Skip to content

ElementalCognition/tekton-toolbox

Repository files navigation

tekton-toolbox

Toolbox for Tekton

Overview

A set of tools and services which simplify a process to work with Tekton.

Simple flow

  1. :octocat: GitHub Webhook
    • 📥 Receive payload
  2. ⚙️ Kube-Pipeline-Config
    • 📁 Retrieve default PipelineRun config from ConfigMap
  3. :octocat: GitHub-Pipeline-Config
    • 📜 Get .tekton.yaml from the repository
  4. Pipeline-Config-Trigger
    • 🔀 Merge and generate configs for PipelineRuns

Interceptors setup

To deploy interceptor (the same approach works for each cluster interceptor listed abouve) e.g kube-pipeline-config

k8s deployment must have the following ENV vars:

- name: SYSTEM_NAMESPACE
  value: tekton-pipelines
- name: INTERCEPTER_NAME  # Keep k8s service name and clusterintercepter name the same.
  value: kube-pipeline-config
- name: SVC_NAMESPACE
  valueFrom:
    fieldRef:
      fieldPath: metadata.namespace

k8s deployment must use https to check readiness and liveness:

readinessProbe:
  httpGet:
    path: /health
    port: 8443
    scheme: HTTPS
  initialDelaySeconds: 5
livenessProbe:
  httpGet:
    path: /health
    port: 8443
    scheme: HTTPS

Interceptor will listens only on 8443 port HTTPS on start, an interceptor will check if the secret (the secret name has the interceptor's name) with certificates exists. If it's missing interceptor will create one and fill it with the data. Next start and/or redeploy will check if it exists and use existing certs. Custom resource kind: ClusterInterceptor will be created by the interceptor and updated with caBundle taking ca-cert.pem from the secret.

IMPORTANT

If a cert secret was deleted, certificates will be regenerated and caBundle will be updated accordingly. You MUST restart deploy/el-github-listener and deploy/el-events-listener otherwise events-listeners will with X509 SelfSign certificate error.