add pac

Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
gwg313 2026-06-28 17:56:19 -04:00
parent ef827b2c69
commit 145721146e
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
35 changed files with 919 additions and 122 deletions


@ -41,7 +41,7 @@ spec:
- name: FORGEJO__ssh__START_SSH_SERVER
value: "false"
- name: FORGEJO__webhook__ALLOWED_HOST_LIST
value: "ci.gwg313.xyz"
value: "ci.gwg313.xyz,pipelines-as-code-controller.pipelines-as-code.svc.cluster.local"
- name: FORGEJO__migrations__ALLOWED_DOMAINS
value: "github.com,*.github.com"
volumeMounts:
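Review bot: The new ALLOWED_HOST_LIST entry appears to admit only webhooks whose target host is exactly `pipelines-as-code-controller.pipelines-as-code.svc.cluster.local`, so the webhook registered in Forgejo must use that FQDN rather than the short `pipelines-as-code-controller.pipelines-as-code` form or a Service IP, or Forgejo will refuse delivery. A comment above the value would spare the next reader the lookup, e.g. `# second entry: in-cluster PAC controller Service; must match the webhook URL host exactly`. The enclosing Deployment env list continues outside the hunk.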


@ -18,6 +18,14 @@ spec:
- ports:
- port: "3000"
protocol: TCP
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: pipelines-as-code
app: pipelines-as-code-controller
toPorts:
- ports:
- port: "3000"
protocol: TCP
# ---
# # ----------------------------------------------------
# # CI runner access (in-cluster service)
@ -43,6 +51,29 @@ spec:
# - port: "443"
# protocol: TCP
#
---
# ----------------------------------------------------
# PAC controller webhook delivery (in-cluster)
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-pac-egress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: pipelines-as-code
app: pipelines-as-code-controller
toPorts:
- ports:
- port: "8082"
protocol: TCP
---
# ----------------------------------------------------
# External git providers (FQDN restricted)
@ -72,22 +103,22 @@ spec:
# OPTIONAL: unrestricted egress (disabled by default)
# Enable ONLY when required for troubleshooting or apps
# ----------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-all-egress
namespace: forgejo
spec:
endpointSelector:
matchLabels:
app: forgejo
egress:
- toEntities:
- world
toPorts:
- ports:
- port: "443"
protocol: TCP
- port: "80"
protocol: TCP
# apiVersion: cilium.io/v2
# kind: CiliumNetworkPolicy
# metadata:
# name: allow-all-egress
# namespace: forgejo
# spec:
# endpointSelector:
# matchLabels:
# app: forgejo
#
# egress:
# - toEntities:
# - world
# toPorts:
# - ports:
# - port: "443"
# protocol: TCP
# - port: "80"
# protocol: TCP
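Review bot: `allow-pac-egress` (second hunk) permits Forgejo to reach the PAC controller on 8082 but contains no rule towards kube-dns, and once any egress policy selects `app: forgejo` every unlisted destination is denied; Forgejo resolves the controller's Service FQDN before each webhook delivery, so DNS egress must be granted by a policy outside this hunk for the rule to be useful — worth confirming. A one-line comment above the rule such as `# DNS egress for app: forgejo is granted by <policy-name placeholder>` keeps that dependency visible. If, as it appears, the last hunk turns the world-wide `allow-all-egress` policy into a comment, that is the right direction; since Cilium never sees commented YAML, deleting the block outright would also remove the chance of it being re-enabled by an accidental uncomment.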


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repository.yaml
- token-sealed.yaml


@ -0,0 +1,15 @@
apiVersion: pipelinesascode.tekton.dev/v1alpha1
kind: Repository
metadata:
name: homelab-gitops
namespace: cicd
spec:
url: https://git.gwg313.xyz/gwg313/homelab-gitops
git_provider:
url: http://forgejo.forgejo.svc.cluster.local
secret:
name: pac-forgejo-token
key: token
webhook_secret:
name: pac-forgejo-token
key: webhook-secret
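Review bot: `git_provider.url` is plain `http://forgejo.forgejo.svc.cluster.local`, so the API token from `pac-forgejo-token` travels in cleartext on every PAC call to Forgejo; the Cilium policies in this commit bound who may talk to port 3000 but do not protect the bytes on the wire. If the Forgejo Service terminates TLS, switch to `https://`; otherwise Cilium transparent encryption (WireGuard or IPsec) is the way to cover the pod-to-pod leg. Note also that the URL carries no port while the network policies only open 3000 — fine if the Service maps 80 to 3000, otherwise the port must be written explicitly.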


@ -0,0 +1,15 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: pac-forgejo-token
namespace: cicd
spec:
encryptedData:
token: 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
webhook-secret: AgC1QZVBm/K8wzYHM+sXOb5zHQU49iTgUL0EHKYC7U+nHS66Wbn0S/GvuXUPgMWQAUfLKKSsXIDOkwEmGXOnqqKnz9GjaOG1Yf0NWWFFRCFyxuN5ooW0lmhFw2s3J76ibmSiulRVF8CjXgPkctIkbPosfrItoiaOtHU2Tjgfh5/IgCI5pK+1pF2oqVoOaDvoygvgJOrq6piLaTCO0gNSBzQ0m6ksWTi8WoVcO7hsgbYemzXHSus9R9X5hHdxGEpLUINjHd4z51Hkg+EtgByXYtXpuThFKGPVkkc4mrn9K89w6+whDRId6VMAlCJEZr79QQTkOdpBpDdyMdzPqvFfQaF6TtMD8XJq78kKxwddhUOIjmc4/E2WlJYbfTlmTksoIl5LC/MZc7TSg2I6G4RNG5QOmOs4drmRo/sG6AKESUYInRvQNTQcOoSaSjgAdXnEMDag9buH9E9kdrJbr0QaGzvTjQnPPbcApsx/kWlbScNgPKHnxIkr45MqZoRJ+HaUpS8RvrNz++9kvDnCFQlLFggDYnNaXpoO4iWEAPIfsQhIPa+K3eBs2tC9aCqaTXI8Ajr7vdhSSN5uhSc82EXS+n8Ztqs2+3CHd1ybiNJVSKKNyJDwSl8dBWPLE0cpobmq5dIfpSRTyDQexH7LtjKZ9lAJ3XOXEalyqQUxuKrAnl3r8GfaeagU1jULpmeK+exaq1WPs06py/btgEBOfE3ks5cSzlGyehtGOgW6C918AEBuqmK349QtvMxx
template:
metadata:
name: pac-forgejo-token
namespace: cicd
type: Opaque


@ -5,3 +5,29 @@ resources:
- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
- https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
- https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.k8s.yaml
- namespace.yaml
- service-account.yaml
- tekton-runner-role.yaml
- tekton-runner-binding.yaml
- network-policy.yaml
- tasks/git-clone.yaml
- tasks/kaniko.yaml
- policy-exception.yaml
- pac-network-policy.yaml
- pac-role.yaml
patches:
- patch: |
apiVersion: v1
kind: Namespace
metadata:
name: tekton-pipelines
labels:
policy.home.arpa/allow-hostpath: "true"
- patch: |
apiVersion: v1
kind: Namespace
metadata:
name: pipelines-as-code
labels:
policy.home.arpa/allow-hostpath: "true"
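Review bot: The three remote resources are fetched from moving refs (`latest` release.yaml for Tekton Pipelines and Dashboard, `stable/release.k8s.yaml` for PAC), so every reconcile can pull different, unreviewed cluster-wide manifests — the PAC line appears to be the one this commit adds. Pinning each to a release tag (the Tekton bucket publishes `previous/vX.Y.Z/release.yaml`, and the raw GitHub URL accepts a tag in place of `stable`) turns upgrades into explicit, reviewable commits. The two namespace patches setting `policy.home.arpa/allow-hostpath: "true"` would also benefit from a comment naming which upstream component needs hostPath, since the exception they enable is namespace-wide.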


@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: cicd
labels:
app.kubernetes.io/name: cicd
app.kubernetes.io/part-of: tekton
app.kubernetes.io/managed-by: argocd
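Review bot: The `cicd` Namespace carries no Pod Security Admission labels, so the task pods this commit lands here (including kaniko, which runs as UID 0) are admitted without any baseline from the API server; Kyverno is relied on instead, and this same commit already carves exceptions out of it. Adding `pod-security.kubernetes.io/enforce: baseline` (with `warn`/`audit` at `restricted`) would still admit a root kaniko step while rejecting hostPath, privileged and host-namespace pods regardless of what the Kyverno exceptions allow. If PSA is enforced by a cluster-wide default elsewhere, a comment saying so would be enough.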


@ -0,0 +1,36 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: cicd-egress
namespace: cicd
spec:
endpointSelector: {}
egress:
# Tekton entrypoint sidecar updates TaskRun status via the K8s API
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "443"
protocol: TCP
# Push built images to Harbor registry in-cluster
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: harbor
app: harbor
toPorts:
- ports:
- port: "80"
protocol: TCP
# Git clone from internal Forgejo
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: forgejo
app: forgejo
toPorts:
- ports:
- port: "3000"
protocol: TCP
# Tool downloads (kubeconform), schema lookups
- toEntities:
- world
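Review bot: The final rule `toEntities: [world]` has no `toPorts`, so every pod in `cicd` (the selector is `{}`) may open any port to any address outside the cluster, which makes the careful port-scoping of the three rules above it irrelevant for whatever a compromised build step wants to reach externally. The comment names kubeconform downloads and schema lookups, which are HTTPS; scoping the rule to 443/TCP, or better a `toFQDNs` list, keeps the intent without the blanket allow. Note too that `world` does not include kube-dns, so name resolution for the `harbor` and `forgejo` destinations must be granted by another policy — if none exists, the DNS rule below is needed for this policy to work at all.
```yaml
  # … unchanged: kube-apiserver, harbor and forgejo rules …
  # Tool downloads (kubeconform), schema lookups — HTTPS only
  - toEntities:
      - world
    toPorts:
      - ports:
          - port: "443"
            protocol: TCP
  # Name resolution (the world entity does not cover kube-dns)
  - toEndpoints:
      - matchLabels:
          io.kubernetes.pod.namespace: kube-system
          k8s-app: kube-dns
    toPorts:
      - ports:
          - port: "53"
            protocol: UDP
          - port: "53"
            protocol: TCP
```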


@ -0,0 +1,46 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-forgejo-webhook-ingress
namespace: pipelines-as-code
spec:
endpointSelector:
matchLabels:
app: pipelines-as-code-controller
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: forgejo
app: forgejo
toPorts:
- ports:
- port: "8082"
protocol: TCP
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
rules:
dns:
- matchPattern: "*"
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: forgejo
app: forgejo
toPorts:
- ports:
- port: "3000"
protocol: TCP
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
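Review bot: The kube-apiserver egress rule here opens port `6443` while `cicd-egress` in the same commit opens `443` for the same entity; whether a policy must name the Service port (443) or the backend port (6443) depends on where Cilium applies the rule relative to service translation, and the answer is the same for both namespaces, so one of the two files is very likely wrong and will surface as a silently stuck controller or a failing TaskRun status update. Check the backend port of the `kubernetes` endpoints in the running cluster and use that value in both files. A secondary point: only `app: pipelines-as-code-controller` is selected, so I believe the watcher and webhook deployments shipped in the upstream PAC release stay unrestricted in this namespace — if that is intentional, a comment saying so would help.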

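--- /dev/null
+++ b/apps/tekton/pac-role.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: pac-task-reader
+namespace: cicd
+rules:
+- apiGroups: ["tekton.dev"]
+resources: ["tasks"]
+verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: pac-controller-cicd-access
+namespace: cicd
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: pac-task-reader
+subjects:
+- kind: ServiceAccount
+name: pipelines-as-code-controller
+namespace: pipelines-as-code
+- kind: ServiceAccount
+name: tekton-pipelines-resolvers
+namespace: tekton-pipelines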
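Review bot: The RoleBinding binds two service accounts from different namespaces (`pipelines-as-code-controller` and `tekton-pipelines-resolvers`) under a name that mentions only the controller, and neither subject says what it needs the access for, so a reader cannot tell whether the resolver entry is deliberate. A comment per subject would make the least-privilege scope defensible, e.g. `# PAC controller: presumably looks up Tasks referenced from .tekton/ PipelineRuns` and `# cluster resolver: resolves taskRef entries that point into namespace cicd`. The Role itself (get/list on tasks only) is appropriately narrow.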


@ -0,0 +1,54 @@
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: cicd-security-exceptions
namespace: cicd
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
exceptions:
- policyName: require-drop-all-capabilities
ruleNames: ["*"]
match:
any:
- resources:
namespaces: [cicd]
kinds: [Pod]
---
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: tekton-hostpath-exception
namespace: tekton-pipelines
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
exceptions:
- policyName: disallow-hostpath-volumes
ruleNames:
- no-hostpath
- autogen-no-hostpath
match:
any:
- resources:
namespaces: [tekton-pipelines]
kinds: [Pod, Deployment]
---
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: pac-hostpath-exception
namespace: pipelines-as-code
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
exceptions:
- policyName: disallow-hostpath-volumes
ruleNames:
- no-hostpath
- autogen-no-hostpath
match:
any:
- resources:
namespaces: [pipelines-as-code]
kinds: [Pod, Deployment]
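Review bot: `cicd-security-exceptions` exempts every Pod in `cicd` from all rules of `require-drop-all-capabilities` (`ruleNames: ["*"]`), although only the kaniko step, which runs as root, needs it; the git-clone task and any future task pod inherit the exemption for free. Kyverno's `match.any[].resources` accepts a `selector`, and Tekton labels run pods with `tekton.dev/task`, so the exception can be pinned to the one task that needs it. The two hostPath exceptions for the upstream namespaces are broad as well (`Pod, Deployment`, both rules); a comment naming which upstream component mounts a hostPath would document why they must exist.
```yaml
    - policyName: require-drop-all-capabilities
      ruleNames: ["*"]
      match:
        any:
          - resources:
              namespaces: [cicd]
              kinds: [Pod]
              # only the root-running kaniko step needs capabilities
              selector:
                matchLabels:
                  tekton.dev/task: kaniko
# … unchanged: tekton-hostpath-exception and pac-hostpath-exception …
```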


@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-runner
namespace: cicd
automountServiceAccountToken: false
imagePullSecrets:
- name: registry-creds
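Review bot: The `registry-creds` pull secret is referenced here but none of the resources this commit adds to the kustomization define it, so it is presumably created out of band (a sealed secret or a secret-sync tool) — a comment above `imagePullSecrets:` naming where it comes from would save the next person a search when pulls start failing with an absent secret. `automountServiceAccountToken: false` is a good default for build pods.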


@ -0,0 +1,249 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: git-clone
namespace: cicd
labels:
app.kubernetes.io/version: "0.10"
annotations:
tekton.dev/pipelines.minVersion: "0.38.0"
tekton.dev/categories: Git
tekton.dev/tags: git
tekton.dev/displayName: "git clone"
tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
spec:
description: >-
These Tasks are Git tasks to work with repositories used by other tasks
in your Pipeline.
The git-clone Task will clone a repo from the provided url into the
output Workspace. By default the repo will be cloned into the root of
your Workspace. You can clone into a subdirectory by setting this Task's
subdirectory param. This Task also supports sparse checkouts. To perform
a sparse checkout, pass a list of comma separated directory patterns to
this Task's sparseCheckoutDirectories param.
workspaces:
- name: output
description: The git repo will be cloned onto the volume backing this Workspace.
- name: ssh-directory
optional: true
description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
with the git remote when performing the clone. Binding a Secret to this
Workspace is strongly recommended over other volume types.
- name: basic-auth
optional: true
description: |
A Workspace containing a .gitconfig and .git-credentials file. These
will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
- name: ssl-ca-directory
optional: true
description: |
A workspace containing CA certificates, this will be used by Git to
verify the peer with when fetching or pushing over HTTPS.
params:
- name: url
description: Repository URL to clone from.
type: string
- name: revision
description: Revision to checkout. (branch, tag, sha, ref, etc...)
type: string
default: ""
- name: refspec
description: Refspec to fetch before checking out revision.
default: ""
- name: submodules
description: Initialize and fetch git submodules.
type: string
default: "true"
- name: depth
description: Perform a shallow clone, fetching only the most recent N commits.
type: string
default: "1"
- name: sslVerify
description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
type: string
default: "true"
- name: crtFileName
description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt.
type: string
default: "ca-bundle.crt"
- name: subdirectory
description: Subdirectory inside the `output` Workspace to clone the repo into.
type: string
default: ""
- name: sparseCheckoutDirectories
description: Define the directory patterns to match or exclude when performing a sparse checkout.
type: string
default: ""
- name: deleteExisting
description: Clean out the contents of the destination directory if it already exists before cloning.
type: string
default: "true"
- name: httpProxy
description: HTTP proxy server for non-SSL requests.
type: string
default: ""
- name: httpsProxy
description: HTTPS proxy server for SSL requests.
type: string
default: ""
- name: noProxy
description: Opt out of proxying HTTP/HTTPS requests.
type: string
default: ""
- name: verbose
description: Log the commands that are executed during `git-clone`'s operation.
type: string
default: "true"
- name: gitInitImage
description: The image providing the git-init binary that this Task runs.
type: string
default: "ghcr.io/tektoncd-catalog/git-clone:v1.1.0"
- name: userHome
description: |
Absolute path to the user's home directory.
type: string
default: "/home/git"
results:
- name: commit
description: The precise commit SHA that was fetched by this Task.
- name: url
description: The precise URL that was fetched by this Task.
- name: committer-date
description: The epoch timestamp of the commit that was fetched by this Task.
steps:
- name: clone
image: "$(params.gitInitImage)"
env:
- name: HOME
value: "$(params.userHome)"
- name: PARAM_URL
value: $(params.url)
- name: PARAM_REVISION
value: $(params.revision)
- name: PARAM_REFSPEC
value: $(params.refspec)
- name: PARAM_SUBMODULES
value: $(params.submodules)
- name: PARAM_DEPTH
value: $(params.depth)
- name: PARAM_SSL_VERIFY
value: $(params.sslVerify)
- name: PARAM_CRT_FILENAME
value: $(params.crtFileName)
- name: PARAM_SUBDIRECTORY
value: $(params.subdirectory)
- name: PARAM_DELETE_EXISTING
value: $(params.deleteExisting)
- name: PARAM_HTTP_PROXY
value: $(params.httpProxy)
- name: PARAM_HTTPS_PROXY
value: $(params.httpsProxy)
- name: PARAM_NO_PROXY
value: $(params.noProxy)
- name: PARAM_VERBOSE
value: $(params.verbose)
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
value: $(params.sparseCheckoutDirectories)
- name: PARAM_USER_HOME
value: $(params.userHome)
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
- name: WORKSPACE_SSL_CA_DIRECTORY_BOUND
value: $(workspaces.ssl-ca-directory.bound)
- name: WORKSPACE_SSL_CA_DIRECTORY_PATH
value: $(workspaces.ssl-ca-directory.path)
securityContext:
runAsNonRoot: true
runAsUser: 65532
volumeMounts:
- name: user-home
mountPath: $(params.userHome)
script: |
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then
export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}"
if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
fi
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir || true
fi
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}"
/ko-app/git-init \
-url="${PARAM_URL}" \
-revision="${PARAM_REVISION}" \
-refspec="${PARAM_REFSPEC}" \
-path="${CHECKOUT_DIR}" \
-sslVerify="${PARAM_SSL_VERIFY}" \
-submodules="${PARAM_SUBMODULES}" \
-depth="${PARAM_DEPTH}" \
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
cd "${CHECKOUT_DIR}"
RESULT_SHA="$(git rev-parse HEAD)"
EXIT_CODE="$?"
if [ "${EXIT_CODE}" != 0 ] ; then
exit "${EXIT_CODE}"
fi
RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)"
printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)"
printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
printf "%s" "${PARAM_URL}" > "$(results.url.path)"
volumes:
- name: user-home
emptyDir: {}
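Review bot: `gitInitImage` defaults to `ghcr.io/tektoncd-catalog/git-clone:v1.1.0`, a mutable tag, while the kaniko task beside it pins both of its images by digest; a tag can be repointed upstream without any change in this repository, so the step that handles the repository credentials would silently run a different binary. Pinning the default to `ghcr.io/tektoncd-catalog/git-clone:v1.1.0@sha256:<digest placeholder>` brings it in line with the kaniko task. The vendored script is otherwise faithful to upstream; the `EXIT_CODE="$?"` check after `RESULT_SHA=...` is redundant under `set -e`, which already aborts on a failing command substitution, but harmless.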


@ -0,0 +1,70 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: kaniko
namespace: cicd
labels:
app.kubernetes.io/version: "0.7"
annotations:
tekton.dev/pipelines.minVersion: "0.43.0"
tekton.dev/categories: Image Build
tekton.dev/tags: image-build
tekton.dev/displayName: "Build and upload container image using Kaniko"
tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le"
tekton.dev/deprecated: "true"
spec:
description: >-
This Task builds a simple Dockerfile with kaniko and pushes to a registry.
This Task stores the image name and digest as results, allowing Tekton Chains to pick up
that an image was built & sign it.
params:
- name: IMAGE
description: Name (reference) of the image to build.
- name: DOCKERFILE
description: Path to the Dockerfile to build.
default: ./Dockerfile
- name: CONTEXT
description: The build context used by Kaniko.
default: ./
- name: EXTRA_ARGS
type: array
default: []
- name: BUILDER_IMAGE
description: The image on which builds will run (default is v1.5.1)
default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
- name: WRITER_IMAGE
description: The image on which the write-url step will run (default is docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9)
default: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
workspaces:
- name: source
description: Holds the context and Dockerfile
- name: dockerconfig
description: Includes a docker `config.json`
optional: true
mountPath: /kaniko/.docker
results:
- name: IMAGE_DIGEST
description: Digest of the image just built.
- name: IMAGE_URL
description: URL of the image just built.
steps:
- name: build-and-push
workingDir: $(workspaces.source.path)
image: $(params.BUILDER_IMAGE)
args:
- $(params.EXTRA_ARGS)
- --dockerfile=$(params.DOCKERFILE)
- --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source.
- --destination=$(params.IMAGE)
- --digest-file=$(results.IMAGE_DIGEST.path)
# kaniko assumes it is running as root, which means this example fails on platforms
# that default to run containers as random uid (like OpenShift). Adding this securityContext
# makes it explicit that it needs to run as root.
securityContext:
runAsUser: 0
- name: write-url
image: $(params.WRITER_IMAGE)
script: |
set -e
image="$(params.IMAGE)"
printf "%s" "${image}" | tee "$(results.IMAGE_URL.path)"
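Review bot: The task is annotated `tekton.dev/deprecated: "true"` and the executor pin `gcr.io/kaniko-project/executor:v1.5.1@…` is, I believe, a roughly 2021-era release, yet it is the only step in this namespace that runs as root and is the reason for the capability exception added in this commit — the digest pin is good, the age is the risk, so a newer pinned executor is worth a follow-up. `EXTRA_ARGS` is spliced verbatim into the executor command line, so anyone who can author a PipelineRun in `cicd` controls every executor flag; that is upstream behaviour, but a comment on the param would make the trust assumption explicit, e.g. `# passed verbatim to the executor; PipelineRun authors are trusted`.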


@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-runner
namespace: cicd
subjects:
- kind: ServiceAccount
name: tekton-runner
namespace: cicd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tekton-runner
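Review bot: The `tekton-runner` ServiceAccount this binding targets is created with `automountServiceAccountToken: false` elsewhere in the commit, so pods running under it receive no token and the create/delete rights on pipelineruns and taskruns granted by the `tekton-runner` Role (whose definition runs past the end of this page) are unreachable from a build step unless a projected token volume is added explicitly. If the intent is that nothing in a task pod can spawn further runs, the Role could be trimmed to what the pods really need; if a deliberate consumer mounts the token by hand, a comment above `subjects:` naming it resolves the ambiguity, e.g. `# token is not automounted; only <consumer placeholder> projects one explicitly`.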


@ -0,0 +1,34 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-runner
namespace: cicd
rules:
- apiGroups: ["tekton.dev"]
resources:
- pipelineruns
- taskruns
verbs:
- get
- list
- watch
- create
- delete
- apiGroups: [""]
resources:
- pods
- pods/log
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- configmaps
verbs:
- get
- list
- watch