# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that holds the ServiceAccounts, Roles, ConfigMaps and the
# webhook-certs Secret declared further down in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Pod security policy that the controller and webhook ClusterRoles in this
# file are allowed to `use` (resourceNames: tekton-pipelines).
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is no longer served from
# Kubernetes v1.25; on newer clusters this object cannot be created and the
# same constraints have to be expressed with Pod Security Admission or an
# admission policy engine.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tekton-pipelines
spec:
  # No privileged containers and no setuid-style privilege gain.
  privileged: false
  allowPrivilegeEscalation: false
  # Only these volume types are admitted; hostPath is not in the list.
  volumes:
    - emptyDir
    - configMap
    - secret
  # Host namespaces are all refused.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  # NOTE(review): RunAsAny admits UID 0. If the controller and webhook images
  # run as a non-root user, MustRunAsNonRoot would be the tighter rule -
  # confirm against the Deployments, which are not part of this section.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Group 0 is excluded for both supplemental groups and fsGroup.
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  # NOTE(review): requiredDropCapabilities and readOnlyRootFilesystem are not
  # set, so the runtime's default capability set and a writable root
  # filesystem remain allowed under this policy.

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-scoped access for the controller: read-only on namespaces and pods,
# full management of the tekton.dev resources, and `use` of the PSP.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-cluster-access
rules:
  - apiGroups: [""]
    # Namespace access is required because the controller timeout handling logic
    # iterates over all namespaces and times out any PipelineRuns that have expired.
    # Pod access is required because the taskrun controller wants to be updated when
    # a Pod underlying a TaskRun changes state.
    resources: ["namespaces", "pods"]
    verbs: ["list", "watch"]
  # Controller needs cluster access to all of the CRDs that it is responsible for
  # managing.
  - apiGroups: ["tekton.dev"]
    resources:
      - tasks
      - clustertasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["taskruns/finalizers", "pipelineruns/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources:
      - tasks/status
      - clustertasks/status
      - taskruns/status
      - pipelines/status
      - pipelineruns/status
      - pipelineresources/status
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Lets the controller's pods be admitted under the tekton-pipelines PSP only.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["tekton-pipelines"]
    verbs: ["use"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # This is the access that the controller needs on a per-namespace basis.
  name: tekton-pipelines-controller-tenant-access
rules:
  # NOTE(review): this rule covers secrets and serviceaccounts with every verb
  # listed. This file binds the role with a ClusterRoleBinding, so the access
  # applies in all namespaces; treat the controller ServiceAccount token as a
  # cluster-wide secret reader/writer when threat-modelling.
  - apiGroups: [""]
    resources:
      - pods
      - pods/log
      - secrets
      - events
      - serviceaccounts
      - configmaps
      - persistentvolumeclaims
      - limitranges
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Unclear if this access is actually required. Simply a hold-over from the previous
  # incarnation of the controller's ClusterRole.
  # NOTE(review): least privilege argues for dropping the two `apps` rules once
  # it is confirmed that nothing in the controller touches Deployments.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-webhook-cluster-access
rules:
  - # The webhook needs to be able to list and update customresourcedefinitions,
    # mainly to update the webhook certificates.
    # NOTE(review): there is no resourceNames filter here, so update/patch
    # applies to every CustomResourceDefinition in the cluster, not only the
    # tekton.dev ones.
    apiGroups: ["apiextensions.k8s.io"]
    resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
    verbs: ["get", "list", "update", "patch", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    # The webhook performs a reconciliation on these two resources and continuously
    # updates configuration.
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    # knative starts informers on these things, which is why we need get, list and watch.
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    # This mutating webhook is responsible for applying defaults to tekton objects
    # as they are received.
    resourceNames: ["webhook.pipeline.tekton.dev"]
    # When there are changes to the configs or secrets, knative updates the mutatingwebhook config
    # with the updated certificates or the refreshed set of rules.
    verbs: ["get", "update"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns.
    # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure
    resourceNames:
      - validation.webhook.pipeline.tekton.dev
      - config.webhook.pipeline.tekton.dev
    # When there are changes to the configs or secrets, knative updates the validatingwebhook config
    # with the updated certificates or the refreshed set of rules.
    verbs: ["get", "update"]
  # Lets the webhook's pods be admitted under the tekton-pipelines PSP only.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["tekton-pipelines"]
    verbs: ["use"]

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced access for the controller inside tekton-pipelines: it may list and
# watch ConfigMaps, and `get` only the ones named below.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "watch"]
  - # The controller needs access to these configmaps for logging information and runtime configuration.
    apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames:
      - config-logging
      - config-observability
      - config-artifact-bucket
      - config-artifact-pvc
      - feature-flags
      - config-leader-election
---
# Namespaced access for the webhook inside tekton-pipelines.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "watch"]
  - # The webhook needs access to these configmaps for logging information.
    apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["config-logging", "config-observability"]
  # NOTE(review): this rule carries no resourceNames, so the webhook can list
  # and watch (and therefore read) every Secret in the tekton-pipelines
  # namespace, not just webhook-certs. Keep unrelated secrets out of it.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "watch"]
  - # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever
    # the secret changes it updates the webhook configurations with the certificates
    # stored in the secret.
    apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "update"]
    resourceNames: ["webhook-certs"]

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Identity the controller runs as; subject of the controller bindings below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
---
# Identity the webhook runs as; subject of the webhook bindings below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
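# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The three bindings below use rbac.authorization.k8s.io/v1, the same API
# version as the Roles and ClusterRoles in this file. The v1beta1 RBAC API is
# no longer served from Kubernetes v1.22, where a v1beta1 binding would fail to
# apply and leave the ServiceAccount without its permissions.

# Grants the controller ServiceAccount its cluster-scoped role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipelines-controller-cluster-access
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-controller
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipelines-controller-cluster-access
  apiGroup: rbac.authorization.k8s.io
---
# If this ClusterRoleBinding is replaced with a RoleBinding
# then the ClusterRole would be namespaced. The access described by
# the tekton-pipelines-controller-tenant-access ClusterRole would
# be scoped to individual tenant namespaces.
#
# NOTE(review): as shipped the binding is cluster-wide, so the controller
# ServiceAccount holds that ClusterRole's access (which includes secrets and
# serviceaccounts) in every namespace. Multi-tenant clusters that want a
# smaller blast radius should use one RoleBinding per tenant namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipelines-controller-tenant-access
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-controller
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipelines-controller-tenant-access
  apiGroup: rbac.authorization.k8s.io
---
# Grants the webhook ServiceAccount its cluster-scoped role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipelines-webhook-cluster-access
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-webhook
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipelines-webhook-cluster-access
  apiGroup: rbac.authorization.k8s.io

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.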
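# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Both RoleBindings use rbac.authorization.k8s.io/v1, matching the Roles they
# reference. The v1beta1 RBAC API is no longer served from Kubernetes v1.22.

# Binds the controller ServiceAccount to its Role in tekton-pipelines.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-controller
    namespace: tekton-pipelines
roleRef:
  kind: Role
  name: tekton-pipelines-controller
  apiGroup: rbac.authorization.k8s.io
---
# Binds the webhook ServiceAccount to its Role in tekton-pipelines.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-webhook
    namespace: tekton-pipelines
roleRef:
  kind: Role
  name: tekton-pipelines-webhook
  apiGroup: rbac.authorization.k8s.io

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.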
# Cluster-scoped ClusterTask resource, served as v1alpha1 (storage) and v1beta1.
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes v1.22. Moving to v1 needs per-version schemas and a restructured
# conversion stanza, so the version is left as the author wrote it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clustertasks.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      #
      # NOTE(review): with nothing pruned and no per-field schema here, the API
      # server stores whatever it is sent; field validation depends on the
      # admission webhooks declared elsewhere in this file.
      x-kubernetes-preserve-unknown-fields: true
  versions:
    - name: v1alpha1
      served: true
      storage: true
    - name: v1beta1
      served: true
      storage: false
  names:
    kind: ClusterTask
    plural: clustertasks
    categories: [tekton, tekton-pipelines]
  scope: Cluster
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  # Conversion between the served versions is delegated to the webhook Service.
  # No caBundle is given in this manifest.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Namespaced Condition resource, single version v1alpha1.
# NOTE(review): no validation schema and no preserveUnknownFields setting are
# given; in apiextensions.k8s.io/v1beta1 that field defaults to true, so
# unknown fields are stored unpruned.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: conditions.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  names:
    kind: Condition
    plural: conditions
    categories: [tekton, tekton-pipelines]
  scope: Namespaced
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  version: v1alpha1

---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Knative-internal Image resource (group caching.internal.knative.dev),
# namespaced, single version v1alpha1, with the status subresource enabled.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: images.caching.internal.knative.dev
  labels:
    # Kept as a quoted string: label values must be strings, not booleans.
    knative.dev/crd-install: 'true'
spec:
  group: caching.internal.knative.dev
  version: v1alpha1
  names:
    kind: Image
    plural: images
    singular: image
    categories: [knative-internal, caching]
    shortNames: [img]
  scope: Namespaced
  subresources:
    status: {}

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Namespaced Pipeline resource, served as v1alpha1 (storage) and v1beta1.
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes v1.22; the version is left as the author wrote it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelines.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      #
      # NOTE(review): with nothing pruned and no per-field schema here, field
      # validation depends on the admission webhooks declared in this file.
      x-kubernetes-preserve-unknown-fields: true
  versions:
    - name: v1alpha1
      served: true
      storage: true
    - name: v1beta1
      served: true
      storage: false
  names:
    kind: Pipeline
    plural: pipelines
    categories: [tekton, tekton-pipelines]
  scope: Namespaced
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  # Conversion between the served versions is delegated to the webhook Service.
  # No caBundle is given in this manifest.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Namespaced PipelineRun resource, served as v1alpha1 (storage) and v1beta1.
# NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
# Kubernetes v1.22; the version is left as the author wrote it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineruns.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      #
      # NOTE(review): with nothing pruned and no per-field schema here, field
      # validation depends on the admission webhooks declared in this file.
      x-kubernetes-preserve-unknown-fields: true
  versions:
    - name: v1alpha1
      served: true
      storage: true
    - name: v1beta1
      served: true
      storage: false
  names:
    kind: PipelineRun
    plural: pipelineruns
    categories: [tekton, tekton-pipelines]
    shortNames: [pr, prs]
  scope: Namespaced
  # Columns shown by `kubectl get`; the filter picks the "Succeeded" condition.
  additionalPrinterColumns:
    - name: Succeeded
      type: string
      JSONPath: '.status.conditions[?(@.type=="Succeeded")].status'
    - name: Reason
      type: string
      JSONPath: '.status.conditions[?(@.type=="Succeeded")].reason'
    - name: StartTime
      type: date
      JSONPath: .status.startTime
    - name: CompletionTime
      type: date
      JSONPath: .status.completionTime
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  # Conversion between the served versions is delegated to the webhook Service.
  # No caBundle is given in this manifest.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced PipelineResource resource, single version v1alpha1.
# NOTE(review): no validation schema and no preserveUnknownFields setting are
# given; in apiextensions.k8s.io/v1beta1 that field defaults to true, so
# unknown fields are stored unpruned.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: pipelineresources.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  names:
    kind: PipelineResource
    plural: pipelineresources
    categories: [tekton, tekton-pipelines]
  scope: Namespaced
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  version: v1alpha1

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced Task resource, served as v1alpha1 (storage) and v1beta1.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tasks.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      #
      # NOTE(review): with nothing pruned and no per-field schema here, field
      # validation depends on the admission webhooks declared in this file.
      x-kubernetes-preserve-unknown-fields: true
  versions:
    - name: v1alpha1
      served: true
      storage: true
    - name: v1beta1
      served: true
      storage: false
  names:
    kind: Task
    plural: tasks
    categories: [tekton, tekton-pipelines]
  scope: Namespaced
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  # Conversion between the served versions is delegated to the webhook Service.
  # No caBundle is given in this manifest.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespaced TaskRun resource, served as v1alpha1 (storage) and v1beta1.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: taskruns.tekton.dev
  labels:
    pipeline.tekton.dev/release: 'devel'
    version: 'devel'
spec:
  group: tekton.dev
  preserveUnknownFields: false
  validation:
    openAPIV3Schema:
      type: object
      # One can use x-kubernetes-preserve-unknown-fields: true
      # at the root of the schema (and inside any properties, additionalProperties)
      # to get the traditional CRD behaviour that nothing is pruned, despite
      # setting spec.preserveUnknownProperties: false.
      #
      # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
      # See issue: https://github.com/knative/serving/issues/912
      #
      # NOTE(review): with nothing pruned and no per-field schema here, field
      # validation depends on the admission webhooks declared in this file.
      x-kubernetes-preserve-unknown-fields: true
  versions:
    - name: v1alpha1
      served: true
      storage: true
    - name: v1beta1
      served: true
      storage: false
  names:
    kind: TaskRun
    plural: taskruns
    categories: [tekton, tekton-pipelines]
    shortNames: [tr, trs]
  scope: Namespaced
  # Columns shown by `kubectl get`; the filter picks the "Succeeded" condition.
  additionalPrinterColumns:
    - name: Succeeded
      type: string
      JSONPath: '.status.conditions[?(@.type=="Succeeded")].status'
    - name: Reason
      type: string
      JSONPath: '.status.conditions[?(@.type=="Succeeded")].reason'
    - name: StartTime
      type: date
      JSONPath: .status.startTime
    - name: CompletionTime
      type: date
      JSONPath: .status.completionTime
  # Opt into the status subresource so metadata.generation
  # starts to increment
  subresources:
    status: {}
  # Conversion between the served versions is delegated to the webhook Service.
  # No caBundle is given in this manifest.
  conversion:
    strategy: Webhook
    webhookClientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines

---
# Copyright 2020 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Empty placeholder for the webhook's serving certificate material. No key
# material is committed here; the webhook Role in this file is allowed to
# get/update this one Secret by name.
apiVersion: v1
kind: Secret
metadata:
  name: webhook-certs
  namespace: tekton-pipelines
  labels:
    pipeline.tekton.dev/release: devel
# The data is populated at install time.
---
# Validating admission webhook served by the tekton-pipelines-webhook Service.
# NOTE(review): no `rules` and no `caBundle` are declared in this manifest. The
# RBAC comments in this file say the webhook updates these configurations at
# runtime, so the effective scope and trust anchor should be checked on the
# live object, not here.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served from
# Kubernetes v1.22. v1 changes some defaults, so it is left as written.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: validation.webhook.pipeline.tekton.dev
  labels:
    pipeline.tekton.dev/release: devel
webhooks:
  - name: validation.webhook.pipeline.tekton.dev
    admissionReviewVersions: [v1beta1]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    # Fail closed: matching requests are rejected when the webhook is unreachable.
    failurePolicy: Fail
    sideEffects: None
---
# Mutating admission webhook served by the same Service. `rules` and `caBundle`
# are likewise absent from the manifest.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.pipeline.tekton.dev
  labels:
    pipeline.tekton.dev/release: devel
webhooks:
  - name: webhook.pipeline.tekton.dev
    admissionReviewVersions: [v1beta1]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    # Fail closed: matching requests are rejected when the webhook is unreachable.
    failurePolicy: Fail
    sideEffects: None
---
# Validating webhook for configuration objects. It is limited by its
# namespaceSelector to namespaces that carry a pipeline.tekton.dev/release label.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.pipeline.tekton.dev
  labels:
    pipeline.tekton.dev/release: devel
webhooks:
  - name: config.webhook.pipeline.tekton.dev
    admissionReviewVersions: [v1beta1]
    clientConfig:
      service:
        name: tekton-pipelines-webhook
        namespace: tekton-pipelines
    # Fail closed: matching requests are rejected when the webhook is unreachable.
    failurePolicy: Fail
    sideEffects: None
    namespaceSelector:
      matchExpressions:
        - key: pipeline.tekton.dev/release
          operator: Exists

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Aggregated into the `edit` and `admin` roles through the two labels below:
# any subject bound to those roles also gets write access to these tekton.dev
# resources. clustertasks is not listed, so the aggregation grants nothing on
# the cluster-scoped ClusterTask resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-aggregate-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups: [tekton.dev]
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Aggregated into the `view` role: read-only access to the same namespaced
# tekton.dev resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-aggregate-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: 'true'
rules:
  - apiGroups: [tekton.dev]
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
    verbs: [get, list, watch]

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Artifact bucket settings. The ConfigMap ships with no `data`; the commented
# template below shows the keys. Bucket credentials are referenced by Secret
# name and key and are never placed in the ConfigMap itself.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-artifact-bucket
  namespace: tekton-pipelines
# data:
#   # location of the gcs bucket to be used for artifact storage
#   location: "gs://bucket-name"
#   # name of the secret that will contain the credentials for the service account
#   # with access to the bucket
#   bucket.service.account.secret.name:
#   # The key in the secret with the required service account json
#   bucket.service.account.secret.key:

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Artifact PVC settings. The ConfigMap ships with no `data`; the commented
# template below shows the keys.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-artifact-pvc
  namespace: tekton-pipelines
# data:
#   # size of the PVC volume
#   size: 5Gi
#
#   # storage class of the PVC volume
#   storageClassName: storage-class-name

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Defaults applied to TaskRuns and PipelineRuns. The only key shipped is
# `_example`, a block of documentation text; nothing under it is active
# configuration until it is copied out into `data` as a real key.
# NOTE(review): the example value for default-service-account is "default".
# The built-in default is not visible in this file; whichever account is used
# for runs that name none should carry only the permissions those runs need.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-defaults
  namespace: tekton-pipelines
data:
  _example: |-
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # default-timeout-minutes contains the default number of
    # minutes to use for TaskRun and PipelineRun, if none is specified.
    default-timeout-minutes: "60"  # 60 minutes

    # default-service-account contains the default service account name
    # to use for TaskRun and PipelineRun, if none is specified.
    default-service-account: "default"

    # default-managed-by-label-value contains the default value given to the
    # "app.kubernetes.io/managed-by" label applied to all Pods created for
    # TaskRuns. If a user's requested TaskRun specifies another value for this
    # label, the user's request supercedes.
    default-managed-by-label-value: "tekton-pipelines"

    # default-pod-template contains the default pod template to use
    # TaskRun and PipelineRun, if none is specified. If a pod template
    # is specified, the default pod template is ignored.
    # default-pod-template:

---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# feature-flags: switches for behaviour that Tekton applies to Task
# containers. Both flags ship as the string "false".
apiVersion: v1
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines
data:
  # disable-home-env-overwrite: when "true", Tekton does not override the
  # $HOME environment variable of Task containers.
  #
  # Tekton currently overrides $HOME by default; this default will change
  # in an upcoming release.
  #
  # Background: https://github.com/tektoncd/pipeline/issues/2013
  disable-home-env-overwrite: "false"
  # disable-working-directory-overwrite: when "true", Tekton does not
  # override the working directory of Task containers.
  #
  # Tekton currently overrides the working directory when the user has not
  # set one; this default will change in an upcoming release.
  #
  # Background: https://github.com/tektoncd/pipeline/issues/1836
  disable-working-directory-overwrite: "false"
---
# Copyright 2020 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# config-leader-election: leader-election settings; both Deployments in this
# file receive this ConfigMap's name through CONFIG_LEADERELECTION_NAME.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-leader-election
  namespace: tekton-pipelines
data:
  # An inactive but valid configuration follows; see example.
  resourceLock: "leases"
  leaseDuration: "15s"
  renewDeadline: "10s"
  retryPeriod: "2s"
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# config-logging: logger configuration plus per-component log levels for the
# controller and the webhook.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging
  namespace: tekton-pipelines
data:
  # Logger configuration common to all knative-based code; the value is a
  # JSON document kept verbatim in a literal block.
  # NOTE(review): "timeKey" is empty in the encoder settings below; with zap
  # an empty key omits that field, so entries presumably carry no timestamp
  # of their own and depend on the one added by the log collector. Confirm
  # before relying on these logs for incident timelines.
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }
  # Per-component log level overrides
  loglevel.controller: "info"
  loglevel.webhook: "info"
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# config-observability: metrics settings. The only key shipped is "_example",
# a block of text that documents the available options and has no effect
# until an option is copied out of it into "data".
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-observability
  namespace: tekton-pipelines
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using Stackdriver will incur additional charges.
    metrics.backend-destination: prometheus

    # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used and metrics will be sent to the cluster's project if this field is
    # not provided.
    metrics.stackdriver-project-id: ""

    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed
    # to send metrics to Stackdriver using "global" resource type and custom
    # metric type. Setting this flag to "true" could cause extra Stackdriver
    # charge. If metrics.backend-destination is not Stackdriver, this is
    # ignored.
    metrics.allow-stackdriver-custom-metrics: "false"
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
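# See the License for the specific language governing permissions and
# limitations under the License.

# Deployment of the Tekton Pipelines controller: one replica, running under
# the tekton-pipelines-controller service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: tekton-pipelines
    app.kubernetes.io/component: controller
    pipeline.tekton.dev/release: "v0.12.1"
    version: "v0.12.1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-pipelines-controller
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-pipelines-controller
        app.kubernetes.io/name: tekton-pipelines
        app.kubernetes.io/component: controller
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v0.12.1"
        version: "v0.12.1"
    spec:
      serviceAccountName: tekton-pipelines-controller
      containers:
        - name: tekton-pipelines-controller
          # Every image reference in this container carries an @sha256
          # digest, so the content that is pulled is fixed by the digest and
          # the tag is informational only.
          image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.12.1@sha256:0ca86ec6f246f49c1ac643357fd1c8e73a474aaa216548807b1216a9ff12f7be
          # Each flag is followed by its value as the next list item.
          args:
            # These images are built on-demand by `ko resolve` and are replaced
            # by image references by digest.
            - "-kubeconfig-writer-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/kubeconfigwriter:v0.12.1@sha256:67dcd447b0c624befa12843ce9cc0bcfc502179bdb28d59563d761a7f3968509"
            - "-creds-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/creds-init:v0.12.1@sha256:6266d023172dde7fa421f626074b4e7eedc7d7d5ff561c033d6d63ebfff4a2f2"
            - "-git-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.12.1@sha256:d82c78288699dd6ee40c852b146cb3bd89b322b42fb3bc4feec28ea54bb7b36c"
            - "-entrypoint-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.12.1@sha256:7f3db925f7660673a74b0e1030e65540adea36fe361ab7f06f5b5c47cdcef47d"
            - "-imagedigest-exporter-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/imagedigestexporter:v0.12.1@sha256:e8f08214baad9054bbed7be2b8617c6964b9a1c5405cf59eabcc3d3267a6253f"
            - "-pr-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/pullrequest-init:v0.12.1@sha256:71e0226346e0d3d57af7c35b6cb907d42d3142e845b0f865ba0c86d3e248f3cb"
            - "-build-gcs-fetcher-image"
            - "gcr.io/tekton-releases/github.com/tektoncd/pipeline/vendor/github.com/googlecloudplatform/cloud-builders/gcs-fetcher/cmd/gcs-fetcher:v0.12.1@sha256:ae5721bf0d883947c3c13f519ca26129792f4058d5f9dfedd50174d9e7acb2bc"
            # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
            # A digest pin does not pick up later upstream fixes; these
            # references need to be re-resolved when the base images change.
            - "-nop-image"
            - "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b"
            - "-shell-image"
            - "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6"
            - "-gsutil-image"
            - "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e"
          volumeMounts:
            - name: config-logging
              mountPath: /etc/config-logging
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the controller's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_ARTIFACT_BUCKET_NAME
              value: config-artifact-bucket
            - name: CONFIG_ARTIFACT_PVC_NAME
              value: config-artifact-pvc
            - name: CONFIG_FEATURE_FLAGS_NAME
              value: feature-flags
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          # Set explicitly so the controller matches the webhook container
          # and the tekton-pipelines PodSecurityPolicy earlier in this file,
          # both of which set allowPrivilegeEscalation to false.
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: config-logging
          configMap:
            name: config-logging
---
# Service in front of the controller; it publishes the metrics port only.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-controller
    pipeline.tekton.dev/release: "v0.12.1"
    version: "v0.12.1"
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
    - name: http-metrics
      port: 9090
      protocol: TCP
      targetPort: 9090
  selector:
    app: tekton-pipelines-controller
---
# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deployment of the Tekton Pipelines webhook: one replica, running under the
# tekton-pipelines-webhook service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Note: the Deployment name must be the same as the Service name specified in
  # config/400-webhook-service.yaml. If you change this name, you must also
  # change the value of WEBHOOK_SERVICE_NAME below.
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: tekton-pipelines
    app.kubernetes.io/component: webhook-controller
    pipeline.tekton.dev/release: "v0.12.1"
    version: "v0.12.1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tekton-pipelines-webhook
      role: webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-pipelines-webhook
        role: webhook
        app.kubernetes.io/name: tekton-pipelines
        app.kubernetes.io/component: webhook-controller
        pipeline.tekton.dev/release: "v0.12.1"
        version: "v0.12.1"
    spec:
      serviceAccountName: tekton-pipelines-webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.12.1@sha256:69f065d493244dbd50563b96f5474bf6590821a6308fd8c69c5ef06cf4d988b2
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the webhook's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-pipelines-webhook
            # Name of the Secret the webhook uses for its certificates
            # (presumably its serving certificate and key; confirm against
            # the Secret definition, which is not in this part of the file).
            - name: WEBHOOK_SECRET_NAME
              value: webhook-certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
---
# Service in front of the webhook; port 443 forwards to the container's
# https-webhook port 8443.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-pipelines-webhook
    role: webhook
    # Quoted like every other release label in this file; the value is
    # unchanged.
    pipeline.tekton.dev/release: "v0.12.1"
    version: "v0.12.1"
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
spec:
  ports:
    # Define metrics and profiling for them to be accessible within service meshes.
    # NOTE(review): declaring http-profiling here makes port 8008 reachable
    # by any workload allowed to talk to this Service; confirm the profiling
    # endpoint is disabled or restricted (for example with a NetworkPolicy)
    # where it is not needed.
    - name: http-metrics
      port: 9090
      targetPort: 9090
    - name: http-profiling
      port: 8008
      targetPort: 8008
    - name: https-webhook
      port: 443
      targetPort: 8443
  selector:
    app: tekton-pipelines-webhook
    role: webhook
---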