diff --git a/charts/tekton-triggers/templates/clusterrole_admin-triggers.yaml b/charts/tekton-triggers/templates/clusterrole-admin.yaml similarity index 95% rename from charts/tekton-triggers/templates/clusterrole_admin-triggers.yaml rename to charts/tekton-triggers/templates/clusterrole-admin.yaml index b87b944a..7fe1fc5f 100644 --- a/charts/tekton-triggers/templates/clusterrole_admin-triggers.yaml +++ b/charts/tekton-triggers/templates/clusterrole-admin.yaml @@ -1,4 +1,4 @@ -{{- define "clusterrole_admin-triggers" -}} +{{- define "clusterrole-admin" -}} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -93,4 +93,4 @@ rules: - watch ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_admin-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-admin" ) }} diff --git a/charts/tekton-triggers/templates/clusterrole_aggregate_edit-triggers.yaml b/charts/tekton-triggers/templates/clusterrole-aggregate_edit.yaml similarity index 87% rename from charts/tekton-triggers/templates/clusterrole_aggregate_edit-triggers.yaml rename to charts/tekton-triggers/templates/clusterrole-aggregate_edit.yaml index 4034e090..107905bc 100644 --- a/charts/tekton-triggers/templates/clusterrole_aggregate_edit-triggers.yaml +++ b/charts/tekton-triggers/templates/clusterrole-aggregate_edit.yaml @@ -1,4 +1,4 @@ -{{- define "clusterrole_aggregate_edit-triggers" -}} +{{- define "clusterrole-aggregate_edit" -}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -27,4 +27,4 @@ rules: - watch ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_aggregate_edit-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-aggregate_edit" ) }} 
diff --git a/charts/tekton-triggers/templates/clusterrole_aggregate_view-triggers.yaml b/charts/tekton-triggers/templates/clusterrole-aggregate_view.yaml similarity index 84% rename from charts/tekton-triggers/templates/clusterrole_aggregate_view-triggers.yaml rename to charts/tekton-triggers/templates/clusterrole-aggregate_view.yaml index 5cd251de..f6cab3ca 100644 --- a/charts/tekton-triggers/templates/clusterrole_aggregate_view-triggers.yaml +++ b/charts/tekton-triggers/templates/clusterrole-aggregate_view.yaml @@ -1,4 +1,4 @@ -{{- define "clusterrole_aggregate_view-triggers" -}} +{{- define "clusterrole-aggregate_view" -}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -21,4 +21,4 @@ rules: - watch ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_aggregate_view-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-aggregate_view" ) }} diff --git a/charts/tekton-triggers/templates/clusterrolebinding_controller-triggers.yaml b/charts/tekton-triggers/templates/clusterrolebinding-controller_admin.yaml similarity index 82% rename from charts/tekton-triggers/templates/clusterrolebinding_controller-triggers.yaml rename to charts/tekton-triggers/templates/clusterrolebinding-controller_admin.yaml index b7d5b62a..0e6ca263 100644 --- a/charts/tekton-triggers/templates/clusterrolebinding_controller-triggers.yaml +++ b/charts/tekton-triggers/templates/clusterrolebinding-controller_admin.yaml @@ -1,4 +1,4 @@ -{{- define "clusterrolebinding_controller-triggers" -}} +{{- define "clusterrolebinding-controller_admin" -}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -15,4 +15,4 @@ subjects: namespace: {{ $.Release.Namespace }} ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding_controller-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding-controller_admin" ) }} diff --git a/charts/tekton-triggers/templates/clusterrolebinding-webhook_admin.yaml b/charts/tekton-triggers/templates/clusterrolebinding-webhook_admin.yaml new file mode 100644 index 00000000..f39c0dcc --- /dev/null +++ b/charts/tekton-triggers/templates/clusterrolebinding-webhook_admin.yaml @@ -0,0 +1,18 @@ +{{- define "clusterrolebinding-webhook_admin" -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }} + name: tekton-triggers-webhook-admin +roleRef: + kind: ClusterRole + name: tekton-triggers-admin + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: tekton-triggers-webhook + namespace: {{ $.Release.Namespace }} +... +{{- end -}} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding-webhook_admin" ) }} diff --git a/charts/tekton-triggers/templates/config_logging-triggers.yaml b/charts/tekton-triggers/templates/config-logging.yaml similarity index 84% rename from charts/tekton-triggers/templates/config_logging-triggers.yaml rename to charts/tekton-triggers/templates/config-logging.yaml index a68b487b..b8be5048 100644 --- a/charts/tekton-triggers/templates/config_logging-triggers.yaml +++ b/charts/tekton-triggers/templates/config-logging.yaml @@ -1,4 +1,4 @@ -{{- define "config_logging-triggers" -}} +{{- define "config-logging" -}} --- apiVersion: v1 kind: ConfigMap 
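Review bot: The new ClusterRoleBinding `tekton-triggers-webhook-admin` points the webhook's ServiceAccount at the ClusterRole `tekton-triggers-admin`, which is presumably the same role the controller binding uses. The webhook therefore gets its own identity but, as far as this diff shows, no narrower cluster-wide permissions. The ClusterRole's rules lie outside the visible hunks, so this may be intentional. If the webhook only needs a subset of those verbs, a dedicated ClusterRole would limit what a compromised admission webhook can do. At minimum I would add a comment above `roleRef:` such as `# webhook shares the cluster-wide tekton-triggers-admin role; narrow once its required verbs are confirmed`.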
@@ -12,4 +12,4 @@ data: loglevel.eventlistener: {{ $.Values.config.loglevel.eventlistener | quote }} ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_logging-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-logging" ) }} diff --git a/charts/tekton-triggers/templates/config_observability-triggers.yaml b/charts/tekton-triggers/templates/config-observability.yaml similarity index 69% rename from charts/tekton-triggers/templates/config_observability-triggers.yaml rename to charts/tekton-triggers/templates/config-observability.yaml index 7570c867..4f80027a 100644 --- a/charts/tekton-triggers/templates/config_observability-triggers.yaml +++ b/charts/tekton-triggers/templates/config-observability.yaml @@ -1,4 +1,4 @@ -{{- define "config_observability-triggers" -}} +{{- define "config-observability" -}} --- apiVersion: v1 kind: ConfigMap @@ -7,4 +7,4 @@ metadata: data: {{- $.Values.configobservability | toYaml | nindent 2 }} {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_observability-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-observability" ) }} diff --git a/charts/tekton-triggers/templates/config_validation-triggers.yaml b/charts/tekton-triggers/templates/config-validation.yaml similarity index 86% rename from charts/tekton-triggers/templates/config_validation-triggers.yaml rename to charts/tekton-triggers/templates/config-validation.yaml index 23640bcb..d25893ae 100644 --- a/charts/tekton-triggers/templates/config_validation-triggers.yaml +++ b/charts/tekton-triggers/templates/config-validation.yaml @@ -1,4 +1,4 @@ -{{- define "config_validation-triggers" -}} +{{- define "config-validation" -}} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration 
@@ -20,4 +20,4 @@ webhooks: operator: Exists ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_validation-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-validation" ) }} diff --git a/charts/tekton-triggers/templates/deployment-webhook.yaml b/charts/tekton-triggers/templates/deployment-webhook.yaml index c3ddea2a..439f8b26 100644 --- a/charts/tekton-triggers/templates/deployment-webhook.yaml +++ b/charts/tekton-triggers/templates/deployment-webhook.yaml @@ -21,7 +21,7 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "false" spec: - serviceAccountName: tekton-triggers-controller + serviceAccountName: tekton-triggers-webhook nodeSelector: {{- include "helpers.pod.node_selector" ( dict "Global" $ "Application" "tekton_webhook" ) | nindent 8 }} terminationGracePeriodSeconds: 30 containers: @@ -51,6 +51,20 @@ spec: securityContext: allowPrivilegeEscalation: false runAsUser: 65532 + readinessProbe: + httpGet: + path: / + scheme: HTTPS + port: {{ $.Values.params.endpoints.ports.webhook.target }} + initialDelaySeconds: 30 + periodSeconds: 15 + livenessProbe: + httpGet: + path: / + scheme: HTTPS + port: {{ $.Values.params.endpoints.ports.webhook.target }} + initialDelaySeconds: 60 + periodSeconds: 30 volumes: [] ... {{- end -}} diff --git a/charts/tekton-triggers/templates/webhook-triggers.yaml b/charts/tekton-triggers/templates/mutatingwebhookconfig-webhook.yaml similarity index 82% rename from charts/tekton-triggers/templates/webhook-triggers.yaml rename to charts/tekton-triggers/templates/mutatingwebhookconfig-webhook.yaml index 3f33b91a..fccb86d4 100644 --- a/charts/tekton-triggers/templates/webhook-triggers.yaml +++ b/charts/tekton-triggers/templates/mutatingwebhookconfig-webhook.yaml 
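Review bot: Both new probes in deployment-webhook.yaml issue an HTTPS GET on `/` of the webhook port, and nothing in this hunk shows that the admission webhook answers that path with a 2xx/3xx status. If it does not, the liveness probe will keep restarting the container and the admission webhooks registered by this chart become unreachable. Depending on their `failurePolicy` (not visible here), that either blocks writes to Triggers resources or lets them through unvalidated. I would confirm the endpoint, record it in a comment next to `readinessProbe:`, and set `timeoutSeconds` and `failureThreshold` explicitly instead of relying on defaults. The first hunk's switch to `serviceAccountName: tekton-triggers-webhook` only works together with the ServiceAccount and bindings added in the other files of this commit.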
@@ -1,4 +1,4 @@ -{{- define "webhook-triggers" -}} +{{- define "mutatingwebhookconfig-webhook" -}} --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration @@ -16,4 +16,4 @@ webhooks: name: webhook.triggers.tekton.dev ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "webhook-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "mutatingwebhookconfig-webhook" ) }} diff --git a/charts/tekton-triggers/templates/role-admin.yaml b/charts/tekton-triggers/templates/role-admin.yaml new file mode 100644 index 00000000..447e1aa0 --- /dev/null +++ b/charts/tekton-triggers/templates/role-admin.yaml @@ -0,0 +1,19 @@ +{{- define "role_admin-triggers" -}} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }} + name: tekton-triggers-admin + namespace: {{ $.Release.Namespace }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - tekton-triggers + verbs: + - use +{{- end -}} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role_admin-triggers" ) }} diff --git a/charts/tekton-triggers/templates/role_admin-triggers.yaml b/charts/tekton-triggers/templates/role-webhook_admin.yaml similarity index 84% rename from charts/tekton-triggers/templates/role_admin-triggers.yaml rename to charts/tekton-triggers/templates/role-webhook_admin.yaml index ecfc50c9..1c353f22 100644 --- a/charts/tekton-triggers/templates/role_admin-triggers.yaml +++ b/charts/tekton-triggers/templates/role-webhook_admin.yaml 
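Review bot: The new file role-admin.yaml defines its template as `role_admin-triggers`, the old-style name this commit removes everywhere else; the template that previously held that name becomes `role-webhook_admin`. It renders because the `define` and `include` lines agree. However, if the overlay helper is keyed on template names (not visible here), an existing overlay for `role_admin-triggers` would now apply to a different Role than before. I would use `{{- define "role-admin" -}}` and `"template_definition" "role-admin"` to match the file name. Separately, the only rule grants `use` on the `tekton-triggers` PodSecurityPolicy, and PSP was removed in Kubernetes 1.25, so a comment stating which cluster versions this Role targets would help.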
@@ -1,10 +1,10 @@ -{{- define "role_admin-triggers" -}} +{{- define "role-webhook_admin" -}} --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }} - name: tekton-triggers-admin + name: tekton-triggers-admin-webhook namespace: {{ $.Release.Namespace }} rules: - apiGroups: @@ -28,4 +28,4 @@ rules: - patch - watch {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role_admin-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role-webhook_admin" ) }} diff --git a/charts/tekton-triggers/templates/rolebinding_controller-triggers.yaml b/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml similarity index 83% rename from charts/tekton-triggers/templates/rolebinding_controller-triggers.yaml rename to charts/tekton-triggers/templates/rolebinding-controller_admin.yaml index d65b7dc4..f8a7965f 100644 --- a/charts/tekton-triggers/templates/rolebinding_controller-triggers.yaml +++ b/charts/tekton-triggers/templates/rolebinding-controller_admin.yaml @@ -1,4 +1,4 @@ -{{- define "rolebinding_controller-triggers" -}} +{{- define "rolebinding-controller_admin" -}} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -18,4 +18,4 @@ roleRef: name: tekton-triggers-admin apiGroup: rbac.authorization.k8s.io {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding_controller-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding-controller_admin" ) }} diff --git a/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml b/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml new file mode 100644 index 00000000..b50464c2 --- /dev/null +++ b/charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml 
@@ -0,0 +1,20 @@
+{{- define "rolebinding-webhook_admin" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tekton-triggers-webhook-admin
+ namespace: tekton-pipelines
+ labels:
+ app.kubernetes.io/instance: tekton-triggers
+ app.kubernetes.io/part-of: tekton-triggers
+subjects:
+ - kind: ServiceAccount
+ name: tekton-triggers-webhook
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ kind: Role
+ name: tekton-triggers-admin-webhook
+ apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding-webhook_admin" ) }}
diff --git a/charts/tekton-triggers/templates/serviceaccount-webhook.yaml b/charts/tekton-triggers/templates/serviceaccount-webhook.yaml
new file mode 100644
index 00000000..fef9474f
--- /dev/null
+++ b/charts/tekton-triggers/templates/serviceaccount-webhook.yaml
@@ -0,0 +1,11 @@
+{{- define "serviceaccount-webhook" -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }}
+ name: tekton-triggers-webhook
+ namespace: {{ $.Release.Namespace }}
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "serviceaccount-webhook" ) }}
diff --git a/charts/tekton-triggers/templates/webhook_validation-triggers.yaml b/charts/tekton-triggers/templates/validatingwebhookconfig-webhook.yaml
similarity index 82%
rename from charts/tekton-triggers/templates/webhook_validation-triggers.yaml
rename to charts/tekton-triggers/templates/validatingwebhookconfig-webhook.yaml
index 252db19c..9afca960 100644
--- a/charts/tekton-triggers/templates/webhook_validation-triggers.yaml
+++ b/charts/tekton-triggers/templates/validatingwebhookconfig-webhook.yaml
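Review bot: `namespace: tekton-pipelines` is hard-coded on the new RoleBinding in rolebinding-webhook_admin.yaml, while its subject and the Role it references (`tekton-triggers-admin-webhook` in role-webhook_admin.yaml) both use `{{ $.Release.Namespace }}`. Installed into any other namespace, the binding lands in `tekton-pipelines` and points at a Role that the chart does not create there. The webhook then loses its namespaced permissions, and whoever can later create a Role of that name in `tekton-pipelines` decides what the ServiceAccount is granted. Change the line to `namespace: {{ $.Release.Namespace }}`, and replace the two literal `app.kubernetes.io/*` labels with the `helpers.labels.labels` include used by the other new templates.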
@@ -1,4 +1,4 @@ -{{- define "webhook_validation-triggers" -}} +{{- define "validatingwebhookconfig-webhook" -}} --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -16,4 +16,4 @@ webhooks: name: validation.webhook.triggers.tekton.dev ... {{- end -}} -{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "webhook_validation-triggers" ) }} +{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "validatingwebhookconfig-webhook" ) }} diff --git a/tools/gate/tekton/300-test.sh b/tools/gate/tekton/300-test.sh index 6e2ba712..c355d3a3 100755 --- a/tools/gate/tekton/300-test.sh +++ b/tools/gate/tekton/300-test.sh 
@@ -4,35 +4,16 @@ set -eux TEKTON_NS="tekton-pipelines" -# Runs the tekton pipeline trigger test -function retry { - local n=1 - local max=5 - local delay=10 - - while true; do - "$@" && break || { - if [[ $n -lt $max ]]; then - (( n++ )) - sleep $delay - else - echo "failed after $n attempts." >&2 - exit 1 - fi - } - done -} - sleep 60 kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/secret.yaml kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/serviceaccount.yaml kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/clustertriggerbinding-roles kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/triggerbinding-roles -retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggertemplates/triggertemplate.yaml -retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding.yaml -retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding-message.yaml -retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/eventlisteners/eventlistener.yaml +kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggertemplates/triggertemplate.yaml +kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding.yaml +kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding-message.yaml +kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/eventlisteners/eventlistener.yaml kubectl -n $TEKTON_NS get svc kubectl -n $TEKTON_NS get pod
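Review bot: With `retry` removed, the four Trigger resource applies run exactly once under `set -eux`, so the only protection against a not-yet-ready admission webhook is the fixed `sleep 60`. The same commit gives the webhook a readiness probe with `initialDelaySeconds: 30`, which leaves little margin on a slow gate node. I would replace the sleep with an explicit wait, e.g. `kubectl -n "$TEKTON_NS" wait --for=condition=Available deployment --all --timeout=300s`, and quote `$TEKTON_NS` in the apply lines.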