# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# PodSecurityPolicy for pods admitted under it: no privileged containers, no
# privilege escalation, no host namespaces, and only emptyDir, configMap and
# secret volumes. It applies only to subjects granted the "use" verb on it
# (the tekton-triggers-admin ClusterRole in this file does so) and only where
# the PodSecurityPolicy admission plugin is enabled.
# policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25; newer
# clusters need Pod Security admission or a policy engine for the same
# constraints.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tekton-triggers
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # Volume types a pod may mount; hostPath is deliberately absent.
  volumes:
    - emptyDir
    - configMap
    - secret
  # RunAsAny permits UID 0.
  # NOTE(review): consider MustRunAsNonRoot once the images are confirmed to
  # run as a non-root user.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Ranges start at 1, so the root group (GID 0) cannot be requested.
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Permissions of the tekton-triggers-controller ServiceAccount. The role is
# attached with a ClusterRoleBinding in this file, so every rule below applies
# in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-admin
rules:
  # Full read/write on core objects, including Secrets, cluster-wide.
  # NOTE(review): this is the most sensitive grant in the file; confirm that
  # the controller needs more than read access to Secrets.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
      - services
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
      - deployments/finalizers
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # No resourceNames here, so the account may change any admission webhook
  # configuration in the cluster, not only the three defined in this file.
  # NOTE(review): consider resourceNames for the verbs that support it.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - triggers.tekton.dev
    resources:
      - clustertriggerbindings
      - eventlisteners
      - triggerbindings
      - triggertemplates
      - eventlisteners/finalizers
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # Status subresources; only get, update and patch are meaningful on them.
  - apiGroups:
      - triggers.tekton.dev
    resources:
      - clustertriggerbindings/status
      - eventlisteners/status
      - triggerbindings/status
      - triggertemplates/status
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # Allows pods of the bound ServiceAccount to be admitted under the
  # tekton-triggers PodSecurityPolicy, and only that policy.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - tekton-triggers
    verbs:
      - use
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
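# Identity used by both the controller and the webhook Deployments in this
# file (each sets serviceAccountName: tekton-triggers-controller).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-controller
  namespace: tekton-pipelines
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Binds tekton-triggers-admin to the ServiceAccount above for the whole
# cluster. Because this is a ClusterRoleBinding rather than a RoleBinding,
# the Secret and webhook-configuration permissions in that role are not
# limited to the tekton-pipelines namespace.
# Uses rbac.authorization.k8s.io/v1, matching the ClusterRole documents in
# this file; the v1beta1 RBAC API was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-controller-admin
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-controller
    namespace: tekton-pipelines
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-admin
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.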
# Cluster-scoped ClusterTriggerBinding type.
# No validation schema is declared, so the API server itself does not check
# the shape of these objects.
# NOTE(review): validation presumably rests on the admission webhooks
# registered later in this file; confirm.
# apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22; moving to v1
# requires a structural schema per version.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clustertriggerbindings.triggers.tekton.dev
spec:
  group: triggers.tekton.dev
  scope: Cluster
  names:
    kind: ClusterTriggerBinding
    plural: clustertriggerbindings
    singular: clustertriggerbinding
    shortNames:
      - ctb
    categories:
      - tekton
      - tekton-triggers
  versions:
    - name: v1alpha1
      served: true
      storage: true
  # Deprecated single-version field of v1beta1 CRDs; it has to match the
  # first entry of versions.
  version: v1alpha1
  subresources:
    status: {}
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced EventListener type; same API version and schema caveats as the
# ClusterTriggerBinding definition above.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: eventlisteners.triggers.tekton.dev
spec:
  group: triggers.tekton.dev
  scope: Namespaced
  names:
    kind: EventListener
    plural: eventlisteners
    singular: eventlistener
    shortNames:
      - el
    categories:
      - tekton
      - tekton-triggers
  versions:
    - name: v1alpha1
      served: true
      storage: true
  version: v1alpha1
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced TriggerBinding type.
# No validation schema is declared in this definition, so the API server does
# not check object shape on its own.
# apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: triggerbindings.triggers.tekton.dev
spec:
  group: triggers.tekton.dev
  scope: Namespaced
  names:
    kind: TriggerBinding
    plural: triggerbindings
    singular: triggerbinding
    shortNames:
      - tb
    categories:
      - tekton
      - tekton-triggers
  versions:
    - name: v1alpha1
      served: true
      storage: true
  # Deprecated single-version field of v1beta1 CRDs; it has to match the
  # first entry of versions.
  version: v1alpha1
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced TriggerTemplate type; same API version and schema caveats as the
# TriggerBinding definition above.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: triggertemplates.triggers.tekton.dev
spec:
  group: triggers.tekton.dev
  scope: Namespaced
  names:
    kind: TriggerTemplate
    plural: triggertemplates
    singular: triggertemplate
    shortNames:
      - tt
    categories:
      - tekton
      - tekton-triggers
  versions:
    - name: v1alpha1
      served: true
      storage: true
  version: v1alpha1
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
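# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Empty placeholder for the webhook's serving certificate material.
apiVersion: v1
kind: Secret
metadata:
  name: triggers-webhook-certs
  namespace: tekton-pipelines
  labels:
    triggers.tekton.dev/release: devel
# The data is populated at install time.
---
# The three webhook configurations below all point at the
# tekton-triggers-webhook Service and fail closed (failurePolicy: Fail): if
# the webhook cannot be reached, matching requests are rejected.
# None of them declares rules or a caBundle here.
# NOTE(review): presumably the webhook process fills these in at startup,
# using the update permission on webhook configurations granted by
# tekton-triggers-admin; confirm.
# admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: validation.webhook.triggers.tekton.dev
  labels:
    triggers.tekton.dev/release: devel
webhooks:
  - name: validation.webhook.triggers.tekton.dev
    admissionReviewVersions:
      - v1beta1
    clientConfig:
      service:
        name: tekton-triggers-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.triggers.tekton.dev
  labels:
    triggers.tekton.dev/release: devel
webhooks:
  - name: webhook.triggers.tekton.dev
    admissionReviewVersions:
      - v1beta1
    clientConfig:
      service:
        name: tekton-triggers-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.triggers.tekton.dev
  labels:
    triggers.tekton.dev/release: devel
webhooks:
  - name: config.webhook.triggers.tekton.dev
    admissionReviewVersions:
      - v1beta1
    clientConfig:
      service:
        name: tekton-triggers-webhook
        namespace: tekton-pipelines
    failurePolicy: Fail
    sideEffects: None
    # Only namespaces that carry the triggers.tekton.dev/release label are
    # subject to this webhook.
    namespaceSelector:
      matchExpressions:
        - key: triggers.tekton.dev/release
          operator: Exists
---
# Aggregated into the built-in "edit" and "admin" ClusterRoles.
# The API group is triggers.tekton.dev, the group the four
# CustomResourceDefinitions in this file declare; with "tekton.dev" the rule
# matched none of the listed resources and granted nothing.
# Anyone holding edit or admin in a namespace gains write access to the
# namespaced Triggers resources through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-aggregate-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - triggers.tekton.dev
    resources:
      - clustertriggerbindings
      - eventlisteners
      - triggerbindings
      - triggertemplates
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
# Aggregated into the built-in "view" ClusterRole: read-only access to the
# Triggers resources. Uses the triggers.tekton.dev group for the same reason
# as the edit role above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-aggregate-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - triggers.tekton.dev
    resources:
      - clustertriggerbindings
      - eventlisteners
      - triggerbindings
      - triggertemplates
    verbs:
      - get
      - list
      - watch
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.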
# Logging configuration; the Deployments in this file reference it by name
# through CONFIG_LOGGING_NAME.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging-triggers
  namespace: tekton-pipelines
data:
  # Common configuration for all knative codebase
  # timeKey is empty in the encoder settings below; zap omits a field whose
  # key is empty, so timestamps have to come from the log collector.
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }

  # Log level overrides
  loglevel.controller: "info"
  loglevel.webhook: "info"
  loglevel.eventlistener: "info"
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Metrics configuration. Everything sits under the _example key as one text
# value, so none of the settings below is active as shipped.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-observability-triggers
  namespace: tekton-pipelines
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using stackdriver will incur additional charges
    metrics.backend-destination: prometheus

    # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used if this field is not provided.
    metrics.stackdriver-project-id: ""

    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to
    # Stackdriver using "global" resource type and custom metric type if the
    # metrics are not supported by "knative_revision" resource type. Setting this
    # flag to "true" could cause extra Stackdriver charge.
    # If metrics.backend-destination is not Stackdriver, this is ignored.
    metrics.allow-stackdriver-custom-metrics: "false"
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Exposes the controller's metrics port. No type is set, so this is a
# ClusterIP Service.
# NOTE(review): nothing in this file restricts which pods may reach port
# 9090; confirm whether a NetworkPolicy is expected to do so.
apiVersion: v1
kind: Service
metadata:
  name: tekton-triggers-controller
  namespace: tekton-pipelines
  labels:
    app: tekton-triggers-controller
    version: "v0.4.0"
    triggers.tekton.dev/release: "v0.4.0"
spec:
  selector:
    app: tekton-triggers-controller
  ports:
    - name: http-metrics
      protocol: TCP
      port: 9090
      targetPort: 9090
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
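# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Controller Deployment. It runs as the tekton-triggers-controller
# ServiceAccount, which holds the cluster-wide tekton-triggers-admin role.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-triggers-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: tekton-triggers
    app.kubernetes.io/component: controller
    # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
    triggers.tekton.dev/release: "v0.4.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-triggers-controller
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-triggers-controller
        triggers.tekton.dev/release: "v0.4.0"
        # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
        version: "v0.4.0"
    spec:
      serviceAccountName: tekton-triggers-controller
      containers:
        - name: tekton-triggers-controller
          # Both this image and the -el-image argument are pinned by sha256
          # digest, so the content that runs cannot change under a tag.
          image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256:bf3517ddccace756e39cee0f0012bbe879c6b28d962a1c904a415e7c60ce5bc2
          args:
            - "-logtostderr"
            - "-stderrthreshold"
            - "INFO"
            - "-el-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink@sha256:76c208ec1d73d9733dcaf850240e1b3990e5977709a03c2bd98ad5b20fab9867"
            - "-el-port"
            - "8080"
            - "-period-seconds"
            - "10"
            - "-failure-threshold"
            - "1"
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging-triggers
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability-triggers
            - name: METRICS_DOMAIN
              value: tekton.dev/triggers
          securityContext:
            # Stated on the container as well as in the tekton-triggers
            # PodSecurityPolicy, so it still holds on clusters where
            # PodSecurityPolicy admission is not enabled.
            allowPrivilegeEscalation: false
---
# In-cluster endpoint the admission webhook configurations in this file
# point at: port 443 forwards to the webhook container's 8443.
apiVersion: v1
kind: Service
metadata:
  name: tekton-triggers-webhook
  namespace: tekton-pipelines
  labels:
    app: tekton-triggers-webhook
    version: "v0.4.0"
    triggers.tekton.dev/release: "v0.4.0"
spec:
  selector:
    app: tekton-triggers-webhook
  ports:
    - name: https-webhook
      port: 443
      targetPort: 8443
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Admission webhook Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-triggers-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: tekton-triggers
    app.kubernetes.io/component: webhook-controller
    # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
    triggers.tekton.dev/release: "v0.4.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-triggers-webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-triggers-webhook
        triggers.tekton.dev/release: "v0.4.0"
        # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
        version: "v0.4.0"
        role: webhook
        app.kubernetes.io/name: tekton-triggers
        app.kubernetes.io/component: webhook-controller
    spec:
      # Same ServiceAccount as the controller, so the webhook pod also holds
      # the cluster-wide tekton-triggers-admin permissions.
      # NOTE(review): a dedicated account with only what the webhook needs
      # would limit the impact of a compromise of this pod.
      serviceAccountName: tekton-triggers-controller
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          image: gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook@sha256:d7f1526a9294e671c500f0071b61e050262fb27fb633b54d764a556969855764
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging-triggers
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-triggers-webhook
            - name: METRICS_DOMAIN
              value: tekton.dev/triggers
          # Only https-webhook is published by the Service above.
          # NOTE(review): confirm whether the profiling port is meant to be
          # reachable from other pods.
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
          securityContext:
            # Stated on the container as well as in the tekton-triggers
            # PodSecurityPolicy, so it still holds on clusters where
            # PodSecurityPolicy admission is not enabled.
            allowPrivilegeEscalation: false
---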