From b4a404dea9b6eed2bbbb15f749543c08f5fc7794 Mon Sep 17 00:00:00 2001 From: Khurram Baig Date: Mon, 14 Nov 2022 23:03:58 +0530 Subject: [PATCH] Add Example for NamespacedInterceptor Example utilizes Core Interceptor from v0.19 Triggers.
---
.../v1alpha1/namespacedinterceptor/README.md | 32 ++++ .../namespacedinterceptor/eventlistener.yaml | 37 ++++ .../interceptors-deployment.yaml | 160 ++++++++++++++++++ .../namespacedinterceptor/interceptors.yaml | 25 +++ .../v1alpha1/namespacedinterceptor/rbac.yaml | 29 ++++ 5 files changed, 283 insertions(+) create mode 100644 examples/v1alpha1/namespacedinterceptor/README.md create mode 100644 examples/v1alpha1/namespacedinterceptor/eventlistener.yaml create mode 100644 examples/v1alpha1/namespacedinterceptor/interceptors-deployment.yaml create mode 100644 examples/v1alpha1/namespacedinterceptor/interceptors.yaml create mode 100644 examples/v1alpha1/namespacedinterceptor/rbac.yaml
diff --git a/examples/v1alpha1/namespacedinterceptor/README.md b/examples/v1alpha1/namespacedinterceptor/README.md
new file mode 100644
index 000000000..4e34307f2
--- /dev/null
+++ b/examples/v1alpha1/namespacedinterceptor/README.md
@@ -0,0 +1,32 @@
+## NamespacedInterceptor
+
+Creates a NamespacedInterceptor and an EventListener which utilizes this Interceptor.
+
+### Try it out locally:
+
+1. To create the NamespacedInterceptor and all related resources, run:
+
+ ```bash
+ kubectl apply -f .
+ ```
+
+1. Port forward:
+
+ ```bash
+ kubectl port-forward service/el-example-interceptor-cel 8080 &
+ ```
+
+1. Test by sending the sample payload.
+
+ ```bash
+ curl -k -v -H 'X-GitHub-Event: pull_request' -H 'X-Hub-Signature: sha1=8d7c4d33686fd908394208a07d997b8f5bd70aa6' -H 'Content-Type: application/json' -d '{"head_commit":{"id":"28911bbb5a3e2ea034daf1f6be0a822d50e31e73"},"action": "opened", "pull_request":{"head":{"sha": "28911bbb5a3e2ea034daf1f6be0a822d50e31e73"}},"repository":{"clone_url": "https://github.com/tektoncd/triggers.git", "url":"https://github.com/tektoncd/triggers.git"}}' http://localhost:8080
+ ```
+
+ The response status code should be `202 Accepted`
+
+
+1. You should see a new TaskRun that got created:
+
+ ```bash
+ kubectl get taskruns | grep example-interceptor-run-
+ ```
diff --git a/examples/v1alpha1/namespacedinterceptor/eventlistener.yaml b/examples/v1alpha1/namespacedinterceptor/eventlistener.yaml
new file mode 100644
index 000000000..9c3a46bc6
--- /dev/null
+++ b/examples/v1alpha1/namespacedinterceptor/eventlistener.yaml
@@ -0,0 +1,37 @@
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+ name: example-interceptor-cel
+spec:
+ serviceAccountName: tekton-triggers-example-sa
+ triggers:
+ - name: cel-trig
+ interceptors:
+ - ref:
+ name: "example-interceptor-cel"
+ kind: NamespacedInterceptor
+ params:
+ - name: "filter"
+ value: "header.match('X-GitHub-Event', 'pull_request')"
+ bindings:
+ - name: gitrevision
+ value: $(body.head_commit.id)
+ - name: gitrepositoryurl
+ value: $(body.repository.url)
+ template:
+ spec:
+ params:
+ - name: gitrevision
+ - name: gitrepositoryurl
+ resourcetemplates:
+ - apiVersion: tekton.dev/v1beta1
+ kind: TaskRun
+ metadata:
+ generateName: example-interceptor-run-
+ spec:
+ taskSpec:
+ steps:
+ - image: ubuntu
+ script: |
+ #! /bin/bash
+ echo "Revision is : $(tt.params.gitrevision). RepoURL is $(tt.params.gitrepositoryurl)"
diff --git a/examples/v1alpha1/namespacedinterceptor/interceptors-deployment.yaml b/examples/v1alpha1/namespacedinterceptor/interceptors-deployment.yaml
new file mode 100644
index 000000000..d870ce470
--- /dev/null
+++ b/examples/v1alpha1/namespacedinterceptor/interceptors-deployment.yaml
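Review bot: The TaskRun `script` at the end of this hunk splices `$(tt.params.gitrevision)` and `$(tt.params.gitrepositoryurl)` straight into bash source, and both values come from the webhook body through the bindings, so whoever can reach the listener controls text that the shell interprets inside the double-quoted `echo`. The only interceptor is a CEL filter on the `X-GitHub-Event` header; nothing in this hunk verifies the `X-Hub-Signature` that the README's sample request sends. Passing the two values through `env` and expanding them as shell variables keeps them data rather than code, as sketched below. Because examples get copied, a comment stating that signature validation is deliberately left out would also help.

```yaml
# … unchanged: EventListener metadata, interceptor ref, bindings, template params …
            - image: ubuntu
              env:
                - name: GIT_REVISION
                  value: $(tt.params.gitrevision)
                - name: GIT_REPOSITORY_URL
                  value: $(tt.params.gitrepositoryurl)
              script: |
                # … unchanged: shebang line …
                echo "Revision is : ${GIT_REVISION}. RepoURL is ${GIT_REPOSITORY_URL}"
```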
@@ -0,0 +1,160 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: example-interceptor-cel
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: example-interceptor-cel
+subjects:
+ - kind: ServiceAccount
+ name: example-interceptor-cel
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: example-interceptor-cel
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: example-interceptor-cel-secrets
+subjects:
+ - kind: ServiceAccount
+ name: example-interceptor-cel
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: example-interceptor-cel-secrets
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: example-interceptor-cel
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: example-interceptor-cel
+ namespace: default
+roleRef:
+ kind: Role
+ name: example-interceptor-cel
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: example-interceptor-cel
+ namespace: default
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: example-interceptor-cel
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: example-interceptor-cel-secrets
+rules:
+ - apiGroups: ["triggers.tekton.dev"]
+ resources: ["clusterinterceptors"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "update"]
+ resourceNames: ["example-interceptor-cel-certs"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/component: example-interceptor-cel
+ name: example-interceptor-cel
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: example-interceptor-cel
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: example-interceptor-cel
+ spec:
+ containers:
+ - args:
+ - -logtostderr
+ - -stderrthreshold
+ - INFO
+ env:
+ - name: SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/interceptors:v0.19.0@sha256:69fb65c702c74d086851b4c9852bd63b057b08fa5f8d54ddd1c0585e5f66dec1"
+ imagePullPolicy: IfNotPresent
+ name: example-interceptor-cel
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8082
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccount: example-interceptor-cel
+ serviceAccountName: example-interceptor-cel
+ terminationGracePeriodSeconds: 30
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: example-interceptor-cel
+spec:
+ ports:
+ - name: "http"
+ port: 8082
+ targetPort: 8082
+ selector:
+ app.kubernetes.io/component: example-interceptor-cel
diff --git a/examples/v1alpha1/namespacedinterceptor/interceptors.yaml b/examples/v1alpha1/namespacedinterceptor/interceptors.yaml
new file mode 100644
index 000000000..72fcfb0a9
--- /dev/null
+++ b/examples/v1alpha1/namespacedinterceptor/interceptors.yaml
@@ -0,0 +1,25 @@
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: Interceptor
+metadata:
+ name: example-interceptor-cel
+spec:
+ clientConfig:
+ service:
+ name: example-interceptor-cel
+ namespace: default
+ path: cel
+ port: 8082
diff --git a/examples/v1alpha1/namespacedinterceptor/rbac.yaml b/examples/v1alpha1/namespacedinterceptor/rbac.yaml
new file mode 100644
index 000000000..7e441ecc1
--- /dev/null
+++ b/examples/v1alpha1/namespacedinterceptor/rbac.yaml
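Review bot: The ClusterRole `example-interceptor-cel` grants `get`, `list` and `watch` on every Secret in the cluster, and the ClusterRoleBinding of the same name hands that to the example's ServiceAccount, which is far more than an interceptor scoped to one namespace should need. The EventListener in this patch only uses a CEL header filter and references no secret, so the rule looks carried over from the cluster-wide core interceptors deployment. If the v0.19.0 binary can run with namespace-scoped access (worth confirming, since it may list Secrets cluster-wide at start-up), use `kind: Role` with `namespace: default` and bind it with a `RoleBinding`; otherwise add a comment above the rule stating why cluster-wide Secret read is required. The second ClusterRole's `update` on `clusterinterceptors` deserves the same justification, because the resource this example defines is a namespaced `Interceptor`.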
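Review bot: `clientConfig.service.namespace: default` is hard-coded here while the Interceptor itself, and the Deployment and Service in interceptors-deployment.yaml, carry no `metadata.namespace`, so the README's `kubectl apply -f .` run from any other namespace leaves this Interceptor pointing at a Service that was created elsewhere. The same literal appears in the RBAC subjects of interceptors-deployment.yaml and in the ClusterRoleBinding of rbac.yaml, where a mismatch binds the roles to a ServiceAccount in `default` instead of the one just created. Either set `namespace: default` under `metadata` on every namespaced object in the example, or state the requirement in the README, for instance `kubectl apply -n default -f .`. Separately, the endpoint is `port: 8082` and the Deployment's readiness probe uses `scheme: HTTP`, which suggests EventListener-to-interceptor traffic is unencrypted in this example; a comment saying so would help readers who copy it.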
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tekton-triggers-example-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: triggers-example-eventlistener-binding
+subjects:
+- kind: ServiceAccount
+ name: tekton-triggers-example-sa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-triggers-eventlistener-roles
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: triggers-example-eventlistener-clusterbinding
+subjects:
+- kind: ServiceAccount
+ name: tekton-triggers-example-sa
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tekton-triggers-eventlistener-clusterroles