diff --git a/tekton/1-Install/1-pipeline.yaml b/tekton/1-Install/1-pipeline.yaml
index bbcfc1b..a4cc212 100644
--- a/tekton/1-Install/1-pipeline.yaml
+++ b/tekton/1-Install/1-pipeline.yaml
@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -30,6 +31,7 @@ metadata:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -60,24 +62,34 @@ spec: max: 65535 --- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: tekton-pipelines-admin + name: tekton-pipelines-controller-cluster-access rules: - apiGroups: [""] - resources: ["pods", "pods/log", "namespaces", "secrets", "events", "serviceaccounts", - "configmaps", "persistentvolumeclaims", "limitranges"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] -- apiGroups: ["apps"] - resources: ["deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Namespace access is required because the controller timeout handling logic + # iterates over all namespaces and times out any PipelineRuns that have expired. + # Pod access is required because the taskrun controller wants to be updated when + # a Pod underlying a TaskRun changes state. + resources: ["namespaces", "pods"] + verbs: ["list", "watch"] + # Controller needs cluster access to all of the CRDs that it is responsible for + # managing. 
- apiGroups: ["tekton.dev"] resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions"] 
@@ -93,6 +105,118 @@ rules: resources: ["podsecuritypolicies"] resourceNames: ["tekton-pipelines"] verbs: ["use"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. + name: tekton-pipelines-controller-tenant-access +rules: +- apiGroups: [""] + resources: ["pods", "pods/log", "secrets", "events", "serviceaccounts", "configmaps", + "persistentvolumeclaims", "limitranges"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Unclear if this access is actually required. Simply a hold-over from the previous + # incarnation of the controller's ClusterRole. +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +- apiGroups: ["apps"] + resources: ["deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook-cluster-access +rules: +- # The webhook needs to be able to list and update customresourcedefinitions, + # mainly to update the webhook certificates. + apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "list", "update", "patch", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. + verbs: ["list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. 
+ resourceNames: ["webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. + # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure + resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines"] + verbs: ["use"] + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] +- # The controller needs access to these configmaps for logging information and runtime configuration. 
+ apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", + "config-artifact-pvc", "feature-flags", "config-leader-election"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] +- # The webhook needs access to these configmaps for logging information. + apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] +- # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["webhook-certs"] --- # Copyright 2019 The Tekton Authors @@ -113,6 +237,12 @@ kind: ServiceAccount metadata: name: tekton-pipelines-controller namespace: tekton-pipelines +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors 
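Review bot: In the new `tekton-pipelines-webhook` Role, the rule granting `list` and `watch` on all `secrets` in `tekton-pipelines` lets the webhook service account read every secret in that namespace, so the `resourceNames: ["webhook-certs"]` limit on the following `get`/`update` rule only constrains writes. If the informer cannot be scoped to the single secret, that should be stated next to the rule, for example `# list/watch is not limited by name: the webhook can read all secrets in this namespace`. In the same hunk the comment on the webhook ClusterRole says "get, list and watch" while the rule it sits on grants only `["list", "watch"]`. The `apps` `deployments` and `deployments/finalizers` rules in `tekton-pipelines-controller-tenant-access` are carried over even though their own comment says the access may not be needed; dropping them, or tracking the question in an issue referenced from the comment, would keep the role at least privilege.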
@@ -128,17 +258,91 @@ metadata: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: tekton-pipelines-controller-admin + name: tekton-pipelines-controller-cluster-access subjects: - kind: ServiceAccount name: tekton-pipelines-controller namespace: tekton-pipelines roleRef: kind: ClusterRole - name: tekton-pipelines-admin + name: tekton-pipelines-controller-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. The access described by +# the tekton-pipelines-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-tenant-access +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-tenant-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-webhook-cluster-access +subjects: +- kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines +subjects: +- kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-webhook apiGroup: rbac.authorization.k8s.io --- 
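Review bot: The `tekton-pipelines-controller-tenant-access` binding is added as a `ClusterRoleBinding`, so the controller service account still holds create/update/delete on `secrets`, `serviceaccounts` and `pods` in every namespace; the split into cluster and tenant roles narrows nothing until this binding is replaced by per-namespace `RoleBinding`s. The comment above it describes that option only indirectly and could read `# Bound cluster-wide by default. To confine the controller to tenant namespaces, replace this with one RoleBinding per namespace referencing the same ClusterRole.` The added bindings also use `rbac.authorization.k8s.io/v1beta1` while the roles they reference are declared with `rbac.authorization.k8s.io/v1`; `apiVersion: rbac.authorization.k8s.io/v1` on the bindings would be consistent and avoids the deprecated group version.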
@@ -155,12 +359,28 @@ roleRef: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clustertasks.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true @@ -179,7 +399,12 @@ spec: # starts to increment subresources: status: {} - version: v1alpha1 + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors @@ -195,10 +420,14 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: conditions.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev names: @@ -228,6 +457,7 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: 
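Review bot: The comment added under `openAPIV3Schema` names `spec.preserveUnknownProperties`, but the field this hunk sets is `preserveUnknownFields`; the line should read `# setting spec.preserveUnknownFields: false.` With `x-kubernetes-preserve-unknown-fields: true` at the schema root the API server prunes nothing and checks little beyond `type: object`, so validation of these objects rests on the admission webhook; a short comment saying so would help anyone assessing what happens if the webhook is unavailable. The same comment text is repeated in the `pipelines`, `pipelineruns`, `tasks` and `taskruns` CRD hunks further down.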
@@ -264,12 +494,28 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: pipelines.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true @@ -288,7 +534,12 @@ spec: # starts to increment subresources: status: {} - version: v1alpha1 + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors 
@@ -304,12 +555,28 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: pipelineruns.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true @@ -344,7 +611,12 @@ spec: # starts to increment subresources: status: {} - version: v1alpha1 + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors @@ -360,10 +632,14 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: pipelineresources.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev names: 
@@ -393,12 +669,28 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: tasks.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true @@ -417,7 +709,12 @@ spec: # starts to increment subresources: status: {} - version: v1alpha1 + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2019 The Tekton Authors 
@@ -433,12 +730,28 @@ spec: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: taskruns.tekton.dev + labels: + pipeline.tekton.dev/release: "devel" + version: "devel" spec: group: tekton.dev + preserveUnknownFields: false + validation: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true versions: - name: v1alpha1 served: true @@ -473,7 +786,12 @@ spec: # starts to increment subresources: status: {} - version: v1alpha1 + conversion: + strategy: Webhook + webhookClientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines --- # Copyright 2020 The Tekton Authors 
@@ -498,20 +816,6 @@ metadata: labels: pipeline.tekton.dev/release: devel # The data is populated at install time. - -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration @@ -529,20 +833,6 @@ webhooks: failurePolicy: Fail sideEffects: None name: validation.webhook.pipeline.tekton.dev - -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration 
@@ -560,20 +850,6 @@ webhooks: failurePolicy: Fail sideEffects: None name: webhook.pipeline.tekton.dev - -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration @@ -597,6 +873,20 @@ webhooks: operator: Exists --- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -625,6 +915,20 @@ rules: - watch --- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -800,6 +1104,33 @@ data: # info. disable-working-directory-overwrite: "false" +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election + namespace: tekton-pipelines +data: + # An inactive but valid configuration follows; see example. + resourceLock: "leases" + leaseDuration: "15s" + renewDeadline: "10s" + retryPeriod: "2s" + --- # Copyright 2019 Tekton Authors LLC # @@ -920,6 +1251,7 @@ data: # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. + apiVersion: apps/v1 kind: Deployment metadata: 
@@ -928,8 +1260,8 @@ metadata:
 labels:
 app.kubernetes.io/name: tekton-pipelines
 app.kubernetes.io/component: controller
- pipeline.tekton.dev/release: "v0.11.2"
- version: "v0.11.2"
+ pipeline.tekton.dev/release: "v0.12.1"
+ version: "v0.12.1"
 spec:
 replicas: 1
 selector:
@@ -944,21 +1276,27 @@ spec: app.kubernetes.io/name: tekton-pipelines app.kubernetes.io/component: controller # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.11.2" - version: "v0.11.2" + pipeline.tekton.dev/release: "v0.12.1" + version: "v0.12.1" spec: serviceAccountName: tekton-pipelines-controller containers: - name: tekton-pipelines-controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.11.2@sha256:0791513ec1176da38c403eb81220406e987f78f3e58608bd57be1adc45bc9aac - args: ["-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.11.2@sha256:d01fa1db8abcad318d05e62e35153a91c6c995949e52133520d9e4735e9a486c", - "-creds-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.11.2@sha256:ced427e48b143bc821aedd4a0936fa2caef3f208d70efe68ccba786c12b2c943", - "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.11.2@sha256:bee98bfe6807e8f4e0a31b4e786fd1f7f459e653ed1a22b1a25999f33fa9134a", - "-nop-image", "tianon/true", "-shell-image", "busybox", "-gsutil-image", - "google/cloud-sdk", "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.11.2@sha256:bc5beb48ca4f87013ccb466bf739d6c99ef9f1ddf51899c73ead99f242b4e57d", - "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.11.2@sha256:7a03343deaeaa6b2d779df37417f9bf76cb5f67b36dd298e5bb69a0f625a2b38", - "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.11.2@sha256:3a395509e0d75786eafe96f68d22afc7c4d23a2a76ffc77218b25e8c6c81f6ba", - "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.11.2@sha256:a020c8510b15870a5b059708197ac7c4ef0d1cbd668eb0872105ad658d509f67"] + 
image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.12.1@sha256:0ca86ec6f246f49c1ac643357fd1c8e73a474aaa216548807b1216a9ff12f7be + args: [ + # These images are built on-demand by `ko resolve` and are replaced + # by image references by digest. + "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.12.1@sha256:67dcd447b0c624befa12843ce9cc0bcfc502179bdb28d59563d761a7f3968509", + "-creds-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.12.1@sha256:6266d023172dde7fa421f626074b4e7eedc7d7d5ff561c033d6d63ebfff4a2f2", + "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.12.1@sha256:d82c78288699dd6ee40c852b146cb3bd89b322b42fb3bc4feec28ea54bb7b36c", + "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.12.1@sha256:7f3db925f7660673a74b0e1030e65540adea36fe361ab7f06f5b5c47cdcef47d", + "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.12.1@sha256:e8f08214baad9054bbed7be2b8617c6964b9a1c5405cf59eabcc3d3267a6253f", + "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.12.1@sha256:71e0226346e0d3d57af7c35b6cb907d42d3142e845b0f865ba0c86d3e248f3cb", + "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.12.1@sha256:ae5721bf0d883947c3c13f519ca26129792f4058d5f9dfedd50174d9e7acb2bc", + # These images are pulled from Dockerhub, by digest, as of April 15, 2020. 
+ "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b", + "-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6", + "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e"] volumeMounts: - name: config-logging mountPath: /etc/config-logging @@ -967,10 +1305,21 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME + - # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: CONFIG_ARTIFACT_BUCKET_NAME + value: config-artifact-bucket + - name: CONFIG_ARTIFACT_PVC_NAME + value: config-artifact-pvc + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election - name: METRICS_DOMAIN value: tekton.dev/pipeline volumes: @@ -983,8 +1332,8 @@ kind: Service metadata: labels: app: tekton-pipelines-controller - pipeline.tekton.dev/release: "v0.11.2" - version: "v0.11.2" + pipeline.tekton.dev/release: "v0.12.1" + version: "v0.12.1" name: tekton-pipelines-controller namespace: tekton-pipelines spec: @@ -1022,8 +1371,8 @@ metadata: labels: app.kubernetes.io/name: tekton-pipelines app.kubernetes.io/component: webhook-controller - pipeline.tekton.dev/release: "v0.11.2" - version: "v0.11.2" + pipeline.tekton.dev/release: "v0.12.1" + version: "v0.12.1" spec: replicas: 1 selector: 
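Review bot: The three Docker Hub images passed as `-nop-image`, `-shell-image` and `-gsutil-image` are now referenced by digest alone, which fixes their content but leaves no record of which release each digest belongs to beyond the date in the comment. Keeping the tag alongside the digest (`busybox:<tag>@sha256:…`, placeholder tag) or naming the tag in a comment per image would let a later reviewer judge how stale each pin is and re-verify it against the registry. The hunk starts inside the controller Deployment's pod template, so the rest of the container spec is outside what is shown here.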
@@ -1039,26 +1388,33 @@ spec: role: webhook app.kubernetes.io/name: tekton-pipelines app.kubernetes.io/component: webhook-controller - pipeline.tekton.dev/release: "v0.11.2" - version: "v0.11.2" + pipeline.tekton.dev/release: "v0.12.1" + version: "v0.12.1" spec: - serviceAccountName: tekton-pipelines-controller + serviceAccountName: tekton-pipelines-webhook containers: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.11.2@sha256:9826548f3bd8cc0c4187ca0ab5ab8114009874625828a23301c1f60be4f294fa + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.12.1@sha256:69f065d493244dbd50563b96f5474bf6590821a6308fd8c69c5ef06cf4d988b2 env: - name: SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME + - # If you are changing these names, you will also need to update + # the webhook's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + name: CONFIG_LOGGING_NAME value: config-logging - name: CONFIG_OBSERVABILITY_NAME value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election - name: WEBHOOK_SERVICE_NAME value: tekton-pipelines-webhook + - name: WEBHOOK_SECRET_NAME + value: webhook-certs - name: METRICS_DOMAIN value: tekton.dev/pipeline securityContext: @@ -1077,8 +1433,8 @@ metadata: labels: app: tekton-pipelines-webhook role: webhook - pipeline.tekton.dev/release: v0.11.2 - version: "v0.11.2" + pipeline.tekton.dev/release: v0.12.1 + version: "v0.12.1" name: tekton-pipelines-webhook namespace: tekton-pipelines spec: diff --git a/tekton/1-Install/2-triggers.yaml b/tekton/1-Install/2-triggers.yaml index 758bda3..1be8fc6 100644 --- a/tekton/1-Install/2-triggers.yaml +++ b/tekton/1-Install/2-triggers.yaml 
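Review bot: The webhook container gains `CONFIG_LEADERELECTION_NAME` with value `config-leader-election`, but the `tekton-pipelines-webhook` Role added earlier in this diff allows `get` only on `config-logging` and `config-observability`. The comment added in this same hunk says new names must be added to that Role's "configmaps" "get" rule, so either extend it to `resourceNames: ["config-logging", "config-observability", "config-leader-election"]` or, if the webhook reads this ConfigMap only through its list/watch informer (not visible here), say so in the comment. The comment also points to `200-role.yaml`, whereas in this repository the Role appears to be in the same `1-pipeline.yaml`.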
@@ -16,6 +16,9 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: tekton-triggers + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers spec: privileged: false allowPrivilegeEscalation: false @@ -60,6 +63,9 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tekton-triggers-admin + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers rules: - apiGroups: [""] resources: ["configmaps", "secrets", "services"] @@ -103,6 +109,9 @@ kind: ServiceAccount metadata: name: tekton-triggers-controller namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers --- # Copyright 2019 The Tekton Authors @@ -123,6 +132,9 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: tekton-triggers-controller-admin + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers subjects: - kind: ServiceAccount name: tekton-triggers-controller @@ -151,6 +163,11 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clustertriggerbindings.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "devel" + version: "devel" spec: group: triggers.tekton.dev scope: Cluster @@ -190,6 +207,11 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: eventlisteners.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "devel" + version: "devel" spec: group: triggers.tekton.dev scope: Namespaced 
@@ -231,6 +253,11 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: triggerbindings.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "devel" + version: "devel" spec: group: triggers.tekton.dev scope: Namespaced @@ -272,6 +299,11 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: triggertemplates.triggers.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "devel" + version: "devel" spec: group: triggers.tekton.dev scope: Namespaced @@ -315,6 +347,9 @@ metadata: name: triggers-webhook-certs namespace: tekton-pipelines labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers triggers.tekton.dev/release: devel # The data is populated at install time. --- @@ -323,6 +358,9 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.triggers.tekton.dev labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers triggers.tekton.dev/release: devel webhooks: - admissionReviewVersions: @@ -340,6 +378,9 @@ kind: MutatingWebhookConfiguration metadata: name: webhook.triggers.tekton.dev labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers triggers.tekton.dev/release: devel webhooks: - admissionReviewVersions: @@ -357,6 +398,9 @@ kind: ValidatingWebhookConfiguration metadata: name: config.webhook.triggers.tekton.dev labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers triggers.tekton.dev/release: devel webhooks: - admissionReviewVersions: 
@@ -374,16 +418,32 @@ webhooks: operator: Exists --- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tekton-triggers-aggregate-edit labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: - - tekton.dev + - triggers.tekton.dev resources: - clustertriggerbindings - eventlisteners 
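Review bot: Changing `apiGroups` from `tekton.dev` to `triggers.tekton.dev` in `tekton-triggers-aggregate-edit` is what makes the rule match the Triggers resources at all, so from this release every subject holding the built-in `edit` or `admin` role gains the rule's verbs on the listed resources; the same correction in the `tekton-triggers-aggregate-view` hunk extends `view`. That widening deserves a comment on the role, for example `# Aggregated into edit/admin: anyone with edit rights in a namespace can manage Triggers resources there.` The verb list and the rest of the resource list lie outside this hunk, so the exact rights should be checked there before relying on the built-in roles for tenant separation.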
@@ -400,15 +460,31 @@ rules: - watch --- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tekton-triggers-aggregate-view labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: - - tekton.dev + - triggers.tekton.dev resources: - clustertriggerbindings - eventlisteners @@ -439,6 +515,9 @@ kind: ConfigMap metadata: name: config-logging-triggers namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers data: # Common configuration for all knative codebase zap-logger-config: | @@ -491,6 +570,9 @@ kind: ConfigMap metadata: name: config-observability-triggers namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers data: _example: | ################################ 
@@ -544,9 +626,14 @@ apiVersion: v1 kind: Service metadata: labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers + triggers.tekton.dev/release: "v0.5.0" app: tekton-triggers-controller - version: "v0.4.0" - triggers.tekton.dev/release: "v0.4.0" + version: "v0.5.0" name: tekton-triggers-controller namespace: tekton-pipelines spec: @@ -556,7 +643,10 @@ spec: protocol: TCP targetPort: 9090 selector: - app: tekton-triggers-controller + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers --- # Copyright 2019 The Tekton Authors 
@@ -579,30 +669,41 @@ metadata: name: tekton-triggers-controller namespace: tekton-pipelines labels: - app.kubernetes.io/name: tekton-triggers + app.kubernetes.io/name: controller app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml - triggers.tekton.dev/release: "v0.4.0" + triggers.tekton.dev/release: "v0.5.0" spec: replicas: 1 selector: matchLabels: - app: tekton-triggers-controller + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers app: tekton-triggers-controller - triggers.tekton.dev/release: "v0.4.0" + triggers.tekton.dev/release: "v0.5.0" # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml - version: "v0.4.0" + version: "v0.5.0" spec: serviceAccountName: tekton-triggers-controller containers: - name: tekton-triggers-controller - image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:bf3517ddccace756e39cee0f0012bbe879c6b28d962a1c904a415e7c60ce5bc2 - args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:76c208ec1d73d9733dcaf850240e1b3990e5977709a03c2bd98ad5b20fab9867", + image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:5d71b1706da0e1a1673e3bdb1e230b28534698e1cb5b8604540083024fd7d58d + args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", 
"gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:ddb43420d5e51065aeb730dc06ce555822590ebfd5b820835f875e3159d99901", "-el-port", "8080", "-period-seconds", "10", "-failure-threshold", "1"] env: - name: SYSTEM_NAMESPACE @@ -617,22 +718,44 @@ spec: value: tekton.dev/triggers --- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 kind: Service metadata: - labels: - app: tekton-triggers-webhook - version: "v0.4.0" - triggers.tekton.dev/release: "v0.4.0" name: tekton-triggers-webhook namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers + app: tekton-triggers-webhook + version: "v0.5.0" + triggers.tekton.dev/release: "v0.5.0" spec: ports: - name: https-webhook port: 443 targetPort: 8443 selector: - app: tekton-triggers-webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers --- # Copyright 2019 The Tekton Authors 
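Review bot: Replacing `matchLabels: app: tekton-triggers-controller` with the four `app.kubernetes.io/*` labels changes the Deployment's `spec.selector`, which is immutable in `apps/v1`, so applying this manifest over an existing v0.4.0 install is likely to be rejected instead of upgrading. The `apiVersion` line is outside this hunk, so confirm which API version the Deployment uses. The webhook Deployment hunk further down makes the same selector change. Either the install notes should say that both Deployments must be deleted before the upgrade, or the old `app:` selector should be kept for one more release.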
@@ -655,34 +778,42 @@ metadata: name: tekton-triggers-webhook namespace: tekton-pipelines labels: - app.kubernetes.io/name: tekton-triggers - app.kubernetes.io/component: webhook-controller + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml - triggers.tekton.dev/release: "v0.4.0" + triggers.tekton.dev/release: "v0.5.0" spec: replicas: 1 selector: matchLabels: - app: tekton-triggers-webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-triggers template: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: v0.5.0 + app.kubernetes.io/part-of: tekton-triggers app: tekton-triggers-webhook - triggers.tekton.dev/release: "v0.4.0" + triggers.tekton.dev/release: "v0.5.0" # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml - version: "v0.4.0" - role: webhook - app.kubernetes.io/name: tekton-triggers - app.kubernetes.io/component: webhook-controller + version: "v0.5.0" spec: serviceAccountName: tekton-triggers-controller containers: - name: webhook # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:d7f1526a9294e671c500f0071b61e050262fb27fb633b54d764a556969855764 + image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:c6986c68804ce3832bd1894249a39d37a0a46b3458a1cb29697a17b37df674ef env: - name: SYSTEM_NAMESPACE valueFrom: 
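Review bot: The triggers webhook pod still runs as `serviceAccountName: tekton-triggers-controller` (unchanged context line in the pod spec), although the pipeline webhook in this same commit was moved to its own `tekton-pipelines-webhook` account. Earlier hunks in this file show that account as the subject of `tekton-triggers-controller-admin`, presumably bound to the `tekton-triggers-admin` ClusterRole whose first rule covers `configmaps`, `secrets` and `services`, so the admission webhook holds whatever the controller holds. A dedicated ServiceAccount limited to the `triggers-webhook-certs` Secret, the logging ConfigMap and the webhook configurations would match the split done for pipelines; that needs a new ServiceAccount, Role and binding outside this hunk.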
@@ -692,6 +823,8 @@ spec: value: config-logging-triggers - name: WEBHOOK_SERVICE_NAME value: tekton-triggers-webhook + - name: WEBHOOK_SECRET_NAME + value: triggers-webhook-certs - name: METRICS_DOMAIN value: tekton.dev/triggers ports: diff --git a/tekton/1-Install/3-webhooks.yaml b/tekton/1-Install/3-webhooks.yaml index 76358d6..7b2f40a 100644 --- a/tekton/1-Install/3-webhooks.yaml +++ b/tekton/1-Install/3-webhooks.yaml @@ -261,7 +261,7 @@ apiVersion: v1 kind: Service metadata: annotations: - tekton-dashboard-bundle-location: web/extension.c591f714.js + tekton-dashboard-bundle-location: web/extension.33e1ae7b.js tekton-dashboard-display-name: Webhooks tekton-dashboard-endpoints: webhooks.web labels: @@ -298,7 +298,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/interceptor@sha256:657d40a9116ef0b6f886f94fa7980755e3267dd34017f2fd9b713b63ddfc0d55 + image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/interceptor@sha256:f029e6b5bbeae6efaff1ebd4db6d8bce17cfed3ed93ed8999428c6fb1e09a946 name: validate serviceAccountName: tekton-webhooks-extension --- @@ -339,7 +339,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/extension@sha256:e7bcffbd2db6b874dbb4b4e71fc0c089acf7ccb803df896d9592063b649ac292 + image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/extension@sha256:b76dedeb9dae1a88fe359fab3ac6cac058d7bf9d41906b9b22a20f67e671dd7c imagePullPolicy: Always livenessProbe: httpGet: 
@@ -354,303 +354,3 @@ spec: port: 8080 serviceAccountName: tekton-webhooks-extension --- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: monitor-task - namespace: tekton-pipelines -spec: - params: - - description: The statuses url - name: statusesurl - type: string - - default: Success - description: The text to use in the situation where a PipelineRun has succeeded. - name: commentsuccess - type: string - - default: Failed - description: The text to use in the situation where a PipelineRun has failed. - name: commentfailure - type: string - - default: Unknown - description: The text to use in the situation where a PipelineRun has timed out. - name: commenttimeout - type: string - - default: Missing - description: The text to use in the situation where a PipelineRun cannot be found. - name: commentmissing - type: string - - default: http://localhost:9097/ - description: The URL to the PipelineRuns page of the dashboard - name: dashboard-url - type: string - - default: github - description: The Git provider ("github" or "gitlab") - name: provider - type: string - - description: The Git API URL for the repository - name: apiurl - type: string - - default: "false" - description: Whether or not to verify SSL Certificates from the git server ("true" - or "false") - name: insecure-skip-tls-verify - type: string - - description: The secret containing the access token to access the git server - name: secret - type: string - resources: - inputs: - - name: pull-request - type: pullRequest - outputs: - - name: pull-request - type: pullRequest - steps: - - args: - - -ce - - "set -e\ncat < 0:\n for missingRun - in missingRuns:\n pr = missingRun[\"metadata\"][\"name\"]\n namespace - = missingRun[\"metadata\"][\"namespace\"]\n pipeline = missingRun[\"spec\"][\"pipelineRef\"][\"name\"]\n - \ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"\n - \ data = \"[**$COMMENT_MISSING**](\" + link + \") | \" + pipeline + \" - | \" + pr + \" | 
\" + namespace\n if data not in runsMissing:\n # - Don't add duplicates. Fear not, once this run is found it'll be removed\n runsMissing.append(data)\n - \ if len(found_runs) > 0:\n for entry in found_runs:\n pr = entry[\"metadata\"][\"name\"]\n - \ namespace = entry[\"metadata\"][\"namespace\"]\n pipeline = entry[\"spec\"][\"pipelineRef\"][\"name\"]\n - \ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\" - + pr\n missingLink = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace - + \"/pipelineruns/\"\n missingDataEntry = \"[**$COMMENT_MISSING**](\" - + missingLink + \") | \" + pipeline + \" | \" + pr + \" | \" + namespace\n if - missingDataEntry in runsMissing:\n runsMissing.remove(missingDataEntry)\n - \ print(\"Checking PipelineRun \" + pr + \" in namespace \" + namespace)\n - \ if entry[\"status\"][\"conditions\"][0][\"status\"] == u'True' and entry[\"status\"][\"conditions\"][0][\"type\"] - == u'Succeeded':\n print(\"Success - pipelinerun \" + pr + \" in namespace - \" + namespace)\n runsPassed.append(\"[**$COMMENT_SUCCESS**](\" + link - + \") | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n continue\n - \ if entry[\"status\"][\"conditions\"][0][\"status\"] == u'False' and - entry[\"status\"][\"conditions\"][0][\"type\"] == u'Succeeded':\n failed - =+ 1\n print(\"Failed - PipelineRun \" + pr + \" in namespace \" + - namespace)\n runsFailed.append(\"[**$COMMENT_FAILURE**](\" + link + - \") | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n continue\n - \ link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\" - + pr\n runsIncomplete.append(\"[**$COMMENT_TIMEOUT**](\" + link + \") - | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n if len(runsIncomplete) - == 0:\n break\n else:\n break\ngitPRdescription = \"All pipelines - succeeded!\"\ngitPRcode = \"success\"\nif failed > 0:\n gitPRdescription = - str(failed) + \" pipeline(s) failed!\"\n gitPRcode = \"failure\"\nif len(runsMissing) - 
> 0:\n gitPRdescription = \"Pipeline(s) missing!\"\n gitPRcode = \"failure\"\nif - len(runsIncomplete) > 0:\n print(\"Some PipelineRuns had not completed when - the monitor reached its timeout\")\n gitPRdescription = \"timed out monitoring - PipelineRuns\"\n gitPRcode = \"error\"\n\nresults = runsPassed + runsFailed - + runsIncomplete + runsMissing\n\nif (results == []):\n gitPRdescription = - \"No PipelineRuns were ever found for my PullRequest!\"\n gitPRcode = \"error\"\n - \ data = \"**$COMMENT_MISSING** | N/A | No PipelineRuns were ever detected, - failing the build | N/A\"\n runsMissing.append(data) \n \n results - = runsMissing\n\ncomment = (\"## Tekton Status Report \\n\\n\"\n \"Status - | Pipeline | PipelineRun | Namespace\\n\"\n \":----- | :------- | - :--------------- | :--------\\n\"\n ) + \"\\n\".join(results)\n\nshutil.copyfile(\"/workspace/pull-request/pr.json\",\"/workspace/output/pull-request/pr.json\")\n# - Preserve existing comments\nshutil.copytree(\"/workspace/pull-request/comments\",\"/workspace/output/pull-request/comments\")\nhandle - = open(\"/workspace/output/pull-request/comments/newcomment.json\", 'w')\nhandle.write(comment)\nhandle.close()\nif - not \"$URL\".startswith(\"http\"):\n detailsURL = \"http://\" + \"$URL\" + - \"/#/pipelineruns\"\nelse:\n detailsURL = \"$URL\" + \"/#/pipelineruns\"\nprint(\"Set - details url to \" + detailsURL)\nstatus = json.dumps(dict(Label=gitPRcontext,state=gitPRcode,Desc=gitPRdescription,Target=detailsURL))\nprint(\"Setting - status to \" + status)\nif not os.path.exists(\"/workspace/output/pull-request/status\"):\n - \ os.makedirs(\"/workspace/output/pull-request/status\")\nhandle = open(\"/workspace/output/pull-request/status/Tekton.json\", - 'w')\nhandle.write(status)\nhandle.close()\nif not os.path.exists(\"/workspace/output/pull-request/labels\"):\n - \ 
shutil.copytree(\"/workspace/pull-request/labels\",\"/workspace/output/pull-request/labels\")\nshutil.copyfile(\"/workspace/pull-request/base.json\",\"/workspace/output/pull-request/base.json\") - \nshutil.copyfile(\"/workspace/pull-request/head.json\",\"/workspace/output/pull-request/head.json\")\nEOF\n" - command: - - /bin/bash - env: - - name: EVENTID - valueFrom: - fieldRef: - fieldPath: metadata.labels['triggers.tekton.dev/triggers-eventid'] - - name: COMMENT_SUCCESS - value: $(inputs.params.commentsuccess) - - name: COMMENT_FAILURE - value: $(inputs.params.commentfailure) - - name: COMMENT_TIMEOUT - value: $(inputs.params.commenttimeout) - - name: COMMENT_MISSING - value: $(inputs.params.commentmissing) - - name: URL - value: $(inputs.params.dashboard-url) - - name: STATUSES_URL - value: $(inputs.params.statusesurl) - - name: GITPROVIDER - value: $(inputs.params.provider) - - name: GITAPIURL - value: $(inputs.params.apiurl) - - name: SKIPSSLVERIFY - value: $(inputs.params.insecure-skip-tls-verify) - - name: GITTOKEN - valueFrom: - secretKeyRef: - key: accessToken - name: $(inputs.params.secret) - image: maiwj/kubernetes-python-client@sha256:74a868a0dff5c8ada64472db3efd09d205d4f877d14d2d3226511adbb25cfea3 - name: check ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: TriggerBinding -metadata: - name: monitor-task-github-binding - namespace: tekton-pipelines -spec: - params: - - name: pullrequesturl - value: $(body.pull_request.html_url) - - name: statusesurl - value: $(body.pull_request.statuses_url) ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: TriggerBinding -metadata: - name: monitor-task-gitlab-binding - namespace: tekton-pipelines -spec: - params: - - name: pullrequesturl - value: $(body.object_attributes.url) - - name: statusesurl - value: projects/$(body.project.id)/statuses/$(body.object_attributes.last_commit.id) ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: TriggerTemplate -metadata: - name: monitor-task-template - namespace: 
tekton-pipelines -spec: - params: - - description: The pull request url - name: pullrequesturl - type: string - - description: The statuses url - name: statusesurl - type: string - - default: github-secrets - description: The git secret name - name: gitsecretname - type: string - - default: token - description: The git secret key name - name: gitsecretkeyname - type: string - - default: Success - description: The text of the success comment - name: commentsuccess - type: string - - default: Failed - description: The text of the failure comment - name: commentfailure - type: string - - default: Unknown - description: The text of the timeout comment - name: commenttimeout - type: string - - default: Missing - description: The text of the missing comment - name: commentmissing - type: string - - default: http://localhost:9097/ - description: The URL to the pipelineruns page of the dashboard - name: dashboardurl - type: string - - default: github - description: The git provider, "github" or "gitlab" - name: provider - type: string - - default: "" - description: The git api URL for the repository - name: apiurl - type: string - - default: "false" - description: Whether or not to skip SSL validation of certificates ("true" or - "false") - name: insecure-skip-tls-verify - type: string - resourcetemplates: - - apiVersion: tekton.dev/v1alpha1 - kind: PipelineResource - metadata: - name: pull-request-$(uid) - namespace: tekton-pipelines - spec: - params: - - name: url - value: $(params.pullrequesturl) - - name: insecure-skip-tls-verify - value: $(params.insecure-skip-tls-verify) - secrets: - - fieldName: authToken - secretKey: $(params.gitsecretkeyname) - secretName: $(params.gitsecretname) - type: pullRequest - - apiVersion: tekton.dev/v1beta1 - kind: TaskRun - metadata: - generateName: monitor-taskrun- - namespace: tekton-pipelines - spec: - params: - - name: commentsuccess - value: $(params.commentsuccess) - - name: commentfailure - value: $(params.commentfailure) - - 
name: commenttimeout - value: $(params.commenttimeout) - - name: dashboard-url - value: $(params.dashboardurl) - - name: secret - value: $(params.gitsecretname) - - name: statusesurl - value: $(params.statusesurl) - - name: provider - value: $(params.provider) - - name: apiurl - value: $(params.apiurl) - - name: insecure-skip-tls-verify - value: $(params.insecure-skip-tls-verify) - resources: - inputs: - - name: pull-request - resourceRef: - name: pull-request-$(uid) - outputs: - - name: pull-request - resourceRef: - name: pull-request-$(uid) - serviceAccountName: tekton-webhooks-extension - taskRef: - name: monitor-task - ---- diff --git a/tekton/1-Install/4-dashboard.yaml b/tekton/1-Install/4-dashboard.yaml index 4a5e5a0..7053115 100644 --- a/tekton/1-Install/4-dashboard.yaml +++ b/tekton/1-Install/4-dashboard.yaml @@ -49,7 +49,6 @@ rules: - apiGroups: - "" resources: - - secrets - configmaps verbs: - create @@ -125,6 +124,17 @@ rules: - delete - patch - add +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete - apiGroups: - apiextensions.k8s.io resources: @@ -184,7 +194,6 @@ rules: - apiGroups: - "" resources: - - secrets - configmaps verbs: - get @@ -272,8 +281,8 @@ kind: Service metadata: labels: app: tekton-dashboard - dashboard.tekton.dev/release: v0.6.1 - version: v0.6.1 + dashboard.tekton.dev/release: v0.6.1.5 + version: v0.6.1.5 name: tekton-dashboard namespace: tekton-pipelines spec: @@ -290,8 +299,8 @@ kind: Deployment metadata: labels: app: tekton-dashboard - dashboard.tekton.dev/release: v0.6.1 - version: v0.6.1 + dashboard.tekton.dev/release: v0.6.1.5 + version: v0.6.1.5 name: tekton-dashboard namespace: tekton-pipelines spec: 
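Review bot: The rule added in the `-125,6 +124,17` hunk of `4-dashboard.yaml` gives the dashboard role `get`, `list`, `watch`, `create`, `update` and `delete` on `secrets` in the core API group with no `resourceNames` restriction. The role's kind and its binding are outside the hunk; if it is a ClusterRole bound cluster-wide, the dashboard's ServiceAccount can read and overwrite every Secret in the cluster, and requests made through the dashboard UI would presumably run with that account. Consider granting this rule through a RoleBinding only in the namespaces the dashboard manages, and add a comment such as `# Secret access backs credential management in the UI; bind per namespace, not cluster-wide.`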
@@ -313,13 +322,17 @@ spec: value: "false" - name: WEB_RESOURCES_DIR value: /var/run/ko/web - - name: PIPELINE_RUN_SERVICE_ACCOUNT - value: "" + - name: CSRF_SECURE_COOKIE + value: "false" + - name: TRIGGERS_NAMESPACE + value: tekton-pipelines + - name: PIPELINE_NAMESPACE + value: tekton-pipelines - name: INSTALLED_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:de969ff4ced12c94701bd039137edf5fc66bbc5ccd19f09324c1d7fcfc47e5f1 + image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:ca22f87e8bec86cf91833aa3996cf9d316313628870eb74c1ea9a73bea77c83d livenessProbe: httpGet: path: /health 
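Review bot: `CSRF_SECURE_COOKIE` is set to `"false"` in the dashboard container's `env`, which, going by the name, lets the CSRF cookie be issued without the Secure attribute so it is also sent over plain HTTP. That suits access through a port-forward or an HTTP-only Service, but it should not stay off once the dashboard is exposed behind TLS. I would add a comment next to it, e.g. `# Set to "true" when the dashboard is served over HTTPS (Ingress/Route with TLS).`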
@@ -332,78 +345,5 @@ spec: path: /readiness port: 9097 serviceAccountName: tekton-dashboard ---- -apiVersion: tekton.dev/v1beta1 -kind: Pipeline -metadata: - name: pipeline0 - namespace: tekton-pipelines -spec: - params: - - default: /workspace/git-source - description: The path to the resource files to apply - name: pathToResourceFiles - type: string - - default: . - description: The directory from which resources are to be applied - name: apply-directory - type: string - - default: tekton-pipelines - description: The namespace in which to create the resources being imported - name: target-namespace - type: string - resources: - - name: git-source - type: git - tasks: - - name: pipeline0-task - params: - - name: pathToResourceFiles - value: $(params.pathToResourceFiles) - - name: apply-directory - value: $(params.apply-directory) - - name: target-namespace - value: $(params.target-namespace) - resources: - inputs: - - name: git-source - resource: git-source - taskRef: - name: pipeline0-task ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: pipeline0-task - namespace: tekton-pipelines -spec: - params: - - default: /workspace/git-source - description: The path to the resource files to apply - name: pathToResourceFiles - type: string - - default: . - description: The directory from which resources are to be applied - name: apply-directory - type: string - - default: tekton-pipelines - description: The namespace where created resources will go - name: target-namespace - type: string - resources: - inputs: - - name: git-source - type: git - steps: - - args: - - apply - - -f - - $(inputs.params.pathToResourceFiles)/$(inputs.params.apply-directory) - - -n - - $(inputs.params.target-namespace) - command: - - kubectl - image: lachlanevenson/k8s-kubectl@sha256:9713d6c1c6d83bdd4b3744d295fd0efce8f6cc149eb3083e86ae0911aa52ee73 - name: kubectl-apply ---