# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Namespace that hosts the Tekton Chains controller together with its
# signing Secret and ConfigMap; every other document in this file targets it.
kind: Namespace
apiVersion: v1
metadata:
  name: tekton-chains
  # NOTE(review): Pod Security Admission labels (pod-security.kubernetes.io/*)
  # could be added here once the controller pod is confirmed to satisfy the
  # chosen profile on the target cluster version — verify before enforcing.
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
---
# Secret mounted into the controller at /etc/signing-secrets (see the
# signing-secrets volume in the Deployment below); presumably it carries the
# key material used by the configured signer — confirm against the chains docs.
# No data is shipped with the manifest, so the object is created empty.
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
# The data is populated at install time.
# data:
---
# Controller configuration. The ConfigMap is created without data because the
# commented-out keys below are already the controller's built-in defaults; an
# installer only needs to set the ones it wants to change.
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
# The data can be tweaked at install time, it is commented out
# because these are the default settings.
# data:
#   artifacts.taskrun.format: tekton
#   artifacts.taskrun.storage: tekton
#   artifacts.taskrun.signer: x509
#   artifacts.oci.storage: oci
#   artifacts.oci.format: simplesigning
#   artifacts.oci.signer: x509
#   # Transparency-log upload is off by default; the URL is only used when
#   # it is enabled.
#   transparency.enabled: false
#   transparency.url: https://rekor.sigstore.dev
---
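# Deployment of the Tekton Chains controller. The pod runs as the distroless
# non-root user, mounts the signing Secret read-only, and receives a
# short-lived, audience-bound service-account token for OIDC-based signing.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-chains-controller
  namespace: tekton-chains
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
    pipeline.tekton.dev/release: "devel"
    version: "devel"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-chains
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-chains-controller
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/part-of: tekton-chains
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "devel"
        version: "devel"
    spec:
      serviceAccountName: tekton-chains-controller
      containers:
        - name: tekton-chains-controller
          image: ko://github.com/tektoncd/chains/cmd/controller
          volumeMounts:
            # Secret and projected volumes are read-only by nature; stating it
            # on the mount makes the intent visible to reviewers and policy tools.
            - name: signing-secrets
              mountPath: /etc/signing-secrets
              readOnly: true
            - name: oidc-info
              mountPath: /var/run/sigstore/cosign
              readOnly: true
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: METRICS_DOMAIN
              value: tekton.dev/chains
            - name: CONFIG_OBSERVABILITY_NAME
              value: tekton-chains-config-observability
          ports:
            - name: metrics
              containerPort: 9090
          securityContext:
            allowPrivilegeEscalation: false
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            # Have the kubelet verify the image does not run as root, rather
            # than relying on the numeric UID alone.
            runAsNonRoot: true
            # A non-root process gains nothing from bounding-set capabilities;
            # dropping them all is a no-op functionally and is required by the
            # "restricted" Pod Security Standard.
            capabilities:
              drop:
                - ALL
            # NOTE(review): readOnlyRootFilesystem and seccompProfile
            # (RuntimeDefault) are left out here — confirm the controller does
            # not write to its root filesystem and that the target clusters
            # support the seccompProfile field before adding them.
      volumes:
        - name: signing-secrets
          secret:
            secretName: signing-secrets
        - name: oidc-info
          projected:
            sources:
              # The "public good" instance supports tokens from EKS and GKE by default.
              # The fulcio URL can also be redirected to an instance that has been
              # configured to accept other issuers as well. Removing this volume
              # completely will direct chains to use alternate ambient credentials
              # (e.g. GKE workload identity, SPIFFE)
              - serviceAccountToken:
                  path: oidc-token
                  expirationSeconds: 600 # Use as short-lived as possible.
                  # Binding the token to a single audience keeps it from being
                  # replayed against the Kubernetes API or other services.
                  audience: sigstore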