-
Notifications
You must be signed in to change notification settings - Fork 155
Expand file tree
/
Copy path100-deployment.yaml
More file actions
155 lines (153 loc) · 5.24 KB
/
100-deployment.yaml
File metadata and controls
155 lines (153 loc) · 5.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: Namespace
apiVersion: v1
metadata:
name: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
---
apiVersion: v1
kind: Secret
metadata:
name: signing-secrets
namespace: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
# The data is populated at install time.
# data:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: chains-config
namespace: tekton-chains
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
# The data can be tweaked at install time, it is commented out
# because these are the default settings.
# data:
# artifacts.taskrun.format: tekton
# artifacts.taskrun.storage: tekton
# artifacts.taskrun.signer: x509
# artifacts.oci.storage: oci
# artifacts.oci.format: simplesigning
# artifacts.oci.signer: x509
# transparency.enabled: false
# transparency.url: https://rekor.sigstore.dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tekton-chains-controller
namespace: tekton-chains
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
pipeline.tekton.dev/release: "devel"
version: "devel"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
labels:
app: tekton-chains-controller
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
# # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
pipeline.tekton.dev/release: "devel"
version: "devel"
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: controller
app.kubernetes.io/component: controller
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: tekton-chains-controller
containers:
- name: tekton-chains-controller
image: ko://github.com/tektoncd/chains/cmd/controller
volumeMounts:
- name: signing-secrets
mountPath: /etc/signing-secrets
- name: oidc-info
mountPath: /var/run/sigstore/cosign
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METRICS_DOMAIN
value: tekton.dev/chains
- name: CONFIG_OBSERVABILITY_NAME
value: tekton-chains-config-observability
- name: CONFIG_LEADERELECTION_NAME
value: tekton-chains-config-leader-election
- name: KUBERNETES_MIN_VERSION
value: "v1.28.0"
ports:
- name: metrics
containerPort: 9090
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
# User 65532 is the distroless nonroot user ID
runAsUser: 65532
runAsGroup: 65532
volumes:
- name: signing-secrets
secret:
secretName: signing-secrets
- name: oidc-info
projected:
sources:
# The "public good" instance supports tokens from EKS and GKE by default.
# The fulcio URL can also be redirected to an instance that has been
# configured to accept other issuers as well. Removing this volume
# completely will direct chains to use alternate ambient credentials
# (e.g. GKE workload identity, SPIFFE)
- serviceAccountToken:
path: oidc-token
expirationSeconds: 600 # Use as short-lived as possible.
audience: sigstore