Added tekton pipelines

This commit is contained in:
Marcus Noble 2020-04-25 19:18:33 +01:00
parent 24f184e4c5
commit 5a1e9fa22c
25 changed files with 3597 additions and 0 deletions



@ -0,0 +1,705 @@
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: tekton-triggers
spec:
privileged: false
allowPrivilegeEscalation: false
volumes:
- 'emptyDir'
- 'configMap'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tekton-triggers-admin
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets", "services"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["triggers.tekton.dev"]
resources: ["clustertriggerbindings", "eventlisteners", "triggerbindings", "triggertemplates",
"eventlisteners/finalizers"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["triggers.tekton.dev"]
resources: ["clustertriggerbindings/status", "eventlisteners/status", "triggerbindings/status",
"triggertemplates/status"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames: ["tekton-triggers"]
verbs: ["use"]
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-triggers-controller
namespace: tekton-pipelines
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tekton-triggers-controller-admin
subjects:
- kind: ServiceAccount
name: tekton-triggers-controller
namespace: tekton-pipelines
roleRef:
kind: ClusterRole
name: tekton-triggers-admin
apiGroup: rbac.authorization.k8s.io
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clustertriggerbindings.triggers.tekton.dev
spec:
group: triggers.tekton.dev
scope: Cluster
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: ClusterTriggerBinding
plural: clustertriggerbindings
singular: clustertriggerbinding
shortNames:
- ctb
categories:
- tekton
- tekton-triggers
subresources:
status: {}
version: v1alpha1
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: eventlisteners.triggers.tekton.dev
spec:
group: triggers.tekton.dev
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: EventListener
plural: eventlisteners
singular: eventlistener
shortNames:
- el
categories:
- tekton
- tekton-triggers
# Opt into the status subresource so metadata.generation
# starts to increment
subresources:
status: {}
version: v1alpha1
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: triggerbindings.triggers.tekton.dev
spec:
group: triggers.tekton.dev
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: TriggerBinding
plural: triggerbindings
singular: triggerbinding
shortNames:
- tb
categories:
- tekton
- tekton-triggers
# Opt into the status subresource so metadata.generation
# starts to increment
subresources:
status: {}
version: v1alpha1
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: triggertemplates.triggers.tekton.dev
spec:
group: triggers.tekton.dev
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
names:
kind: TriggerTemplate
plural: triggertemplates
singular: triggertemplate
shortNames:
- tt
categories:
- tekton
- tekton-triggers
# Opt into the status subresource so metadata.generation
# starts to increment
subresources:
status: {}
version: v1alpha1
---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Secret
metadata:
name: triggers-webhook-certs
namespace: tekton-pipelines
labels:
triggers.tekton.dev/release: devel
# The data is populated at install time.
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validation.webhook.triggers.tekton.dev
labels:
triggers.tekton.dev/release: devel
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: validation.webhook.triggers.tekton.dev
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: webhook.triggers.tekton.dev
labels:
triggers.tekton.dev/release: devel
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: webhook.triggers.tekton.dev
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: config.webhook.triggers.tekton.dev
labels:
triggers.tekton.dev/release: devel
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
service:
name: tekton-triggers-webhook
namespace: tekton-pipelines
failurePolicy: Fail
sideEffects: None
name: config.webhook.triggers.tekton.dev
namespaceSelector:
matchExpressions:
- key: triggers.tekton.dev/release
operator: Exists
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-triggers-aggregate-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- tekton.dev
resources:
- clustertriggerbindings
- eventlisteners
- triggerbindings
- triggertemplates
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-triggers-aggregate-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- tekton.dev
resources:
- clustertriggerbindings
- eventlisteners
- triggerbindings
- triggertemplates
verbs:
- get
- list
- watch
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-logging-triggers
namespace: tekton-pipelines
data:
# Common configuration for all knative codebase
zap-logger-config: |
{
"level": "info",
"development": false,
"sampling": {
"initial": 100,
"thereafter": 100
},
"outputPaths": ["stdout"],
"errorOutputPaths": ["stderr"],
"encoding": "json",
"encoderConfig": {
"timeKey": "",
"levelKey": "level",
"nameKey": "logger",
"callerKey": "caller",
"messageKey": "msg",
"stacktraceKey": "stacktrace",
"lineEnding": "",
"levelEncoder": "",
"timeEncoder": "",
"durationEncoder": "",
"callerEncoder": ""
}
}
# Log level overrides
loglevel.controller: "info"
loglevel.webhook: "info"
loglevel.eventlistener: "info"
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-observability-triggers
namespace: tekton-pipelines
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# metrics.backend-destination field specifies the system metrics destination.
# It supports either prometheus (the default) or stackdriver.
# Note: Using stackdriver will incur additional charges
metrics.backend-destination: prometheus
# metrics.stackdriver-project-id field specifies the stackdriver project ID. This
# field is optional. When running on GCE, application default credentials will be
# used if this field is not provided.
metrics.stackdriver-project-id: "<your stackdriver project id>"
# metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
# Stackdriver using "global" resource type and custom metric type if the
# metrics are not supported by "knative_revision" resource type. Setting this
# flag to "true" could cause extra Stackdriver charge.
# If metrics.backend-destination is not Stackdriver, this is ignored.
metrics.allow-stackdriver-custom-metrics: "false"
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Service
metadata:
labels:
app: tekton-triggers-controller
version: "v0.4.0"
triggers.tekton.dev/release: "v0.4.0"
name: tekton-triggers-controller
namespace: tekton-pipelines
spec:
ports:
- name: http-metrics
port: 9090
protocol: TCP
targetPort: 9090
selector:
app: tekton-triggers-controller
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-triggers-controller
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: tekton-triggers
app.kubernetes.io/component: controller
# tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
triggers.tekton.dev/release: "v0.4.0"
spec:
replicas: 1
selector:
matchLabels:
app: tekton-triggers-controller
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: tekton-triggers-controller
triggers.tekton.dev/release: "v0.4.0"
# version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
version: "v0.4.0"
spec:
serviceAccountName: tekton-triggers-controller
containers:
- name: tekton-triggers-controller
image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:bf3517ddccace756e39cee0f0012bbe879c6b28d962a1c904a415e7c60ce5bc2
args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:76c208ec1d73d9733dcaf850240e1b3990e5977709a03c2bd98ad5b20fab9867",
"-el-port", "8080", "-period-seconds", "10", "-failure-threshold", "1"]
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging-triggers
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability-triggers
- name: METRICS_DOMAIN
value: tekton.dev/triggers
---
apiVersion: v1
kind: Service
metadata:
labels:
app: tekton-triggers-webhook
version: "v0.4.0"
triggers.tekton.dev/release: "v0.4.0"
name: tekton-triggers-webhook
namespace: tekton-pipelines
spec:
ports:
- name: https-webhook
port: 443
targetPort: 8443
selector:
app: tekton-triggers-webhook
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-triggers-webhook
namespace: tekton-pipelines
labels:
app.kubernetes.io/name: tekton-triggers
app.kubernetes.io/component: webhook-controller
# tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
triggers.tekton.dev/release: "v0.4.0"
spec:
replicas: 1
selector:
matchLabels:
app: tekton-triggers-webhook
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: tekton-triggers-webhook
triggers.tekton.dev/release: "v0.4.0"
# version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
version: "v0.4.0"
role: webhook
app.kubernetes.io/name: tekton-triggers
app.kubernetes.io/component: webhook-controller
spec:
serviceAccountName: tekton-triggers-controller
containers:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:d7f1526a9294e671c500f0071b61e050262fb27fb633b54d764a556969855764
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging-triggers
- name: WEBHOOK_SERVICE_NAME
value: tekton-triggers-webhook
- name: METRICS_DOMAIN
value: tekton.dev/triggers
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: https-webhook
containerPort: 8443
---
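Review bot: The aggregated ClusterRoles `tekton-triggers-aggregate-edit` and `tekton-triggers-aggregate-view` list apiGroup `tekton.dev`, but every triggers CRD in this section declares `spec.group: triggers.tekton.dev`, so those rules grant nothing for the listed resources and users relying on the built-in `edit`/`admin`/`view` roles will get Forbidden on eventlisteners, triggerbindings and triggertemplates. The fix is `- triggers.tekton.dev` in place of `- tekton.dev` in both rules. This file appears to be vendored upstream release content (the headers and the `publish.yaml` substitution comments suggest so), so the correction is better carried as an overlay patch or an upstream fix than a hand edit, otherwise the next version bump silently reverts it. Separately, the webhook Deployment runs under the same `tekton-triggers-controller` ServiceAccount that `tekton-triggers-admin` binds with cluster-wide get/list/create/update/delete/patch on secrets and configmaps; if the webhook only needs to read its own `triggers-webhook-certs` Secret, a dedicated ServiceAccount with a namespaced, narrower Role would reduce what a compromised webhook pod can reach.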


@ -0,0 +1,656 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: tekton-webhooks-extension
name: tekton-webhooks-extension
namespace: tekton-pipelines
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: tekton-webhooks-extension
name: tekton-webhooks-extension-eventlistener
namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-webhooks-extension-minimal
namespace: tekton-pipelines
rules:
- apiGroups:
- extensions
resources:
- ingresses
- ingresses/status
verbs:
- delete
- create
- patch
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- ""
resources:
- pods/log
- namespaces
- events
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- create
- delete
- update
- watch
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- tasks
- clustertasks
- taskruns
- pipelines
- pipelineruns
- pipelineresources
- conditions
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- triggers.tekton.dev
resources:
- eventlisteners
- triggerbindings
- triggertemplates
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns/finalizers
- pipelineruns/finalizers
- tasks/status
- clustertasks/status
- taskruns/status
- pipelines/status
- pipelineruns/status
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-triggers-minimal
rules:
- apiGroups:
- tekton.dev
resources:
- tasks
- taskruns
verbs:
- get
- apiGroups:
- triggers.tekton.dev
resources:
- triggerbindings
- triggertemplates
- eventlisteners
verbs:
- get
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- pipelineresources
- taskruns
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- list
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-webhooks-extension-minimal-cluster-powers
rules:
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- pipelines
- pipelineruns
verbs:
- get
- list
- watch
- apiGroups:
- triggers.tekton.dev
resources:
- pipelines
- pipelineruns
- tasks
- taskruns
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-webhooks-extension-minimal
namespace: tekton-pipelines
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tekton-webhooks-extension-minimal
subjects:
- kind: ServiceAccount
name: tekton-webhooks-extension
namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-webhooks-extension-eventlistener-minimal
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-triggers-minimal
subjects:
- kind: ServiceAccount
name: tekton-webhooks-extension-eventlistener
namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-webhooks-extension-minimal-cluster-powers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-webhooks-extension-minimal-cluster-powers
subjects:
- kind: ServiceAccount
name: tekton-webhooks-extension
namespace: tekton-pipelines
---
apiVersion: v1
kind: Service
metadata:
name: tekton-webhooks-extension-validator
namespace: tekton-pipelines
spec:
ports:
- port: 80
protocol: TCP
targetPort: 8080
selector:
app: tekton-webhooks-extension-validator
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
annotations:
tekton-dashboard-bundle-location: web/extension.c591f714.js
tekton-dashboard-display-name: Webhooks
tekton-dashboard-endpoints: webhooks.web
labels:
app: webhooks-extension
tekton-dashboard-extension: "true"
name: webhooks-extension
namespace: tekton-pipelines
spec:
ports:
- port: 8080
targetPort: 8080
selector:
app: webhooks-extension
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-webhooks-extension-validator
namespace: tekton-pipelines
spec:
replicas: 1
selector:
matchLabels:
app: tekton-webhooks-extension-validator
template:
metadata:
labels:
app: tekton-webhooks-extension-validator
spec:
containers:
- env:
- name: INSTALLED_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/interceptor@sha256:657d40a9116ef0b6f886f94fa7980755e3267dd34017f2fd9b713b63ddfc0d55
name: validate
serviceAccountName: tekton-webhooks-extension
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: webhooks-extension
name: webhooks-extension
namespace: tekton-pipelines
spec:
replicas: 1
selector:
matchLabels:
app: webhooks-extension
template:
metadata:
labels:
app: webhooks-extension
spec:
containers:
- env:
- name: PORT
value: "8080"
- name: INSTALLED_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: DOCKER_REGISTRY_LOCATION
value: DOCKER_REPO
- name: WEB_RESOURCES_DIR
value: web
- name: WEBHOOK_CALLBACK_URL
value: http://listener.IPADDRESS.nip.io
- name: SSL_VERIFICATION_ENABLED
value: "false"
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/extension@sha256:e7bcffbd2db6b874dbb4b4e71fc0c089acf7ccb803df896d9592063b649ac292
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /liveness
port: 8080
name: webhooks-extension
ports:
- containerPort: 8080
readinessProbe:
httpGet:
path: /readiness
port: 8080
serviceAccountName: tekton-webhooks-extension
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: monitor-task
namespace: tekton-pipelines
spec:
params:
- description: The statuses url
name: statusesurl
type: string
- default: Success
description: The text to use in the situation where a PipelineRun has succeeded.
name: commentsuccess
type: string
- default: Failed
description: The text to use in the situation where a PipelineRun has failed.
name: commentfailure
type: string
- default: Unknown
description: The text to use in the situation where a PipelineRun has timed out.
name: commenttimeout
type: string
- default: Missing
description: The text to use in the situation where a PipelineRun cannot be found.
name: commentmissing
type: string
- default: http://localhost:9097/
description: The URL to the PipelineRuns page of the dashboard
name: dashboard-url
type: string
- default: github
description: The Git provider ("github" or "gitlab")
name: provider
type: string
- description: The Git API URL for the repository
name: apiurl
type: string
- default: "false"
description: Whether or not to verify SSL Certificates from the git server ("true"
or "false")
name: insecure-skip-tls-verify
type: string
- description: The secret containing the access token to access the git server
name: secret
type: string
resources:
inputs:
- name: pull-request
type: pullRequest
outputs:
- name: pull-request
type: pullRequest
steps:
- args:
- -ce
- "set -e\ncat <<EOF | python\nimport time, os, json, requests, pprint, shutil,
distutils.util\nfrom kubernetes import client, config\ndef diff(li1, li2): \n
\ li_dif = [i for i in li1 + li2 if i not in li1 or i not in li2] \n return
li_dif\nconfig.load_incluster_config()\napi_instance = client.CustomObjectsApi(client.ApiClient(client.Configuration()))\ngitPRcontext
= \"Tekton\"\ngitPRurl = \"\" \nif not \"$URL\".startswith(\"http\"):\n pipelineRunURLPrefix
= \"http://\" + \"$URL\"\nelse:\n pipelineRunURLPrefix = \"$URL\" \nverifySSL
= not bool(distutils.util.strtobool(\"$SKIPSSLVERIFY\"))\nif \"$GITPROVIDER\"
== \"github\":\n statusurl = \"$STATUSES_URL\"\n pendingData = {\n \"state\":
\"pending\",\n \"description\": \"pipelines in progress\",\n \"target_url\":
pipelineRunURLPrefix + \"/#/pipelineruns\",\n \"context\": \"Tekton\"\n }\n
\ resp = requests.post(statusurl, json.dumps(pendingData), headers = {'Content-Type':
'application/json', 'Authorization': \"Token $GITTOKEN\"}, verify=verifySSL)\n
\ print(resp)\nif \"$GITPROVIDER\" == \"gitlab\":\n statusurl = \"$GITAPIURL\"
+ \"/\" + \"$STATUSES_URL\" + \"?state=pending&name=Tekton&target_url=\" + pipelineRunURLPrefix
+ \"/#/pipelineruns\"\n resp = requests.post(statusurl, headers = {'Authorization':
\"Bearer $GITTOKEN\"}, verify=verifySSL)\n print(resp)\nlabelToCheck = \"triggers.tekton.dev/triggers-eventid=$EVENTID\"\nrunsPassed
= []\nrunsFailed = []\nrunsIncomplete = []\nrunsMissing = []\nfailed = 0\ni
= range(180)\ninitial_runs = api_instance.list_cluster_custom_object(\"tekton.dev\",
\"v1beta1\", \"pipelineruns\", label_selector=labelToCheck)[\"items\"]\nfor
x in i:\n time.sleep( 10 )\n runsPassed = []\n runsFailed = []\n runsIncomplete
= []\n # To test this we need a webhook that will kick off two Pipelines\n
\ # We will then delete one PipelineRun and observe it is correctly picked
up as missing\n # This is easiest done by reopening an existing PullRequest\n
\ # It's important to delete the PipelineRun only after the monitor task is
already running because \n # the first thing it's going to do is figure out
the PipelineRuns to watch over\n failed = 0\n \n found_runs = api_instance.list_cluster_custom_object(\"tekton.dev\",
\"v1beta1\", \"pipelineruns\", label_selector=labelToCheck)[\"items\"]\n missingRuns
= diff(initial_runs, found_runs)\n if len(missingRuns) > 0:\n for missingRun
in missingRuns:\n pr = missingRun[\"metadata\"][\"name\"]\n namespace
= missingRun[\"metadata\"][\"namespace\"]\n pipeline = missingRun[\"spec\"][\"pipelineRef\"][\"name\"]\n
\ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"\n
\ data = \"[**$COMMENT_MISSING**](\" + link + \") | \" + pipeline + \"
| \" + pr + \" | \" + namespace\n if data not in runsMissing:\n #
Don't add duplicates. Fear not, once this run is found it'll be removed\n runsMissing.append(data)\n
\ if len(found_runs) > 0:\n for entry in found_runs:\n pr = entry[\"metadata\"][\"name\"]\n
\ namespace = entry[\"metadata\"][\"namespace\"]\n pipeline = entry[\"spec\"][\"pipelineRef\"][\"name\"]\n
\ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"
+ pr\n missingLink = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace
+ \"/pipelineruns/\"\n missingDataEntry = \"[**$COMMENT_MISSING**](\"
+ missingLink + \") | \" + pipeline + \" | \" + pr + \" | \" + namespace\n if
missingDataEntry in runsMissing:\n runsMissing.remove(missingDataEntry)\n
\ print(\"Checking PipelineRun \" + pr + \" in namespace \" + namespace)\n
\ if entry[\"status\"][\"conditions\"][0][\"status\"] == u'True' and entry[\"status\"][\"conditions\"][0][\"type\"]
== u'Succeeded':\n print(\"Success - pipelinerun \" + pr + \" in namespace
\" + namespace)\n runsPassed.append(\"[**$COMMENT_SUCCESS**](\" + link
+ \") | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n continue\n
\ if entry[\"status\"][\"conditions\"][0][\"status\"] == u'False' and
entry[\"status\"][\"conditions\"][0][\"type\"] == u'Succeeded':\n failed
=+ 1\n print(\"Failed - PipelineRun \" + pr + \" in namespace \" +
namespace)\n runsFailed.append(\"[**$COMMENT_FAILURE**](\" + link +
\") | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n continue\n
\ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"
+ pr\n runsIncomplete.append(\"[**$COMMENT_TIMEOUT**](\" + link + \")
| \" + pipeline + \" | \" + pr + \" | \" + namespace)\n if len(runsIncomplete)
== 0:\n break\n else:\n break\ngitPRdescription = \"All pipelines
succeeded!\"\ngitPRcode = \"success\"\nif failed > 0:\n gitPRdescription =
str(failed) + \" pipeline(s) failed!\"\n gitPRcode = \"failure\"\nif len(runsMissing)
> 0:\n gitPRdescription = \"Pipeline(s) missing!\"\n gitPRcode = \"failure\"\nif
len(runsIncomplete) > 0:\n print(\"Some PipelineRuns had not completed when
the monitor reached its timeout\")\n gitPRdescription = \"timed out monitoring
PipelineRuns\"\n gitPRcode = \"error\"\n\nresults = runsPassed + runsFailed
+ runsIncomplete + runsMissing\n\nif (results == []):\n gitPRdescription =
\"No PipelineRuns were ever found for my PullRequest!\"\n gitPRcode = \"error\"\n
\ data = \"**$COMMENT_MISSING** | N/A | No PipelineRuns were ever detected,
failing the build | N/A\"\n runsMissing.append(data) \n \n results
= runsMissing\n\ncomment = (\"## Tekton Status Report \\n\\n\"\n \"Status
| Pipeline | PipelineRun | Namespace\\n\"\n \":----- | :------- |
:--------------- | :--------\\n\"\n ) + \"\\n\".join(results)\n\nshutil.copyfile(\"/workspace/pull-request/pr.json\",\"/workspace/output/pull-request/pr.json\")\n#
Preserve existing comments\nshutil.copytree(\"/workspace/pull-request/comments\",\"/workspace/output/pull-request/comments\")\nhandle
= open(\"/workspace/output/pull-request/comments/newcomment.json\", 'w')\nhandle.write(comment)\nhandle.close()\nif
not \"$URL\".startswith(\"http\"):\n detailsURL = \"http://\" + \"$URL\" +
\"/#/pipelineruns\"\nelse:\n detailsURL = \"$URL\" + \"/#/pipelineruns\"\nprint(\"Set
details url to \" + detailsURL)\nstatus = json.dumps(dict(Label=gitPRcontext,state=gitPRcode,Desc=gitPRdescription,Target=detailsURL))\nprint(\"Setting
status to \" + status)\nif not os.path.exists(\"/workspace/output/pull-request/status\"):\n
\ os.makedirs(\"/workspace/output/pull-request/status\")\nhandle = open(\"/workspace/output/pull-request/status/Tekton.json\",
'w')\nhandle.write(status)\nhandle.close()\nif not os.path.exists(\"/workspace/output/pull-request/labels\"):\n
\ shutil.copytree(\"/workspace/pull-request/labels\",\"/workspace/output/pull-request/labels\")\nshutil.copyfile(\"/workspace/pull-request/base.json\",\"/workspace/output/pull-request/base.json\")
\nshutil.copyfile(\"/workspace/pull-request/head.json\",\"/workspace/output/pull-request/head.json\")\nEOF\n"
command:
- /bin/bash
env:
- name: EVENTID
valueFrom:
fieldRef:
fieldPath: metadata.labels['triggers.tekton.dev/triggers-eventid']
- name: COMMENT_SUCCESS
value: $(inputs.params.commentsuccess)
- name: COMMENT_FAILURE
value: $(inputs.params.commentfailure)
- name: COMMENT_TIMEOUT
value: $(inputs.params.commenttimeout)
- name: COMMENT_MISSING
value: $(inputs.params.commentmissing)
- name: URL
value: $(inputs.params.dashboard-url)
- name: STATUSES_URL
value: $(inputs.params.statusesurl)
- name: GITPROVIDER
value: $(inputs.params.provider)
- name: GITAPIURL
value: $(inputs.params.apiurl)
- name: SKIPSSLVERIFY
value: $(inputs.params.insecure-skip-tls-verify)
- name: GITTOKEN
valueFrom:
secretKeyRef:
key: accessToken
name: $(inputs.params.secret)
image: maiwj/kubernetes-python-client@sha256:74a868a0dff5c8ada64472db3efd09d205d4f877d14d2d3226511adbb25cfea3
name: check
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
name: monitor-task-github-binding
namespace: tekton-pipelines
spec:
params:
- name: pullrequesturl
value: $(body.pull_request.html_url)
- name: statusesurl
value: $(body.pull_request.statuses_url)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
name: monitor-task-gitlab-binding
namespace: tekton-pipelines
spec:
params:
- name: pullrequesturl
value: $(body.object_attributes.url)
- name: statusesurl
value: projects/$(body.project.id)/statuses/$(body.object_attributes.last_commit.id)
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: monitor-task-template
namespace: tekton-pipelines
spec:
params:
- description: The pull request url
name: pullrequesturl
type: string
- description: The statuses url
name: statusesurl
type: string
- default: github-secrets
description: The git secret name
name: gitsecretname
type: string
- default: token
description: The git secret key name
name: gitsecretkeyname
type: string
- default: Success
description: The text of the success comment
name: commentsuccess
type: string
- default: Failed
description: The text of the failure comment
name: commentfailure
type: string
- default: Unknown
description: The text of the timeout comment
name: commenttimeout
type: string
- default: Missing
description: The text of the missing comment
name: commentmissing
type: string
- default: http://localhost:9097/
description: The URL to the pipelineruns page of the dashboard
name: dashboardurl
type: string
- default: github
description: The git provider, "github" or "gitlab"
name: provider
type: string
- default: ""
description: The git api URL for the repository
name: apiurl
type: string
- default: "false"
description: Whether or not to skip SSL validation of certificates ("true" or
"false")
name: insecure-skip-tls-verify
type: string
resourcetemplates:
- apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: pull-request-$(uid)
namespace: tekton-pipelines
spec:
params:
- name: url
value: $(params.pullrequesturl)
- name: insecure-skip-tls-verify
value: $(params.insecure-skip-tls-verify)
secrets:
- fieldName: authToken
secretKey: $(params.gitsecretkeyname)
secretName: $(params.gitsecretname)
type: pullRequest
- apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
generateName: monitor-taskrun-
namespace: tekton-pipelines
spec:
params:
- name: commentsuccess
value: $(params.commentsuccess)
- name: commentfailure
value: $(params.commentfailure)
- name: commenttimeout
value: $(params.commenttimeout)
- name: dashboard-url
value: $(params.dashboardurl)
- name: secret
value: $(params.gitsecretname)
- name: statusesurl
value: $(params.statusesurl)
- name: provider
value: $(params.provider)
- name: apiurl
value: $(params.apiurl)
- name: insecure-skip-tls-verify
value: $(params.insecure-skip-tls-verify)
resources:
inputs:
- name: pull-request
resourceRef:
name: pull-request-$(uid)
outputs:
- name: pull-request
resourceRef:
name: pull-request-$(uid)
serviceAccountName: tekton-webhooks-extension
taskRef:
name: monitor-task
---


@ -0,0 +1,409 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: extensions.dashboard.tekton.dev
spec:
group: dashboard.tekton.dev
names:
categories:
- tekton
- tekton-dashboard
kind: Extension
plural: extensions
scope: Namespaced
subresources:
status: {}
version: v1alpha1
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: tekton-dashboard
name: tekton-dashboard
namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-dashboard-minimal
namespace: tekton-pipelines
rules:
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- update
- patch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- create
- update
- delete
- patch
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- update
- delete
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- create
- update
- delete
- patch
- apiGroups:
- tekton.dev
resources:
- tasks
- clustertasks
- taskruns
- pipelines
- pipelineruns
- pipelineresources
- conditions
verbs:
- create
- update
- delete
- patch
- apiGroups:
- tekton.dev
resources:
- taskruns/finalizers
- pipelineruns/finalizers
verbs:
- create
- update
- delete
- patch
- apiGroups:
- tekton.dev
resources:
- tasks/status
- clustertasks/status
- taskruns/status
- pipelines/status
- pipelineruns/status
verbs:
- create
- update
- delete
- patch
- apiGroups:
- dashboard.tekton.dev
resources:
- extensions
verbs:
- create
- update
- delete
- patch
- apiGroups:
- triggers.tekton.dev
resources:
- clustertriggerbindings
- eventlisteners
- triggerbindings
- triggertemplates
verbs:
- create
- update
- delete
- patch
- add
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- use
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- get
- list
- apiGroups:
- extensions
- apps
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/log
- namespaces
- events
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- tasks
- clustertasks
- taskruns
- pipelines
- pipelineruns
- pipelineresources
- conditions
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns/finalizers
- pipelineruns/finalizers
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- tasks/status
- clustertasks/status
- taskruns/status
- pipelines/status
- pipelineruns/status
verbs:
- get
- list
- watch
- apiGroups:
- dashboard.tekton.dev
resources:
- extensions
verbs:
- get
- list
- watch
- apiGroups:
- triggers.tekton.dev
resources:
- clustertriggerbindings
- eventlisteners
- triggerbindings
- triggertemplates
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-dashboard-minimal
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-dashboard-minimal
subjects:
- kind: ServiceAccount
name: tekton-dashboard
namespace: tekton-pipelines
---
apiVersion: v1
kind: Service
metadata:
labels:
app: tekton-dashboard
dashboard.tekton.dev/release: v0.6.1
version: v0.6.1
name: tekton-dashboard
namespace: tekton-pipelines
spec:
ports:
- name: http
port: 9097
protocol: TCP
targetPort: 9097
selector:
app: tekton-dashboard
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: tekton-dashboard
dashboard.tekton.dev/release: v0.6.1
version: v0.6.1
name: tekton-dashboard
namespace: tekton-pipelines
spec:
replicas: 1
selector:
matchLabels:
app: tekton-dashboard
template:
metadata:
labels:
app: tekton-dashboard
name: tekton-dashboard
spec:
containers:
- env:
- name: PORT
value: "9097"
- name: READ_ONLY
value: "false"
- name: WEB_RESOURCES_DIR
value: /var/run/ko/web
- name: PIPELINE_RUN_SERVICE_ACCOUNT
value: ""
- name: INSTALLED_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:de969ff4ced12c94701bd039137edf5fc66bbc5ccd19f09324c1d7fcfc47e5f1
livenessProbe:
httpGet:
path: /health
port: 9097
name: tekton-dashboard
ports:
- containerPort: 9097
readinessProbe:
httpGet:
path: /readiness
port: 9097
serviceAccountName: tekton-dashboard
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: pipeline0
namespace: tekton-pipelines
spec:
params:
- default: /workspace/git-source
description: The path to the resource files to apply
name: pathToResourceFiles
type: string
- default: .
description: The directory from which resources are to be applied
name: apply-directory
type: string
- default: tekton-pipelines
description: The namespace in which to create the resources being imported
name: target-namespace
type: string
resources:
- name: git-source
type: git
tasks:
- name: pipeline0-task
params:
- name: pathToResourceFiles
value: $(params.pathToResourceFiles)
- name: apply-directory
value: $(params.apply-directory)
- name: target-namespace
value: $(params.target-namespace)
resources:
inputs:
- name: git-source
resource: git-source
taskRef:
name: pipeline0-task
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pipeline0-task
namespace: tekton-pipelines
spec:
params:
- default: /workspace/git-source
description: The path to the resource files to apply
name: pathToResourceFiles
type: string
- default: .
description: The directory from which resources are to be applied
name: apply-directory
type: string
- default: tekton-pipelines
description: The namespace where created resources will go
name: target-namespace
type: string
resources:
inputs:
- name: git-source
type: git
steps:
- args:
- apply
- -f
- $(inputs.params.pathToResourceFiles)/$(inputs.params.apply-directory)
- -n
- $(inputs.params.target-namespace)
command:
- kubectl
image: lachlanevenson/k8s-kubectl@sha256:9713d6c1c6d83bdd4b3744d295fd0efce8f6cc149eb3083e86ae0911aa52ee73
name: kubectl-apply
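Review bot: The tekton-dashboard-minimal ClusterRole grants create/update/delete on secrets, serviceaccounts, deployments and every Tekton kind in all namespaces, and the dashboard Deployment runs with `READ_ONLY` set to `"false"`, so anyone who can reach the dashboard Service (ClusterIP here, but any Ingress in front of it is not on this page) gets cluster-wide write access to those objects through an unauthenticated UI. This looks like the upstream dashboard release manifest, so rather than editing the role, consider `value: "true"` for `READ_ONLY` if the import/create features are not needed, and document in the README how the dashboard is exposed and protected. Two smaller points: `- add` in the triggers.tekton.dev rule is not a Kubernetes RBAC verb and is silently ignored, and `namespace: tekton-pipelines` on a ClusterRole is ignored because ClusterRoles are cluster-scoped. pipeline0-task applies whatever manifests a git source contains with `kubectl apply`, so the dashboard's import feature is effectively "run arbitrary manifests with the dashboard ServiceAccount".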
---


@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: docker-creds
namespace: tekton-pipelines
annotations:
kube-1password: kgpbumszi4stqgyzg4kqrttxam
kube-1password/vault: Kubernetes
tekton.dev/docker-0: https://docker.cloud.cluster.fun/averagemarcus
type: kubernetes.io/basic-auth
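Review bot: The Secret carries no `data`/`stringData`, so as applied it is an empty basic-auth secret; presumably the `kube-1password` annotations mean an operator fills in `username`/`password` afterwards, but nothing on this page says so. A comment above `annotations:` such as `# credentials are injected by the kube-1password operator from the referenced vault item; this manifest intentionally carries no data` would stop the next reader from adding values by hand, and the README install section should list that operator as a prerequisite. The `tekton.dev/docker-0` annotation correctly scopes the credential to a single registry host.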


@ -0,0 +1,39 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: eventlistener
namespace: tekton-pipelines
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: eventlistener
namespace: tekton-pipelines
rules:
- apiGroups: ["triggers.tekton.dev"]
resources: ["eventlisteners", "triggerbindings", "triggertemplates"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps", "secrets", "serviceaccounts"]
verbs: ["get", "list", "watch"]
- apiGroups: ["tekton.dev"]
resources: ["pipelineruns", "pipelineresources", "taskruns"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: eventlistener
namespace: tekton-pipelines
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: eventlistener
subjects:
- kind: ServiceAccount
name: eventlistener
namespace: tekton-pipelines


@ -0,0 +1,22 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-access-token
namespace: tekton-pipelines
annotations:
kube-1password: u45tpgj33bnxl6iz3kwgaf44va
kube-1password/vault: Kubernetes
kube-1password/password-key: access-token
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-creds
annotations:
kube-1password: 3jgo56jlsrdxilf2vdp5zsw6lq
kube-1password/vault: Kubernetes
tekton.dev/git-0: https://git.cloud.cluster.fun
type: kubernetes.io/basic-auth
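Review bot: The second Secret, `gitea-creds`, has no `namespace:` while every other object in this commit sets `namespace: tekton-pipelines`, so `kubectl apply --recursive -f ./` from the README creates it in whatever namespace the current context selects, and the `deploy-project` and `pr-project` ServiceAccounts in tekton-pipelines that list `- name: gitea-creds` will not find it. Add `namespace: tekton-pipelines` under its `metadata:`. Like `docker-creds`, both secrets carry no data and appear to rely on the kube-1password operator; a comment saying so would help.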


@ -0,0 +1,19 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: deploy-project
namespace: tekton-pipelines
secrets:
- name: docker-creds
- name: gitea-creds
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pr-project
namespace: tekton-pipelines
secrets:
- name: docker-creds
- name: gitea-creds

32
tekton/README.md Normal file

@ -0,0 +1,32 @@
# tekton-cicd
## Features
- Install Tekton along with Triggers, Webhook support and the dashboard
- Configures an eventlistener for Gitea
- Defines standard PR and Deploy pipelines
## Install
```sh
kubectl apply --recursive -f ./
```
## Custom Docker images used
### gitea-pr-state
`docker pull docker.cloud.cluster.fun/averagemarcus/gitea-pr-state:latest`
> Sets the state of a commit in Gitea. This is used to set the CI status to pending or success on the PR.
### ci-builder
`docker pull docker.cloud.cluster.fun/averagemarcus/ci-builder:latest`
> Used as a general-purpose Docker image with many common build tools included. This is used for running `make test` and `make build` without needing specific CI images for each project.
## Resources
- [Tekton](https://tekton.dev/)
- [Tekton Docs](https://tekton.dev/docs/)


@ -0,0 +1,19 @@
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
name: gitea-binding
namespace: tekton-pipelines
spec:
params:
- name: gitrevision
value: $(body.commit_sha)
- name: gitref
value: $(body.ref)
- name: gitrepositoryurl
value: $(body.repository.html_url)
- name: gitbranch
value: $(body.branch)
- name: projectname
value: $(body.repository.name)
- name: isprivate
value: $(body.repository.private)
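Review bot: `commit_sha`, `branch` and `ref` are not fields of the Gitea webhook payload; they are injected by the CEL overlays in the webhook-listener EventListener, and a reader of this binding alone cannot tell that. A comment above `params:` such as `# commit_sha, branch and ref are synthesized by the EventListener's cel overlays, not sent by Gitea` would make the dependency explicit. The same comment should note that `isprivate` is a JSON boolean which appears to be rendered as the string `true`/`false`, which the `is-public-project` condition relies on — confirm against the installed Triggers version.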


@ -0,0 +1,12 @@
apiVersion: tekton.dev/v1alpha1
kind: Condition
metadata:
name: has-makefile
namespace: tekton-pipelines
spec:
resources:
- name: src
type: git
check:
image: alpine
script: 'test -f $(resources.src.path)/Makefile'
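Review bot: `image: alpine` is a floating tag, and the same applies to `alpine` in is-public-project, `gcr.io/kaniko-project/executor:latest` in docker-build-and-publish, the untagged `gcr.io/cloud-builders/kubectl` in the three kubectl tasks, and the `:latest` ci-builder and gitea-pr-state images, whereas the vendored Tekton manifests earlier in this commit pin every image by `@sha256:` digest. For tasks that run with cluster credentials (kubectl), push to the registry (kaniko) or hold the Gitea token (pr-status), a mutable tag means the code executing with those secrets can change without a commit here. Pin at least the third-party images to a tag plus digest, e.g. `image: alpine:<tag>@sha256:<digest>` (placeholder — fill in from the registry), and treat the two self-built images the same way once they are published from a pipeline.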


@ -0,0 +1,11 @@
apiVersion: tekton.dev/v1alpha1
kind: Condition
metadata:
name: is-public-project
namespace: tekton-pipelines
spec:
params:
- name: isprivate
check:
image: alpine
script: 'test $(params.isprivate) == false'
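Review bot: `test $(params.isprivate) == false` substitutes the parameter straight into shell source unquoted, so an empty value becomes `test == false` (a syntax error, which fails the condition instead of skipping), and `==` is a bash extension that POSIX `test` does not guarantee. Since `isprivate` originates in the webhook body, the safer form is to pass it through the environment and quote it: `script: 'test "$ISPRIVATE" = false'` with `env: [{name: ISPRIVATE, value: $(params.isprivate)}]` on the check container. The same script-interpolation pattern appears in kubectl-apply-files, kubectl-apply-inline, kubectl-patch-image and make.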


@ -0,0 +1,51 @@
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
name: webhook-listener
namespace: tekton-pipelines
spec:
serviceAccountName: eventlistener
triggers:
- name: pull-request
interceptors:
- cel:
filter: "header.match('X-GitHub-Event', 'pull_request') && body.action != 'closed'"
overlays:
- key: commit_sha
expression: "body.pull_request.head.sha"
- key: branch
expression: "body.pull_request.head.ref"
- key: ref
expression: "body.pull_request.head.ref"
bindings:
- name: gitea-binding
template:
name: pr-project
- name: deploy-master
interceptors:
- cel:
filter: "header.match('X-GitHub-Event', 'push') && split(body.ref, '/')[2] == body.repository.default_branch"
overlays:
- key: commit_sha
expression: "body.after"
- key: branch
expression: "split(body.ref, '/')[2]"
- key: ref
expression: "body.ref"
bindings:
- name: gitea-binding
template:
name: deploy-project
- name: tag
interceptors:
- cel:
filter: "header.match('X-GitHub-Event', 'create') && body.ref_type == 'tag'"
overlays:
- key: commit_sha
expression: "body.sha"
- key: ref
expression: "body.ref"
bindings:
- name: gitea-binding
template:
name: project-tag
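Review bot: None of the three triggers verifies that the request actually came from Gitea: the CEL filters only inspect `X-GitHub-Event` and body fields, both of which any client that can reach the listener can set, and those body fields then flow into PipelineRuns that push images, update commit statuses and run `make` under the deploy-project and pr-project ServiceAccounts. Configure a webhook secret in Gitea and validate it before the CEL interceptor — if Gitea's GitHub-compatible `X-Hub-Signature` header is present, the built-in `github` interceptor with a `secretRef` pointing at a Secret holding the shared secret does this; otherwise a CEL check on Gitea's own signature header. Whether the listener Service is reachable from outside the cluster is not visible on this page; document that too. Separately, `split(body.ref, '/')[2]` in deploy-master yields only the first path segment, so a default branch containing `/` (e.g. `release/main`) never matches `body.repository.default_branch`.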


@ -0,0 +1,77 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: deploy-project
namespace: tekton-pipelines
spec:
params:
- name: gitbranch
type: string
- name: gitrevision
type: string
- name: projectname
type: string
- name: isprivate
default: "true"
type: string
- name: dockerregistry
type: string
description: The Docker registry to push images to
default: docker.cloud.cluster.fun/private
- name: publicdockerregistry
type: string
description: The Docker registry to push images to
default: docker.cloud.cluster.fun/averagemarcus
- name: imagetag
type: string
description: The Docker image tag
default: latest
resources:
- name: git-source
type: git
tasks:
- name: build-and-publish-latest
taskRef:
name: docker-build-and-publish
params:
- name: IMAGE
value: $(params.dockerregistry)/$(params.projectname):$(params.imagetag)
resources:
inputs:
- name: src
resource: git-source
- name: build-and-publish-sha
taskRef:
name: docker-build-and-publish
params:
- name: IMAGE
value: $(params.dockerregistry)/$(params.projectname):$(params.gitrevision)
resources:
inputs:
- name: src
resource: git-source
- name: build-and-publish-public
conditions:
- conditionRef: is-public-project
params:
- name: isprivate
value: $(params.isprivate)
taskRef:
name: docker-build-and-publish
params:
- name: IMAGE
value: $(params.publicdockerregistry)/$(params.projectname):$(params.imagetag)
resources:
inputs:
- name: src
resource: git-source
- name: make-release
taskRef:
name: make
params:
- name: TARGET
value: "release"
resources:
inputs:
- name: src
resource: git-source
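Review bot: `make-release` has no `runAfter`, so it runs concurrently with the three kaniko tasks; if the `release` target consumes the freshly pushed `:$(params.gitrevision)` image (a deploy step, say) it can race ahead of the push. If that is the intent, `runAfter: [build-and-publish-sha]` on `make-release` makes the ordering explicit. `gitbranch` is declared but never used, and `build-and-publish-latest` and `build-and-publish-sha` build the same context twice where one kaniko run with two `--destination` flags would push both tags from a single build.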

91
tekton/pipelines/pr.yaml Normal file

@ -0,0 +1,91 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: pr-project
namespace: tekton-pipelines
spec:
params:
- name: gitbranch
type: string
- name: gitrevision
type: string
- name: projectname
type: string
resources:
- name: git-source
type: git
tasks:
- name: pr-start
taskRef:
name: pr-status
params:
- name: REPO
value: $(params.projectname)
- name: SHA
value: $(params.gitrevision)
- name: STATE
value: "pending"
- name: make-test
# TODO: Re-enable when conditionals can result in skipped rather than failure
# conditions:
# - conditionRef: has-makefile
# resources:
# - name: src
# resource: git-source
taskRef:
name: make
params:
- name: TARGET
value: "test"
resources:
inputs:
- name: src
resource: git-source
- name: make-build
# TODO: Re-enable when conditionals can result in skipped rather than failure
# conditions:
# - conditionRef: has-makefile
# resources:
# - name: src
# resource: git-source
taskRef:
name: make
params:
- name: TARGET
value: "build"
resources:
inputs:
- name: src
resource: git-source
- name: make-ci
# TODO: Re-enable when conditionals can result in skipped rather than failure
# conditions:
# - conditionRef: has-makefile
# resources:
# - name: src
# resource: git-source
taskRef:
name: make
params:
- name: TARGET
value: "ci"
resources:
inputs:
- name: src
resource: git-source
- name: pr-end
taskRef:
name: pr-status
runAfter:
- pr-start
- make-test
- make-build
- make-ci
params:
- name: REPO
value: $(params.projectname)
- name: SHA
value: $(params.gitrevision)
- name: STATE
value: "success"
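Review bot: `pr-end` only runs when every task in its `runAfter` succeeds, so a failing `make-test`/`make-build`/`make-ci` stops the pipeline before it runs and the commit status set to `pending` by `pr-start` is never updated to `failure`; PRs then look perpetually in progress rather than red. If the installed Tekton version supports pipeline `finally` tasks, move the status update there and derive `STATE` from the run outcome; otherwise document that a failed run leaves the status at pending. `gitbranch` is declared but unused, and the commented-out `has-makefile` conditions duplicate the skip logic already inside the `make` task, so the TODO can say which of the two is meant to survive.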

53
tekton/pipelines/tag.yaml Normal file

@ -0,0 +1,53 @@
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: project-tag
namespace: tekton-pipelines
spec:
params:
- name: projectname
type: string
- name: isprivate
default: "true"
type: string
- name: dockerregistry
type: string
description: The Docker registry to push images to
default: docker.cloud.cluster.fun/private
- name: publicdockerregistry
type: string
description: The Docker registry to push images to
default: docker.cloud.cluster.fun/averagemarcus
- name: imagetag
type: string
description: The Docker image tag
default: latest
resources:
- name: git-source
type: git
tasks:
- name: build-and-publish-tag
taskRef:
name: docker-build-and-publish
params:
- name: IMAGE
value: $(params.dockerregistry)/$(params.projectname):$(params.imagetag)
resources:
inputs:
- name: src
resource: git-source
- name: build-and-publish-tag-public
conditions:
- conditionRef: is-public-project
params:
- name: isprivate
value: $(params.isprivate)
taskRef:
name: docker-build-and-publish
params:
- name: IMAGE
value: $(params.publicdockerregistry)/$(params.projectname):$(params.imagetag)
resources:
inputs:
- name: src
resource: git-source
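Review bot: `imagetag` defaults to `latest` and the pipeline declares no parameter carrying the git tag, so unless the `project-tag` TriggerTemplate (cut off at the end of this page) passes `imagetag`, a tag push rebuilds and overwrites `:latest` instead of producing a `:<tag>` image, and both kaniko tasks use the same `$(params.imagetag)`. Consider declaring `imagetag` here without a default so the template must supply it. As in deploy.yaml, `isprivate` defaults to `"true"`, which is the safe direction (private unless told otherwise).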


@ -0,0 +1,45 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: docker-build-and-publish
namespace: tekton-pipelines
spec:
params:
- name: DOCKERFILE
type: string
description: The path to the dockerfile to build
default: /Dockerfile
- name: CONTEXT
type: string
description: The build context used by Docker.
default: ./
- name: IMAGE
type: string
description: Name (reference) of the image to build.
- name: EXTRA_ARGS
type: string
default: ""
resources:
inputs:
- name: src
type: git
results:
- name: IMAGE_DIGEST
description: Digest of the image just built.
steps:
- name: build-and-push
workingDir: /workspace/src
image: gcr.io/kaniko-project/executor:latest
env:
- name: DOCKER_CONFIG
value: /tekton/home/.docker
command:
- /kaniko/executor
- $(params.EXTRA_ARGS)
- --dockerfile=/workspace/src/$(params.DOCKERFILE)
- --context=/workspace/src/$(params.CONTEXT)
- --destination=$(params.IMAGE)
- --oci-layout-path=/workspace/src/image-digest
- --digest-file=/tekton/results/IMAGE_DIGEST
securityContext:
runAsUser: 0
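Review bot: `EXTRA_ARGS` is a single string placed as one `command` element, so a value like `--cache=true --reproducible` reaches kaniko as one argument and the empty default is passed as an empty positional argument; an `array` param expanded with `$(params.EXTRA_ARGS[*])` passes zero or many arguments correctly (if the installed Tekton supports array expansion in `command`). `--destination` is built from `projectname`, which comes from the webhook body, so which repository gets written depends on the listener validating requests. The default `DOCKERFILE` of `/Dockerfile` works (it yields `/workspace/src//Dockerfile`) but `Dockerfile` reads more naturally; the `runAsUser: 0` is required by kaniko and deserves a `# kaniko needs root to unpack layers` comment so it is not "fixed" later.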


@ -0,0 +1,14 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kubectl-apply-files
namespace: tekton-pipelines
spec:
params:
- name: DIRECTORY
description: Directory of kubernetes manifest files
steps:
- name: kubectl-apply
image: gcr.io/cloud-builders/kubectl
script: |
kubectl apply --recursive -f $(params.DIRECTORY)
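Review bot: The task runs `kubectl apply` with whatever ServiceAccount the TaskRun is given, and none of the ServiceAccounts defined in this commit (`deploy-project`, `pr-project`) carry a RoleBinding that permits it, so this task fails unless a run supplies a differently privileged account; document the expected account in the `DIRECTORY` description or a comment, and bind the narrowest Role for the kinds it is meant to apply rather than reusing an admin account. `$(params.DIRECTORY)` is also unquoted inside the script; `kubectl apply --recursive -f "$DIRECTORY"` with the value passed via `env` avoids shell interpretation of the path.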


@ -0,0 +1,14 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kubectl-apply-inline
namespace: tekton-pipelines
spec:
params:
- name: MANIFEST
description: Content of the resource to deploy
steps:
- name: kubectl-apply
image: gcr.io/cloud-builders/kubectl
script: |
echo "$(params.MANIFEST)" | kubectl apply -f -
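Review bot: `echo "$(params.MANIFEST)" | kubectl apply -f -` interpolates the whole manifest into the shell script before the shell parses it, so a manifest containing a double quote, a backtick or `$(` either breaks the script or is executed as shell, and `echo` itself mangles backslashes and a leading `-n` on some shells. Pass the manifest through an environment variable and print it with `printf`, which hands the bytes to kubectl unchanged; the same RBAC remark as for kubectl-apply-files applies here.
```yaml
  - name: kubectl-apply
    image: gcr.io/cloud-builders/kubectl
    env:
      - name: MANIFEST
        value: $(params.MANIFEST)
    script: |
      printf '%s\n' "$MANIFEST" | kubectl apply -f -
```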


@ -0,0 +1,25 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kubectl-patch-image
namespace: tekton-pipelines
spec:
params:
- name: NAMESPACE
default: "default"
description: The namespace the kubernetes resource is in
- name: RESOURCE_TYPE
default: "deployment"
description: The type of Kubernetes resource
- name: NAME
description: The name of the resource
- name: CONTAINER_NAME
description: The name of the container to patch
default: "*" # defaults to updating _all_ containers
- name: IMAGE
description: The new image to use
steps:
- name: kubectl-patch-image
image: gcr.io/cloud-builders/kubectl
script: |
kubectl --namespace $(params.NAMESPACE) set image $(params.RESOURCE_TYPE) $(params.NAME) $(params.CONTAINER_NAME)=$(params.IMAGE)
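Review bot: The default `CONTAINER_NAME` of `*` lands in the script unquoted, so the shell treats `*=<image>` as a glob and replaces it with a matching filename if one exists in the working directory before kubectl sees it; every other parameter on that line is likewise interpolated unquoted. Quote the tail of the command, `$(params.CONTAINER_NAME)=$(params.IMAGE)` → `"$(params.CONTAINER_NAME)=$(params.IMAGE)"`, or better pass all five params as `env` entries and reference them as `"$NAMESPACE"` and so on. The `# defaults to updating _all_ containers` comment is useful; extend it with `# '*' is kubectl syntax, not a shell glob` so readers do not "fix" it.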

19
tekton/tasks/make.yaml Normal file

@ -0,0 +1,19 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: make
namespace: tekton-pipelines
spec:
params:
- name: TARGET
description: The make target to run
resources:
inputs:
- name: src
type: git
steps:
- name: make
workingDir: /workspace/src
image: docker.cloud.cluster.fun/averagemarcus/ci-builder:latest
script: |
make --dry-run -t $(params.TARGET) &> /dev/null && make $(params.TARGET) || echo "No '$(params.TARGET)' target found, skipping"
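Review bot: `&> /dev/null` is a bash-only redirection; Tekton runs a `script` without a shebang under `/bin/sh`, and in a POSIX sh `make … &` backgrounds the probe while `> /dev/null` becomes an empty redirection that always succeeds, so `make $(params.TARGET)` runs whether or not the target exists — unless the ci-builder image links `/bin/sh` to bash, which this page does not show. Write it portably, `make --dry-run -t "$TARGET" >/dev/null 2>&1 && make "$TARGET" || echo "No '$TARGET' target found, skipping"` with `TARGET` supplied via `env`, or start the script with `#!/usr/bin/env bash`. A short comment above `script:` explaining that a missing target is deliberately a no-op would also help, since pr.yaml's commented-out conditions exist for the same reason.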


@ -0,0 +1,27 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pr-status
namespace: tekton-pipelines
spec:
params:
- name: REPO
description: The name of the repo
- name: SHA
description: The git SHA to update the status of
- name: STATE
description: The state to set the status to (pending, success, error, failure or warning)
default: "pending"
steps:
- name: pr-status-update
image: docker.cloud.cluster.fun/averagemarcus/gitea-pr-state:latest
env:
- name: ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: gitea-access-token
key: access-token
args:
- "$(params.REPO)"
- "$(params.SHA)"
- "$(params.STATE)"
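Review bot: The step holds the Gitea token from the `gitea-access-token` secret while running an image pinned only to `:latest` from `docker.cloud.cluster.fun`, so anyone able to push to that repository path gets the token on the next run. Pin it to a digest, `image: docker.cloud.cluster.fun/averagemarcus/gitea-pr-state@sha256:<digest>`, or at least an immutable version tag. Passing REPO, SHA and STATE as `args` rather than through a shell script avoids the substitution problem the kubectl tasks have, which is good. STATE is not checked against the five values its description lists, so presumably the image rejects anything else; worth confirming.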


@ -0,0 +1,49 @@
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: deploy-project
namespace: tekton-pipelines
spec:
params:
- name: gitrevision
description: The git revision
- name: gitrepositoryurl
description: The git repository url
- name: gitbranch
description: The branch of the PR
- name: gitref
description: The ref of the PR
- name: projectname
description: The name of the git project
- name: isprivate
description: If the git project is set to private
default: "true"
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: deploy-project-
spec:
pipelineRef:
name: deploy-project
serviceAccountName: deploy-project
params:
- name: gitbranch
value: $(params.gitbranch)
- name: gitref
value: $(params.gitref)
- name: gitrevision
value: $(params.gitrevision)
- name: projectname
value: $(params.projectname)
- name: isprivate
value: $(params.isprivate)
resources:
- name: git-source
resourceSpec:
type: git
params:
- name: revision
value: $(params.gitrevision)
- name: url
value: $(params.gitrepositoryurl)
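Review bot: Nothing in this template constrains `gitrepositoryurl` or `gitrevision`, so whatever the EventListener binds from the webhook payload is cloned and run under the `deploy-project` service account. That is acceptable only if the listener in front of it verifies the Gitea webhook secret and the binding or an interceptor restricts the URL to the trusted Gitea host; neither is visible in this chunk, so please confirm. Record that assumption where the next maintainer will see it, e.g. `description: The git repository url; must point at the internal Gitea host (enforced by the EventListener interceptor, not here)`. The `"true"` default for `isprivate` fails in the safe direction, which is good.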


@ -0,0 +1,42 @@
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: pr-project
namespace: tekton-pipelines
spec:
params:
- name: gitrevision
description: The git revision
- name: gitrepositoryurl
description: The git repository url
- name: gitbranch
description: The branch of the PR
- name: gitref
description: The ref of the PR
- name: projectname
description: The name of the git project
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: pr-project-
spec:
pipelineRef:
name: pr-project
serviceAccountName: pr-project
params:
- name: gitbranch
value: $(params.gitbranch)
- name: gitrevision
value: $(params.gitrevision)
- name: projectname
value: $(params.projectname)
resources:
- name: git-source
resourceSpec:
type: git
params:
- name: revision
value: $(params.gitrevision)
- name: url
value: $(params.gitrepositoryurl)
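Review bot: `gitref` is declared as a template param but never passed to the PipelineRun, unlike the sibling `deploy-project` and `project-tag` templates; either drop it or pass it so the three templates stay parallel. More importantly, this run executes the PR's own checkout (presumably via the `make` task, which runs the repository's Makefile) under the `pr-project` service account, so a PR author effectively gets code execution with that account's RBAC and registry credentials. If Gitea allows PRs from non-members, the `pr-project` account should be the least-privileged of the three and the listener should gate on the author's membership; a one-line note on the template, `# runs untrusted PR code: keep the pr-project service account minimal`, would make that explicit.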


@ -0,0 +1,51 @@
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
name: project-tag
namespace: tekton-pipelines
spec:
params:
- name: gitrevision
description: The git revision
- name: gitrepositoryurl
description: The git repository url
- name: gitbranch
description: The branch of the PR
- name: gitref
description: The ref of the PR
- name: projectname
description: The name of the git project
- name: isprivate
description: If the git project is set to private
default: "true"
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: project-tag-
spec:
pipelineRef:
name: project-tag
serviceAccountName: project-tag
params:
- name: gitbranch
value: $(params.gitbranch)
- name: gitref
value: $(params.gitref)
- name: gitrevision
value: $(params.gitrevision)
- name: projectname
value: $(params.projectname)
- name: isprivate
value: $(params.isprivate)
- name: imagetag
value: $(params.gitref)
resources:
- name: git-source
resourceSpec:
type: git
params:
- name: revision
value: $(params.gitrevision)
- name: url
value: $(params.gitrepositoryurl)
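Review bot: `imagetag` is taken verbatim from `$(params.gitref)` a few lines above; if the binding passes the raw ref (`refs/tags/v1.2.3`) the slashes make it an invalid image tag, and if it passes the bare name nothing prevents a tag such as `latest` from overwriting a production image. The TriggerBinding is not in this chunk, so please confirm which form arrives. Either way, document the expected shape, e.g. `description: The ref of the tag push, expected as the bare tag name (v1.2.3); used unchanged as the image tag`. Since a tag push alone triggers this deploy, restricting who can push tags in Gitea is the control that matters here.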