6 changed files with 500 additions and 631 deletions
--- a/tekton/1-Install/1-pipeline.yaml
+++ b/tekton/1-Install/1-pipeline.yaml
@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: Namespace
 metadata:
@ -31,7 +30,6 @@ metadata:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@ -62,34 +60,24 @@ spec:
      max: 65535
 ---
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: tekton-pipelines-controller-cluster-access
+  name: tekton-pipelines-admin
 rules:
 - apiGroups: [""]
-  # Namespace access is required because the controller timeout handling logic
+  resources: ["pods", "pods/log", "namespaces", "secrets", "events", "serviceaccounts",
-  # iterates over all namespaces and times out any PipelineRuns that have expired.
+    "configmaps", "persistentvolumeclaims", "limitranges"]
-  # Pod access is required because the taskrun controller wants to be updated when
+  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  # a Pod underlying a TaskRun changes state.
+- apiGroups: ["apps"]
-  resources: ["namespaces", "pods"]
+  resources: ["deployments"]
-  verbs: ["list", "watch"]
+  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  # Controller needs cluster access to all of the CRDs that it is responsible for
+- apiGroups: ["apps"]
-  # managing.
+  resources: ["deployments/finalizers"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["tekton.dev"]
  resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources",
    "conditions"]
@ -105,118 +93,6 @@ rules:
  resources: ["podsecuritypolicies"]
  resourceNames: ["tekton-pipelines"]
  verbs: ["use"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  # This is the access that the controller needs on a per-namespace basis.
  name: tekton-pipelines-controller-tenant-access
 rules:
 - apiGroups: [""]
  resources: ["pods", "pods/log", "secrets", "events", "serviceaccounts", "configmaps",
    "persistentvolumeclaims", "limitranges"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Unclear if this access is actually required.  Simply a hold-over from the previous
  # incarnation of the controller's ClusterRole.
 - apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["apps"]
  resources: ["deployments/finalizers"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: tekton-pipelines-webhook-cluster-access
 rules:
 - # The webhook needs to be able to list and update customresourcedefinitions,
  # mainly to update the webhook certificates.
  apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
  verbs: ["get", "list", "update", "patch", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
  # The webhook performs a reconciliation on these two resources and continuously
  # updates configuration.
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  # knative starts informers on these things, which is why we need get, list and watch.
  verbs: ["list", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  # This mutating webhook is responsible for applying defaults to tekton objects
  # as they are received.
  resourceNames: ["webhook.pipeline.tekton.dev"]
  # When there are changes to the configs or secrets, knative updates the mutatingwebhook config
  # with the updated certificates or the refreshed set of rules.
  verbs: ["get", "update"]
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns.
  # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure
  resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"]
  # When there are changes to the configs or secrets, knative updates the validatingwebhook config
  # with the updated certificates or the refreshed set of rules.
  verbs: ["get", "update"]
 - apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["tekton-pipelines"]
  verbs: ["use"]
 ---
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "watch"]
 - # The controller needs access to these configmaps for logging information and runtime configuration.
  apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["config-logging", "config-observability", "config-artifact-bucket",
    "config-artifact-pvc", "feature-flags", "config-leader-election"]
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 rules:
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["list", "watch"]
 - # The webhook needs access to these configmaps for logging information.
  apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["config-logging", "config-observability"]
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list", "watch"]
 - # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever
  # the secret changes it updates the webhook configurations with the certificates
  # stored in the secret.
  apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "update"]
  resourceNames: ["webhook-certs"]
 ---
 # Copyright 2019 The Tekton Authors
@ -237,12 +113,6 @@ kind: ServiceAccount
 metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 ---
 # Copyright 2019 The Tekton Authors
@ -258,91 +128,17 @@ metadata:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: tekton-pipelines-controller-cluster-access
+  name: tekton-pipelines-controller-admin
 subjects:
 - kind: ServiceAccount
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 roleRef:
  kind: ClusterRole
-  name: tekton-pipelines-controller-cluster-access
+  name: tekton-pipelines-admin
  apiGroup: rbac.authorization.k8s.io
 ---
 # If this ClusterRoleBinding is replaced with a RoleBinding
 # then the ClusterRole would be namespaced. The access described by
 # the tekton-pipelines-controller-tenant-access ClusterRole would
 # be scoped to individual tenant namespaces.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: tekton-pipelines-controller-tenant-access
 subjects:
 - kind: ServiceAccount
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 roleRef:
  kind: ClusterRole
  name: tekton-pipelines-controller-tenant-access
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: tekton-pipelines-webhook-cluster-access
 subjects:
 - kind: ServiceAccount
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 roleRef:
  kind: ClusterRole
  name: tekton-pipelines-webhook-cluster-access
  apiGroup: rbac.authorization.k8s.io
 ---
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 subjects:
 - kind: ServiceAccount
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 roleRef:
  kind: Role
  name: tekton-pipelines-controller
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 subjects:
 - kind: ServiceAccount
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 roleRef:
  kind: Role
  name: tekton-pipelines-webhook
  apiGroup: rbac.authorization.k8s.io
 ---
@ -359,28 +155,12 @@ roleRef:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: clustertasks.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      x-kubernetes-preserve-unknown-fields: true
  versions:
  - name: v1alpha1
    served: true
@ -399,12 +179,7 @@ spec:
  # starts to increment
  subresources:
    status: {}
-  conversion:
+  version: v1alpha1
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
 ---
 # Copyright 2019 The Tekton Authors
@ -420,14 +195,10 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: conditions.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  names:
@ -457,7 +228,6 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@ -494,28 +264,12 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: pipelines.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      x-kubernetes-preserve-unknown-fields: true
  versions:
  - name: v1alpha1
    served: true
@ -534,12 +288,7 @@ spec:
  # starts to increment
  subresources:
    status: {}
-  conversion:
+  version: v1alpha1
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
 ---
 # Copyright 2019 The Tekton Authors
@ -555,28 +304,12 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: pipelineruns.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      x-kubernetes-preserve-unknown-fields: true
  versions:
  - name: v1alpha1
    served: true
@ -611,12 +344,7 @@ spec:
  # starts to increment
  subresources:
    status: {}
-  conversion:
+  version: v1alpha1
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
 ---
 # Copyright 2019 The Tekton Authors
@ -632,14 +360,10 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: pipelineresources.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  names:
@ -669,28 +393,12 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: tasks.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      x-kubernetes-preserve-unknown-fields: true
  versions:
  - name: v1alpha1
    served: true
@ -709,12 +417,7 @@ spec:
  # starts to increment
  subresources:
    status: {}
-  conversion:
+  version: v1alpha1
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
 ---
 # Copyright 2019 The Tekton Authors
@ -730,28 +433,12 @@ spec:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: taskruns.tekton.dev
  labels:
    pipeline.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      x-kubernetes-preserve-unknown-fields: true
  versions:
  - name: v1alpha1
    served: true
@ -786,12 +473,7 @@ spec:
  # starts to increment
  subresources:
    status: {}
-  conversion:
+  version: v1alpha1
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
 ---
 # Copyright 2020 The Tekton Authors
@ -816,6 +498,20 @@ metadata:
  labels:
    pipeline.tekton.dev/release: devel
 # The data is populated at install time.
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
@ -833,6 +529,20 @@ webhooks:
  failurePolicy: Fail
  sideEffects: None
  name: validation.webhook.pipeline.tekton.dev
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@ -850,6 +560,20 @@ webhooks:
  failurePolicy: Fail
  sideEffects: None
  name: webhook.pipeline.tekton.dev
 # Copyright 2020 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
@ -873,20 +597,6 @@ webhooks:
      operator: Exists
 ---
 # Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -915,20 +625,6 @@ rules:
  - watch
 ---
 # Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -1104,33 +800,6 @@ data:
  # info.
  disable-working-directory-overwrite: "false"
 ---
 # Copyright 2020 Tekton Authors LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: config-leader-election
  namespace: tekton-pipelines
 data:
  # An inactive but valid configuration follows; see example.
  resourceLock: "leases"
  leaseDuration: "15s"
  renewDeadline: "10s"
  retryPeriod: "2s"
 ---
 # Copyright 2019 Tekton Authors LLC
 #
@ -1251,7 +920,6 @@ data:
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -1260,8 +928,8 @@ metadata:
  labels:
    app.kubernetes.io/name: tekton-pipelines
    app.kubernetes.io/component: controller
-    pipeline.tekton.dev/release: "v0.12.1"
+    pipeline.tekton.dev/release: "v0.11.2"
-    version: "v0.12.1"
+    version: "v0.11.2"
 spec:
  replicas: 1
  selector:
@ -1276,27 +944,21 @@ spec:
        app.kubernetes.io/name: tekton-pipelines
        app.kubernetes.io/component: controller
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
-        pipeline.tekton.dev/release: "v0.12.1"
+        pipeline.tekton.dev/release: "v0.11.2"
-        version: "v0.12.1"
+        version: "v0.11.2"
    spec:
      serviceAccountName: tekton-pipelines-controller
      containers:
      - name: tekton-pipelines-controller
-        image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.12.1@sha256:0ca86ec6f246f49c1ac643357fd1c8e73a474aaa216548807b1216a9ff12f7be
+        image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.11.2@sha256:0791513ec1176da38c403eb81220406e987f78f3e58608bd57be1adc45bc9aac
-        args: [
+        args: ["-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.11.2@sha256:d01fa1db8abcad318d05e62e35153a91c6c995949e52133520d9e4735e9a486c",
-          # These images are built on-demand by `ko resolve` and are replaced
+          "-creds-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.11.2@sha256:ced427e48b143bc821aedd4a0936fa2caef3f208d70efe68ccba786c12b2c943",
-          # by image references by digest.
+          "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.11.2@sha256:bee98bfe6807e8f4e0a31b4e786fd1f7f459e653ed1a22b1a25999f33fa9134a",
-          "-kubeconfig-writer-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.12.1@sha256:67dcd447b0c624befa12843ce9cc0bcfc502179bdb28d59563d761a7f3968509",
+          "-nop-image", "tianon/true", "-shell-image", "busybox", "-gsutil-image",
-          "-creds-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.12.1@sha256:6266d023172dde7fa421f626074b4e7eedc7d7d5ff561c033d6d63ebfff4a2f2",
+          "google/cloud-sdk", "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.11.2@sha256:bc5beb48ca4f87013ccb466bf739d6c99ef9f1ddf51899c73ead99f242b4e57d",
-          "-git-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.12.1@sha256:d82c78288699dd6ee40c852b146cb3bd89b322b42fb3bc4feec28ea54bb7b36c",
+          "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.11.2@sha256:7a03343deaeaa6b2d779df37417f9bf76cb5f67b36dd298e5bb69a0f625a2b38",
-          "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.12.1@sha256:7f3db925f7660673a74b0e1030e65540adea36fe361ab7f06f5b5c47cdcef47d",
+          "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.11.2@sha256:3a395509e0d75786eafe96f68d22afc7c4d23a2a76ffc77218b25e8c6c81f6ba",
-          "-imagedigest-exporter-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.12.1@sha256:e8f08214baad9054bbed7be2b8617c6964b9a1c5405cf59eabcc3d3267a6253f",
+          "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.11.2@sha256:a020c8510b15870a5b059708197ac7c4ef0d1cbd668eb0872105ad658d509f67"]
          "-pr-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.12.1@sha256:71e0226346e0d3d57af7c35b6cb907d42d3142e845b0f865ba0c86d3e248f3cb",
          "-build-gcs-fetcher-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.12.1@sha256:ae5721bf0d883947c3c13f519ca26129792f4058d5f9dfedd50174d9e7acb2bc",
          # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
          "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
          "-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6",
          "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e"]
        volumeMounts:
        - name: config-logging
          mountPath: /etc/config-logging
@ -1305,21 +967,10 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        - # If you are changing these names, you will also need to update
+        - name: CONFIG_LOGGING_NAME
          # the controller's Role in 200-role.yaml to include the new
          # values in the "configmaps" "get" rule.
          name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: CONFIG_ARTIFACT_BUCKET_NAME
          value: config-artifact-bucket
        - name: CONFIG_ARTIFACT_PVC_NAME
          value: config-artifact-pvc
        - name: CONFIG_FEATURE_FLAGS_NAME
          value: feature-flags
        - name: CONFIG_LEADERELECTION_NAME
          value: config-leader-election
        - name: METRICS_DOMAIN
          value: tekton.dev/pipeline
      volumes:
@ -1332,8 +983,8 @@ kind: Service
 metadata:
  labels:
    app: tekton-pipelines-controller
-    pipeline.tekton.dev/release: "v0.12.1"
+    pipeline.tekton.dev/release: "v0.11.2"
-    version: "v0.12.1"
+    version: "v0.11.2"
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
 spec:
@ -1371,8 +1022,8 @@ metadata:
  labels:
    app.kubernetes.io/name: tekton-pipelines
    app.kubernetes.io/component: webhook-controller
-    pipeline.tekton.dev/release: "v0.12.1"
+    pipeline.tekton.dev/release: "v0.11.2"
-    version: "v0.12.1"
+    version: "v0.11.2"
 spec:
  replicas: 1
  selector:
@ -1388,33 +1039,26 @@ spec:
        role: webhook
        app.kubernetes.io/name: tekton-pipelines
        app.kubernetes.io/component: webhook-controller
-        pipeline.tekton.dev/release: "v0.12.1"
+        pipeline.tekton.dev/release: "v0.11.2"
-        version: "v0.12.1"
+        version: "v0.11.2"
    spec:
-      serviceAccountName: tekton-pipelines-webhook
+      serviceAccountName: tekton-pipelines-controller
      containers:
      - name: webhook
        # This is the Go import path for the binary that is containerized
        # and substituted here.
-        image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.12.1@sha256:69f065d493244dbd50563b96f5474bf6590821a6308fd8c69c5ef06cf4d988b2
+        image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.11.2@sha256:9826548f3bd8cc0c4187ca0ab5ab8114009874625828a23301c1f60be4f294fa
        env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        - # If you are changing these names, you will also need to update
+        - name: CONFIG_LOGGING_NAME
          # the webhook's Role in 200-role.yaml to include the new
          # values in the "configmaps" "get" rule.
          name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: CONFIG_LEADERELECTION_NAME
          value: config-leader-election
        - name: WEBHOOK_SERVICE_NAME
          value: tekton-pipelines-webhook
        - name: WEBHOOK_SECRET_NAME
          value: webhook-certs
        - name: METRICS_DOMAIN
          value: tekton.dev/pipeline
        securityContext:
@ -1433,8 +1077,8 @@ metadata:
  labels:
    app: tekton-pipelines-webhook
    role: webhook
-    pipeline.tekton.dev/release: v0.12.1
+    pipeline.tekton.dev/release: v0.11.2
-    version: "v0.12.1"
+    version: "v0.11.2"
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
 spec:
--- a/tekton/1-Install/2-triggers.yaml
+++ b/tekton/1-Install/2-triggers.yaml
@ -16,9 +16,6 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: tekton-triggers
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 spec:
  privileged: false
  allowPrivilegeEscalation: false
@ -63,9 +60,6 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: tekton-triggers-admin
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 rules:
 - apiGroups: [""]
  resources: ["configmaps", "secrets", "services"]
@ -109,9 +103,6 @@ kind: ServiceAccount
 metadata:
  name: tekton-triggers-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 ---
 # Copyright 2019 The Tekton Authors
@ -132,9 +123,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: tekton-triggers-controller-admin
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 subjects:
 - kind: ServiceAccount
  name: tekton-triggers-controller
@ -163,11 +151,6 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: clustertriggerbindings.triggers.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: triggers.tekton.dev
  scope: Cluster
@ -207,11 +190,6 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: eventlisteners.triggers.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: triggers.tekton.dev
  scope: Namespaced
@ -253,11 +231,6 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: triggerbindings.triggers.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: triggers.tekton.dev
  scope: Namespaced
@ -299,11 +272,6 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: triggertemplates.triggers.tekton.dev
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: "devel"
    version: "devel"
 spec:
  group: triggers.tekton.dev
  scope: Namespaced
@ -347,9 +315,6 @@ metadata:
  name: triggers-webhook-certs
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: devel
 # The data is populated at install time.
 ---
@ -358,9 +323,6 @@ kind: ValidatingWebhookConfiguration
 metadata:
  name: validation.webhook.triggers.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: devel
 webhooks:
 - admissionReviewVersions:
@ -378,9 +340,6 @@ kind: MutatingWebhookConfiguration
 metadata:
  name: webhook.triggers.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: devel
 webhooks:
 - admissionReviewVersions:
@ -398,9 +357,6 @@ kind: ValidatingWebhookConfiguration
 metadata:
  name: config.webhook.triggers.tekton.dev
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: devel
 webhooks:
 - admissionReviewVersions:
@ -418,32 +374,16 @@ webhooks:
      operator: Exists
 ---
 # Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: tekton-triggers-aggregate-edit
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
 - apiGroups:
-  - triggers.tekton.dev
+  - tekton.dev
  resources:
  - clustertriggerbindings
  - eventlisteners
@ -460,31 +400,15 @@ rules:
  - watch
 ---
 # Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: tekton-triggers-aggregate-view
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
 - apiGroups:
-  - triggers.tekton.dev
+  - tekton.dev
  resources:
  - clustertriggerbindings
  - eventlisteners
@ -515,9 +439,6 @@ kind: ConfigMap
 metadata:
  name: config-logging-triggers
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 data:
  # Common configuration for all knative codebase
  zap-logger-config: |
@ -570,9 +491,6 @@ kind: ConfigMap
 metadata:
  name: config-observability-triggers
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 data:
  _example: |
    ################################
@ -626,14 +544,9 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: v0.5.0
    app.kubernetes.io/part-of: tekton-triggers
    triggers.tekton.dev/release: "v0.5.0"
    app: tekton-triggers-controller
-    version: "v0.5.0"
+    version: "v0.4.0"
    triggers.tekton.dev/release: "v0.4.0"
  name: tekton-triggers-controller
  namespace: tekton-pipelines
 spec:
@ -643,10 +556,7 @@ spec:
    protocol: TCP
    targetPort: 9090
  selector:
-    app.kubernetes.io/name: controller
+    app: tekton-triggers-controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 ---
 # Copyright 2019 The Tekton Authors
@ -669,41 +579,30 @@ metadata:
  name: tekton-triggers-controller
  namespace: tekton-pipelines
  labels:
-    app.kubernetes.io/name: controller
+    app.kubernetes.io/name: tekton-triggers
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: v0.5.0
    app.kubernetes.io/part-of: tekton-triggers
    # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
-    triggers.tekton.dev/release: "v0.5.0"
+    triggers.tekton.dev/release: "v0.4.0"
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app.kubernetes.io/name: controller
+      app: tekton-triggers-controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-triggers
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: v0.5.0
        app.kubernetes.io/part-of: tekton-triggers
        app: tekton-triggers-controller
-        triggers.tekton.dev/release: "v0.5.0"
+        triggers.tekton.dev/release: "v0.4.0"
        # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
-        version: "v0.5.0"
+        version: "v0.4.0"
    spec:
      serviceAccountName: tekton-triggers-controller
      containers:
      - name: tekton-triggers-controller
-        image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:5d71b1706da0e1a1673e3bdb1e230b28534698e1cb5b8604540083024fd7d58d
+        image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:bf3517ddccace756e39cee0f0012bbe879c6b28d962a1c904a415e7c60ce5bc2
-        args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:ddb43420d5e51065aeb730dc06ce555822590ebfd5b820835f875e3159d99901",
+        args: ["-logtostderr", "-stderrthreshold", "INFO", "-el-image", "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:76c208ec1d73d9733dcaf850240e1b3990e5977709a03c2bd98ad5b20fab9867",
          "-el-port", "8080", "-period-seconds", "10", "-failure-threshold", "1"]
        env:
        - name: SYSTEM_NAMESPACE
@ -718,44 +617,22 @@ spec:
          value: tekton.dev/triggers
 ---
 # Copyright 2019 The Tekton Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app: tekton-triggers-webhook
    version: "v0.4.0"
    triggers.tekton.dev/release: "v0.4.0"
  name: tekton-triggers-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: v0.5.0
    app.kubernetes.io/part-of: tekton-triggers
    app: tekton-triggers-webhook
    version: "v0.5.0"
    triggers.tekton.dev/release: "v0.5.0"
 spec:
  ports:
  - name: https-webhook
    port: 443
    targetPort: 8443
  selector:
-    app.kubernetes.io/name: webhook
+    app: tekton-triggers-webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-triggers
 ---
 # Copyright 2019 The Tekton Authors
@ -778,42 +655,34 @@ metadata:
  name: tekton-triggers-webhook
  namespace: tekton-pipelines
  labels:
-    app.kubernetes.io/name: webhook
+    app.kubernetes.io/name: tekton-triggers
-    app.kubernetes.io/component: webhook
+    app.kubernetes.io/component: webhook-controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: v0.5.0
    app.kubernetes.io/part-of: tekton-triggers
    # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
-    triggers.tekton.dev/release: "v0.5.0"
+    triggers.tekton.dev/release: "v0.4.0"
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app.kubernetes.io/name: webhook
+      app: tekton-triggers-webhook
      app.kubernetes.io/component: webhook
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-triggers
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app.kubernetes.io/name: webhook
        app.kubernetes.io/component: webhook
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: v0.5.0
        app.kubernetes.io/part-of: tekton-triggers
        app: tekton-triggers-webhook
-        triggers.tekton.dev/release: "v0.5.0"
+        triggers.tekton.dev/release: "v0.4.0"
        # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
-        version: "v0.5.0"
+        version: "v0.4.0"
        role: webhook
        app.kubernetes.io/name: tekton-triggers
        app.kubernetes.io/component: webhook-controller
    spec:
      serviceAccountName: tekton-triggers-controller
      containers:
      - name: webhook
        # This is the Go import path for the binary that is containerized
        # and substituted here.
-        image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:c6986c68804ce3832bd1894249a39d37a0a46b3458a1cb29697a17b37df674ef
+        image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:d7f1526a9294e671c500f0071b61e050262fb27fb633b54d764a556969855764
        env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
@ -823,8 +692,6 @@ spec:
          value: config-logging-triggers
        - name: WEBHOOK_SERVICE_NAME
          value: tekton-triggers-webhook
        - name: WEBHOOK_SECRET_NAME
          value: triggers-webhook-certs
        - name: METRICS_DOMAIN
          value: tekton.dev/triggers
        ports:
--- a/tekton/1-Install/3-webhooks.yaml
+++ b/tekton/1-Install/3-webhooks.yaml
@ -261,7 +261,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    tekton-dashboard-bundle-location: web/extension.33e1ae7b.js
+    tekton-dashboard-bundle-location: web/extension.c591f714.js
    tekton-dashboard-display-name: Webhooks
    tekton-dashboard-endpoints: webhooks.web
  labels:
@ -298,7 +298,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/interceptor@sha256:f029e6b5bbeae6efaff1ebd4db6d8bce17cfed3ed93ed8999428c6fb1e09a946
+        image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/interceptor@sha256:657d40a9116ef0b6f886f94fa7980755e3267dd34017f2fd9b713b63ddfc0d55
        name: validate
      serviceAccountName: tekton-webhooks-extension
 ---
@ -339,7 +339,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
-        image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/extension@sha256:b76dedeb9dae1a88fe359fab3ac6cac058d7bf9d41906b9b22a20f67e671dd7c
+        image: gcr.io/tekton-releases/github.com/tektoncd/experimental/webhooks-extension/cmd/extension@sha256:e7bcffbd2db6b874dbb4b4e71fc0c089acf7ccb803df896d9592063b649ac292
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@ -354,3 +354,303 @@ spec:
            port: 8080
      serviceAccountName: tekton-webhooks-extension
 ---
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
  name: monitor-task
  namespace: tekton-pipelines
 spec:
  params:
  - description: The statuses url
    name: statusesurl
    type: string
  - default: Success
    description: The text to use in the situation where a PipelineRun has succeeded.
    name: commentsuccess
    type: string
  - default: Failed
    description: The text to use in the situation where a PipelineRun has failed.
    name: commentfailure
    type: string
  - default: Unknown
    description: The text to use in the situation where a PipelineRun has timed out.
    name: commenttimeout
    type: string
  - default: Missing
    description: The text to use in the situation where a PipelineRun cannot be found.
    name: commentmissing
    type: string
  - default: http://localhost:9097/
    description: The URL to the PipelineRuns page of the dashboard
    name: dashboard-url
    type: string
  - default: github
    description: The Git provider ("github" or "gitlab")
    name: provider
    type: string
  - description: The Git API URL for the repository
    name: apiurl
    type: string
  - default: "false"
    description: Whether or not to verify SSL Certificates from the git server ("true"
      or "false")
    name: insecure-skip-tls-verify
    type: string
  - description: The secret containing the access token to access the git server
    name: secret
    type: string
  resources:
    inputs:
    - name: pull-request
      type: pullRequest
    outputs:
    - name: pull-request
      type: pullRequest
  steps:
  - args:
    - -ce
    - "set -e\ncat <<EOF | python\nimport time, os, json, requests, pprint, shutil,
      distutils.util\nfrom kubernetes import client, config\ndef diff(li1, li2): \n
      \ li_dif = [i for i in li1 + li2 if i not in li1 or i not in li2] \n  return
      li_dif\nconfig.load_incluster_config()\napi_instance = client.CustomObjectsApi(client.ApiClient(client.Configuration()))\ngitPRcontext
      = \"Tekton\"\ngitPRurl = \"\"  \nif not \"$URL\".startswith(\"http\"):\n  pipelineRunURLPrefix
      = \"http://\" + \"$URL\"\nelse:\n  pipelineRunURLPrefix = \"$URL\"    \nverifySSL
      = not bool(distutils.util.strtobool(\"$SKIPSSLVERIFY\"))\nif \"$GITPROVIDER\"
      == \"github\":\n  statusurl = \"$STATUSES_URL\"\n  pendingData = {\n    \"state\":
      \"pending\",\n    \"description\": \"pipelines in progress\",\n    \"target_url\":
      pipelineRunURLPrefix + \"/#/pipelineruns\",\n    \"context\": \"Tekton\"\n  }\n
      \ resp = requests.post(statusurl, json.dumps(pendingData), headers = {'Content-Type':
      'application/json', 'Authorization': \"Token $GITTOKEN\"}, verify=verifySSL)\n
      \ print(resp)\nif \"$GITPROVIDER\" == \"gitlab\":\n  statusurl = \"$GITAPIURL\"
      + \"/\" + \"$STATUSES_URL\" + \"?state=pending&name=Tekton&target_url=\" + pipelineRunURLPrefix
      + \"/#/pipelineruns\"\n  resp = requests.post(statusurl, headers = {'Authorization':
      \"Bearer $GITTOKEN\"}, verify=verifySSL)\n  print(resp)\nlabelToCheck = \"triggers.tekton.dev/triggers-eventid=$EVENTID\"\nrunsPassed
      = []\nrunsFailed = []\nrunsIncomplete = []\nrunsMissing = []\nfailed = 0\ni
      = range(180)\ninitial_runs = api_instance.list_cluster_custom_object(\"tekton.dev\",
      \"v1beta1\", \"pipelineruns\", label_selector=labelToCheck)[\"items\"]\nfor
      x in i:\n    time.sleep( 10 )\n    runsPassed = []\n    runsFailed = []\n    runsIncomplete
      = []\n    # To test this we need a webhook that will kick off two Pipelines\n
      \   # We will then delete one PipelineRun and observe it is correctly picked
      up as missing\n    # This is easiest done by reopening an existing PullRequest\n
      \   # It's important to delete the PipelineRun only after the monitor task is
      already running because \n    # the first thing it's going to do is figure out
      the PipelineRuns to watch over\n    failed = 0\n    \n    found_runs = api_instance.list_cluster_custom_object(\"tekton.dev\",
      \"v1beta1\", \"pipelineruns\", label_selector=labelToCheck)[\"items\"]\n    missingRuns
      = diff(initial_runs, found_runs)\n    if len(missingRuns) > 0:\n      for missingRun
      in missingRuns:\n        pr = missingRun[\"metadata\"][\"name\"]\n        namespace
      = missingRun[\"metadata\"][\"namespace\"]\n        pipeline = missingRun[\"spec\"][\"pipelineRef\"][\"name\"]\n
      \       link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"\n
      \       data = \"[**$COMMENT_MISSING**](\" + link + \") | \" + pipeline + \"
      | \" + pr + \" | \" + namespace\n        if data not in runsMissing:\n          #
      Don't add duplicates. Fear not, once this run is found it'll be removed\n          runsMissing.append(data)\n
      \   if len(found_runs) > 0:\n      for entry in found_runs:\n        pr = entry[\"metadata\"][\"name\"]\n
      \       namespace = entry[\"metadata\"][\"namespace\"]\n        pipeline = entry[\"spec\"][\"pipelineRef\"][\"name\"]\n
      \       link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"
      + pr\n        missingLink = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace
      + \"/pipelineruns/\"\n        missingDataEntry = \"[**$COMMENT_MISSING**](\"
      + missingLink + \") | \" + pipeline + \" | \" + pr + \" | \" + namespace\n        if
      missingDataEntry in runsMissing:\n          runsMissing.remove(missingDataEntry)\n
      \       print(\"Checking PipelineRun \" + pr + \" in namespace \" + namespace)\n
      \       if entry[\"status\"][\"conditions\"][0][\"status\"] == u'True' and entry[\"status\"][\"conditions\"][0][\"type\"]
      == u'Succeeded':\n          print(\"Success - pipelinerun \" + pr + \" in namespace
      \" + namespace)\n          runsPassed.append(\"[**$COMMENT_SUCCESS**](\" + link
      + \") | \" + pipeline + \" | \" +  pr + \" | \" + namespace)\n          continue\n
      \       if entry[\"status\"][\"conditions\"][0][\"status\"] == u'False' and
      entry[\"status\"][\"conditions\"][0][\"type\"] == u'Succeeded':\n          failed
      =+ 1\n          print(\"Failed - PipelineRun \" + pr + \" in namespace \" +
      namespace)\n          runsFailed.append(\"[**$COMMENT_FAILURE**](\" + link +
      \") | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n          continue\n
      \       link = pipelineRunURLPrefix + \"/#/namespaces/\" + namespace + \"/pipelineruns/\"
      + pr\n        runsIncomplete.append(\"[**$COMMENT_TIMEOUT**](\" + link + \")
      | \" + pipeline + \" | \" + pr + \" | \" + namespace)\n      if len(runsIncomplete)
      == 0:\n        break\n    else:\n      break\ngitPRdescription = \"All pipelines
      succeeded!\"\ngitPRcode = \"success\"\nif failed > 0:\n  gitPRdescription =
      str(failed) + \" pipeline(s) failed!\"\n  gitPRcode = \"failure\"\nif len(runsMissing)
      > 0:\n  gitPRdescription = \"Pipeline(s) missing!\"\n  gitPRcode = \"failure\"\nif
      len(runsIncomplete) > 0:\n  print(\"Some PipelineRuns had not completed when
      the monitor reached its timeout\")\n  gitPRdescription = \"timed out monitoring
      PipelineRuns\"\n  gitPRcode = \"error\"\n\nresults = runsPassed + runsFailed
      + runsIncomplete + runsMissing\n\nif (results == []):\n  gitPRdescription =
      \"No PipelineRuns were ever found for my PullRequest!\"\n  gitPRcode = \"error\"\n
      \ data = \"**$COMMENT_MISSING** | N/A | No PipelineRuns were ever detected,
      failing the build | N/A\"\n  runsMissing.append(data)    \n       \n  results
      = runsMissing\n\ncomment = (\"## Tekton Status Report \\n\\n\"\n           \"Status
      | Pipeline | PipelineRun | Namespace\\n\"\n           \":----- | :------- |
      :--------------- | :--------\\n\"\n           ) + \"\\n\".join(results)\n\nshutil.copyfile(\"/workspace/pull-request/pr.json\",\"/workspace/output/pull-request/pr.json\")\n#
      Preserve existing comments\nshutil.copytree(\"/workspace/pull-request/comments\",\"/workspace/output/pull-request/comments\")\nhandle
      = open(\"/workspace/output/pull-request/comments/newcomment.json\", 'w')\nhandle.write(comment)\nhandle.close()\nif
      not \"$URL\".startswith(\"http\"):\n  detailsURL = \"http://\" + \"$URL\" +
      \"/#/pipelineruns\"\nelse:\n  detailsURL = \"$URL\" + \"/#/pipelineruns\"\nprint(\"Set
      details url to \" + detailsURL)\nstatus = json.dumps(dict(Label=gitPRcontext,state=gitPRcode,Desc=gitPRdescription,Target=detailsURL))\nprint(\"Setting
      status to \" + status)\nif not os.path.exists(\"/workspace/output/pull-request/status\"):\n
      \ os.makedirs(\"/workspace/output/pull-request/status\")\nhandle = open(\"/workspace/output/pull-request/status/Tekton.json\",
      'w')\nhandle.write(status)\nhandle.close()\nif not os.path.exists(\"/workspace/output/pull-request/labels\"):\n
      \ shutil.copytree(\"/workspace/pull-request/labels\",\"/workspace/output/pull-request/labels\")\nshutil.copyfile(\"/workspace/pull-request/base.json\",\"/workspace/output/pull-request/base.json\")
      \nshutil.copyfile(\"/workspace/pull-request/head.json\",\"/workspace/output/pull-request/head.json\")\nEOF\n"
    command:
    - /bin/bash
    env:
    - name: EVENTID
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['triggers.tekton.dev/triggers-eventid']
    - name: COMMENT_SUCCESS
      value: $(inputs.params.commentsuccess)
    - name: COMMENT_FAILURE
      value: $(inputs.params.commentfailure)
    - name: COMMENT_TIMEOUT
      value: $(inputs.params.commenttimeout)
    - name: COMMENT_MISSING
      value: $(inputs.params.commentmissing)
    - name: URL
      value: $(inputs.params.dashboard-url)
    - name: STATUSES_URL
      value: $(inputs.params.statusesurl)
    - name: GITPROVIDER
      value: $(inputs.params.provider)
    - name: GITAPIURL
      value: $(inputs.params.apiurl)
    - name: SKIPSSLVERIFY
      value: $(inputs.params.insecure-skip-tls-verify)
    - name: GITTOKEN
      valueFrom:
        secretKeyRef:
          key: accessToken
          name: $(inputs.params.secret)
    image: maiwj/kubernetes-python-client@sha256:74a868a0dff5c8ada64472db3efd09d205d4f877d14d2d3226511adbb25cfea3
    name: check
 ---
 apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerBinding
 metadata:
  name: monitor-task-github-binding
  namespace: tekton-pipelines
 spec:
  params:
  - name: pullrequesturl
    value: $(body.pull_request.html_url)
  - name: statusesurl
    value: $(body.pull_request.statuses_url)
 ---
 apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerBinding
 metadata:
  name: monitor-task-gitlab-binding
  namespace: tekton-pipelines
 spec:
  params:
  - name: pullrequesturl
    value: $(body.object_attributes.url)
  - name: statusesurl
    value: projects/$(body.project.id)/statuses/$(body.object_attributes.last_commit.id)
 ---
 apiVersion: triggers.tekton.dev/v1alpha1
 kind: TriggerTemplate
 metadata:
  name: monitor-task-template
  namespace: tekton-pipelines
 spec:
  params:
  - description: The pull request url
    name: pullrequesturl
    type: string
  - description: The statuses url
    name: statusesurl
    type: string
  - default: github-secrets
    description: The git secret name
    name: gitsecretname
    type: string
  - default: token
    description: The git secret key name
    name: gitsecretkeyname
    type: string
  - default: Success
    description: The text of the success comment
    name: commentsuccess
    type: string
  - default: Failed
    description: The text of the failure comment
    name: commentfailure
    type: string
  - default: Unknown
    description: The text of the timeout comment
    name: commenttimeout
    type: string
  - default: Missing
    description: The text of the missing comment
    name: commentmissing
    type: string
  - default: http://localhost:9097/
    description: The URL to the pipelineruns page of the dashboard
    name: dashboardurl
    type: string
  - default: github
    description: The git provider, "github" or "gitlab"
    name: provider
    type: string
  - default: ""
    description: The git api URL for the repository
    name: apiurl
    type: string
  - default: "false"
    description: Whether or not to skip SSL validation of certificates ("true" or
      "false")
    name: insecure-skip-tls-verify
    type: string
  resourcetemplates:
  - apiVersion: tekton.dev/v1alpha1
    kind: PipelineResource
    metadata:
      name: pull-request-$(uid)
      namespace: tekton-pipelines
    spec:
      params:
      - name: url
        value: $(params.pullrequesturl)
      - name: insecure-skip-tls-verify
        value: $(params.insecure-skip-tls-verify)
      secrets:
      - fieldName: authToken
        secretKey: $(params.gitsecretkeyname)
        secretName: $(params.gitsecretname)
      type: pullRequest
  - apiVersion: tekton.dev/v1beta1
    kind: TaskRun
    metadata:
      generateName: monitor-taskrun-
      namespace: tekton-pipelines
    spec:
      params:
      - name: commentsuccess
        value: $(params.commentsuccess)
      - name: commentfailure
        value: $(params.commentfailure)
      - name: commenttimeout
        value: $(params.commenttimeout)
      - name: dashboard-url
        value: $(params.dashboardurl)
      - name: secret
        value: $(params.gitsecretname)
      - name: statusesurl
        value: $(params.statusesurl)
      - name: provider
        value: $(params.provider)
      - name: apiurl
        value: $(params.apiurl)
      - name: insecure-skip-tls-verify
        value: $(params.insecure-skip-tls-verify)
      resources:
        inputs:
        - name: pull-request
          resourceRef:
            name: pull-request-$(uid)
        outputs:
        - name: pull-request
          resourceRef:
            name: pull-request-$(uid)
      serviceAccountName: tekton-webhooks-extension
      taskRef:
        name: monitor-task
 ---
--- a/tekton/1-Install/4-dashboard.yaml
+++ b/tekton/1-Install/4-dashboard.yaml
@ -49,6 +49,7 @@ rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - create
@ -124,17 +125,6 @@ rules:
  - delete
  - patch
  - add
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
 - apiGroups:
  - apiextensions.k8s.io
  resources:
@ -194,6 +184,7 @@ rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
@ -281,8 +272,8 @@ kind: Service
 metadata:
  labels:
    app: tekton-dashboard
-    dashboard.tekton.dev/release: v0.6.1.5
+    dashboard.tekton.dev/release: v0.6.1
-    version: v0.6.1.5
+    version: v0.6.1
  name: tekton-dashboard
  namespace: tekton-pipelines
 spec:
@ -299,8 +290,8 @@ kind: Deployment
 metadata:
  labels:
    app: tekton-dashboard
-    dashboard.tekton.dev/release: v0.6.1.5
+    dashboard.tekton.dev/release: v0.6.1
-    version: v0.6.1.5
+    version: v0.6.1
  name: tekton-dashboard
  namespace: tekton-pipelines
 spec:
@ -322,17 +313,13 @@ spec:
          value: "false"
        - name: WEB_RESOURCES_DIR
          value: /var/run/ko/web
-        - name: CSRF_SECURE_COOKIE
+        - name: PIPELINE_RUN_SERVICE_ACCOUNT
-          value: "false"
+          value: ""
        - name: TRIGGERS_NAMESPACE
          value: tekton-pipelines
        - name: PIPELINE_NAMESPACE
          value: tekton-pipelines
        - name: INSTALLED_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:ca22f87e8bec86cf91833aa3996cf9d316313628870eb74c1ea9a73bea77c83d
+        image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard@sha256:de969ff4ced12c94701bd039137edf5fc66bbc5ccd19f09324c1d7fcfc47e5f1
        livenessProbe:
          httpGet:
            path: /health
@ -345,5 +332,78 @@ spec:
            path: /readiness
            port: 9097
      serviceAccountName: tekton-dashboard
 ---
 apiVersion: tekton.dev/v1beta1
 kind: Pipeline
 metadata:
  name: pipeline0
  namespace: tekton-pipelines
 spec:
  params:
  - default: /workspace/git-source
    description: The path to the resource files to apply
    name: pathToResourceFiles
    type: string
  - default: .
    description: The directory from which resources are to be applied
    name: apply-directory
    type: string
  - default: tekton-pipelines
    description: The namespace in which to create the resources being imported
    name: target-namespace
    type: string
  resources:
  - name: git-source
    type: git
  tasks:
  - name: pipeline0-task
    params:
    - name: pathToResourceFiles
      value: $(params.pathToResourceFiles)
    - name: apply-directory
      value: $(params.apply-directory)
    - name: target-namespace
      value: $(params.target-namespace)
    resources:
      inputs:
      - name: git-source
        resource: git-source
    taskRef:
      name: pipeline0-task
 ---
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
  name: pipeline0-task
  namespace: tekton-pipelines
 spec:
  params:
  - default: /workspace/git-source
    description: The path to the resource files to apply
    name: pathToResourceFiles
    type: string
  - default: .
    description: The directory from which resources are to be applied
    name: apply-directory
    type: string
  - default: tekton-pipelines
    description: The namespace where created resources will go
    name: target-namespace
    type: string
  resources:
    inputs:
    - name: git-source
      type: git
  steps:
  - args:
    - apply
    - -f
    - $(inputs.params.pathToResourceFiles)/$(inputs.params.apply-directory)
    - -n
    - $(inputs.params.target-namespace)
    command:
    - kubectl
    image: lachlanevenson/k8s-kubectl@sha256:9713d6c1c6d83bdd4b3744d295fd0efce8f6cc149eb3083e86ae0911aa52ee73
    name: kubectl-apply
 ---
--- a/tekton/pipelines/pr.yaml
+++ b/tekton/pipelines/pr.yaml
@ -11,8 +11,6 @@ spec:
      type: string
    - name: projectname
      type: string
    - name: prid
      type: string
  resources:
    - name: git-source
      type: git
--- a/terraform/kubernetes-cluster.tf
+++ b/terraform/kubernetes-cluster.tf
@ -1,7 +1,7 @@
 resource "scaleway_k8s_cluster_beta" "k8s-cluster" {
  name             = "cluster-fun"
  description      = ""
-  version          = "1.18.3"
+  version          = "1.18.2"
  cni              = "weave"
  enable_dashboard = false
  ingress          = "traefik"