57,4 @@ data: # metrics are not supported by "knative_revision" resource type. Setting this # flag to "true" could cause extra Stackdriver charge. # If metrics.backend-destination is not Stackdriver, this is ignored. - metrics.allow-stackdriver-custom-metrics: "false" + metrics.allow-stackdriver-custom-metrics: "false" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-registry-cert-cm.yaml b/charts/tekton-pipeline/templates/config-registry-cert-cm.yaml index 22162be..25217db 100644 --- a/charts/tekton-pipeline/templates/config-registry-cert-cm.yaml +++ b/charts/tekton-pipeline/templates/config-registry-cert-cm.yaml @@ -16,10 +16,9 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-registry-cert - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines # data: # # Registry's self-signed certificate -# cert: | +# cert: | \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config-trusted-resources-cm.yaml b/charts/tekton-pipeline/templates/config-trusted-resources-cm.yaml index 01f2f30..b9d7e13 100644 
--- a/charts/tekton-pipeline/templates/config-trusted-resources-cm.yaml +++ b/charts/tekton-pipeline/templates/config-trusted-resources-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: config-trusted-resources - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -38,4 +37,4 @@ data: # publickeys specifies the list of public keys, the paths are separated by comma # publickeys: "/etc/verification-secrets/cosign.pub, - # gcpkms://projects/tekton/locations/us/keyRings/trusted-resources/cryptoKeys/trusted-resources" + # gcpkms://projects/tekton/locations/us/keyRings/trusted-resources/cryptoKeys/trusted-resources" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml b/charts/tekton-pipeline/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml index b5654cc..b00dc53 100644 --- a/charts/tekton-pipeline/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml +++ b/charts/tekton-pipeline/templates/config.webhook.pipeline.tekton.dev-valwebhookcfg.yaml @@ -18,4 +18,4 @@ webhooks: name: config.webhook.pipeline.tekton.dev objectSelector: matchLabels: - app.kubernetes.io/part-of: tekton-pipelines + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/customruns.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/customruns.tekton.dev-crd.yaml index e9dfde3..b7b0f92 100644 --- a/charts/tekton-pipeline/templates/customruns.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/customruns.tekton.dev-crd.yaml @@ -63,4 +63,4 @@ spec: categories: - tekton - tekton-pipelines - scope: Namespaced + scope: Namespaced \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/feature-flags-cm.yaml b/charts/tekton-pipeline/templates/feature-flags-cm.yaml index 80b09a3..a39aa0a 100644 
--- a/charts/tekton-pipeline/templates/feature-flags-cm.yaml +++ b/charts/tekton-pipeline/templates/feature-flags-cm.yaml @@ -1,23 +1,10 @@ -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: v1 +data: + {{- toYaml .Values.featureFlags | nindent 2 }} kind: ConfigMap metadata: - name: feature-flags - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines -data: null + name: feature-flags + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/git-resolver-config-cm.yaml b/charts/tekton-pipeline/templates/git-resolver-config-cm.yaml index 565d283..5edddb6 100644 --- a/charts/tekton-pipeline/templates/git-resolver-config-cm.yaml +++ b/charts/tekton-pipeline/templates/git-resolver-config-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: git-resolver-config - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -40,4 +39,4 @@ data: api-token-secret-namespace: "default" # The default organization to look for repositories under when using the authenticated API, # if not specified in the resolver parameters. Optional. - default-org: "" + default-org: "" \ No newline at end of file 
diff --git a/charts/tekton-pipeline/templates/hubresolver-config-cm.yaml b/charts/tekton-pipeline/templates/hubresolver-config-cm.yaml index c0bd930..c0629c0 100644 --- a/charts/tekton-pipeline/templates/hubresolver-config-cm.yaml +++ b/charts/tekton-pipeline/templates/hubresolver-config-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: hubresolver-config - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -31,4 +30,4 @@ data: # the default layer kind in the hub image. default-kind: "task" # the default hub source to pull the resource from. - default-type: "artifact" + default-type: "artifact" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/pipelineresources.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/pipelineresources.tekton.dev-crd.yaml index 03a732c..daf14ec 100644 --- a/charts/tekton-pipeline/templates/pipelineresources.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/pipelineresources.tekton.dev-crd.yaml @@ -49,4 +49,4 @@ spec: categories: - tekton - tekton-pipelines - scope: Namespaced + scope: Namespaced \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/pipelineruns.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/pipelineruns.tekton.dev-crd.yaml index f9cf27f..4b7a4ca 100644 --- a/charts/tekton-pipeline/templates/pipelineruns.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/pipelineruns.tekton.dev-crd.yaml @@ -105,4 +105,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/pipelines-info-cm.yaml b/charts/tekton-pipeline/templates/pipelines-info-cm.yaml index 8198a8a..9225125 100644 --- a/charts/tekton-pipeline/templates/pipelines-info-cm.yaml +++ b/charts/tekton-pipeline/templates/pipelines-info-cm.yaml 
@@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: pipelines-info - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -26,4 +25,4 @@ data: # this ConfigMap such that even if we don't have access to # other resources in the namespace we still can have access to # this ConfigMap. - version: "v0.42.0" + version: "v0.42.0" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/pipelines.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/pipelines.tekton.dev-crd.yaml index 9689c16..01cd5b4 100644 --- a/charts/tekton-pipeline/templates/pipelines.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/pipelines.tekton.dev-crd.yaml @@ -74,4 +74,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/resolutionrequests.resolution.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/resolutionrequests.resolution.tekton.dev-crd.yaml index 8ef6695..39693e2 100644 --- a/charts/tekton-pipeline/templates/resolutionrequests.resolution.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/resolutionrequests.resolution.tekton.dev-crd.yaml @@ -98,4 +98,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/resolvers-feature-flags-cm.yaml b/charts/tekton-pipeline/templates/resolvers-feature-flags-cm.yaml index cc83a65..18f8725 100644 --- a/charts/tekton-pipeline/templates/resolvers-feature-flags-cm.yaml +++ b/charts/tekton-pipeline/templates/resolvers-feature-flags-cm.yaml @@ -16,7 +16,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: resolvers-feature-flags - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default 
@@ -29,4 +28,4 @@ data: # Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories. enable-git-resolver: "true" # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster. - enable-cluster-resolver: "true" + enable-cluster-resolver: "true" \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/runs.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/runs.tekton.dev-crd.yaml index 911ccc1..f94f198 100644 --- a/charts/tekton-pipeline/templates/runs.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/runs.tekton.dev-crd.yaml @@ -63,4 +63,4 @@ spec: categories: - tekton - tekton-pipelines - scope: Namespaced + scope: Namespaced \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/taskruns.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/taskruns.tekton.dev-crd.yaml index 05eaf55..19c7409 100644 --- a/charts/tekton-pipeline/templates/taskruns.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/taskruns.tekton.dev-crd.yaml @@ -105,4 +105,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tasks.tekton.dev-crd.yaml b/charts/tekton-pipeline/templates/tasks.tekton.dev-crd.yaml index 3de873c..666f444 100644 --- a/charts/tekton-pipeline/templates/tasks.tekton.dev-crd.yaml +++ b/charts/tekton-pipeline/templates/tasks.tekton.dev-crd.yaml @@ -77,4 +77,4 @@ spec: clientConfig: service: name: tekton-pipelines-webhook - namespace: tekton-pipelines + namespace: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-aggregate-edit-clusterrole.yaml b/charts/tekton-pipeline/templates/tekton-aggregate-edit-clusterrole.yaml index fb6cf03..797ef90 100644 --- a/charts/tekton-pipeline/templates/tekton-aggregate-edit-clusterrole.yaml 
+++ b/charts/tekton-pipeline/templates/tekton-aggregate-edit-clusterrole.yaml @@ -40,4 +40,4 @@ rules: - list - patch - update - - watch + - watch \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-aggregate-view-clusterrole.yaml b/charts/tekton-pipeline/templates/tekton-aggregate-view-clusterrole.yaml index 5effc13..c7ec568 100644 --- a/charts/tekton-pipeline/templates/tekton-aggregate-view-clusterrole.yaml +++ b/charts/tekton-pipeline/templates/tekton-aggregate-view-clusterrole.yaml @@ -34,4 +34,4 @@ rules: verbs: - get - list - - watch + - watch \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-deploy.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-deploy.yaml index ae84753..555c027 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-deploy.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-deploy.yaml 
@@ -1,162 +1,162 @@ -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: apps/v1 kind: Deployment metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines labels: - app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.42.0" + app.kubernetes.io/name: controller app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.42.0" - # labels below are related to istio and should not be used for resource lookup - version: "v0.42.0" + app.kubernetes.io/version: v0.42.0 + {{- with .Values.controller.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end}} + pipeline.tekton.dev/release: v0.42.0 + version: v0.42.0 + name: tekton-pipelines-controller + namespace: tekton-pipelines spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default + app.kubernetes.io/name: controller app.kubernetes.io/part-of: tekton-pipelines template: metadata: + annotations: + fake: value + {{- with .Values.controller.pod.annotations }} + {{- toYaml . 
| nindent 8 }} + {{- end}} labels: - app.kubernetes.io/name: controller + app: tekton-pipelines-controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.42.0" + app.kubernetes.io/name: controller app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.42.0" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-controller - version: "v0.42.0" + app.kubernetes.io/version: v0.42.0 + {{- with .Values.controller.pod.labels }} + {{- toYaml . | nindent 8 }} + {{- end}} + pipeline.tekton.dev/release: v0.42.0 + version: v0.42.0 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - serviceAccountName: tekton-pipelines-controller + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows containers: - - name: tekton-pipelines-controller - image: {{ .Values.controller.deployment.image }} - args: [ - # These images are built on-demand by `ko resolve` and are replaced - # by image references by digest. 
- "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.42.0@sha256:672df16c97c15d20102749c6e86195683d037bd6c8787560c9c07ade8b610071", "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.42.0@sha256:211b0822659b2030a9e12b1cdb47faab2187a63a24ed9d21044520f967674138", "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.42.0@sha256:77e43d0fc9f7e7bdfa31dc16082b08dace05ce81c91a06c00dfa2f547212ce72", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.42.0@sha256:bd1fcc45d40a8ef1621789856caa2f54d7a884f19af921105feafae0131648c5", "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.42.0@sha256:370d5a0e39577f784f1376fac0822230b9a44950c01fe2190692a0a5a810adc6", "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.42.0@sha256:e00d578d40d57a5124bee5107cb3358763874588a7fe2522ebc7bb979280d06e", "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.42.0@sha256:60a39c629448ac2845c4781513ef44c2f2fbcb6eb321d70a016002b5fa7b2379", - # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim - "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f", - # The shell image must allow root in order to create directories and copy files to PVCs. 
- # cgr.dev/chainguard/busybox as of April 14 2022 - # image shall not contains tag, so it will be supported on a runtime like cri-o - "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791", - # for script mode to work with windows we need a powershell image - # pinning to nanoserver tag as of July 15 2021 - "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"] - volumeMounts: - - name: config-logging - mountPath: /etc/config-logging - - name: config-registry-cert - mountPath: /etc/config-registry-cert - # Mount secret for trusted resources - - name: verification-secrets - mountPath: /etc/verification-secrets - readOnly: true - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the controller's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_DEFAULTS_NAME - value: config-defaults - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_ARTIFACT_BUCKET_NAME - value: config-artifact-bucket - - name: CONFIG_ARTIFACT_PVC_NAME - value: config-artifact-pvc - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: CONFIG_TRUSTED_RESOURCES_NAME - value: config-trusted-resources - - name: SSL_CERT_FILE - value: /etc/config-registry-cert/cert - - name: SSL_CERT_DIR - value: /etc/ssl/certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # User 65532 is the nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - volumes: - - name: config-logging - configMap: - name: config-logging - - name: config-registry-cert - configMap: - name: config-registry-cert - # Mount secret for trusted resources - - name: verification-secrets - secret: - secretName: verification-secrets + - args: + - -kubeconfig-writer-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.42.0@sha256:672df16c97c15d20102749c6e86195683d037bd6c8787560c9c07ade8b610071 + - -git-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.42.0@sha256:211b0822659b2030a9e12b1cdb47faab2187a63a24ed9d21044520f967674138 + - -entrypoint-image + - 
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.42.0@sha256:77e43d0fc9f7e7bdfa31dc16082b08dace05ce81c91a06c00dfa2f547212ce72 + - -nop-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.42.0@sha256:bd1fcc45d40a8ef1621789856caa2f54d7a884f19af921105feafae0131648c5 + - -imagedigest-exporter-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.42.0@sha256:370d5a0e39577f784f1376fac0822230b9a44950c01fe2190692a0a5a810adc6 + - -pr-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.42.0@sha256:e00d578d40d57a5124bee5107cb3358763874588a7fe2522ebc7bb979280d06e + - -workingdirinit-image + - gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.42.0@sha256:60a39c629448ac2845c4781513ef44c2f2fbcb6eb321d70a016002b5fa7b2379 + - -gsutil-image + - gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f + - -shell-image + - cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791 + - -shell-image-win + - mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6 + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_ARTIFACT_BUCKET_NAME + value: config-artifact-bucket + - name: CONFIG_ARTIFACT_PVC_NAME + value: config-artifact-pvc + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: CONFIG_TRUSTED_RESOURCES_NAME + value: config-trusted-resources + - name: SSL_CERT_FILE + value: /etc/config-registry-cert/cert + - name: SSL_CERT_DIR + value: /etc/ssl/certs + - name: METRICS_DOMAIN + value: 
tekton.dev/pipeline + envFrom: + - secretRef: + name: '{{ .Values.controller.envFromSecret }}' optional: true + image: null + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: tekton-pipelines-controller + ports: + - containerPort: 9090 + name: metrics + - containerPort: 8008 + name: profiling + - containerPort: 8080 + name: probes + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/config-logging + name: config-logging + - mountPath: /etc/config-registry-cert + name: config-registry-cert + - mountPath: /etc/verification-secrets + name: verification-secrets + readOnly: true + image: {{ .Values.controller.deployment.image }} + serviceAccountName: tekton-pipelines-controller + volumes: + - configMap: + name: config-logging + name: config-logging + - configMap: + name: config-registry-cert + name: config-registry-cert + - name: verification-secrets + secret: + optional: true + secretName: verification-secrets \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-leaderelection-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-leaderelection-rb.yaml index f498ea4..4da57a9 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-leaderelection-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-leaderelection-rb.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-controller-leaderelection - namespace: tekton-pipelines labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: default 
diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-rb.yaml index f05c278..2cabe8c 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-rb.yaml @@ -16,7 +16,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-controller - namespace: tekton-pipelines labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-role.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-role.yaml index 9ccb13f..d05f151 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-role.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-role.yaml @@ -16,7 +16,6 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tekton-pipelines-controller - namespace: tekton-pipelines labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-sa.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-sa.yaml index 5ad8fe8..a0b45c8 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-sa.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-sa.yaml @@ -15,7 +15,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: tekton-pipelines-controller - namespace: tekton-pipelines labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-controller-svc.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-controller-svc.yaml index 2fb0f7f..00468a8 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-controller-svc.yaml 
+++ b/charts/tekton-pipeline/templates/tekton-pipelines-controller-svc.yaml @@ -13,7 +13,6 @@ metadata: app: tekton-pipelines-controller version: "v0.42.0" name: tekton-pipelines-controller - namespace: tekton-pipelines spec: ports: - name: http-metrics @@ -29,4 +28,4 @@ spec: app.kubernetes.io/name: controller app.kubernetes.io/component: controller app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-info-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-info-rb.yaml index 31f8cba..f541f32 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-info-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-info-rb.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-info - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -15,4 +14,4 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: tekton-pipelines-info + name: tekton-pipelines-info \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-info-role.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-info-role.yaml index d5b2716..466d284 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-info-role.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-info-role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: tekton-pipelines-info - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines @@ -14,4 +13,4 @@ rules: - apiGroups: [""] resources: ["configmaps"] resourceNames: ["pipelines-info"] - verbs: ["get"] + verbs: ["get"] \ No newline at end of file 
diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-leader-election-role.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-leader-election-role.yaml index 8905f76..a00d9f1 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-leader-election-role.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-leader-election-role.yaml @@ -2,7 +2,6 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tekton-pipelines-leader-election - namespace: tekton-pipelines labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-ns.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-ns.yaml index 7a613df..e43b016 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-ns.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-ns.yaml @@ -11,6 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: v1 kind: Namespace metadata: @@ -18,4 +19,4 @@ metadata: labels: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines - pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce: restricted \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-remote-resolvers-deploy.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-remote-resolvers-deploy.yaml index 608a447..f582819 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-remote-resolvers-deploy.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-remote-resolvers-deploy.yaml @@ -15,7 +15,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: tekton-pipelines-remote-resolvers - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/name: resolvers app.kubernetes.io/component: resolvers 
@@ -103,4 +102,4 @@ spec: drop: - "ALL" seccompProfile: - type: RuntimeDefault + type: RuntimeDefault \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml index 3ceb972..a69d39d 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-crb.yaml @@ -16,7 +16,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -24,8 +23,8 @@ metadata: subjects: - kind: ServiceAccount name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers + namespace: tekton-pipelines roleRef: kind: ClusterRole name: tekton-pipelines-resolvers-resolution-request-updates - apiGroup: rbac.authorization.k8s.io + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml index 11ca0e8..69cf449 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-rb.yaml @@ -16,7 +16,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-resolvers-namespace-rbac - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default 
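Review bot: In tekton-pipelines-resolvers-crb.yaml the ServiceAccount subject is now pinned to `namespace: tekton-pipelines`, while this same commit removes `metadata.namespace` from tekton-pipelines-resolvers-sa.yaml, so the account is created in whatever namespace the release is installed into. Installed anywhere other than `tekton-pipelines`, the ClusterRoleBinding names an account that is not the chart's own, and the bound ClusterRole (its rules, visible further down, include `get`/`list`/`watch` on secrets) would go to any ServiceAccount of that name that exists in `tekton-pipelines`. I would render the subject from the release instead: `namespace: {{ .Release.Namespace }}`. The second hunk of tekton-pipelines-resolvers-namespace-rbac-rb.yaml hard-codes the same subject namespace and needs the same change.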
@@ -24,8 +23,8 @@ metadata: subjects: - kind: ServiceAccount name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers + namespace: tekton-pipelines roleRef: kind: Role name: tekton-pipelines-resolvers-namespace-rbac - apiGroup: rbac.authorization.k8s.io + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-role.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-role.yaml index a64a35e..ff046f5 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-role.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-namespace-rbac-role.yaml @@ -16,7 +16,6 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tekton-pipelines-resolvers-namespace-rbac - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default @@ -29,4 +28,4 @@ rules: # This is needed by leader election to run the controller in HA. - apiGroups: ["coordination.k8s.io"] resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml deleted file mode 100644 index 08f05ca..0000000 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-ns.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Namespace -metadata: - name: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pod-security.kubernetes.io/enforce: restricted diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-resolution-request-updates-clusterrole.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-resolution-request-updates-clusterrole.yaml index 3215d74..a3e45ae 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-resolution-request-updates-clusterrole.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-resolution-request-updates-clusterrole.yaml @@ -31,4 +31,4 @@ rules: # Read-only access to these. - apiGroups: [""] resources: ["secrets"] - verbs: ["get", "list", "watch"] + verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-sa.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-sa.yaml index 08815c6..68aa6f7 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-sa.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-resolvers-sa.yaml 
@@ -16,8 +16,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers labels: app.kubernetes.io/component: resolvers app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml index 5f40859..d103456 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-clusterrole.yaml @@ -59,4 +59,4 @@ rules: verbs: ["update"] # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, # which requires we can update the system namespace finalizers. - resourceNames: ["tekton-pipelines"] + resourceNames: ["tekton-pipelines"] \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-crb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-crb.yaml index 988ecf2..eed0959 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-crb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-cluster-access-crb.yaml @@ -13,4 +13,4 @@ subjects: roleRef: kind: ClusterRole name: tekton-pipelines-webhook-cluster-access - apiGroup: rbac.authorization.k8s.io + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-deploy.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-deploy.yaml index 22192d0..393ae8a 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-deploy.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-deploy.yaml 
@@ -1,150 +1,129 @@ -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: apps/v1 kind: Deployment metadata: - # Note: the Deployment name must be the same as the Service name specified in - # config/400-webhook-service.yaml. If you change this name, you must also - # change the value of WEBHOOK_SERVICE_NAME below. - name: tekton-pipelines-webhook - namespace: tekton-pipelines labels: - app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.42.0" + app.kubernetes.io/name: webhook app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.42.0" - # labels below are related to istio and should not be used for resource lookup - version: "v0.42.0" + app.kubernetes.io/version: v0.42.0 + {{- with .Values.webhook.deployment.labels }} + {{- toYaml . 
| nindent 4 }} + {{- end}} + pipeline.tekton.dev/release: v0.42.0 + version: v0.42.0 + name: tekton-pipelines-webhook + namespace: tekton-pipelines spec: selector: matchLabels: - app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default + app.kubernetes.io/name: webhook app.kubernetes.io/part-of: tekton-pipelines template: metadata: labels: - app.kubernetes.io/name: webhook + app: tekton-pipelines-webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.42.0" + app.kubernetes.io/name: webhook app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.42.0" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-webhook - version: "v0.42.0" + app.kubernetes.io/version: v0.42.0 + {{- with .Values.webhook.pod.labels }} + {{- toYaml . 
| nindent 8 }} + {{- end}} + pipeline.tekton.dev/release: v0.42.0 + version: v0.42.0 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: tekton-pipelines-webhook + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/name: webhook + app.kubernetes.io/part-of: tekton-pipelines + topologyKey: kubernetes.io/hostname + weight: 100 containers: - - name: webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.42.0@sha256:90989eeb6e0ba9c481b1faba3b01bcc70725baa58484c8f6ce9d22cc601e63dc - # Resource request required for autoscaler to take any action for a metric - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the webhook's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - # If you change WEBHOOK_PORT, you will also need to change the - # containerPort "https-webhook" to the same value. - - name: WEBHOOK_PORT - value: "8443" - - name: WEBHOOK_SERVICE_NAME - value: tekton-pipelines-webhook - - name: WEBHOOK_SECRET_NAME - value: webhook-certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # User 65532 is the distroless nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - # This must match the value of the environment variable WEBHOOK_PORT. - - name: https-webhook - containerPort: 8443 - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 \ No newline at end of file + - env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: WEBHOOK_PORT + value: "8443" + - name: WEBHOOK_SERVICE_NAME + value: tekton-pipelines-webhook + - name: WEBHOOK_SECRET_NAME + value: webhook-certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + envFrom: + - secretRef: + name: '{{ .Values.webhook.envFromSecret }}' + 
optional: true + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.42.0@sha256:90989eeb6e0ba9c481b1faba3b01bcc70725baa58484c8f6ce9d22cc601e63dc + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + name: webhook + ports: + - containerPort: 9090 + name: metrics + - containerPort: 8008 + name: profiling + - containerPort: 8443 + name: https-webhook + - containerPort: 8080 + name: probes + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + serviceAccountName: tekton-pipelines-webhook diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-horizontalpodautoscaler.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-horizontalpodautoscaler.yaml index 22e5420..4cb9929 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-horizontalpodautoscaler.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-horizontalpodautoscaler.yaml @@ -16,7 +16,6 @@ apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: tekton-pipelines-webhook - namespace: tekton-pipelines labels: app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook @@ -40,4 +39,4 @@ spec: name: cpu target: type: Utilization - averageUtilization: 100 + averageUtilization: 100 \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-leaderelection-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-leaderelection-rb.yaml index af102a4..4059c94 100644 
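Review bot: The rewritten webhook Deployment still carries `namespace: tekton-pipelines` under `metadata`, whereas the ServiceAccount, Role, RoleBindings, Service and `webhook-certs` Secret it depends on lose their namespace in this same commit and follow the release namespace. Installed into any other namespace, the pod would be created away from its `serviceAccountName: tekton-pipelines-webhook` and its certificate secret; dropping the line, or using `namespace: {{ .Release.Namespace }}`, keeps them together. Separately, `envFrom.secretRef.name` renders as an empty string when `.Values.webhook.envFromSecret` is unset, which the API server is likely to reject even with `optional: true`, so I would wrap the `envFrom` block in `{{- with .Values.webhook.envFromSecret }}` and `{{- end }}`. The removed comments tying `WEBHOOK_PORT` to the `https-webhook` containerPort and `WEBHOOK_SERVICE_NAME` to the Service name are worth keeping, since nothing else in the template enforces those matches.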
--- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-leaderelection-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-leaderelection-rb.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-webhook-leaderelection - namespace: tekton-pipelines labels: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-rb.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-rb.yaml index 41c2c4a..5d1e527 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-rb.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-rb.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tekton-pipelines-webhook - namespace: tekton-pipelines labels: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-role.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-role.yaml index 6c65117..261662b 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-role.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-role.yaml @@ -2,7 +2,6 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tekton-pipelines-webhook - namespace: tekton-pipelines labels: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-sa.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-sa.yaml index 0d45910..3cdf0e9 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-sa.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-sa.yaml 
@@ -2,8 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: tekton-pipelines-webhook - namespace: tekton-pipelines labels: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-svc.yaml b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-svc.yaml index 896be88..673fd3e 100644 --- a/charts/tekton-pipeline/templates/tekton-pipelines-webhook-svc.yaml +++ b/charts/tekton-pipeline/templates/tekton-pipelines-webhook-svc.yaml @@ -13,7 +13,6 @@ metadata: app: tekton-pipelines-webhook version: "v0.42.0" name: tekton-pipelines-webhook - namespace: tekton-pipelines spec: ports: # Define metrics and profiling for them to be accessible within service meshes. @@ -32,4 +31,4 @@ spec: app.kubernetes.io/name: webhook app.kubernetes.io/component: webhook app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines + app.kubernetes.io/part-of: tekton-pipelines \ No newline at end of file diff --git a/charts/tekton-pipeline/templates/webhook-certs-secret.yaml b/charts/tekton-pipeline/templates/webhook-certs-secret.yaml index a03ebfa..782a8dc 100644 --- a/charts/tekton-pipeline/templates/webhook-certs-secret.yaml +++ b/charts/tekton-pipeline/templates/webhook-certs-secret.yaml @@ -16,10 +16,9 @@ apiVersion: v1 kind: Secret metadata: name: webhook-certs - namespace: tekton-pipelines labels: app.kubernetes.io/component: webhook app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-pipelines pipeline.tekton.dev/release: "v0.42.0" -# The data is populated at install time. \ No newline at end of file + # The data is populated at install time. \ No newline at end of file 
diff --git a/charts/tekton-pipeline/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml b/charts/tekton-pipeline/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml index e4faad1..7ddff56 100644 --- a/charts/tekton-pipeline/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml +++ b/charts/tekton-pipeline/templates/webhook.pipeline.tekton.dev-mutwebhookcfg.yaml @@ -15,4 +15,4 @@ webhooks: namespace: tekton-pipelines failurePolicy: Fail sideEffects: None - name: webhook.pipeline.tekton.dev \ No newline at end of file + name: webhook.pipeline.tekton.dev