config/controller.yaml

# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "devel"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "devel"
    # labels below are related to istio and should not be used for resource lookup
    version: "devel"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-pipelines
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "devel"
        app.kubernetes.io/part-of: tekton-pipelines
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "devel"
        # labels below are related to istio and should not be used for resource lookup
        app: tekton-pipelines-controller
        version: "devel"
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/os
                  operator: NotIn
                  values:
                  - windows
      serviceAccountName: tekton-pipelines-controller
      containers:
      - name: tekton-pipelines-controller
        image: ko://github.com/tektoncd/pipeline/cmd/controller
        args: [
          # Version, to be replace at release time
          "-version", "devel",
          # These images are built on-demand by `ko resolve` and are replaced
          # by image references by digest.
          "-kubeconfig-writer-image", "ko://github.com/tektoncd/pipeline/cmd/kubeconfigwriter",
          "-git-image", "ko://github.com/tektoncd/pipeline/cmd/git-init",
          "-entrypoint-image", "ko://github.com/tektoncd/pipeline/cmd/entrypoint",
          "-nop-image", "ko://github.com/tektoncd/pipeline/cmd/nop",
          "-imagedigest-exporter-image", "ko://github.com/tektoncd/pipeline/cmd/imagedigestexporter",
          "-pr-image", "ko://github.com/tektoncd/pipeline/cmd/pullrequest-init",

          # This is gcr.io/google.com/cloudsdktool/cloud-sdk:302.0.0-slim
          "-gsutil-image", "gcr.io/google.com/cloudsdktool/cloud-sdk@sha256:27b2c22bf259d9bc1a291e99c63791ba0c27a04d2db0a43241ba0f1f20f4067f",
          # The shell image must be root in order to create directories and copy files to PVCs.
          # gcr.io/distroless/base:debug as of Apirl 17, 2021
          # image shall not contains tag, so it will be supported on a runtime like cri-o
          "-shell-image", "gcr.io/distroless/base@sha256:aa4fd987555ea10e1a4ec8765da8158b5ffdfef1e72da512c7ede509bc9966c4"
        ]
        volumeMounts:
        - name: config-logging
          mountPath: /etc/config-logging
        - name: config-registry-cert
          mountPath: /etc/config-registry-cert
        env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # These phony AWS credentials are here to work around a bug in the aws go sdk
        # that causes extremely long delays in the execution of tasks after the initial
        # deployment of the Tekton Pipelines controller. See issue https://github.com/tektoncd/pipeline/issues/4087
        # for more information.
        - name: AWS_ACCESS_KEY_ID
          value: foobarbaz
        - name: AWS_SECRET_ACCESS_KEY
          value: foobarbaz
        - name: AWS_DEFAULT_REGION
          value: foobarbaz

        # If you are changing these names, you will also need to update
        # the controller's Role in 200-role.yaml to include the new
        # values in the "configmaps" "get" rule.
        - name: CONFIG_DEFAULTS_NAME
          value: config-defaults
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: CONFIG_ARTIFACT_BUCKET_NAME
          value: config-artifact-bucket
        - name: CONFIG_ARTIFACT_PVC_NAME
          value: config-artifact-pvc
        - name: CONFIG_FEATURE_FLAGS_NAME
          value: feature-flags
        - name: CONFIG_LEADERELECTION_NAME
          value: config-leader-election
        - name: SSL_CERT_FILE
          value: /etc/config-registry-cert/cert
        - name: SSL_CERT_DIR
          value: /etc/ssl/certs
        - name: METRICS_DOMAIN
          value: tekton.dev/pipeline
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          # User 65532 is the distroless nonroot user ID
          runAsUser: 65532
          runAsGroup: 65532
        ports:
        - name: probes
          containerPort: 8080
        livenessProbe:
          httpGet:
            path: /health
            port: probes
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: probes
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
      volumes:
        - name: config-logging
          configMap:
            name: config-logging
        - name: config-registry-cert
          configMap:
            name: config-registry-cert
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "devel"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "devel"
    # labels below are related to istio and should not be used for resource lookup
    app: tekton-pipelines-controller
    version: "devel"
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
  - name: http-metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  - name: probes
    port: 8080
  selector:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines