From 7f4e3bff8a56a906453f7dfea4b6e810125623bb Mon Sep 17 00:00:00 2001 
From: Mayne0213 Date: Sat, 10 Jan 2026 22:09:49 +0900 Subject: [PATCH] feat: add plain zot credentials for crane --- gitea-runner/manifests/zot-plain-secret.yaml | 22 ++++ tekton/ci-cd/argocd.yaml | 28 +++++ tekton/ci-cd/manifests/kustomization.yaml | 16 +++ .../manifests/pipelines/fastapi-pipeline.yaml | 59 ++++++++++ .../manifests/pipelines/nextjs-pipeline.yaml | 65 +++++++++++ .../manifests/pipelines/python-pipeline.yaml | 59 ++++++++++ .../manifests/secrets/github-credentials.yaml | 18 +++ .../secrets/zot-registry-secret.yaml | 27 +++++ .../manifests/tasks/buildah-build-push.yaml | 71 ++++++++++++ tekton/ci-cd/manifests/tasks/git-clone.yaml | 57 ++++++++++ .../manifests/triggers/eventlistener.yaml | 79 +++++++++++++ tekton/ci-cd/manifests/triggers/ingress.yaml | 24 ++++ .../manifests/triggers/kustomization.yaml | 10 ++ tekton/ci-cd/manifests/triggers/rbac.yaml | 60 ++++++++++ tekton/ci-cd/manifests/triggers/secret.yaml | 18 +++ .../manifests/triggers/triggerbinding.yaml | 17 +++ .../manifests/triggers/triggertemplate.yaml | 105 ++++++++++++++++++ tekton/dashboard/argocd.yaml | 40 +++++++ tekton/dashboard/kustomization.yaml | 16 +++ tekton/dashboard/manifests/ingress.yaml | 25 +++++ tekton/pipeline/argocd.yaml | 44 ++++++++ tekton/pipeline/kustomization.yaml | 26 +++++ tekton/triggers/argocd.yaml | 40 +++++++ tekton/triggers/kustomization.yaml | 16 +++ 24 files changed, 942 insertions(+) create mode 100644 gitea-runner/manifests/zot-plain-secret.yaml create mode 100644 tekton/ci-cd/argocd.yaml create mode 100644 tekton/ci-cd/manifests/kustomization.yaml create mode 100644 tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml create mode 100644 tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml create mode 100644 tekton/ci-cd/manifests/pipelines/python-pipeline.yaml create mode 100644 tekton/ci-cd/manifests/secrets/github-credentials.yaml create mode 100644 tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml create mode 100644 
tekton/ci-cd/manifests/tasks/buildah-build-push.yaml create mode 100644 tekton/ci-cd/manifests/tasks/git-clone.yaml create mode 100644 tekton/ci-cd/manifests/triggers/eventlistener.yaml create mode 100644 tekton/ci-cd/manifests/triggers/ingress.yaml create mode 100644 tekton/ci-cd/manifests/triggers/kustomization.yaml create mode 100644 tekton/ci-cd/manifests/triggers/rbac.yaml create mode 100644 tekton/ci-cd/manifests/triggers/secret.yaml create mode 100644 tekton/ci-cd/manifests/triggers/triggerbinding.yaml create mode 100644 tekton/ci-cd/manifests/triggers/triggertemplate.yaml create mode 100644 tekton/dashboard/argocd.yaml create mode 100644 tekton/dashboard/kustomization.yaml create mode 100644 tekton/dashboard/manifests/ingress.yaml create mode 100644 tekton/pipeline/argocd.yaml create mode 100644 tekton/pipeline/kustomization.yaml create mode 100644 tekton/triggers/argocd.yaml create mode 100644 tekton/triggers/kustomization.yaml diff --git a/gitea-runner/manifests/zot-plain-secret.yaml b/gitea-runner/manifests/zot-plain-secret.yaml new file mode 100644 index 0000000..9ffcec5 --- /dev/null +++ b/gitea-runner/manifests/zot-plain-secret.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: zot-registry-credentials-plain + namespace: gitea +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: vault-backend + target: + name: zot-registry-credentials-plain + creationPolicy: Owner + data: + - secretKey: username + remoteRef: + key: zot + property: USERNAME + - secretKey: password + remoteRef: + key: zot + property: PASSWORD diff --git a/tekton/ci-cd/argocd.yaml b/tekton/ci-cd/argocd.yaml new file mode 100644 index 0000000..2e98365 --- /dev/null +++ b/tekton/ci-cd/argocd.yaml 
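Review bot: The manifest does not say who consumes `zot-registry-credentials-plain` or why a second, plaintext rendering of the same Vault `zot` entry is needed next to the `dockerconfigjson` form created in `tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml`; only the commit subject hints at crane. A header comment would keep the two from diverging, e.g. `# Plain username/password form of the Vault "zot" entry for tooling that cannot read a dockerconfigjson (crane in the Gitea runner, per the commit that added it).` If the consumer only needs a login once, `refreshInterval: 1h` is fine; if it caches the password, document that rotation in Vault takes up to an hour to land here.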
@@ -0,0 +1,28 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: tekton-ci-cd + namespace: argocd + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous +spec: + project: default + source: + repoURL: https://github.com/K3S-HOME/platform.git + targetRevision: main + path: tekton/ci-cd/manifests + destination: + server: https://kubernetes.default.svc + namespace: tekton-pipelines + syncPolicy: + automated: + prune: false + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m diff --git a/tekton/ci-cd/manifests/kustomization.yaml b/tekton/ci-cd/manifests/kustomization.yaml new file mode 100644 index 0000000..1ac4ae0 --- /dev/null +++ b/tekton/ci-cd/manifests/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + # Secrets + - secrets/zot-registry-secret.yaml + - secrets/github-credentials.yaml + # Tasks + - tasks/git-clone.yaml + - tasks/buildah-build-push.yaml + # Pipelines + - pipelines/nextjs-pipeline.yaml + - pipelines/fastapi-pipeline.yaml + - pipelines/python-pipeline.yaml + # Triggers + - triggers/ diff --git a/tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml b/tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml new file mode 100644 index 0000000..f4c6ac6 --- /dev/null +++ b/tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml 
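Review bot: `prune: false` together with `argocd.argoproj.io/compare-options: IgnoreExtraneous` and no `resources-finalizer` makes this Application behave differently from the other three Applications in this commit (`tekton/dashboard`, `tekton/pipeline`, `tekton/triggers` all set `prune: true` and the finalizer), and the file gives no reason. Because this Application owns the ExternalSecrets, Role/RoleBindings and the public Ingress, a binding or secret deleted from git will keep living in the cluster until someone removes it by hand. Either enable pruning or add a comment above `syncPolicy` stating why stale RBAC and secrets are acceptable here, e.g. `# prune disabled on purpose: <reason>`.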
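Review bot: This Kustomization indents its `resources` entries while `tekton/dashboard/kustomization.yaml`, `tekton/pipeline/kustomization.yaml` and `tekton/triggers/kustomization.yaml` in the same commit use the flush style; pick one sequence style across the repository. The bare `- triggers/` entry pulls in RBAC, the EventListener and the internet-facing webhook Ingress via the directory's own kustomization, which is not obvious from the list; a comment on that line, e.g. `# Triggers: RBAC, EventListener and the public /hooks Ingress`, makes the reach of this Application visible at a glance.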
@@ -0,0 +1,59 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: fastapi-build-deploy + namespace: tekton-pipelines +spec: + description: Build FastAPI app and push to Zot registry + params: + - name: git-url + description: Git repository URL + type: string + - name: git-revision + description: Git revision (branch/tag/sha) + type: string + default: main + - name: app-name + description: Application name + type: string + - name: context-dir + description: Docker build context directory + type: string + default: ./fastapi + workspaces: + - name: shared-workspace + description: Shared workspace for all tasks + - name: docker-credentials + description: Docker registry credentials + tasks: + - name: clone + taskRef: + name: git-clone + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.git-revision) + - name: deleteExisting + value: "true" + workspaces: + - name: output + workspace: shared-workspace + + - name: build-push + taskRef: + name: buildah-build-push + runAfter: + - clone + params: + - name: IMAGE + value: zot0213.kro.kr/$(params.app-name):$(params.git-revision) + - name: DOCKERFILE + value: ./Dockerfile + - name: CONTEXT + value: $(params.context-dir) + workspaces: + - name: source + workspace: shared-workspace + - name: dockerconfig + workspace: docker-credentials diff --git a/tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml b/tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml new file mode 100644 index 0000000..c22f110 --- /dev/null +++ b/tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml 
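Review bot: The `IMAGE` value hard-codes the registry host `zot0213.kro.kr` and tags the image with `$(params.git-revision)`, which the trigger templates in this commit populate with a branch name, so every push overwrites the mutable tag `:main` and nothing records which commit produced the image. The same `IMAGE` line appears in `pipelines/nextjs-pipeline.yaml` and `pipelines/python-pipeline.yaml`; a `registry` pipeline parameter (type string, default `zot0213.kro.kr`) described as the registry host, plus tagging by commit SHA, would remove the triplication and make builds traceable. The `buildah-build-push` task already emits `IMAGE_DIGEST`, but no pipeline surfaces it; exposing it as a pipeline `results` entry is what a deploy step needs to pin by digest.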
@@ -0,0 +1,65 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: nextjs-build-deploy + namespace: tekton-pipelines +spec: + description: Build Next.js app and push to Zot registry + params: + - name: git-url + description: Git repository URL + type: string + - name: git-revision + description: Git revision (branch/tag/sha) + type: string + default: main + - name: app-name + description: Application name + type: string + - name: context-dir + description: Docker build context directory + type: string + default: ./nextjs + - name: build-args + description: Build arguments (key=value format, one per line) + type: string + default: "" + workspaces: + - name: shared-workspace + description: Shared workspace for all tasks + - name: docker-credentials + description: Docker registry credentials + tasks: + - name: clone + taskRef: + name: git-clone + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.git-revision) + - name: deleteExisting + value: "true" + workspaces: + - name: output + workspace: shared-workspace + + - name: build-push + taskRef: + name: buildah-build-push + runAfter: + - clone + params: + - name: IMAGE + value: zot0213.kro.kr/$(params.app-name):$(params.git-revision) + - name: DOCKERFILE + value: ./Dockerfile + - name: CONTEXT + value: $(params.context-dir) + - name: BUILD_ARGS + value: $(params.build-args) + workspaces: + - name: source + workspace: shared-workspace + - name: dockerconfig + workspace: docker-credentials diff --git a/tekton/ci-cd/manifests/pipelines/python-pipeline.yaml b/tekton/ci-cd/manifests/pipelines/python-pipeline.yaml new file mode 100644 index 0000000..fc22dd7 --- /dev/null +++ b/tekton/ci-cd/manifests/pipelines/python-pipeline.yaml 
@@ -0,0 +1,59 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: python-build-deploy + namespace: tekton-pipelines +spec: + description: Build Python app (LangGraph/Chainlit) and push to Zot registry + params: + - name: git-url + description: Git repository URL + type: string + - name: git-revision + description: Git revision (branch/tag/sha) + type: string + default: main + - name: app-name + description: Application name + type: string + - name: context-dir + description: Docker build context directory + type: string + default: ./langgraph + workspaces: + - name: shared-workspace + description: Shared workspace for all tasks + - name: docker-credentials + description: Docker registry credentials + tasks: + - name: clone + taskRef: + name: git-clone + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.git-revision) + - name: deleteExisting + value: "true" + workspaces: + - name: output + workspace: shared-workspace + + - name: build-push + taskRef: + name: buildah-build-push + runAfter: + - clone + params: + - name: IMAGE + value: zot0213.kro.kr/$(params.app-name):$(params.git-revision) + - name: DOCKERFILE + value: ./Dockerfile + - name: CONTEXT + value: $(params.context-dir) + workspaces: + - name: source + workspace: shared-workspace + - name: dockerconfig + workspace: docker-credentials diff --git a/tekton/ci-cd/manifests/secrets/github-credentials.yaml b/tekton/ci-cd/manifests/secrets/github-credentials.yaml new file mode 100644 index 0000000..2ef14d6 --- /dev/null +++ b/tekton/ci-cd/manifests/secrets/github-credentials.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: github-credentials + namespace: tekton-pipelines +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: vault-backend + target: + name: github-credentials + creationPolicy: Owner + data: + - secretKey: token + remoteRef: + key: github + property: PAT 
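Review bot: Nothing in this commit consumes the `github-credentials` secret this ExternalSecret materializes: the `git-clone` task clones `$(params.url)` without credentials and no ServiceAccount carries a `tekton.dev/git-0` annotation pointing at it, so a GitHub PAT sits in `tekton-pipelines` with no consumer while the namespace Role grants the listener `get`/`list` on all secrets. Either wire it up (render a `kubernetes.io/basic-auth` secret via `target.template` and annotate the ServiceAccount the PipelineRuns use) or leave it out until a task needs it. A comment naming the intended consumer would help either way, e.g. `# GitHub PAT for cloning private repositories; consumed by <task or ServiceAccount>`.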
diff --git a/tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml b/tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml new file mode 100644 index 0000000..4553fd2 --- /dev/null +++ b/tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml @@ -0,0 +1,27 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: zot-registry-credentials + namespace: tekton-pipelines +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: vault-backend + target: + name: zot-registry-credentials + creationPolicy: Owner + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: | + {"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}} + data: + - secretKey: USERNAME + remoteRef: + key: zot + property: USERNAME + - secretKey: PASSWORD + remoteRef: + key: zot + property: PASSWORD diff --git a/tekton/ci-cd/manifests/tasks/buildah-build-push.yaml b/tekton/ci-cd/manifests/tasks/buildah-build-push.yaml new file mode 100644 index 0000000..b8dc5b0 --- /dev/null +++ b/tekton/ci-cd/manifests/tasks/buildah-build-push.yaml 
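Review bot: The `.dockerconfigjson` template builds JSON by pasting `{{ .USERNAME }}` and `{{ .PASSWORD }}` into a string, so a password containing `"` or `\` produces an unparsable secret and a registry login that fails only at build time; escape the values in the template (a JSON-quoting helper such as sprig `quote`, if the ESO engine exposes it) rather than interpolating them raw. `spec.target.template.engineVersion` is not set, so the template syntax depends on the operator default; pin it with `engineVersion: v2`. The registry host `zot0213.kro.kr` is repeated from the three pipelines' `IMAGE` values; a comment such as `# Host must match the registry prefix in pipelines/*-pipeline.yaml` keeps them from drifting apart.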
@@ -0,0 +1,71 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: buildah-build-push + namespace: tekton-pipelines +spec: + description: Build container image with Buildah and push to registry + params: + - name: IMAGE + description: Full image reference (registry/repo:tag) + type: string + - name: DOCKERFILE + description: Path to Dockerfile + type: string + default: ./Dockerfile + - name: CONTEXT + description: Build context directory + type: string + default: . + - name: BUILD_ARGS + description: Build arguments (key=value format, one per line) + type: string + default: "" + workspaces: + - name: source + description: Source code workspace + - name: dockerconfig + description: Docker config for registry auth + optional: true + results: + - name: IMAGE_DIGEST + description: Digest of built image + - name: IMAGE_URL + description: Full URL of pushed image + steps: + - name: build-and-push + image: quay.io/buildah/stable:v1.33 + securityContext: + privileged: true + workingDir: $(workspaces.source.path) + env: + - name: BUILD_ARGS + value: $(params.BUILD_ARGS) + script: | + #!/usr/bin/env bash + set -ex + + REGISTRY=$(echo "$(params.IMAGE)" | cut -d'/' -f1) + DOCKER_CONFIG="$(workspaces.dockerconfig.path)/.dockerconfigjson" + + # Login to registry + if [ -f "$DOCKER_CONFIG" ]; then + USER=$(sed -n 's/.*"username":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG") + PASS=$(sed -n 's/.*"password":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG") + buildah login -u "$USER" -p "$PASS" "$REGISTRY" + fi + + # Parse build args + BUILD_ARGS_FLAGS="" + while IFS= read -r line; do + [ -n "$line" ] && BUILD_ARGS_FLAGS="$BUILD_ARGS_FLAGS --build-arg $line" + done <<< "$BUILD_ARGS" + + # Build and push + buildah bud --platform linux/arm64 --format docker \ + -f $(params.DOCKERFILE) -t $(params.IMAGE) $BUILD_ARGS_FLAGS $(params.CONTEXT) + buildah push --digestfile /tmp/image-digest $(params.IMAGE) + + # Output results + cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n 
"$(params.IMAGE)" | tee $(results.IMAGE_URL.path) diff --git a/tekton/ci-cd/manifests/tasks/git-clone.yaml b/tekton/ci-cd/manifests/tasks/git-clone.yaml new file mode 100644 index 0000000..4c7a912 --- /dev/null +++ b/tekton/ci-cd/manifests/tasks/git-clone.yaml @@ -0,0 +1,57 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: git-clone + namespace: tekton-pipelines + labels: + app.kubernetes.io/version: "1.0" +spec: + description: Clone a git repository using standard git + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. + params: + - name: url + description: Repository URL to clone from. + type: string + - name: revision + description: Revision to checkout (branch, tag, sha, ref). + type: string + default: "main" + - name: depth + description: Perform a shallow clone, fetching only the most recent N commits. + type: string + default: "1" + - name: deleteExisting + description: Clean out the contents of the destination directory if it already exists. + type: string + default: "true" + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + steps: + - name: clone + image: alpine/git:latest + script: | + #!/bin/sh + set -ex + + CHECKOUT_DIR="$(workspaces.output.path)" + + if [ "$(params.deleteExisting)" = "true" ] && [ -d "${CHECKOUT_DIR}" ]; then + rm -rf "${CHECKOUT_DIR:?}/"* || true + rm -rf "${CHECKOUT_DIR}"/.[!.]* || true + fi + + cd "${CHECKOUT_DIR}" + + git clone --depth="$(params.depth)" --branch="$(params.revision)" \ + "$(params.url)" . + + RESULT_SHA="$(git rev-parse HEAD)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "$(params.url)" > "$(results.url.path)" + + echo "Cloned $(params.url) at ${RESULT_SHA}" 
diff --git a/tekton/ci-cd/manifests/triggers/eventlistener.yaml b/tekton/ci-cd/manifests/triggers/eventlistener.yaml new file mode 100644 index 0000000..708680a --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/eventlistener.yaml @@ -0,0 +1,79 @@ +apiVersion: triggers.tekton.dev/v1beta1 +kind: EventListener +metadata: + name: github-listener + namespace: tekton-pipelines +spec: + serviceAccountName: tekton-triggers-sa + triggers: + - name: github-push-nextjs + interceptors: + - ref: + name: "github" + params: + - name: "secretRef" + value: + secretName: github-webhook-secret + secretKey: webhook-secret + - name: "eventTypes" + value: ["push"] + - ref: + name: "cel" + params: + - name: "filter" + value: "body.ref.startsWith('refs/heads/main')" + - name: "overlays" + value: + - key: branch_name + expression: "body.ref.split('/')[2]" + - ref: + name: "cel" + params: + - name: "filter" + value: "body.repository.name in ['jovies', 'jotion', 'jaejadle', 'portfolio', 'todo']" + bindings: + - ref: github-push-binding + template: + ref: nextjs-build-template + - name: github-push-fastapi + interceptors: + - ref: + name: "github" + params: + - name: "secretRef" + value: + secretName: github-webhook-secret + secretKey: webhook-secret + - name: "eventTypes" + value: ["push"] + - ref: + name: "cel" + params: + - name: "filter" + value: "body.ref.startsWith('refs/heads/main')" + - name: "overlays" + value: + - key: branch_name + expression: "body.ref.split('/')[2]" + - ref: + name: "cel" + params: + - name: "filter" + value: "body.repository.name in ['joossam', 'mas']" + bindings: + - ref: github-push-binding + template: + ref: fastapi-build-template + resources: + kubernetesResource: + spec: + template: + spec: + serviceAccountName: tekton-triggers-sa + containers: + - resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" 
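Review bot: The CEL filter `body.ref.startsWith('refs/heads/main')` also matches any branch whose name merely begins with `main` (such as `main-old`), and a push that deletes such a branch still passes it; use an equality check and exclude deletions, `value: "body.ref == 'refs/heads/main' && !body.deleted"`. The repository allow-list is a third interceptor for no evident reason; folding it into the same `filter` with `&&` saves one interceptor round-trip per event. The github/cel chain is duplicated verbatim between `github-push-nextjs` and `github-push-fastapi` with only the repo list and template differing, so a comment above each trigger stating which repositories it serves would help the next reader.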
diff --git a/tekton/ci-cd/manifests/triggers/ingress.yaml b/tekton/ci-cd/manifests/triggers/ingress.yaml new file mode 100644 index 0000000..330ee31 --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/ingress.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: tekton-triggers-ingress + namespace: tekton-pipelines + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: traefik + tls: + - hosts: + - tekton0213.kro.kr + secretName: tekton-triggers-tls + rules: + - host: tekton0213.kro.kr + http: + paths: + - path: /hooks + pathType: Prefix + backend: + service: + name: el-github-listener + port: + number: 8080 diff --git a/tekton/ci-cd/manifests/triggers/kustomization.yaml b/tekton/ci-cd/manifests/triggers/kustomization.yaml new file mode 100644 index 0000000..bf9c57e --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - rbac.yaml + - secret.yaml + - triggerbinding.yaml + - triggertemplate.yaml + - eventlistener.yaml + - ingress.yaml diff --git a/tekton/ci-cd/manifests/triggers/rbac.yaml b/tekton/ci-cd/manifests/triggers/rbac.yaml new file mode 100644 index 0000000..80f8d8b --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/rbac.yaml 
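Review bot: This Ingress and `tekton/dashboard/manifests/ingress.yaml` both request a cert-manager certificate for the same host `tekton0213.kro.kr` but into different secrets (`tekton-triggers-tls` vs `tekton-dashboard-tls`), so two certificates are issued for one hostname and Traefik serves whichever it picks; reuse a single `secretName` for the host. Unlike the dashboard Ingress, this one carries no Authelia middleware, which is expected for a webhook, but nothing in the file says what protects `/hooks`; a comment such as `# Public endpoint: authenticated only by the GitHub webhook HMAC check in the EventListener` records that the interceptor's `secretRef` is the sole gate.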
@@ -0,0 +1,60 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-triggers-sa + namespace: tekton-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: tekton-triggers-role + namespace: tekton-pipelines +rules: + - apiGroups: ["triggers.tekton.dev"] + resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"] + verbs: ["get", "list", "watch"] + - apiGroups: ["tekton.dev"] + resources: ["pipelineruns", "pipelineresources"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "delete", "get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-triggers-rolebinding + namespace: tekton-pipelines +subjects: + - kind: ServiceAccount + name: tekton-triggers-sa + namespace: tekton-pipelines +roleRef: + kind: Role + name: tekton-triggers-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tekton-triggers-clusterrole +rules: + - apiGroups: ["triggers.tekton.dev"] + resources: ["clustertriggerbindings", "clusterinterceptors"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: tekton-triggers-clusterrolebinding +subjects: + - kind: ServiceAccount + name: tekton-triggers-sa + namespace: tekton-pipelines +roleRef: + kind: ClusterRole + name: tekton-triggers-clusterrole + apiGroup: rbac.authorization.k8s.io diff --git a/tekton/ci-cd/manifests/triggers/secret.yaml b/tekton/ci-cd/manifests/triggers/secret.yaml new file mode 100644 index 0000000..5d5ec91 --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/secret.yaml 
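Review bot: The Role grants `get`, `list` and `watch` on every `secrets` object in `tekton-pipelines`, which lets `tekton-triggers-sa` (the account the internet-facing listener pod runs as, per `serviceAccountName` and the `kubernetesResource` template) read `github-credentials` and `zot-registry-credentials`, not only the webhook secret it needs. If the listener only needs `github-webhook-secret`, scope `get` with `resourceNames: ["github-webhook-secret"]` and confirm whether `list`/`watch` on secrets are actually required by the Triggers release in use, since those verbs cannot be name-scoped. `pipelineresources` in the `tekton.dev` rule names a resource type that does not exist in the `tekton.dev/v1` API the pipelines use, so drop it.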
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: github-webhook-secret + namespace: tekton-pipelines +spec: + refreshInterval: 1h + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: github-webhook-secret + creationPolicy: Owner + data: + - secretKey: webhook-secret + remoteRef: + key: tekton + property: GITHUB_WEBHOOK_SECRET diff --git a/tekton/ci-cd/manifests/triggers/triggerbinding.yaml b/tekton/ci-cd/manifests/triggers/triggerbinding.yaml new file mode 100644 index 0000000..760b1b0 --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/triggerbinding.yaml @@ -0,0 +1,17 @@ +apiVersion: triggers.tekton.dev/v1beta1 +kind: TriggerBinding +metadata: + name: github-push-binding + namespace: tekton-pipelines +spec: + params: + - name: git-url + value: $(body.repository.clone_url) + - name: git-revision + value: $(body.after) + - name: git-branch + value: $(extensions.branch_name) + - name: repo-name + value: $(body.repository.name) + - name: repo-full-name + value: $(body.repository.full_name) diff --git a/tekton/ci-cd/manifests/triggers/triggertemplate.yaml b/tekton/ci-cd/manifests/triggers/triggertemplate.yaml new file mode 100644 index 0000000..17d9a9e --- /dev/null +++ b/tekton/ci-cd/manifests/triggers/triggertemplate.yaml 
@@ -0,0 +1,105 @@ +apiVersion: triggers.tekton.dev/v1beta1 +kind: TriggerTemplate +metadata: + name: nextjs-build-template + namespace: tekton-pipelines +spec: + params: + - name: git-url + description: Git repository URL + - name: git-revision + description: Git commit SHA + - name: git-branch + description: Git branch name + - name: repo-name + description: Repository name + - name: repo-full-name + description: Full repository name (org/repo) + resourcetemplates: + - apiVersion: tekton.dev/v1 + kind: PipelineRun + metadata: + generateName: $(tt.params.repo-name)-build- + namespace: tekton-pipelines + labels: + tekton.dev/pipeline: nextjs-build-deploy + app: $(tt.params.repo-name) + branch: $(tt.params.git-branch) + spec: + pipelineRef: + name: nextjs-build-deploy + params: + - name: git-url + value: $(tt.params.git-url) + - name: git-revision + value: $(tt.params.git-branch) + - name: app-name + value: $(tt.params.repo-name) + - name: context-dir + value: ./nextjs + workspaces: + - name: shared-workspace + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + storageClassName: local-path + resources: + requests: + storage: 1Gi + - name: docker-credentials + secret: + secretName: zot-registry-credentials +--- +apiVersion: triggers.tekton.dev/v1beta1 +kind: TriggerTemplate +metadata: + name: fastapi-build-template + namespace: tekton-pipelines +spec: + params: + - name: git-url + description: Git repository URL + - name: git-revision + description: Git commit SHA + - name: git-branch + description: Git branch name + - name: repo-name + description: Repository name + - name: repo-full-name + description: Full repository name (org/repo) + resourcetemplates: + - apiVersion: tekton.dev/v1 + kind: PipelineRun + metadata: + generateName: $(tt.params.repo-name)-build- + namespace: tekton-pipelines + labels: + tekton.dev/pipeline: fastapi-build-deploy + app: $(tt.params.repo-name) + branch: $(tt.params.git-branch) + spec: + pipelineRef: + name: 
fastapi-build-deploy + params: + - name: git-url + value: $(tt.params.git-url) + - name: git-revision + value: $(tt.params.git-branch) + - name: app-name + value: $(tt.params.repo-name) + - name: context-dir + value: ./fastapi + workspaces: + - name: shared-workspace + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + storageClassName: local-path + resources: + requests: + storage: 1Gi + - name: docker-credentials + secret: + secretName: zot-registry-credentials diff --git a/tekton/dashboard/argocd.yaml b/tekton/dashboard/argocd.yaml new file mode 100644 index 0000000..8d1d619 --- /dev/null +++ b/tekton/dashboard/argocd.yaml @@ -0,0 +1,40 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: tekton-dashboard + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/K3S-HOME/platform.git + targetRevision: main + path: tekton/dashboard + destination: + server: https://kubernetes.default.svc + namespace: tekton-pipelines + ignoreDifferences: + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + jsonPointers: + - /status + - /spec/preserveUnknownFields + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - PrunePropagationPolicy=foreground + - PruneLast=true + - RespectIgnoreDifferences=true + - Replace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/tekton/dashboard/kustomization.yaml b/tekton/dashboard/kustomization.yaml new file mode 100644 index 0000000..efce579 --- /dev/null +++ b/tekton/dashboard/kustomization.yaml 
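Review bot: Both templates pass `$(tt.params.git-branch)` as the pipeline's `git-revision`, so the PipelineRun checks out whatever the branch tip is when the clone runs and the image gets the mutable tag `:main`; the binding already delivers the pushed commit as `git-revision` (`body.after`), and passing that instead (`value: $(tt.params.git-revision)`) pins both the build and the tag to the commit, though the `git-clone` task as written uses `--branch` and would need to fetch by SHA first. Neither PipelineRun sets `serviceAccountName`, so runs execute as the namespace `default` service account; set it explicitly or state the choice in a comment. The two templates differ only in pipeline name and `context-dir`, so one template with a `pipeline` parameter would remove the duplication.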
@@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- https://infra.tekton.dev/tekton-releases/dashboard/latest/release-full.yaml +- manifests/ingress.yaml + +patches: +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + patch: |- + - op: replace + path: /metadata/labels/app.kubernetes.io~1instance + value: tekton-dashboard diff --git a/tekton/dashboard/manifests/ingress.yaml b/tekton/dashboard/manifests/ingress.yaml new file mode 100644 index 0000000..8b164e5 --- /dev/null +++ b/tekton/dashboard/manifests/ingress.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: tekton-dashboard + namespace: tekton-pipelines + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd +spec: + ingressClassName: traefik + tls: + - hosts: + - tekton0213.kro.kr + secretName: tekton-dashboard-tls + rules: + - host: tekton0213.kro.kr + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: tekton-dashboard + port: + number: 9097 diff --git a/tekton/pipeline/argocd.yaml b/tekton/pipeline/argocd.yaml new file mode 100644 index 0000000..0eac2dc --- /dev/null +++ b/tekton/pipeline/argocd.yaml 
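Review bot: `https://infra.tekton.dev/tekton-releases/dashboard/latest/release-full.yaml` is a floating URL with no version or checksum, so every Argo CD sync (with `selfHeal: true`) redeploys whatever upstream currently publishes as `latest`; `tekton/pipeline/kustomization.yaml` and `tekton/triggers/kustomization.yaml` have the same problem. Pin each to a specific release version path and record the version in a comment above the resource, e.g. `# Pinned: dashboard vX.Y.Z — bump deliberately`. `release-full.yaml` is the read/write dashboard, so anyone past the Authelia middleware can create, rerun and delete PipelineRuns from the UI; if viewing is all that is needed, `release.yaml` is the read-only build.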
@@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: tekton-pipeline + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/K3S-HOME/platform.git + targetRevision: main + path: tekton/pipeline + destination: + server: https://kubernetes.default.svc + namespace: tekton-pipelines + ignoreDifferences: + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + jsonPointers: + - /status + - /spec/preserveUnknownFields + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - PrunePropagationPolicy=foreground + - PruneLast=true + - RespectIgnoreDifferences=true + - Replace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + managedNamespaceMetadata: + labels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + revisionHistoryLimit: 10 diff --git a/tekton/pipeline/kustomization.yaml b/tekton/pipeline/kustomization.yaml new file mode 100644 index 0000000..0c2ff8e --- /dev/null +++ b/tekton/pipeline/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml + +patches: +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + patch: |- + - op: replace + path: /metadata/labels/app.kubernetes.io~1instance + value: tekton-pipeline +- target: + version: v1 + kind: Namespace + name: tekton-pipelines + patch: |- + - op: replace + path: /metadata/labels/pod-security.kubernetes.io~1enforce + value: privileged + - op: add + path: /metadata/labels/pod-security.kubernetes.io~1warn + value: privileged diff --git a/tekton/triggers/argocd.yaml b/tekton/triggers/argocd.yaml new file mode 100644 index 0000000..f86bfd9 --- /dev/null 
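Review bot: `managedNamespaceMetadata` labels the whole `tekton-pipelines` namespace `pod-security.kubernetes.io/enforce: privileged`, and `tekton/pipeline/kustomization.yaml` patches the same two labels onto the Namespace from the release manifest, so the setting lives in two places that can drift; keep one. The relaxation exists because the buildah task runs `privileged: true`, but it also applies to the controller, webhook, listener and dashboard pods in that namespace; running builds in a dedicated namespace (or with a rootless buildah configuration) would keep the exemption to build pods only. Whichever place is kept, a comment above the labels should say why, e.g. `# privileged PSS needed for the buildah build step in ci-cd/manifests/tasks/buildah-build-push.yaml`.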
+++ b/tekton/triggers/argocd.yaml @@ -0,0 +1,40 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: tekton-triggers + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://github.com/K3S-HOME/platform.git + targetRevision: main + path: tekton/triggers + destination: + server: https://kubernetes.default.svc + namespace: tekton-pipelines + ignoreDifferences: + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + jsonPointers: + - /status + - /spec/preserveUnknownFields + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - PrunePropagationPolicy=foreground + - PruneLast=true + - RespectIgnoreDifferences=true + - Replace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/tekton/triggers/kustomization.yaml b/tekton/triggers/kustomization.yaml new file mode 100644 index 0000000..ba2bf12 --- /dev/null +++ b/tekton/triggers/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml +- https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml + +patches: +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + patch: |- + - op: replace + path: /metadata/labels/app.kubernetes.io~1instance + value: tekton-triggers