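# Deployment for the Tekton Pipelines controller.
# The $(...) tokens in `image` and `args` are placeholders; they have to be
# substituted with real image references before this manifest is applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: tekton-pipelines-controller
    # tekton.dev/release value replaced with inputs.params.versionTag in
    # pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v0.21.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: tekton-pipelines-controller
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app.kubernetes.io/component: tekton-pipelines-controller
        app.kubernetes.io/version: "v0.21.0"
        # tekton.dev/release value replaced with inputs.params.versionTag in
        # pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v0.21.0"
        # labels below are related to istio and should not be used for
        # resource lookup
        app: tekton-pipelines-controller
    spec:
      serviceAccountName: tekton-pipelines-controller
      containers:
        - name: tekton-pipelines-controller
          image: $(tekton-registry)/$(controller)
          # NOTE(review): unlike the webhook container below, no
          # resources.requests/limits are set here - confirm that is intended.
          args:
            # Version, to be replaced at release time
            - "-version"
            - "v0.21.0"
            # These images are built on-demand by `ko resolve` and are replaced
            # by image references by digest.
            # NOTE(review): the controller hands these images to the pods it
            # creates, so whatever replaces the placeholders should stay
            # digest-pinned - confirm in the substitution step.
            - "-kubeconfig-writer-image"
            - $(tekton-registry)/$(kubeconfigwriter)
            - "-git-image"
            - $(tekton-registry)/$(git-init)
            - "-entrypoint-image"
            - $(tekton-registry)/$(entrypoint)
            - "-nop-image"
            - $(tekton-registry)/$(nop)
            - "-imagedigest-exporter-image"
            - $(tekton-registry)/$(imagedigestexporter)
            - "-pr-image"
            - $(tekton-registry)/$(pullrequest-init)
            - "-build-gcs-fetcher-image"
            - $(tekton-registry)/$(gcs-fetcher)
            # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
            - "-gsutil-image"
            - $(gsutil-registry)/$(gsutil)
            # The shell image must be root in order to create directories and
            # copy files to PVCs.
            # gcr.io/distroless/base:debug as of November 15, 2020
            # The image reference must not contain a tag, so that it is
            # supported on a runtime like cri-o.
            - "-shell-image"
            - $(bash-registry)/$(bash)
          volumeMounts:
            - name: config-logging
              mountPath: /etc/config-logging
            - name: config-registry-cert
              mountPath: /etc/config-registry-cert
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the controller's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_DEFAULTS_NAME
              value: config-defaults
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_ARTIFACT_BUCKET_NAME
              value: config-artifact-bucket
            - name: CONFIG_ARTIFACT_PVC_NAME
              value: config-artifact-pvc
            - name: CONFIG_FEATURE_FLAGS_NAME
              value: feature-flags
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            # The file named here lives in the config-registry-cert ConfigMap
            # mounted above.
            # NOTE(review): write access to that ConfigMap presumably changes
            # which CAs the controller trusts - keep its RBAC tight.
            - name: SSL_CERT_FILE
              value: /etc/config-registry-cert/cert
            - name: SSL_CERT_DIR
              value: /etc/ssl/certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                # Upper-case ALL is the spelling the Pod Security Standards
                # "restricted" profile checks for; lower-case "all" is not
                # recognised by that check.
                - ALL
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # Makes the kubelet refuse to start the container as UID 0 even
            # if runAsUser is later removed or overridden.
            runAsNonRoot: true
            # NOTE(review): seccompProfile (RuntimeDefault) and
            # readOnlyRootFilesystem are not set; consider them once the
            # minimum supported cluster version and the controller's write
            # paths are confirmed.
          ports:
            - name: probes
              containerPort: 8080
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
      volumes:
        - name: config-logging
          configMap:
            name: config-logging
        - name: config-registry-cert
          configMap:
            name: config-registry-cert
---
# Deployment for the Tekton Pipelines admission webhook.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: tekton-pipelines-webhook
    app.kubernetes.io/version: "v0.21.0"
    # tekton.dev/release value replaced with inputs.params.versionTag in
    # pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "v0.21.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: tekton-pipelines-webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app.kubernetes.io/component: tekton-pipelines-webhook
        app.kubernetes.io/version: "v0.21.0"
        # tekton.dev/release value replaced with inputs.params.versionTag in
        # pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v0.21.0"
        # labels below are related to istio and should not be used for
        # resource lookup
        app: tekton-pipelines-webhook
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            # NOTE(review): the labels selected here (name/instance/part-of
            # and component: webhook) are not the labels this pod template
            # sets, so as written the term does not match these pods and
            # would not spread replicas if the count is raised - confirm
            # whether another layer adds the labels.
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: webhook
                    app.kubernetes.io/component: webhook
                    app.kubernetes.io/instance: default
                    app.kubernetes.io/part-of: tekton-pipelines
                topologyKey: kubernetes.io/hostname
              weight: 100
      serviceAccountName: tekton-pipelines-webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          image: $(tekton-registry)/$(webhook)
          # Resource request required for autoscaler to take any action for a
          # metric
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: 500m
              memory: 500Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # If you are changing these names, you will also need to update
            # the webhook's Role in 200-role.yaml to include the new
            # values in the "configmaps" "get" rule.
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-pipelines-webhook
            - name: WEBHOOK_SECRET_NAME
              value: webhook-certs
            - name: METRICS_DOMAIN
              value: tekton.dev/pipeline
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                # Upper-case ALL is the spelling the Pod Security Standards
                # "restricted" profile checks for; lower-case "all" is not
                # recognised by that check.
                - ALL
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # Makes the kubelet refuse to start the container as UID 0 even
            # if runAsUser is later removed or overridden.
            runAsNonRoot: true
            # NOTE(review): seccompProfile (RuntimeDefault) and
            # readOnlyRootFilesystem are not set; consider them once the
            # minimum supported cluster version and the webhook's write
            # paths are confirmed.
          ports:
            - name: metrics
              containerPort: 9090
            # NOTE(review): a profiling port is declared; confirm it is not
            # exposed through a Service or reachable from untrusted
            # namespaces.
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
            - name: probes
              containerPort: 8080
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5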