
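# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Tekton Chains v0.23.0 controller: signs completed TaskRuns/PipelineRuns and
# the OCI images they produce, and optionally records entries in a
# transparency log. This is the upstream release manifest; reviewer notes are
# prefixed "(review)".
kind: Namespace
apiVersion: v1
metadata:
  name: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
---
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
# The data is populated at install time.
# data:
#
# (review) Applying this file as-is creates an EMPTY Secret. chains-config
# below selects the x509 signer and the Deployment mounts this Secret at
# /etc/signing-secrets, so the signing key has to be injected out of band
# (e.g. `cosign generate-key-pair k8s://tekton-chains/signing-secrets`).
# With no key present the controller is expected to fall through to keyless
# (Fulcio) signing using the projected OIDC token mounted below — confirm that
# is the intended trust model rather than an accident of an unpopulated Secret.
# If a GitOps reconciler applies this file, verify it does not strip the
# out-of-band `data` on every sync (field ownership).
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
data:
  # TaskRun attestations: SLSA v1 provenance, signed with the x509 key from
  # signing-secrets, stored in the OCI registry alongside the image.
  artifacts.taskrun.format: slsa/v1
  artifacts.taskrun.storage: "oci"
  artifacts.taskrun.signer: x509
  # PipelineRun attestations: format and signer are configured but storage is
  # empty. (review) With no storage backend, PipelineRun-level provenance is
  # not persisted anywhere; if pipeline-level SLSA provenance is a
  # requirement, set this to "oci" (or another supported backend).
  artifacts.pipelinerun.format: slsa/v1
  artifacts.pipelinerun.storage: ""
  artifacts.pipelinerun.signer: x509
  # OCI image signatures (cosign simple-signing payload) pushed to the
  # registry. Pushing needs registry credentials; presumably resolved from the
  # run's ServiceAccount, which is why the controller reads Secrets and
  # ServiceAccounts in tenant namespaces (see tenant-access ClusterRole).
  artifacts.oci.storage: oci
  artifacts.oci.format: simplesigning
  artifacts.oci.signer: x509
  # (review) "manual" uploads to Rekor only for runs that explicitly opt in
  # via the `chains.tekton.dev/transparency-upload` annotation (per the Chains
  # config docs — confirm for this version). Unannotated runs are signed but
  # leave no transparency-log record, so verifiers cannot require Rekor
  # inclusion. Set to "true" to upload for every run.
  transparency.enabled: manual
  transparency.url: https://rekor.sigstore.dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-chains-controller
  namespace: tekton-chains
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
    pipeline.tekton.dev/release: "v0.23.0"
    version: "v0.23.0"
spec:
  # Single replica; leader election (Role below) makes scaling out safe.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-chains
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-chains-controller
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/part-of: tekton-chains
        # # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "v0.23.0"
        version: "v0.23.0"
    spec:
      serviceAccountName: tekton-chains-controller
      containers:
        - name: tekton-chains-controller
          # Pinned by digest as well as tag: the tag is mutable, the digest is
          # what actually guarantees the reviewed image is the one that runs.
          image: ghcr.io/tektoncd/chains/controller-92006fd957c0afd31de6a40b3e33b39f:v0.23.0@sha256:7abab31684e1e6afe070145883c3d4bd4e673a55eee48d156675ee22b9cd2c8b
          volumeMounts:
            # x509 signing key (see the signing-secrets Secret above).
            - name: signing-secrets
              mountPath: /etc/signing-secrets
            # Projected SA token with audience "sigstore", used for keyless
            # signing against Fulcio.
            - name: oidc-info
              mountPath: /var/run/sigstore/cosign
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: METRICS_DOMAIN
              value: tekton.dev/chains
            - name: CONFIG_OBSERVABILITY_NAME
              value: tekton-chains-config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: tekton-chains-config-leader-election
          ports:
            # Prometheus metrics, exposed by the tekton-chains-metrics Service.
            - name: metrics
              containerPort: 9090
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # (review) Added hardening to meet the Pod Security "restricted"
            # profile: enforce non-root at admission, drop every Linux
            # capability (the controller binds an unprivileged port and needs
            # none), and opt into the runtime's default seccomp profile.
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 20m
              memory: 60Mi
            limits:
              cpu: 50m
              memory: 192Mi
      volumes:
        - name: signing-secrets
          secret:
            secretName: signing-secrets
        - name: oidc-info
          projected:
            sources:
              # The "public good" instance supports tokens from EKS and GKE by default.
              # The fulcio URL can also be redirected to an instance that has been
              # configured to accept other issuers as well. Removing this volume
              # completely will direct chains to use alternate ambient credentials
              # (e.g. GKE workload identity, SPIFFE)
              - serviceAccountToken:
                  path: oidc-token
                  expirationSeconds: 600 # Use as short-lived as possible.
                  audience: sigstore
---
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-chains-controller-cluster-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
subjects:
  - kind: ServiceAccount
    name: tekton-chains-controller
    namespace: tekton-chains
roleRef:
  kind: ClusterRole
  name: tekton-chains-controller-cluster-access
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-chains-controller-cluster-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
rules:
  - apiGroups: [""]
    # Controller needs to watch Pods created by TaskRuns to see them progress.
    resources: ["pods"]
    verbs: ["list", "watch"]
  # Controller needs cluster access to all of the CRDs that it is responsible for
  # managing.
  #
  # (review) create/update/delete on tasks, pipelines and every *run type
  # cluster-wide is far more than annotating finished runs requires; this rule
  # set mirrors the Tekton Pipelines controller's. A compromised Chains
  # controller could therefore rewrite any Pipeline/Task definition in the
  # cluster. Candidate for tightening (e.g. get/list/watch/patch on taskruns
  # and pipelineruns) once verified against the controller's actual API usage.
  - apiGroups: ["tekton.dev"]
    resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions", "runs"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["taskruns/finalizers", "pipelineruns/finalizers", "runs/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "pipelineresources/status", "runs/status"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # This is the access that the controller needs on a per-namespace basis.
  name: tekton-chains-controller-tenant-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
rules:
  # Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
  # (review) The Pod/PVC/StatefulSet rules and their comments appear to be
  # inherited from the Tekton Pipelines controller manifest; nothing in this
  # file shows Chains creating Pods, PVCs or StatefulSets. Candidate for
  # removal after confirming against the controller's API usage.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  # Read-only access to these.
  # (review) Bound cluster-wide below, this lets the controller get/list/watch
  # EVERY Secret in the cluster — compromise of the controller equals
  # cluster-wide secret exfiltration. Chains presumably needs registry push
  # credentials from tenant ServiceAccounts; scope with per-namespace
  # RoleBindings (see the note before the ClusterRoleBinding) where possible.
  - apiGroups: [""]
    resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
    verbs: ["get", "list", "watch"]
  # Read-write access to StatefulSets for Affinity Assistant.
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
# If this ClusterRoleBinding is replaced with a RoleBinding
# then the ClusterRole would be namespaced. The access described by
# the tekton-chains-controller-tenant-access ClusterRole would
# be scoped to individual tenant namespaces.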
# Cluster-wide binding of the tenant-access ClusterRole. This is what makes the
# Secret/ServiceAccount read rules above apply to every namespace; replacing it
# with per-namespace RoleBindings is the least-privilege alternative.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-chains-controller-tenant-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
subjects:
  - kind: ServiceAccount
    name: tekton-chains-controller
    namespace: tekton-chains
roleRef:
  kind: ClusterRole
  name: tekton-chains-controller-tenant-access
  apiGroup: rbac.authorization.k8s.io
---
# Identity the controller Deployment runs as; every RBAC grant in this file
# targets this single ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-chains-controller
  namespace: tekton-chains
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-chains-leader-election
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
rules:
  # We use coordination.k8s.io Leases for leader election. Namespaced Role:
  # grants apply only to Leases in tekton-chains.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-chains-controller-leaderelection
  namespace: tekton-chains
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
subjects:
  - kind: ServiceAccount
    name: tekton-chains-controller
    namespace: tekton-chains
roleRef:
  kind: Role
  name: tekton-chains-leader-election
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-chains-info
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
rules:
  # All system:authenticated users need to have access
  # to the chains-info ConfigMap even if they don't
  # have access to other resources present in the
  # installed namespace
  #
  # Scoped by resourceNames to the single ConfigMap and to "get" only, so the
  # grant cannot be used to enumerate or read other ConfigMaps.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["chains-info"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-chains-info
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
subjects:
  # Giving all system:authenticated users the access to the
  # ConfigMap which contains version information
  #
  # NOTE(review): system:authenticated includes every ServiceAccount in the
  # cluster, so any workload can fingerprint the installed Chains version.
  # Upstream does this deliberately for CLI discovery; keep only if version
  # disclosure is acceptable in this environment.
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-chains-info
---
# Copyright 2022 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-info
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
data:
  # Contains chains version which can be queried by external
  # tools such as CLI. Elevated permissions are given to
  # this ConfigMap such that even if we don't have access to
  # other resources in the namespace, we can still access
  # this ConfigMap.
  #
  # Keep in step with the Deployment's image tag and version labels.
  version: "v0.23.0"
---
# Copyright 2023 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Leader-election settings, read by the controller via the
# CONFIG_LEADERELECTION_NAME env var. Only the inert `_example` key is set
# here, so the controller's built-in defaults apply.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tekton-chains-config-leader-election
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
data:
  # `_example` is documentation carried as data; the "#" lines inside it are
  # part of the string value, not YAML comments.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # lease-duration is how long non-leaders will wait to try to acquire the
    # lock; 15 seconds is the value used by core kubernetes controllers.
    lease-duration: "60s"

    # renew-deadline is how long a leader will try to renew the lease before
    # giving up; 10 seconds is the value used by core kubernetes controllers.
    renew-deadline: "40s"

    # retry-period is how long the leader election client waits between tries of
    # actions; 2 seconds is the value used by core kubernetes controllers.
    retry-period: "10s"

    # buckets is the number of buckets used to partition key space of each
    # Reconciler. If this number is M and the replica number of the controller
    # is N, the N replicas will compete for the M buckets. The owner of a
    # bucket will take care of the reconciling for the keys partitioned into
    # that bucket.
    buckets: "1"
---
# Copyright 2019 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Logger configuration (knative/zap convention). JSON to stdout/stderr, info
# level, with sampling after the first 100 identical messages per second.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
data:
  # Common configuration for all knative codebase
  # (block scalar: the value is the JSON text itself)
  zap-logger-config: |
    {
      "level": "info",
      "development": false,
      "sampling": {
        "initial": 100,
        "thereafter": 100
      },
      "outputPaths": ["stdout"],
      "errorOutputPaths": ["stderr"],
      "encoding": "json",
      "encoderConfig": {
        "timeKey": "ts",
        "levelKey": "level",
        "nameKey": "logger",
        "callerKey": "caller",
        "messageKey": "msg",
        "stacktraceKey": "stacktrace",
        "lineEnding": "",
        "levelEncoder": "",
        "timeEncoder": "iso8601",
        "durationEncoder": "",
        "callerEncoder": ""
      }
    }
  # Log level overrides
  # NOTE(review): this manifest deploys only a controller, no webhook, so
  # loglevel.webhook is presumably unused here (harmless, inherited from
  # the upstream template). Raising loglevel.controller to "debug" may log
  # signing payloads and registry interactions — avoid in shared clusters.
  loglevel.controller: "info"
  loglevel.webhook: "info"
---
# Copyright 2023 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Metrics/observability settings, read by the controller via the
# CONFIG_OBSERVABILITY_NAME env var. Only the inert `_example` key is set, so
# the defaults described in it (Prometheus backend) apply.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tekton-chains-config-observability
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
data:
  # `_example` is documentation carried as data; the "#" lines inside it are
  # part of the string value, not YAML comments.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.
    #
    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using Stackdriver will incur additional charges.
    # metrics.backend-destination: prometheus
    #
    # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used and metrics will be sent to the cluster's project if this field is
    # not provided.
    # metrics.stackdriver-project-id: "<your stackdriver project id>"
    #
    # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed
    # to send metrics to Stackdriver using "global" resource type and custom
    # metric type. Setting this flag to "true" could cause extra Stackdriver
    # charge. If metrics.backend-destination is not Stackdriver, this is
    # ignored.
    # metrics.allow-stackdriver-custom-metrics: "false"
---
# Copyright 2023 Tekton Authors LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ClusterIP Service exposing the controller's Prometheus endpoint (container
# port 9090) for scraping.
#
# NOTE(review): nothing in this manifest authenticates or restricts access to
# the metrics port; any workload in the cluster can reach it. Metrics are
# low-sensitivity, but if that matters here, add a NetworkPolicy limiting
# ingress on 9090 to the scraper.
apiVersion: v1
kind: Service
metadata:
  name: tekton-chains-metrics
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
    app: tekton-chains-controller
spec:
  ports:
    - name: http-metrics
      port: 9090
      protocol: TCP
      targetPort: 9090
  # Must match the controller Deployment's pod-template labels.
  selector:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
---