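# Rendered manifest set for the build-service controller. The
# app.kubernetes.io/managed-by: kustomize labels indicate this is kustomize
# output, so edits here are likely to be overwritten on the next render —
# change the kustomize sources instead.
#
# Documents, in order: Namespace, ServiceAccount, two Roles, three
# ClusterRoles, two RoleBindings, three ClusterRoleBindings, the pipeline
# ConfigMap, the metrics Service, the controller Deployment and an OpenShift
# SecurityContextConstraints (SCC).
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
    control-plane: controller-manager
  name: build-service
---
# Identity the controller Deployment runs as; every binding below targets it.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
  name: build-service-controller-manager
  namespace: build-service
---
# Read access to exactly one ConfigMap (resourceNames), nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: build-service-build-pipeline-config-read-only
  namespace: build-service
rules:
  - apiGroups:
      - ""
    resourceNames:
      - build-pipeline-config
    resources:
      - configmaps
    verbs:
      - get
---
# Standard controller-runtime leader-election permissions. The Deployment
# below runs with --leader-elect=false, so these are granted but unused
# unless that flag changes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
  name: build-service-leader-election-role
  namespace: build-service
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Cluster-wide permissions for running pipelines. Two grants widen what any
# subject bound to this role can do: `use` on the appstudio-pipelines-scc SCC
# (defined at the end of this file) and the wildcard verb on
# testplatformclusters. In this file it is bound only to the controller
# ServiceAccount (build-pipeline-runner-rolebinding below); keep it that way.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: appstudio-pipelines-runner
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
  - apiGroups:
      - security.openshift.io
    resourceNames:
      - appstudio-pipelines-scc
    resources:
      - securitycontextconstraints
    verbs:
      - use
  - apiGroups:
      - appstudio.redhat.com
    resources:
      - enterprisecontractpolicies
    verbs:
      - get
      - list
  - apiGroups:
      - eaas.konflux-ci.dev
    resources:
      - namespaces
    verbs:
      - get
      - create
      - delete
      - list
      - watch
  - apiGroups:
      - tekton.dev
    resources:
      - pipelineruns
      - taskruns
    verbs:
      - get
      - list
  - apiGroups:
      - ci.openshift.org
    resources:
      - testplatformclusters
    verbs:
      # Quoted: a bare * would be read as a YAML alias.
      - '*'
---
# Main controller permissions. Cluster-wide write access to secrets,
# rolebindings and pipelineruns is the sensitive part of this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: build-service-manager-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  - apiGroups:
      - appstudio.redhat.com
    resources:
      - components
      - components/status
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - appstudio.redhat.com
    resources:
      - imagerepositories
      - imagerepositories/status
      - releaseplanadmissions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - pipelinesascode.tekton.dev
    resources:
      - repositories
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
    verbs:
      - get
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - tekton.dev
    resources:
      - pipelineruns
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
# TokenReview/SubjectAccessReview creation — presumably used to authenticate
# and authorize callers of the metrics endpoint on :8443 (see the Service
# and Deployment below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: build-service-metrics-auth-role
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Every authenticated principal may read the build-pipeline-config ConfigMap.
# The ConfigMap below holds only pipeline names, bundle references and a
# description, so nothing secret is exposed; keep it that way if the
# ConfigMap grows.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: build-pipeline-config-read-only-binding
  namespace: build-service
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: build-service-build-pipeline-config-read-only
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
  name: build-service-leader-election-rolebinding
  namespace: build-service
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: build-service-leader-election-role
subjects:
  - kind: ServiceAccount
    name: build-service-controller-manager
    namespace: build-service
---
# Binds the pipeline-runner ClusterRole (incl. `use` on the SCC) to the
# controller ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: build-pipeline-runner-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: appstudio-pipelines-runner
subjects:
  - kind: ServiceAccount
    name: build-service-controller-manager
    namespace: build-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
  name: build-service-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-manager-role
subjects:
  - kind: ServiceAccount
    name: build-service-controller-manager
    namespace: build-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: build-service-metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: build-service-metrics-auth-role
subjects:
  - kind: ServiceAccount
    name: build-service-controller-manager
    namespace: build-service
---
# Pipeline catalog consumed by the controller. Every bundle is pinned by
# sha256 digest, so the references are immutable. config.yaml is itself YAML
# embedded in a literal block scalar.
apiVersion: v1
data:
  config.yaml: |
    default-pipeline-name: docker-build-oci-ta-min
    pipelines:
      - name: fbc-builder
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-fbc-builder@sha256:b9753ec8c2a2b178dc63aef7a717c25a345d168f32224bc07582bc064e2b0a3a
      - name: docker-build
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build@sha256:08409339ab4b35c5f728cc3caf8d90d39eb996d20b73d3b851bab1ba5718b57b
      - name: docker-build-oci-ta
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta@sha256:bfaed0120780c0c33270f61fe32ffeecef4b8310c5e67c9b9512a5d19062f876
      - name: tekton-bundle-builder
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-tekton-bundle-builder@sha256:52839632f53fc4a101a3a3e89d0ee5a38a390765c85381743922d25349e544cd
      - name: tekton-bundle-builder-oci-ta
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-tekton-bundle-builder-oci-ta@sha256:232242c4ddf8cfcf47f7c3842424f023137cacaccb9a0ba534cab3023d834ad0
      - name: docker-build-oci-ta-min
        bundle: quay.io/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta-min@sha256:3f54861727b893e8ef574a65c8173f980cdcd7da0aed9355fa5ff89e8981662d
        description: minimal version of the docker-build-oci-ta pipeline, which requires less compute resources. In addition, it doesn't contain tasks which require user provided secrets.
kind: ConfigMap
metadata:
  name: build-pipeline-config
  namespace: build-service
---
# Exposes the controller's metrics port; no http variant is published.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
    control-plane: controller-manager
  name: build-service-controller-manager-metrics-service
  namespace: build-service
spec:
  ports:
    - name: https
      port: 8443
      protocol: TCP
      targetPort: 8443
  selector:
    control-plane: controller-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    ignore-check.kube-linter.io/liveness-port: Keeping upstream configs
    ignore-check.kube-linter.io/readiness-port: Keeping upstream configs
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: build-service
    control-plane: controller-manager
  name: build-service-controller-manager
  namespace: build-service
spec:
  # int32 max — effectively no rollout progress deadline; a stuck rollout
  # will never be reported as failed.
  progressDeadlineSeconds: 2147483647
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: controller-manager
    spec:
      containers:
        - args:
            - --metrics-bind-address=:8443
            # Single replica, so leader election is disabled.
            - --leader-elect=false
            - --health-probe-bind-address=:8081
            - -webhook-config-path=/mnt/webhook-config.json
          command:
            - /manager
          # Pinned by a tag that looks like a git commit SHA rather than by
          # digest (unlike the pipeline bundles above); a digest pin would make
          # the image reference immutable.
          image: quay.io/konflux-ci/build-service:04a4744321a7fb747f796da783d51fc322aef598
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          name: manager
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 1024Mi
            requests:
              cpu: 10m
              memory: 64Mi
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /etc/ssl/certs/ca-custom-bundle.crt
              name: trusted-ca
              readOnly: true
              subPath: ca-bundle.crt
            - mountPath: /mnt
              name: webhook-config
              readOnly: true
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: build-service-controller-manager
      terminationGracePeriodSeconds: 10
      # Both ConfigMaps are optional: the pod starts without a custom CA
      # bundle or webhook config if they are absent.
      volumes:
        - configMap:
            items:
              - key: ca-bundle.crt
                path: ca-bundle.crt
            name: trusted-ca
            optional: true
          name: trusted-ca
        - configMap:
            items:
              - key: webhook-config.json
                path: webhook-config.json
            name: webhook-config
            optional: true
          name: webhook-config
---
# OpenShift SCC selectable by subjects with `use` on it — in this file only
# the appstudio-pipelines-runner ClusterRole grants that. It is looser than
# the controller's own pod settings above (any UID, writable root filesystem,
# SETFCAP allowed) while still denying host namespaces, host ports,
# privileged containers and privilege escalation.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - SETFCAP
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
  - system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    # Quoted so the value stays a string rather than becoming the int 0.
    argocd.argoproj.io/sync-wave: "0"
  name: appstudio-pipelines-scc
  # SCCs are cluster-scoped, so this namespace is not meaningful for the
  # resource itself; confirm with the consuming tooling before dropping it
  # from the rendered output.
  namespace: build-service
# Presumably ranks this SCC above the defaults for admission; verify against
# the cluster's other SCC priorities.
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
# Explicit empty list (a bare `users:` would be null); access comes via RBAC
# `use` grants, not via this list.
users: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret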