diff --git a/.github/workflows/full_kubeflow_integration_test.yaml b/.github/workflows/full_kubeflow_integration_test.yaml index 6f1b3fcb3..a9a7c51b1 100644 --- a/.github/workflows/full_kubeflow_integration_test.yaml +++ b/.github/workflows/full_kubeflow_integration_test.yaml @@ -95,13 +95,13 @@ jobs: kustomize build apps/model-registry/upstream/options/ui/overlays/istio | kubectl apply -f - - name: Install Spark - run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_install.sh + run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/install_spark.sh - name: Wait for All Pods to be Ready run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 60s --field-selector=status.phase!=Succeeded - name: Install Dependencies - run: pip install pytest kubernetes kfp==2.11.0 kserve pytest-timeout pyyaml requests + run: pip install pytest kubernetes kfp==2.13.0 kserve pytest-timeout pyyaml requests - name: Port-forward the istio-ingress gateway run: ./tests/gh-actions/port_forward_gateway.sh @@ -120,14 +120,14 @@ jobs: - name: Test Pipeline Access with Authorized Token run: | TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" - python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}" - name: Test Pipeline Access with Unauthorized Token run: | kubectl create namespace test-unauthorized kubectl create serviceaccount test-unauthorized -n test-unauthorized UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized) - python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "$UNAUTHORIZED_TOKEN" "${KF_PROFILE}" - name: Test Volumes Web Application API run: ./tests/gh-actions/test_volumes_web_application.sh "${KF_PROFILE}" 
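Review bot: In the `Install Dependencies` step only `kfp==2.13.0` is pinned; `pytest`, `kubernetes`, `kserve`, `pytest-timeout`, `pyyaml` and `requests` still float to the newest release at run time, so a broken or tampered upload of any of them runs in the same job that later creates ServiceAccount tokens. I would check in one requirements file with exact versions and hashes and install it with `pip install --require-hashes -r <requirements-file>` (placeholder path). That would also stop the kfp pin drifting between workflows, which the removed lines show had happened (`2.11.0` here, `2.12.1` in the pipeline workflows). The `katib_test.yaml` hunk carries the same partly pinned list.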
@@ -173,7 +173,7 @@ jobs: # TODO the individual KServe tests is currently being restructured. Afterwards we can also test inferencing - name: Run Spark Test - run: chmod u+x tests/gh-actions/spark_*.sh && ./tests/gh-actions/spark_test.sh "${KF_PROFILE}" + run: chmod u+x tests/gh-actions/*.sh && ./tests/gh-actions/test_spark.sh "${KF_PROFILE}" - name: Test Model Registry Deployment run: | diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 69fac47db..62f80e683 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -54,7 +54,7 @@ jobs: - name: Install Dependencies - run: pip install pytest kubernetes kfp==2.11.0 requests + run: pip install pytest kubernetes kfp==2.13.0 requests - name: Port-forward the istio-ingress gateway run: ./tests/gh-actions/port_forward_gateway.sh diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml index 481b7dcdf..db97b4a5d 100644 --- a/.github/workflows/pipeline_swfs_test.yaml +++ b/.github/workflows/pipeline_swfs_test.yaml 
@@ -67,17 +67,17 @@ jobs: - name: List and deploy test pipeline with authorized ServiceAccount Token run: | - pip3 install kfp==2.12.1 + pip3 install kfp==2.13.0 KF_PROFILE=kubeflow-user-example-com TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" - python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}" - name: Fail to list pipelines with unauthorized ServiceAccount Token run: | - pip3 install kfp==2.12.1 + pip3 install kfp==2.13.0 KF_PROFILE=kubeflow-user-example-com TOKEN="$(kubectl -n default create token default)" - python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace." diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index fd5fd4130..d53cc1569 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -3,7 +3,7 @@ on: pull_request: paths: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - - .github/workflows/pipeline_test.yaml + - .github/workflows/test_pipeline.yaml - apps/pipeline/upstream/** - tests/gh-actions/install_istio.sh - tests/gh-actions/install_cert_manager.sh @@ -11,7 +11,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - tests/gh-actions/pipeline_test.py + - tests/gh-actions/test_pipeline.py - experimental/security/PSS/* jobs: 
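Review bot: The `paths` filter in `pipeline_test.yaml` now lists `.github/workflows/test_pipeline.yaml`, but the diff header shows the workflow file is still `.github/workflows/pipeline_test.yaml` on both sides. Unless the file is renamed elsewhere in this commit, edits to the workflow itself will no longer trigger it, and a change to its token or authorization steps would merge untested. Either keep `- .github/workflows/pipeline_test.yaml` or rename the file in the same change. The first `spark_test.yaml` hunk has the same mismatch with `.github/workflows/test_spark.yaml`.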
@@ -66,17 +66,17 @@ jobs: - name: List and deploy test pipeline with authorized ServiceAccount Token run: | - pip3 install kfp==2.12.1 + pip3 install kfp==2.13.0 KF_PROFILE=kubeflow-user-example-com TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" - python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py run_pipeline "${TOKEN}" "${KF_PROFILE}" - name: Fail to list pipelines with unauthorized ServiceAccount Token run: | - pip3 install kfp==2.12.1 + pip3 install kfp==2.13.0 KF_PROFILE=kubeflow-user-example-com TOKEN="$(kubectl -n default create token default)" - python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" + python3 tests/gh-actions/test_pipeline.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace." diff --git a/.github/workflows/spark_test.yaml b/.github/workflows/spark_test.yaml index a312cc25a..1d8325148 100644 --- a/.github/workflows/spark_test.yaml +++ b/.github/workflows/spark_test.yaml @@ -3,7 +3,7 @@ on: pull_request: paths: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - - .github/workflows/spark_test.yaml + - .github/workflows/test_spark.yaml - apps/spark/** - tests/gh-actions/spark*.sh - tests/gh-actions/install_istio.sh @@ -47,6 +47,6 @@ jobs: cd apps/spark # TODO remove the debugging lines ls -lah ../../tests/gh-actions/ - chmod u+x ../../tests/gh-actions/spark* - ../../tests/gh-actions/spark_install.sh - ../../tests/gh-actions/spark_test.sh "kubeflow-user-example-com" + chmod u+x ../../tests/gh-actions/*.sh + ../../tests/gh-actions/install_spark.sh + ../../tests/gh-actions/test_spark.sh "kubeflow-user-example-com" diff --git a/.shellcheckrc b/.shellcheckrc index 9c339b78b..f46004acb 100644 --- a/.shellcheckrc +++ b/.shellcheckrc 
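Review bot: The unchanged filter `- tests/gh-actions/spark*.sh` in the first `spark_test.yaml` hunk no longer matches the scripts this workflow now calls, `install_spark.sh` and `test_spark.sh`, so a pull request that edits only those scripts would not run the Spark test. This assumes the scripts are renamed in the same commit, which is not visible here. I would change the entry to `- tests/gh-actions/*spark*.sh`, or list the two files explicitly.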
@@ -1,2 +1,2 @@ # ~/.shellcheckrc -disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006 +disable=SC1017,SC2086,SC2070,SC2046,SC2155,SC2006,SC1091,SC2164 diff --git a/README.md b/README.md index 7c1c07b0f..9601c0998 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ This repository periodically synchronizes all official Kubeflow components from | Katib | apps/katib/upstream | [v0.18.0](https://github.com/kubeflow/katib/tree/v0.18.0/manifests/v1beta1) | | KServe | apps/kserve/kserve | [v0.15.0](https://github.com/kserve/kserve/releases/tag/v0.15.0/install/v0.15.0) | | KServe Models Web Application | apps/kserve/models-web-app | [v0.14.0](https://github.com/kserve/models-web-app/tree/v0.14.0/config) | -| Kubeflow Pipelines | apps/pipeline/upstream | [2.4.1](https://github.com/kubeflow/pipelines/tree/2.4.1/manifests/kustomize) | +| Kubeflow Pipelines | apps/pipeline/upstream | [2.5.0](https://github.com/kubeflow/pipelines/tree/2.5.0/manifests/kustomize) | | Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.16](https://github.com/kubeflow/model-registry/tree/v0.2.16/manifests/kustomize) | The following matrix shows the versions of common components used across different Kubeflow projects: diff --git a/apps/pipeline/upstream/base/application/kustomization.yaml b/apps/pipeline/upstream/base/application/kustomization.yaml index 977dcfe08..1f43d0d78 100644 --- a/apps/pipeline/upstream/base/application/kustomization.yaml +++ b/apps/pipeline/upstream/base/application/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - application.yaml +- application.yaml diff --git a/apps/pipeline/upstream/base/cache-deployer/cluster-scoped/kustomization.yaml b/apps/pipeline/upstream/base/cache-deployer/cluster-scoped/kustomization.yaml index 2b941ae3f..8dc0ca811 100644 --- a/apps/pipeline/upstream/base/cache-deployer/cluster-scoped/kustomization.yaml 
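Review bot: Adding `SC2164` to the repository-wide `disable=` line silences the unchecked-`cd` warning for every script, while `SC2086` and `SC2046` (unquoted expansions) are already off. A CI script whose `cd` fails would then keep running in the wrong directory, and ShellCheck would no longer flag it. I would leave `SC2164` enabled and fix the individual sites with `cd "$dir" || exit 1`, or annotate a deliberate exception with `# shellcheck disable=SC2164` on that line only. `SC1091` only concerns sourced files ShellCheck was not given, so disabling it globally is less of a concern.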
+++ b/apps/pipeline/upstream/base/cache-deployer/cluster-scoped/kustomization.yaml @@ -1,11 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + resources: - - cache-deployer-clusterrole.yaml - - cache-deployer-clusterrolebinding.yaml - # HACK: although a service account(SA) is not a cluster-scoped resource. - # Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add - # namespace for the clusterrolebinding's SA ref. - - cache-deployer-sa.yaml - \ No newline at end of file +- cache-deployer-clusterrole.yaml +- cache-deployer-clusterrolebinding.yaml +# HACK: although a service account(SA) is not a cluster-scoped resource. +# Presence of a SA referred by a clusterrolebinding allows kustomize to auto-add +# namespace for the clusterrolebinding's SA ref. +- cache-deployer-sa.yaml diff --git a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml index 22d43ed9c..ca9e0e0d7 100644 --- a/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache-deployer/kustomization.yaml @@ -4,8 +4,10 @@ resources: - cache-deployer-role.yaml - cache-deployer-rolebinding.yaml - cache-deployer-deployment.yaml -commonLabels: - app: cache-deployer images: - name: ghcr.io/kubeflow/kfp-cache-deployer - newTag: 2.4.1 + newTag: 2.5.0 +labels: + - includeSelectors: true + pairs: + app: cache-deployer diff --git a/apps/pipeline/upstream/base/cache/cache-deployment.yaml b/apps/pipeline/upstream/base/cache/cache-deployment.yaml index 75289c891..79592095f 100644 --- a/apps/pipeline/upstream/base/cache/cache-deployment.yaml +++ b/apps/pipeline/upstream/base/cache/cache-deployment.yaml 
@@ -14,12 +14,13 @@ spec: labels: app: cache-server spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: server securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 diff --git a/apps/pipeline/upstream/base/cache/cache-role.yaml b/apps/pipeline/upstream/base/cache/cache-role.yaml index 7c6a45aa3..de613b427 100644 --- a/apps/pipeline/upstream/base/cache/cache-role.yaml +++ b/apps/pipeline/upstream/base/cache/cache-role.yaml @@ -31,20 +31,3 @@ rules: - watch - update - patch -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - customruns - - taskruns - - conditions - - runs - - tasks - verbs: - - create - - get - - list - - watch - - update - - patch - - delete diff --git a/apps/pipeline/upstream/base/cache/kustomization.yaml b/apps/pipeline/upstream/base/cache/kustomization.yaml index 734d1095d..ebcb7433a 100644 --- a/apps/pipeline/upstream/base/cache/kustomization.yaml +++ b/apps/pipeline/upstream/base/cache/kustomization.yaml @@ -6,8 +6,10 @@ resources: - cache-rolebinding.yaml - cache-sa.yaml - cache-service.yaml -commonLabels: - app: cache-server images: - name: ghcr.io/kubeflow/kfp-cache-server - newTag: 2.4.1 + newTag: 2.5.0 +labels: + - includeSelectors: true + pairs: + app: cache-server diff --git a/apps/pipeline/upstream/base/crds/kustomization.yaml b/apps/pipeline/upstream/base/crds/kustomization.yaml new file mode 100644 index 000000000..9268a75f4 --- /dev/null +++ b/apps/pipeline/upstream/base/crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- pipelines.kubeflow.org_pipelines.yaml +- pipelines.kubeflow.org_pipelineversions.yaml diff --git a/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelines.yaml b/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelines.yaml new file mode 100644 index 000000000..c9681d3b5 --- /dev/null 
+++ b/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelines.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.4
+ name: pipelines.pipelines.kubeflow.org
+spec:
+ group: pipelines.kubeflow.org
+ names:
+ kind: Pipeline
+ listKind: PipelineList
+ plural: pipelines
+ singular: pipeline
+ scope: Namespaced
+ versions:
+ - name: v2beta1
+ schema:
+ openAPIV3Schema:
+ description: Pipeline is the Schema for the pipelines API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PipelineSpec defines the desired state of Pipeline.
+ properties:
+ description:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelineversions.yaml b/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelineversions.yaml
new file mode 100644
index 000000000..34d923734
--- /dev/null
+++ b/apps/pipeline/upstream/base/crds/pipelines.kubeflow.org_pipelineversions.yaml
@@ -0,0 +1,89 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.4
+ name: pipelineversions.pipelines.kubeflow.org
+spec:
+ group: pipelines.kubeflow.org
+ names:
+ kind: PipelineVersion
+ listKind: PipelineVersionList
+ plural: pipelineversions
+ singular: pipelineversion
+ scope: Namespaced
+ versions:
+ - name: v2beta1
+ schema:
+ openAPIV3Schema:
+ description: PipelineVersion is the Schema for the pipelineversions API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PipelineVersionSpec defines the desired state of PipelineVersion.
+ properties:
+ codeSourceURL:
+ type: string
+ description:
+ type: string
+ pipelineName:
+ type: string
+ pipelineSpec:
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - pipelineSpec
+ type: object
+ status:
+ description: PipelineVersionStatus defines the observed state of PipelineVersion.
+ properties:
+ conditions:
+ items:
+ description: |-
+ SimplifiedCondition is a metav1.Condition without lastTransitionTime since the database model doesn't have such
+ a concept and it allows a default status in the CRD without a controller setting it.
+ properties:
+ message:
+ maxLength: 32768
+ type: string
+ reason:
+ type: string
+ status:
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/apps/pipeline/upstream/base/installs/generic/kustomization.yaml b/apps/pipeline/upstream/base/installs/generic/kustomization.yaml
index 527a31563..5b4c6d463 100644
--- a/apps/pipeline/upstream/base/installs/generic/kustomization.yaml
+++ b/apps/pipeline/upstream/base/installs/generic/kustomization.yaml
@@ -2,46 +2,46 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - - ../../pipeline - - ../../cache - - ../../cache-deployer - - pipeline-install-config.yaml - - mysql-secret.yaml +- ../../pipeline +- ../../cache +- ../../cache-deployer +- pipeline-install-config.yaml +- mysql-secret.yaml vars: - - name: kfp-namespace - objref: - kind: Deployment - apiVersion: apps/v1 - name: ml-pipeline - fieldref: - fieldpath: metadata.namespace - - name: kfp-app-name - objref: - kind: ConfigMap - name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.appName - - name: kfp-app-version - objref: - kind: ConfigMap - name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.appVersion - - name: kfp-artifact-bucket-name - objref: - kind: ConfigMap - name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.bucketName - - name: kfp-default-pipeline-root - objref: - kind: ConfigMap - name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.defaultPipelineRoot +- fieldref: + fieldPath: metadata.namespace + name: kfp-namespace + objref: + apiVersion: apps/v1 + kind: Deployment + name: ml-pipeline +- fieldref: + fieldPath: data.appName + name: kfp-app-name + objref: + apiVersion: v1 + kind: ConfigMap + name: pipeline-install-config +- fieldref: + fieldPath: data.appVersion + name: kfp-app-version + objref: + apiVersion: v1 + kind: ConfigMap + name: pipeline-install-config +- fieldref: + fieldPath: data.bucketName + name: kfp-artifact-bucket-name + objref: + apiVersion: v1 + kind: ConfigMap + name: pipeline-install-config +- fieldref: + fieldPath: data.defaultPipelineRoot + name: kfp-default-pipeline-root + objref: + apiVersion: v1 + kind: ConfigMap + name: pipeline-install-config configurations: - - params.yaml +- params.yaml 
diff --git a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml index e33764ec8..2593a12c8 100644 --- a/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml +++ b/apps/pipeline/upstream/base/installs/generic/pipeline-install-config.yaml @@ -11,7 +11,7 @@ data: until the changes take effect. A quick way to restart all deployments in a namespace: `kubectl rollout restart deployment -n `. appName: pipeline - appVersion: 2.4.1 + appVersion: 2.5.0 dbHost: mysql # relic to be removed after release dbPort: "3306" # relic to be removed after release dbType: mysql diff --git a/apps/pipeline/upstream/base/installs/generic/postgres/kustomization.yaml b/apps/pipeline/upstream/base/installs/generic/postgres/kustomization.yaml index 573a94d46..f50a2c341 100644 --- a/apps/pipeline/upstream/base/installs/generic/postgres/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/generic/postgres/kustomization.yaml 
@@ -8,40 +8,40 @@ resources: - pipeline-install-config.yaml - postgres-secret-extended.yaml vars: -- name: kfp-namespace +- fieldref: + fieldPath: metadata.namespace + name: kfp-namespace objref: - kind: Deployment apiVersion: apps/v1 + kind: Deployment name: ml-pipeline - fieldref: - fieldpath: metadata.namespace -- name: kfp-app-name +- fieldref: + fieldPath: data.appName + name: kfp-app-name objref: + apiVersion: v1 kind: ConfigMap name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.appName -- name: kfp-app-version +- fieldref: + fieldPath: data.appVersion + name: kfp-app-version objref: + apiVersion: v1 kind: ConfigMap name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.appVersion -- name: kfp-artifact-bucket-name +- fieldref: + fieldPath: data.bucketName + name: kfp-artifact-bucket-name objref: + apiVersion: v1 kind: ConfigMap name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.bucketName -- name: kfp-default-pipeline-root +- fieldref: + fieldPath: data.defaultPipelineRoot + name: kfp-default-pipeline-root objref: + apiVersion: v1 kind: ConfigMap name: pipeline-install-config - apiVersion: v1 - fieldref: - fieldpath: data.defaultPipelineRoot configurations: - - params.yaml +- params.yaml diff --git a/apps/pipeline/upstream/base/installs/multi-user/api-service/cluster-role.yaml b/apps/pipeline/upstream/base/installs/multi-user/api-service/cluster-role.yaml index 7d44af77b..14e6e4152 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/api-service/cluster-role.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/api-service/cluster-role.yaml @@ -35,6 +35,20 @@ rules: - update - patch - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows/finalizers + verbs: + - update +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + verbs: + - get + - list + - watch - apiGroups: - authorization.k8s.io resources: 
diff --git a/apps/pipeline/upstream/base/installs/multi-user/api-service/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/api-service/kustomization.yaml index 4650ab569..b18c97d9c 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/api-service/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/api-service/kustomization.yaml @@ -4,6 +4,6 @@ resources: - cluster-role-binding.yaml - cluster-role.yaml configMapGenerator: -- name: pipeline-api-server-config - envs: +- envs: - params.env + name: pipeline-api-server-config diff --git a/apps/pipeline/upstream/base/installs/multi-user/cache/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/cache/kustomization.yaml index ec4dfa886..71117ae04 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/cache/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/cache/kustomization.yaml @@ -1,7 +1,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -commonLabels: - app: cache-server resources: - cluster-role.yaml - cluster-role-binding.yaml +labels: +- includeSelectors: true + pairs: + app: cache-server diff --git a/apps/pipeline/upstream/base/installs/multi-user/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/kustomization.yaml index cca7b491c..33c4127f0 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/kustomization.yaml @@ -1,9 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow -commonLabels: - app.kubernetes.io/name: kubeflow-pipelines - app.kubernetes.io/component: ml-pipeline resources: - ../../pipeline/cluster-scoped - ../../cache-deployer/cluster-scoped @@ -31,3 +28,8 @@ patches: configurations: - params.yaml +labels: +- includeSelectors: true + pairs: + app.kubernetes.io/component: ml-pipeline + app.kubernetes.io/name: kubeflow-pipelines 
diff --git a/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/deployment.yaml b/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/deployment.yaml index 637183a6d..faa73ccb3 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/deployment.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/deployment.yaml @@ -6,7 +6,7 @@ spec: replicas: 1 template: metadata: - annotations: + labels: sidecar.istio.io/inject: "false" spec: containers: @@ -57,4 +57,3 @@ spec: - name: hooks configMap: name: kubeflow-pipelines-profile-controller-code - diff --git a/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml index b0d366e39..fdb0de233 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/pipelines-profile-controller/kustomization.yaml @@ -1,16 +1,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow -commonLabels: - app: kubeflow-pipelines-profile-controller resources: - service.yaml - deployment.yaml - decorator-controller.yaml configMapGenerator: -- name: kubeflow-pipelines-profile-controller-code - files: +- files: - sync.py -- name: kubeflow-pipelines-profile-controller-env - envs: + name: kubeflow-pipelines-profile-controller-code +- envs: - params.env + name: kubeflow-pipelines-profile-controller-env +labels: +- includeSelectors: true + pairs: + app: kubeflow-pipelines-profile-controller diff --git a/apps/pipeline/upstream/base/installs/multi-user/pipelines-ui/kustomization.yaml b/apps/pipeline/upstream/base/installs/multi-user/pipelines-ui/kustomization.yaml index c84d97c05..a607fb9fa 100644 
--- a/apps/pipeline/upstream/base/installs/multi-user/pipelines-ui/kustomization.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/pipelines-ui/kustomization.yaml @@ -1,8 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow -commonLabels: - app: ml-pipeline-ui resources: - cluster-role.yaml - cluster-role-binding.yaml +labels: +- includeSelectors: true + pairs: + app: ml-pipeline-ui diff --git a/apps/pipeline/upstream/base/installs/multi-user/scheduled-workflow/cluster-role.yaml b/apps/pipeline/upstream/base/installs/multi-user/scheduled-workflow/cluster-role.yaml index fd868eaad..45a10bb45 100644 --- a/apps/pipeline/upstream/base/installs/multi-user/scheduled-workflow/cluster-role.yaml +++ b/apps/pipeline/upstream/base/installs/multi-user/scheduled-workflow/cluster-role.yaml @@ -15,6 +15,12 @@ rules: - update - patch - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - create - apiGroups: - kubeflow.org resources: diff --git a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml index 41e17f743..136331138 100644 --- a/apps/pipeline/upstream/base/metadata/base/kustomization.yaml +++ b/apps/pipeline/upstream/base/metadata/base/kustomization.yaml @@ -10,4 +10,4 @@ resources: - metadata-grpc-sa.yaml images: - name: ghcr.io/kubeflow/kfp-metadata-envoy - newTag: 2.4.1 + newTag: 2.5.0 diff --git a/apps/pipeline/upstream/base/metadata/base/metadata-envoy-deployment.yaml b/apps/pipeline/upstream/base/metadata/base/metadata-envoy-deployment.yaml index 3192d840d..4425672b3 100644 --- a/apps/pipeline/upstream/base/metadata/base/metadata-envoy-deployment.yaml +++ b/apps/pipeline/upstream/base/metadata/base/metadata-envoy-deployment.yaml @@ -13,7 +13,6 @@ spec: metadata: labels: component: metadata-envoy - annotations: sidecar.istio.io/inject: "false" spec: containers: 
diff --git a/apps/pipeline/upstream/base/metadata/base/metadata-grpc-deployment.yaml b/apps/pipeline/upstream/base/metadata/base/metadata-grpc-deployment.yaml index 6a824cc10..a2f419ab6 100644 --- a/apps/pipeline/upstream/base/metadata/base/metadata-grpc-deployment.yaml +++ b/apps/pipeline/upstream/base/metadata/base/metadata-grpc-deployment.yaml @@ -14,6 +14,9 @@ spec: labels: component: metadata-grpc-server spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: container # ! Sync to the same MLMD version: diff --git a/apps/pipeline/upstream/base/metadata/overlays/db/kustomization.yaml b/apps/pipeline/upstream/base/metadata/overlays/db/kustomization.yaml index d28419d86..729f16eaa 100644 --- a/apps/pipeline/upstream/base/metadata/overlays/db/kustomization.yaml +++ b/apps/pipeline/upstream/base/metadata/overlays/db/kustomization.yaml @@ -12,13 +12,13 @@ patches: - path: patches/metadata-grpc-deployment.yaml configMapGenerator: -- name: metadata-db-parameters - envs: +- envs: - params.env + name: metadata-db-parameters secretGenerator: -- name: metadata-db-secrets - envs: +- envs: - secrets.env + name: metadata-db-secrets generatorOptions: disableNameSuffixHash: true @@ -29,10 +29,10 @@ images: newTag: 8.0.3 vars: -- name: MLMD_DB_HOST +- fieldref: + fieldPath: metadata.name + name: MLMD_DB_HOST objref: + apiVersion: v1 kind: Service name: metadata-db - apiVersion: v1 - fieldref: - fieldpath: metadata.name diff --git a/apps/pipeline/upstream/base/metadata/overlays/db/metadata-db-deployment.yaml b/apps/pipeline/upstream/base/metadata/overlays/db/metadata-db-deployment.yaml index f5a7332f4..3101f5d21 100644 --- a/apps/pipeline/upstream/base/metadata/overlays/db/metadata-db-deployment.yaml +++ b/apps/pipeline/upstream/base/metadata/overlays/db/metadata-db-deployment.yaml @@ -16,7 +16,6 @@ spec: name: db labels: component: db - annotations: sidecar.istio.io/inject: "false" spec: containers: 
@@ -49,4 +48,3 @@ spec: - name: metadata-mysql persistentVolumeClaim: claimName: metadata-mysql - diff --git a/apps/pipeline/upstream/base/metadata/overlays/postgres/kustomization.yaml b/apps/pipeline/upstream/base/metadata/overlays/postgres/kustomization.yaml index 0dd85682a..f975b8f52 100644 --- a/apps/pipeline/upstream/base/metadata/overlays/postgres/kustomization.yaml +++ b/apps/pipeline/upstream/base/metadata/overlays/postgres/kustomization.yaml @@ -12,13 +12,13 @@ patches: - path: patches/metadata-grpc-deployment.yaml configMapGenerator: -- name: metadata-postgres-db-parameters - envs: +- envs: - params.env + name: metadata-postgres-db-parameters secretGenerator: -- name: metadata-postgres-db-secrets - envs: +- envs: - secrets.env + name: metadata-postgres-db-secrets generatorOptions: disableNameSuffixHash: true @@ -28,10 +28,10 @@ images: newTag: 14.7-alpine3.17 vars: -- name: MLMD_DB_HOST +- fieldref: + fieldPath: metadata.name + name: MLMD_DB_HOST objref: + apiVersion: v1 kind: Service name: metadata-postgres-db - apiVersion: v1 - fieldref: - fieldpath: metadata.name diff --git a/apps/pipeline/upstream/base/metadata/overlays/postgres/metadata-db-deployment.yaml b/apps/pipeline/upstream/base/metadata/overlays/postgres/metadata-db-deployment.yaml index 061d109e1..41d2b5176 100644 --- a/apps/pipeline/upstream/base/metadata/overlays/postgres/metadata-db-deployment.yaml +++ b/apps/pipeline/upstream/base/metadata/overlays/postgres/metadata-db-deployment.yaml @@ -16,15 +16,14 @@ spec: name: db labels: component: db - annotations: sidecar.istio.io/inject: "false" spec: containers: - name: db-container image: postgres env: - - name: PGDATA - value: /var/lib/postgresql/data/pgdata + - name: PGDATA + value: /var/lib/postgresql/data/pgdata envFrom: - configMapRef: name: metadata-postgres-db-parameters @@ -40,4 +39,3 @@ spec: - name: metadata-postgres persistentVolumeClaim: claimName: metadata-postgres - 
diff --git a/apps/pipeline/upstream/base/pipeline/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/kustomization.yaml index 5218d23f0..775e323c6 100644 --- a/apps/pipeline/upstream/base/pipeline/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/kustomization.yaml @@ -36,14 +36,14 @@ resources: - kfp-launcher-configmap.yaml images: - name: ghcr.io/kubeflow/kfp-api-server - newTag: 2.4.1 + newTag: 2.5.0 - name: ghcr.io/kubeflow/kfp-persistence-agent - newTag: 2.4.1 + newTag: 2.5.0 - name: ghcr.io/kubeflow/kfp-scheduled-workflow-controller - newTag: 2.4.1 + newTag: 2.5.0 - name: ghcr.io/kubeflow/kfp-frontend - newTag: 2.4.1 + newTag: 2.5.0 - name: ghcr.io/kubeflow/kfp-viewer-crd-controller - newTag: 2.4.1 + newTag: 2.5.0 - name: ghcr.io/kubeflow/kfp-visualization-server - newTag: 2.4.1 + newTag: 2.5.0 diff --git a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml index 9c66741eb..679a95a61 100644 --- a/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml +++ b/apps/pipeline/upstream/base/pipeline/metadata-writer/kustomization.yaml @@ -7,4 +7,4 @@ resources: - metadata-writer-sa.yaml images: - name: ghcr.io/kubeflow/kfp-metadata-writer - newTag: 2.4.1 + newTag: 2.5.0 diff --git a/apps/pipeline/upstream/base/pipeline/metadata-writer/metadata-writer-deployment.yaml b/apps/pipeline/upstream/base/pipeline/metadata-writer/metadata-writer-deployment.yaml index 60408441e..0fa90266a 100644 --- a/apps/pipeline/upstream/base/pipeline/metadata-writer/metadata-writer-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/metadata-writer/metadata-writer-deployment.yaml @@ -14,6 +14,10 @@ spec: labels: app: metadata-writer spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: - name: main image: ghcr.io/kubeflow/kfp-metadata-writer:dummy 
@@ -24,8 +28,6 @@ spec: fieldPath: metadata.namespace securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-deployment.yaml index 1346314f7..24b5905b2 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-deployment.yaml 
@@ -15,159 +15,170 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - - env: - - name: LOG_LEVEL - value: "info" - - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: autoUpdatePipelineDefaultVersion - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OBJECTSTORECONFIG_SECURE - value: "false" - - name: OBJECTSTORECONFIG_BUCKETNAME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: bucketName - # relic variables - - name: DBCONFIG_USER - valueFrom: - secretKeyRef: - name: mysql-secret - key: username - - name: DBCONFIG_PASSWORD - valueFrom: - secretKeyRef: - name: mysql-secret - key: password - - name: DBCONFIG_DBNAME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: pipelineDb - - name: DBCONFIG_HOST - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: dbHost - - name: DBCONFIG_PORT - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: dbPort - # end of relic variables - - name: DBCONFIG_CONMAXLIFETIME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: ConMaxLifeTime - - name: DB_DRIVER_NAME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: dbType - # MySQL Config - - name: DBCONFIG_MYSQLCONFIG_USER - valueFrom: - secretKeyRef: - name: mysql-secret - key: username - - name: DBCONFIG_MYSQLCONFIG_PASSWORD - valueFrom: - secretKeyRef: - name: mysql-secret - key: password - - name: DBCONFIG_MYSQLCONFIG_DBNAME - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: pipelineDb - - name: DBCONFIG_MYSQLCONFIG_HOST - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: mysqlHost - - name: DBCONFIG_MYSQLCONFIG_PORT - valueFrom: - configMapKeyRef: - name: pipeline-install-config - key: mysqlPort - # end of MySQL Config - - 
name: OBJECTSTORECONFIG_ACCESSKEY - valueFrom: - secretKeyRef: - name: mlpipeline-minio-artifact - key: accesskey - - name: OBJECTSTORECONFIG_SECRETACCESSKEY - valueFrom: - secretKeyRef: - name: mlpipeline-minio-artifact - key: secretkey - image: ghcr.io/kubeflow/kfp-api-server:dummy - imagePullPolicy: IfNotPresent - name: ml-pipeline-api-server - ports: - - name: http - containerPort: 8888 - - name: grpc - containerPort: 8887 - readinessProbe: - exec: - command: - - wget - - -q # quiet - - -S # show server response - - -O - - "-" # Redirect output to stdout - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 - livenessProbe: - exec: - command: - - wget - - -q # quiet - - -S # show server response - - -O - - "-" # Redirect output to stdout - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 - # This startup probe provides up to a 60 second grace window before the - # liveness probe takes over to accomodate the occasional database - # migration. - startupProbe: - exec: - command: - - wget - - -q # quiet - - -S # show server response - - -O - - "-" # Redirect output to stdout - - http://localhost:8888/apis/v1beta1/healthz - failureThreshold: 12 - periodSeconds: 5 - timeoutSeconds: 2 - securityContext: - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 0 - capabilities: - drop: - - ALL - resources: - requests: - cpu: 250m - memory: 500Mi + - env: + # Whether or not to publish component logs to the object store. 
+ - name: PUBLISH_LOGS + value: "true" + - name: LOG_LEVEL + value: "info" + # Driver / launcher log level during pipeline execution + - name: PIPELINE_LOG_LEVEL + value: "1" + - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: autoUpdatePipelineDefaultVersion + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: OBJECTSTORECONFIG_SECURE + value: "false" + - name: OBJECTSTORECONFIG_BUCKETNAME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: bucketName + # relic variables + - name: DBCONFIG_USER + valueFrom: + secretKeyRef: + name: mysql-secret + key: username + - name: DBCONFIG_PASSWORD + valueFrom: + secretKeyRef: + name: mysql-secret + key: password + - name: DBCONFIG_DBNAME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: pipelineDb + - name: DBCONFIG_HOST + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: dbHost + - name: DBCONFIG_PORT + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: dbPort + # end of relic variables + - name: DBCONFIG_CONMAXLIFETIME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: ConMaxLifeTime + - name: DB_DRIVER_NAME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: dbType + # MySQL Config + - name: DBCONFIG_MYSQLCONFIG_USER + valueFrom: + secretKeyRef: + name: mysql-secret + key: username + - name: DBCONFIG_MYSQLCONFIG_PASSWORD + valueFrom: + secretKeyRef: + name: mysql-secret + key: password + - name: DBCONFIG_MYSQLCONFIG_DBNAME + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: pipelineDb + - name: DBCONFIG_MYSQLCONFIG_HOST + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: mysqlHost + - name: DBCONFIG_MYSQLCONFIG_PORT + valueFrom: + configMapKeyRef: + name: pipeline-install-config + key: mysqlPort + # end of MySQL Config + - name: OBJECTSTORECONFIG_ACCESSKEY + valueFrom: 
+ secretKeyRef: + name: mlpipeline-minio-artifact + key: accesskey + - name: OBJECTSTORECONFIG_SECRETACCESSKEY + valueFrom: + secretKeyRef: + name: mlpipeline-minio-artifact + key: secretkey + - name: V2_DRIVER_IMAGE + value: ghcr.io/kubeflow/kfp-driver:2.5.0 + - name: V2_LAUNCHER_IMAGE + value: ghcr.io/kubeflow/kfp-launcher:2.5.0 + image: ghcr.io/kubeflow/kfp-api-server:dummy + imagePullPolicy: IfNotPresent + name: ml-pipeline-api-server + ports: + - name: http + containerPort: 8888 + - name: grpc + containerPort: 8887 + readinessProbe: + exec: + command: + - wget + - -q # quiet + - -S # show server response + - -O + - "-" # Redirect output to stdout + - http://localhost:8888/apis/v1beta1/healthz + initialDelaySeconds: 3 + periodSeconds: 5 + timeoutSeconds: 2 + livenessProbe: + exec: + command: + - wget + - -q # quiet + - -S # show server response + - -O + - "-" # Redirect output to stdout + - http://localhost:8888/apis/v1beta1/healthz + initialDelaySeconds: 3 + periodSeconds: 5 + timeoutSeconds: 2 + # This startup probe provides up to a 60 second grace window before the + # liveness probe takes over to accomodate the occasional database + # migration. + startupProbe: + exec: + command: + - wget + - -q # quiet + - -S # show server response + - -O + - "-" # Redirect output to stdout + - http://localhost:8888/apis/v1beta1/healthz + failureThreshold: 12 + periodSeconds: 5 + timeoutSeconds: 2 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 + capabilities: + drop: + - ALL + resources: + requests: + cpu: 250m + memory: 500Mi serviceAccountName: ml-pipeline diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml index 9e76ebd7d..59d3926c0 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-apiserver-role.yaml 
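Review bot: `V2_DRIVER_IMAGE` and `V2_LAUNCHER_IMAGE` are added as literal env values (`ghcr.io/kubeflow/kfp-driver:2.5.0`, `ghcr.io/kubeflow/kfp-launcher:2.5.0`), so the `images:` entries in base/pipeline/kustomization.yaml will not update them on the next version bump, because those entries only rewrite container `image:` fields. They are also referenced by mutable tag, and these images presumably run inside the pods of every pipeline step, so pinning them by digest (`ghcr.io/kubeflow/kfp-driver@sha256:<digest-placeholder>`) would make the deployed content verifiable. At minimum I would add a comment above the two variables: `# Not rewritten by the kustomize images transformer; bump together with newTag in kustomization.yaml`. The hunk replaces the whole container spec, apparently only to re-indent it, which makes the four added variables easy to miss.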
@@ -37,6 +37,20 @@ rules: - update - patch - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows/finalizers + verbs: + - update +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + verbs: + - get + - list + - watch - apiGroups: - authorization.k8s.io resources: @@ -49,33 +63,3 @@ rules: - tokenreviews verbs: - create -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - - conditions - - runs - - tasks - - customruns - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - custom.tekton.dev - resources: - - pipelineloops - verbs: - - create - - get - - list - - watch - - update - - patch - - delete - \ No newline at end of file diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml index 7d92df0b0..2803c5804 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-deployment.yaml @@ -15,6 +15,9 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - env: - name: NAMESPACE @@ -39,8 +42,6 @@ spec: name: persistenceagent-sa-token securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml index a945442ab..63bdd03d6 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-persistenceagent-role.yaml 
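Review bot: The new `scheduledworkflows/finalizers` rule in the first hunk of ml-pipeline-apiserver-role.yaml has no comment explaining why the API server needs `update` on it. Presumably it lets the server set `blockOwnerDeletion` owner references on objects owned by a ScheduledWorkflow, which clusters enforcing OwnerReferencesPermissionEnforcement require. A comment such as `# required to set blockOwnerDeletion ownerReferences on ScheduledWorkflow-owned objects` would keep the rule from being dropped as unused in a later least-privilege pass. The `pipelines.kubeflow.org` rule grants read on `pipelines` only, while the webhooks added in this commit act on `pipelineversions`; it is worth confirming that this is intended when the server runs with `--pipelinesStoreKubernetes=true`.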
@@ -33,32 +33,3 @@ rules: verbs: - reportMetrics - readArtifact -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - - conditions - - runs - - tasks - - customruns - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - custom.tekton.dev - resources: - - pipelineloops - verbs: - - create - - get - - list - - watch - - update - - patch - - delete diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml index 045a08823..722ac3230 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-deployment.yaml @@ -15,6 +15,9 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - image: ghcr.io/kubeflow/kfp-scheduled-workflow-controller:dummy imagePullPolicy: IfNotPresent @@ -33,12 +36,21 @@ spec: key: cronScheduleTimezone securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 capabilities: drop: - ALL + volumeMounts: + - mountPath: /var/run/secrets/kubeflow/tokens + name: scheduledworkflow-sa-token serviceAccountName: ml-pipeline-scheduledworkflow + volumes: + - name: scheduledworkflow-sa-token + projected: + sources: + - serviceAccountToken: + path: scheduledworkflow-sa-token + expirationSeconds: 3600 + audience: pipelines.kubeflow.org diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-role.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-role.yaml index 36729d74e..c6f4918f1 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-role.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-scheduledworkflow-role.yaml 
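Review bot: The projected `scheduledworkflow-sa-token` volume added at the end of the scheduled-workflow deployment is audience-bound and expires after 3600 seconds, but nothing in the manifest records who consumes it. The kubelet rotates the file, so the controller has to re-read `/var/run/secrets/kubeflow/tokens/scheduledworkflow-sa-token` on use rather than cache it at start-up, which cannot be verified from this hunk. I would add a comment on the volume, for example `# audience-bound token presented to the KFP API server; rotated by the kubelet, must be re-read on use`.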
@@ -30,6 +30,12 @@ rules: - update - patch - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - create - apiGroups: - '' resources: diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-ui-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-ui-deployment.yaml index 5fe9990ad..c11685ea5 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-ui-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-ui-deployment.yaml @@ -15,6 +15,9 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault volumes: - name: config-volume configMap: @@ -31,8 +34,6 @@ spec: readOnly: true securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 @@ -62,6 +63,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: ARGO_ARCHIVE_LOGS + value: "true" + - name: DISABLE_GKE_METADATA + value: "true" readinessProbe: exec: command: diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml index 9370ed9c5..bc42d4781 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-viewer-crd-deployment.yaml @@ -15,6 +15,9 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - image: ghcr.io/kubeflow/kfp-viewer-crd-controller:dummy imagePullPolicy: Always @@ -28,8 +31,6 @@ spec: fieldPath: metadata.namespace securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 
diff --git a/apps/pipeline/upstream/base/pipeline/ml-pipeline-visualization-deployment.yaml b/apps/pipeline/upstream/base/pipeline/ml-pipeline-visualization-deployment.yaml index dc10badc4..e3773c4cf 100644 --- a/apps/pipeline/upstream/base/pipeline/ml-pipeline-visualization-deployment.yaml +++ b/apps/pipeline/upstream/base/pipeline/ml-pipeline-visualization-deployment.yaml @@ -15,6 +15,9 @@ spec: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - image: ghcr.io/kubeflow/kfp-visualization-server:dummy imagePullPolicy: IfNotPresent @@ -48,8 +51,6 @@ spec: timeoutSeconds: 2 securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 runAsGroup: 0 diff --git a/apps/pipeline/upstream/base/pipeline/pipeline-runner-role.yaml b/apps/pipeline/upstream/base/pipeline/pipeline-runner-role.yaml index c81e72894..e81fd91a5 100644 --- a/apps/pipeline/upstream/base/pipeline/pipeline-runner-role.yaml +++ b/apps/pipeline/upstream/base/pipeline/pipeline-runner-role.yaml @@ -78,32 +78,3 @@ rules: - seldondeployments verbs: - '*' -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - - conditions - - runs - - tasks - - customruns - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - custom.tekton.dev - resources: - - pipelineloops - verbs: - - create - - get - - list - - watch - - update - - patch - - delete diff --git a/apps/pipeline/upstream/base/postgresql/pipeline/kustomization.yaml b/apps/pipeline/upstream/base/postgresql/pipeline/kustomization.yaml index 59e2d7d99..c9ec8553d 100644 --- a/apps/pipeline/upstream/base/postgresql/pipeline/kustomization.yaml +++ b/apps/pipeline/upstream/base/postgresql/pipeline/kustomization.yaml 
@@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../pipeline +- ../../pipeline patches: - - path: ml-pipeline-apiserver-deployment-patch.yaml +- path: ml-pipeline-apiserver-deployment-patch.yaml diff --git a/apps/pipeline/upstream/base/webhook/kustomization.yaml b/apps/pipeline/upstream/base/webhook/kustomization.yaml new file mode 100644 index 000000000..e63298e8d --- /dev/null +++ b/apps/pipeline/upstream/base/webhook/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow + +resources: +- pipelineversion-validating-webhook-config.yaml +- pipelineversion-mutating-webhook-config.yaml + +configurations: +- params.yaml diff --git a/apps/pipeline/upstream/base/webhook/params.yaml b/apps/pipeline/upstream/base/webhook/params.yaml new file mode 100644 index 000000000..911553f62 --- /dev/null +++ b/apps/pipeline/upstream/base/webhook/params.yaml @@ -0,0 +1,13 @@ +varReference: + - path: metadata/annotations + kind: ValidatingWebhookConfiguration + - path: webhooks/clientConfig/service/namespace + kind: ValidatingWebhookConfiguration + - path: webhooks/name + kind: ValidatingWebhookConfiguration + - path: metadata/annotations + kind: MutatingWebhookConfiguration + - path: webhooks/clientConfig/service/namespace + kind: MutatingWebhookConfiguration + - path: webhooks/name + kind: MutatingWebhookConfiguration diff --git a/apps/pipeline/upstream/base/webhook/pipelineversion-mutating-webhook-config.yaml b/apps/pipeline/upstream/base/webhook/pipelineversion-mutating-webhook-config.yaml new file mode 100644 index 000000000..949e2afdf --- /dev/null +++ b/apps/pipeline/upstream/base/webhook/pipelineversion-mutating-webhook-config.yaml 
@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+webhooks:
+ - name: pipelineversions.pipelines.kubeflow.org
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - pipelines.kubeflow.org
+ apiVersions:
+ - v2beta1
+ resources:
+ - pipelineversions
+ scope: Namespaced
+ admissionReviewVersions:
+ - v1
+ sideEffects: None
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: ml-pipeline
+ namespace: $(kfp-namespace)
+ path: /webhooks/mutate-pipelineversion
+ port: 8443
diff --git a/apps/pipeline/upstream/base/webhook/pipelineversion-validating-webhook-config.yaml b/apps/pipeline/upstream/base/webhook/pipelineversion-validating-webhook-config.yaml
new file mode 100644
index 000000000..9e8ef3069
--- /dev/null
+++ b/apps/pipeline/upstream/base/webhook/pipelineversion-validating-webhook-config.yaml
@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+webhooks:
+ - name: pipelineversions.pipelines.kubeflow.org
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - pipelines.kubeflow.org
+ apiVersions:
+ - v2beta1
+ resources:
+ - pipelineversions
+ scope: Namespaced
+ admissionReviewVersions:
+ - v1
+ sideEffects: None
+ failurePolicy: Fail
+ clientConfig:
+ service:
+ name: ml-pipeline
+ namespace: $(kfp-namespace)
+ path: /webhooks/validate-pipelineversion
+ port: 8443
diff --git a/apps/pipeline/upstream/cluster-scoped-resources-tekton/kustomization.yaml b/apps/pipeline/upstream/cluster-scoped-resources-tekton/kustomization.yaml
deleted file mode 100644
index 936b2d782..000000000
--- a/apps/pipeline/upstream/cluster-scoped-resources-tekton/kustomization.yaml
+++ /dev/null
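Review bot: The mutating webhook configuration sets `failurePolicy: Fail` but has no `caBundle` and no `cert-manager.io/inject-ca-from` annotation; the annotation only arrives through the patches under env/cert-manager/*-k8s-native. Anyone who builds base/webhook on its own gets a webhook the Kubernetes API server cannot verify, and with `Fail` every CREATE and UPDATE of `pipelineversions` is then rejected. A header comment in the file would prevent that, e.g. `# Requires a CA bundle: deploy through an env/cert-manager/*-k8s-native overlay`, and an explicit `timeoutSeconds` would bound how long a stalled ml-pipeline service can hold up those requests. The validating configuration in the next hunk has the same gap.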
@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kubeflow
-
-resources:
-- namespace.yaml
-bases:
-- ../third-party/application/cluster-scoped
-- ../base/pipeline/cluster-scoped
-- ../base/cache-deployer/cluster-scoped
-vars:
-# NOTE: var name must be unique globally to allow composition of multiple kustomize
-# packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from
-# others.
-- name: kfp-cluster-scoped-namespace
- objref:
- # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml
- # so that we only need to change kustomization.yaml's namespace field for namespace customization.
- kind: ServiceAccount
- name: kubeflow-pipelines-cache-deployer-sa
- apiVersion: v1
- fieldref:
- fieldpath: metadata.namespace
-configurations:
-- params.yaml
diff --git a/apps/pipeline/upstream/cluster-scoped-resources-tekton/namespace.yaml b/apps/pipeline/upstream/cluster-scoped-resources-tekton/namespace.yaml
deleted file mode 100644
index 3c65856e7..000000000
--- a/apps/pipeline/upstream/cluster-scoped-resources-tekton/namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: '$(kfp-cluster-scoped-namespace)'
diff --git a/apps/pipeline/upstream/cluster-scoped-resources-tekton/params.yaml b/apps/pipeline/upstream/cluster-scoped-resources-tekton/params.yaml
deleted file mode 100644
index cc253fe26..000000000
--- a/apps/pipeline/upstream/cluster-scoped-resources-tekton/params.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow Kustomize var to replace following fields.
-varReference:
-- path: metadata/name
- kind: Namespace
diff --git a/apps/pipeline/upstream/cluster-scoped-resources/kustomization.yaml b/apps/pipeline/upstream/cluster-scoped-resources/kustomization.yaml
index db34bc749..3f87409c0 100644
--- a/apps/pipeline/upstream/cluster-scoped-resources/kustomization.yaml
+++ b/apps/pipeline/upstream/cluster-scoped-resources/kustomization.yaml @@ -13,14 +13,14 @@ vars: # NOTE: var name must be unique globally to allow composition of multiple kustomize # packages. Therefore, we added prefix `kfp-cluster-scoped-` to distinguish it from # others. -- name: kfp-cluster-scoped-namespace +- fieldref: + fieldPath: metadata.namespace + name: kfp-cluster-scoped-namespace objref: # cache deployer sa's metadata.namespace will be first transformed by namespace field in kustomization.yaml # so that we only need to change kustomization.yaml's namespace field for namespace customization. + apiVersion: v1 kind: ServiceAccount name: kubeflow-pipelines-cache-deployer-sa - apiVersion: v1 - fieldref: - fieldpath: metadata.namespace configurations: - params.yaml diff --git a/apps/pipeline/upstream/env/aws/kustomization.yaml b/apps/pipeline/upstream/env/aws/kustomization.yaml index c3f3ab9af..93a5bc5e8 100644 --- a/apps/pipeline/upstream/env/aws/kustomization.yaml +++ b/apps/pipeline/upstream/env/aws/kustomization.yaml 
@@ -2,33 +2,38 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - - ../../env/platform-agnostic +- ../../env/platform-agnostic configMapGenerator: - - name: pipeline-install-config - env: params.env - behavior: merge - - name: workflow-controller-configmap - behavior: replace - files: - - config - - name: ml-pipeline-ui-configmap - behavior: replace - files: - - viewer-pod-template.json +- behavior: merge + envs: + - params.env + name: pipeline-install-config +- behavior: replace + files: + - config + name: workflow-controller-configmap +- behavior: replace + files: + - viewer-pod-template.json + name: ml-pipeline-ui-configmap secretGenerator: - - name: mysql-secret - env: secret.env - behavior: merge - - name: mlpipeline-minio-artifact - env: minio-artifact-secret-patch.env - behavior: merge +- behavior: merge + envs: + - secret.env + name: mysql-secret +- behavior: merge + envs: + - minio-artifact-secret-patch.env + name: mlpipeline-minio-artifact generatorOptions: disableNameSuffixHash: true patches: - - path: aws-configuration-pipeline-patch.yaml - - path: aws-configuration-pipeline-ui-patch.yaml +- path: aws-configuration-pipeline-patch.yaml +- path: aws-configuration-pipeline-ui-patch.yaml # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected # when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/azure/kustomization.yaml b/apps/pipeline/upstream/env/azure/kustomization.yaml index 3bc71cfdf..75efe953b 100644 --- a/apps/pipeline/upstream/env/azure/kustomization.yaml +++ b/apps/pipeline/upstream/env/azure/kustomization.yaml 
@@ -9,17 +9,21 @@ resources: - minio-azure-gateway configMapGenerator: -- name: pipeline-install-config - env: params.env - behavior: merge +- behavior: merge + envs: + - params.env + name: pipeline-install-config secretGenerator: -- name: mysql-secret - env: mysql-secret.env - behavior: merge +- behavior: merge + envs: + - mysql-secret.env + name: mysql-secret # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected # when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/azure/minio-azure-gateway/kustomization.yaml b/apps/pipeline/upstream/env/azure/minio-azure-gateway/kustomization.yaml index db350a6f5..65a0957e2 100644 --- a/apps/pipeline/upstream/env/azure/minio-azure-gateway/kustomization.yaml +++ b/apps/pipeline/upstream/env/azure/minio-azure-gateway/kustomization.yaml @@ -6,8 +6,9 @@ resources: - minio-azure-gateway-service.yaml secretGenerator: -- name: mlpipeline-minio-artifact - env: minio-artifact-secret.env +- envs: + - minio-artifact-secret.env + name: mlpipeline-minio-artifact generatorOptions: # mlpipeline-minio-artifact needs to be referred by exact name - disableNameSuffixHash: true \ No newline at end of file + disableNameSuffixHash: true diff --git a/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert-issuer.yaml b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert-issuer.yaml new file mode 100644 index 000000000..9b5f35736 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kfp-api-webhook-selfsigned-issuer +spec: + selfSigned: {} 
diff --git a/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert.yaml b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert.yaml
new file mode 100644
index 000000000..b849254dd
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kfp-api-cert.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kfp-api-webhook-cert
+spec:
+ commonName: kfp-api-webhook-cert
+ isCA: true
+ dnsNames:
+ - ml-pipeline
+ - ml-pipeline.$(kfp-namespace)
+ - ml-pipeline.$(kfp-namespace).svc
+ issuerRef:
+ kind: Issuer
+ name: kfp-api-webhook-selfsigned-issuer
+ secretName: kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kustomization.yaml
new file mode 100644
index 000000000..adb624695
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./kfp-api-cert-issuer.yaml
+- ./kfp-api-cert.yaml
+
+configurations:
+- params.yaml
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
diff --git a/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/params.yaml b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/params.yaml
new file mode 100644
index 000000000..d203c6b96
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/base-webhook-certs/params.yaml
@@ -0,0 +1,7 @@
+varReference:
+ - path: spec/commonName
+ kind: Certificate
+ - path: spec/dnsNames
+ kind: Certificate
+ - path: spec/issuerRef/name
+ kind: Certificate
diff --git a/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml
index 14cacd931..166e8d809 100644
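Review bot: `isCA: true` in kfp-api-cert.yaml turns the API server's serving certificate into a CA. The private key in secret `kfp-api-webhook-cert` is mounted into the ml-pipeline pod, and with the CA bit set it can sign further certificates that chain to the bundle cert-manager injects into both webhook configurations. A self-signed leaf should be enough for `cert-manager.io/inject-ca-from` to work, so I would drop the `isCA: true` line and add `usages: [server auth]`. If a CA is wanted, issue it as a separate Certificate and sign the serving certificate through a CA Issuer, so the CA key never sits in the workload's secret.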
--- a/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml +++ b/apps/pipeline/upstream/env/cert-manager/base/kustomization.yaml @@ -1,13 +1,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kubeflow +namespace: kubeflow resources: - - cache-cert-issuer.yaml - - cache-cert.yaml - - cache-webhook-config.yaml -commonLabels: - app: cache-server-cert-manager +- cache-cert-issuer.yaml +- cache-cert.yaml +- cache-webhook-config.yaml configurations: - params.yaml +labels: +- includeSelectors: true + pairs: + app: cache-server-cert-manager diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/kustomization.yaml new file mode 100644 index 000000000..18b271808 --- /dev/null +++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/kustomization.yaml @@ -0,0 +1,30 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../../../base/crds +- ../../platform-agnostic +- ../../../base/webhook +- ../base-webhook-certs/ + +# !!! If you want to customize the namespace, +# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml +namespace: kubeflow + +patches: +- path: patches/deployment.yaml + target: + kind: Deployment + name: ml-pipeline +- path: patches/service.yaml + target: + kind: Service + name: ml-pipeline +- path: patches/validating-webhook.yaml + target: + kind: ValidatingWebhookConfiguration + name: pipelineversions.pipelines.kubeflow.org +- path: patches/mutating-webhook.yaml + target: + kind: MutatingWebhookConfiguration + name: pipelineversions.pipelines.kubeflow.org diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/deployment.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/deployment.yaml new file mode 100644 index 000000000..9895c1547 --- /dev/null 
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ ports:
+ - containerPort: 8443
+ name: webhook
+ command:
+ - "/bin/apiserver"
+ args:
+ - "--config=/config"
+ - "--sampleconfig=/config/sample_config.json"
+ - "-logtostderr=true"
+ - "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
+ - "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
+ - "--pipelinesStoreKubernetes=true"
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ volumes:
+ - name: webhook-certs
+ secret:
+ secretName: kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/mutating-webhook.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/mutating-webhook.yaml
new file mode 100644
index 000000000..35a074db7
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/mutating-webhook.yaml
@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+ annotations:
+ cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/service.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/service.yaml
new file mode 100644
index 000000000..9870eb7fc
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ml-pipeline
+spec:
+ ports:
+ - name: webhook
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/validating-webhook.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/validating-webhook.yaml
new file mode 100644
index 000000000..5cbc28943
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-k8s-native/patches/validating-webhook.yaml
@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+ annotations:
+ cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/kustomization.yaml
new file mode 100644
index 000000000..8fbecf9a0
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/kustomization.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../base/crds
+- ../platform-agnostic-multi-user
+- ../../../base/webhook
+- ../base-webhook-certs/
+
+# !!! If you want to customize the namespace,
+# please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml
+namespace: kubeflow
+
+patches:
+- path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ name: ml-pipeline
+- path: patches/service.yaml
+ target:
+ kind: Service
+ name: ml-pipeline
+- path: patches/validating-webhook.yaml
+ target:
+ kind: ValidatingWebhookConfiguration
+ name: pipelineversions.pipelines.kubeflow.org
+- path: patches/mutating-webhook.yaml
+ target:
+ kind: MutatingWebhookConfiguration
+ name: pipelineversions.pipelines.kubeflow.org
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml
new file mode 100644
index 000000000..94c086eba
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ ports:
+ - containerPort: 8443
+ name: webhook
+ image: domain.local/apiserver:local
+ command:
+ - "/bin/apiserver"
+ args:
+ - "--config=/config"
+ - "--sampleconfig=/config/sample_config.json"
+ - "-logtostderr=true"
+ - "--webhookTLSCertPath=/etc/webhook/certs/tls.crt"
+ - "--webhookTLSKeyPath=/etc/webhook/certs/tls.key"
+ - "--pipelinesStoreKubernetes=true"
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ volumes:
+ - name: webhook-certs
+ secret:
+ secretName: kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/mutating-webhook.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/mutating-webhook.yaml
new file mode 100644
index 000000000..35a074db7
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/mutating-webhook.yaml
@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+ annotations:
+ cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert
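Review bot: The `image: domain.local/apiserver:local` line in the multi-user-k8s-native `patches/deployment.yaml` looks like a local development override that was committed with the overlay; the otherwise identical patch under `platform-agnostic-k8s-native` in this commit has no `image` field. As written, the overlay replaces whatever API server image the base manifests set (not visible here) with a name no public registry serves, so the pod either fails to pull or, on a cluster where `domain.local` resolves, runs whatever that registry returns under the mutable tag `local`. I would drop the line so the image comes from the base, or set it through the kustomization's `images:` transformer if an override is really intended.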
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/service.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/service.yaml
new file mode 100644
index 000000000..9870eb7fc
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ml-pipeline
+spec:
+ ports:
+ - name: webhook
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/validating-webhook.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/validating-webhook.yaml
new file mode 100644
index 000000000..5cbc28943
--- /dev/null
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/validating-webhook.yaml
@@ -0,0 +1,6 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: pipelineversions.pipelines.kubeflow.org
+ annotations:
+ cert-manager.io/inject-ca-from: $(kfp-namespace)/kfp-api-webhook-cert
diff --git a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml
index 860c6e13a..573468169 100644
--- a/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml
+++ b/apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user/kustomization.yaml
@@ -2,30 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../platform-agnostic-multi-user - - ../base +- ../../platform-agnostic-multi-user +- ../base namespace: kubeflow # Pass proper arguments to cache-server to use cert-manager certificate patches: - # Delete the cache deployer as we use the cert-manager instead - - path: patches/delete.clusterrole.cache-deployer.yaml - - path: patches/delete.crb.cache-deployer.yaml - - path: patches/delete.deployment.cache-deployer.yaml - - path: patches/delete.role.cache-deployer.yaml - - path: patches/delete.rolebinding.cache-deployer.yaml - - path: patches/delete.sa.cache-deployer.yaml - - patch: |- - - op: add - path: /spec/template/spec/containers/0/args/- - value: "--tls_cert_filename=tls.crt" - target: - kind: Deployment - name: cache-server - - patch: |- - - op: add - path: /spec/template/spec/containers/0/args/- - value: "--tls_key_filename=tls.key" - target: - kind: Deployment - name: cache-server +# Delete the cache deployer as we use the cert-manager instead +- path: patches/delete.clusterrole.cache-deployer.yaml +- path: patches/delete.crb.cache-deployer.yaml +- path: patches/delete.deployment.cache-deployer.yaml +- path: patches/delete.role.cache-deployer.yaml +- path: patches/delete.rolebinding.cache-deployer.yaml +- path: patches/delete.sa.cache-deployer.yaml +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_cert_filename=tls.crt" + target: + kind: Deployment + name: cache-server +- patch: |- + - op: add + path: /spec/template/spec/containers/0/args/- + value: "--tls_key_filename=tls.key" + target: + kind: Deployment + name: cache-server diff --git a/apps/pipeline/upstream/env/dev-kind/forward-local-api-endpoint.yaml b/apps/pipeline/upstream/env/dev-kind/forward-local-api-endpoint.yaml index 9c6522749..49092618a 100644 --- a/apps/pipeline/upstream/env/dev-kind/forward-local-api-endpoint.yaml 
+++ b/apps/pipeline/upstream/env/dev-kind/forward-local-api-endpoint.yaml @@ -15,3 +15,7 @@ subsets: appProtocol: http port: 8888 protocol: TCP + - name: webhook + appProtocol: http + port: 8443 + protocol: TCP diff --git a/apps/pipeline/upstream/env/dev-kind/kustomization.yaml b/apps/pipeline/upstream/env/dev-kind/kustomization.yaml index 8da5d549b..fd65eab59 100644 --- a/apps/pipeline/upstream/env/dev-kind/kustomization.yaml +++ b/apps/pipeline/upstream/env/dev-kind/kustomization.yaml @@ -2,9 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../base/application - - ./forward-local-api-endpoint.yaml - - ../platform-agnostic +- ../cert-manager/platform-agnostic-k8s-native +- ./forward-local-api-endpoint.yaml # !!! If you want to customize the namespace, # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources @@ -126,5 +125,42 @@ patches: port: 8887 protocol: TCP targetPort: 8887 + - name: webhook + port: 8443 + protocol: TCP + targetPort: 8443 selector: $patch: delete +- patch: |- + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + name: pipelineversions.pipelines.kubeflow.org + webhooks: + - name: pipelineversions.pipelines.kubeflow.org + clientConfig: + service: + name: ml-pipeline-reverse-proxy +- patch: |- + apiVersion: admissionregistration.k8s.io/v1 + kind: MutatingWebhookConfiguration + metadata: + name: pipelineversions.pipelines.kubeflow.org + webhooks: + - name: pipelineversions.pipelines.kubeflow.org + clientConfig: + service: + name: ml-pipeline-reverse-proxy +- patch: |- + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: kfp-api-webhook-cert + spec: + dnsNames: + - ml-pipeline + - ml-pipeline.$(kfp-namespace) + - ml-pipeline.$(kfp-namespace).svc + - ml-pipeline-reverse-proxy + - ml-pipeline-reverse-proxy.$(kfp-namespace) + - ml-pipeline-reverse-proxy.$(kfp-namespace).svc 
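Review bot: The new `webhook` port in `forward-local-api-endpoint.yaml` is declared with `appProtocol: http`, but the API server only calls admission webhooks over HTTPS, and this commit passes TLS cert and key flags for the same port 8443 in the cert-manager deployment patches. Anything in the dev cluster that honours `appProtocol` (a mesh sidecar or gateway, if one is present) would treat the TLS stream as plaintext HTTP. `appProtocol: https` describes the port accurately; the `http` value may simply have been copied from the 8888 entry above it.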
diff --git a/apps/pipeline/upstream/env/dev/kustomization.yaml b/apps/pipeline/upstream/env/dev/kustomization.yaml index acb58bd4b..5e467de66 100644 --- a/apps/pipeline/upstream/env/dev/kustomization.yaml +++ b/apps/pipeline/upstream/env/dev/kustomization.yaml @@ -2,18 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # Application controller is used to provide Google Cloud Console integration. - - ../../third-party/application - - ../../base/application - - ../platform-agnostic - - ../gcp/inverse-proxy - -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines +# Application controller is used to provide Google Cloud Console integration. +- ../../third-party/application +- ../../base/application +- ../platform-agnostic +- ../gcp/inverse-proxy # !!! If you want to customize the namespace, # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources namespace: kubeflow +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/dev/postgresql/kustomization.yaml b/apps/pipeline/upstream/env/dev/postgresql/kustomization.yaml index 2a6c495d0..2799056f5 100644 --- a/apps/pipeline/upstream/env/dev/postgresql/kustomization.yaml +++ b/apps/pipeline/upstream/env/dev/postgresql/kustomization.yaml 
@@ -2,18 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # Application controller is used to provide Google Cloud Console integration. - - ../../../third-party/application - - ../../../base/application - - ../../platform-agnostic-postgresql - - ../../gcp/inverse-proxy - -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines +# Application controller is used to provide Google Cloud Console integration. +- ../../../third-party/application +- ../../../base/application +- ../../platform-agnostic-postgresql +- ../../gcp/inverse-proxy # !!! If you want to customize the namespace, # please refer sample/cluster-scoped-resources to update the namespace for cluster-scoped-resources namespace: kubeflow + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml index 323709da2..66a96b647 100644 --- a/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml +++ b/apps/pipeline/upstream/env/gcp/inverse-proxy/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: ghcr.io/kubeflow/kfp-inverse-proxy-agent - newTag: 2.4.1 + newTag: 2.5.0 resources: - proxy-configmap.yaml - proxy-deployment.yaml diff --git a/apps/pipeline/upstream/env/gcp/kustomization.yaml b/apps/pipeline/upstream/env/gcp/kustomization.yaml index d4a81b024..99837f576 100644 --- a/apps/pipeline/upstream/env/gcp/kustomization.yaml +++ b/apps/pipeline/upstream/env/gcp/kustomization.yaml 
@@ -2,31 +2,35 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # Application controller is used to provide Google Cloud Console integration. - - ../../third-party/application - - ../../base/application - - ../../base/installs/generic - - ../../base/metadata/base - - ../../third-party/argo/installs/namespace - - inverse-proxy - - minio-gcs-gateway - - cloudsql-proxy +# Application controller is used to provide Google Cloud Console integration. +- ../../third-party/application +- ../../base/application +- ../../base/installs/generic +- ../../base/metadata/base +- ../../third-party/argo/installs/namespace +- inverse-proxy +- minio-gcs-gateway +- cloudsql-proxy -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow patches: - - path: gcp-configurations-patch.yaml +- path: gcp-configurations-patch.yaml # Used by Kustomize configMapGenerator: - - name: pipeline-install-config - env: params.env - behavior: merge +- behavior: merge + envs: + - params.env + name: pipeline-install-config + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/gcp/minio-gcs-gateway/kustomization.yaml b/apps/pipeline/upstream/env/gcp/minio-gcs-gateway/kustomization.yaml index 877ad8174..fa4d6df3e 100644 --- a/apps/pipeline/upstream/env/gcp/minio-gcs-gateway/kustomization.yaml +++ b/apps/pipeline/upstream/env/gcp/minio-gcs-gateway/kustomization.yaml 
@@ -7,8 +7,9 @@ resources: - minio-gcs-gateway-service.yaml secretGenerator: -- name: mlpipeline-minio-artifact - env: minio-artifact-secret.env +- envs: + - minio-artifact-secret.env + name: mlpipeline-minio-artifact generatorOptions: # mlpipeline-minio-artifact needs to be referred by exact name disableNameSuffixHash: true diff --git a/apps/pipeline/upstream/env/plain-multi-user/kustomization.yaml b/apps/pipeline/upstream/env/plain-multi-user/kustomization.yaml index 47c8daea9..8b6d13f51 100644 --- a/apps/pipeline/upstream/env/plain-multi-user/kustomization.yaml +++ b/apps/pipeline/upstream/env/plain-multi-user/kustomization.yaml @@ -2,21 +2,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../base/installs/multi-user - - ../../base/metadata/base - - ../../base/metadata/options/istio - - ../../third-party/mysql/base - - ../../third-party/mysql/options/istio - - ../../third-party/minio/base - - ../../third-party/minio/options/istio - - ../../third-party/metacontroller/base +- ../../base/installs/multi-user +- ../../base/metadata/base +- ../../base/metadata/options/istio +- ../../third-party/mysql/base +- ../../third-party/mysql/options/istio +- ../../third-party/minio/base +- ../../third-party/minio/options/istio +- ../../third-party/metacontroller/base -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines 
diff --git a/apps/pipeline/upstream/env/plain/kustomization.yaml b/apps/pipeline/upstream/env/plain/kustomization.yaml index d3d67e593..a60ce3a8e 100644 --- a/apps/pipeline/upstream/env/plain/kustomization.yaml +++ b/apps/pipeline/upstream/env/plain/kustomization.yaml @@ -2,19 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../cluster-scoped-resources-tekton - - ../../base/installs/generic - - ../../base/metadata/base - - ../../third-party/minio/base - - ../../third-party/mysql/base +- ../../base/installs/generic +- ../../base/metadata/base +- ../../third-party/minio/base +- ../../third-party/mysql/base # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected # when application is deleted. labels: - - includeSelectors: true - pairs: - application-crd-id: kubeflow-pipelines +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml diff --git a/apps/pipeline/upstream/env/platform-agnostic-emissary/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-emissary/kustomization.yaml index becb9637e..e4e22ecd4 100644 --- a/apps/pipeline/upstream/env/platform-agnostic-emissary/kustomization.yaml +++ b/apps/pipeline/upstream/env/platform-agnostic-emissary/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../platform-agnostic +- ../platform-agnostic diff --git a/apps/pipeline/upstream/env/platform-agnostic-multi-user-emissary/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-multi-user-emissary/kustomization.yaml index 1a8ac8df4..6a396aca8 100644 --- a/apps/pipeline/upstream/env/platform-agnostic-multi-user-emissary/kustomization.yaml 
+++ b/apps/pipeline/upstream/env/platform-agnostic-multi-user-emissary/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../platform-agnostic-multi-user +- ../platform-agnostic-multi-user diff --git a/apps/pipeline/upstream/env/platform-agnostic-multi-user-legacy/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-multi-user-legacy/kustomization.yaml index e9f799804..e600b13e7 100644 --- a/apps/pipeline/upstream/env/platform-agnostic-multi-user-legacy/kustomization.yaml +++ b/apps/pipeline/upstream/env/platform-agnostic-multi-user-legacy/kustomization.yaml 
@@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../third-party/metacontroller/base - - ../../base/installs/multi-user - - ../../base/metadata/overlays/db - - ../../base/metadata/options/istio - - ../../third-party/argo/installs/cluster - - ../../third-party/mysql/base - - ../../third-party/mysql/options/istio - - ../../third-party/minio/base - - ../../third-party/minio/options/istio +- ../../third-party/metacontroller/base +- ../../base/installs/multi-user +- ../../base/metadata/overlays/db +- ../../base/metadata/options/istio +- ../../third-party/argo/installs/cluster +- ../../third-party/mysql/base +- ../../third-party/mysql/options/istio +- ../../third-party/minio/base +- ../../third-party/minio/options/istio -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/platform-agnostic-multi-user/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-multi-user/kustomization.yaml index 0abc5ed4d..aa4d6c667 100644 --- a/apps/pipeline/upstream/env/platform-agnostic-multi-user/kustomization.yaml +++ b/apps/pipeline/upstream/env/platform-agnostic-multi-user/kustomization.yaml 
@@ -2,22 +2,25 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../third-party/metacontroller/base - - ../../base/installs/multi-user - - ../../base/metadata/base - - ../../base/metadata/options/istio - - ../../third-party/argo/installs/cluster - - ../../third-party/mysql/base - - ../../third-party/mysql/options/istio - - ../../third-party/minio/base - - ../../third-party/minio/options/istio +- ../../third-party/metacontroller/base +- ../../base/installs/multi-user +- ../../base/metadata/base +- ../../base/metadata/options/istio +- ../../third-party/argo/installs/cluster +- ../../third-party/mysql/base +- ../../third-party/mysql/options/istio +- ../../third-party/minio/base +- ../../third-party/minio/options/istio -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/platform-agnostic-postgresql/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-postgresql/kustomization.yaml index c13945a7a..e6e4af386 100644 --- a/apps/pipeline/upstream/env/platform-agnostic-postgresql/kustomization.yaml +++ b/apps/pipeline/upstream/env/platform-agnostic-postgresql/kustomization.yaml 
@@ -2,18 +2,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../base/installs/generic/postgres - - ../../base/metadata/overlays/postgres - - ../../third-party/argo/installs/namespace - - ../../third-party/minio/base - - ../../third-party/postgresql/base +- ../../base/installs/generic/postgres +- ../../base/metadata/overlays/postgres +- ../../third-party/argo/installs/namespace +- ../../third-party/minio/base +- ../../third-party/postgresql/base -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # !!! If you want to customize the namespace, # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/kustomization.yaml deleted file mode 100644 index 9c6389a41..000000000 --- a/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/kustomization.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - ../../third-party/tekton/installs/cluster - - ../../third-party/tekton-custom-task - - ../plain-multi-user - -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines - -patches: -- path: tekton-config.yaml -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline - spec: - template: - spec: - containers: - - name: ml-pipeline-api-server - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-persistenceagent - spec: - template: - spec: - containers: - - name: ml-pipeline-persistenceagent - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-scheduledworkflow - spec: - template: - spec: - containers: - - name: ml-pipeline-scheduledworkflow - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-ui - spec: - template: - spec: - containers: - - name: ml-pipeline-ui - env: - - name: POD_LOG_CONTAINER_NAME - value: step-user-main \ No newline at end of file diff --git a/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/tekton-config.yaml b/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/tekton-config.yaml deleted file mode 100644 index 5707255ac..000000000 --- a/apps/pipeline/upstream/env/platform-agnostic-tekton-multi-user/tekton-config.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: feature-flags - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - running-in-environment-with-injected-sidecars: "true" diff --git a/apps/pipeline/upstream/env/platform-agnostic-tekton/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic-tekton/kustomization.yaml deleted file mode 100644 index 9ea37762c..000000000 --- a/apps/pipeline/upstream/env/platform-agnostic-tekton/kustomization.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- ../../third-party/tekton/installs/cluster -- ../../third-party/tekton-custom-task -- ../plain - -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. - -labels: -- includeSelectors: true - pairs: - application-crd-id: kubeflow-pipelines - -patches: -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline - spec: - template: - spec: - containers: - - name: ml-pipeline-api-server - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-persistenceagent - spec: - template: - spec: - containers: - - name: ml-pipeline-persistenceagent - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-scheduledworkflow - spec: - template: - spec: - containers: - - name: ml-pipeline-scheduledworkflow - env: - - name: EXECUTIONTYPE - value: PipelineRun -- patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: ml-pipeline-ui - spec: - template: - spec: - containers: - - name: ml-pipeline-ui - env: - - name: POD_LOG_CONTAINER_NAME - value: step-user-main 
diff --git a/apps/pipeline/upstream/env/platform-agnostic/kustomization.yaml b/apps/pipeline/upstream/env/platform-agnostic/kustomization.yaml index b1efdbcdc..0a9d90b01 100644 --- a/apps/pipeline/upstream/env/platform-agnostic/kustomization.yaml +++ b/apps/pipeline/upstream/env/platform-agnostic/kustomization.yaml @@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../base/installs/generic - - ../../base/metadata/base - - ../../third-party/argo/installs/namespace - - ../../third-party/minio/base - - ../../third-party/mysql/base +- ../../base/installs/generic +- ../../base/metadata/base +- ../../third-party/argo/installs/namespace +- ../../third-party/minio/base +- ../../third-party/mysql/base # Identifier for application manager to apply ownerReference. # The ownerReference ensures the resources get garbage collected @@ -16,6 +16,6 @@ resources: # please also update base/cache-deployer/cluster-scoped/cache-deployer-clusterrolebinding.yaml namespace: kubeflow labels: - - includeSelectors: true - pairs: - application-crd-id: kubeflow-pipelines +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/hack/release.sh b/apps/pipeline/upstream/hack/release.sh index 14a2c539e..bbe989497 100755 --- a/apps/pipeline/upstream/hack/release.sh +++ b/apps/pipeline/upstream/hack/release.sh 
@@ -40,3 +40,14 @@ do done yq w -i "${MANIFEST_DIR}/base/installs/generic/pipeline-install-config.yaml" data.appVersion "$TAG_NAME" + +## Driver & Launcher images are added as environment variables +API_SERVER_MANIFEST="${MANIFEST_DIR}/base/pipeline/ml-pipeline-apiserver-deployment.yaml" + +yq w -i ${API_SERVER_MANIFEST} \ + "spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_LAUNCHER_IMAGE).value" \ + "ghcr.io/kubeflow/kfp-launcher:${TAG_NAME}" + +yq w -i ${API_SERVER_MANIFEST} \ + "spec.template.spec.containers.(name==ml-pipeline-api-server).env.(name==V2_DRIVER_IMAGE).value" \ + "ghcr.io/kubeflow/kfp-driver:${TAG_NAME}" diff --git a/apps/pipeline/upstream/sample/cluster-scoped-resources/kustomization.yaml b/apps/pipeline/upstream/sample/cluster-scoped-resources/kustomization.yaml index 8b4d2b87c..4c174af93 100644 --- a/apps/pipeline/upstream/sample/cluster-scoped-resources/kustomization.yaml +++ b/apps/pipeline/upstream/sample/cluster-scoped-resources/kustomization.yaml @@ -6,5 +6,5 @@ kind: Kustomization namespace: kubeflow resources: - # Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0 - - ../../cluster-scoped-resources +# Or github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=1.0.0 +- ../../cluster-scoped-resources diff --git a/apps/pipeline/upstream/sample/kustomization.yaml b/apps/pipeline/upstream/sample/kustomization.yaml index 6c4d0666a..2302b30e1 100644 --- a/apps/pipeline/upstream/sample/kustomization.yaml +++ b/apps/pipeline/upstream/sample/kustomization.yaml 
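Review bot: Both new `yq w -i ${API_SERVER_MANIFEST}` calls in `hack/release.sh` expand the path unquoted, while the existing `yq w -i "${MANIFEST_DIR}/base/installs/generic/pipeline-install-config.yaml"` line just above quotes it, so a checkout path containing spaces or glob characters would be word-split here. Use `yq w -i "${API_SERVER_MANIFEST}" \` in both places. Separately, these writes presumably decide which launcher and driver image tags a released API server uses, and whether `yq w` fails when no `env` entry named `V2_LAUNCHER_IMAGE` or `V2_DRIVER_IMAGE` matches is not visible from this hunk; a follow-up check such as `grep -q "kfp-launcher:${TAG_NAME}" "${API_SERVER_MANIFEST}" || exit 1` would keep a silent no-op from shipping a stale tag. The script body starts outside the hunk.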
@@ -3,7 +3,7 @@ kind: Kustomization resources: # Or github.com/kubeflow/pipelines/manifests/kustomize/env/gcp?ref=1.0.0 - - ../env/gcp +- ../env/gcp # Kubeflow Pipelines servers are capable of collecting Prometheus metrics. # If you want to monitor your Kubeflow Pipelines servers with those metrics, you'll need a Prometheus server in your Kubeflow Pipelines cluster. # If you don't already have a Prometheus server up, you can uncomment the following configuration files for Prometheus. @@ -11,28 +11,28 @@ resources: # - ../third_party/prometheus # - ../third_party/grafana -# Identifier for application manager to apply ownerReference. -# The ownerReference ensures the resources get garbage collected -# when application is deleted. -commonLabels: - application-crd-id: kubeflow-pipelines # Used by Kustomize configMapGenerator: - - name: pipeline-install-config - env: params.env - behavior: merge +- behavior: merge + envs: + - params.env + name: pipeline-install-config secretGenerator: - - name: mysql-secret - env: params-db-secret.env - behavior: merge +- behavior: merge + envs: + - params-db-secret.env + name: mysql-secret # !!! If you want to customize the namespace, # please also update sample/cluster-scoped-resources/kustomization.yaml's namespace field to the same value namespace: kubeflow -#### Customization ### -# 1. Change values in params.env file -# 2. Change values in params-db-secret.env file for CloudSQL username and password -# 3. kustomize build ./ | kubectl apply -f - -#### + +# Identifier for application manager to apply ownerReference. +# The ownerReference ensures the resources get garbage collected +# when application is deleted. +labels: +- includeSelectors: true + pairs: + application-crd-id: kubeflow-pipelines diff --git a/apps/pipeline/upstream/third-party/application/kustomization.yaml b/apps/pipeline/upstream/third-party/application/kustomization.yaml index c35e3eebc..df84c7854 100644 
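Review bot: The second hunk of `sample/kustomization.yaml` deletes the `#### Customization ###` comment block, which was the only in-file instruction to edit `params.env` and to change the CloudSQL username and password in `params-db-secret.env` before running `kustomize build ./ | kubectl apply -f -`. The `secretGenerator` still merges `params-db-secret.env` into `mysql-secret`, so without the prompt a user is more likely to apply the sample with whatever values the env file ships (its contents are not visible here). The removal looks like a side effect of the field migration rather than an intended change; I would restore the three-step comment at the end of the file, after the new `labels:` block.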
--- a/apps/pipeline/upstream/third-party/application/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/application/kustomization.yaml @@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - application-controller-deployment.yaml - - application-controller-role.yaml - - application-controller-rolebinding.yaml - - application-controller-sa.yaml - - application-controller-service.yaml +- application-controller-deployment.yaml +- application-controller-role.yaml +- application-controller-rolebinding.yaml +- application-controller-sa.yaml +- application-controller-service.yaml diff --git a/apps/pipeline/upstream/third-party/argo/base/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/base/kustomization.yaml index 023efc5da..f8351753c 100644 --- a/apps/pipeline/upstream/third-party/argo/base/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/base/kustomization.yaml @@ -2,13 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../upstream/manifests/base/workflow-controller +- ../upstream/manifests/base/workflow-controller patches: - - path: workflow-controller-deployment-patch.yaml - - path: workflow-controller-configmap-patch.yaml +- path: workflow-controller-deployment-patch.yaml +- path: workflow-controller-configmap-patch.yaml # Allow Kustomize vars to replace fields defined in params.yaml. # The vars can be defined anywhere. configurations: - - params.yaml +- params.yaml diff --git a/apps/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml b/apps/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml index 2b9b07731..782e2c6fb 100644 --- a/apps/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml +++ b/apps/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml 
@@ -4,9 +4,9 @@ metadata: name: workflow-controller-configmap data: # References: - # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/config/config.go - # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.md - # * https://github.com/argoproj/argo-workflows/blob/v3.4.17/docs/workflow-controller-configmap.yaml + # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/config/config.go + # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.md + # * https://github.com/argoproj/argo-workflows/blob/v3.5.14/docs/workflow-controller-configmap.yaml # In artifactRepository.s3.endpoint, $(kfp-namespace) is needed, because in multi-user mode, pipelines may run in other namespaces. artifactRepository: | diff --git a/apps/pipeline/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml b/apps/pipeline/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml index 514dfcf85..4724bb467 100644 --- a/apps/pipeline/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml +++ b/apps/pipeline/upstream/third-party/argo/base/workflow-controller-deployment-patch.yaml @@ -7,12 +7,12 @@ spec: spec: containers: - name: workflow-controller - image: gcr.io/ml-pipeline/workflow-controller:v3.4.17-license-compliance + image: quay.io/argoproj/workflow-controller:v3.5.14 args: - --configmap - workflow-controller-configmap - --executor-image - - gcr.io/ml-pipeline/argoexec:v3.4.17-license-compliance + - quay.io/argoproj/argoexec:v3.5.14 securityContext: seccompProfile: type: RuntimeDefault diff --git a/apps/pipeline/upstream/third-party/argo/installs/namespace/cluster-scoped/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/installs/namespace/cluster-scoped/kustomization.yaml index 3a040301b..91b2fb935 100644 --- a/apps/pipeline/upstream/third-party/argo/installs/namespace/cluster-scoped/kustomization.yaml 
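Review bot: The two image references introduced in the workflow-controller-deployment-patch.yaml hunk, `image: quay.io/argoproj/workflow-controller:v3.5.14` and the `--executor-image` value `quay.io/argoproj/argoexec:v3.5.14`, are pinned by tag only, so what the cluster pulls depends on what the registry serves for that tag at pull time. The Kptfile in this same commit locks the vendored manifests to an exact upstream commit, and the images could be held to the same standard with a digest, e.g. `image: quay.io/argoproj/workflow-controller:v3.5.14@sha256:<digest of the verified v3.5.14 image>` and the matching form for the argoexec argument. The hunk also moves both images from `gcr.io/ml-pipeline` to `quay.io/argoproj` and drops the `-license-compliance` suffix, which presumably means the project's rebuilt images are replaced by the upstream ones. Any registry allow-list, admission policy or offline mirror that names the old registry will need the new one added. The Deployment spec begins above this hunk, so the pull policy and the remaining container settings are not visible here.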
+++ b/apps/pipeline/upstream/third-party/argo/installs/namespace/cluster-scoped/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # Minimal CRDs omit schema validation, recommended for production cluster. - - ../../../upstream/manifests/base/crds/minimal +# Minimal CRDs omit schema validation, recommended for production cluster. +- ../../../upstream/manifests/base/crds/minimal diff --git a/apps/pipeline/upstream/third-party/argo/installs/namespace/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/installs/namespace/kustomization.yaml index 20b823bba..55eb28483 100644 --- a/apps/pipeline/upstream/third-party/argo/installs/namespace/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/installs/namespace/kustomization.yaml @@ -7,12 +7,12 @@ kind: Kustomization # * this separates cluster-scoped resources to its own folder. resources: - - ../../base - - ../../upstream/manifests/namespace-install/workflow-controller-rbac +- ../../base +- ../../upstream/manifests/namespace-install/workflow-controller-rbac patches: - - path: workflow-controller-deployment-patch.json - target: - group: apps - kind: Deployment - name: workflow-controller - version: v1 +- path: workflow-controller-deployment-patch.json + target: + group: apps + kind: Deployment + name: workflow-controller + version: v1 diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/Kptfile b/apps/pipeline/upstream/third-party/argo/upstream/manifests/Kptfile index 237910f82..7859465ee 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/Kptfile +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/Kptfile 
@@ -7,12 +7,12 @@ upstream: git: repo: https://github.com/argoproj/argo-workflows directory: /manifests - ref: v3.4.17 + ref: v3.5.14 updateStrategy: resource-merge upstreamLock: type: git git: repo: https://github.com/argoproj/argo-workflows directory: /manifests - ref: v3.4.17 - commit: 89cbdb53361cbe59fbe81b887ee82722cce5de54 + ref: v3.5.14 + commit: d94c214176716ece96974fd98ac5107c38d61344 diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml index 62892b920..817556270 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_clusterworkflowtemplates.yaml @@ -798,6 +798,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -827,6 +829,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -936,6 +949,8 @@ spec: type: object artifactGC: properties: + forceFinalizerRemoval: + type: boolean podMetadata: properties: annotations: @@ -947,6 +962,8 @@ spec: type: string type: object type: object + podSpecPatch: + type: string serviceAccountName: type: string strategy: @@ -1408,6 +1425,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -1437,6 +1456,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -1593,6 +1623,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -1686,6 +1718,8 @@ spec: type: object podGC: properties: + deleteDelayDuration: + type: string labelSelector: properties: matchExpressions: @@ -1840,6 +1874,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -1854,6 +1890,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object templateDefaults: @@ -2573,6 +2611,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -2598,6 +2638,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4284,6 +4335,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4313,6 +4366,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4846,6 +4910,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4875,6 +4941,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -5459,6 +5536,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -5488,6 +5567,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6622,6 +6712,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -6651,6 +6743,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6810,6 +6913,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -7272,6 +7377,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7301,6 +7408,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -7845,6 +7963,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7874,6 +7994,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -9229,6 +9360,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -9243,6 +9376,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -10662,6 +10797,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -10687,6 +10824,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12373,6 +12521,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12402,6 +12552,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12935,6 +13096,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12964,6 +13127,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -13548,6 +13722,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -13577,6 +13753,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14711,6 +14898,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -14740,6 +14929,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14899,6 +15099,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: 
@@ -15361,6 +15563,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15390,6 +15594,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -15934,6 +16149,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15963,6 +16180,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -17318,6 +17546,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -17332,6 +17562,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml index bcb408d41..0949d08d4 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_cronworkflows.yaml @@ -819,6 +819,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -848,6 +850,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -957,6 +970,8 @@ spec: type: object artifactGC: properties: + forceFinalizerRemoval: + type: boolean podMetadata: properties: annotations: @@ -968,6 +983,8 @@ spec: type: string type: object type: object + podSpecPatch: + type: string serviceAccountName: type: string strategy: @@ -1429,6 +1446,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -1458,6 +1477,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -1614,6 +1644,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -1707,6 +1739,8 @@ spec: type: object podGC: properties: + deleteDelayDuration: + type: string labelSelector: properties: matchExpressions: @@ -1861,6 +1895,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -1875,6 +1911,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object templateDefaults: @@ -2594,6 +2632,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -2619,6 +2659,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4305,6 +4356,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4334,6 +4387,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -4867,6 +4931,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4896,6 +4962,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -5480,6 +5557,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -5509,6 +5588,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6643,6 +6733,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -6672,6 +6764,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6831,6 +6934,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -7293,6 +7398,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7322,6 +7429,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -7866,6 +7984,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -7895,6 +8015,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -9250,6 +9381,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -9264,6 +9397,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -10683,6 +10818,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -10708,6 +10845,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12394,6 +12542,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12423,6 +12573,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12956,6 +13117,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12985,6 +13148,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -13569,6 +13743,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -13598,6 +13774,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14732,6 +14919,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -14761,6 +14950,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14920,6 +15120,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -15382,6 +15584,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15411,6 +15615,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -15955,6 +16170,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15984,6 +16201,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -17339,6 +17567,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -17353,6 +17583,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: 
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowartifactgctasks.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowartifactgctasks.yaml index 7db0a5def..f3308c9e9 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowartifactgctasks.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowartifactgctasks.yaml @@ -387,6 +387,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -412,6 +414,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -870,6 +883,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -899,6 +914,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml index 2af403368..4259d24d0 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workfloweventbindings.yaml @@ -447,6 +447,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -476,6 +478,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml index 90d5dc378..b048baa58 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflows.yaml @@ -811,6 +811,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -840,6 +842,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -949,6 +962,8 @@ spec: type: object artifactGC: properties: + forceFinalizerRemoval: + type: boolean podMetadata: properties: annotations: @@ -960,6 +975,8 @@ spec: type: string type: object type: object + podSpecPatch: + type: string serviceAccountName: type: string strategy: @@ -1421,6 +1438,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -1450,6 +1469,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -1606,6 +1636,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: 
@@ -1699,6 +1731,8 @@ spec: type: object podGC: properties: + deleteDelayDuration: + type: string labelSelector: properties: matchExpressions: @@ -1853,6 +1887,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -1867,6 +1903,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object templateDefaults: @@ -2586,6 +2624,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -2611,6 +2651,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4297,6 +4348,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4326,6 +4379,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4859,6 +4923,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4888,6 +4954,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -5472,6 +5549,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -5501,6 +5580,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -6635,6 +6725,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -6664,6 +6756,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6823,6 +6926,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -7285,6 +7390,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7314,6 +7421,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -7858,6 +7976,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7887,6 +8007,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -9242,6 +9373,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -9256,6 +9389,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -10675,6 +10810,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -10700,6 +10837,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -12386,6 +12534,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12415,6 +12565,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12948,6 +13109,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12977,6 +13140,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -13561,6 +13735,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -13590,6 +13766,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14724,6 +14911,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -14753,6 +14942,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14912,6 +15112,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -15374,6 +15576,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -15403,6 +15607,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -15947,6 +16162,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15976,6 +16193,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -17331,6 +17559,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -17345,6 +17575,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -18950,6 +19182,8 @@ spec: type: boolean artifactory: properties: + keyFormat: + type: string passwordSecret: properties: key: @@ -19113,6 +19347,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean type: object s3: properties: @@ -19129,6 +19365,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -19642,6 +19889,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -19671,6 +19920,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -19795,6 +20055,13 @@ spec: type: string name: type: string + nodeFlag: + properties: + hooked: + type: boolean + retried: + type: boolean + type: object outboundNodes: items: type: string 
@@ -20209,6 +20476,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -20238,6 +20507,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -20801,6 +21081,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -20830,6 +21112,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -22351,6 +22644,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -22376,6 +22671,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -24062,6 +24368,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -24091,6 +24399,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -24624,6 +24943,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -24653,6 +24974,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -25237,6 +25569,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -25266,6 +25600,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -26400,6 +26745,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -26429,6 +26776,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -26588,6 +26946,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -27050,6 +27410,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -27079,6 +27441,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -27623,6 +27996,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -27652,6 +28027,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -29007,6 +29393,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -29021,6 +29409,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: 
@@ -30494,6 +30884,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -30523,6 +30915,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -30632,6 +31035,8 @@ spec: type: object artifactGC: properties: + forceFinalizerRemoval: + type: boolean podMetadata: properties: annotations: @@ -30643,6 +31048,8 @@ spec: type: string type: object type: object + podSpecPatch: + type: string serviceAccountName: type: string strategy: @@ -31104,6 +31511,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -31133,6 +31542,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -31289,6 +31709,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -31382,6 +31804,8 @@ spec: type: object podGC: properties: + deleteDelayDuration: + type: string labelSelector: properties: matchExpressions: @@ -31536,6 +31960,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -31550,6 +31976,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object templateDefaults: @@ -32269,6 +32697,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -32294,6 +32724,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -33980,6 +34421,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -34009,6 +34452,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -34542,6 +34996,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -34571,6 +35027,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -35155,6 +35622,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -35184,6 +35653,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -36318,6 +36798,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -36347,6 +36829,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -36506,6 +36999,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -36968,6 +37463,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -36997,6 +37494,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -37541,6 +38049,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -37570,6 +38080,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -38925,6 +39446,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -38939,6 +39462,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -40358,6 +40883,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -40383,6 +40910,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -42069,6 +42607,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -42098,6 +42638,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -42631,6 +43182,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -42660,6 +43213,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -43244,6 +43808,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -43273,6 +43839,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -44407,6 +44984,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -44436,6 +45015,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -44595,6 +45185,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -45057,6 +45649,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -45086,6 +45680,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -45630,6 +46235,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -45659,6 +46266,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -47014,6 +47632,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -47028,6 +47648,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -48663,6 +49285,10 @@ spec: type: array type: object type: object + taskResultsCompletionStatus: + additionalProperties: + type: boolean + type: object type: object required: - metadata diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml index 656914041..4d3f86a6d 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtaskresults.yaml @@ -436,6 +436,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -465,6 +467,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml index 1d08cc526..ddaecf656 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtasksets.yaml @@ -746,6 +746,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -771,6 +773,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -2457,6 +2470,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -2486,6 +2501,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -3019,6 +3045,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -3048,6 +3076,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -3632,6 +3671,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -3661,6 +3702,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4795,6 +4847,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4824,6 +4878,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4983,6 +5048,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: 
@@ -5445,6 +5512,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -5474,6 +5543,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6018,6 +6098,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -6047,6 +6129,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -7402,6 +7495,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -7416,6 +7511,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -8536,6 +8633,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -8565,6 +8664,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml index 110e171d3..c7d7e34b0 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/full/argoproj.io_workflowtemplates.yaml 
@@ -797,6 +797,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -826,6 +828,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -935,6 +948,8 @@ spec: type: object artifactGC: properties: + forceFinalizerRemoval: + type: boolean podMetadata: properties: annotations: @@ -946,6 +961,8 @@ spec: type: string type: object type: object + podSpecPatch: + type: string serviceAccountName: type: string strategy: @@ -1407,6 +1424,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -1436,6 +1455,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -1592,6 +1622,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -1685,6 +1717,8 @@ spec: type: object podGC: properties: + deleteDelayDuration: + type: string labelSelector: properties: matchExpressions: @@ -1839,6 +1873,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -1853,6 +1889,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object templateDefaults: @@ -2572,6 +2610,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -2597,6 +2637,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -4283,6 +4334,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4312,6 +4365,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -4845,6 +4909,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -4874,6 +4940,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -5458,6 +5535,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -5487,6 +5566,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6621,6 +6711,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -6650,6 +6742,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -6809,6 +6912,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -7271,6 +7376,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -7300,6 +7407,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -7844,6 +7962,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -7873,6 +7993,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -9228,6 +9359,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -9242,6 +9375,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: @@ -10661,6 +10796,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -10686,6 +10823,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12372,6 +12520,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -12401,6 +12551,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -12934,6 +13095,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object 
@@ -12963,6 +13126,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -13547,6 +13721,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -13576,6 +13752,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14710,6 +14897,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -14739,6 +14928,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -14898,6 +15098,8 @@ spec: type: object gauge: properties: + operation: + type: string realtime: type: boolean value: @@ -15360,6 +15562,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15389,6 +15593,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: @@ -15933,6 +16148,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -15962,6 +16179,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: 
@@ -17317,6 +17545,8 @@ spec: properties: name: type: string + namespace: + type: string type: object semaphore: properties: @@ -17331,6 +17561,8 @@ spec: required: - key type: object + namespace: + type: string type: object type: object timeout: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/kustomization.yaml index 25ffbeccf..7f3724b73 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - minimal +- minimal diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml index 2fd4150bf..7b4327db9 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/base/crds/minimal/argoproj.io_workflowtaskresults.yaml @@ -435,6 +435,8 @@ spec: type: object securityToken: type: string + useSDKCreds: + type: boolean required: - key type: object @@ -464,6 +466,17 @@ spec: type: object bucket: type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object createBucketIfNotPresent: properties: objectLocking: diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml index 53305714f..a65406782 100644 
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/cluster-install/workflow-controller-rbac/workflow-controller-clusterrole.yaml
@@ -105,3 +105,11 @@ rules:
 - create
 - get
 - delete
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ resourceNames:
+ - argo-workflows-agent-ca-certificates
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/namespace-install/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/namespace-install/kustomization.yaml
index a3c7fe6fb..f45d0e3a5 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/namespace-install/kustomization.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/namespace-install/kustomization.yaml
@@ -1,19 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ../base
- - ./argo-server-rbac
- - ./workflow-controller-rbac
-patchesJson6902:
- - target:
- version: v1
- group: apps
- kind: Deployment
- name: workflow-controller
- path: ./overlays/workflow-controller-deployment.yaml
- - target:
- version: v1
- group: apps
- kind: Deployment
- name: argo-server
- path: ./overlays/argo-server-deployment.yaml
+- ../base
+- ./argo-server-rbac
+- ./workflow-controller-rbac
+patches:
+- path: ./overlays/workflow-controller-deployment.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: workflow-controller
+ version: v1
+- path: ./overlays/argo-server-deployment.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: argo-server
+ version: v1
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml
index 3796d223e..d9be185fe 100644
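Review bot: The rule appended to `rules:` in `workflow-controller-clusterrole.yaml` has no comment saying why the workflow controller needs to read a Secret, and because it lives in a ClusterRole the `get` on `argo-workflows-agent-ca-certificates` covers a Secret of that name in every namespace the role is bound for (presumably cluster-wide through a ClusterRoleBinding, which this hunk does not show). The grant itself is narrow, one verb pinned by `resourceNames`, so the suggestion is documentation only: `# controller reads the agent CA certificates by name; keep this to get + resourceNames`. What the Secret holds is inferred from its name and should be confirmed against the controller code. The `rules:` list begins above the hunk.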
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/agent-role.yaml
@@ -1,4 +1,4 @@
-# https://argo-workflows.readthedocs.io/en/release-3.4/workflow-rbac/
+# https://argo-workflows.readthedocs.io/en/release-3.5/workflow-rbac/
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata: # kpt-merge: /agent
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/artifactgc-role.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/artifactgc-role.yaml
index 4121aaa5f..8052a2c60 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/artifactgc-role.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/artifactgc-role.yaml
@@ -1,4 +1,4 @@
-# https://argo-workflows.readthedocs.io/en/release-3.4/workflow-rbac/
+# https://argo-workflows.readthedocs.io/en/release-3.5/workflow-rbac/
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata: # kpt-merge: /artifactgc
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/httpbin/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/httpbin/kustomization.yaml
index 5e7a06a9c..b5c1f840a 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/httpbin/kustomization.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/httpbin/kustomization.yaml
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - httpbin-deploy.yaml
- - httpbin-service.yaml
- - my-httpbin-cred-secret.yaml
+- httpbin-deploy.yaml
+- httpbin-service.yaml
+- my-httpbin-cred-secret.yaml
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml
index b03beac71..8560cf9a1 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/kustomization.yaml
@@ -1,24 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ../../namespace-install
- - minio
- - httpbin
- - webhooks
- - default.service-account-token-secret.yaml
- - argo-server-sso-secret.yaml
- - executor/emissary/executor-role.yaml
- - executor-default-rolebinding.yaml
- - pod-manager-role.yaml
- - pod-manager-default-rolebinding.yaml
- - workflow-manager-role.yaml
- - workflow-manager-default-rolebinding.yaml
- - agent-role.yaml
- - agent-default-rolebinding.yaml
- - artifactgc-role.yaml
- - artifactgc-default-rolebinding.yaml
- - cluster-workflow-template-rbac.yaml
- - artifact-repositories-configmap.yaml
-patchesStrategicMerge:
- - overlays/workflow-controller-configmap.yaml
- - overlays/argo-server-deployment.yaml
+- ../../cluster-install
+- minio
+- httpbin
+- webhooks
+- default.service-account-token-secret.yaml
+- argo-server-sso-secret.yaml
+- executor/emissary/executor-role.yaml
+- executor-default-rolebinding.yaml
+- pod-manager-role.yaml
+- pod-manager-default-rolebinding.yaml
+- workflow-manager-role.yaml
+- workflow-manager-default-rolebinding.yaml
+- agent-role.yaml
+- agent-default-rolebinding.yaml
+- artifactgc-role.yaml
+- artifactgc-default-rolebinding.yaml
+- cluster-workflow-template-rbac.yaml
+- artifact-repositories-configmap.yaml
+patches:
+- path: overlays/workflow-controller-configmap.yaml
+- path: overlays/argo-server-deployment.yaml
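Review bot: Replacing `- ../../namespace-install` with `- ../../cluster-install` under `resources:` moves the quick-start base onto the cluster-install manifests, which include a ClusterRole for the workflow controller, and the following hunk for `quick-start/base/overlays/argo-server-deployment.yaml` appears to drop `- --namespaced` while `--auth-mode server` stays in the args. In server auth mode the Argo Server answers every request with its own service account, so whoever can reach a quick-start server would act with cluster-wide rather than single-namespace permissions. Nothing in the file records this scope change; a header comment such as `# dev/test only: cluster-wide RBAC with --auth-mode server, do not expose this server` would make it visible. Any overlay in this repository that builds on `quick-start` should be checked for whether it relied on the namespaced install.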
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/kustomization.yaml index 1199d3898..6b8e240e7 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/minio/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - minio-deploy.yaml - - minio-service.yaml - - my-minio-cred-secret.yaml +- minio-deploy.yaml +- minio-service.yaml +- my-minio-cred-secret.yaml diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/argo-server-deployment.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/argo-server-deployment.yaml index ccc1b0421..f76326f1f 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/argo-server-deployment.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/overlays/argo-server-deployment.yaml @@ -11,7 +11,6 @@ spec: - name: argo-server args: - server - - --namespaced - --auth-mode - server - --auth-mode diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/kustomization.yaml index 32db8231d..17eb100d1 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/kustomization.yaml 
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - prometheus-deployment.yaml
- - prometheus-config-cluster.yaml
- - prometheus-service.yaml
+- prometheus-deployment.yaml
+- prometheus-config-cluster.yaml
+- prometheus-service.yaml
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/prometheus-deployment.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/prometheus-deployment.yaml
index d1ea2cf36..7aa985804 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/prometheus-deployment.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/prometheus/prometheus-deployment.yaml
@@ -5,7 +5,7 @@
 # localhost:9091/graph
 #
 # Note: this assumes the workflow-controller is emitting metrics in the default port (9090). This will need to
-# be modified if the default is overriden.
+# be modified if the default is overridden.
 apiVersion: apps/v1
 kind: Deployment
 metadata: # kpt-merge: /prometheus
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/webhooks/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/webhooks/kustomization.yaml
index 290e7cb0a..07699b466 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/webhooks/kustomization.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/base/webhooks/kustomization.yaml
@@ -1,8 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - submit-workflow-template-role.yaml - - github.com-sa.yaml - - github.com-secret.yaml - - github.com-rolebinding.yaml - - argo-workflows-webhook-clients-secret.yaml +- submit-workflow-template-role.yaml +- github.com-sa.yaml +- github.com-secret.yaml +- github.com-rolebinding.yaml +- argo-workflows-webhook-clients-secret.yaml diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml index b376c091e..8a924f2ad 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/minimal/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../base -patchesStrategicMerge: - - overlays/workflow-controller-configmap.yaml +- ../base +patches: +- path: overlays/workflow-controller-configmap.yaml diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/mysql/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/mysql/kustomization.yaml index edacf51ff..b6979aec7 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/mysql/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/mysql/kustomization.yaml @@ -1,9 +1,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../base - - argo-mysql-config-secret.yaml - - mysql-deployment.yaml - - mysql-service.yaml -patchesStrategicMerge: - - overlays/workflow-controller-configmap.yaml +- ../base +- argo-mysql-config-secret.yaml +- mysql-deployment.yaml +- mysql-service.yaml +patches: +- path: overlays/workflow-controller-configmap.yaml 
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/postgres/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/postgres/kustomization.yaml index a70a0cc26..669aa2273 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/postgres/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/postgres/kustomization.yaml @@ -1,9 +1,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../base - - argo-postgres-config-secret.yaml - - postgres-deployment.yaml - - postgres-service.yaml -patchesStrategicMerge: - - overlays/workflow-controller-configmap.yaml +- ../base +- argo-postgres-config-secret.yaml +- postgres-deployment.yaml +- postgres-service.yaml +patches: +- path: overlays/workflow-controller-configmap.yaml diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/kustomization.yaml index 8ea85c17d..045eb1019 100644 --- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/kustomization.yaml @@ -1,11 +1,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -commonLabels: - "app.kubernetes.io/part-of": "dex" +labels: +- includeSelectors: true + pairs: + app.kubernetes.io/part-of: dex resources: - - dex-cm.yaml - - dex-role.yaml - - dex-sa.yaml - - dex-rb.yaml - - dex-deploy.yaml - - dev-svc.yaml +- dex-cm.yaml +- dex-role.yaml +- dex-sa.yaml +- dex-rb.yaml +- dex-deploy.yaml +- dev-svc.yaml diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/kustomization.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/kustomization.yaml index 70aafea65..12cf0b3e1 100644 
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/kustomization.yaml @@ -1,8 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../base - - dex -patchesStrategicMerge: - - overlays/workflow-controller-configmap.yaml - - overlays/argo-server-sa.yaml +- ../base +- dex +patches: +- path: overlays/workflow-controller-configmap.yaml +- path: overlays/argo-server-sa.yaml diff --git a/apps/pipeline/upstream/third-party/grafana/kustomization.yaml b/apps/pipeline/upstream/third-party/grafana/kustomization.yaml index fd1cf0261..c6afe8deb 100644 --- a/apps/pipeline/upstream/third-party/grafana/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/grafana/kustomization.yaml @@ -7,5 +7,5 @@ resources: - grafana-sa.yaml - grafana-rolebinding.yaml images: - - name: grafana/grafana - newTag: 5.3.4 +- name: grafana/grafana + newTag: 5.3.4 diff --git a/apps/pipeline/upstream/third-party/metacontroller/base/kustomization.yaml b/apps/pipeline/upstream/third-party/metacontroller/base/kustomization.yaml index 87ead8e26..1f6677078 100644 --- a/apps/pipeline/upstream/third-party/metacontroller/base/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/metacontroller/base/kustomization.yaml @@ -7,8 +7,11 @@ resources: - crd.yaml - service-account.yaml - stateful-set.yaml -commonLabels: - kustomize.component: metacontroller +labels: +- includeSelectors: true + pairs: + kustomize.component: metacontroller + # Update metacontroller CRD: # Copy the upstream file to crd.yaml in this folder. # Upstream file: https://github.com/metacontroller/metacontroller/blob/master/manifests/production/metacontroller-crds-v1.yaml diff --git a/apps/pipeline/upstream/third-party/metacontroller/base/stateful-set.yaml b/apps/pipeline/upstream/third-party/metacontroller/base/stateful-set.yaml index f52bc7094..09a34a4a5 100644 
--- a/apps/pipeline/upstream/third-party/metacontroller/base/stateful-set.yaml +++ b/apps/pipeline/upstream/third-party/metacontroller/base/stateful-set.yaml @@ -14,7 +14,6 @@ spec: metadata: labels: app: metacontroller - annotations: sidecar.istio.io/inject: "false" spec: containers: @@ -38,7 +37,7 @@ spec: port: 8081 path: /readyz securityContext: - seccompProfile: + seccompProfile: type: RuntimeDefault capabilities: drop: diff --git a/apps/pipeline/upstream/third-party/minio/base/minio-deployment.yaml b/apps/pipeline/upstream/third-party/minio/base/minio-deployment.yaml index f735bb04d..e42f4903d 100644 --- a/apps/pipeline/upstream/third-party/minio/base/minio-deployment.yaml +++ b/apps/pipeline/upstream/third-party/minio/base/minio-deployment.yaml @@ -18,6 +18,8 @@ spec: securityContext: fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" + seccompProfile: + type: RuntimeDefault containers: - args: - server diff --git a/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml b/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml index 957523495..1eea4bcbe 100644 --- a/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml +++ b/apps/pipeline/upstream/third-party/mysql/base/mysql-deployment.yaml @@ -55,8 +55,6 @@ spec: name: mysql securityContext: allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault runAsNonRoot: true runAsUser: 999 runAsGroup: 999 @@ -73,6 +71,8 @@ spec: securityContext: fsGroup: 999 fsGroupChangePolicy: OnRootMismatch + seccompProfile: + type: RuntimeDefault volumes: - name: mysql-persistent-storage persistentVolumeClaim: diff --git a/apps/pipeline/upstream/third-party/openshift-pipelines-custom-task/kustomization.yaml b/apps/pipeline/upstream/third-party/openshift-pipelines-custom-task/kustomization.yaml deleted file mode 100644 index 73c347862..000000000 --- a/apps/pipeline/upstream/third-party/openshift-pipelines-custom-task/kustomization.yaml +++ /dev/null 
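Review bot: With the `annotations:` key removed in the first `metacontroller/base/stateful-set.yaml` hunk, the unchanged `sidecar.istio.io/inject: "false"` line now sits under `labels:` next to `app: metacontroller`. Indentation is not recoverable from this view, so confirm the two keys line up. Istio accepts the opt-out as a pod label, so the pod should still stay out of the mesh, but a one-key deletion reads like an accident and a later cleanup could put the key back. A comment on that line, for example `# Istio sidecar opt-out, set as a pod label on purpose`, would record the intent. The pod template continues outside the hunk.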
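Review bot: The seccomp setting lands at two different levels in this commit. `minio/base/minio-deployment.yaml` and the second `mysql/base/mysql-deployment.yaml` hunk add `seccompProfile: type: RuntimeDefault` beside `fsGroup` in the pod-level `securityContext`, while `metacontroller/base/stateful-set.yaml` keeps it in the container block next to `capabilities`. Pod level is the more robust place, since every container in the pod inherits it unless it sets its own profile, so the metacontroller manifest would be more consistent if it followed suit. The minio hunk shows only the pod block, so it is worth confirming that the minio container also sets `allowPrivilegeEscalation: false` and `runAsNonRoot: true`, as the mysql container does in its first hunk. A seccomp profile alone does not constrain the user or privilege escalation. Both pod specs continue outside the hunks.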
@@ -1,58 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - ../tekton-custom-task - -namespace: openshift-pipelines - -patches: -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: tekton-pipelineloop-controller -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: tekton-pipelineloop-webhook -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: kfp-driver -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: kfp-exithandler-controller -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: kfp-exithandler-webhook -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: kfptask-controller -- patch: |- - - op: remove - path: /spec/template/spec/containers/0/securityContext/runAsUser - target: - group: apps - kind: Deployment - name: kfptask-webhook diff --git a/apps/pipeline/upstream/third-party/openshift/standalone/anyuid-scc.yaml b/apps/pipeline/upstream/third-party/openshift/standalone/anyuid-scc.yaml deleted file mode 100644 index c7c3e13d3..000000000 --- a/apps/pipeline/upstream/third-party/openshift/standalone/anyuid-scc.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - annotations: - kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC - but allows users to run with any UID and any GID. - name: kubeflow-anyuid-kfp-tekton -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: -- system:cluster-admins -priority: 10 -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: -#Metadata DB accesses files owned by root -- system:serviceaccount:kubeflow:metadatadb -#Minio accesses files owned by root -- system:serviceaccount:kubeflow:minio -#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it -- system:serviceaccount:kubeflow:default -- system:serviceaccount:kubeflow:pipeline-runner -- system:serviceaccount:kubeflow:kubeflow-pipelines-cache -- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa -- system:serviceaccount:kubeflow:metadata-grpc-server -- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer -- system:serviceaccount:kubeflow:ml-pipeline -- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent -- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow -- system:serviceaccount:kubeflow:ml-pipeline-ui -- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account -- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver -- system:serviceaccount:kubeflow:mysql -- system:serviceaccount:kubeflow:kfp-csi-s3 -- system:serviceaccount:kubeflow:kfp-csi-attacher -- system:serviceaccount:kubeflow:kfp-csi-provisioner -- 
system:serviceaccount:openshift-pipelines:kfp-driver -- system:serviceaccount:openshift-pipelines:kfp-exithandler-controller -- system:serviceaccount:openshift-pipelines:kfp-exithandler-webhook -- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-controller -- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-webhook -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret diff --git a/apps/pipeline/upstream/third-party/openshift/standalone/kustomization.yaml b/apps/pipeline/upstream/third-party/openshift/standalone/kustomization.yaml deleted file mode 100644 index 707e8b8af..000000000 --- a/apps/pipeline/upstream/third-party/openshift/standalone/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - anyuid-scc.yaml - - privileged-scc.yaml diff --git a/apps/pipeline/upstream/third-party/openshift/standalone/privileged-scc.yaml b/apps/pipeline/upstream/third-party/openshift/standalone/privileged-scc.yaml deleted file mode 100644 index 84b0ceb61..000000000 --- a/apps/pipeline/upstream/third-party/openshift/standalone/privileged-scc.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - annotations: - kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC - but allows users to run with any UID and any GID. - name: kubeflow-privileged-kfp-tekton -allowHostDirVolumePlugin: true -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: true -allowPrivilegedContainer: true -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: -- system:cluster-admins -priority: 10 -readOnlyRootFilesystem: false -requiredDropCapabilities: -- MKNOD -runAsUser: - type: RunAsAny -seLinuxContext: - type: MustRunAs -supplementalGroups: - type: RunAsAny -users: -#Metadata DB accesses files owned by root -- system:serviceaccount:kubeflow:metadatadb -#Minio accesses files owned by root -- system:serviceaccount:kubeflow:minio -#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it -- system:serviceaccount:kubeflow:default -- system:serviceaccount:kubeflow:pipeline-runner -- system:serviceaccount:kubeflow:kubeflow-pipelines-cache -- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa -- system:serviceaccount:kubeflow:metadata-grpc-server -- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer -- system:serviceaccount:kubeflow:ml-pipeline -- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent -- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow -- system:serviceaccount:kubeflow:ml-pipeline-ui -- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account -- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver -- system:serviceaccount:kubeflow:mysql -- system:serviceaccount:kubeflow:kfp-csi-s3 -- system:serviceaccount:kubeflow:kfp-csi-attacher -- system:serviceaccount:kubeflow:kfp-csi-provisioner -- 
system:serviceaccount:openshift-pipelines:kfp-driver -- system:serviceaccount:openshift-pipelines:kfp-exithandler-controller -- system:serviceaccount:openshift-pipelines:kfp-exithandler-webhook -- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-controller -- system:serviceaccount:openshift-pipelines:tekton-pipelineloop-webhook -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -- hostPath diff --git a/apps/pipeline/upstream/third-party/prometheus/kustomization.yaml b/apps/pipeline/upstream/third-party/prometheus/kustomization.yaml index 9b2d54ef6..7fab6008e 100644 --- a/apps/pipeline/upstream/third-party/prometheus/kustomization.yaml +++ b/apps/pipeline/upstream/third-party/prometheus/kustomization.yaml @@ -8,4 +8,4 @@ resources: - prometheus-service.yaml - prometheus-deployment.yaml images: - - name: prom/prometheus +- name: prom/prometheus diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml deleted file mode 100644 index d0c47df18..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/200-serviceaccount.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kfp-exithandler-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kfp-exithandler-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton \ No newline at end of file diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml deleted file mode 100644 index 567e7bdd9..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-clusterrole.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kfp-exithandler-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - # Controller needs cluster access to all of the CRDs that it is responsible for managing. - - apiGroups: ["tekton.dev"] - resources: ["runs", "customruns", "taskruns", "pipelineruns"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["custom.tekton.dev"] - resources: ["exithandlers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["apps"] - resources: ["deployments", "deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # This is the access that the controller needs on a per-namespace basis. 
- name: kfp-exithandler-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kfp-exithandler-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - # The webhook needs to be able to list and update customresourcedefinitions, - # mainly to update the webhook certificates. - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "list", "update", "patch", "watch"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "update", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - # The webhook performs a reconciliation on these two resources and continuously - # updates configuration. - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - # knative starts informers on these things, which is why we need get, list and watch. - verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - # This mutating webhook is responsible for applying defaults to tekton objects - # as they are received. - resourceNames: ["webhook.exithandler.custom.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the mutatingwebhook config - # with the updated certificates or the refreshed set of rules. 
- verbs: ["get", "update"] - - apiGroups: ["apps"] - resources: ["deployments", "deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - # validation.webhook.exithandler.custom.tekton.dev performs schema validation when you, for example, create ExitHandlers. - resourceNames: ["validation.webhook.exithandler.custom.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the validatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kfp-exithandler-leader-election - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - # We uses leases for leaderelection - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-role.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-role.yaml deleted file mode 100644 index b22ced5d4..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-role.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kfp-exithandler-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config", "cache-config"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kfp-exithandler-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The webhook needs access to these configmaps for logging information. 
- - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config", "cache-config"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["list", "watch"] - # The webhook daemon makes a reconciliation loop on kfp-exithandler-webhook-certs. Whenever - # the secret changes it updates the webhook configurations with the certificates - # stored in the secret. - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] - resourceNames: ["kfp-exithandler-webhook-certs"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] \ No newline at end of file diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml deleted file mode 100644 index f4ab6064e..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/201-rolebinding.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kfp-exithandler-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: kfp-exithandler-controller - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kfp-exithandler-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: kfp-exithandler-webhook - apiGroup: rbac.authorization.k8s.io diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml deleted file mode 100644 index d2bae5c4e..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/202-clusterrolebinding.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kfp-exithandler-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: kfp-exithandler-controller-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -# If this ClusterRoleBinding is replaced with a RoleBinding -# then the ClusterRole would be namespaced. The access described by -# the kfp-exithandler-controller-tenant-access ClusterRole would -# be scoped to individual tenant namespaces. 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kfp-exithandler-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: kfp-exithandler-controller-tenant-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kfp-exithandler-controller-leaderelection - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: kfp-exithandler-leader-election - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kfp-exithandler-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: kfp-exithandler-webhook-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kfp-exithandler-webhook-leaderelection - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton -subjects: - - kind: ServiceAccount - name: kfp-exithandler-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: kfp-exithandler-leader-election - apiGroup: rbac.authorization.k8s.io 
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml
deleted file mode 100644
index cec9357bd..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/300-exithandler-crd.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: exithandlers.custom.tekton.dev
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
- version: "devel"
-spec:
- group: custom.tekton.dev
- versions:
- - name: v1alpha1
- served: true
- storage: true
- # Opt into the status subresource so metadata.generation
- # starts to increment
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- # One can use x-kubernetes-preserve-unknown-fields: true
- # at the root of the schema (and inside any properties, additionalProperties)
- # to get the traditional CRD behaviour that nothing is pruned, despite
- # setting spec.preserveUnknownProperties: false.
- #
- # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
- # See issue: https://github.com/knative/serving/issues/912
- x-kubernetes-preserve-unknown-fields: true
- names:
- kind: ExitHandler
- plural: exithandlers
- categories:
- - tekton
- - tekton-pipelines
- - openshift-pipelines
- scope: Namespaced
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-controller.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-controller.yaml
deleted file mode 100644
index e150a4fc3..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-controller.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kfp-exithandler-controller
- labels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
- pipeline.tekton.dev/release: "devel"
- # labels below are related to istio and should not be used for resource lookup
- version: "devel"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
- labels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
- pipeline.tekton.dev/release: "devel"
- # labels below are related to istio and should not be used for resource lookup
- app: kfp-exithandler-controller
- version: "devel"
- spec:
- serviceAccountName: kfp-exithandler-controller
- containers:
- - name: kfp-exithandler-controller
- image: tekton-exithandler-controller:dummy
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: CONFIG_LEADERELECTION_NAME
- value: config-leader-election
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - name: METRICS_DOMAIN
- value: tekton.dev/pipeline
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml
deleted file mode 100644
index 345c57d1f..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook-configuration.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: kfp-exithandler-webhook-certs
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
-# The data is populated at install time.
-
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: validation.webhook.exithandler.custom.tekton.dev
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
-webhooks:
-- admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: kfp-exithandler-webhook
- namespace: tekton-pipelines
- failurePolicy: Fail
- sideEffects: None
- name: validation.webhook.exithandler.custom.tekton.dev
-
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- name: webhook.exithandler.custom.tekton.dev
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
-webhooks:
-- admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: kfp-exithandler-webhook
- namespace: tekton-pipelines
- failurePolicy: Fail
- sideEffects: None
- name: webhook.exithandler.custom.tekton.dev
-
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook.yaml
deleted file mode 100644
index 2f8a394d3..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/500-webhook.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kfp-exithandler-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
- version: "devel"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
- app: tekton-pipelines-webhook
- version: "devel"
- spec:
- serviceAccountName: kfp-exithandler-webhook
- containers:
- - name: webhook
- image: tekton-exithandler-webhook:dummy
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- # If you are changing these names, you will also need to update
- # the webhook's Role in 200-role.yaml to include the new
- # values in the "configmaps" "get" rule.
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - name: CONFIG_LEADERELECTION_NAME
- value: config-leader-election
- - name: WEBHOOK_SERVICE_NAME
- value: kfp-exithandler-webhook
- - name: WEBHOOK_SECRET_NAME
- value: kfp-exithandler-webhook-certs
- - name: METRICS_DOMAIN
- value: tekton.dev/pipeline
- ports:
- - name: metrics
- containerPort: 9090
- - name: profiling
- containerPort: 8008
- - name: https-webhook
- containerPort: 8443
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
- app: tekton-pipelines-webhook
- version: "devel"
- name: kfp-exithandler-webhook
- namespace: tekton-pipelines
-spec:
- ports:
- # Define metrics and profiling for them to be accessible within service meshes.
- - name: http-metrics
- port: 9090
- targetPort: 9090
- - name: http-profiling
- port: 8008
- targetPort: 8008
- - name: https-webhook
- port: 443
- targetPort: 8443
- selector:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/kustomization.yaml
deleted file mode 100644
index e9cd59886..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/exit-handler/kustomization.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - 200-serviceaccount.yaml
- - 201-clusterrole.yaml
- - 201-role.yaml
- - 201-rolebinding.yaml
- - 202-clusterrolebinding.yaml
- - 300-exithandler-crd.yaml
- - 500-controller.yaml
- - 500-webhook-configuration.yaml
- - 500-webhook.yaml
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml
deleted file mode 100644
index d9e470eee..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/200-serviceaccount.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kfptask-controller
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kfptask-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
\ No newline at end of file
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml
deleted file mode 100644
index d8da4a5e6..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-clusterrole.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kfptask-controller-cluster-access
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- # Controller needs cluster access to all of the CRDs that it is responsible for managing.
- - apiGroups: ["tekton.dev"]
- resources: ["runs", "customruns", "taskruns", "pipelineruns"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["tekton.dev"]
- resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["custom.tekton.dev"]
- resources: ["kfptasks"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["apps"]
- resources: ["deployments", "deployments/finalizers"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: [""]
- resources: ["persistentvolumes", "persistentvolumeclaims"]
- verbs: ["*"]
-
- # Controller needs permission to emit events associated with Run CRs.
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-
- # driver needs to access configmaps to get configuration
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "watch", "list"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- # This is the access that the controller needs on a per-namespace basis.
- name: kfptask-controller-tenant-access
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kfptask-webhook-cluster-access
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- # The webhook needs to be able to list and update customresourcedefinitions,
- # mainly to update the webhook certificates.
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions", "customresourcedefinitions/status"]
- verbs: ["get", "list", "update", "patch", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "update", "patch", "watch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- # The webhook performs a reconciliation on these two resources and continuously
- # updates configuration.
- resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
- # knative starts informers on these things, which is why we need get, list and watch.
- verbs: ["list", "watch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- # This mutating webhook is responsible for applying defaults to tekton objects
- # as they are received.
- resourceNames: ["webhook.kfptask.custom.tekton.dev"]
- # When there are changes to the configs or secrets, knative updates the mutatingwebhook config
- # with the updated certificates or the refreshed set of rules.
- verbs: ["get", "update"]
- - apiGroups: ["apps"]
- resources: ["deployments", "deployments/finalizers"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- # validation.webhook.kfptask.custom.tekton.dev performs schema validation when you, for example, create KfpTasks.
- resourceNames: ["validation.webhook.kfptask.custom.tekton.dev"]
- # When there are changes to the configs or secrets, knative updates the validatingwebhook config
- # with the updated certificates or the refreshed set of rules.
- verbs: ["get", "update"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines", "openshift-pipelines"]
- verbs: ["use"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kfptask-leader-election
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- # We uses leases for leaderelection
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-role.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-role.yaml
deleted file mode 100644
index 757ec7c4d..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-role.yaml
+++ /dev/null
@@ -1,96 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kfptask-controller
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["list", "watch"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get"]
- resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config", "cache-config"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines", "openshift-pipelines"]
- verbs: ["use"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["persistentvolumes", persistentvolumeclaims]
- verbs: ["*"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots"]
- verbs: ["create", "delete", "get"]
- - apiGroups: [""]
- resources: ["pods", "pods/exec", "pods/log", "services"]
- verbs: ["*"]
- - apiGroups: ["", "apps", "extensions"]
- resources: ["deployments", "replicasets"]
- verbs: ["*"]
- - apiGroups: ["kubeflow.org"]
- resources: ["*"]
- verbs: ["*"]
- - apiGroups: ["batch"]
- resources: ["jobs"]
- verbs: ["*"]
- - apiGroups: ["machinelearning.seldon.io"]
- resources: ["seldondeployments"]
- verbs: ["*"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines", "openshift-pipelines"]
- verbs: ["use"]
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kfptask-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-rules:
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["list", "watch"]
- # The webhook needs access to these configmaps for logging information.
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get"]
- resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config", "cache-config"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["list", "watch"]
- # The webhook daemon makes a reconciliation loop on kfptask-webhook-certs. Whenever
- # the secret changes it updates the webhook configurations with the certificates
- # stored in the secret.
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "update"]
- resourceNames: ["kfptask-webhook-certs"]
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["tekton-pipelines", "openshift-pipelines"]
- verbs: ["use"]
\ No newline at end of file
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml
deleted file mode 100644
index d8aa0c81f..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/201-rolebinding.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: kfptask-controller
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-controller
- namespace: tekton-pipelines
-roleRef:
- kind: Role
- name: kfptask-controller
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: kfptask-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-webhook
- namespace: tekton-pipelines
-roleRef:
- kind: Role
- name: kfptask-webhook
- apiGroup: rbac.authorization.k8s.io
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml
deleted file mode 100644
index 166e0be3d..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/202-clusterrolebinding.yaml
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright 2020 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kfptask-controller-cluster-access
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-controller
- namespace: tekton-pipelines
-roleRef:
- kind: ClusterRole
- name: kfptask-controller-cluster-access
- apiGroup: rbac.authorization.k8s.io
----
-# If this ClusterRoleBinding is replaced with a RoleBinding
-# then the ClusterRole would be namespaced. The access described by
-# the kfptask-controller-tenant-access ClusterRole would
-# be scoped to individual tenant namespaces.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kfptask-controller-tenant-access
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-controller
- namespace: tekton-pipelines
-roleRef:
- kind: ClusterRole
- name: kfptask-controller-tenant-access
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kfptask-controller-leaderelection
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-controller
- namespace: tekton-pipelines
-roleRef:
- kind: ClusterRole
- name: kfptask-leader-election
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kfptask-webhook-cluster-access
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-webhook
- namespace: tekton-pipelines
-roleRef:
- kind: ClusterRole
- name: kfptask-webhook-cluster-access
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kfptask-webhook-leaderelection
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
-subjects:
- - kind: ServiceAccount
- name: kfptask-webhook
- namespace: tekton-pipelines
-roleRef:
- kind: ClusterRole
- name: kfptask-leader-election
- apiGroup: rbac.authorization.k8s.io
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml
deleted file mode 100644
index 3c97edcd5..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/300-kfptask-crd.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: kfptasks.custom.tekton.dev
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- pipeline.tekton.dev/release: "devel"
- version: "devel"
-spec:
- group: custom.tekton.dev
- versions:
- - name: v1alpha1
- served: true
- storage: true
- # Opt into the status subresource so metadata.generation
- # starts to increment
- subresources:
- status: {}
- schema:
- openAPIV3Schema:
- type: object
- # One can use x-kubernetes-preserve-unknown-fields: true
- # at the root of the schema (and inside any properties, additionalProperties)
- # to get the traditional CRD behaviour that nothing is pruned, despite
- # setting spec.preserveUnknownProperties: false.
- #
- # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
- # See issue: https://github.com/knative/serving/issues/912
- x-kubernetes-preserve-unknown-fields: true
- names:
- kind: KfpTask
- plural: kfptasks
- categories:
- - tekton
- - tekton-pipelines
- - openshift-pipelines
- scope: Namespaced
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-controller.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-controller.yaml
deleted file mode 100644
index 8a09a8713..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-controller.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2023 kubeflow.org
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kfptask-controller
- labels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
- pipeline.tekton.dev/release: "devel"
- # labels below are related to istio and should not be used for resource lookup
- version: "devel"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: kfp-tekton
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
- labels:
- app.kubernetes.io/name: controller
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: kfp-tekton
- # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
- pipeline.tekton.dev/release: "devel"
- # labels below are related to istio and should not be used for resource lookup
- app: kfptask-controller
- version: "devel"
- spec:
- serviceAccountName: kfptask-controller
- containers:
- - name: kfptask-controller
- image: tekton-kfptask-controller:dummy
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: CONFIG_LEADERELECTION_NAME
- value: config-leader-election
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - name: METRICS_DOMAIN
- value: tekton.dev/pipeline
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml
deleted file mode 100644
index 83911000e..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook-configuration.yaml
+++ /dev/null
@@ -1,68 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: kfptask-webhook-certs - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" -# The data is populated at install time. - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.kfptask.custom.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: kfptask-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: validation.webhook.kfptask.custom.tekton.dev - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.kfptask.custom.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: kfptask-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: webhook.kfptask.custom.tekton.dev - 
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook.yaml
deleted file mode 100644
index 966eb46eb..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/500-webhook.yaml
+++ /dev/null
@@ -1,122 +0,0 @@ -# Copyright 2023 kubeflow.org -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kfptask-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "devel" - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" - version: "devel" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "devel" - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" - app: tekton-pipelines-webhook - version: "devel" - spec: - serviceAccountName: kfptask-webhook - containers: - - name: webhook - image: tekton-kfptask-webhook:dummy - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the webhook's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: WEBHOOK_SERVICE_NAME - value: kfptask-webhook - - name: WEBHOOK_SECRET_NAME - value: kfptask-webhook-certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - runAsGroup: 65532 - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "devel" - app.kubernetes.io/part-of: kfp-tekton - pipeline.tekton.dev/release: "devel" - app: tekton-pipelines-webhook - version: "devel" - name: kfptask-webhook - namespace: tekton-pipelines -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: kfp-tekton diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/kustomization.yaml deleted file mode 100644 index de29e865e..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/kfptask/kustomization.yaml +++ /dev/null 
@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - 200-serviceaccount.yaml
- - 201-clusterrole.yaml
- - 201-role.yaml
- - 201-rolebinding.yaml
- - 202-clusterrolebinding.yaml
- - 300-kfptask-crd.yaml
- - 500-controller.yaml
- - 500-webhook-configuration.yaml
- - 500-webhook.yaml
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/kustomization.yaml
deleted file mode 100644
index 3af66de58..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/kustomization.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- pipeline-loops
-- exit-handler
-- kfptask
-# Deprecated controller
-# - driver-controller
-
-namespace: tekton-pipelines
-
-images:
- - name: quay.io/aipipeline/pipelineloop-controller
- newTag: 1.9.2
- - name: quay.io/aipipeline/pipelineloop-webhook
- newTag: 1.9.2
- - name: tekton-exithandler-controller
- newName: quay.io/aipipeline/tekton-exithandler-controller
- newTag: 2.0.5
- - name: tekton-exithandler-webhook
- newName: quay.io/aipipeline/tekton-exithandler-webhook
- newTag: 2.0.5
- - name: tekton-kfptask-controller
- newName: quay.io/aipipeline/tekton-kfptask-controller
- newTag: 2.0.5
- - name: tekton-kfptask-webhook
- newName: quay.io/aipipeline/tekton-kfptask-webhook
- newTag: 2.0.5
- # Deprecated controller
- # - name: kfp-v2-dev-driver-controller
- # newName: quay.io/aipipeline/tekton-driver
- # newTag: 2.0.3
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml
deleted file mode 100644
index c995e80bd..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/200-serviceaccount.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: tekton-pipelineloop-controller
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipeline-loops
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: tekton-pipelineloop-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipeline-loops
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml
deleted file mode 100644
index 34281f8b8..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-clusterrole.yaml
+++ /dev/null
@@ -1,95 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelineloop-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - # Controller needs cluster access to all of the CRDs that it is responsible for managing. - - apiGroups: ["tekton.dev"] - resources: ["runs", "customruns", "taskruns", "pipelineruns"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["runs/status", "customruns/status", "taskruns/status", "pipelineruns/status", "runs/finalizers", "customruns/finalizers",] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["custom.tekton.dev"] - resources: ["pipelineloops", "kfptasks"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["apps"] - resources: ["deployments", "deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # This is the access that the controller needs on a per-namespace basis. - name: tekton-pipelineloop-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelineloop-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - # The webhook needs to be able to list and update customresourcedefinitions, - # mainly to update the webhook certificates. 
- - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "list", "update", "patch", "watch"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "update", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - # The webhook performs a reconciliation on these two resources and continuously - # updates configuration. - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - # knative starts informers on these things, which is why we need get, list and watch. - verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - # This mutating webhook is responsible for applying defaults to tekton objects - # as they are received. - resourceNames: ["webhook.pipelineloop.custom.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the mutatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update"] - - apiGroups: ["apps"] - resources: ["deployments", "deployments/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - # validation.webhook.pipelineloop.custom.tekton.dev performs schema validation when you, for example, create PipelineLoops. - resourceNames: ["validation.webhook.pipelineloop.custom.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the validatingwebhook config - # with the updated certificates or the refreshed set of rules. 
- verbs: ["get", "update"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelineloop-leader-election - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - # We uses leases for leaderelection - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-role.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-role.yaml deleted file mode 100644 index 04b47b2eb..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-role.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelineloop-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-leader-election", "config-logging", "config-observability", "object-store-config"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The webhook needs access to these configmaps for logging information. - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "config-leader-election", "object-store-config"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["list", "watch"] - # The webhook daemon makes a reconciliation loop on tekton-pipelineloop-webhook-certs. Whenever - # the secret changes it updates the webhook configurations with the certificates - # stored in the secret. - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] - resourceNames: ["tekton-pipelineloop-webhook-certs"] - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: ["tekton-pipelines", "openshift-pipelines"] - verbs: ["use"] 
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml deleted file mode 100644 index 0d004082b..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/201-rolebinding.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelineloop-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelineloop-controller - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelineloop-webhook - apiGroup: rbac.authorization.k8s.io diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml deleted file mode 100644 index 9a8e8bc34..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/202-clusterrolebinding.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelineloop-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelineloop-controller-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -# If this ClusterRoleBinding is replaced with a RoleBinding -# then the ClusterRole would be namespaced. The access described by -# the tekton-pipelineloop-controller-tenant-access ClusterRole would -# be scoped to individual tenant namespaces. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelineloop-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelineloop-controller-tenant-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelineloop-controller-leaderelection - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelineloop-leader-election - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelineloop-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - 
app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelineloop-webhook-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelineloop-webhook-leaderelection - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops -subjects: - - kind: ServiceAccount - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelineloop-leader-election - apiGroup: rbac.authorization.k8s.io diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml deleted file mode 100644 index 967b9ad48..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/203-object-store-config.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: object-store-config - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines-loops -data: - enable: "false" - defaultBucketName: "pipelineloop-logs" - ibmStyleCredentials: "false" - region: "us-south" - accessKey: "minio" - secretKey: "minio123" - # Below are IBM cloud specific credentials, available if the flag ibmStyleCredentials is true. - apiKey: "" - serviceInstanceID: "crn:v1:bluemix:public:cloud-object-storage:global:a/ID-dummy-1231231231-123abcdefgh:dummy-values::" - serviceEndpoint: "http://minio-service.kubeflow:9000" - authEndpoint: "https://iam.cloud.ibm.com/identity/token" diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml deleted file mode 100644 index b64ca72f3..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/204-cache-config.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: cache-config - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines-loops -data: - disabled: "true" - driver: "mysql" - host: "mysql.kubeflow.svc.cluster.local" - port: "3306" - dbName: "cachedb" - user: "root" - password: "" - timeout: "6m" - extraParams: "" - mysqlDBGroupConcatMaxLen: "4194304" diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml deleted file mode 100644 index de3b3efee..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/300-pipelineloop.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelineloops.custom.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - pipeline.tekton.dev/release: "devel" - version: "devel" -spec: - group: custom.tekton.dev - versions: - - name: v1alpha1 - served: true - storage: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - names: - kind: PipelineLoop - plural: pipelineloops - categories: - - tekton - - tekton-pipelines - - openshift-pipelines - scope: Namespaced diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml deleted file mode 100644 index 4efdfe4ce..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/301-breaktask.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: breaktasks.custom.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - pipeline.tekton.dev/release: "devel" - version: "devel" -spec: - group: custom.tekton.dev - versions: - - name: v1alpha1 - served: true - storage: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - names: - kind: BreakTask - plural: breaktasks - categories: - - tekton - - tekton-pipelines - scope: Namespaced diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml deleted file mode 100644 index e58fc23b9..000000000 
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-controller.yaml
+++ /dev/null
@@ -1,68 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-pipelineloop-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "devel" - app.kubernetes.io/part-of: tekton-pipeline-loops - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "devel" - # labels below are related to istio and should not be used for resource lookup - version: "devel" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "devel" - app.kubernetes.io/part-of: tekton-pipeline-loops - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "devel" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelineloop-controller - version: "devel" - spec: - serviceAccountName: tekton-pipelineloop-controller - containers: - - name: tekton-pipelineloop-controller - image: quay.io/aipipeline/pipelineloop-controller:nightly - env: - - name: KFPV2 - value: "true" - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - ALL - runAsNonRoot: true - runAsGroup: 65532 - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml deleted file mode 100644 index 49e335b09..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook-configuration.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: tekton-pipelineloop-webhook-certs - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - pipeline.tekton.dev/release: "devel" -# The data is populated at install time. - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.pipelineloop.custom.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - pipeline.tekton.dev/release: "devel" -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: validation.webhook.pipelineloop.custom.tekton.dev - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.pipelineloop.custom.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipeline-loops - pipeline.tekton.dev/release: "devel" -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: tekton-pipelineloop-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: webhook.pipelineloop.custom.tekton.dev diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml deleted file mode 100644 index ca53147f7..000000000 --- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/500-webhook.yaml +++ /dev/null 
@@ -1,108 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: tekton-pipelineloop-webhook
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: tekton-pipeline-loops
- pipeline.tekton.dev/release: "devel"
- version: "devel"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipeline-loops
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: tekton-pipeline-loops
- pipeline.tekton.dev/release: "devel"
- app: tekton-pipelines-webhook
- version: "devel"
- spec:
- serviceAccountName: tekton-pipelineloop-webhook
- containers:
- - name: webhook
- image: quay.io/aipipeline/pipelineloop-webhook:nightly
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- # If you are changing these names, you will also need to update
- # the webhook's Role in 200-role.yaml to include the new
- # values in the "configmaps" "get" rule.
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - name: CONFIG_LEADERELECTION_NAME
- value: config-leader-election
- - name: WEBHOOK_SERVICE_NAME
- value: tekton-pipelineloop-webhook
- - name: WEBHOOK_SECRET_NAME
- value: tekton-pipelineloop-webhook-certs
- - name: METRICS_DOMAIN
- value: tekton.dev/pipeline
- ports:
- - name: metrics
- containerPort: 9090
- - name: profiling
- containerPort: 8008
- - name: https-webhook
- containerPort: 8443
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsGroup: 65532
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/version: "devel"
- app.kubernetes.io/part-of: tekton-pipeline-loops
- pipeline.tekton.dev/release: "devel"
- app: tekton-pipelines-webhook
- version: "devel"
- name: tekton-pipelineloop-webhook
- namespace: tekton-pipelines
-spec:
- ports:
- # Define metrics and profiling for them to be accessible within service meshes.
- - name: http-metrics
- port: 9090
- targetPort: 9090
- - name: http-profiling
- port: 8008
- targetPort: 8008
- - name: https-webhook
- port: 443
- targetPort: 8443
- selector:
- app.kubernetes.io/name: webhook
- app.kubernetes.io/component: webhook
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipeline-loops
diff --git a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
deleted file mode 100644
index f888cfc5e..000000000
--- a/apps/pipeline/upstream/third-party/tekton-custom-task/pipeline-loops/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - 200-serviceaccount.yaml
- - 201-clusterrole.yaml
- - 201-role.yaml
- - 201-rolebinding.yaml
- - 202-clusterrolebinding.yaml
- - 203-object-store-config.yaml
- - 204-cache-config.yaml
- - 300-pipelineloop.yaml
- - 301-breaktask.yaml
- - 500-controller.yaml
- - 500-webhook-configuration.yaml
- - 500-webhook.yaml
diff --git a/apps/pipeline/upstream/third-party/tekton/README.md b/apps/pipeline/upstream/third-party/tekton/README.md
deleted file mode 100644
index 7ac8432b7..000000000
--- a/apps/pipeline/upstream/third-party/tekton/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Tekton manifests
-
-## Upgrade the Tekton Manifest Release
-
-To upgrade the Tekton pipeline or Tekton dashboard manifest to the latest release, run the following commands in this directory
-
-```shell
-curl -L https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml --output upstream/manifests/base/tektoncd-install/tekton-release.yaml
-curl -L https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml --output upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
-```
diff --git a/apps/pipeline/upstream/third-party/tekton/base/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton/base/kustomization.yaml
deleted file mode 100644
index 632bff25a..000000000
--- a/apps/pipeline/upstream/third-party/tekton/base/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-bases:
-- ../upstream/manifests/base/tektoncd-install
diff --git a/apps/pipeline/upstream/third-party/tekton/installs/cluster/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton/installs/cluster/kustomization.yaml
deleted file mode 100644
index 2e9e7974b..000000000
--- a/apps/pipeline/upstream/third-party/tekton/installs/cluster/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-bases:
- - ../../base
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/kustomization.yaml
deleted file mode 100644
index a654682cb..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- tektoncd-install
-- tektoncd-dashboard
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml
deleted file mode 100644
index 53e07828a..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- tekton-dashboard-release.yaml
-namespace: tekton-pipelines
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
deleted file mode 100644
index 0b7dd653f..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-dashboard/tekton-dashboard-release.yaml
+++ /dev/null
@@ -1,335 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: extensions.dashboard.tekton.dev -spec: - group: dashboard.tekton.dev - names: - categories: - - tekton - - tekton-dashboard - kind: Extension - plural: extensions - shortNames: - - ext - - exts - preserveUnknownFields: false - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.apiVersion - name: API version - type: string - - jsonPath: .spec.name - name: Kind - type: string - - jsonPath: .spec.displayname - name: Display name - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-info - namespace: tekton-pipelines -rules: - - apiGroups: - - "" - resourceNames: - - dashboard-info - resources: - - configmaps - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-backend -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - use - - 
apiGroups: - - tekton.dev - resources: - - clustertasks - verbs: - - get - - list - - watch - - apiGroups: - - triggers.tekton.dev - resources: - - clusterinterceptors - - clustertriggerbindings - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-tenant -rules: - - apiGroups: - - dashboard.tekton.dev - resources: - - extensions - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - - namespaces - - pods - - pods/log - verbs: - - get - - list - - watch - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - customruns - verbs: - - get - - list - - watch - - apiGroups: - - triggers.tekton.dev - resources: - - eventlisteners - - interceptors - - triggerbindings - - triggers - - triggertemplates - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: tekton-dashboard-info - namespace: tekton-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tekton-dashboard-info -subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - rbac.dashboard.tekton.dev/subject: tekton-dashboard - name: tekton-dashboard-backend -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-backend -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines ---- -apiVersion: v1 -data: - version: v0.41.0 -kind: 
ConfigMap -metadata: - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - name: dashboard-info - namespace: tekton-pipelines ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.41.0 - dashboard.tekton.dev/release: v0.41.0 - version: v0.41.0 - name: tekton-dashboard - namespace: tekton-pipelines -spec: - ports: - - name: http - port: 9097 - protocol: TCP - targetPort: 9097 - selector: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.41.0 - dashboard.tekton.dev/release: v0.41.0 - version: v0.41.0 - name: tekton-dashboard - namespace: tekton-pipelines -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - template: - metadata: - labels: - app: tekton-dashboard - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/name: dashboard - app.kubernetes.io/part-of: tekton-dashboard - app.kubernetes.io/version: v0.41.0 - name: tekton-dashboard - spec: - containers: - - args: - - --port=9097 - - --logout-url= - - --pipelines-namespace=tekton-pipelines - - --triggers-namespace=tekton-pipelines - - --read-only=true - - --log-level=info - - --log-format=json - - --namespace= - - --namespaces= - - --stream-logs=true - - --external-logs= - 
env: - - name: INSTALLED_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: gcr.io/tekton-releases/github.com/tektoncd/dashboard/cmd/dashboard:v0.41.0@sha256:698b458f98789177571182b8d092d49e44cd814ab8bbd3434e6ea66d538196c1 - livenessProbe: - httpGet: - path: /health - port: 9097 - name: tekton-dashboard - ports: - - containerPort: 9097 - readinessProbe: - httpGet: - path: /readiness - port: 9097 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: tekton-dashboard - volumes: [] - ---- ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard - rbac.dashboard.tekton.dev/subject: tekton-dashboard - name: tekton-dashboard-tenant -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-dashboard-tenant -subjects: - - kind: ServiceAccount - name: tekton-dashboard - namespace: tekton-pipelines diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml deleted file mode 100644 index 62fd8a48b..000000000 --- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/kustomization.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- tekton-release.yaml
-patchesStrategicMerge:
-- tekton-config.yaml
-- tekton-default.yaml
-patchesJson6902:
-- target:
- group: apps
- version: v1
- kind: Deployment
- name: tekton-pipelines-controller
- namespace: tekton-pipelines
- path: tekton-controller.yaml
-images:
-- name: $(registry)/$(controller)
- newName: $(registry)/$(controller)
- newTag: latest
-- name: $(registry)/$(webhook)
- newName: $(registry)/$(webhook)
- newTag: latest
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml
deleted file mode 100644
index e66f1a50a..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-config.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: feature-flags
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipelines
-data:
- running-in-environment-with-injected-sidecars: "false"
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
deleted file mode 100644
index ddd4b74a1..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-controller.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "4"
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "-threads-per-controller"
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "50"
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "-kube-api-burst"
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "50"
-- op: add
- path: /spec/template/spec/containers/0/args/0
- value: "-kube-api-qps"
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
deleted file mode 100644
index 8755f6e02..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-default.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: config-defaults
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-pipelines
-data:
- default-timeout-minutes: "0"
\ No newline at end of file
diff --git a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml b/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
deleted file mode 100644
index aa826b635..000000000
--- a/apps/pipeline/upstream/third-party/tekton/upstream/manifests/base/tektoncd-install/tekton-release.yaml
+++ /dev/null
@@ -1,3463 +0,0 @@ -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Namespace -metadata: - name: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pod-security.kubernetes.io/enforce: restricted - ---- -# Copyright 2020-2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - # Controller needs to watch Pods created by TaskRuns to see them progress. 
- resources: ["pods"] - verbs: ["list", "watch"] - - apiGroups: [""] - # Controller needs to get the list of cordoned nodes over the course of a single run - resources: ["nodes"] - verbs: ["list"] - # Controller needs cluster access to all of the CRDs that it is responsible for - # managing. - - apiGroups: ["tekton.dev"] - resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns", "stepactions"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["verificationpolicies"] - verbs: ["get", "list", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["taskruns/finalizers", "pipelineruns/finalizers", "customruns/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["tekton.dev"] - resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status", "stepactions/status"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - # resolution.tekton.dev - - apiGroups: ["resolution.tekton.dev"] - resources: ["resolutionrequests", "resolutionrequests/status"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # This is the access that the controller needs on a per-namespace basis. - name: tekton-pipelines-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # Read-write access to create Pods and PVCs (for Workspaces) - - apiGroups: [""] - resources: ["pods", "persistentvolumeclaims"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - # Write permissions to publish events. 
- - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update", "patch"] - # Read-only access to these. - - apiGroups: [""] - resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"] - verbs: ["get", "list", "watch"] - # Read-write access to StatefulSets for Affinity Assistant. - - apiGroups: ["apps"] - resources: ["statefulsets"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # The webhook needs to be able to get and update customresourcedefinitions, - # mainly to update the webhook certificates. - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "update", "patch"] - resourceNames: - - pipelines.tekton.dev - - pipelineruns.tekton.dev - - tasks.tekton.dev - - clustertasks.tekton.dev - - taskruns.tekton.dev - - resolutionrequests.resolution.tekton.dev - - customruns.tekton.dev - - verificationpolicies.tekton.dev - - stepactions.tekton.dev - # knative.dev/pkg needs list/watch permissions to set up informers for the webhook. - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - # The webhook performs a reconciliation on these two resources and continuously - # updates configuration. - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - # knative starts informers on these things, which is why we need get, list and watch. 
- verbs: ["list", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - # This mutating webhook is responsible for applying defaults to tekton objects - # as they are received. - resourceNames: ["webhook.pipeline.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the mutatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update", "delete"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - # validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns. - # config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure - resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"] - # When there are changes to the configs or secrets, knative updates the validatingwebhook config - # with the updated certificates or the refreshed set of rules. - verbs: ["get", "update", "delete"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get"] - # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, - # which requires we can Get the system namespace. - resourceNames: ["tekton-pipelines"] - - apiGroups: [""] - resources: ["namespaces/finalizers"] - verbs: ["update"] - # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources, - # which requires we can update the system namespace finalizers. 
- resourceNames: ["tekton-pipelines"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-events-controller-cluster-access - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: ["tekton.dev"] - resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns"] - verbs: ["get", "list", "watch"] - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The controller needs access to these configmaps for logging information and runtime configuration. 
- - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-controller", "config-registry-cert"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The webhook needs access to these configmaps for logging information. - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "config-leader-election-webhook", "feature-flags"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["list", "watch"] - # The webhook daemon makes a reconciliation loop on webhook-certs. Whenever - # the secret changes it updates the webhook configurations with the certificates - # stored in the secret. - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "update"] - resourceNames: ["webhook-certs"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-events-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["list", "watch"] - # The controller needs access to these configmaps for logging information and runtime configuration. 
- - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["config-logging", "config-observability", "feature-flags", "config-leader-election-events", "config-registry-cert"] ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-leader-election - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # We uses leases for leaderelection - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: tekton-pipelines-info - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # All system:authenticated users needs to have access - # of the pipelines-info ConfigMap even if they don't - # have access to the other resources present in the - # installed namespace. - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["pipelines-info"] - verbs: ["get"] - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-events-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-controller-cluster-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-controller-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -# If this ClusterRoleBinding is replaced with a RoleBinding -# then the ClusterRole would be namespaced. 
The access described by -# the tekton-pipelines-controller-tenant-access ClusterRole would -# be scoped to individual tenant namespaces. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-controller-tenant-access - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-controller-tenant-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-webhook-cluster-access - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-pipelines-webhook-cluster-access - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-events-controller-cluster-access - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-events-controller - namespace: tekton-pipelines -roleRef: - kind: ClusterRole - name: tekton-events-controller-cluster-access - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-controller - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-webhook - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-controller-leaderelection - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-leader-election - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-webhook-leaderelection - namespace: 
tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-webhook - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-leader-election - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-info - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - # Giving all system:authenticated users the access of the - # ConfigMap which contains version information. - - kind: Group - name: system:authenticated - apiGroup: rbac.authorization.k8s.io -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tekton-pipelines-info ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-events-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-events-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-events-controller - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-events-controller-leaderelection - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-events-controller - namespace: tekton-pipelines -roleRef: - kind: Role - name: tekton-pipelines-leader-election - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except 
in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustertasks.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: ClusterTask - plural: clustertasks - singular: clustertask - categories: - - tekton - - tekton-pipelines - scope: Cluster - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: customruns.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: CustomRun - plural: customruns - singular: customrun - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelines.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: false - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields - # and use the schema in tooling such as `kubectl explain`. - # Using "x-kubernetes-preserve-unknown-fields: true" - # at the root of the schema (or within it) allows arbitrary fields. - # We currently perform our own validation separately. - # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema - # for more info. 
- x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: Pipeline - plural: pipelines - singular: pipeline - categories: - - tekton - - tekton-pipelines - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelineruns.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: PipelineRun - plural: pipelineruns - singular: pipelinerun - categories: - - tekton - - tekton-pipelines - shortNames: - - pr - - prs - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: resolutionrequests.resolution.tekton.dev - labels: - resolution.tekton.dev/release: devel -spec: - group: resolution.tekton.dev - scope: Namespaced - names: - kind: ResolutionRequest - plural: resolutionrequests - singular: resolutionrequest - categories: - - tekton - - tekton-pipelines - shortNames: - - resolutionrequest - - resolutionrequests - versions: - - name: v1alpha1 - served: true - deprecated: true - storage: false - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" - - name: v1beta1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: OwnerKind - type: string - jsonPath: ".metadata.ownerReferences[0].kind" - - name: Owner - type: string - jsonPath: ".metadata.ownerReferences[0].name" - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type=='Succeeded')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Succeeded')].reason" - - name: StartTime - type: string - jsonPath: .metadata.creationTimestamp - - name: EndTime - type: string - jsonPath: .status.conditions[?(@.type=='Succeeded')].lastTransitionTime - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1alpha1", "v1beta1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2023 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: stepactions.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: StepAction - plural: stepactions - singular: stepaction - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tasks.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # TODO(#1461): Add OpenAPIV3 schema - # OpenAPIV3 schema allows Kubernetes to perform validation on the schema fields - # and use the schema in tooling such as `kubectl explain`. - # Using "x-kubernetes-preserve-unknown-fields: true" - # at the root of the schema (or within it) allows arbitrary fields. - # We currently perform our own validation separately. - # See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema - # for more info. 
- x-kubernetes-preserve-unknown-fields: true - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: Task - plural: tasks - singular: task - categories: - - tekton - - tekton-pipelines - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: taskruns.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - preserveUnknownFields: false - versions: - - name: v1beta1 - served: true - storage: false - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. 
- # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Succeeded - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason" - - name: StartTime - type: date - jsonPath: .status.startTime - - name: CompletionTime - type: date - jsonPath: .status.completionTime - # Opt into the status subresource so metadata.generation - # starts to increment - subresources: - status: {} - names: - kind: TaskRun - plural: taskruns - singular: taskrun - categories: - - tekton - - tekton-pipelines - shortNames: - - tr - - trs - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: verificationpolicies.tekton.dev - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" - version: "v0.53.2" -spec: - group: tekton.dev - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - # One can use x-kubernetes-preserve-unknown-fields: true - # at the root of the schema (and inside any properties, additionalProperties) - # to get the traditional CRD behaviour that nothing is pruned, despite - # setting spec.preserveUnknownProperties: false. - # - # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/ - # See issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - names: - kind: VerificationPolicy - plural: verificationpolicies - singular: verificationpolicy - categories: - - tekton - - tekton-pipelines - scope: Namespaced - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: webhook-certs - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" -# The data is populated at install time. 
---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: validation.webhook.pipeline.tekton.dev ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: webhook.pipeline.tekton.dev ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.pipeline.tekton.dev - labels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pipeline.tekton.dev/release: "v0.53.2" -webhooks: - - admissionReviewVersions: ["v1"] - clientConfig: - service: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - failurePolicy: Fail - sideEffects: None - name: config.webhook.pipeline.tekton.dev - objectSelector: - matchLabels: - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2019-2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tekton-aggregate-edit - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - runs - - customruns - - stepactions - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - ---- -# Copyright 2019-2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tekton-aggregate-view - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - tekton.dev - resources: - - tasks - - taskruns - - pipelines - - pipelineruns - - runs - - customruns - - stepactions - verbs: - - get - - list - - watch - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-defaults - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # default-timeout-minutes contains the default number of - # minutes to use for TaskRun and PipelineRun, if none is specified. 
- default-timeout-minutes: "60" # 60 minutes - - # default-service-account contains the default service account name - # to use for TaskRun and PipelineRun, if none is specified. - default-service-account: "default" - - # default-managed-by-label-value contains the default value given to the - # "app.kubernetes.io/managed-by" label applied to all Pods created for - # TaskRuns. If a user's requested TaskRun specifies another value for this - # label, the user's request supercedes. - default-managed-by-label-value: "tekton-pipelines" - - # default-pod-template contains the default pod template to use for - # TaskRun and PipelineRun. If a pod template is specified on the - # PipelineRun, the default-pod-template is merged with that one. - # default-pod-template: - - # default-affinity-assistant-pod-template contains the default pod template - # to use for affinity assistant pods. If a pod template is specified on the - # PipelineRun, the default-affinity-assistant-pod-template is merged with - # that one. - # default-affinity-assistant-pod-template: - - # default-cloud-events-sink contains the default CloudEvents sink to be - # used for TaskRun and PipelineRun, when no sink is specified. - # Note that right now it is still not possible to set a PipelineRun or - # TaskRun specific sink, so the default is the only option available. - # If no sink is specified, no CloudEvent is generated - # default-cloud-events-sink: - - # default-task-run-workspace-binding contains the default workspace - # configuration provided for any Workspaces that a Task declares - # but that a TaskRun does not explicitly provide. - # default-task-run-workspace-binding: | - # emptyDir: {} - - # default-max-matrix-combinations-count contains the default maximum number - # of combinations from a Matrix, if none is specified. - default-max-matrix-combinations-count: "256" - - # default-forbidden-env contains comma seperated environment variables that cannot be - # overridden by podTemplate. 
- default-forbidden-env: - - # default-resolver-type contains the default resolver type to be used in the cluster, - # no default-resolver-type is specified by default - default-resolver-type: - ---- -# Copyright 2023 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-events - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # formats contains a comma seperated list of event formats to be used - # the only format supported today is "tektonv1". An empty string is not - # a valid configuration. To disable events, do not specify the sink. - formats: "tektonv1" - - # sink contains the event sink to be used for TaskRun, PipelineRun and - # CustomRun. If no sink is specified, no CloudEvent is generated. 
- # This setting supercedes the "default-cloud-events-sink" from the - # "config-defaults" config map - sink: "https://events.sink/cdevents" - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: feature-flags - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # Setting this flag to "true" will prevent Tekton to create an - # Affinity Assistant for every TaskRun sharing a PVC workspace - # - # The default behaviour is for Tekton to create Affinity Assistants - # - # See more in the Affinity Assistant documentation - # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md - # or https://github.com/tektoncd/pipeline/pull/2630 for more info. - # - # Note: This feature flag is deprecated and will be removed in release v0.60. Consider using `coschedule` feature flag to configure Affinity Assistant behavior. - disable-affinity-assistant: "false" - # Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant. - # Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled". - # - # Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node. - # Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node. 
- # Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node, - # and only allows one pipelinerun to run on a node at a time. - # Setting it to "disabled" will not apply any coschedule policy. - # - # See more in the Affinity Assistant documentation - # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md - coschedule: "workspaces" - # Setting this flag to "true" will prevent Tekton scanning attached - # service accounts and injecting any credentials it finds into your - # Steps. - # - # The default behaviour currently is for Tekton to search service - # accounts for secrets matching a specified format and automatically - # mount those into your Steps. - # - # Note: setting this to "true" will prevent PipelineResources from - # working. - # - # See https://github.com/tektoncd/pipeline/issues/2791 for more - # info. - disable-creds-init: "false" - # Setting this flag to "false" will stop Tekton from waiting for a - # TaskRun's sidecar containers to be running before starting the first - # step. This will allow Tasks to be run in environments that don't - # support the DownwardAPI volume type, but may lead to unintended - # behaviour if sidecars are used. - # - # See https://github.com/tektoncd/pipeline/issues/4937 for more info. - await-sidecar-readiness: "true" - # This option should be set to false when Pipelines is running in a - # cluster that does not use injected sidecars such as Istio. Setting - # it to false should decrease the time it takes for a TaskRun to start - # running. For clusters that use injected sidecars, setting this - # option to false can lead to unexpected behavior. - # - # See https://github.com/tektoncd/pipeline/issues/2080 for more info. - running-in-environment-with-injected-sidecars: "true" - # Setting this flag to "true" will require that any Git SSH Secret - # offered to Tekton must have known_hosts included. 
- # - # See https://github.com/tektoncd/pipeline/issues/2981 for more - # info. - require-git-ssh-secret-known-hosts: "false" - # Setting this flag to "true" enables the use of Tekton OCI bundle. - # This is an experimental feature and thus should still be considered - # an alpha feature. - enable-tekton-oci-bundles: "false" - # Setting this flag will determine which gated features are enabled. - # Acceptable values are "stable", "beta", or "alpha". - enable-api-fields: "beta" - # Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a - # CloudEvents sink is configured in the config-defaults config map - send-cloudevents-for-runs: "false" - # This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them. - # If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found. - # If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged. - # If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged. - trusted-resources-verification-no-match-policy: "ignore" - # Setting this flag to "true" enables populating the "provenance" field in TaskRun - # and PipelineRun status. This field contains metadata about resources used - # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline - # definition was fetched. - enable-provenance-in-status: "true" - # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance. - # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance. - # If set to "none", then Tekton will not have non-falsifiable provenance. - # This is an experimental feature and thus should still be considered an alpha feature. 
- enforce-nonfalsifiability: "none" - # Setting this flag will determine how Tekton pipelines will handle extracting results from the task. - # Acceptable values are "termination-message" or "sidecar-logs". - # "sidecar-logs" is an experimental feature and thus should still be considered - # an alpha feature. - results-from: "termination-message" - # Setting this flag will determine the upper limit of each task result - # This flag is optional and only associated with the previous flag, results-from - # When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result - # max-result-size: "4096" - # Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns. - # This allows TaskRuns to run in namespaces with "restricted" pod security standards. - # Not all Kubernetes implementations support this option. - set-security-context: "false" - # Setting this flag to "true" will keep pod on cancellation - # allowing examination of the logs on the pods from cancelled taskruns - keep-pod-on-cancel: "false" - # Setting this flag to "true" will enable the CEL evaluation in WhenExpression - enable-cel-in-whenexpression: "false" - # Setting this flag to "true" will enable the use of StepActions in Steps - # This feature is in preview mode and not implemented yet. Please check #7259 for updates. - enable-step-actions: "false" - ---- -# Copyright 2021 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: pipelines-info - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # Contains pipelines version which can be queried by external - # tools such as CLI. Elevated permissions are already given to - # this ConfigMap such that even if we don't have access to - # other resources in the namespace we still can have access to - # this ConfigMap. - version: "v0.53.2" - ---- -# Copyright 2020 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-leader-election-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. 
- # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. - retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" - ---- -# Copyright 2023 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-leader-election-events - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. - retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" - ---- -# Copyright 2023 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-leader-election-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. - retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. 
- buckets: "1" - ---- -# Copyright 2019 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-logging - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - zap-logger-config: | - { - "level": "info", - "development": false, - "sampling": { - "initial": 100, - "thereafter": 100 - }, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "timestamp", - "levelKey": "severity", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "message", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "", - "callerEncoder": "" - } - } - # Log level overrides - loglevel.controller: "info" - loglevel.webhook: "info" - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-observability - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using Stackdriver will incur additional charges. - metrics.backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used and metrics will be sent to the cluster's project if this field is - # not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed - # to send metrics to Stackdriver using "global" resource type and custom - # metric type. Setting this flag to "true" could cause extra Stackdriver - # charge. If metrics.backend-destination is not Stackdriver, this is - # ignored. 
- metrics.allow-stackdriver-custom-metrics: "false" - metrics.taskrun.level: "task" - metrics.taskrun.duration-type: "histogram" - metrics.pipelinerun.level: "pipeline" - metrics.pipelinerun.duration-type: "histogram" - metrics.count.enable-reason: "false" - ---- -# Copyright 2020 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-registry-cert - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -# data: -# # Registry's self-signed certificate -# cert: | - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-spire - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # - # spire-trust-domain specifies the SPIRE trust domain to use. - # spire-trust-domain: "example.org" - # - # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API. - # spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock" - # - # spire-server-addr specifies the SPIRE server address for workload/node registration. - # spire-server-addr: "spire-server.spire.svc.cluster.local:8081" - # - # spire-node-alias-prefix specifies the SPIRE node alias prefix to use. - # spire-node-alias-prefix: "/tekton-node/" - ---- -# Copyright 2023 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-tracing - namespace: tekton-pipelines - labels: - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # - # Enable sending traces to defined endpoint by setting this to true - enabled: "true" - # - # API endpoint to send the traces to - # (optional): The default value is given below - endpoint: "http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces" - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-pipelines-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - version: "v0.53.2" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-controller - version: "v0.53.2" - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - serviceAccountName: tekton-pipelines-controller - containers: - - name: tekton-pipelines-controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/controller:v0.53.2@sha256:2cab05747826e7c32e2c588f0fefd354e03f643bd33dbe20533eada00562e6b1 - args: [ - # These images are built on-demand by `ko resolve` and are replaced - # by image references by digest. 
- "-entrypoint-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:v0.53.2@sha256:7a4269475491e3e9b70e173de6871596e63a9eefd792f2127ca7004145915a76", "-nop-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop:v0.53.2@sha256:1793eb2b13d86e084d603ec174904176e5e68b7161be9ed66786deda8f728f30", "-sidecarlogresults-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecarlogresults:v0.53.2@sha256:cf55af7c850b6f6b83d7565b728969cc6cf548ae0c72abf7261c42ce07eefe2d", "-workingdirinit-image", "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/workingdirinit:v0.53.2@sha256:5c0b96d1f1ac9a5c1d8fa50ba07a1174812190707c4abb939b6c41b0b8e72093", - # The shell image must allow root in order to create directories and copy files to PVCs. - # cgr.dev/chainguard/busybox as of April 14 2022 - # image shall not contains tag, so it will be supported on a runtime like cri-o - "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791", - # for script mode to work with windows we need a powershell image - # pinning to nanoserver tag as of July 15 2021 - "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"] - volumeMounts: - - name: config-logging - mountPath: /etc/config-logging - - name: config-registry-cert - mountPath: /etc/config-registry-cert - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the controller's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_DEFAULTS_NAME - value: config-defaults - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election-controller - - name: CONFIG_SPIRE - value: config-spire - - name: SSL_CERT_FILE - value: /etc/config-registry-cert/cert - - name: SSL_CERT_DIR - value: /etc/ssl/certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - # The following variables can be uncommented with correct values to enable Jaeger tracing - #- name: OTEL_EXPORTER_JAEGER_ENDPOINT - # value: http://jaeger-collector.jaeger:14268/api/traces - #- name: OTEL_EXPORTER_JAEGER_USER - # value: username - #- name: OTEL_EXPORTER_JAEGER_PASSWORD - # value: password - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # User 65532 is the nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - volumes: - - name: config-logging - configMap: - name: config-logging - - name: config-registry-cert - configMap: - name: config-registry-cert ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - 
pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-controller - version: "v0.53.2" - name: tekton-pipelines-controller - namespace: tekton-pipelines -spec: - ports: - - name: http-metrics - port: 9090 - protocol: TCP - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: probes - port: 8080 - selector: - app.kubernetes.io/name: controller - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2023 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-events-controller - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: events - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - version: "v0.53.2" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: events - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - labels: - app.kubernetes.io/name: events - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-events-controller - version: "v0.53.2" - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - serviceAccountName: tekton-events-controller - containers: - - name: tekton-events-controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/events:v0.53.2@sha256:0cf6f0be5319efdd8909ed8f987837d89146fd0632a744bf6d54bf83e5b13ca0 - args: [] - volumeMounts: - - name: config-logging - mountPath: /etc/config-logging - - name: config-registry-cert - mountPath: /etc/config-registry-cert - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you 
will also need to update - # the controller's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. - - name: CONFIG_DEFAULTS_NAME - value: config-defaults - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election-events - - name: SSL_CERT_FILE - value: /etc/config-registry-cert/cert - - name: SSL_CERT_DIR - value: /etc/ssl/certs - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # User 65532 is the nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - volumes: - - name: config-logging - configMap: - name: config-logging - - name: config-registry-cert - configMap: - name: config-registry-cert ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: events - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-events-controller - version: "v0.53.2" - name: tekton-events-controller - namespace: tekton-pipelines -spec: - ports: - - name: http-metrics - port: 9090 - protocol: TCP - targetPort: 9090 - - name: http-profiling - port: 8008 - 
targetPort: 8008 - - name: probes - port: 8080 - selector: - app.kubernetes.io/name: events - app.kubernetes.io/component: events - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Namespace -metadata: - name: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - pod-security.kubernetes.io/enforce: restricted - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # ClusterRole for resolvers to monitor and update resolutionrequests. 
- name: tekton-pipelines-resolvers-resolution-request-updates - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - - apiGroups: ["resolution.tekton.dev"] - resources: ["resolutionrequests", "resolutionrequests/status"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["tekton.dev"] - resources: ["tasks", "pipelines"] - verbs: ["get", "list"] - # Read-only access to these. - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tekton-pipelines-resolvers-namespace-rbac - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -rules: - # Needed to watch and load configuration and secret data. - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "list", "update", "watch"] - # This is needed by leader election to run the controller in HA. 
- - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2021 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers -roleRef: - kind: ClusterRole - name: tekton-pipelines-resolvers-resolution-request-updates - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2021 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: tekton-pipelines-resolvers-namespace-rbac - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -subjects: - - kind: ServiceAccount - name: tekton-pipelines-resolvers - namespace: tekton-pipelines-resolvers -roleRef: - kind: Role - name: tekton-pipelines-resolvers-namespace-rbac - apiGroup: rbac.authorization.k8s.io - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: bundleresolver-config - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # the default service account name to use for bundle requests. - default-service-account: "default" - # The default layer kind in the bundle image. - default-kind: "task" - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-resolver-config - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # The default kind to fetch. - default-kind: "task" - # The default namespace to look for resources in. - default-namespace: "" - # An optional comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. 
- allowed-namespaces: "" - # An optional comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. - blocked-namespaces: "" - ---- -# Copyright 2019 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: resolvers-feature-flags - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # Setting this flag to "true" enables remote resolution of Tekton OCI bundles. - enable-bundles-resolver: "true" - # Setting this flag to "true" enables remote resolution of tasks and pipelines via the Tekton Hub. - enable-hub-resolver: "true" - # Setting this flag to "true" enables remote resolution of tasks and pipelines from Git repositories. - enable-git-resolver: "true" - # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster. - enable-cluster-resolver: "true" - ---- -# Copyright 2020 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-leader-election-resolvers - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. - retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. 
The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" - ---- -# Copyright 2019 Tekton Authors LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-logging - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - zap-logger-config: | - { - "level": "info", - "development": false, - "sampling": { - "initial": 100, - "thereafter": 100 - }, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "timestamp", - "levelKey": "severity", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "message", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "", - "callerEncoder": "" - } - } - # Log level overrides - loglevel.controller: "info" - loglevel.webhook: "info" - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-observability - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using stackdriver will incur additional charges - metrics.backend-destination: prometheus - - # metrics.request-metrics-backend-destination specifies the request metrics - # destination. If non-empty, it enables queue proxy to send request metrics. - # Currently supported values: prometheus, stackdriver. - metrics.request-metrics-backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used if this field is not provided. 
- metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to - # Stackdriver using "global" resource type and custom metric type if the - # metrics are not supported by "knative_revision" resource type. Setting this - # flag to "true" could cause extra Stackdriver charge. - # If metrics.backend-destination is not Stackdriver, this is ignored. - metrics.allow-stackdriver-custom-metrics: "false" - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: git-resolver-config - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # The maximum amount of time a single anonymous cloning resolution may take. - fetch-timeout: "1m" - # The git url to fetch the remote resource from when using anonymous cloning. - default-url: "https://github.com/tektoncd/catalog.git" - # The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. - default-revision: "main" - # The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud - scm-type: "github" - # The SCM server URL to use with the authenticated API. 
Not needed when using github.com, gitlab.com, or BitBucket Cloud - server-url: "" - # The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. - api-token-secret-name: "" - # The key in the API token secret containing the actual token. Required when using the authenticated API. - api-token-secret-key: "" - # The namespace containing the API token secret. Defaults to "default". - api-token-secret-namespace: "default" - # The default organization to look for repositories under when using the authenticated API, - # if not specified in the resolver parameters. Optional. - default-org: "" - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: hubresolver-config - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines -data: - # the default Tekton Hub catalog from where to pull the resource. - default-tekton-hub-catalog: "Tekton" - # the default Artifact Hub Task catalog from where to pull the resource. - default-artifact-hub-task-catalog: "tekton-catalog-tasks" - # the default Artifact Hub Pipeline catalog from where to pull the resource. - default-artifact-hub-pipeline-catalog: "tekton-catalog-pipelines" - # the default layer kind in the hub image. 
- default-kind: "task" - # the default hub source to pull the resource from. - default-type: "artifact" - ---- -# Copyright 2022 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-pipelines-remote-resolvers - namespace: tekton-pipelines-resolvers - labels: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - version: "v0.53.2" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - labels: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-resolvers - version: 
"v0.53.2" - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: tekton-pipelines-resolvers - containers: - - name: controller - image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.53.2@sha256:6578d145acd9cd288e501023429439334de15de8bd77af132c57a1d5f982e940 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 1000m - memory: 4Gi - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - # This must match the value of the environment variable PROBES_PORT. - - name: probes - containerPort: 8080 - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the controller's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. 
- - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election-resolvers - - name: METRICS_DOMAIN - value: tekton.dev/resolution - - name: PROBES_PORT - value: "8080" - # Override this env var to set a private hub api endpoint - - name: ARTIFACT_HUB_API - value: "https://artifacthub.io/" - - name: TEKTON_HUB_API - value: "https://api.hub.tekton.dev/" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - "ALL" - seccompProfile: - type: RuntimeDefault - ---- -# Copyright 2023 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-remote-resolvers - version: "v0.53.2" - name: tekton-pipelines-remote-resolvers - namespace: tekton-pipelines-resolvers -spec: - ports: - - name: http-metrics - port: 9090 - protocol: TCP - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: probes - port: 8080 - selector: - app.kubernetes.io/name: resolvers - app.kubernetes.io/component: resolvers - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - version: "v0.53.2" -spec: - minReplicas: 1 - maxReplicas: 5 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: tekton-pipelines-webhook - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 100 - ---- -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1 -kind: Deployment -metadata: - # Note: the Deployment name must be the same as the Service name specified in - # config/400-webhook-service.yaml. If you change this name, you must also - # change the value of WEBHOOK_SERVICE_NAME below. 
- name: tekton-pipelines-webhook - namespace: tekton-pipelines - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - version: "v0.53.2" -spec: - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - template: - metadata: - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-webhook - version: "v0.53.2" - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: tekton-pipelines-webhook - containers: - - name: webhook - # This is the Go import path for the binary that is containerized - # and substituted here. 
- image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/webhook:v0.53.2@sha256:1e8f8be3b51be378747b4589dde970582f50e1e69f59527f0a9aa7a75c5833e3 - # Resource request required for autoscaler to take any action for a metric - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - # If you are changing these names, you will also need to update - # the webhook's Role in 200-role.yaml to include the new - # values in the "configmaps" "get" rule. - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: CONFIG_LEADERELECTION_NAME - value: config-leader-election-webhook - - name: CONFIG_FEATURE_FLAGS_NAME - value: feature-flags - # If you change PROBES_PORT, you will also need to change the - # containerPort "probes" to the same value. - - name: PROBES_PORT - value: "8080" - # If you change WEBHOOK_PORT, you will also need to change the - # containerPort "https-webhook" to the same value. - - name: WEBHOOK_PORT - value: "8443" - # if you change WEBHOOK_ADMISSION_CONTROLLER_NAME, you will also need to update - # the webhooks.name in 500-webhooks.yaml to include the new names of admission webhooks. - # Additionally, you will also need to change the resource names (metadata.name) of - # "MutatingWebhookConfiguration" and "ValidatingWebhookConfiguration" in 500-webhooks.yaml - # to reflect the change in the name of the admission webhook. - # Followed by changing the webhook's Role in 200-clusterrole.yaml to update the "resourceNames" of - # "mutatingwebhookconfigurations" and "validatingwebhookconfigurations" resources. 
- - name: WEBHOOK_ADMISSION_CONTROLLER_NAME - value: webhook.pipeline.tekton.dev - - name: WEBHOOK_SERVICE_NAME - value: tekton-pipelines-webhook - - name: WEBHOOK_SECRET_NAME - value: webhook-certs - - name: METRICS_DOMAIN - value: tekton.dev/pipeline - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - # User 65532 is the distroless nonroot user ID - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - # This must match the value of the environment variable WEBHOOK_PORT. - - name: https-webhook - containerPort: 8443 - # This must match the value of the environment variable PROBES_PORT. - - name: probes - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: /readiness - port: probes - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/version: "v0.53.2" - app.kubernetes.io/part-of: tekton-pipelines - # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml - pipeline.tekton.dev/release: "v0.53.2" - # labels below are related to istio and should not be used for resource lookup - app: tekton-pipelines-webhook - version: "v0.53.2" - name: tekton-pipelines-webhook - namespace: tekton-pipelines -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. 
- - name: http-metrics - port: 9090 - targetPort: metrics - - name: http-profiling - port: 8008 - targetPort: profiling - - name: https-webhook - port: 443 - targetPort: https-webhook - - name: probes - port: 8080 - targetPort: probes - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-pipelines - ---- diff --git a/scripts/lib.sh b/scripts/library.sh similarity index 100% rename from scripts/lib.sh rename to scripts/library.sh diff --git a/scripts/synchronize-istio-cni-manifests.sh b/scripts/synchronize-istio-cni-manifests.sh index d51c3dcb7..a7a899a8d 100644 --- a/scripts/synchronize-istio-cni-manifests.sh +++ b/scripts/synchronize-istio-cni-manifests.sh @@ -2,7 +2,7 @@ # This script helps to create a PR to update the Istio CNI manifests SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -source "${SCRIPT_DIRECTORY}/lib.sh" +source "${SCRIPT_DIRECTORY}/library.sh" setup_error_handling diff --git a/scripts/synchronize-istio-manifests.sh b/scripts/synchronize-istio-manifests.sh index 68484daa4..820fa30d7 100644 --- a/scripts/synchronize-istio-manifests.sh +++ b/scripts/synchronize-istio-manifests.sh @@ -3,7 +3,7 @@ # Source the common library functions SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -source "${SCRIPT_DIRECTORY}/lib.sh" +source "${SCRIPT_DIRECTORY}/library.sh" setup_error_handling diff --git a/scripts/synchronize-katib-manifests.sh b/scripts/synchronize-katib-manifests.sh index 92e09f5af..7ae208d73 100644 --- a/scripts/synchronize-katib-manifests.sh +++ b/scripts/synchronize-katib-manifests.sh @@ -2,7 +2,7 @@ # This script helps to create a PR to update the Katib manifests SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -source "${SCRIPT_DIRECTORY}/lib.sh" +source "${SCRIPT_DIRECTORY}/library.sh" setup_error_handling 
diff --git a/scripts/synchronize-knative-manifests.sh b/scripts/synchronize-knative-manifests.sh
index 17bea5c5b..c5f4c1fcf 100644
--- a/scripts/synchronize-knative-manifests.sh
+++ b/scripts/synchronize-knative-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the Knative manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-kserve-kserve-manifests.sh b/scripts/synchronize-kserve-kserve-manifests.sh
index d1c260f78..ae4b50f60 100644
--- a/scripts/synchronize-kserve-kserve-manifests.sh
+++ b/scripts/synchronize-kserve-kserve-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the KServe manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-kserve-web-application-manifests.sh b/scripts/synchronize-kserve-web-application-manifests.sh
index 6f0ade506..f0436f143 100644
--- a/scripts/synchronize-kserve-web-application-manifests.sh
+++ b/scripts/synchronize-kserve-web-application-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the KServe Models Web App manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-kubeflow-manifests.sh b/scripts/synchronize-kubeflow-manifests.sh
index 493b0962b..a7bf4fd90 100644
--- a/scripts/synchronize-kubeflow-manifests.sh
+++ b/scripts/synchronize-kubeflow-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the Kubeflow manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-model-registry-manifests.sh b/scripts/synchronize-model-registry-manifests.sh
index ae55ed222..fda9f9f19 100644
--- a/scripts/synchronize-model-registry-manifests.sh
+++ b/scripts/synchronize-model-registry-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the Model Registry manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-pipelines-manifests.sh b/scripts/synchronize-pipelines-manifests.sh
index 6c2a82f4d..9ae353a5e 100644
--- a/scripts/synchronize-pipelines-manifests.sh
+++ b/scripts/synchronize-pipelines-manifests.sh
@@ -2,14 +2,14 @@
 # This script helps to create a PR to update the Kubeflow Pipelines manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
 COMPONENT_NAME="pipelines"
 REPOSITORY_NAME="kubeflow/pipelines"
 REPOSITORY_URL="https://github.com/kubeflow/pipelines.git"
-COMMIT="2.4.1"
+COMMIT="2.5.0"
 REPOSITORY_DIRECTORY="pipelines"
 SOURCE_DIRECTORY=${SOURCE_DIRECTORY:=/tmp/kubeflow-${COMPONENT_NAME}}
 BRANCH_NAME=${BRANCH_NAME:=synchronize-kubeflow-${COMPONENT_NAME}-manifests-${COMMIT?}}
diff --git a/scripts/synchronize-spark-operator-manifests.sh b/scripts/synchronize-spark-operator-manifests.sh
index 21379113f..4a4e29689 100755
--- a/scripts/synchronize-spark-operator-manifests.sh
+++ b/scripts/synchronize-spark-operator-manifests.sh
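Review bot: In scripts/synchronize-pipelines-manifests.sh the new `COMMIT="2.5.0"` is a tag name, not a commit hash, so the manifests that get synchronized depend on wherever the upstream tag points when the script runs. The code that consumes `COMMIT` is outside this hunk, so this is inferred from the variable name and `REPOSITORY_URL`; if it checks out `${COMMIT}` from the clone, a moved or re-created tag would change the imported manifests without any change in this repository. Consider recording the expected hash next to the version, for example `EXPECTED_SHA="<full-commit-sha-of-2.5.0>"  # placeholder`, and failing before any manifests are copied when the checked-out commit differs. Keeping the readable version in `COMMIT` leaves `BRANCH_NAME`, which embeds `${COMMIT?}`, unchanged.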
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the Spark Operator manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/synchronize-training-operator-manifests.sh b/scripts/synchronize-training-operator-manifests.sh
index 9e863d1ee..cb2469667 100644
--- a/scripts/synchronize-training-operator-manifests.sh
+++ b/scripts/synchronize-training-operator-manifests.sh
@@ -2,7 +2,7 @@
 # This script helps to create a PR to update the Training Operator manifests
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/scripts/template.sh b/scripts/template.sh
index 1a0c21ee5..bc1fb2e49 100644
--- a/scripts/template.sh
+++ b/scripts/template.sh
@@ -4,7 +4,7 @@
 # Source the common library functions
 SCRIPT_DIRECTORY=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-source "${SCRIPT_DIRECTORY}/lib.sh"
+source "${SCRIPT_DIRECTORY}/library.sh"
 setup_error_handling
diff --git a/tests/gh-actions/spark_install.sh b/tests/gh-actions/install_spark.sh
similarity index 100%
rename from tests/gh-actions/spark_install.sh
rename to tests/gh-actions/install_spark.sh
diff --git a/tests/gh-actions/pipeline_test.py b/tests/gh-actions/test_pipeline.py
similarity index 100%
rename from tests/gh-actions/pipeline_test.py
rename to tests/gh-actions/test_pipeline.py
diff --git a/tests/gh-actions/spark_test.sh b/tests/gh-actions/test_spark.sh
similarity index 100%
rename from tests/gh-actions/spark_test.sh
rename to tests/gh-actions/test_spark.sh