diff --git a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml index 7d8cb948a1f..543fda3c054 100644 --- a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml +++ b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml @@ -53,7 +53,7 @@ metadata: namespace: openshift-gitops spec: destination: - namespace: tekton-results + namespace: openshift-pipelines server: https://kubernetes.default.svc project: default source: @@ -129,7 +129,7 @@ metadata: labels: app: minio name: storage - namespace: tekton-results + namespace: openshift-pipelines spec: certConfig: {} configuration: diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index c4b02dac6d1..2acc842b0a3 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -9,16 +9,6 @@ metadata: name: openshift-pipelines --- apiVersion: v1 -kind: Namespace -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - labels: - argocd.argoproj.io/managed-by: openshift-gitops - name: tekton-results ---- -apiVersion: v1 kind: ServiceAccount metadata: annotations: 
@@ -51,29 +41,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: metrics-reader - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results + namespace: openshift-pipelines --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -97,28 +65,6 @@ rules: - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -rules: -- apiGroups: - - "" - resourceNames: - - tekton-results-info - resources: - - configmaps - verbs: - - get - - describe ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: 
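Review bot: The ServiceAccounts `tekton-results-api` and `tekton-results-watcher` deleted in this hunk are still named as `serviceAccountName` in the TektonResult deployment overrides added at the end of this file, and the ClusterRoleBindings that granted those accounts their permissions are deleted in later hunks of this file as well. Nothing in the diff shows who now creates those accounts or what they are bound to; presumably the operator provisions them in `targetNamespace`, but that should be confirmed and stated in the commit message, since the watcher previously held a binding to the aggregate-to-admin `tekton-results-admin` ClusterRole and the replacement grant is now outside this repository. A one-line comment above the TektonResult CR such as `# ServiceAccounts and RBAC for the api/watcher are created by the Tekton operator` would keep the dependency visible to the next reader.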
@@ -289,98 +235,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: tekton-results-admin -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: tekton-results-readonly -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - - summary - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-readwrite -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: 
annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -393,93 +247,6 @@ rules: - get --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -rules: -- apiGroups: - - results.tekton.dev - resources: - - logs - - results - - records - verbs: - - create - - get - - update -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - verbs: - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - configmaps - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get -- apiGroups: - - tekton.dev - resources: - - pipelines - verbs: - - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - create - - update - - delete - - patch - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: 
@@ -514,26 +281,6 @@ subjects: name: system:authenticated --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tekton-results-info -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: 
@@ -626,264 +373,7 @@ roleRef: subjects: - kind: ServiceAccount name: metrics-reader - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-api -subjects: -- kind: ServiceAccount - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-watcher -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-logs -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-admin -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-watcher-rbac -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: v1 -data: - config.env: | - DB_USER= - DB_PASSWORD= - 
DB_HOST= - DB_PORT=5432 - DB_NAME= - DB_SSLMODE=verify-full - DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem - DB_ENABLE_AUTO_MIGRATION=true - SERVER_PORT=8080 - PROMETHEUS_PORT=9090 - PROMETHEUS_HISTOGRAM=true - TLS_PATH=/etc/tls - AUTH_DISABLE=false - AUTH_IMPERSONATE=true - LOG_LEVEL=info - LOGS_API=false - LOGS_TYPE=File - LOGS_BUFFER_SIZE=5242880 - LOGS_PATH=/logs - S3_BUCKET_NAME= - S3_ENDPOINT= - S3_HOSTNAME_IMMUTABLE=false - S3_REGION= - S3_ACCESS_KEY_ID= - S3_SECRET_ACCESS_KEY= - S3_MULTI_PART_SIZE=5242880 - GCS_BUCKET_NAME= - STORAGE_EMULATOR_HOST= - K8S_QPS=50 - K8S_BURST=100 - PROFILING=true - PROFILING_PORT=6060 -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-config - namespace: tekton-results ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. 
- retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-leader-election - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-leader-election - namespace: tekton-results ---- -apiVersion: v1 -data: - loglevel.controller: info - loglevel.watcher: info - zap-logger-config: | - { - "level": "info", - "development": false, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "string", - "callerEncoder": "" - } - } -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/name: tekton-results-logging - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-logging - namespace: tekton-results ---- -apiVersion: v1 -data: - profiling.enable: "true" - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. 
- # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using Stackdriver will incur additional charges. - metrics.backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used and metrics will be sent to the cluster's project if this field is - # not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed - # to send metrics to Stackdriver using "global" resource type and custom - # metric type. Setting this flag to "true" could cause extra Stackdriver - # charge. If metrics.backend-destination is not Stackdriver, this is - # ignored. - metrics.allow-stackdriver-custom-metrics: "false" - metrics.taskrun.level: "task" - metrics.taskrun.duration-type: "histogram" - metrics.pipelinerun.level: "pipeline" - metrics.pipelinerun.duration-type: "histogram" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-observability - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-observability - namespace: tekton-results ---- -apiVersion: v1 -data: - version: devel -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results + namespace: openshift-pipelines --- apiVersion: v1 kind: Secret 
@@ -893,7 +383,7 @@ metadata: argocd.argoproj.io/sync-wave: "0" kubernetes.io/service-account.name: metrics-reader name: metrics-reader - namespace: tekton-results + namespace: openshift-pipelines type: kubernetes.io/service-account-token --- apiVersion: v1 @@ -940,58 +430,6 @@ spec: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-chains --- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - service.beta.openshift.io/serving-cert-secret-name: tekton-results-tls - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-service - namespace: tekton-results -spec: - ports: - - name: server - port: 8080 - protocol: TCP - targetPort: 8080 - - name: metrics - port: 9443 - protocol: TCP - targetPort: metrics - - name: profiling - port: 6060 - protocol: TCP - targetPort: 6060 - selector: - app.kubernetes.io/name: tekton-results-api ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - ports: - - name: watchermetrics - port: 8443 - targetPort: watchermetrics - - name: profiling - port: 8008 - selector: - app.kubernetes.io/name: tekton-results-watcher ---- apiVersion: apps/v1 kind: Deployment metadata: 
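Review bot: Deleting the `tekton-results-api-service` Service also deletes the `service.beta.openshift.io/serving-cert-secret-name: tekton-results-tls` annotation that caused the platform to issue the `tekton-results-tls` secret, yet the new TektonResult overrides later in this file still mount `secretName: tekton-results-tls` on both the api and watcher pods and set `tls_hostname_override` to that service's DNS name. If the operator-created Service does not carry an equivalent annotation, the pods will fail to start on a missing secret or, worse, serve with whatever certificate the operator provides for a different hostname. Confirm that the operator reproduces the serving-cert annotation on its Service, and note it in the commit message; the ServiceMonitors changed later in this file also assume the `metrics` and `watchermetrics` port names survive the move.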
@@ -1035,369 +473,6 @@ spec: restartPolicy: Always serviceAccountName: pipeline-service-exporter --- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-api - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/version: devel - spec: - containers: - - env: - - name: LOGS_API - value: "true" - - name: LOGS_TYPE - value: S3 - - name: S3_HOSTNAME_IMMUTABLE - value: "true" - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - - name: DB_USER - valueFrom: - secretKeyRef: - key: db.user - name: tekton-results-database - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: tekton-results-database - - name: DB_HOST - valueFrom: - secretKeyRef: - key: db.host - name: tekton-results-database - - name: DB_NAME - valueFrom: - secretKeyRef: - key: db.name - name: tekton-results-database - image: quay.io/konflux-ci/tekton-results-api:e35af9274c0df84386b73aae8df0ad496ad175df - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: 
HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - name: api - readinessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 100m - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - mountPath: /etc/ssl/certs/s3-cert.crt - name: ca-s3 - subPath: s3-cert.crt - - mountPath: /etc/tls/db - name: db-tls-ca - readOnly: true - - mountPath: /etc/tekton/results - name: config - readOnly: true - - mountPath: /etc/tls - name: tls - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:9443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 9443 - name: metrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - initContainers: - - args: - - -c - - | - mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && - if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then - mc --config-dir /tmp mb --with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && - echo "Minio bucket $S3_BUCKET_NAME successfully created." 
- fi - command: - - /bin/bash - env: - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - image: quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z - imagePullPolicy: Always - name: mc - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 5m - memory: 32Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /etc/ssl/certs/s3-cert.crt - name: ca-s3 - subPath: s3-cert.crt - - mountPath: /tmp - name: tmp-mc-volume - serviceAccountName: tekton-results-api - volumes: - - name: ca-s3 - secret: - items: - - key: public.crt - path: s3-cert.crt - secretName: storage-tls - - emptyDir: {} - name: tmp-mc-volume - - configMap: - name: rds-root-crt - name: db-tls-ca - - configMap: - name: tekton-results-api-config - name: config - - name: tls - secret: - secretName: tekton-results-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-watcher - 
app.kubernetes.io/version: devel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - -api_addr - - tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - -auth_mode - - token - - -check_owner=false - - -completed_run_grace_period=2h - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: tekton-results-config-logging - - name: CONFIG_LEADERELECTION_NAME - value: tekton-results-config-leader-election - - name: CONFIG_OBSERVABILITY_NAME - value: tekton-results-config-observability - - name: METRICS_DOMAIN - value: tekton.dev/results - - name: TEKTON_RESULTS_API_SERVICE - value: tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080 - - name: AUTH_MODE - value: token - image: quay.io/redhat-appstudio/tekton-results-watcher:bae7851ff584423503af324200f52cd28ca99116 - name: watcher - ports: - - containerPort: 9090 - name: metrics - - containerPort: 8008 - name: profiling - resources: - limits: - cpu: 250m - memory: 2Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /etc/tls - name: tls - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: watchermetrics - protocol: TCP - 
resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: tekton-results-watcher - volumes: - - name: tls - secret: - secretName: tekton-results-tls ---- apiVersion: batch/v1 kind: CronJob metadata: @@ -1591,7 +666,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: tekton-results-api - namespace: tekton-results + namespace: openshift-pipelines spec: endpoints: - bearerTokenSecret: @@ -1614,7 +689,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: tekton-results-watcher - namespace: tekton-results + namespace: openshift-pipelines spec: endpoints: - bearerTokenSecret: @@ -1873,32 +948,6 @@ spec: - name: AUTOINSTALL_COMPONENTS value: "false" --- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - haproxy.router.openshift.io/hsts_header: max-age=63072000 - haproxy.router.openshift.io/timeout: 86410s - openshift.io/host.generated: "true" - router.openshift.io/haproxy.health.check.interval: 86400s - labels: - app.kubernetes.io/part-of: tekton-results - name: tekton-results - namespace: tekton-results -spec: - port: - targetPort: server - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - to: - kind: Service - name: tekton-results-api-service - weight: 100 - wildcardPolicy: None ---- allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false 
@@ -1938,3 +987,347 @@ volumes: - persistentVolumeClaim - projected - secret +--- +apiVersion: operator.tekton.dev/v1alpha1 +kind: TektonResult +metadata: + name: result +spec: + targetNamespace: openshift-pipelines + logs_api: true + log_level: debug + db_port: 5432 + db_host: tekton-results-postgres-service.openshift-pipelines.svc.cluster.local + db_sslmode: verify-full + db_sslrootcert: /etc/tls/db/tekton-results-db-ca.pem + logs_path: /logs + logs_type: File + logs_buffer_size: 5242880 + auth_disable: true + tls_hostname_override: tekton-results-api-service.openshift-pipelines.svc.cluster.local + db_enable_auto_migration: true + server_port: 8080 + prometheus_port: 9090 + prometheus_histogram: true + s3_hostname_immutable: false + k8s_qps: 50 + k8s_burst: 100 + profiling: true + profiling_port: 6060 + options: + deployments: + tekton-results-watcher: + spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: tekton-results-watcher + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - name: watcher + args: + - -api_addr + - tekton-results-api-service.openshift-pipelines.svc.cluster.local:8080 + - -auth_mode + - token + - -check_owner=false + - -completed_run_grace_period=2h + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: tekton-results-config-logging + - name: CONFIG_LEADERELECTION_NAME + value: tekton-results-config-leader-election + - name: CONFIG_OBSERVABILITY_NAME + value: tekton-results-config-observability + - name: METRICS_DOMAIN + value: tekton.dev/results + - name: TEKTON_RESULTS_API_SERVICE + value: 
tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080 + - name: AUTH_MODE + value: token + ports: + - containerPort: 9090 + name: metrics + - containerPort: 8008 + name: profiling + resources: + limits: + cpu: 250m + memory: 2Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/tls + name: tls + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:9090/ + - --logtostderr=true + - --v=6 + image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: watchermetrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: tekton-results-watcher + volumes: + - name: tls + secret: + secretName: tekton-results-tls + tekton-results-api: + spec: + template: + spec: + containers: + - name: api + env: + - name: LOGS_API + value: "true" + - name: LOGS_TYPE + value: S3 + - name: S3_HOSTNAME_IMMUTABLE + value: "true" + - name: S3_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: tekton-results-s3 + - name: S3_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: tekton-results-s3 + - name: S3_REGION + valueFrom: + secretKeyRef: + key: aws_region + name: tekton-results-s3 + - name: S3_BUCKET_NAME + valueFrom: + secretKeyRef: + key: bucket + name: tekton-results-s3 + - name: S3_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: tekton-results-s3 + - name: DB_USER + valueFrom: + secretKeyRef: + key: db.user + name: tekton-results-database + - name: 
DB_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: tekton-results-database + - name: DB_HOST + valueFrom: + secretKeyRef: + key: db.host + name: tekton-results-database + - name: DB_NAME + valueFrom: + secretKeyRef: + key: db.name + name: tekton-results-database + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 10 + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + volumeMounts: + - mountPath: /etc/ssl/certs/s3-cert.crt + name: ca-s3 + subPath: s3-cert.crt + - mountPath: /etc/tls/db + name: db-tls-ca + readOnly: true + - mountPath: /etc/tekton/results + name: config + readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:9443 + - --upstream=http://127.0.0.1:9090/ + - --logtostderr=true + - --v=6 + image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 + name: kube-rbac-proxy + ports: + - containerPort: 9443 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + initContainers: + - args: + - -c + - | + mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && + if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then + mc --config-dir /tmp mb 
--with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && + echo "Minio bucket $S3_BUCKET_NAME successfully created." + fi + command: + - /bin/bash + env: + - name: S3_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: tekton-results-s3 + - name: S3_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: tekton-results-s3 + - name: S3_REGION + valueFrom: + secretKeyRef: + key: aws_region + name: tekton-results-s3 + - name: S3_BUCKET_NAME + valueFrom: + secretKeyRef: + key: bucket + name: tekton-results-s3 + - name: S3_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: tekton-results-s3 + image: quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z + imagePullPolicy: Always + name: mc + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 5m + memory: 32Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/ssl/certs/s3-cert.crt + name: ca-s3 + subPath: s3-cert.crt + - mountPath: /tmp + name: tmp-mc-volume + serviceAccountName: tekton-results-api + volumes: + - name: ca-s3 + secret: + items: + - key: public.crt + path: s3-cert.crt + secretName: storage-tls + - emptyDir: {} + name: tmp-mc-volume + - configMap: + name: rds-root-crt + name: db-tls-ca + - configMap: + name: tekton-results-api-config + name: config + - name: tls + secret: + secretName: tekton-results-tls diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index 558a9354d53..0d4862602b7 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh +++ b/hack/secret-creator/create-plnsvc-secrets.sh 
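Review bot: `auth_disable: true` in the new TektonResult spec flips the previous explicit setting, because the removed `tekton-results-api-config` ConfigMap carried `AUTH_DISABLE=false` together with `AUTH_IMPERSONATE=true`, and the watcher overrides still pass `-auth_mode token`, so the API would now accept unauthenticated reads and writes of results and logs while its callers keep sending tokens for no effect. Unless turning authentication off is an intended property of this environment, the line should read `auth_disable: false`; if it is intended, a comment above it stating why, and that it must not be copied to non-development configuration, is warranted. Two smaller inconsistencies carried over: `TEKTON_RESULTS_API_SERVICE` still points at `tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080` while `-api_addr` on the same container uses `openshift-pipelines`, and `log_level: debug` replaces the previous `info`. Also, `db_host` names `tekton-results-postgres-service.openshift-pipelines...` while the api container still takes `DB_HOST` from the `tekton-results-database` secret, which the secret-creator script (later in this diff) populates with a `tekton-results` namespace hostname; which value wins is not visible here and should be verified.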
@@ -9,20 +9,20 @@ main() {
 }
 
 create_namespace() {
- if kubectl get namespace tekton-results &>/dev/null; then
+ if kubectl get namespace openshift-pipelines &>/dev/null; then
 echo "tekton-results namespace already exists, skipping creation"
 return
 fi
- kubectl create namespace tekton-results -o yaml --dry-run=client | kubectl apply -f-
+ kubectl create namespace openshift-pipelines -o yaml --dry-run=client | kubectl apply -f-
 }
 
 create_db_secret() {
 echo "Creating DB secret" >&2
- if kubectl get secret -n tekton-results tekton-results-database &>/dev/null; then
+ if kubectl get secret -n openshift-pipelines tekton-results-database &>/dev/null; then
 echo "DB secret already exists, skipping creation"
 return
 fi
- kubectl create secret generic -n tekton-results tekton-results-database \
+ kubectl create secret generic -n openshift-pipelines tekton-results-database \
 --from-literal=db.user=tekton \
 --from-literal=db.password="$(openssl rand -base64 20)" \
 --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \
@@ -31,13 +31,13 @@ create_db_secret() {
 
 create_s3_secret() {
 echo "Creating S3 secret" >&2
- if kubectl get secret -n tekton-results tekton-results-s3 &>/dev/null; then
+ if kubectl get secret -n openshift-pipelines tekton-results-s3 &>/dev/null; then
 echo "S3 secret already exists, skipping creation"
 return
 fi
 USER=minio
 PASS="$(openssl rand -base64 20)"
- kubectl create secret generic -n tekton-results tekton-results-s3 \
+ kubectl create secret generic -n openshift-pipelines tekton-results-s3 \
 --from-literal=aws_access_key_id="$USER" \
 --from-literal=aws_secret_access_key="$PASS" \
 --from-literal=aws_region='not-applicable' \
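Review bot: The skip message in create_namespace still says `tekton-results namespace already exists, skipping creation` although the check directly above it now queries openshift-pipelines, so an operator reading the output is told the wrong namespace; change it to `echo "openshift-pipelines namespace already exists, skipping creation"`. In the same hunk the tekton-results-database secret is moved to openshift-pipelines but `db.host` keeps `postgres-postgresql.tekton-results.svc.cluster.local`; if the Postgres Service moved along with the other components, the API Deployment that reads this key will fail to resolve the host, so confirm which namespace that Service lives in and update the value to match. Note also that each create_* function returns early when the secret already exists, so an environment bootstrapped before this change will silently keep the old host value; either document that the script does not update existing secrets or delete them as part of the migration. create_db_secret's body continues past the end of this hunk.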
@@ -45,7 +45,7 @@ create_s3_secret() {
 --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local'
 
 echo "Creating MinIO config" >&2
- if kubectl get secret -n tekton-results minio-storage-configuration &>/dev/null; then
+ if kubectl get secret -n openshift-pipelines minio-storage-configuration &>/dev/null; then
 echo "MinIO config already exists, skipping creation"
 return
 fi
@@ -67,7 +67,7 @@ EOF
 
 create_db_cert_secret_and_configmap() {
 echo "Creating Postgres TLS certs" >&2
- if kubectl get secret -n tekton-results postgresql-tls &>/dev/null; then
+ if kubectl get secret -n openshift-pipelines postgresql-tls &>/dev/null; then
 echo "Postgres DB cert secret already exists, skipping creation"
 return
 fi
@@ -99,11 +99,11 @@ create_db_cert_secret_and_configmap() {
 -out ".tmp/tekton-results/tls.crt" \
 > /dev/null
 cat ".tmp/tekton-results/ca.crt" > ".tmp/tekton-results/tekton-results-db-ca.pem"
- kubectl create secret generic -n tekton-results postgresql-tls \
+ kubectl create secret generic -n openshift-pipelines postgresql-tls \
 --from-file=.tmp/tekton-results/ca.crt \
 --from-file=.tmp/tekton-results/tls.crt \
 --from-file=.tmp/tekton-results/tls.key
- kubectl create configmap -n openshift-pipelines rds-root-crt \
 --from-file=.tmp/tekton-results/tekton-results-db-ca.pem
 }
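Review bot: The S3 `endpoint` on the first line of this hunk is left at `https://minio.tekton-results.svc.cluster.local` while every secret the script creates, including minio-storage-configuration, now goes to openshift-pipelines; if the MinIO Service moved with the rest of the stack this hostname no longer resolves, and if it stayed behind the API's init container is trusting a certificate from a different namespace than its own configuration lives in. Assuming the storage moved, the line should become `--from-literal=endpoint='https://minio.openshift-pipelines.svc.cluster.local'`, and whichever namespace is correct should be verified against the `public.crt` served by that instance, since a SAN mismatch would make the `mc config host add` step fail TLS verification at pod start. create_s3_secret begins before this hunk.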
