diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
new file mode 100644
index 000000000000..912111bab4b8
--- /dev/null
+++ b/.github/workflows/backend.yml
@@ -0,0 +1,83 @@ +name: KFP Tekton backend unit tests + +on: + push: + branches: [master] + + # Run tests for any PRs which change the backend code + pull_request: + paths: + - 'go.mod' + - 'backend/**' + - 'scripts/deploy/github/**' + - 'manifests/kustomize/**' + +env: + GITHUB_ACTION: "true" + SETUPTOOLS_USE_DISTUTILS: "stdlib" + +jobs: + run-go-unittests: + runs-on: ubuntu-latest + steps: + - name: Install Go + uses: actions/setup-go@v4 + with: + go-version: 1.20.x + - name: Checkout code + uses: actions/checkout@v4 + - name: "run go unit tests" + run: go test -v -cover ./backend/... + backend-integration: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Create k8s Kind Cluster + uses: container-tools/kind-action@v2 + with: + cluster_name: kfp-tekton + kubectl_version: v1.29.2 + version: v0.17.0 + node_image: kindest/node:v1.29.2 + - name: build images + run: ./scripts/deploy/github/build-images.sh + - name: Set up Python 3.10 + uses: actions/setup-python@v4 + with: + python-version: '3.10' + - name: "deploy kfp-tekton" + run: ./scripts/deploy/github/deploy-kfp.sh + - name: Install sdk + run: | + python3 -m venv .venv + . .venv/bin/activate + pip install -e sdk/python + - name: "flip coin test" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-flip-coin.sh" ./scripts/deploy/github/e2e-test.sh + - name: "static loop test" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-static-loop.sh" ./scripts/deploy/github/e2e-test.sh + - name: "dynamic loop test" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-dynamic-loop.sh" ./scripts/deploy/github/e2e-test.sh + - name: "secret as env" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-secret-as-env.sh" ./scripts/deploy/github/e2e-test.sh + - name: "secret as volume" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-secret-as-volume.sh" ./scripts/deploy/github/e2e-test.sh + - name: "use env" + run: | + . 
.venv/bin/activate + TEST_SCRIPT="test-env.sh" ./scripts/deploy/github/e2e-test.sh + - name: "use volume" + run: | + . .venv/bin/activate + TEST_SCRIPT="test-volume.sh" ./scripts/deploy/github/e2e-test.sh diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000000..2f0b0b472e01 --- /dev/null +++ b/.github/workflows/codeql.yml 
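Review bot: The workflow declares no `permissions:` block, so both jobs run with whatever default GITHUB_TOKEN scope the repository grants, although nothing in the steps needs more than checkout; adding `permissions:` / `  contents: read` at the top level before `jobs:` makes the least-privilege intent explicit. The actions are referenced by mutable major tags (`actions/setup-go@v4`, `actions/checkout@v4`, `container-tools/kind-action@v2`, `actions/setup-python@v4`); for the third-party kind action in particular, pinning to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening, since this job builds and deploys images from pull-request code. The seven e2e steps each repeat `. .venv/bin/activate`; a short comment above `Install sdk` explaining that the venv must be re-activated per step because each `run:` is a fresh shell would save the next maintainer from "simplifying" it away.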
@@ -0,0 +1,72 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + schedule: + # Every Friday at 19:39 + - cron: '39 19 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go', 'javascript', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/manifests/kustomize/cluster-scoped-resources-tekton/kustomization.yaml b/manifests/kustomize/cluster-scoped-resources-tekton/kustomization.yaml new file mode 100644 index 000000000000..ea1a04a385cf --- /dev/null +++ b/manifests/kustomize/cluster-scoped-resources-tekton/kustomization.yaml 
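Review bot: The `on:` block has only the Friday `schedule`, so a push or pull request that introduces a finding is not scanned until the next weekly run; adding `push:` on `master` and a `pull_request:` trigger, as backend.yml in this same change does, gives per-change coverage and lets findings gate merges. The action majors also lag the sibling workflow: `actions/checkout@v3` and `github/codeql-action/*@v2` here versus `actions/checkout@v4` in backend.yml, and the v2 CodeQL action line is being retired by GitHub, so moving both to the current major (and ideally to SHA pins) keeps the two workflows consistent. The template boilerplate about autobuild and the commented-out `queries:` line could be trimmed to the parts that apply to this repository.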
@@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: kubeflow + +resources: +- namespace.yaml +bases: +- ../third-party/application/cluster-scoped +# - ../third-party/argo/installs/namespace/cluster-scoped +- ../base/pipeline/cluster-scoped +- ../base/cache-deployer/cluster-scoped +vars: +# NOTE: var name must be unique globally to allow composition of multiple kustomize +# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from +# others. +- name: kfp-cluster-scoped-namespace + objref: + # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml + # so that we only need to change kustomization.yaml's namespace field for namespace customization. + kind: ServiceAccount + name: kubeflow-pipelines-cache-deployer-sa + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +configurations: +- params.yaml diff --git a/manifests/kustomize/cluster-scoped-resources-tekton/namespace.yaml b/manifests/kustomize/cluster-scoped-resources-tekton/namespace.yaml new file mode 100644 index 000000000000..3c65856e7b73 --- /dev/null +++ b/manifests/kustomize/cluster-scoped-resources-tekton/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: '$(kfp-cluster-scoped-namespace)' diff --git a/manifests/kustomize/cluster-scoped-resources-tekton/params.yaml b/manifests/kustomize/cluster-scoped-resources-tekton/params.yaml new file mode 100644 index 000000000000..cc253fe26603 --- /dev/null +++ b/manifests/kustomize/cluster-scoped-resources-tekton/params.yaml @@ -0,0 +1,4 @@ +# Allow Kustomize var to replace following fields. +varReference: +- path: metadata/name + kind: Namespace diff --git a/manifests/kustomize/env/plain-multi-user/kustomization.yaml b/manifests/kustomize/env/plain-multi-user/kustomization.yaml new file mode 100644 index 000000000000..47c8daea9cf7 --- /dev/null +++ b/manifests/kustomize/env/plain-multi-user/kustomization.yaml 
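Review bot: This kustomization relies on `bases:` and `vars:`, both of which kustomize has deprecated (the `bases` entries belong under `resources:`, and `vars` plus the `configurations: params.yaml` varReference is the pattern `replacements:` supersedes), so current kustomize prints deprecation warnings on every build and a future major may reject the file. The `namespace.yaml` in the same change depends on the var through `'$(kfp-cluster-scoped-namespace)'`, so the two files need to migrate together. Sequence indentation is also flush here but indented in the `env/plain-multi-user` kustomization that follows; picking one style across the manifests tree keeps yamllint quiet.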
@@ -0,0 +1,22 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base/installs/multi-user + - ../../base/metadata/base + - ../../base/metadata/options/istio + - ../../third-party/mysql/base + - ../../third-party/mysql/options/istio + - ../../third-party/minio/base + - ../../third-party/minio/options/istio + - ../../third-party/metacontroller/base + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +commonLabels: + application-crd-id: kubeflow-pipelines + +# !!! If you want to customize the namespace, +# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml +namespace: kubeflow diff --git a/manifests/kustomize/env/plain/kustomization.yaml b/manifests/kustomize/env/plain/kustomization.yaml new file mode 100644 index 000000000000..7bf943cab335 --- /dev/null +++ b/manifests/kustomize/env/plain/kustomization.yaml @@ -0,0 +1,19 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../cluster-scoped-resources-tekton + - ../../base/installs/generic + - ../../base/metadata/base + - ../../third-party/minio/base + - ../../third-party/mysql/base + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +commonLabels: + application-crd-id: kubeflow-pipelines + +# !!! If you want to customize the namespace, +# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml +namespace: kubeflow diff --git a/manifests/kustomize/env/platform-agnostic-tekton-multi-user/kustomization.yaml b/manifests/kustomize/env/platform-agnostic-tekton-multi-user/kustomization.yaml new file mode 100644 index 000000000000..586bb03dadf8 --- /dev/null +++ b/manifests/kustomize/env/platform-agnostic-tekton-multi-user/kustomization.yaml 
@@ -0,0 +1,70 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../third-party/tekton/installs/cluster + - ../../third-party/tekton-custom-task + - ../plain-multi-user + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +commonLabels: + application-crd-id: kubeflow-pipelines + +patchesStrategicMerge: +- tekton-config.yaml + +patches: +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline + spec: + template: + spec: + containers: + - name: ml-pipeline-api-server + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-persistenceagent + spec: + template: + spec: + containers: + - name: ml-pipeline-persistenceagent + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-scheduledworkflow + spec: + template: + spec: + containers: + - name: ml-pipeline-scheduledworkflow + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-ui + spec: + template: + spec: + containers: + - name: ml-pipeline-ui + env: + - name: POD_LOG_CONTAINER_NAME + value: step-user-main \ No newline at end of file diff --git a/manifests/kustomize/env/platform-agnostic-tekton-multi-user/tekton-config.yaml b/manifests/kustomize/env/platform-agnostic-tekton-multi-user/tekton-config.yaml new file mode 100644 index 000000000000..5707255acdd9 --- /dev/null +++ b/manifests/kustomize/env/platform-agnostic-tekton-multi-user/tekton-config.yaml 
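Review bot: This overlay uses `patchesStrategicMerge:` and `commonLabels:`, both deprecated in kustomize v5, while the sibling `env/platform-agnostic-tekton/kustomization.yaml` added in the same change already uses `labels:` with `includeSelectors: true` and lists the ConfigMap patch under `patches:`; the two overlays set the same EXECUTIONTYPE and POD_LOG_CONTAINER_NAME values but now diverge in syntax, which will bite whoever upgrades kustomize. Moving `tekton-config.yaml` into `patches:` as `- path: tekton-config.yaml` and replacing `commonLabels` with the `labels:` form used by the sibling aligns them. The file also lacks a trailing newline.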
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + running-in-environment-with-injected-sidecars: "true" diff --git a/manifests/kustomize/env/platform-agnostic-tekton/kustomization.yaml b/manifests/kustomize/env/platform-agnostic-tekton/kustomization.yaml new file mode 100644 index 000000000000..9ea37762cbfa --- /dev/null +++ b/manifests/kustomize/env/platform-agnostic-tekton/kustomization.yaml @@ -0,0 +1,70 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../../third-party/tekton/installs/cluster +- ../../third-party/tekton-custom-task +- ../plain + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. + +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines + +patches: +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline + spec: + template: + spec: + containers: + - name: ml-pipeline-api-server + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-persistenceagent + spec: + template: + spec: + containers: + - name: ml-pipeline-persistenceagent + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-scheduledworkflow + spec: + template: + spec: + containers: + - name: ml-pipeline-scheduledworkflow + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-ui + spec: + template: + spec: + containers: + - name: ml-pipeline-ui + env: + - name: POD_LOG_CONTAINER_NAME + value: step-user-main 
diff --git a/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml b/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml new file mode 100644 index 000000000000..73c347862d28 --- /dev/null +++ b/manifests/kustomize/third-party/openshift-pipelines-custom-task/kustomization.yaml @@ -0,0 +1,58 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../tekton-custom-task + +namespace: openshift-pipelines + +patches: +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: tekton-pipelineloop-controller +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: tekton-pipelineloop-webhook +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: kfp-driver +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: kfp-exithandler-controller +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: kfp-exithandler-webhook +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: kfptask-controller +- patch: |- + - op: remove + path: /spec/template/spec/containers/0/securityContext/runAsUser + target: + group: apps + kind: Deployment + name: kfptask-webhook diff --git a/manifests/kustomize/third-party/openshift/standalone/anyuid-scc.yaml b/manifests/kustomize/third-party/openshift/standalone/anyuid-scc.yaml new file mode 100644 index 000000000000..c7c3e13d3892 --- /dev/null +++ b/manifests/kustomize/third-party/openshift/standalone/anyuid-scc.yaml 
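Review bot: Each JSON patch uses `op: remove` on `/spec/template/spec/containers/0/securityContext/runAsUser`, and a JSON-patch remove of a missing path fails the whole kustomize build, so these seven patches hard-depend on every listed Deployment in `../tekton-custom-task` setting `runAsUser` on container 0; that base is outside this diff, so it cannot be confirmed here. Nothing in the file says why the field is dropped; a comment above `patches:` such as `# OpenShift SCCs assign the UID from the namespace range; a fixed runAsUser would be rejected by the restricted SCC.` would record the intent (hedged, since the consuming SCC is defined elsewhere in this change). If all Deployments in the base need the same edit, a single patch whose `target:` omits `name:` would replace the seven copies, but only if no other Deployment in that base must keep its UID.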
@@ -0,0 +1,64 @@ +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC + but allows users to run with any UID and any GID. + name: kubeflow-anyuid-kfp-tekton +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +#Metadata DB accesses files owned by root +- system:serviceaccount:kubeflow:metadatadb +#Minio accesses files owned by root +- system:serviceaccount:kubeflow:minio +#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it +- system:serviceaccount:kubeflow:default +- system:serviceaccount:kubeflow:pipeline-runner +- system:serviceaccount:kubeflow:kubeflow-pipelines-cache +- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa +- system:serviceaccount:kubeflow:metadata-grpc-server +- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer +- system:serviceaccount:kubeflow:ml-pipeline +- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent +- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow +- system:serviceaccount:kubeflow:ml-pipeline-ui +- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account +- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver +- system:serviceaccount:kubeflow:mysql +- system:serviceaccount:kubeflow:kfp-csi-s3 +- system:serviceaccount:kubeflow:kfp-csi-attacher +- system:serviceaccount:kubeflow:kfp-csi-provisioner +- 
system:serviceaccount:openshift-pipelines:kfp-driver +- system:serviceaccount:openshift-pipelines:kfp-exithandler-controller +- system:serviceaccount:openshift-pipelines:kfp-exithandler-webhook +- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-controller +- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-webhook +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret diff --git a/manifests/kustomize/third-party/openshift/standalone/kustomization.yaml b/manifests/kustomize/third-party/openshift/standalone/kustomization.yaml new file mode 100644 index 000000000000..707e8b8aff6e --- /dev/null +++ b/manifests/kustomize/third-party/openshift/standalone/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - anyuid-scc.yaml + - privileged-scc.yaml diff --git a/manifests/kustomize/third-party/openshift/standalone/privileged-scc.yaml b/manifests/kustomize/third-party/openshift/standalone/privileged-scc.yaml new file mode 100644 index 000000000000..84b0ceb618f2 --- /dev/null +++ b/manifests/kustomize/third-party/openshift/standalone/privileged-scc.yaml 
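Review bot: `allowPrivilegedContainer: true` contradicts this SCC's own description ("all features of the restricted SCC but allows users to run with any UID and any GID"): the built-in restricted SCC never permits privileged containers, so every one of the ~25 listed service accounts, including `kubeflow:default` and `kubeflow:pipeline-runner` which by their names appear to run user-submitted pipeline steps, can request a fully privileged pod under an SCC named "anyuid". Since the same change adds a separate `kubeflow-privileged-kfp-tekton` SCC for workloads that genuinely need it, this one should set `allowPrivilegedContainer: false`, and `allowPrivilegeEscalation: false` unless a listed workload is known to need setuid binaries. `priority: 10` makes this SCC win over the cluster's built-in `restricted`/`anyuid` SCCs for these accounts, so the relaxation is not opt-in. `requiredDropCapabilities` drops only MKNOD, whereas the restricted SCC it claims to mirror also drops KILL, SETUID and SETGID; aligning that list would make the description true.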
@@ -0,0 +1,65 @@ +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC + but allows users to run with any UID and any GID. + name: kubeflow-privileged-kfp-tekton +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +#Metadata DB accesses files owned by root +- system:serviceaccount:kubeflow:metadatadb +#Minio accesses files owned by root +- system:serviceaccount:kubeflow:minio +#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it +- system:serviceaccount:kubeflow:default +- system:serviceaccount:kubeflow:pipeline-runner +- system:serviceaccount:kubeflow:kubeflow-pipelines-cache +- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa +- system:serviceaccount:kubeflow:metadata-grpc-server +- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer +- system:serviceaccount:kubeflow:ml-pipeline +- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent +- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow +- system:serviceaccount:kubeflow:ml-pipeline-ui +- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account +- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver +- system:serviceaccount:kubeflow:mysql +- system:serviceaccount:kubeflow:kfp-csi-s3 +- system:serviceaccount:kubeflow:kfp-csi-attacher +- system:serviceaccount:kubeflow:kfp-csi-provisioner +- 
system:serviceaccount:openshift-pipelines:kfp-driver +- system:serviceaccount:openshift-pipelines:kfp-exithandler-controller +- system:serviceaccount:openshift-pipelines:kfp-exithandler-webhook +- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-controller +- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-webhook +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml new file mode 100644 index 000000000000..d0c47df18ef3 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml @@ -0,0 +1,33 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kfp-exithandler-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton \ No newline at end of file 
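Review bot: The `kubernetes.io/description` annotation is copy-pasted from the anyuid SCC ("kubeflow-anyuid provides all features of the restricted SCC ...") but this object enables `allowHostDirVolumePlugin: true`, adds `hostPath` to `volumes`, and allows privileged containers, so the description misstates what an admin auditing SCCs will see; something like `kubeflow-privileged-kfp-tekton allows privileged containers and hostPath volumes for the listed KFP service accounts.` is accurate. The `users` list is identical to the anyuid SCC, which means every KFP service account, not only the ones that need node access, may mount the node filesystem; trimming it to the accounts that actually require hostPath (presumably the `kfp-csi-*` ones, to be confirmed against the CSI manifests) keeps the other accounts on the anyuid SCC. With both SCCs at `priority: 10` and the same user set, which one a pod lands on is not obvious from these files alone.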
diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml
new file mode 100644
index 000000000000..567e7bdd9f78
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml
@@ -0,0 +1,109 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfp-exithandler-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # Controller needs cluster access to all of the CRDs that it is responsible for managing. + - apiGroups: ["tekton.dev"] + resources: ["runs", "customruns", "taskruns", "pipelineruns"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["custom.tekton.dev"] + resources: ["exithandlers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. 
+ name: kfp-exithandler-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfp-exithandler-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # The webhook needs to be able to list and update customresourcedefinitions, + # mainly to update the webhook certificates. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "list", "update", "patch", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "update", "patch", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. + resourceNames: ["webhook.exithandler.custom.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. 
+ verbs: ["get", "update"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.exithandler.custom.tekton.dev performs schema validation when you, for example, create ExitHandlers. + resourceNames: ["validation.webhook.exithandler.custom.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfp-exithandler-leader-election + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # We uses leases for leaderelection + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-role.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-role.yaml new file mode 100644 index 000000000000..b22ced5d452a --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-role.yaml 
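Review bot: Both `kfp-exithandler-controller-cluster-access` and `kfp-exithandler-webhook-cluster-access` grant `apps/deployments` with `create`, `update`, `delete` and `patch` across the whole cluster, which lets either service account replace any Deployment in any namespace; if the rule exists only so the pods can set ownerReferences or finalizers on their own Deployment, scoping it with `resourceNames: ["kfp-exithandler-controller"]` (or the webhook name) and dropping `create`/`delete` removes most of that blast radius, though the exact need is not visible in this hunk. The comment on the `mutatingwebhookconfigurations`/`validatingwebhookconfigurations` list rule says "we need get, list and watch" while the verbs are `["list", "watch"]`; either add `get` or reword the comment to match. The `policy/podsecuritypolicies` `use` rule targets an API removed in Kubernetes 1.25, so on the v1.29 kind cluster the backend workflow uses it is inert and can be dropped or fenced to the OpenShift overlay.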
@@ -0,0 +1,68 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfp-exithandler-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config", "cache-config"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The webhook needs access to these configmaps for logging information. 
+ - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config", "cache-config"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] + # The webhook daemon makes a reconciliation loop on kfp-exithandler-webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["kfp-exithandler-webhook-certs"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] \ No newline at end of file diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml new file mode 100644 index 000000000000..f4ab6064e7ad --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml 
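Review bot: The webhook Role's `secrets` `list`/`watch` rule is namespace-wide in `tekton-pipelines`, so the `kfp-exithandler-webhook` service account can read the contents of every Secret in that namespace, not only `kfp-exithandler-webhook-certs`; this is the usual knative informer pattern and cannot be narrowed with `resourceNames` for list, but a comment stating that explicitly, e.g. `# list/watch cannot be restricted by resourceNames; the informer sees all secrets in this namespace.`, records that the exposure is known. The `podsecuritypolicies` rules in both Roles reference an API removed in Kubernetes 1.25, the same dead rule noted in 201-clusterrole.yaml. The file also lacks a trailing newline.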
@@ -0,0 +1,49 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kfp-exithandler-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: kfp-exithandler-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: kfp-exithandler-webhook + apiGroup: rbac.authorization.k8s.io diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml new file mode 100644 index 000000000000..d2bae5c4e3c8 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml 
@@ -0,0 +1,102 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfp-exithandler-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfp-exithandler-controller-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. The access described by +# the kfp-exithandler-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfp-exithandler-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfp-exithandler-controller-tenant-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfp-exithandler-controller-leaderelection + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfp-exithandler-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfp-exithandler-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfp-exithandler-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfp-exithandler-webhook-leaderelection + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfp-exithandler-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfp-exithandler-leader-election + apiGroup: rbac.authorization.k8s.io 
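Review bot: The `kfp-exithandler-controller-leaderelection` and `kfp-exithandler-webhook-leaderelection` bindings hand the `kfp-exithandler-leader-election` ClusterRole to both service accounts cluster-wide, yet the leases presumably live only in `tekton-pipelines`, since both deployments derive SYSTEM_NAMESPACE from their own pod namespace (500-controller.yaml, 500-webhook.yaml). A `kind: RoleBinding` in `tekton-pipelines` referencing the same ClusterRole gives the same behaviour with namespace-scoped lease access; please confirm against the leader-election config before narrowing. The `-tenant-access` binding is the same question, which the header comment already raises but leaves unanswered. The kfptask 202-clusterrolebinding.yaml hunk has the identical layout and the same remark applies there.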
diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml
new file mode 100644
index 000000000000..cec9357bd804
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml
@@ -0,0 +1,52 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: exithandlers.custom.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" + version: "devel" +spec: + group: custom.tekton.dev + versions: + - name: v1alpha1 + served: true + storage: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + names: + kind: ExitHandler + plural: exithandlers + categories: + - tekton + - tekton-pipelines + - openshift-pipelines + scope: Namespaced diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-controller.yaml new file mode 100644 index 000000000000..e150a4fc33a7 --- /dev/null 
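Review bot: The `openAPIV3Schema` is an empty `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing in `spec` and admission-time checking rests entirely on `validation.webhook.exithandler.custom.tekton.dev` from 500-webhook-configuration.yaml. That is a single-replica, fail-closed webhook, so a schema with at least `properties`/`required` for the fields the controller reads would keep a baseline of validation when the webhook is unavailable or someone later relaxes `failurePolicy`. The `x-kubernetes-preserve-unknown-fields: true` opt-in can stay on the remaining fields. The kfptask 300-kfptask-crd.yaml hunk carries the same schema and the same note applies.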
+++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-controller.yaml 
@@ -0,0 +1,79 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kfp-exithandler-controller + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "devel" + app.kubernetes.io/part-of: kfp-tekton + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "devel" + # labels below are related to istio and should not be used for resource lookup + version: "devel" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "devel" + app.kubernetes.io/part-of: kfp-tekton + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "devel" + # labels below are related to istio and should not be used for resource lookup + app: kfp-exithandler-controller + version: "devel" + spec: + serviceAccountName: kfp-exithandler-controller + containers: + - name: 
kfp-exithandler-controller + image: tekton-exithandler-controller:dummy + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml new file mode 100644 index 000000000000..345c57d1f746 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml 
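Review bot: `metadata` of this Deployment has no `namespace:`, while its `serviceAccountName: kfp-exithandler-controller` is bound in `tekton-pipelines` (201-rolebinding.yaml) and the sibling webhook Deployment in 500-webhook.yaml does set `namespace: tekton-pipelines`; the exit-handler kustomization.yaml sets no `namespace:` either, so an apply without `-n tekton-pipelines` lands the Deployment in the default namespace where that service account does not exist. Add `namespace: tekton-pipelines` under `metadata` to match the rest of the directory. The container `securityContext` is a good baseline; `readOnlyRootFilesystem: true` would complete it if the controller writes nothing to its filesystem, and neither this Deployment nor the webhook's declares `resources` requests or limits. `image: tekton-exithandler-controller:dummy` is presumably rewritten by the deploy scripts; a comment naming the mechanism would help whoever applies this directory by hand.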
@@ -0,0 +1,68 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: kfp-exithandler-webhook-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" +# The data is populated at install time. + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.exithandler.custom.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: validation.webhook.exithandler.custom.tekton.dev + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.exithandler.custom.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: 
webhook.exithandler.custom.tekton.dev
+
diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook.yaml
new file mode 100644
index 000000000000..2f8a394d3f5a
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/500-webhook.yaml
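Review bot: Both webhook entries list only `admissionReviewVersions: [v1beta1]`; the `admission.k8s.io/v1beta1` AdmissionReview is deprecated in favour of `v1`, so list `v1` first and keep `v1beta1` at most as a fallback: `admissionReviewVersions: ["v1", "v1beta1"]`. The entries also carry no `rules:` and no `caBundle`, which is presumably the knative pattern where the webhook reconciler fills them in from `kfp-exithandler-webhook-certs`; a comment saying so next to `webhooks:` would stop the next reader from assuming the configuration is inert or from adding rules by hand that the reconciler then overwrites. `failurePolicy: Fail` is the right fail-closed choice for a validating webhook, but with `replicas: 1` in 500-webhook.yaml every rollout of the webhook briefly rejects all ExitHandler writes, which is worth stating in the same comment.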
@@ -0,0 +1,122 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kfp-exithandler-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "devel" + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" + version: "devel" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "devel" + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" + app: tekton-pipelines-webhook + version: "devel" + spec: + serviceAccountName: kfp-exithandler-webhook + containers: + - name: webhook + image: tekton-exithandler-webhook:dummy + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you will also need to update + # the webhook's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. 
+ - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election + - name: WEBHOOK_SERVICE_NAME + value: kfp-exithandler-webhook + - name: WEBHOOK_SECRET_NAME + value: kfp-exithandler-webhook-certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: https-webhook + containerPort: 8443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "devel" + app.kubernetes.io/part-of: kfp-tekton + pipeline.tekton.dev/release: "devel" + app: tekton-pipelines-webhook + version: "devel" + name: kfp-exithandler-webhook + namespace: tekton-pipelines +spec: + ports: + # Define metrics and profiling for them to be accessible within service meshes. + - name: http-metrics + port: 9090 + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: https-webhook + port: 443 + targetPort: 8443 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton diff --git a/manifests/kustomize/third-party/tekton-custom-task/exit-handler/kustomization.yaml b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/kustomization.yaml new file mode 100644 index 000000000000..e9cd59886611 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/exit-handler/kustomization.yaml 
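Review bot: The comment above `CONFIG_LOGGING_NAME` points to `200-role.yaml`, but the webhook Role ships as `201-role.yaml` (see the exit-handler kustomization.yaml resource list), so the comment should read `the webhook's Role in 201-role.yaml`. More importantly, the Service selector and the Deployment `matchLabels` are only `app.kubernetes.io/name: webhook`, `component: webhook`, `instance: default`, `part-of: kfp-tekton`; if the kfptask webhook added in this PR (its Deployment is not in this chunk, but its RBAC files mirror these exactly) uses the same four labels in the same namespace, each webhook Service will send a share of admission requests to the other controller's pod and the two Deployments will have overlapping selectors. A distinguishing label such as `app.kubernetes.io/name: exithandler-webhook` on both the selector and the pod template avoids that. Exposing `http-profiling` (8008, presumably pprof) through the Service also deserves a second look: unless profiling is enabled in config-observability it is dead, and when it is enabled it should not be reachable beyond the pod.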
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - 200-serviceaccount.yaml
+ - 201-clusterrole.yaml
+ - 201-role.yaml
+ - 201-rolebinding.yaml
+ - 202-clusterrolebinding.yaml
+ - 300-exithandler-crd.yaml
+ - 500-controller.yaml
+ - 500-webhook-configuration.yaml
+ - 500-webhook.yaml
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml
new file mode 100644
index 000000000000..d9e470eeeaab
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml
@@ -0,0 +1,33 @@
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kfptask-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kfptask-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
\ No newline at end of file
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml
new file mode 100644
index 000000000000..d8da4a5e6163
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml
@@ -0,0 +1,122 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfptask-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # Controller needs cluster access to all of the CRDs that it is responsible for managing. + - apiGroups: ["tekton.dev"] + resources: ["runs", "customruns", "taskruns", "pipelineruns"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["custom.tekton.dev"] + resources: ["kfptasks"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes", "persistentvolumeclaims"] + verbs: ["*"] + + # Controller needs permission to emit events associated with Run CRs. 
+ - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + + # driver needs to access configmaps to get configuration + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "watch", "list"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. + name: kfptask-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfptask-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # The webhook needs to be able to list and update customresourcedefinitions, + # mainly to update the webhook certificates. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "list", "update", "patch", "watch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "update", "patch", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. 
+ resourceNames: ["webhook.kfptask.custom.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] + - apiGroups: ["apps"] + resources: ["deployments", "deployments/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.kfptask.custom.tekton.dev performs schema validation when you, for example, create KfpTasks. + resourceNames: ["validation.webhook.kfptask.custom.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfptask-leader-election + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + # We uses leases for leaderelection + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-role.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-role.yaml new file mode 100644 index 000000000000..757ec7c4d6b9 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-role.yaml 
@@ -0,0 +1,96 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfptask-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config", "cache-config"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: [""] + resources: ["persistentvolumes", persistentvolumeclaims] + verbs: ["*"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["create", "delete", "get"] + - apiGroups: [""] + resources: ["pods", "pods/exec", "pods/log", "services"] + verbs: ["*"] + - apiGroups: ["", "apps", "extensions"] + resources: ["deployments", "replicasets"] + verbs: ["*"] + - apiGroups: ["kubeflow.org"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["*"] + - apiGroups: ["machinelearning.seldon.io"] + resources: ["seldondeployments"] + verbs: ["*"] + - apiGroups: ["policy"] + resources: 
["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kfptask-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The webhook needs access to these configmaps for logging information. + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config", "cache-config"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] + # The webhook daemon makes a reconciliation loop on kfptask-webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["kfptask-webhook-certs"] + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: ["tekton-pipelines", "openshift-pipelines"] + verbs: ["use"] \ No newline at end of file diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml new file mode 100644 index 000000000000..d8aa0c81f037 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml 
@@ -0,0 +1,49 @@ +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kfptask-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: kfptask-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kfptask-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: kfptask-webhook + apiGroup: rbac.authorization.k8s.io diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml new file mode 100644 index 000000000000..166e0be3daf0 --- /dev/null +++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml 
@@ -0,0 +1,102 @@ +# Copyright 2020 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfptask-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfptask-controller-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. The access described by +# the kfptask-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfptask-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfptask-controller-tenant-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfptask-controller-leaderelection + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfptask-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfptask-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfptask-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfptask-webhook-leaderelection + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: kfp-tekton +subjects: + - kind: ServiceAccount + name: kfptask-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: kfptask-leader-election + apiGroup: rbac.authorization.k8s.io 
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml
new file mode 100644
index 000000000000..3c97edcd596a
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml
@@ -0,0 +1,52 @@
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: kfptasks.custom.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: custom.tekton.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ names:
+ kind: KfpTask
+ plural: kfptasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ - openshift-pipelines
+ scope: Namespaced
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-controller.yaml
new file mode 100644
index 000000000000..8a09a8713941
--- /dev/null
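Review bot: The whole `openAPIV3Schema` is `type: object` plus `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing about a KfpTask beyond it being an object and every structural check lives in the validating webhook; with `failurePolicy: Fail` that is workable, but a comment such as `# Schema validation is performed by validation.webhook.kfptask.custom.tekton.dev` would make the dependency explicit. If the `spec` shape is known, declaring the top-level `spec`/`status` properties and keeping `x-kubernetes-preserve-unknown-fields` only inside them would let server-side validation and `kubectl explain` reject obviously malformed objects even when the webhook is unavailable. The pipelineloops and breaktasks CRDs later in this diff have the same shape.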
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-controller.yaml 
@@ -0,0 +1,79 @@
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kfptask-controller
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: kfp-tekton
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "devel"
+ # labels below are related to istio and should not be used for resource lookup
+ version: "devel"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: kfp-tekton
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "devel"
+ # labels below are related to istio and should not be used for resource lookup
+ app: kfptask-controller
+ version: "devel"
+ spec:
+ serviceAccountName: kfptask-controller
+ containers:
+ - name: kfptask-controller
+ image:
tekton-kfptask-controller:dummy
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml
new file mode 100644
index 000000000000..83911000e989
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml
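Review bot: The Deployment has no `metadata.namespace`, while the kfptask webhook Deployment in 500-webhook.yaml and the ServiceAccount subjects in the ClusterRoleBindings all pin `tekton-pipelines`; the parent kustomization sets the namespace so the composed output is fine, but applying this file on its own lands the controller in the caller's current namespace, where `serviceAccountName: kfptask-controller` does not exist. The container declares no `resources` requests or limits and no readiness or liveness probe. The securityContext (non-root UID/GID, `drop: [ALL]`, `RuntimeDefault` seccomp, no privilege escalation) is the right baseline; the pipeline-loops controller and the kfptask webhook later in this diff share the same two gaps.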
@@ -0,0 +1,68 @@
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kfptask-webhook-certs
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+# The data is populated at install time.
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.kfptask.custom.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: kfptask-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: validation.webhook.kfptask.custom.tekton.dev
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: webhook.kfptask.custom.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: kfptask-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: webhook.kfptask.custom.tekton.dev
+
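Review bot: Both webhook entries advertise only `v1beta1` in `admissionReviewVersions`; `admission.k8s.io/v1` AdmissionReview has been the GA form since Kubernetes 1.16 and v1beta1 is deprecated, so listing `- v1` ahead of `- v1beta1` keeps the hook working on a cluster that stops serving the beta version (the knative webhook library appears to handle both, but I cannot confirm that from this diff). Neither entry carries `rules`, a `caBundle` or a `namespaceSelector`, so nothing is intercepted until something fills them in at runtime; a comment such as `# rules and caBundle are reconciled by the kfptask-webhook pod` would stop a reader from assuming the configuration is broken. The comment on the Secret says its data is populated at install time, but if it is the webhook that writes the certificate (the `get`/`update` grant on `*-webhook-certs` in the pipeline-loops Role suggests so), "populated by the webhook at runtime" is the accurate wording. The same applies to pipeline-loops/500-webhook-configuration.yaml at the end of this diff.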
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook.yaml
new file mode 100644
index 000000000000..966eb46eb34e
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/500-webhook.yaml
@@ -0,0 +1,122 @@
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kfptask-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+ app: tekton-pipelines-webhook
+ version: "devel"
+ spec:
+ serviceAccountName: kfptask-webhook
+ containers:
+ - name: webhook
+ image: tekton-kfptask-webhook:dummy
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ # If you are changing these names, you will also need to update
+ # the webhook's Role in 200-role.yaml to include the new
+ # values in the "configmaps" "get" rule.
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: WEBHOOK_SERVICE_NAME
+ value: kfptask-webhook
+ - name: WEBHOOK_SECRET_NAME
+ value: kfptask-webhook-certs
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ ports:
+ - name: metrics
+ containerPort: 9090
+ - name: profiling
+ containerPort: 8008
+ - name: https-webhook
+ containerPort: 8443
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: kfp-tekton
+ pipeline.tekton.dev/release: "devel"
+ app: tekton-pipelines-webhook
+ version: "devel"
+ name: kfptask-webhook
+ namespace: tekton-pipelines
+spec:
+ ports:
+ # Define metrics and profiling for them to be accessible within service meshes.
+ - name: http-metrics
+ port: 9090
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: https-webhook
+ port: 443
+ targetPort: 8443
+ selector:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: kfp-tekton
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kfptask/kustomization.yaml b/manifests/kustomize/third-party/tekton-custom-task/kfptask/kustomization.yaml
new file mode 100644
index 000000000000..de29e865e9ef
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kfptask/kustomization.yaml
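Review bot: The comment above the CONFIG_*_NAME env vars points at `200-role.yaml`, but the kfptask kustomization in this diff ships `201-role.yaml`, so the reference is stale; `# the webhook's Role in 201-role.yaml to include the new` matches the file that actually exists. The pod template and Service carry `app: tekton-pipelines-webhook`, the same value Tekton's own webhook uses, so any mesh policy or selector keyed on `app` matches both deployments; `app: kfptask-webhook` would mirror the controller's `app: kfptask-controller`. The Service also publishes the profiling port (8008) cluster-wide; knative keeps pprof disabled unless `profiling.enable` is set in config-observability, as far as I know, but the comment on the ports should say the port is inert by default rather than only mention meshes. The container declares no `resources` requests or limits.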
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - 200-serviceaccount.yaml
+ - 201-clusterrole.yaml
+ - 201-role.yaml
+ - 201-rolebinding.yaml
+ - 202-clusterrolebinding.yaml
+ - 300-kfptask-crd.yaml
+ - 500-controller.yaml
+ - 500-webhook-configuration.yaml
+ - 500-webhook.yaml
diff --git a/manifests/kustomize/third-party/tekton-custom-task/kustomization.yaml b/manifests/kustomize/third-party/tekton-custom-task/kustomization.yaml
new file mode 100644
index 000000000000..3af66de5803c
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/kustomization.yaml
@@ -0,0 +1,33 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- pipeline-loops
+- exit-handler
+- kfptask
+# Deprecated controller
+# - driver-controller
+
+namespace: tekton-pipelines
+
+images:
+ - name: quay.io/aipipeline/pipelineloop-controller
+ newTag: 1.9.2
+ - name: quay.io/aipipeline/pipelineloop-webhook
+ newTag: 1.9.2
+ - name: tekton-exithandler-controller
+ newName: quay.io/aipipeline/tekton-exithandler-controller
+ newTag: 2.0.5
+ - name: tekton-exithandler-webhook
+ newName: quay.io/aipipeline/tekton-exithandler-webhook
+ newTag: 2.0.5
+ - name: tekton-kfptask-controller
+ newName: quay.io/aipipeline/tekton-kfptask-controller
+ newTag: 2.0.5
+ - name: tekton-kfptask-webhook
+ newName: quay.io/aipipeline/tekton-kfptask-webhook
+ newTag: 2.0.5
+ # Deprecated controller
+ # - name: kfp-v2-dev-driver-controller
+ # newName: quay.io/aipipeline/tekton-driver
+ # newTag: 2.0.3
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml
new file mode 100644
index 000000000000..c995e80bd67f
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml
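Review bot: The `images` overrides in the tekton-custom-task kustomization pin every controller and webhook by mutable tag only (`newTag: 1.9.2`, `newTag: 2.0.5`); a tag can be re-pushed, so adding a `digest:` entry (kustomize accepts `digest: sha256:<digest-placeholder>` in place of `newTag`) makes the deployed bits reproducible and is the usual supply-chain hardening for third-party manifests. The base pipeline-loops Deployment in this diff still references the `:nightly` tag, so the tag rewrite here is the only thing standing between a direct apply of that directory and an unpinned build; a comment on the pipelineloop entries saying this override is authoritative would help. The commented-out `driver-controller` block is fine as history but the duplicated `# Deprecated controller` comment could name the removal date or the replacing component.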
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml
new file mode 100644
index 000000000000..34281f8b89b8
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml
@@ -0,0 +1,95 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelineloop-controller-cluster-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ # Controller needs cluster access to all of the CRDs that it is responsible for managing.
+ - apiGroups: ["tekton.dev"]
+ resources: ["runs", "customruns", "taskruns", "pipelineruns"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["tekton.dev"]
+ resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["custom.tekton.dev"]
+ resources: ["pipelineloops", "kfptasks"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "deployments/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ # This is the access that the controller needs on a per-namespace basis.
+ name: tekton-pipelineloop-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelineloop-webhook-cluster-access
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ # The webhook needs to be able to list and update customresourcedefinitions,
+ # mainly to update the webhook certificates.
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ # The webhook performs a reconciliation on these two resources and continuously
+ # updates configuration.
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ # knative starts informers on these things, which is why we need get, list and watch.
+ verbs: ["list", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ # This mutating webhook is responsible for applying defaults to tekton objects
+ # as they are received.
+ resourceNames: ["webhook.pipelineloop.custom.tekton.dev"]
+ # When there are changes to the configs or secrets, knative updates the mutatingwebhook config
+ # with the updated certificates or the refreshed set of rules.
+ verbs: ["get", "update"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "deployments/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ # validation.webhook.pipelineloop.custom.tekton.dev performs schema validation when you, for example, create PipelineLoops.
+ resourceNames: ["validation.webhook.pipelineloop.custom.tekton.dev"]
+ # When there are changes to the configs or secrets, knative updates the validatingwebhook config
+ # with the updated certificates or the refreshed set of rules.
+ verbs: ["get", "update"]
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["tekton-pipelines", "openshift-pipelines"]
+ verbs: ["use"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelineloop-leader-election
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ # We uses leases for leaderelection
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-role.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-role.yaml
new file mode 100644
index 000000000000..04b47b2eba3e
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-role.yaml
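Review bot: The `tekton-pipelineloop-controller-cluster-access` ClusterRole grants full CRUD, including `delete`, on `apps/deployments` cluster-wide; nothing in this diff shows the pipelineloop controller creating or removing Deployments, so unless the controller really manages them this rule should be dropped from the controller role (the webhook role has its own copy) to keep the controller at least privilege. The comment over the mutating/validating webhookconfigurations rule says the informers need "get, list and watch", but the rule grants only `["list", "watch"]`; `get` comes from the two `resourceNames`-scoped rules below it, and the comment should say so rather than name a verb that is not there. The `policy/podsecuritypolicies` `use` rules are inert on Kubernetes 1.25+ (the CI in this diff runs a 1.29 kind cluster), so either remove them or comment them as OpenShift-only. The trailing comma in `"customruns/finalizers",]` parses but reads like a leftover; `"customruns/finalizers"]` is cleaner and the `# We uses leases` comment should read `# We use leases`.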
@@ -0,0 +1,54 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+ resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config"]
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["tekton-pipelines", "openshift-pipelines"]
+ verbs: ["use"]
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["list", "watch"]
+ # The webhook needs access to these configmaps for logging information.
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+ resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "watch"]
+ # The webhook daemon makes a reconciliation loop on tekton-pipelineloop-webhook-certs. Whenever
+ # the secret changes it updates the webhook configurations with the certificates
+ # stored in the secret.
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "update"]
+ resourceNames: ["tekton-pipelineloop-webhook-certs"]
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["tekton-pipelines", "openshift-pipelines"]
+ verbs: ["use"]
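Review bot: The webhook Role grants `get` on `object-store-config` even though its comment says the configmaps are needed "for logging information"; that ConfigMap carries object-store credentials (see 203-object-store-config.yaml later in this diff) and a webhook has no use for them, so `object-store-config` should be removed from the webhook's `resourceNames` and kept only in the controller Role. Note also that the `list`/`watch` on all `configmaps` and `secrets` in the namespace already returns object contents, so the name-scoped `get` rules are not what limits read access; a comment saying the broad `list`/`watch` is the knative informer pattern would explain why the two rules coexist. The `podsecuritypolicies` `use` rules no longer do anything on Kubernetes 1.25+. The controller Role's `resourceNames` omits `cache-config`, which 204-cache-config.yaml in this diff ships; if the controller reads it, it needs to be listed here.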
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml
new file mode 100644
index 000000000000..0d004082b688
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-pipelineloop-controller
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: Role
+ name: tekton-pipelineloop-webhook
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml
new file mode 100644
index 000000000000..9a8e8bc34921
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml
@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelineloop-controller-cluster-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelineloop-controller-cluster-access
+ apiGroup: rbac.authorization.k8s.io
+---
+# If this ClusterRoleBinding is replaced with a RoleBinding
+# then the ClusterRole would be namespaced. The access described by
+# the tekton-pipelineloop-controller-tenant-access ClusterRole would
+# be scoped to individual tenant namespaces.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelineloop-controller-tenant-access
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelineloop-controller-tenant-access
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelineloop-controller-leaderelection
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelineloop-leader-election
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelineloop-webhook-cluster-access
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+
app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelineloop-webhook-cluster-access
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelineloop-webhook-leaderelection
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelineloop-leader-election
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml
new file mode 100644
index 000000000000..967b9ad48694
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml
@@ -0,0 +1,34 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: object-store-config
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines-loops
+data:
+ enable: "false"
+ defaultBucketName: "pipelineloop-logs"
+ ibmStyleCredentials: "false"
+ region: "us-south"
+ accessKey: "minio"
+ secretKey: "minio123"
+ # Below are IBM cloud specific credentials, available if the flag ibmStyleCredentials is true.
+ apiKey: ""
+ serviceInstanceID: "crn:v1:bluemix:public:cloud-object-storage:global:a/ID-dummy-1231231231-123abcdefgh:dummy-values::"
+ serviceEndpoint: "http://minio-service.kubeflow:9000"
+ authEndpoint: "https://iam.cloud.ibm.com/identity/token"
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml
new file mode 100644
index 000000000000..b64ca72f3f63
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml
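Review bot: This ConfigMap stores object-store credentials (`accessKey`, `secretKey`, `apiKey`) in plain `data`, and the pipeline-loops Roles in this diff grant `get` on it to both the controller and the webhook, so anyone with ConfigMap read in `tekton-pipelines` can recover them; credentials belong in a `Secret` consumed through `secretKeyRef` or a volume, with the ConfigMap keeping only the non-secret settings (`enable`, `defaultBucketName`, `region`, the endpoints). The shipped values are the well-known MinIO demo pair, which is tolerable only while `enable: "false"`; a comment such as `# Placeholder credentials: replace before setting enable to "true"` would keep them from reaching a real bucket. The same concern applies to `user`/`password` in 204-cache-config.yaml, which ships `root` with an empty password behind `disabled: "true"`. Both ConfigMaps are labelled `app.kubernetes.io/part-of: tekton-pipelines-loops`, while every other pipeline-loops resource uses `tekton-pipeline-loops`, so label-based lookups will miss them.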
@@ -0,0 +1,33 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cache-config
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines-loops
+data:
+ disabled: "true"
+ driver: "mysql"
+ host: "mysql.kubeflow.svc.cluster.local"
+ port: "3306"
+ dbName: "cachedb"
+ user: "root"
+ password: ""
+ timeout: "6m"
+ extraParams: ""
+ mysqlDBGroupConcatMaxLen: "4194304"
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml
new file mode 100644
index 000000000000..de3b3efee2ce
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml
@@ -0,0 +1,38 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: pipelineloops.custom.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: custom.tekton.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ names:
+ kind: PipelineLoop
+ plural: pipelineloops
+ categories:
+ - tekton
+ - tekton-pipelines
+ - openshift-pipelines
+ scope: Namespaced
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml
new file mode 100644
index 000000000000..4efdfe4ce3e1
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml
@@ -0,0 +1,51 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: breaktasks.custom.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: custom.tekton.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ # Opt into the status subresource so metadata.generation
+ # starts to increment
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ # One can use x-kubernetes-preserve-unknown-fields: true
+ # at the root of the schema (and inside any properties, additionalProperties)
+ # to get the traditional CRD behaviour that nothing is pruned, despite
+ # setting spec.preserveUnknownProperties: false.
+ #
+ # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+ # See issue: https://github.com/knative/serving/issues/912
+ x-kubernetes-preserve-unknown-fields: true
+ names:
+ kind: BreakTask
+ plural: breaktasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
new file mode 100644
index 000000000000..e58fc23b9710
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml 
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tekton-pipelineloop-controller
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "devel"
+ # labels below are related to istio and should not be used for resource lookup
+ version: "devel"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ labels:
+ app.kubernetes.io/name: controller
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+ pipeline.tekton.dev/release: "devel"
+ # labels below are related to istio and should not be used for resource lookup
+ app: tekton-pipelineloop-controller
+ version: "devel"
+ spec:
+ serviceAccountName: tekton-pipelineloop-controller
+ containers:
+ - name: tekton-pipelineloop-controller
+ image: quay.io/aipipeline/pipelineloop-controller:nightly
+ env:
+ - name: KFPV2
+ value: "true"
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml
new file mode 100644
index 000000000000..49e335b097bc
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tekton-pipelineloop-webhook-certs
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+# The data is populated at install time.
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.pipelineloop.custom.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: validation.webhook.pipelineloop.custom.tekton.dev
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: webhook.pipelineloop.custom.tekton.dev
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: webhook.pipelineloop.custom.tekton.dev
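Review bot: The controller image is pulled by the mutable tag `quay.io/aipipeline/pipelineloop-controller:nightly` with no digest, so what actually runs changes underneath this manifest and cannot be audited or rolled back from the commit; the dashboard image elsewhere in this change is pinned with `@sha256:…`, which is the pattern to follow (`image: quay.io/aipipeline/pipelineloop-controller:<tag>@sha256:<digest>`, placeholders to be filled with the real values) or at minimum a versioned tag. The container also declares no `resources` requests/limits and no liveness/readiness probe, so a wedged controller stays Ready and a runaway one competes with workloads in the namespace. The pod hardening itself (drop ALL, runAsNonRoot, RuntimeDefault seccomp, no privilege escalation) is right.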
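Review bot: Both webhook configurations list only `admissionReviewVersions: [v1beta1]`; the admission.k8s.io/v1 AdmissionReview is the GA type and v1beta1 is deprecated, so listing `- v1` first and keeping `- v1beta1` as the fallback avoids the webhook being rejected outright on a cluster that stops serving the old review version. Neither object carries `rules:` or `clientConfig.caBundle`, which I take to mean the webhook process fills both in at runtime from the `tekton-pipelineloop-webhook-certs` Secret, as the Secret's own comment hints; a comment on each `webhooks:` entry such as `# rules and caBundle are reconciled by the webhook controller at runtime` would explain why these objects look incomplete. `failurePolicy: Fail` with `sideEffects: None` is the right combination for both.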
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
new file mode 100644
index 000000000000..ca53147f7107
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ template:
+ metadata:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+ app: tekton-pipelines-webhook
+ version: "devel"
+ spec:
+ serviceAccountName: tekton-pipelineloop-webhook
+ containers:
+ - name: webhook
+ image: quay.io/aipipeline/pipelineloop-webhook:nightly
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ # If you are changing these names, you will also need to update
+ # the webhook's Role in 200-role.yaml to include the new
+ # values in the "configmaps" "get" rule.
+ - name: CONFIG_LOGGING_NAME
+ value: config-logging
+ - name: CONFIG_OBSERVABILITY_NAME
+ value: config-observability
+ - name: CONFIG_LEADERELECTION_NAME
+ value: config-leader-election
+ - name: WEBHOOK_SERVICE_NAME
+ value: tekton-pipelineloop-webhook
+ - name: WEBHOOK_SECRET_NAME
+ value: tekton-pipelineloop-webhook-certs
+ - name: METRICS_DOMAIN
+ value: tekton.dev/pipeline
+ ports:
+ - name: metrics
+ containerPort: 9090
+ - name: profiling
+ containerPort: 8008
+ - name: https-webhook
+ containerPort: 8443
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/version: "devel"
+ app.kubernetes.io/part-of: tekton-pipeline-loops
+ pipeline.tekton.dev/release: "devel"
+ app: tekton-pipelines-webhook
+ version: "devel"
+ name: tekton-pipelineloop-webhook
+ namespace: tekton-pipelines
+spec:
+ ports:
+ # Define metrics and profiling for them to be accessible within service meshes.
+ - name: http-metrics
+ port: 9090
+ targetPort: 9090
+ - name: http-profiling
+ port: 8008
+ targetPort: 8008
+ - name: https-webhook
+ port: 443
+ targetPort: 8443
+ selector:
+ app.kubernetes.io/name: webhook
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipeline-loops
diff --git a/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
new file mode 100644
index 000000000000..f888cfc5e043
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
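Review bot: The Service publishes the pprof port (`http-profiling`, 8008) cluster-wide next to the webhook port; the comment explains it as service-mesh reachability, but a profiling endpoint exposes heap and goroutine state and should not be routable beyond the pod unless profiling is actually turned on (in knative-based components that is governed by `profiling.enable` in `config-observability`, which I would confirm is off here). I'd drop the `http-profiling` entry from the Service, or annotate that line with `# pprof; disabled unless profiling.enable is set in config-observability`. The env-list comment points at `200-role.yaml`, but the kustomization in this change lists `201-role.yaml`, so it should read `# the webhook's Role in 201-role.yaml to include the new`. The mutable `:nightly` image tag without a digest and the missing probes/resources raised on 500-controller.yaml apply to this Deployment as well, and the pod label `app: tekton-pipelines-webhook` appears to be the same value upstream Tekton uses for its own webhook — harmless for the selector here, which keys on `app.kubernetes.io/*`, but misleading for anything keyed on `app`.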
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - 200-serviceaccount.yaml
+ - 201-clusterrole.yaml
+ - 201-role.yaml
+ - 201-rolebinding.yaml
+ - 202-clusterrolebinding.yaml
+ - 203-object-store-config.yaml
+ - 204-cache-config.yaml
+ - 300-pipelineloop.yaml
+ - 301-breaktask.yaml
+ - 500-controller.yaml
+ - 500-webhook-configuration.yaml
+ - 500-webhook.yaml
diff --git a/manifests/kustomize/third-party/tekton/README.md b/manifests/kustomize/third-party/tekton/README.md
new file mode 100644
index 000000000000..7ac8432b7f6b
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/README.md
@@ -0,0 +1,10 @@
+# Tekton manifests
+
+## Upgrade the Tekton Manifest Release
+
+To upgrade the Tekton pipeline or Tekton dashboard manifest to the latest release, run the following commands in this directory
+
+```shell
+curl -L https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml --output upstream/manifests/base/tektoncd-install/tekton-release.yaml
+curl -L https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml --output upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
+```
diff --git a/manifests/kustomize/third-party/tekton/base/kustomization.yaml b/manifests/kustomize/third-party/tekton/base/kustomization.yaml
new file mode 100644
index 000000000000..632bff25aafe
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../upstream/manifests/base/tektoncd-install
diff --git a/manifests/kustomize/third-party/tekton/installs/cluster/kustomization.yaml b/manifests/kustomize/third-party/tekton/installs/cluster/kustomization.yaml
new file mode 100644
index 000000000000..2e9e7974b3e7
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/installs/cluster/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+ - ../../base
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/kustomization.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/kustomization.yaml
new file mode 100644
index 000000000000..a654682cb476
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- tektoncd-install
+- tektoncd-dashboard
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml
new file mode 100644
index 000000000000..53e07828a4b8
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- tekton-dashboard-release.yaml
+namespace: tekton-pipelines
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
new file mode 100644
index 000000000000..0b7dd653f9f0
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
@@ -0,0 +1,335 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: extensions.dashboard.tekton.dev +spec: + group: dashboard.tekton.dev + names: + categories: + - tekton + - tekton-dashboard + kind: Extension + plural: extensions + shortNames: + - ext + - exts + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.apiVersion + name: API version + type: string + - jsonPath: .spec.name + name: Kind + type: string + - jsonPath: .spec.displayname + name: Display name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: tekton-dashboard + namespace: tekton-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: tekton-dashboard-info + namespace: tekton-pipelines +rules: + - apiGroups: + - "" + resourceNames: + - dashboard-info + resources: + - configmaps + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: tekton-dashboard-backend +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - use + - 
apiGroups: + - tekton.dev + resources: + - clustertasks + verbs: + - get + - list + - watch + - apiGroups: + - triggers.tekton.dev + resources: + - clusterinterceptors + - clustertriggerbindings + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: tekton-dashboard-tenant +rules: + - apiGroups: + - dashboard.tekton.dev + resources: + - extensions + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + - namespaces + - pods + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - customruns + verbs: + - get + - list + - watch + - apiGroups: + - triggers.tekton.dev + resources: + - eventlisteners + - interceptors + - triggerbindings + - triggers + - triggertemplates + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: tekton-dashboard-info + namespace: tekton-pipelines +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tekton-dashboard-info +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + rbac.dashboard.tekton.dev/subject: tekton-dashboard + name: tekton-dashboard-backend +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tekton-dashboard-backend +subjects: + - kind: ServiceAccount + name: tekton-dashboard + namespace: tekton-pipelines +--- +apiVersion: v1 +data: + version: v0.41.0 +kind: 
ConfigMap +metadata: + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + name: dashboard-info + namespace: tekton-pipelines +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: tekton-dashboard + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/name: dashboard + app.kubernetes.io/part-of: tekton-dashboard + app.kubernetes.io/version: v0.41.0 + dashboard.tekton.dev/release: v0.41.0 + version: v0.41.0 + name: tekton-dashboard + namespace: tekton-pipelines +spec: + ports: + - name: http + port: 9097 + protocol: TCP + targetPort: 9097 + selector: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/name: dashboard + app.kubernetes.io/part-of: tekton-dashboard +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: tekton-dashboard + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/name: dashboard + app.kubernetes.io/part-of: tekton-dashboard + app.kubernetes.io/version: v0.41.0 + dashboard.tekton.dev/release: v0.41.0 + version: v0.41.0 + name: tekton-dashboard + namespace: tekton-pipelines +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/name: dashboard + app.kubernetes.io/part-of: tekton-dashboard + template: + metadata: + labels: + app: tekton-dashboard + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/name: dashboard + app.kubernetes.io/part-of: tekton-dashboard + app.kubernetes.io/version: v0.41.0 + name: tekton-dashboard + spec: + containers: + - args: + - --port=9097 + - --logout-url= + - --pipelines-namespace=tekton-pipelines + - --triggers-namespace=tekton-pipelines + - --read-only=true + - --log-level=info + - --log-format=json + - --namespace= + - --namespaces= + - --stream-logs=true + - --external-logs= + 
env: + - name: INSTALLED_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.41.0@sha256:698b458f98789177571182b8d092d49e44cd814ab8bbd3434e6ea66d538196c1 + livenessProbe: + httpGet: + path: /health + port: 9097 + name: tekton-dashboard + ports: + - containerPort: 9097 + readinessProbe: + httpGet: + path: /readiness + port: 9097 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: tekton-dashboard + volumes: [] + +--- +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: dashboard + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-dashboard + rbac.dashboard.tekton.dev/subject: tekton-dashboard + name: tekton-dashboard-tenant +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tekton-dashboard-tenant +subjects: + - kind: ServiceAccount + name: tekton-dashboard + namespace: tekton-pipelines diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml new file mode 100644 index 000000000000..62fd8a48b760 --- /dev/null +++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml 
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- tekton-release.yaml
+patchesStrategicMerge:
+- tekton-config.yaml
+- tekton-default.yaml
+patchesJson6902:
+- target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: tekton-pipelines-controller
+ namespace: tekton-pipelines
+ path: tekton-controller.yaml
+images:
+- name: $(registry)/$(controller)
+ newName: $(registry)/$(controller)
+ newTag: latest
+- name: $(registry)/$(webhook)
+ newName: $(registry)/$(webhook)
+ newTag: latest
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml
new file mode 100644
index 000000000000..e66f1a50adbd
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: feature-flags
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ running-in-environment-with-injected-sidecars: "false"
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
new file mode 100644
index 000000000000..ddd4b74a1b05
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
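Review bot: The `images:` entries name `$(registry)/$(controller)` and `$(registry)/$(webhook)` literally; Kustomize does not expand `$(var)` references inside `images`, and the dashboard release in this same change references concrete `gcr.io/tekton-releases/...` images (the pipeline release presumably does too), so unless the vendored release YAML literally contains those strings the two entries are no-ops — and if they ever did match, `newTag: latest` would replace a digest-pinned upstream image with a floating tag. Either delete them or set `name:` to the real image reference and keep the upstream digest. Separately, `patchesStrategicMerge` and `patchesJson6902` are deprecated in favour of a single `patches:` list (each entry with `path:`, plus `target:` for the JSON patch); migrating now avoids the deprecation warnings on current kustomize and a hard break later.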
@@ -0,0 +1,18 @@
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "4"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-threads-per-controller"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "50"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-kube-api-burst"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "50"
+- op: add
+ path: /spec/template/spec/containers/0/args/0
+ value: "-kube-api-qps"
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
new file mode 100644
index 000000000000..8755f6e02394
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-defaults
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+data:
+ default-timeout-minutes: "0"
\ No newline at end of file
diff --git a/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
new file mode 100644
index 000000000000..aa826b635223
--- /dev/null
+++ b/manifests/kustomize/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
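Review bot: All six `add` operations target `/args/0`, so each one prepends and the resulting argument order is the reverse of the file: `-kube-api-qps 50 -kube-api-burst 50 -threads-per-controller 4` followed by whatever the upstream controller already had. That is correct as written but trivially broken by anyone who sorts or reorders the list, and nothing in the file says so; a header comment such as `# Every op inserts at args/0, so entries are listed value-first and in reverse order of the final command line.` would prevent that. The patch also assumes the controller is `containers/0` and already has an `args` list; if the upstream release ever changes either, the JSON patch fails at build time rather than silently, which is acceptable but worth noting in the same comment.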
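Review bot: `default-timeout-minutes: "0"` disables the default PipelineRun/TaskRun timeout (upstream's default is "60"), so a run that never finishes — a hung step, a Pod stuck Pending — keeps its Pods, workspace PVCs and controller work queue entries until someone deletes it by hand, which is an easy way to exhaust a shared cluster. If unbounded runs are genuinely required for KFP workloads, a comment on that line stating the reason and the expectation that pipelines declare their own `timeouts` would make the trade-off deliberate rather than invisible. The file also ends without a trailing newline.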
@@ -0,0 +1,3463 @@ +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pod-security.kubernetes.io/enforce: restricted + +--- +# Copyright 2020-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + # Controller needs to watch Pods created by TaskRuns to see them progress. 
+ resources: ["pods"] + verbs: ["list", "watch"] + - apiGroups: [""] + # Controller needs to get the list of cordoned nodes over the course of a single run + resources: ["nodes"] + verbs: ["list"] + # Controller needs cluster access to all of the CRDs that it is responsible for + # managing. + - apiGroups: ["tekton.dev"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns", "stepactions"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["verificationpolicies"] + verbs: ["get", "list", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["taskruns/finalizers", "pipelineruns/finalizers", "customruns/finalizers"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status", "stepactions/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # resolution.tekton.dev + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # This is the access that the controller needs on a per-namespace basis. + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # Read-write access to create Pods and PVCs (for Workspaces) + - apiGroups: [""] + resources: ["pods", "persistentvolumeclaims"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + # Write permissions to publish events. 
+ - apiGroups: [""] + resources: ["events"] + verbs: ["create", "update", "patch"] + # Read-only access to these. + - apiGroups: [""] + resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch"] + # Read-write access to StatefulSets for Affinity Assistant. + - apiGroups: ["apps"] + resources: ["statefulsets"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # The webhook needs to be able to get and update customresourcedefinitions, + # mainly to update the webhook certificates. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions/status"] + verbs: ["get", "update", "patch"] + resourceNames: + - pipelines.tekton.dev + - pipelineruns.tekton.dev + - tasks.tekton.dev + - clustertasks.tekton.dev + - taskruns.tekton.dev + - resolutionrequests.resolution.tekton.dev + - customruns.tekton.dev + - verificationpolicies.tekton.dev + - stepactions.tekton.dev + # knative.dev/pkg needs list/watch permissions to set up informers for the webhook. + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + # The webhook performs a reconciliation on these two resources and continuously + # updates configuration. + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + # knative starts informers on these things, which is why we need get, list and watch. 
+ verbs: ["list", "watch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + # This mutating webhook is responsible for applying defaults to tekton objects + # as they are received. + resourceNames: ["webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the mutatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update", "delete"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. + # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure + resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] + # When there are changes to the configs or secrets, knative updates the validatingwebhook config + # with the updated certificates or the refreshed set of rules. + verbs: ["get", "update", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get"] + # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, + # which requires we can Get the system namespace. + resourceNames: ["tekton-pipelines"] + - apiGroups: [""] + resources: ["namespaces/finalizers"] + verbs: ["update"] + # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, + # which requires we can update the system namespace finalizers. 
+ resourceNames: ["tekton-pipelines"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-events-controller-cluster-access + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: ["tekton.dev"] + resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The controller needs access to these configmaps for logging information and runtime configuration. 
+ - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-controller", "config-registry-cert"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The webhook needs access to these configmaps for logging information. + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "config-leader-election-webhook", "feature-flags"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "watch"] + # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever + # the secret changes it updates the webhook configurations with the certificates + # stored in the secret. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "update"] + resourceNames: ["webhook-certs"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["list", "watch"] + # The controller needs access to these configmaps for logging information and runtime configuration. 
+ - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-events", "config-registry-cert"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-leader-election + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # We uses leases for leaderelection + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: tekton-pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # All system:authenticated users needs to have access + # of the pipelines-info ConfigMap even if they don't + # have access to the other resources present in the + # installed namespace. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["pipelines-info"] + verbs: ["get"] + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-cluster-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +# If this ClusterRoleBinding is replaced with a RoleBinding +# then the ClusterRole would be namespaced. 
The access described by +# the tekton-pipelines-controller-tenant-access ClusterRole would +# be scoped to individual tenant namespaces. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-controller-tenant-access + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-controller-tenant-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-webhook-cluster-access + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-pipelines-webhook-cluster-access + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-events-controller-cluster-access + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-events-controller-cluster-access + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-webhook + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-controller-leaderelection + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-webhook-leaderelection + namespace: 
tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-webhook + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + # Giving all system:authenticated users the access of the + # ConfigMap which contains version information. + - kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tekton-pipelines-info +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-events-controller + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-events-controller-leaderelection + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-events-controller + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-pipelines-leader-election + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except 
in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustertasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: ClusterTask + plural: clustertasks + singular: clustertask + categories: + - tekton + - tekton-pipelines + scope: Cluster + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: customruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: CustomRun + plural: customruns + singular: customrun + categories: + - tekton + - tekton-pipelines + scope: Namespaced + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: pipelines.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields + # and use the schema in tooling such as `kubectl explain`. + # Using "x-kubernetes-preserve-unknown-fields: true" + # at the root of the schema (or within it) allows arbitrary fields. + # We currently perform our own validation separately. + # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema + # for more info. 
+ x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: Pipeline + plural: pipelines + singular: pipeline + categories: + - tekton + - tekton-pipelines + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: pipelineruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: PipelineRun + plural: pipelineruns + singular: pipelinerun + categories: + - tekton + - tekton-pipelines + shortNames: + - pr + - prs + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: resolutionrequests.resolution.tekton.dev + labels: + resolution.tekton.dev/release: devel +spec: + group: resolution.tekton.dev + scope: Namespaced + names: + kind: ResolutionRequest + plural: resolutionrequests + singular: resolutionrequest + categories: + - tekton + - tekton-pipelines + shortNames: + - resolutionrequest + - resolutionrequests + versions: + - name: v1alpha1 + served: true + deprecated: true + storage: false + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: OwnerKind + type: string + jsonPath: ".metadata.ownerReferences[0].kind" + - name: Owner + type: string + jsonPath: ".metadata.ownerReferences[0].name" + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" + - name: StartTime + type: string + jsonPath: .metadata.creationTimestamp + - name: EndTime + type: string + jsonPath: .status.conditions[?(@.type=='Succeeded')].lastTransitionTime + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1alpha1", "v1beta1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: stepactions.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: StepAction + plural: stepactions + singular: stepaction + categories: + - tekton + - tekton-pipelines + scope: Namespaced + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # TODO(#1461): Add OpenAPIV3 schema + # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields + # and use the schema in tooling such as `kubectl explain`. + # Using "x-kubernetes-preserve-unknown-fields: true" + # at the root of the schema (or within it) allows arbitrary fields. + # We currently perform our own validation separately. + # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema + # for more info. 
+ x-kubernetes-preserve-unknown-fields: true + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: Task + plural: tasks + singular: task + categories: + - tekton + - tekton-pipelines + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: taskruns.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. 
+ # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - name: Succeeded + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" + - name: StartTime + type: date + jsonPath: .status.startTime + - name: CompletionTime + type: date + jsonPath: .status.completionTime + # Opt into the status subresource so metadata.generation + # starts to increment + subresources: + status: {} + names: + kind: TaskRun + plural: taskruns + singular: taskrun + categories: + - tekton + - tekton-pipelines + shortNames: + - tr + - trs + scope: Namespaced + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1beta1", "v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: verificationpolicies.tekton.dev + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" + version: "v0.53.2" +spec: + group: tekton.dev + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + # One can use x-kubernetes-preserve-unknown-fields: true + # at the root of the schema (and inside any properties, additionalProperties) + # to get the traditional CRD behaviour that nothing is pruned, despite + # setting spec.preserveUnknownProperties: false. + # + # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ + # See issue: https://github.com/knative/serving/issues/912 + x-kubernetes-preserve-unknown-fields: true + names: + kind: VerificationPolicy + plural: verificationpolicies + singular: verificationpolicy + categories: + - tekton + - tekton-pipelines + scope: Namespaced + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: webhook-certs + namespace: tekton-pipelines + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" +# The data is populated at install time. 
+--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validation.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: validation.webhook.pipeline.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: webhook.pipeline.tekton.dev +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: config.webhook.pipeline.tekton.dev + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pipeline.tekton.dev/release: "v0.53.2" +webhooks: + - admissionReviewVersions: ["v1"] + clientConfig: + service: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + failurePolicy: Fail + sideEffects: None + name: config.webhook.pipeline.tekton.dev + objectSelector: + matchLabels: + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2019-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-edit + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - runs + - customruns + - stepactions + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +--- +# Copyright 2019-2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-aggregate-view + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - tekton.dev + resources: + - tasks + - taskruns + - pipelines + - pipelineruns + - runs + - customruns + - stepactions + verbs: + - get + - list + - watch + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # default-timeout-minutes contains the default number of + # minutes to use for TaskRun and PipelineRun, if none is specified. 
+ default-timeout-minutes: "60" # 60 minutes + + # default-service-account contains the default service account name + # to use for TaskRun and PipelineRun, if none is specified. + default-service-account: "default" + + # default-managed-by-label-value contains the default value given to the + # "app.kubernetes.io/managed-by" label applied to all Pods created for + # TaskRuns. If a user's requested TaskRun specifies another value for this + # label, the user's request supercedes. + default-managed-by-label-value: "tekton-pipelines" + + # default-pod-template contains the default pod template to use for + # TaskRun and PipelineRun. If a pod template is specified on the + # PipelineRun, the default-pod-template is merged with that one. + # default-pod-template: + + # default-affinity-assistant-pod-template contains the default pod template + # to use for affinity assistant pods. If a pod template is specified on the + # PipelineRun, the default-affinity-assistant-pod-template is merged with + # that one. + # default-affinity-assistant-pod-template: + + # default-cloud-events-sink contains the default CloudEvents sink to be + # used for TaskRun and PipelineRun, when no sink is specified. + # Note that right now it is still not possible to set a PipelineRun or + # TaskRun specific sink, so the default is the only option available. + # If no sink is specified, no CloudEvent is generated + # default-cloud-events-sink: + + # default-task-run-workspace-binding contains the default workspace + # configuration provided for any Workspaces that a Task declares + # but that a TaskRun does not explicitly provide. + # default-task-run-workspace-binding: | + # emptyDir: {} + + # default-max-matrix-combinations-count contains the default maximum number + # of combinations from a Matrix, if none is specified. + default-max-matrix-combinations-count: "256" + + # default-forbidden-env contains comma seperated environment variables that cannot be + # overridden by podTemplate. 
+ default-forbidden-env: + + # default-resolver-type contains the default resolver type to be used in the cluster, + # no default-resolver-type is specified by default + default-resolver-type: + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-events + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # formats contains a comma seperated list of event formats to be used + # the only format supported today is "tektonv1". An empty string is not + # a valid configuration. To disable events, do not specify the sink. + formats: "tektonv1" + + # sink contains the event sink to be used for TaskRun, PipelineRun and + # CustomRun. If no sink is specified, no CloudEvent is generated. 
+ # This setting supercedes the "default-cloud-events-sink" from the + # "config-defaults" config map + sink: "https://events.sink/cdevents" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: feature-flags + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" will prevent Tekton to create an + # Affinity Assistant for every TaskRun sharing a PVC workspace + # + # The default behaviour is for Tekton to create Affinity Assistants + # + # See more in the Affinity Assistant documentation + # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md + # or https://github.com/tektoncd/pipeline/pull/2630 for more info. + # + # Note: This feature flag is deprecated and will be removed in release v0.60. Consider using `coschedule` feature flag to configure Affinity Assistant behavior. + disable-affinity-assistant: "false" + # Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant. + # Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled". + # + # Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node. + # Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node. 
+ # Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node, + # and only allows one pipelinerun to run on a node at a time. + # Setting it to "disabled" will not apply any coschedule policy. + # + # See more in the Affinity Assistant documentation + # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md + coschedule: "workspaces" + # Setting this flag to "true" will prevent Tekton scanning attached + # service accounts and injecting any credentials it finds into your + # Steps. + # + # The default behaviour currently is for Tekton to search service + # accounts for secrets matching a specified format and automatically + # mount those into your Steps. + # + # Note: setting this to "true" will prevent PipelineResources from + # working. + # + # See https://github.com/tektoncd/pipeline/issues/2791 for more + # info. + disable-creds-init: "false" + # Setting this flag to "false" will stop Tekton from waiting for a + # TaskRun's sidecar containers to be running before starting the first + # step. This will allow Tasks to be run in environments that don't + # support the DownwardAPI volume type, but may lead to unintended + # behaviour if sidecars are used. + # + # See https://github.com/tektoncd/pipeline/issues/4937 for more info. + await-sidecar-readiness: "true" + # This option should be set to false when Pipelines is running in a + # cluster that does not use injected sidecars such as Istio. Setting + # it to false should decrease the time it takes for a TaskRun to start + # running. For clusters that use injected sidecars, setting this + # option to false can lead to unexpected behavior. + # + # See https://github.com/tektoncd/pipeline/issues/2080 for more info. + running-in-environment-with-injected-sidecars: "true" + # Setting this flag to "true" will require that any Git SSH Secret + # offered to Tekton must have known_hosts included. 
+ # + # See https://github.com/tektoncd/pipeline/issues/2981 for more + # info. + require-git-ssh-secret-known-hosts: "false" + # Setting this flag to "true" enables the use of Tekton OCI bundle. + # This is an experimental feature and thus should still be considered + # an alpha feature. + enable-tekton-oci-bundles: "false" + # Setting this flag will determine which gated features are enabled. + # Acceptable values are "stable", "beta", or "alpha". + enable-api-fields: "beta" + # Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a + # CloudEvents sink is configured in the config-defaults config map + send-cloudevents-for-runs: "false" + # This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them. + # If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found. + # If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged. + # If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged. + trusted-resources-verification-no-match-policy: "ignore" + # Setting this flag to "true" enables populating the "provenance" field in TaskRun + # and PipelineRun status. This field contains metadata about resources used + # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline + # definition was fetched. + enable-provenance-in-status: "true" + # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance. + # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance. + # If set to "none", then Tekton will not have non-falsifiable provenance. + # This is an experimental feature and thus should still be considered an alpha feature. 
+ enforce-nonfalsifiability: "none" + # Setting this flag will determine how Tekton pipelines will handle extracting results from the task. + # Acceptable values are "termination-message" or "sidecar-logs". + # "sidecar-logs" is an experimental feature and thus should still be considered + # an alpha feature. + results-from: "termination-message" + # Setting this flag will determine the upper limit of each task result + # This flag is optional and only associated with the previous flag, results-from + # When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result + # max-result-size: "4096" + # Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns. + # This allows TaskRuns to run in namespaces with "restricted" pod security standards. + # Not all Kubernetes implementations support this option. + set-security-context: "false" + # Setting this flag to "true" will keep pod on cancellation + # allowing examination of the logs on the pods from cancelled taskruns + keep-pod-on-cancel: "false" + # Setting this flag to "true" will enable the CEL evaluation in WhenExpression + enable-cel-in-whenexpression: "false" + # Setting this flag to "true" will enable the use of StepActions in Steps + # This feature is in preview mode and not implemented yet. Please check #7259 for updates. + enable-step-actions: "false" + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: pipelines-info + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Contains pipelines version which can be queried by external + # tools such as CLI. Elevated permissions are already given to + # this ConfigMap such that even if we don't have access to + # other resources in the namespace we still can have access to + # this ConfigMap. + version: "v0.53.2" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. 
+ # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-events + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2023 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. 
+ buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using Stackdriver will incur additional charges. + metrics.backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used and metrics will be sent to the cluster's project if this field is + # not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed + # to send metrics to Stackdriver using "global" resource type and custom + # metric type. Setting this flag to "true" could cause extra Stackdriver + # charge. If metrics.backend-destination is not Stackdriver, this is + # ignored. 
+ metrics.allow-stackdriver-custom-metrics: "false" + metrics.taskrun.level: "task" + metrics.taskrun.duration-type: "histogram" + metrics.pipelinerun.level: "pipeline" + metrics.pipelinerun.duration-type: "histogram" + metrics.count.enable-reason: "false" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-registry-cert + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +# data: +# # Registry's self-signed certificate +# cert: | + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-spire + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # spire-trust-domain specifies the SPIRE trust domain to use. + # spire-trust-domain: "example.org" + # + # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. + # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" + # + # spire-server-addr specifies the SPIRE server address for workload/node registration. + # spire-server-addr: "spire-server.spire.svc.cluster.local:8081" + # + # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. + # spire-node-alias-prefix: "/tekton-node/" + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-tracing + namespace: tekton-pipelines + labels: + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # Enable sending traces to defined endpoint by setting this to true + enabled: "true" + # + # API endpoint to send the traces to + # (optional): The default value is given below + endpoint: "http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + version: "v0.53.2" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.53.2" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + serviceAccountName: tekton-pipelines-controller + containers: + - name: tekton-pipelines-controller + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.53.2@sha256:2cab05747826e7c32e2c588f0fefd354e03f643bd33dbe20533eada00562e6b1 + args: [ + # These images are built on-demand by `ko resolve` and are replaced + # by image references by digest. 
+ "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.53.2@sha256:7a4269475491e3e9b70e173de6871596e63a9eefd792f2127ca7004145915a76", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.53.2@sha256:1793eb2b13d86e084d603ec174904176e5e68b7161be9ed66786deda8f728f30", "-sidecarlogresults-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecarlogresults:v0.53.2@sha256:cf55af7c850b6f6b83d7565b728969cc6cf548ae0c72abf7261c42ce07eefe2d", "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.53.2@sha256:5c0b96d1f1ac9a5c1d8fa50ba07a1174812190707c4abb939b6c41b0b8e72093", + # The shell image must allow root in order to create directories and copy files to PVCs. + # cgr.dev/chainguard/busybox as of April 14 2022 + # image shall not contains tag, so it will be supported on a runtime like cri-o + "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791", + # for script mode to work with windows we need a powershell image + # pinning to nanoserver tag as of July 15 2021 + "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"] + volumeMounts: + - name: config-logging + mountPath: /etc/config-logging + - name: config-registry-cert + mountPath: /etc/config-registry-cert + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. 
+ - name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-controller + - name: CONFIG_SPIRE + value: config-spire + - name: SSL_CERT_FILE + value: /etc/config-registry-cert/cert + - name: SSL_CERT_DIR + value: /etc/ssl/certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + # The following variables can be uncommented with correct values to enable Jaeger tracing + #- name: OTEL_EXPORTER_JAEGER_ENDPOINT + # value: http://jaeger-collector.jaeger:14268/api/traces + #- name: OTEL_EXPORTER_JAEGER_USER + # value: username + #- name: OTEL_EXPORTER_JAEGER_PASSWORD + # value: password + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + # User 65532 is the nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: probes + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + volumes: + - name: config-logging + configMap: + name: config-logging + - name: config-registry-cert + configMap: + name: config-registry-cert +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + 
pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-controller + version: "v0.53.2" + name: tekton-pipelines-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9090 + protocol: TCP + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: probes + port: 8080 + selector: + app.kubernetes.io/name: controller + app.kubernetes.io/component: controller + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-events-controller + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + version: "v0.53.2" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-events-controller + version: "v0.53.2" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + serviceAccountName: tekton-events-controller + containers: + - name: tekton-events-controller + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/events:v0.53.2@sha256:0cf6f0be5319efdd8909ed8f987837d89146fd0632a744bf6d54bf83e5b13ca0 + args: [] + volumeMounts: + - name: config-logging + mountPath: /etc/config-logging + - name: config-registry-cert + mountPath: /etc/config-registry-cert + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you 
will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + - name: CONFIG_DEFAULTS_NAME + value: config-defaults + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-events + - name: SSL_CERT_FILE + value: /etc/config-registry-cert/cert + - name: SSL_CERT_DIR + value: /etc/ssl/certs + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + # User 65532 is the nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + - name: probes + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + volumes: + - name: config-logging + configMap: + name: config-logging + - name: config-registry-cert + configMap: + name: config-registry-cert +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-events-controller + version: "v0.53.2" + name: tekton-events-controller + namespace: tekton-pipelines +spec: + ports: + - name: http-metrics + port: 9090 + protocol: TCP + targetPort: 9090 + - name: http-profiling + port: 8008 + 
targetPort: 8008 + - name: probes + port: 8080 + selector: + app.kubernetes.io/name: events + app.kubernetes.io/component: events + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + pod-security.kubernetes.io/enforce: restricted + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + # ClusterRole for resolvers to monitor and update resolutionrequests. 
+ name: tekton-pipelines-resolvers-resolution-request-updates + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + - apiGroups: ["resolution.tekton.dev"] + resources: ["resolutionrequests", "resolutionrequests/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["tekton.dev"] + resources: ["tasks", "pipelines"] + verbs: ["get", "list"] + # Read-only access to these. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +rules: + # Needed to watch and load configuration and secret data. + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "update", "watch"] + # This is needed by leader election to run the controller in HA. 
+ - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: ClusterRole + name: tekton-pipelines-resolvers-resolution-request-updates + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-pipelines-resolvers-namespace-rbac + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines-resolvers +roleRef: + kind: Role + name: tekton-pipelines-resolvers-namespace-rbac + apiGroup: rbac.authorization.k8s.io + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: bundleresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default service account name to use for bundle requests. + default-service-account: "default" + # The default layer kind in the bundle image. + default-kind: "task" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The default kind to fetch. + default-kind: "task" + # The default namespace to look for resources in. + default-namespace: "" + # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. 
+ allowed-namespaces: "" + # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. + blocked-namespaces: "" + +--- +# Copyright 2019 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: resolvers-feature-flags + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # Setting this flag to "true" enables remote resolution of Tekton OCI bundles. + enable-bundles-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines via the Tekton Hub. + enable-hub-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories. + enable-git-resolver: "true" + # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster. + enable-cluster-resolver: "true" + +--- +# Copyright 2020 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-leader-election-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # lease-duration is how long non-leaders will wait to try to acquire the + # lock; 15 seconds is the value used by core kubernetes controllers. + lease-duration: "60s" + # renew-deadline is how long a leader will try to renew the lease before + # giving up; 10 seconds is the value used by core kubernetes controllers. + renew-deadline: "40s" + # retry-period is how long the leader election client waits between tries of + # actions; 2 seconds is the value used by core kubernetes controllers. + retry-period: "10s" + # buckets is the number of buckets used to partition key space of each + # Reconciler. If this number is M and the replica number of the controller + # is N, the N replicas will compete for the M buckets. 
The owner of a + # bucket will take care of the reconciling for the keys partitioned into + # that bucket. + buckets: "1" + +--- +# Copyright 2019 Tekton Authors LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-logging + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + zap-logger-config: | + { + "level": "info", + "development": false, + "sampling": { + "initial": 100, + "thereafter": 100 + }, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "timestamp", + "levelKey": "severity", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "message", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + # Log level overrides + loglevel.controller: "info" + loglevel.webhook: "info" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. 
+# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-observability + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that `kubectl edit` this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. If non-empty, it enables queue proxy to send request metrics. + # Currently supported values: prometheus, stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. 
+ metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: git-resolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # The maximum amount of time a single anonymous cloning resolution may take. + fetch-timeout: "1m" + # The git url to fetch the remote resource from when using anonymous cloning. + default-url: "https://github.com/tektoncd/catalog.git" + # The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. + default-revision: "main" + # The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud + scm-type: "github" + # The SCM server URL to use with the authenticated API. 
Not needed when using github.com, gitlab.com, or BitBucket Cloud + server-url: "" + # The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. + api-token-secret-name: "" + # The key in the API token secret containing the actual token. Required when using the authenticated API. + api-token-secret-key: "" + # The namespace containing the API token secret. Defaults to "default". + api-token-secret-namespace: "default" + # The default organization to look for repositories under when using the authenticated API, + # if not specified in the resolver parameters. Optional. + default-org: "" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubresolver-config + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines +data: + # the default Tekton Hub catalog from where to pull the resource. + default-tekton-hub-catalog: "Tekton" + # the default Artifact Hub Task catalog from where to pull the resource. + default-artifact-hub-task-catalog: "tekton-catalog-tasks" + # the default Artifact Hub Pipeline catalog from where to pull the resource. + default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines" + # the default layer kind in the hub image. 
+ default-kind: "task" + # the default hub source to pull the resource from. + default-type: "artifact" + +--- +# Copyright 2022 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tekton-pipelines-remote-resolvers + namespace: tekton-pipelines-resolvers + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + version: "v0.53.2" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-resolvers + version: 
"v0.53.2" + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + topologyKey: kubernetes.io/hostname + weight: 100 + serviceAccountName: tekton-pipelines-resolvers + containers: + - name: controller + image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.53.2@sha256:6578d145acd9cd288e501023429439334de15de8bd77af132c57a1d5f982e940 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1000m + memory: 4Gi + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + # This must match the value of the environment variable PROBES_PORT. + - name: probes + containerPort: 8080 + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you will also need to update + # the controller's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. 
+ - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-resolvers + - name: METRICS_DOMAIN + value: tekton.dev/resolution + - name: PROBES_PORT + value: "8080" + # Override this env var to set a private hub api endpoint + - name: ARTIFACT_HUB_API + value: "https://artifacthub.io/" + - name: TEKTON_HUB_API + value: "https://api.hub.tekton.dev/" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault + +--- +# Copyright 2023 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-remote-resolvers + version: "v0.53.2" + name: tekton-pipelines-remote-resolvers + namespace: tekton-pipelines-resolvers +spec: + ports: + - name: http-metrics + port: 9090 + protocol: TCP + targetPort: 9090 + - name: http-profiling + port: 8008 + targetPort: 8008 + - name: probes + port: 8080 + selector: + app.kubernetes.io/name: resolvers + app.kubernetes.io/component: resolvers + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + version: "v0.53.2" +spec: + minReplicas: 1 + maxReplicas: 5 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: tekton-pipelines-webhook + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 100 + +--- +# Copyright 2020 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + # Note: the Deployment name must be the same as the Service name specified in + # config/400-webhook-service.yaml. If you change this name, you must also + # change the value of WEBHOOK_SERVICE_NAME below. 
+ name: tekton-pipelines-webhook + namespace: tekton-pipelines + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + version: "v0.53.2" +spec: + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + template: + metadata: + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-webhook + version: "v0.53.2" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + topologyKey: kubernetes.io/hostname + weight: 100 + serviceAccountName: tekton-pipelines-webhook + containers: + - name: webhook + # This is the Go import path for the binary that is containerized + # and substituted here. 
+ image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.53.2@sha256:1e8f8be3b51be378747b4589dde970582f50e1e69f59527f0a9aa7a75c5833e3 + # Resource request required for autoscaler to take any action for a metric + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 500m + memory: 500Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # If you are changing these names, you will also need to update + # the webhook's Role in 200-role.yaml to include the new + # values in the "configmaps" "get" rule. + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: CONFIG_LEADERELECTION_NAME + value: config-leader-election-webhook + - name: CONFIG_FEATURE_FLAGS_NAME + value: feature-flags + # If you change PROBES_PORT, you will also need to change the + # containerPort "probes" to the same value. + - name: PROBES_PORT + value: "8080" + # If you change WEBHOOK_PORT, you will also need to change the + # containerPort "https-webhook" to the same value. + - name: WEBHOOK_PORT + value: "8443" + # if you change WEBHOOK_ADMISSION_CONTROLLER_NAME, you will also need to update + # the webhooks.name in 500-webhooks.yaml to include the new names of admission webhooks. + # Additionally, you will also need to change the resource names (metadata.name) of + # "MutatingWebhookConfiguration" and "ValidatingWebhookConfiguration" in 500-webhooks.yaml + # to reflect the change in the name of the admission webhook. + # Followed by changing the webhook's Role in 200-clusterrole.yaml to update the "resourceNames" of + # "mutatingwebhookconfigurations" and "validatingwebhookconfigurations" resources. 
+ - name: WEBHOOK_ADMISSION_CONTROLLER_NAME + value: webhook.pipeline.tekton.dev + - name: WEBHOOK_SERVICE_NAME + value: tekton-pipelines-webhook + - name: WEBHOOK_SECRET_NAME + value: webhook-certs + - name: METRICS_DOMAIN + value: tekton.dev/pipeline + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + # User 65532 is the distroless nonroot user ID + runAsUser: 65532 + runAsGroup: 65532 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - name: metrics + containerPort: 9090 + - name: profiling + containerPort: 8008 + # This must match the value of the environment variable WEBHOOK_PORT. + - name: https-webhook + containerPort: 8443 + # This must match the value of the environment variable PROBES_PORT. + - name: probes + containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readiness + port: probes + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/version: "v0.53.2" + app.kubernetes.io/part-of: tekton-pipelines + # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml + pipeline.tekton.dev/release: "v0.53.2" + # labels below are related to istio and should not be used for resource lookup + app: tekton-pipelines-webhook + version: "v0.53.2" + name: tekton-pipelines-webhook + namespace: tekton-pipelines +spec: + ports: + # Define metrics and profiling for them to be accessible within service meshes. 
+ - name: http-metrics + port: 9090 + targetPort: metrics + - name: http-profiling + port: 8008 + targetPort: profiling + - name: https-webhook + port: 443 + targetPort: https-webhook + - name: probes + port: 8080 + targetPort: probes + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: default + app.kubernetes.io/part-of: tekton-pipelines + +--- diff --git a/scripts/deploy/github/build-images.sh b/scripts/deploy/github/build-images.sh new file mode 100755 index 000000000000..ffa6db2e216f --- /dev/null +++ b/scripts/deploy/github/build-images.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# source: https://raw.githubusercontent.com/open-toolchain/commons/master/scripts/check_registry.sh + +# Remove the x if you need no print out of each command +set -e + +REGISTRY="${REGISTRY:-kind-registry:5000}" +TAG="${TAG:-latest}" + +docker system prune -a -f + +docker build -q -t "${REGISTRY}/apiserver:${TAG}" -f backend/Dockerfile . && docker push "${REGISTRY}/apiserver:${TAG}" & +docker build -q -t "${REGISTRY}/persistenceagent:${TAG}" -f backend/Dockerfile.persistenceagent . && docker push "${REGISTRY}/persistenceagent:${TAG}" & +docker build -q -t "${REGISTRY}/scheduledworkflow:${TAG}" -f backend/Dockerfile.scheduledworkflow . && docker push "${REGISTRY}/scheduledworkflow:${TAG}" & + +wait + +# clean up intermittent build caches to free up disk space +docker system prune -a -f diff --git a/scripts/deploy/github/deploy-kfp.sh b/scripts/deploy/github/deploy-kfp.sh new file mode 100755 index 000000000000..55b45e43bbc7 --- /dev/null +++ b/scripts/deploy/github/deploy-kfp.sh 
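Review bot: A failed image build or push is not detected, because the bare `wait` at the end of build-images.sh always returns 0 and `set -e` never sees the exit status of the three backgrounded `docker build … && docker push …` jobs, so the workflow continues and deploys whatever happens to be in the registry. Collect each job's PID and `wait` on them individually so a non-zero status propagates under `set -e`. The header comment "Remove the x if you need no print out of each command" is stale here since the script only sets `set -e`; either use `set -ex` or drop the comment.
```shell
# … unchanged: REGISTRY/TAG defaults and initial prune …
pids=()
docker build -q -t "${REGISTRY}/apiserver:${TAG}" -f backend/Dockerfile . && docker push "${REGISTRY}/apiserver:${TAG}" &
pids+=("$!")
docker build -q -t "${REGISTRY}/persistenceagent:${TAG}" -f backend/Dockerfile.persistenceagent . && docker push "${REGISTRY}/persistenceagent:${TAG}" &
pids+=("$!")
docker build -q -t "${REGISTRY}/scheduledworkflow:${TAG}" -f backend/Dockerfile.scheduledworkflow . && docker push "${REGISTRY}/scheduledworkflow:${TAG}" &
pids+=("$!")

# wait on each job separately: a bare `wait` discards their exit codes,
# and with set -e a failing `wait "$pid"` aborts the script
for pid in "${pids[@]}"; do
  wait "$pid"
done
# … unchanged: final prune …
```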
@@ -0,0 +1,55 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Remove the x if you need no print out of each command +set -e + +REGISTRY="${REGISTRY:-kind-registry:5000}" +EXIT_CODE=0 + +C_DIR="${BASH_SOURCE%/*}" +if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi +source "${C_DIR}/helper-functions.sh" + +kubectl apply -k "manifests/kustomize/cluster-scoped-resources/" +kubectl wait crd/applications.app.k8s.io --for condition=established --timeout=60s || EXIT_CODE=$? +if [[ $EXIT_CODE -ne 0 ]] +then + echo "Failed to deploy cluster-scoped resources." + exit $EXIT_CODE +fi + +# Deploy manifest +kubectl apply -k "scripts/deploy/github/manifests" || EXIT_CODE=$? +if [[ $EXIT_CODE -ne 0 ]] +then + echo "Deploy unsuccessful. Failure applying $KUSTOMIZE_DIR." + exit 1 +fi + +# Check if all pods are running - allow 20 retries (10 minutes) +wait_for_pods kubeflow 40 30 || EXIT_CODE=$? +if [[ $EXIT_CODE -ne 0 ]] +then + echo "Deploy unsuccessful. Not all pods running." + exit 1 +fi + +echo "List Tekton control plane: " +kubectl get pod -n tekton-pipelines + +echo "Finished kfp-tekton deployment." + diff --git a/scripts/deploy/github/e2e-test.sh b/scripts/deploy/github/e2e-test.sh new file mode 100755 index 000000000000..a1a01a211b38 --- /dev/null +++ b/scripts/deploy/github/e2e-test.sh 
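Review bot: `$KUSTOMIZE_DIR` in the failure message after `kubectl apply -k "scripts/deploy/github/manifests"` is never assigned in deploy-kfp.sh, so the error prints an empty path. Hoist the path into a variable and use it in both places: `MANIFEST_DIR="scripts/deploy/github/manifests"`, `kubectl apply -k "$MANIFEST_DIR" || EXIT_CODE=$?`, `echo "Deploy unsuccessful. Failure applying $MANIFEST_DIR."`. The comment above `wait_for_pods kubeflow 40 30` says "allow 20 retries (10 minutes)" but the arguments are 40 retries of 30s, i.e. 20 minutes; make the comment match the call. `REGISTRY` is assigned but never read in this script, and the "Remove the x" comment refers to an `x` flag that `set -e` does not set.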
@@ -0,0 +1,46 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Remove the x if you need no print out of each command +set -e + +# Need the following env +# - KUBEFLOW_NS: kubeflow namespace + +KUBEFLOW_NS="${KUBEFLOW_NS:-kubeflow}" +TEST_SCRIPT="${TEST_SCRIPT:="test-flip-coin.sh"}" + +C_DIR="${BASH_SOURCE%/*}" +if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi + +POD_NAME=$(kubectl get pod -n kubeflow -l app=ml-pipeline -o json | jq -r '.items[] | .metadata.name ') +kubectl port-forward -n "$KUBEFLOW_NS" "$POD_NAME" 8888:8888 2>&1 > /dev/null & +# wait for the port-forward +sleep 5 + +if [ -n "$TEST_SCRIPT" ]; then + source "${C_DIR}/${TEST_SCRIPT}" +fi + +kill %1 + +if [[ "$RESULT" -ne 0 ]]; then + echo "e2e test ${STATUS_MSG}" + exit 1 +fi + +echo "e2e test ${STATUS_MSG}" + diff --git a/scripts/deploy/github/helper-functions.sh b/scripts/deploy/github/helper-functions.sh new file mode 100644 index 000000000000..d22e2d781a08 --- /dev/null +++ b/scripts/deploy/github/helper-functions.sh 
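Review bot: The pod lookup in e2e-test.sh hard-codes `-n kubeflow` while the port-forward on the next line uses `"$KUBEFLOW_NS"`, so overriding `KUBEFLOW_NS` looks up the pod in one namespace and forwards in another; use `kubectl get pod -n "$KUBEFLOW_NS" -l app=ml-pipeline -o json` as well. The redirection `2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; if the intent is to silence both, the order is `> /dev/null 2>&1`. `TEST_SCRIPT` comes from the environment and is `source`d directly, so a guard such as `[[ -f "${C_DIR}/${TEST_SCRIPT}" ]] || { echo "unknown test script: ${TEST_SCRIPT}"; exit 1; }` before the `source` turns a typo or an unexpected value into a clear failure instead of an unhelpful `set -e` abort with the port-forward left running. The `jq` expression `.items[] | .metadata.name` yields one line per matching pod, so `"$POD_NAME"` would contain embedded newlines if more than one `app=ml-pipeline` pod exists; `.items[0].metadata.name` pins the intent.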
@@ -0,0 +1,250 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +retry() { + local max=$1; shift + local interval=$1; shift + + until "$@"; do + echo "trying.." + max=$((max-1)) + if [[ "$max" -eq 0 ]]; then + return 1 + fi + sleep "$interval" + done +} + +wait_for_namespace () { + if [[ $# -ne 3 ]] + then + echo "Usage: wait_for_namespace namespace max_retries sleep_time" + return 1 + fi + + local namespace=$1 + local max_retries=$2 + local sleep_time=$3 + + local i=0 + + while [[ $i -lt $max_retries ]] + do + if kubectl get ns | grep -qow "$namespace" + then + return 0 + fi + echo "$namespace not found. Checking again in ${sleep_time}s." + sleep "$sleep_time" + i=$((i+1)) + done + + return 1 +} + +wait_for_pods () { + if [[ $# -ne 3 ]] + then + echo "Usage: wait_for_pods namespace max_retries sleep_time" + return 1 + fi + + local namespace=$1 + local max_retries=$2 + local sleep_time=$3 + + local i=0 + + while [[ $i -lt $max_retries ]] + do + local pods + local statuses + local num_pods + local num_running + pods=$(kubectl get pod -n "$namespace") + # echo "$pods" + # kubectl get pvc -n "$namespace" + + if [[ -z $pods ]] + then + echo "no pod is up yet" + else + # Using quotations around variables to keep column format in echo + # Remove 1st line (header line) -> trim whitespace -> cut statuses column (3rd column) + # Might be overkill to parse down to specific columns :). 
+ statuses=$(echo "$pods" | tail -n +2 | tr -s ' ' | cut -d ' ' -f 3) + num_pods=$(echo "$statuses" | wc -l | xargs) + num_running=$(echo "$statuses" | grep -ow "Running\|Completed" | wc -l | xargs) + + local msg="${num_running}/${num_pods} pods running in \"${namespace}\"." + + if [[ $num_running -ne $num_pods ]] + then + # for debugging + # kubectl get pod -n "$namespace" | grep '0/1' | awk '{print $1}' | xargs kubectl describe pod -n "$namespace" + echo "$msg Checking again in ${sleep_time}s." + else + echo "$msg" + return 0 + fi + fi + + sleep "$sleep_time" + i=$((i+1)) + done + + return 1 +} + +deploy_with_retries () { + if [[ $# -ne 4 ]] + then + echo "Usage: deploy_with_retries (-f FILENAME | -k DIRECTORY) manifest max_retries sleep_time" + return 1 + fi + + local flag="$1" + local manifest="$2" + local max_retries="$3" + local sleep_time="$4" + + local i=0 + + while [[ $i -lt $max_retries ]] + do + local exit_code=0 + + kubectl apply "$flag" "$manifest" || exit_code=$? + + if [[ $exit_code -eq 0 ]] + then + return 0 + fi + + echo "Deploy unsuccessful with error code $exit_code. Trying again in ${sleep_time}s." 
+ sleep "$sleep_time" + i=$((i+1)) + done + + return 1 +} + +wait_for_pod () { + local namespace=$1 + local pod_name=$2 + local max_tries=$3 + local sleep_time=$4 + + until pod_is_running "$namespace" "$pod_name"; do + max_tries=$((max_tries-1)) + if [[ "$max_tries" -eq 0 ]]; then + return 1 + fi + echo "Checking again in $sleep_time" + sleep "$sleep_time" + done + + return 0 +} + +pod_is_running () { + local namespace=$1 + local pod_name=$2 + + local pod_status + + # May have unexpected results if pod_name has multiple matches + pod_status=$(kubectl get pod -n "$namespace" | grep "$pod_name*" | head -1 | awk '{print $3}') + + if [ "$pod_status" = "Running" ]; then + return 0 + fi + + return 1 +} + +wait_for_pipeline_run () { + local run_name=$1 + local max_tries=$2 + local sleep_time=$3 + + until pipeline_run_is_success "$run_name"; do + max_tries=$((max_tries-1)) + if [[ "$max_tries" -eq 0 ]]; then + return 1 + fi + echo "Checking pipeline run again in $sleep_time" + sleep "$sleep_time" + done + + return 0 +} + +wait_for_pipeline_run_rev () { + local run_name=$1 + local max_tries=$2 + local sleep_time=$3 + + until [ "$(pipeline_run_is_success_rev "$run_name")" = "0" ]; do + max_tries=$((max_tries-1)) + if [[ "$max_tries" -eq 0 ]]; then + echo "1" + return + fi + sleep "$sleep_time" + done + + echo "0" + return +} + +pipeline_run_is_success () { + local run_name=$1 + + local run_status + + # May have unexpected results if run_status has multiple matches + run_status=$(kubectl get pipelineruns "$run_name" | tail -1 | awk '{print $2}') + + if [ "$run_status" = "True" ]; then + return 0 + elif [ "$run_status" = "False" ]; then + echo "Run Failed" + exit 1 + fi + + return 1 +} + +pipeline_run_is_success_rev () { + local run_name=$1 + + local run_status + + # May have unexpected results if run_status has multiple matches + run_status=$(kubectl get pipelineruns "$run_name" | tail -1 | awk '{print $2}') + + if [ "$run_status" = "True" ]; then + echo "0" + return + elif [ 
"$run_status" = "False" ]; then + echo "1" + return + fi + + echo "1" + return +} diff --git a/scripts/deploy/github/manifests/kustomization.yaml b/scripts/deploy/github/manifests/kustomization.yaml new file mode 100644 index 000000000000..36a24779ede9 --- /dev/null +++ b/scripts/deploy/github/manifests/kustomization.yaml 
@@ -0,0 +1,111 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow + +resources: +- ../../../../manifests/kustomize/base/installs/generic +- ../../../../manifests/kustomize/base/metadata/base +- ../../../../manifests/kustomize/third-party/tekton/installs/cluster +- ../../../../manifests/kustomize/third-party/tekton-custom-task +- ../../../../manifests/kustomize/third-party/minio/base +- ../../../../manifests/kustomize/third-party/mysql/base + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. + +images: +- name: gcr.io/ml-pipeline/api-server + newName: kind-registry:5000/apiserver + newTag: latest +- name: gcr.io/ml-pipeline/persistenceagent + newName: kind-registry:5000/persistenceagent + newTag: latest +- name: gcr.io/ml-pipeline/scheduledworkflow + newName: kind-registry:5000/scheduledworkflow + newTag: latest +- name: '*/aipipeline/tekton-exithandler-controller' + newTag: latest +- name: '*/aipipeline/tekton-exithandler-webhook' + newTag: latest +- name: '*/aipipeline/tekton-kfptask-controller' + newTag: latest +- name: '*/aipipeline/tekton-kfptask-webhook' + newTag: latest + +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines + +patches: +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline + spec: + template: + spec: + containers: + - name: ml-pipeline-api-server + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-persistenceagent + spec: + template: + spec: + containers: + - name: ml-pipeline-persistenceagent + env: + - name: EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-scheduledworkflow + spec: + template: + spec: + containers: + - name: ml-pipeline-scheduledworkflow + env: + - name: 
EXECUTIONTYPE + value: PipelineRun +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: ml-pipeline-ui + spec: + template: + spec: + containers: + - name: ml-pipeline-ui + env: + - name: POD_LOG_CONTAINER_NAME + value: step-user-main +- patch: |- + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: mysql-pv-claim + spec: + resources: + requests: + storage: 5Gi +- patch: |- + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: minio-pvc + spec: + resources: + requests: + storage: 5Gi diff --git a/scripts/deploy/github/re-tag.sh b/scripts/deploy/github/re-tag.sh new file mode 100755 index 000000000000..59bf4f8a3e78 --- /dev/null +++ b/scripts/deploy/github/re-tag.sh 
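Review bot: The comment "Identifier for application manager to apply ownerReference …" sits directly above the `images:` list but describes the `application-crd-id: kubeflow-pipelines` pair under `labels:` further down; move it above that `labels:` block so it documents what it refers to. The image overrides hard-code `kind-registry:5000` and `newTag: latest`, whereas build-images.sh reads `REGISTRY` and `TAG` from the environment, so overriding either in the workflow would presumably push images to a location this kustomization never references; a comment such as `# must match REGISTRY/TAG defaults in scripts/deploy/github/build-images.sh` on the first `images:` entry makes that coupling visible to the next maintainer.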
@@ -0,0 +1,37 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# source: https://raw.githubusercontent.com/open-toolchain/commons/master/scripts/check_registry.sh + +# Remove the x if you need no print out of each command +set -e + +REGISTRY1="${REGISTRY1:-docker.io/aipipeline}" +REGISTRY2="${REGISTRY2:-gcr.io/ml-pipeline}" +TAG1="${TAG1:-latest}" +TAG2="${TAG2:-latest}" + +docker system prune -a -f + +declare -a IMAGES=(apiserver persistenceagent scheduledworkflow tekton-driver) + +for IMAGE in "${IMAGES[@]}"; do + docker pull "${REGISTRY1}/${IMAGE}:${TAG1}" + docker tag "${REGISTRY1}/${IMAGE}:${TAG1}" "${REGISTRY2}/${IMAGE}:${TAG2}" + docker push "${REGISTRY2}/${IMAGE}:${TAG2}" +done + +# clean up intermittent build caches to free up disk space +docker system prune -a -f diff --git a/scripts/deploy/github/test-dynamic-loop.sh b/scripts/deploy/github/test-dynamic-loop.sh new file mode 100755 index 000000000000..016a9b7cfbac --- /dev/null +++ b/scripts/deploy/github/test-dynamic-loop.sh 
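Review bot: The promotion loop in re-tag.sh copies images by the mutable tag `${TAG1}` and leaves no record of what was actually promoted, so a later audit cannot tell which content ended up under `${REGISTRY2}/${IMAGE}:${TAG2}`; after the `docker pull`, log the resolved digest with `docker image inspect --format '{{index .RepoDigests 0}}' "${REGISTRY1}/${IMAGE}:${TAG1}"` so the run output pins the source to an immutable reference. The header comment pointing at `check_registry.sh` as the source and the "Remove the x" comment both appear to be carried over and no longer describe this script (it only sets `set -e`). `docker system prune -a -f` at both ends removes every unused image on the host, which is fine on an ephemeral runner but worth a comment if the script is ever run elsewhere.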
@@ -0,0 +1,27 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +C_DIR="${BASH_SOURCE%/*}" +if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi +source "${C_DIR}/test-pipeline.sh" + +RESULT=0 +run_test_case "loop_output" "samples/core/loop_output/loop_output.py" "SUCCEEDED" 20 || RESULT=$? + +STATUS_MSG=PASSED +if [[ "$RESULT" -ne 0 ]]; then + STATUS_MSG=FAILED +fi diff --git a/scripts/deploy/github/test-env.sh b/scripts/deploy/github/test-env.sh new file mode 100755 index 000000000000..20197505fe90 --- /dev/null +++ b/scripts/deploy/github/test-env.sh 
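Review bot: The `C_DIR` resolution, `source test-pipeline.sh`, `RESULT=0 … || RESULT=$?` and the `STATUS_MSG=PASSED/FAILED` block are repeated verbatim in test-dynamic-loop.sh, test-env.sh (L160) and test-flip-coin.sh (L161), differing only in the `run_test_case` arguments. Since every one of these files is sourced by e2e-test.sh, which already resolves `C_DIR`, the per-test files could shrink to the single `run_test_case` line if test-pipeline.sh exported a small wrapper that sets `RESULT` and `STATUS_MSG`; that keeps the pass/fail protocol between e2e-test.sh and the test scripts in one place. A one-line comment at the top of each test script, e.g. `# sourced by e2e-test.sh; must set RESULT and STATUS_MSG`, would document that contract, which is currently implicit.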
@@ -0,0 +1,33 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +KUBEFLOW_NS="${KUBEFLOW_NS:-kubeflow}" + +C_DIR="${BASH_SOURCE%/*}" +if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi +source "${C_DIR}/test-pipeline.sh" + +# need kfp-kubernetes for this test case +# unfortunately, we can't install it from kubernetes_platform/python +pip install kfp-kubernetes + +RESULT=0 +run_test_case "use-env" "samples/v2/pipeline_with_env.py" "SUCCEEDED" 5 || RESULT=$? + +STATUS_MSG=PASSED +if [[ "$RESULT" -ne 0 ]]; then + STATUS_MSG=FAILED +fi diff --git a/scripts/deploy/github/test-flip-coin.sh b/scripts/deploy/github/test-flip-coin.sh new file mode 100755 index 000000000000..471dde917d13 --- /dev/null +++ b/scripts/deploy/github/test-flip-coin.sh 
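Review bot: `pip install kfp-kubernetes` in test-env.sh is unpinned, so each CI run resolves whatever version is current on the index at that moment; the test becomes non-reproducible and the job's result depends on an uncontrolled upstream release. Pin it, e.g. `pip install "kfp-kubernetes==<PINNED_VERSION>"` (placeholder; pick the version the sdk is tested against), and ideally install it in the same step of the workflow that installs the sdk so the environment for the "use env" test is assembled in one place.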
@@ -0,0 +1,27 @@ +#!/bin/bash +# +# Copyright 2023 kubeflow.org +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +C_DIR="${BASH_SOURCE%/*}" +if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi +source "${C_DIR}/test-pipeline.sh" + +RESULT=0 +run_test_case "flip-coin" "samples/core/condition/condition_v2.py" "SUCCEEDED" 20 || RESULT=$? + +STATUS_MSG=PASSED +if [[ "$RESULT" -ne 0 ]]; then + STATUS_MSG=FAILED +fi diff --git a/scripts/deploy/github/test-pipeline.sh b/scripts/deploy/github/test-pipeline.sh new file mode 100755 index 000000000000..8a09ab99a5e8 --- /dev/null +++ b/scripts/deploy/github/test-pipeline.sh 
@@ -0,0 +1,97 @@
+#!/bin/bash
+#
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+retry() {
+ local max=$1; shift
+ local interval=$1; shift
+
+ until "$@"; do
+ echo "trying.."
+ max=$((max-1))
+ if [[ "$max" -eq 0 ]]; then
+ return 1
+ fi
+ sleep "$interval"
+ done
+}
+
+# compile the python to a pipeline yaml, upload the pipeline, create a run,
+# and wait until the run finishes.
+run_test_case() {
+ if [[ $# -ne 4 ]]
+ then
+ echo "Usage: run_test_case test-case-name python-file condition-string wait-time"
+ return 1
+ fi
+ local REV=1
+ local TEST_CASE=$1
+ shift
+ local PY_FILE=$1
+ shift
+ local F_STATUS=$1
+ shift
+ local DURATION=$1
+ shift
+ local PIPELINE_ID
+ local RUN_ID
+ local KFP_COMMAND="kfp"
+ local PIPELINE_NAME="${TEST_CASE}-$((RANDOM%10000+1))"
+ local YAML_FILE=$(echo "${PY_FILE}" | sed "s/\.py$/\.yaml/")
+
+ echo " ===== ${TEST_CASE} ====="
+ $KFP_COMMAND dsl compile --py "${PY_FILE}" --output "${YAML_FILE}"
+ retry 3 3 $KFP_COMMAND --endpoint http://localhost:8888 pipeline create -p "$PIPELINE_NAME" "${YAML_FILE}" 2>&1 || :
+ PIPELINE_ID=$($KFP_COMMAND --endpoint http://localhost:8888 pipeline list 2>&1| grep "$PIPELINE_NAME" | awk '{print $1}')
+ if [[ -z "$PIPELINE_ID" ]]; then
+ echo "Failed to upload pipeline"
+ return "$REV"
+ fi
+ VERSION_ID=$($KFP_COMMAND --endpoint http://localhost:8888 pipeline list-versions "${PIPELINE_ID}" 2>&1| grep "$PIPELINE_NAME" | awk '{print $1}')
+
+ local RUN_NAME="${PIPELINE_NAME}-run"
+ retry 3 3 $KFP_COMMAND --endpoint http://localhost:8888 run create -e "exp-${TEST_CASE}" -r "$RUN_NAME" -p "$PIPELINE_ID" -v "$VERSION_ID" 2>&1 || :
+ RUN_ID=$($KFP_COMMAND --endpoint http://localhost:8888 run list 2>&1| grep "$RUN_NAME" | awk '{print $1}')
+ if [[ -z "$RUN_ID" ]]; then
+ echo "Failed to submit a run for ${TEST_CASE} pipeline"
+ return "$REV"
+ fi
+
+ local RUN_STATUS
+ ENDTIME=$(date -ud "$DURATION minute" +%s)
+ while [[ "$(date -u +%s)" -le "$ENDTIME" ]]; do
+ RUN_STATUS=$($KFP_COMMAND --endpoint http://localhost:8888 run list 2>&1| grep "$RUN_NAME" | awk '{print $4}')
+ if [[ "$RUN_STATUS" == "$F_STATUS" ]]; then
+ REV=0
+ break;
+ fi
+ echo " Status of ${TEST_CASE} run: $RUN_STATUS"
+ if [[ "$RUN_STATUS" == "FAILED" ]]; then
+ REV=1
+ break;
+ fi
+ sleep 10
+ done
+
+ if [[ "$REV" -eq 0 ]]; then
+ echo " ===== ${TEST_CASE} PASSED ====="
+ else
+ echo " ===== ${TEST_CASE} FAILED ====="
+ fi
+
+ echo 'y' | $KFP_COMMAND --endpoint http://localhost:8888 run delete "$RUN_ID" || :
+
+ return "$REV"
+}
diff --git a/scripts/deploy/github/test-secret-as-env.sh b/scripts/deploy/github/test-secret-as-env.sh
new file mode 100755
index 000000000000..b203182c8aeb
--- /dev/null
+++ b/scripts/deploy/github/test-secret-as-env.sh
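Review bot: `grep "$PIPELINE_NAME"` in the `pipeline list` and `pipeline list-versions` calls is a substring match, so a generated name such as `flip-coin-12` also matches a pre-existing `flip-coin-123` or `flip-coin-1234`, and `PIPELINE_ID` / `VERSION_ID` then hold several whitespace-joined IDs that silently break the following `run create`; `grep -w "$PIPELINE_NAME"` (or an exact field comparison in awk) restricts it to the intended row, and this only bites when an older pipeline with a longer matching name exists in the same instance. `VERSION_ID` and `ENDTIME` are assigned without `local`, so they leak into the caller's shell; declaring `local VERSION_ID` and `local ENDTIME` next to the other declarations fixes that. In `retry`, the counter is decremented before the `-eq 0` test, so a `max` of 0 never terminates; `if [[ "$max" -le 0 ]]; then` is the safer guard. The endpoint `http://localhost:8888` is repeated six times in `run_test_case`; a `local KFP_ENDPOINT="http://localhost:8888"` beside `KFP_COMMAND` would make it configurable from one place.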
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+KUBEFLOW_NS="${KUBEFLOW_NS:-kubeflow}"
+
+C_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi
+source "${C_DIR}/test-pipeline.sh"
+
+# need kfp-kubernetes for this test case
+# unfortunately, we can't install it from kubernetes_platform/python
+pip install kfp-kubernetes
+
+# create the secret
+kubectl create secret -n "$KUBEFLOW_NS" generic "user-gcp-sa" --from-literal="type=service_account" || true
+
+RESULT=0
+run_test_case "secret-env" "samples/v2/pipeline_with_secret_as_env.py" "SUCCEEDED" 5 || RESULT=$?
+
+# remove secret after the test finishes
+kubectl delete secret -n "$KUBEFLOW_NS" "user-gcp-sa"
+
+STATUS_MSG=PASSED
+if [[ "$RESULT" -ne 0 ]]; then
+ STATUS_MSG=FAILED
+fi
diff --git a/scripts/deploy/github/test-secret-as-volume.sh b/scripts/deploy/github/test-secret-as-volume.sh
new file mode 100755
index 000000000000..f65c3e262629
--- /dev/null
+++ b/scripts/deploy/github/test-secret-as-volume.sh
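Review bot: `kubectl create secret ... || true` masks every failure, including an already-existing `user-gcp-sa`, and the later `kubectl delete secret` runs unconditionally, so if that secret is already present in `$KUBEFLOW_NS` the test silently runs against its contents and then removes a secret this script did not create; because `KUBEFLOW_NS` is overridable the script is not limited to the throwaway kind cluster the workflow sets up. Track whether this script created the secret and only clean up in that case: `CREATED_SECRET=0`, then `kubectl create secret -n "$KUBEFLOW_NS" generic "user-gcp-sa" --from-literal="type=service_account" && CREATED_SECRET=1`, and at the end `[[ "$CREATED_SECRET" -eq 1 ]] && kubectl delete secret -n "$KUBEFLOW_NS" "user-gcp-sa"`. test-secret-as-volume.sh carries the identical create/delete pair and needs the same change. A short comment above the create, `# dummy credential for the sample pipeline; not a real service account`, would also make the intent clear to the next reader.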
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+KUBEFLOW_NS="${KUBEFLOW_NS:-kubeflow}"
+
+C_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi
+source "${C_DIR}/test-pipeline.sh"
+
+# need kfp-kubernetes for this test case
+# unfortunately, we can't install it from kubernetes_platform/python
+pip install kfp-kubernetes
+
+# create the secret
+kubectl create secret -n "$KUBEFLOW_NS" generic "user-gcp-sa" --from-literal="type=service_account" || true
+
+RESULT=0
+run_test_case "secret-volume" "samples/v2/pipeline_with_secret_as_volume.py" "SUCCEEDED" 5 || RESULT=$?
+
+# remove secret after the test finishes
+kubectl delete secret -n "$KUBEFLOW_NS" "user-gcp-sa"
+
+STATUS_MSG=PASSED
+if [[ "$RESULT" -ne 0 ]]; then
+ STATUS_MSG=FAILED
+fi
diff --git a/scripts/deploy/github/test-static-loop.sh b/scripts/deploy/github/test-static-loop.sh
new file mode 100755
index 000000000000..84fea57e5ab1
--- /dev/null
+++ b/scripts/deploy/github/test-static-loop.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+C_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi
+source "${C_DIR}/test-pipeline.sh"
+
+RESULT=0
+run_test_case "static-loop" "samples/core/loop_static/loop_static.py" "SUCCEEDED" 20 || RESULT=$?
+
+STATUS_MSG=PASSED
+if [[ "$RESULT" -ne 0 ]]; then
+ STATUS_MSG=FAILED
+fi
diff --git a/scripts/deploy/github/test-volume.sh b/scripts/deploy/github/test-volume.sh
new file mode 100755
index 000000000000..87fe2f0356f7
--- /dev/null
+++ b/scripts/deploy/github/test-volume.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Copyright 2023 kubeflow.org
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+KUBEFLOW_NS="${KUBEFLOW_NS:-kubeflow}"
+
+C_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$C_DIR" ]]; then C_DIR="$PWD"; fi
+source "${C_DIR}/test-pipeline.sh"
+
+# need kfp-kubernetes for this test case
+# unfortunately, we can't install it from kubernetes_platform/python
+pip install kfp-kubernetes
+
+RESULT=0
+run_test_case "use-volume" "samples/v2/pipeline_with_volume.py" "SUCCEEDED" 10 || RESULT=$?
+
+STATUS_MSG=PASSED
+if [[ "$RESULT" -ne 0 ]]; then
+ STATUS_MSG=FAILED
+fi