add tekton

Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-05 20:50:58 +00:00 · 2026-05-18 18:39:13 -04:00 · 2026-05-18 18:39:13 -04:00 · bbbb96bd6a
commit bbbb96bd6a
parent bfce08329d
23 changed files with 199 additions and 111 deletions
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -3,4 +3,5 @@ kind: Kustomization
 resources:
  - forgejo
  - woodpecker
  - navidrome
--- a/apps/tekton/kustomization.yaml
+++ b/apps/tekton/kustomization.yaml
@ -0,0 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
  - https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml
--- a/apps/yopass/deployment.yaml
+++ b/apps/yopass/deployment.yaml
@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: yopass
-          image: jhaals/yopass
+          image: jhaals/yopass:13.1.0
          args:
            - "--memcached=localhost:11211"
          ports:
@ -28,7 +28,7 @@ spec:
              cpu: 100m
              memory: 50Mi
        - name: yopass-memcached
-          image: memcached
+          image: memcached:trixie
          resources:
            limits:
              cpu: 100m
--- a/apps/yopass/kustomization.yaml
+++ b/apps/yopass/kustomization.yaml
@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - deployment.yaml
  - network-policy.yaml
  - route.yaml
  - service.yaml
--- a/apps/yopass/network-policy.yaml
+++ b/apps/yopass/network-policy.yaml
@ -0,0 +1,17 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-ingress
  namespace: yopass
 spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: yopass
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "1337"
              protocol: TCP
--- a/apps/yopass/route.yaml
+++ b/apps/yopass/route.yaml
@ -0,0 +1,38 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: yopass
  namespace: yopass
 spec:
  parentRefs:
    - name: shared-edge-gateway
      namespace: cilium-ingress
  hostnames:
    - pastebin.gwg313.xyz
    - pastebin.local.gwg313.xyz
    - pastebin.zerotier.gwg313.xyz
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: yopass
          port: 1337
 ---
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
  name: allow-gateway-to-yopass
  namespace: yopass
 spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: cilium-ingress
  to:
    - group: ""
      kind: Service
      name: yopass
--- a/apps/yopass/service.yaml
+++ b/apps/yopass/service.yaml
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@ -11,4 +11,6 @@ resources:
  - monitoring.yaml
  - nfs-subdir.yaml
  - forgejo.yaml
  - yopass.yaml
  - tekton.yaml
  - navidrome.yaml
--- a/management/platform-apps/kyverno-policies.yaml
+++ b/management/platform-apps/kyverno-policies.yaml
@ -22,3 +22,4 @@ spec:
      - CreateNamespace=false
      - ServerSideApply=true
      - Replace=true # <-- Policies have immutable fields so this helps deal with updates
      - Force=true
--- a/management/platform-apps/tekton.yaml
+++ b/management/platform-apps/tekton.yaml
@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: tekton-pipelines
  namespace: argocd
  annotations:
    argoproj.io/sync-wave: "0" 
 spec:
  project: default
  source:
    repoURL: https://github.com/gwg313/homelab-gitops.git
    targetRevision: main
    path: apps/tekton
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
--- a/management/platform-apps/woodpecker.yaml
+++ b/management/platform-apps/woodpecker.yaml
@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: woodpecker
  namespace: argocd
  annotations:
    argoproj.io/sync-wave: "0"
 spec:
  project: default
  source:
    repoURL: https://github.com/gwg313/homelab-gitops.git
    targetRevision: main
    path: apps/woodpecker
  destination:
    server: https://kubernetes.default.svc
    namespace: woodpecker
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
--- a/management/platform-apps/yopass.yaml
+++ b/management/platform-apps/yopass.yaml
@ -0,0 +1,23 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: yopass
  namespace: argocd
  annotations:
    argoproj.io/sync-wave: "0"
 spec:
  project: default
  source:
    repoURL: https://github.com/gwg313/homelab-gitops.git
    targetRevision: main
    path: apps/yopass
  destination:
    server: https://kubernetes.default.svc
    namespace: yopass
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
--- a/platform/kyverno/policies/disallow-latest-tag.yaml
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
@ -12,6 +12,17 @@ spec:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              selector:
                matchExpressions:
                  - key: app.kubernetes.io/managed-by
                    operator: In
                    values:
                      - tekton-pipelines
                  - key: tekton.dev/task
                    operator: Exists
      validate:
        message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
        foreach:
--- a/platform/kyverno/policies/generate-ns-network-baseline.yaml
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@ -30,6 +30,8 @@ spec:
                - sealed-secrets
                - nfs-subdir-external-provisioner
                - monitoring
                - tekton-pipelines-resolvers
                - tekton-pipelines
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
--- a/platform/kyverno/policies/require-requests-limits.yaml
+++ b/platform/kyverno/policies/require-requests-limits.yaml
@ -34,6 +34,8 @@ spec:
                - sealed-secrets
                - nfs-subdir-external-provisioner
                - monitoring
                - tekton-pipelines-resolvers
                - tekton-pipelines
      validate:
        message: "Resource discipline violation: Containers must declare cpu/memory requests and limits."
        pattern:
--- a/woodpecker/certificate.yaml
+++ b/woodpecker/certificate.yaml
@ -1,12 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: woodpecker-cert
  namespace: istio-system
 spec:
  secretName: woodpecker-cert
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - ci.gwg313.xyz
--- a/woodpecker/gateway.yaml
+++ b/woodpecker/gateway.yaml
@ -1,18 +0,0 @@
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
  name: woodpecker-gateway
  namespace: woodpecker
 spec:
  selector:
    istio: gateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: woodpecker-cert
      hosts:
        - ci.gwg313.xyz
--- a/woodpecker/route.yaml
+++ b/woodpecker/route.yaml
@ -0,0 +1,41 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: woodpecker
  namespace: woodpecker
 spec:
  parentRefs:
    - name: shared-edge-gateway
      namespace: cilium-ingress
  hostnames:
    - ci.local.gwg313.xyz
    - ci.gwg313.xyz
    - ci.zerotier.gwg313.xyz
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: woodpecker-server
          port: 80
 ---
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: ReferenceGrant
 metadata:
  name: allow-gateway-to-woodpecker
  namespace: woodpecker
 spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: cilium-ingress
  to:
    - group: ""
      kind: Service
      name: woodpecker-server
--- a/woodpecker/service.yaml
+++ b/woodpecker/service.yaml
@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: woodpecker
  namespace: woodpecker
 spec:
  selector:
    app: woodpecker
  ports:
    - port: 80
      targetPort: 8000
--- a/woodpecker/virtualservice.yaml
+++ b/woodpecker/virtualservice.yaml
@ -1,16 +0,0 @@
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: woodpecker
  namespace: woodpecker
 spec:
  gateways:
    - woodpecker-gateway
  hosts:
    - ci.gwg313.xyz
  http:
    - route:
        - destination:
            host: woodpecker-server
            port:
              number: 80
--- a/yopass/certificate.yaml
+++ b/yopass/certificate.yaml
@ -1,13 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: yopass-cert
  namespace: istio-system
 spec:
  secretName: yopass-cert
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - pastebin.local.gwg313.xyz
    - pastebin.gwg313.xyz
--- a/yopass/gateway.yaml
+++ b/yopass/gateway.yaml
@ -1,19 +0,0 @@
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
  name: yopass-gateway
  namespace: yopass
 spec:
  selector:
    istio: gateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: yopass-cert
      hosts:
        - pastebin.gwg313.xyz
        - pastebin.local.gwg313.xyz
--- a/yopass/virtualservice.yaml
+++ b/yopass/virtualservice.yaml
@ -1,20 +0,0 @@
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: yopass
  namespace: yopass
 spec:
  hosts:
    - pastebin.gwg313.xyz
    - pastebin.local.gwg313.xyz
  gateways:
    - yopass-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: yopass
            port:
              number: 1337