apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: controller-manager
  name: integration-service
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: integration-service/serving-cert
    controller-gen.kubebuilder.io/version: v0.17.2
  name: componentgroups.appstudio.redhat.com
spec:
  group: appstudio.redhat.com
  names:
    kind: ComponentGroup
    listKind: ComponentGroupList
    plural: componentgroups
    shortNames:
    - cg
    singular: componentgroup
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1beta2
    schema:
      openAPIV3Schema:
        description: |-
          ComponentGroup is the Schema for the componentgroups API.
          ComponentGroup serves as the replacement for the Application CR in the new application/component model.
          It groups Components together for testing and releasing, supports test serialization,
          ComponentGroup dependencies, and tracks the Global Candidate List (GCL) for each Component.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ComponentGroupSpec defines the desired state of ComponentGroup
            properties:
              components:
                description: |-
                  Components is a list of Components (name and branch) that belong to the ComponentGroup.
                  This is the source of truth for logical groupings of versioned Components.
                items:
                  description: ComponentReference references a Component and its specific branch/version
                  properties:
                    componentVersion:
                      description: |-
                        ComponentVersion references the ComponentVersion for this Component.
                        The ComponentVersion CRD will be implemented by the build team as part of STONEBLD-3604.
                        For now, this contains the branch name and GCL (Global Candidate List) information.
                      properties:
                        context:
                          description: |-
                            Name of the context directory for the component version. Used with Revision
                          type: string
                        name:
                          description: |-
                            Name is the name of the ComponentVersion (typically the branch name like "main", "v1", etc.)
                            This will reference the ComponentVersion CRD once it's implemented.
                          type: string
                        version:
                          description: |-
                            Name of the git revision for the component version. Used as a fallback if the
                            `appstudio.openshift.io/version` label is not set on the build PLR
                          type: string
                      required:
                      - name
                      type: object
                    name:
                      description: Name is the name of the Component
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                  required:
                  - componentVersion
                  - name
                  type: object
                type: array
              dependents:
                description: |-
                  Dependents is a list of ComponentGroup names that are dependent on this ComponentGroup.
                  When a snapshot is created for this ComponentGroup, snapshots will also be created for all dependents.
                items:
                  type: string
                type: array
              snapshotCreator:
                description: |-
                  SnapshotCreator is an optional field that allows custom logic for Snapshot creation.
                  This field is reserved for future implementation and should not be used yet.
                properties:
                  taskRef:
                    description: |-
                      TaskRef references a Tekton Task that will create the Snapshot CR.
                      This field is reserved for future use.
                    properties:
                      params:
                        description: Params contains the parameters used to identify the referenced Task
                        items:
                          description: ResolverParameter contains the name and values used to identify the referenced Tekton resource
                          properties:
                            name:
                              type: string
                            value:
                              type: string
                          required:
                          - name
                          - value
                          type: object
                        type: array
                      resolver:
                        description: Resolver is the name of the resolver (e.g., "git", "bundle")
                        type: string
                    required:
                    - params
                    - resolver
                    type: object
                type: object
              testGraph:
                additionalProperties:
                  items:
                    description: TestGraphNode represents a node in the test serialization graph
                    properties:
                      name:
                        description: Name is the name of the IntegrationTestScenario
                        type: string
                      onFail:
                        default: run
                        description: |-
                          OnFail defines how to behave if this IntegrationTestScenario fails.
                          Options: "run" (default) - continue running dependent tests, "skip" - skip dependent tests
                        enum:
                        - run
                        - skip
                        type: string
                    required:
                    - name
                    type: object
                  type: array
                description: |-
                  TestGraph describes the desired order in which tests associated with the ComponentGroup should be executed.
                  If not specified, all tests will run in parallel.
                  The map key is the test scenario name, and the value is a list of parent test scenarios it depends on.
                type: object
            required:
            - components
            type: object
          status:
            description: ComponentGroupStatus defines the observed state of ComponentGroup
            properties:
              conditions:
                description: Conditions is an array of the ComponentGroup's status conditions
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
              globalCandidateList:
                description: |-
                  The list of recently promoted Components which the integration service uses to create Snapshots
                items:
                  properties:
                    lastPromotedBuildTime:
                      description: |-
                        Timestamp for build of the LastPromotedImage. Used to prevent regressions resulting from race conditions
                        Format: RFC3339 (e.g., "2025-08-13T12:00:00Z")
                      format: date-time
                      type: string
                    lastPromotedCommit:
                      description: Git commit associated with the build of LastPromotedImage
                      type: string
                    lastPromotedImage:
                      description: |-
                        Location of the last image for this Component to be promoted.
                        If no image has been promoted then the field will be blank
                      type: string
                    name:
                      description: Name of the Component
                      type: string
                    url:
                      description: |-
                        Git URL for the component. Needed by Release service. Can be used along with
                        LastPromotedCommit to access the code that has been promoted
                      type: string
                    version:
                      description: |-
                        Version of the Component. Only required if multiple versions of the
                        same Component are in the ComponentGroup
                      type: string
                  required:
                  - name
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: integration-service/serving-cert
    controller-gen.kubebuilder.io/version: v0.17.2
  name: integrationtestscenarios.appstudio.redhat.com
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: integration-service-webhook-service
          namespace: integration-service
          path: /convert
      conversionReviewVersions:
      - v1alpha1
      - v1beta1
      - v1beta2
  group: appstudio.redhat.com
  names:
    kind: IntegrationTestScenario
    listKind: IntegrationTestScenarioList
    plural: integrationtestscenarios
    shortNames:
    - its
    singular: integrationtestscenario
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.application
      name: Application
      type: string
    deprecated: true
    deprecationWarning: The v1alpha1 version is deprecated and will be automatically migrated to v1beta1
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IntegrationTestScenario is the Schema for the integrationtestscenarios API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: IntegrationTestScenarioSpec defines the desired state of IntegrationScenario
            properties:
              application:
                description: Application that's associated with the IntegrationTestScenario
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                type: string
              bundle:
                description: Tekton Bundle where to find the pipeline
                type: string
              contexts:
                description: Contexts where this IntegrationTestScenario can be applied
                items:
                  description: TestContext contains the name and values of a Test context
                  properties:
                    description:
                      type: string
                    name:
                      type: string
                  required:
                  - name
                  type: object
                type: array
              environment:
                description: Environment that will be utilized by the test pipeline
                properties:
                  configuration:
                    description: |-
                      EnvironmentConfiguration contains Environment-specific configurations details, to be used when generating
                      Component/Application GitOps repository resources.
                    properties:
                      env:
                        description: An array of standard environment variables
                        items:
                          description: EnvVarPair describes environment variables to use for the component
                          properties:
                            name:
                              description: Name is the environment variable name
                              type: string
                            value:
                              description: Value is the environment variable value
                              type: string
                          required:
                          - name
                          - value
                          type: object
                        type: array
                      target:
                        description: |-
                          Target is used to reference a DeploymentTargetClaim for a target Environment.
                          The Environment controller uses the referenced DeploymentTargetClaim to access its bounded
                          DeploymentTarget with cluster credential secret.
                        properties:
                          deploymentTargetClaim:
                            description: DeploymentTargetClaimConfig specifies the DeploymentTargetClaim details for a given Environment.
                            properties:
                              claimName:
                                type: string
                            required:
                            - claimName
                            type: object
                        required:
                        - deploymentTargetClaim
                        type: object
                    type: object
                  name:
                    type: string
                  type:
                    description: |-
                      DEPRECATED: EnvironmentType should no longer be used, and has no replacement.
                      - Its original purpose was to indicate whether an environment is POC/Non-POC, but these data were ultimately not required.
                    type: string
                required:
                - name
                - type
                type: object
              params:
                description: Params to pass to the pipeline
                items:
                  description: PipelineParameter contains the name and values of a Tekton Pipeline parameter
                  properties:
                    name:
                      type: string
                    value:
                      type: string
                    values:
                      items:
                        type: string
                      type: array
                  required:
                  - name
                  type: object
                type: array
              pipeline:
                description: Release Tekton Pipeline to execute
                type: string
            required:
            - application
            - bundle
            - pipeline
            type: object
          status:
            description: IntegrationTestScenarioStatus defines the observed state of IntegrationTestScenario
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            required:
            - conditions
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.application
      name: Application
      type: string
    deprecated: true
    deprecationWarning: The v1beta1 version is deprecated and will be automatically migrated to v1beta2
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: IntegrationTestScenario is the Schema for the integrationtestscenarios API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: IntegrationTestScenarioSpec defines the desired state of IntegrationScenario
            properties:
              application:
                description: Application that's associated with the IntegrationTestScenario
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                type: string
              contexts:
                description: Contexts where this IntegrationTestScenario can be applied
                items:
                  description: TestContext contains the name and values of a Test context
                  properties:
                    description:
                      type: string
                    name:
                      type: string
                  required:
                  - name
                  type: object
                type: array
              environment:
                description: Environment that will be utilized by the test pipeline
                properties:
                  configuration:
                    description: |-
                      EnvironmentConfiguration contains Environment-specific configurations details, to be used when generating
                      Component/Application GitOps repository resources.
                    properties:
                      env:
                        description: An array of standard environment variables
                        items:
                          description: EnvVarPair describes environment variables to use for the component
                          properties:
                            name:
                              description: Name is the environment variable name
                              type: string
                            value:
                              description: Value is the environment variable value
                              type: string
                          required:
                          - name
                          - value
                          type: object
                        type: array
                      target:
                        description: |-
                          Target is used to reference a DeploymentTargetClaim for a target Environment.
                          The Environment controller uses the referenced DeploymentTargetClaim to access its bounded
                          DeploymentTarget with cluster credential secret.
                        properties:
                          deploymentTargetClaim:
                            description: DeploymentTargetClaimConfig specifies the DeploymentTargetClaim details for a given Environment.
                            properties:
                              claimName:
                                type: string
                            required:
                            - claimName
                            type: object
                        required:
                        - deploymentTargetClaim
                        type: object
                    type: object
                  name:
                    type: string
                  type:
                    description: |-
                      DEPRECATED: EnvironmentType should no longer be used, and has no replacement.
                      - Its original purpose was to indicate whether an environment is POC/Non-POC, but these data were ultimately not required.
                    type: string
                required:
                - name
                - type
                type: object
              params:
                description: Params to pass to the pipeline
                items:
                  description: PipelineParameter contains the name and values of a Tekton Pipeline parameter
                  properties:
                    name:
                      type: string
                    value:
                      type: string
                    values:
                      items:
                        type: string
                      type: array
                  required:
                  - name
                  type: object
                type: array
              resolverRef:
                description: Tekton Resolver where to store the Tekton resolverRef trigger Tekton pipeline used to refer to a Pipeline or Task in a remote location like a git repo.
                properties:
                  params:
                    description: |-
                      Params contains the parameters used to identify the
                      referenced Tekton resource. Example entries might include
                      "repo" or "path" but the set of params ultimately depends on
                      the chosen resolver.
                    items:
                      description: ResolverParameter contains the name and values used to identify the referenced Tekton resource
                      properties:
                        name:
                          type: string
                        value:
                          type: string
                      required:
                      - name
                      - value
                      type: object
                    type: array
                  resolver:
                    description: Resolver is the name of the resolver that should perform resolution of the referenced Tekton resource, such as "git" or "bundle".
                    type: string
                required:
                - params
                - resolver
                type: object
            required:
            - application
            - resolverRef
            type: object
          status:
            description: IntegrationTestScenarioStatus defines the observed state of IntegrationTestScenario
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            required:
            - conditions
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.application
      name: Application
      type: string
    - jsonPath: .spec.componentGroup
      name: ComponentGroup
      type: string
    name: v1beta2
    schema:
      openAPIV3Schema:
        description: |-
          IntegrationTestScenario is the Schema for the integrationtestscenarios API, holds a definition for integration test
          with specified attributes like pipeline reference, application and environment.
          It is a test template triggered after successful creation of a snapshot.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              IntegrationTestScenarioSpec defines the desired state of IntegrationScenario
              Exactly one of Application or ComponentGroup must be specified.
            oneOf:
            - required:
              - application
            - required:
              - componentGroup
            properties:
              application:
                description: |-
                  Application that's associated with the IntegrationTestScenario.
                  Mutually exclusive with ComponentGroup - exactly one must be specified.
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                type: string
              componentGroup:
                description: |-
                  ComponentGroup that's associated with the IntegrationTestScenario.
                  Mutually exclusive with Application - exactly one must be specified.
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                type: string
              contexts:
                description: Contexts where this IntegrationTestScenario can be applied, for specific component for example
                items:
                  description: TestContext contains the name and values of a Test context, used by IntegrationTestScenarioSpec Contexts
                  properties:
                    description:
                      type: string
                    name:
                      type: string
                  required:
                  - name
                  type: object
                type: array
              dependents:
                description: List of IntegrationTestScenario which are blocked by the successful completion of this IntegrationTestScenario
                items:
                  type: string
                type: array
              params:
                description: Params to pass to the pipeline
                items:
                  description: PipelineParameter contains the name and values of a Tekton Pipeline parameter, used by IntegrationTestScenarioSpec Params
                  properties:
                    name:
                      type: string
                    value:
                      type: string
                    values:
                      items:
                        type: string
                      type: array
                  required:
                  - name
                  type: object
                type: array
              resolverRef:
                description: Tekton Resolver where to store the Tekton resolverRef trigger Tekton pipeline used to refer to a Pipeline or Task in a remote location like a git repo.
                properties:
                  params:
                    description: |-
                      Params contains the parameters used to identify the
                      referenced Tekton resource. Example entries might include
                      "repo" or "path" but the set of params ultimately depends on
                      the chosen resolver.
                    items:
                      description: ResolverParameter contains the name and values used to identify the referenced Tekton resource
                      properties:
                        name:
                          type: string
                        value:
                          type: string
                      required:
                      - name
                      - value
                      type: object
                    type: array
                  resolver:
                    description: Resolver is the name of the resolver that should perform resolution of the referenced Tekton resource, such as "git" or "bundle".
                    type: string
                  resourceKind:
                    description: |-
                      ResourceKind defines the kind of resource being resolved.
                      It can either be "pipeline" or "pipelinerun" but defaults to "pipeline" if no value is set
                    type: string
                required:
                - params
                - resolver
                type: object
            required:
            - resolverRef
            type: object
          status:
            description: IntegrationTestScenarioStatus defines the observed state of IntegrationTestScenario described by conditions
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
            required:
            - conditions
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: integration-service-controller-manager
  namespace: integration-service
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: integration-service-snapshot-garbage-collector
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: integration-service-leader-election-role
  namespace: integration-service
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-componentgroup-admin-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups
  verbs:
  - '*'
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups/status
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-componentgroup-editor-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups/status
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-componentgroup-viewer-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups/status
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-integrationtestscenario-admin-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios
  verbs:
  - '*'
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios/status
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-integrationtestscenario-editor-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios/status
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: integration-service
  name: integration-service-integrationtestscenario-viewer-role
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - integrationtestscenarios/status
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: integration-service-manager-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - applications
  - integrationtestscenarios
  - releases
  - snapshots
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - applications/finalizers
  - components/finalizers
  - snapshots/finalizers
  verbs:
  - update
- apiGroups:
  - appstudio.redhat.com
  resources:
  - applications/status
  - componentgroups/status
  verbs:
  - get
- apiGroups:
  - appstudio.redhat.com
  resources:
  - componentgroups
  - environments
  - releaseplans
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - components
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - components/status
  - environments/status
  - integrationtestscenarios/status
  - releaseplans/status
  - releases/status
  - snapshots/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - pipelinesascode.tekton.dev
  resources:
  - repositories
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - resolution.tekton.dev
  resources:
  - resolutionrequests
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns/finalizers
  verbs:
  - update
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - tekton.dev
  resources:
  - taskruns
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tekton.dev
  resources:
  - taskruns/status
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: integration-service-metrics-auth-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: integration-service-snapshot-garbage-collector
rules:
- apiGroups:
  - appstudio.redhat.com
  resources:
  - releases
  verbs:
  - get
  - list
- apiGroups:
  - appstudio.redhat.com
  resources:
  - snapshots
  verbs:
  - get
  - list
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: integration-service-tekton-editor-role
rules:
- apiGroups:
  - triggers.tekton.dev
  resources:
  - eventlisteners
  - triggers
  - triggertemplates
  verbs:
  - create
  - update
  - patch
  - delete
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  verbs:
  - get
  - list
  - create
  - watch
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  verbs:
  - get
  - list
  - create
  - watch
- apiGroups:
  - resolution.tekton.dev
  resources:
  - resolutionrequests
  verbs:
  - create
  - delete
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: konflux-integration-runner
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - create
  - watch
  - update
  - patch
- apiGroups:
  - appstudio.redhat.com
  resources:
  - enterprisecontractpolicies
  verbs:
  - get
  - list
- apiGroups:
  - tekton.dev
  resources:
  - pipelineruns
  - taskruns
  verbs:
  - get
  - list
  - create
  - watch
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: integration-service-leader-election-rolebinding
  namespace: integration-service
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: integration-service-leader-election-role
subjects:
- kind: ServiceAccount
  name: integration-service-controller-manager
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: integration-service-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: integration-service-manager-role
subjects:
- kind: ServiceAccount
  name: integration-service-controller-manager
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: integration-service-metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: integration-service-metrics-auth-role
subjects:
- kind: ServiceAccount
  name: integration-service-controller-manager
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: integration-service-snapshot-garbage-collector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: integration-service-snapshot-garbage-collector
subjects:
- kind: ServiceAccount
  name: integration-service-snapshot-garbage-collector
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: integration-service-tekton-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: integration-service-tekton-editor-role
subjects:
- kind: ServiceAccount
  name: integration-service-controller-manager
  namespace: integration-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno-background-controller-konflux-integration-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: konflux-integration-runner
subjects:
- kind: ServiceAccount
  name: kyverno-background-controller
  namespace: kyverno
---
apiVersion: v1
data:
  controller_manager_config.yaml: |
    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
    kind: ControllerManagerConfig
    health:
      healthProbeBindAddress: :8081
    metrics:
      bindAddress: 127.0.0.1:8080
    webhook:
      port: 9443
    leaderElection:
      leaderElect: true
      resourceName: f1944211.redhat.com
kind: ConfigMap
metadata:
  name: integration-service-manager-config
  namespace: integration-service
---
apiVersion: v1
kind: Service
metadata:
  labels:
    control-plane: controller-manager
  name: integration-service-controller-manager-metrics-service
  namespace: integration-service
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    control-plane: controller-manager
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/created-by: integration-service
    app.kubernetes.io/instance: webhook-service
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: service
    app.kubernetes.io/part-of: integration-service
  name: integration-service-webhook-service
  namespace: integration-service
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 9443
  selector:
    control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: integration-service-controller-manager
  namespace: integration-service
spec:
  progressDeadlineSeconds: 2147483647
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --metrics-bind-address=:8080
        - --leader-elect
        - --lease-duration=30s
        - --leader-renew-deadline=15s
        - --leader-elector-retry-period=5s
        command:
        - /manager
        image: quay.io/konflux-ci/integration-service:ef2610ecd344292fb85e01321f7b613c7e621ec5
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        - containerPort: 8081
          name: probes
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
          requests:
            cpu: 10m
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      securityContext:
        runAsNonRoot: true
      serviceAccountName: integration-service-controller-manager
      terminationGracePeriodSeconds: 10
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: webhook-server-cert
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: integration-service-snapshot-garbage-collector
  namespace: integration-service
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /snapshotgc
            - --zap-log-level=debug
            - --pr-snapshots-to-keep=70
            - --non-pr-snapshots-to-keep=640
            image:
quay.io/konflux-ci/integration-service:ef2610ecd344292fb85e01321f7b613c7e621ec5 imagePullPolicy: Always name: test-gc resources: limits: cpu: 1000m memory: 2000Mi requests: cpu: 1000m memory: 2000Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true restartPolicy: Never serviceAccountName: integration-service-snapshot-garbage-collector schedule: 0 */6 * * * --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: labels: app.kubernetes.io/component: certificate app.kubernetes.io/instance: serving-cert app.kubernetes.io/name: certificate name: serving-cert namespace: integration-service spec: dnsNames: - integration-service-webhook-service.integration-service.svc - integration-service-webhook-service.integration-service.svc.cluster.local issuerRef: kind: Issuer name: selfsigned-issuer secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: app.kubernetes.io/component: certificate app.kubernetes.io/instance: serving-cert app.kubernetes.io/name: certificate name: selfsigned-issuer namespace: integration-service spec: selfSigned: {} --- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: annotations: policies.kyverno.io/description: | This policy creates a service account named konflux-integration-runner and binds it to the konflux-integration-runner cluster role in tenant namespaces. 
name: init-ns-integration namespace: integration-service spec: rules: - generate: apiVersion: v1 generateExisting: true kind: ServiceAccount name: konflux-integration-runner namespace: '{{request.object.metadata.name}}' synchronize: false match: any: - resources: kinds: - Namespace selector: matchLabels: konflux-ci.dev/type: tenant name: create-konflux-integration-runner-serviceaccount skipBackgroundRequests: true - generate: apiVersion: rbac.authorization.k8s.io/v1 data: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: konflux-integration-runner subjects: - kind: ServiceAccount name: konflux-integration-runner namespace: '{{request.object.metadata.name}}' generateExisting: true kind: RoleBinding name: konflux-integration-runner-rolebinding namespace: '{{request.object.metadata.name}}' synchronize: false match: any: - resources: kinds: - Namespace selector: matchLabels: konflux-ci.dev/type: tenant name: create-konflux-integration-runner-rolebinding skipBackgroundRequests: true --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: integration-service/serving-cert name: integration-service-mutating-webhook-configuration webhooks: - admissionReviewVersions: - v1 clientConfig: service: name: integration-service-webhook-service namespace: integration-service path: /mutate-appstudio-redhat-com-v1beta2-integrationtestscenario failurePolicy: Ignore name: dintegrationtestscenario.kb.io rules: - apiGroups: - appstudio.redhat.com apiVersions: - v1beta2 operations: - CREATE - UPDATE - DELETE resources: - integrationtestscenarios sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: name: integration-service-webhook-service namespace: integration-service path: /mutate-appstudio-redhat-com-v1alpha1-snapshot failurePolicy: Ignore name: vsnapshot.kb.io rules: - apiGroups: - appstudio.redhat.com apiVersions: - v1alpha1 operations: - CREATE resources: - 
snapshots sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: integration-service/serving-cert name: integration-service-validating-webhook-configuration webhooks: - admissionReviewVersions: - v1 clientConfig: service: name: integration-service-webhook-service namespace: integration-service path: /validate-appstudio-redhat-com-v1beta2-integrationtestscenario failurePolicy: Fail name: vintegrationtestscenario.kb.io rules: - apiGroups: - appstudio.redhat.com apiVersions: - v1beta2 operations: - CREATE - UPDATE - DELETE resources: - integrationtestscenarios sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: name: integration-service-webhook-service namespace: integration-service path: /validate-appstudio-redhat-com-v1alpha1-snapshot failurePolicy: Ignore name: vsnapshot.kb.io rules: - apiGroups: - appstudio.redhat.com apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - snapshots sideEffects: None