PERF(tekton): remove CPU limits for stability

- Remove CPU limit from tekton-pipelines-webhook
- Remove CPU limit from tekton-pipelines-remote-resolvers

argocd-image-updater/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - argocd.yaml
-  - manifests/secret.yaml

argocd/argocd.yaml

@@ -41,6 +41,9 @@ spec:
         duration: 5s
         factor: 2
         maxDuration: 3m
+    managedNamespaceMetadata:
+      labels:
+        goldilocks.fairwinds.com/enabled: 'true'
   # Ignore differences for self-managed resources
   ignoreDifferences:
     - group: ""

argocd/helm-values.yaml

@@ -53,7 +53,7 @@ controller:
   # Memory optimization environment variables
   env:
     - name: GOMEMLIMIT
-      value: "400MiB"
+      value: "800MiB"
     - name: GOGC
       value: "50"
 
@@ -61,13 +61,13 @@ controller:
   args:
     appResyncPeriod: "0"
 
-  # Resource settings
+  # Resource settings (no CPU limit for stability)
   resources:
     requests:
-      cpu: 250m
-      memory: 1700Mi
+      cpu: 22m
+      memory: 1388Mi
     limits:
-      memory: 1700Mi
+      memory: 1861Mi
 
 # =============================================================================
 # API SERVER (Deployment)
@@ -92,13 +92,13 @@ server:
       traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
     tls: true
 
-  # Resource settings
+  # Resource settings (no CPU limit for stability)
   resources:
     requests:
       cpu: 15m
-      memory: 138Mi
+      memory: 163Mi
     limits:
-      memory: 138Mi
+      memory: 218Mi
 
 # =============================================================================
 # REPO SERVER (Deployment)
@@ -113,17 +113,27 @@ repoServer:
     serviceMonitor:
       enabled: true
 
+  # Resource settings (no CPU limit for stability)
   resources:
     requests:
       cpu: 15m
-      memory: 1536Mi
+      memory: 225Mi
     limits:
-      memory: 1536Mi
+      memory: 1310Mi
+
+  # Probe settings (increase timeout for stability under load)
+  livenessProbe:
+    enabled: true
+    timeoutSeconds: 5
+  readinessProbe:
+    enabled: true
+    timeoutSeconds: 5
 
 # =============================================================================
 # REDIS (Deployment)
 # =============================================================================
 redis:
+  # Resource settings (no CPU limit for stability)
   resources:
     requests:
       cpu: 15m

argocd/image-updater-manifests/image-updater-secret.yaml

@@ -19,11 +19,11 @@ spec:
   data:
     - secretKey: USERNAME
       remoteRef:
-        key: zot
+        key: storage/zot
         property: USERNAME
     - secretKey: PASSWORD
       remoteRef:
-        key: zot
+        key: storage/zot
         property: PASSWORD
 ---
 apiVersion: external-secrets.io/v1
@@ -42,9 +42,41 @@ spec:
   data:
     - secretKey: username
       remoteRef:
-        key: github
+        key: platform/github
         property: username
     - secretKey: password
       remoteRef:
-        key: github
+        key: platform/github
+        property: password
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-creds
+  namespace: argocd
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-creds
+    creationPolicy: Owner
+    template:
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: repo-creds
+      data:
+        type: git
+        url: https://github0213.com
+        username: "{{ .username }}"
+        password: "{{ .password }}"
+  data:
+    - secretKey: username
+      remoteRef:
+        key: platform/gitea
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: platform/gitea
         property: password

argocd/image-updater.yaml

@@ -11,13 +11,13 @@ spec:
       targetRevision: 0.11.0
       helm:
         valueFiles:
-          - $values/argocd-image-updater/helm-values.yaml
+          - $values/argocd/image-updater-values.yaml
     - repoURL: https://github.com/K3S-HOME/platform.git
       targetRevision: main
       ref: values
     - repoURL: https://github.com/K3S-HOME/platform.git
       targetRevision: main
-      path: argocd-image-updater/manifests
+      path: argocd/image-updater-manifests
   destination:
     server: https://kubernetes.default.svc
     namespace: argocd

argocd/kustomization.yaml

@@ -3,6 +3,9 @@ kind: Kustomization
 resources:
   # ArgoCD Application (self-managed via Helm chart)
   - argocd.yaml
+  # ArgoCD Image Updater Application
+  - image-updater.yaml
   # Additional manifests (applied alongside Helm chart)
   - manifests/namespace.yaml
   - manifests/webhook-ingress.yaml
+  - manifests/priority-classes.yaml

cert-manager/helm-values.yaml

@@ -1,70 +0,0 @@
-# Cert-Manager Helm Values
-# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
-
-# Install CRDs with Helm
-installCRDs: true
-
-replicaCount: 1
-
-resources:
-  requests:
-    cpu: 23m
-    memory: 115Mi
-  limits:
-    memory: 115Mi
-
-webhook:
-  replicaCount: 1
-  resources:
-    requests:
-      cpu: 23m
-      memory: 115Mi
-    limits:
-      memory: 115Mi
-  # Affinity - Soft Anti-Affinity to spread pods across nodes
-  affinity:
-    podAntiAffinity:
-      preferredDuringSchedulingIgnoredDuringExecution:
-        - weight: 100
-          podAffinityTerm:
-            labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: cert-manager-webhook
-            topologyKey: kubernetes.io/hostname
-
-cainjector:
-  replicaCount: 1
-  resources:
-    requests:
-      cpu: 23m
-      memory: 230Mi
-    limits:
-      memory: 230Mi
-  # Affinity - Soft Anti-Affinity to spread pods across nodes
-  affinity:
-    podAntiAffinity:
-      preferredDuringSchedulingIgnoredDuringExecution:
-        - weight: 100
-          podAffinityTerm:
-            labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: cert-manager-cainjector
-            topologyKey: kubernetes.io/hostname
-
-# Affinity - Soft Anti-Affinity to spread pods across nodes
-affinity:
-  podAntiAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-      - weight: 100
-        podAffinityTerm:
-          labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: cert-manager
-          topologyKey: kubernetes.io/hostname
-
-# Prometheus metrics
-prometheus:
-  enabled: true
-  servicemonitor:
-    enabled: false
-

cert-manager/manifests/cluster-issuer.yaml

@@ -1,41 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    # Let's Encrypt Production 서버
-    # 실제 운영 환경에서 사용
-    # Rate limit: 50 certificates per registered domain per week
-    server: https://acme-v02.api.letsencrypt.org/directory
-
-    # 인증서 만료 알림을 받을 이메일 주소
-    email: bluemayne0213@icloud.com
-
-    # ACME 계정의 private key를 저장할 Secret 이름
-    privateKeySecretRef:
-      name: letsencrypt-prod
-
-    # HTTP-01 challenge를 사용하여 도메인 소유권 검증
-    # Traefik Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
-    solvers:
-    - http01:
-        ingress:
-          class: traefik
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    # Let's Encrypt Staging 서버
-    # 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit 없음
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: bluemayne0213@icloud.com
-    privateKeySecretRef:
-      name: letsencrypt-staging
-    solvers:
-    - http01:
-        ingress:
-          class: traefik

gitea/argocd.yaml

@@ -1,28 +1,28 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: cert-manager
+  name: gitea
   namespace: argocd
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   sources:
-  - repoURL: https://charts.jetstack.io
-    chart: cert-manager
-    targetRevision: v1.16.2
+  - repoURL: https://dl.gitea.com/charts/
+    chart: gitea
+    targetRevision: 12.4.0
     helm:
       valueFiles:
-      - $values/cert-manager/helm-values.yaml
+      - $values/gitea/helm-values.yaml
   - repoURL: https://github.com/K3S-HOME/platform.git
     targetRevision: main
     ref: values
   - repoURL: https://github.com/K3S-HOME/platform.git
     targetRevision: main
-    path: cert-manager
+    path: gitea
   destination:
     server: https://kubernetes.default.svc
-    namespace: cert-manager
+    namespace: gitea
   syncPolicy:
     automated:
       prune: true

gitea/helm-values.yaml

@@ -0,0 +1,137 @@
+# Gitea Helm Chart Values
+# Self-contained deployment with SQLite and local-path storage
+
+# =============================================================================
+# DISABLE ALL EXTERNAL DEPENDENCIES
+# =============================================================================
+postgresql-ha:
+  enabled: false
+
+postgresql:
+  enabled: false
+
+valkey-cluster:
+  enabled: false
+
+valkey:
+  enabled: false
+
+# =============================================================================
+# PERSISTENCE - local-path StorageClass
+# =============================================================================
+persistence:
+  enabled: true
+  create: true
+  mount: true
+  size: 10Gi
+  accessModes:
+  - ReadWriteOnce
+  storageClass: local-path-retain
+  annotations:
+    helm.sh/resource-policy: keep
+
+# =============================================================================
+# ADMIN USER
+# =============================================================================
+gitea:
+  admin:
+    existingSecret: gitea-admin-secret
+    username: Mayne0213
+    email: bluemayne0213@icloud.com
+    passwordMode: keepUpdated
+
+  # Gitea configuration (app.ini)
+  config:
+    APP_NAME: Gitea - K3S-HOME
+
+    server:
+      DOMAIN: github0213.com
+      ROOT_URL: https://github0213.com
+      HTTP_PORT: 3000
+      SSH_DOMAIN: github0213.com
+      SSH_PORT: 22
+      SSH_LISTEN_PORT: 2222
+      LFS_START_SERVER: true
+
+    database:
+      DB_TYPE: sqlite3
+      PATH: /data/gitea/gitea.db
+      SQLITE_TIMEOUT: 500
+      SQLITE_JOURNAL_MODE: WAL
+
+    session:
+      PROVIDER: memory
+
+    cache:
+      ADAPTER: memory
+
+    queue:
+      TYPE: level
+
+    security:
+      INSTALL_LOCK: true
+
+    service:
+      DISABLE_REGISTRATION: false
+      REQUIRE_SIGNIN_VIEW: false
+      DEFAULT_KEEP_EMAIL_PRIVATE: true
+
+    log:
+      MODE: console
+      LEVEL: info
+
+    actions:
+      ENABLED: true
+      DEFAULT_ACTIONS_URL: github
+
+# =============================================================================
+# INGRESS
+# =============================================================================
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+  - host: github0213.com
+    paths:
+    - path: /
+      pathType: Prefix
+  tls:
+  - secretName: github-tls
+    hosts:
+    - github0213.com
+
+# =============================================================================
+# RESOURCES (no CPU limit for stability)
+# =============================================================================
+resources:
+  requests:
+    cpu: 15m
+    memory: 247Mi
+  limits:
+    memory: 333Mi
+
+# =============================================================================
+# POD CONFIGURATION
+# =============================================================================
+strategy:
+  type: Recreate
+
+tolerations:
+- key: node-role.kubernetes.io/control-plane
+  operator: Exists
+  effect: NoSchedule
+
+nodeSelector:
+  node-role.kubernetes.io/control-plane: "true"
+
+priorityClassName: high-priority
+
+# =============================================================================
+# SSH SERVICE
+# =============================================================================
+service:
+  ssh:
+    type: ClusterIP
+    port: 22

gitea/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- manifests/cluster-issuer.yaml
+- redirect.yaml
+namespace: gitea

gitea/redirect.yaml

@@ -0,0 +1,70 @@
+# Traefik Middleware for GitHub redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-github
+  namespace: gitea
+spec:
+  redirectRegex:
+    regex: ".*"
+    replacement: "https://github.com/mayne0213"
+    permanent: true
+---
+# IngressRoute for HTTPS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-redirect-https
+  namespace: gitea
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea0213.kro.kr`) || Host(`www.gitea0213.kro.kr`)
+      kind: Rule
+      middlewares:
+        - name: redirect-to-github
+      services:
+        - name: noop@internal
+          kind: TraefikService
+  tls:
+    secretName: gitea-tls
+    domains:
+      - main: gitea0213.kro.kr
+        sans:
+          - www.gitea0213.kro.kr
+---
+# IngressRoute for HTTP (redirect to HTTPS first, then to GitHub)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-redirect-http
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`gitea0213.kro.kr`) || Host(`www.gitea0213.kro.kr`)
+      kind: Rule
+      middlewares:
+        - name: redirect-to-github
+      services:
+        - name: noop@internal
+          kind: TraefikService
+---
+# Certificate for TLS
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-certificate
+  namespace: gitea
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+    - gitea0213.kro.kr
+    - www.gitea0213.kro.kr

kustomization.yaml

@@ -6,8 +6,13 @@ resources:
   - application.yaml
 
   # Core infrastructure
-  - priority-classes/argocd.yaml
-  - cert-manager/argocd.yaml
   - traefik/argocd.yaml
-  - argocd-image-updater/argocd.yaml
   - argocd/argocd.yaml
+  - argocd/image-updater.yaml
+  - gitea/argocd.yaml
+
+  # Tekton CI/CD Platform
+  - tekton/pipeline/argocd.yaml
+  - tekton/triggers/argocd.yaml
+  - tekton/dashboard/argocd.yaml
+  - tekton/ci-cd/argocd.yaml

priority-classes/argocd.yaml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: priority-classes
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://github.com/K3S-HOME/platform.git
-    targetRevision: HEAD
-    path: priority-classes/manifests
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true

priority-classes/manifests/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - priority-classes.yaml

tekton/ci-cd/argocd.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-ci-cd
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  project: default
+  source:
+    repoURL: https://github0213.com/K3S-HOME/platform.git
+    targetRevision: main
+    path: tekton/ci-cd/manifests
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tekton-pipelines
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10

tekton/ci-cd/manifests/cleanup-cronjob.yaml

@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: tekton-cleanup
+  namespace: tekton-pipelines
+spec:
+  schedule: "0 * * * *"  # Every hour
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 300
+      template:
+        spec:
+          serviceAccountName: tekton-triggers-sa
+          containers:
+          - name: cleanup
+            image: bitnami/kubectl:latest
+            command:
+            - /bin/sh
+            - -c
+            - |
+              echo "Cleaning up completed PipelineRuns older than 1 hour..."
+              kubectl get pipelineruns -n tekton-pipelines \
+                -o jsonpath='{range .items[?(@.status.conditions[0].status=="True")]}{.metadata.name}{" "}{.metadata.creationTimestamp}{"\n"}{end}' | \
+              while read name timestamp; do
+                if [ -n "$name" ]; then
+                  age=$(( ($(date +%s) - $(date -d "$timestamp" +%s 2>/dev/null || date -j -f "%Y-%m-%dT%H:%M:%SZ" "$timestamp" +%s)) / 60 ))
+                  if [ "$age" -gt 60 ]; then
+                    echo "Deleting PipelineRun: $name (age: ${age}m)"
+                    kubectl delete pipelinerun "$name" -n tekton-pipelines
+                  fi
+                fi
+              done
+              echo "Cleanup complete"
+          restartPolicy: OnFailure

tekton/ci-cd/manifests/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # Secrets
+  - secrets/zot-registry-secret.yaml
+  - secrets/gitea-credentials.yaml
+  # Tasks
+  - tasks/git-clone.yaml
+  - tasks/buildah-build-push.yaml
+  # Pipelines
+  - pipelines/nextjs-pipeline.yaml
+  - pipelines/fastapi-pipeline.yaml
+  - pipelines/python-pipeline.yaml
+  # Triggers
+  - triggers/
+  # Cleanup
+  - cleanup-cronjob.yaml

tekton/ci-cd/manifests/pipelines/fastapi-pipeline.yaml

@@ -0,0 +1,61 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: fastapi-build-deploy
+  namespace: tekton-pipelines
+spec:
+  description: Build FastAPI app and push to Zot registry
+  params:
+    - name: git-url
+      description: Git repository URL
+      type: string
+    - name: git-revision
+      description: Git revision (branch/tag/sha)
+      type: string
+      default: main
+    - name: app-name
+      description: Application name
+      type: string
+    - name: context-dir
+      description: Docker build context directory
+      type: string
+      default: ./fastapi
+  workspaces:
+    - name: shared-workspace
+      description: Shared workspace for all tasks
+    - name: docker-credentials
+      description: Docker registry credentials
+  tasks:
+    - name: clone
+      taskRef:
+        name: git-clone
+      params:
+        - name: url
+          value: $(params.git-url)
+        - name: revision
+          value: $(params.git-revision)
+        - name: deleteExisting
+          value: "true"
+      workspaces:
+        - name: output
+          workspace: shared-workspace
+
+    - name: build-push
+      taskRef:
+        name: buildah-build-push
+      runAfter:
+        - clone
+      params:
+        - name: IMAGE
+          value: zot0213.kro.kr/$(params.app-name)
+        - name: TAG
+          value: $(params.git-revision)
+        - name: DOCKERFILE
+          value: ./Dockerfile
+        - name: CONTEXT
+          value: $(params.context-dir)
+      workspaces:
+        - name: source
+          workspace: shared-workspace
+        - name: dockerconfig
+          workspace: docker-credentials

tekton/ci-cd/manifests/pipelines/nextjs-pipeline.yaml

@@ -0,0 +1,67 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: nextjs-build-deploy
+  namespace: tekton-pipelines
+spec:
+  description: Build Next.js app and push to Zot registry
+  params:
+    - name: git-url
+      description: Git repository URL
+      type: string
+    - name: git-revision
+      description: Git revision (branch/tag/sha)
+      type: string
+      default: main
+    - name: app-name
+      description: Application name
+      type: string
+    - name: context-dir
+      description: Docker build context directory
+      type: string
+      default: ./nextjs
+    - name: build-args
+      description: Build arguments (key=value format, one per line)
+      type: string
+      default: ""
+  workspaces:
+    - name: shared-workspace
+      description: Shared workspace for all tasks
+    - name: docker-credentials
+      description: Docker registry credentials
+  tasks:
+    - name: clone
+      taskRef:
+        name: git-clone
+      params:
+        - name: url
+          value: $(params.git-url)
+        - name: revision
+          value: $(params.git-revision)
+        - name: deleteExisting
+          value: "true"
+      workspaces:
+        - name: output
+          workspace: shared-workspace
+
+    - name: build-push
+      taskRef:
+        name: buildah-build-push
+      runAfter:
+        - clone
+      params:
+        - name: IMAGE
+          value: zot0213.kro.kr/$(params.app-name)
+        - name: TAG
+          value: $(params.git-revision)
+        - name: DOCKERFILE
+          value: ./Dockerfile
+        - name: CONTEXT
+          value: $(params.context-dir)
+        - name: BUILD_ARGS
+          value: $(params.build-args)
+      workspaces:
+        - name: source
+          workspace: shared-workspace
+        - name: dockerconfig
+          workspace: docker-credentials

tekton/ci-cd/manifests/pipelines/python-pipeline.yaml

@@ -0,0 +1,61 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: python-build-deploy
+  namespace: tekton-pipelines
+spec:
+  description: Build Python app (LangGraph/Chainlit) and push to Zot registry
+  params:
+    - name: git-url
+      description: Git repository URL
+      type: string
+    - name: git-revision
+      description: Git revision (branch/tag/sha)
+      type: string
+      default: main
+    - name: app-name
+      description: Application name
+      type: string
+    - name: context-dir
+      description: Docker build context directory
+      type: string
+      default: ./langgraph
+  workspaces:
+    - name: shared-workspace
+      description: Shared workspace for all tasks
+    - name: docker-credentials
+      description: Docker registry credentials
+  tasks:
+    - name: clone
+      taskRef:
+        name: git-clone
+      params:
+        - name: url
+          value: $(params.git-url)
+        - name: revision
+          value: $(params.git-revision)
+        - name: deleteExisting
+          value: "true"
+      workspaces:
+        - name: output
+          workspace: shared-workspace
+
+    - name: build-push
+      taskRef:
+        name: buildah-build-push
+      runAfter:
+        - clone
+      params:
+        - name: IMAGE
+          value: zot0213.kro.kr/$(params.app-name)
+        - name: TAG
+          value: $(params.git-revision)
+        - name: DOCKERFILE
+          value: ./Dockerfile
+        - name: CONTEXT
+          value: $(params.context-dir)
+      workspaces:
+        - name: source
+          workspace: shared-workspace
+        - name: dockerconfig
+          workspace: docker-credentials

tekton/ci-cd/manifests/secrets/gitea-credentials.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-credentials
+  namespace: tekton-pipelines
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-credentials
+    creationPolicy: Owner
+  data:
+    - secretKey: username
+      remoteRef:
+        key: platform/gitea
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: platform/gitea
+        property: password

tekton/ci-cd/manifests/secrets/zot-registry-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: zot-registry-credentials
+  namespace: tekton-pipelines
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: zot-registry-credentials
+    creationPolicy: Owner
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |
+          {"auths":{"zot0213.kro.kr":{"username":"{{ .USERNAME }}","password":"{{ .PASSWORD }}","auth":"{{ printf "%s:%s" .USERNAME .PASSWORD | b64enc }}"}}}
+  data:
+    - secretKey: USERNAME
+      remoteRef:
+        key: storage/zot
+        property: USERNAME
+    - secretKey: PASSWORD
+      remoteRef:
+        key: storage/zot
+        property: PASSWORD

tekton/ci-cd/manifests/tasks/buildah-build-push.yaml

@@ -0,0 +1,90 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: buildah-build-push
+  namespace: tekton-pipelines
+spec:
+  description: Build container image with Buildah and push as OCI manifest list
+  params:
+    - name: IMAGE
+      description: Image reference without tag (registry/repo)
+      type: string
+    - name: TAG
+      description: Image tag (e.g., commit SHA or branch)
+      type: string
+      default: latest
+    - name: DOCKERFILE
+      description: Path to Dockerfile
+      type: string
+      default: ./Dockerfile
+    - name: CONTEXT
+      description: Build context directory
+      type: string
+      default: .
+    - name: BUILD_ARGS
+      description: Build arguments (key=value format, one per line)
+      type: string
+      default: ""
+  workspaces:
+    - name: source
+      description: Source code workspace
+    - name: dockerconfig
+      description: Docker config for registry auth
+      optional: true
+  results:
+    - name: IMAGE_DIGEST
+      description: Digest of built image
+    - name: IMAGE_URL
+      description: Full URL of pushed image with digest
+  steps:
+    - name: build-and-push
+      image: quay.io/buildah/stable:v1.33
+      securityContext:
+        privileged: true
+      workingDir: $(workspaces.source.path)
+      env:
+        - name: BUILD_ARGS
+          value: $(params.BUILD_ARGS)
+      script: |
+        #!/usr/bin/env bash
+        set -ex
+
+        IMAGE="$(params.IMAGE)"
+        TAG="$(params.TAG)"
+        REGISTRY=$(echo "$IMAGE" | cut -d'/' -f1)
+        DOCKER_CONFIG="$(workspaces.dockerconfig.path)/.dockerconfigjson"
+
+        # Login to registry
+        if [ -f "$DOCKER_CONFIG" ]; then
+          USER=$(sed -n 's/.*"username":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG")
+          PASS=$(sed -n 's/.*"password":"\([^"]*\)".*/\1/p' "$DOCKER_CONFIG")
+          buildah login -u "$USER" -p "$PASS" "$REGISTRY"
+        fi
+
+        # Parse build args
+        BUILD_ARGS_FLAGS=""
+        while IFS= read -r line; do
+          [ -n "$line" ] && BUILD_ARGS_FLAGS="$BUILD_ARGS_FLAGS --build-arg $line"
+        done <<< "$BUILD_ARGS"
+
+        # Build OCI image
+        buildah bud --platform linux/arm64 --format oci \
+          -f $(params.DOCKERFILE) -t localhost/build:local $BUILD_ARGS_FLAGS $(params.CONTEXT)
+
+        # Create and push manifest list with :latest tag
+        buildah manifest create ${IMAGE}:latest
+        buildah manifest add ${IMAGE}:latest localhost/build:local
+        buildah manifest push --all --digestfile /tmp/image-digest \
+          ${IMAGE}:latest docker://${IMAGE}:latest
+
+        # Also push with specific tag if not 'latest'
+        if [ "$TAG" != "latest" ]; then
+          buildah manifest create ${IMAGE}:${TAG}
+          buildah manifest add ${IMAGE}:${TAG} localhost/build:local
+          buildah manifest push --all ${IMAGE}:${TAG} docker://${IMAGE}:${TAG}
+        fi
+
+        # Output results
+        DIGEST=$(cat /tmp/image-digest)
+        echo -n "$DIGEST" | tee $(results.IMAGE_DIGEST.path)
+        echo -n "${IMAGE}:latest@${DIGEST}" | tee $(results.IMAGE_URL.path)

tekton/ci-cd/manifests/tasks/git-clone.yaml

@@ -0,0 +1,57 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: git-clone
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/version: "1.0"
+spec:
+  description: Clone a git repository using standard git
+  workspaces:
+    - name: output
+      description: The git repo will be cloned onto the volume backing this Workspace.
+  params:
+    - name: url
+      description: Repository URL to clone from.
+      type: string
+    - name: revision
+      description: Revision to checkout (branch, tag, sha, ref).
+      type: string
+      default: "main"
+    - name: depth
+      description: Perform a shallow clone, fetching only the most recent N commits.
+      type: string
+      default: "1"
+    - name: deleteExisting
+      description: Clean out the contents of the destination directory if it already exists.
+      type: string
+      default: "true"
+  results:
+    - name: commit
+      description: The precise commit SHA that was fetched by this Task.
+    - name: url
+      description: The precise URL that was fetched by this Task.
+  steps:
+    - name: clone
+      image: alpine/git:latest
+      script: |
+        #!/bin/sh
+        set -ex
+
+        CHECKOUT_DIR="$(workspaces.output.path)"
+
+        if [ "$(params.deleteExisting)" = "true" ] && [ -d "${CHECKOUT_DIR}" ]; then
+          rm -rf "${CHECKOUT_DIR:?}/"* || true
+          rm -rf "${CHECKOUT_DIR}"/.[!.]* || true
+        fi
+
+        cd "${CHECKOUT_DIR}"
+
+        git clone --depth="$(params.depth)" --branch="$(params.revision)" \
+          "$(params.url)" .
+
+        RESULT_SHA="$(git rev-parse HEAD)"
+        printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
+        printf "%s" "$(params.url)" > "$(results.url.path)"
+
+        echo "Cloned $(params.url) at ${RESULT_SHA}"

tekton/ci-cd/manifests/triggers/eventlistener.yaml

@@ -0,0 +1,138 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: gitea-listener
+  namespace: tekton-pipelines
+spec:
+  serviceAccountName: tekton-triggers-sa
+  triggers:
+    - name: gitea-push-nextjs
+      interceptors:
+        - ref:
+            name: "github"
+          params:
+            - name: "secretRef"
+              value:
+                secretName: gitea-webhook-secret
+                secretKey: webhook-secret
+            - name: "eventTypes"
+              value: ["push"]
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.ref.startsWith('refs/heads/main')"
+            - name: "overlays"
+              value:
+                - key: branch_name
+                  expression: "body.ref.split('/')[2]"
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.repository.name in ['jovies', 'jotion', 'jaejadle', 'portfolio', 'todo']"
+      bindings:
+        - ref: gitea-push-binding
+      template:
+        ref: nextjs-build-template
+    - name: gitea-push-fastapi
+      interceptors:
+        - ref:
+            name: "github"
+          params:
+            - name: "secretRef"
+              value:
+                secretName: gitea-webhook-secret
+                secretKey: webhook-secret
+            - name: "eventTypes"
+              value: ["push"]
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.ref.startsWith('refs/heads/main')"
+            - name: "overlays"
+              value:
+                - key: branch_name
+                  expression: "body.ref.split('/')[2]"
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.repository.name in ['joossam', 'mas']"
+      bindings:
+        - ref: gitea-push-binding
+      template:
+        ref: fastapi-build-template
+    # Develop branch triggers for -dev deployments
+    - name: gitea-push-nextjs-dev
+      interceptors:
+        - ref:
+            name: "github"
+          params:
+            - name: "secretRef"
+              value:
+                secretName: gitea-webhook-secret
+                secretKey: webhook-secret
+            - name: "eventTypes"
+              value: ["push"]
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.ref.startsWith('refs/heads/develop')"
+            - name: "overlays"
+              value:
+                - key: branch_name
+                  expression: "body.ref.split('/')[2]"
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.repository.name in ['jaejadle']"
+      bindings:
+        - ref: gitea-push-binding
+      template:
+        ref: nextjs-dev-build-template
+    - name: gitea-push-fastapi-dev
+      interceptors:
+        - ref:
+            name: "github"
+          params:
+            - name: "secretRef"
+              value:
+                secretName: gitea-webhook-secret
+                secretKey: webhook-secret
+            - name: "eventTypes"
+              value: ["push"]
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.ref.startsWith('refs/heads/develop')"
+            - name: "overlays"
+              value:
+                - key: branch_name
+                  expression: "body.ref.split('/')[2]"
+        - ref:
+            name: "cel"
+          params:
+            - name: "filter"
+              value: "body.repository.name in ['joossam']"
+      bindings:
+        - ref: gitea-push-binding
+      template:
+        ref: fastapi-dev-build-template
+  resources:
+    kubernetesResource:
+      spec:
+        template:
+          spec:
+            serviceAccountName: tekton-triggers-sa
+            containers:
+              - resources:
+                  requests:
+                    memory: "128Mi"
+                    cpu: "50m"
+                  limits:
+                    memory: "128Mi"

tekton/ci-cd/manifests/triggers/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tekton-triggers-ingress
+  namespace: tekton-pipelines
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - tekton0213.kro.kr
+      secretName: tekton-triggers-tls
+  rules:
+    - host: tekton0213.kro.kr
+      http:
+        paths:
+          - path: /hooks
+            pathType: Prefix
+            backend:
+              service:
+                name: el-gitea-listener
+                port:
+                  number: 8080

tekton/ci-cd/manifests/triggers/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - rbac.yaml
+  - secret.yaml
+  - triggerbinding.yaml
+  - triggertemplate.yaml
+  - eventlistener.yaml
+  - ingress.yaml

tekton/ci-cd/manifests/triggers/rbac.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-triggers-sa
+  namespace: tekton-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tekton-triggers-role
+  namespace: tekton-pipelines
+rules:
+  - apiGroups: ["triggers.tekton.dev"]
+    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelineruns", "pipelineresources"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps", "secrets", "serviceaccounts"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["create", "delete", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-rolebinding
+  namespace: tekton-pipelines
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-sa
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: tekton-triggers-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tekton-triggers-clusterrole
+rules:
+  - apiGroups: ["triggers.tekton.dev"]
+    resources: ["clustertriggerbindings", "clusterinterceptors"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-triggers-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-sa
+    namespace: tekton-pipelines
+roleRef:
+  kind: ClusterRole
+  name: tekton-triggers-clusterrole
+  apiGroup: rbac.authorization.k8s.io

tekton/ci-cd/manifests/triggers/secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-webhook-secret
+  namespace: tekton-pipelines
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: gitea-webhook-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: webhook-secret
+      remoteRef:
+        key: platform/tekton
+        property: GITEA_WEBHOOK_SECRET

tekton/ci-cd/manifests/triggers/triggerbinding.yaml

@@ -0,0 +1,17 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+  name: gitea-push-binding
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: git-url
+      value: $(body.repository.clone_url)
+    - name: git-revision
+      value: $(body.after)
+    - name: git-branch
+      value: $(extensions.branch_name)
+    - name: repo-name
+      value: $(body.repository.name)
+    - name: repo-full-name
+      value: $(body.repository.full_name)

tekton/ci-cd/manifests/triggers/triggertemplate.yaml

@@ -0,0 +1,219 @@
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: nextjs-build-template
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: git-url
+      description: Git repository URL
+    - name: git-revision
+      description: Git commit SHA
+    - name: git-branch
+      description: Git branch name
+    - name: repo-name
+      description: Repository name
+    - name: repo-full-name
+      description: Full repository name (org/repo)
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1
+      kind: PipelineRun
+      metadata:
+        generateName: $(tt.params.repo-name)-build-
+        namespace: tekton-pipelines
+        labels:
+          tekton.dev/pipeline: nextjs-build-deploy
+          app: $(tt.params.repo-name)
+          branch: $(tt.params.git-branch)
+      spec:
+        timeouts:
+          pipeline: 30m
+        pipelineRef:
+          name: nextjs-build-deploy
+        params:
+          - name: git-url
+            value: $(tt.params.git-url)
+          - name: git-revision
+            value: $(tt.params.git-branch)
+          - name: app-name
+            value: $(tt.params.repo-name)
+          - name: context-dir
+            value: ./nextjs
+        workspaces:
+          - name: shared-workspace
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                storageClassName: local-path
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: docker-credentials
+            secret:
+              secretName: zot-registry-credentials
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: nextjs-dev-build-template
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: git-url
+      description: Git repository URL
+    - name: git-revision
+      description: Git commit SHA
+    - name: git-branch
+      description: Git branch name
+    - name: repo-name
+      description: Repository name
+    - name: repo-full-name
+      description: Full repository name (org/repo)
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1
+      kind: PipelineRun
+      metadata:
+        generateName: $(tt.params.repo-name)-dev-build-
+        namespace: tekton-pipelines
+        labels:
+          tekton.dev/pipeline: nextjs-build-deploy
+          app: $(tt.params.repo-name)-dev
+          branch: $(tt.params.git-branch)
+      spec:
+        timeouts:
+          pipeline: 30m
+        pipelineRef:
+          name: nextjs-build-deploy
+        params:
+          - name: git-url
+            value: $(tt.params.git-url)
+          - name: git-revision
+            value: $(tt.params.git-branch)
+          - name: app-name
+            value: $(tt.params.repo-name)-dev
+          - name: context-dir
+            value: ./nextjs
+        workspaces:
+          - name: shared-workspace
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                storageClassName: local-path
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: docker-credentials
+            secret:
+              secretName: zot-registry-credentials
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: fastapi-build-template
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: git-url
+      description: Git repository URL
+    - name: git-revision
+      description: Git commit SHA
+    - name: git-branch
+      description: Git branch name
+    - name: repo-name
+      description: Repository name
+    - name: repo-full-name
+      description: Full repository name (org/repo)
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1
+      kind: PipelineRun
+      metadata:
+        generateName: $(tt.params.repo-name)-build-
+        namespace: tekton-pipelines
+        labels:
+          tekton.dev/pipeline: fastapi-build-deploy
+          app: $(tt.params.repo-name)
+          branch: $(tt.params.git-branch)
+      spec:
+        timeouts:
+          pipeline: 30m
+        pipelineRef:
+          name: fastapi-build-deploy
+        params:
+          - name: git-url
+            value: $(tt.params.git-url)
+          - name: git-revision
+            value: $(tt.params.git-branch)
+          - name: app-name
+            value: $(tt.params.repo-name)
+          - name: context-dir
+            value: ./fastapi
+        workspaces:
+          - name: shared-workspace
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                storageClassName: local-path
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: docker-credentials
+            secret:
+              secretName: zot-registry-credentials
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: fastapi-dev-build-template
+  namespace: tekton-pipelines
+spec:
+  params:
+    - name: git-url
+      description: Git repository URL
+    - name: git-revision
+      description: Git commit SHA
+    - name: git-branch
+      description: Git branch name
+    - name: repo-name
+      description: Repository name
+    - name: repo-full-name
+      description: Full repository name (org/repo)
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1
+      kind: PipelineRun
+      metadata:
+        generateName: $(tt.params.repo-name)-dev-build-
+        namespace: tekton-pipelines
+        labels:
+          tekton.dev/pipeline: fastapi-build-deploy
+          app: $(tt.params.repo-name)-dev
+          branch: $(tt.params.git-branch)
+      spec:
+        timeouts:
+          pipeline: 30m
+        pipelineRef:
+          name: fastapi-build-deploy
+        params:
+          - name: git-url
+            value: $(tt.params.git-url)
+          - name: git-revision
+            value: $(tt.params.git-branch)
+          - name: app-name
+            value: $(tt.params.repo-name)-dev
+          - name: context-dir
+            value: ./fastapi
+        workspaces:
+          - name: shared-workspace
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                storageClassName: local-path
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: docker-credentials
+            secret:
+              secretName: zot-registry-credentials

tekton/dashboard/argocd.yaml

@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-dashboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github0213.com/K3S-HOME/platform.git
+    targetRevision: main
+    path: tekton/dashboard
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tekton-pipelines
+  ignoreDifferences:
+  - group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    jsonPointers:
+    - /status
+    - /spec/preserveUnknownFields
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    - RespectIgnoreDifferences=true
+    - Replace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10

tekton/dashboard/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://infra.tekton.dev/tekton-releases/dashboard/latest/release-full.yaml
+- manifests/ingress.yaml
+
+patches:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+  patch: |-
+    - op: replace
+      path: /metadata/labels/app.kubernetes.io~1instance
+      value: tekton-dashboard

tekton/dashboard/manifests/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tekton-dashboard
+  namespace: tekton-pipelines
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - tekton0213.kro.kr
+    secretName: tekton-dashboard-tls
+  rules:
+  - host: tekton0213.kro.kr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: tekton-dashboard
+            port:
+              number: 9097

tekton/pipeline/argocd.yaml

@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-pipeline
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github0213.com/K3S-HOME/platform.git
+    targetRevision: main
+    path: tekton/pipeline
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tekton-pipelines
+  ignoreDifferences:
+  - group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    jsonPointers:
+    - /status
+    - /spec/preserveUnknownFields
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    - RespectIgnoreDifferences=true
+    - Replace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+        pod-security.kubernetes.io/warn: privileged
+        goldilocks.fairwinds.com/enabled: 'true'
+  revisionHistoryLimit: 10

tekton/pipeline/kustomization.yaml

@@ -0,0 +1,43 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+
+patches:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+  patch: |-
+    - op: replace
+      path: /metadata/labels/app.kubernetes.io~1instance
+      value: tekton-pipeline
+- target:
+    version: v1
+    kind: Namespace
+    name: tekton-pipelines
+  patch: |-
+    - op: replace
+      path: /metadata/labels/pod-security.kubernetes.io~1enforce
+      value: privileged
+    - op: add
+      path: /metadata/labels/pod-security.kubernetes.io~1warn
+      value: privileged
+# Remove CPU limits for stability
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: tekton-pipelines-webhook
+  patch: |-
+    - op: remove
+      path: /spec/template/spec/containers/0/resources/limits/cpu
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: tekton-pipelines-remote-resolvers
+  patch: |-
+    - op: remove
+      path: /spec/template/spec/containers/0/resources/limits/cpu

tekton/triggers/argocd.yaml

@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tekton-triggers
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github0213.com/K3S-HOME/platform.git
+    targetRevision: main
+    path: tekton/triggers
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: tekton-pipelines
+  ignoreDifferences:
+  - group: apiextensions.k8s.io
+    kind: CustomResourceDefinition
+    jsonPointers:
+    - /status
+    - /spec/preserveUnknownFields
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    - RespectIgnoreDifferences=true
+    - Replace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10

tekton/triggers/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
+- https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
+
+patches:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+  patch: |-
+    - op: replace
+      path: /metadata/labels/app.kubernetes.io~1instance
+      value: tekton-triggers

traefik/helm-values.yaml

@@ -28,39 +28,17 @@ spec:
                   app.kubernetes.io/name: traefik
               topologyKey: kubernetes.io/hostname
 
-    # Control-plane 노드에도 배치 허용
-    tolerations:
-      - key: node-role.kubernetes.io/control-plane
-        operator: Exists
-
-    # Traefik Dashboard 활성화
-    dashboard:
-      enabled: true
-
-    # API 활성화 (Dashboard에서 필요)
-    api:
-      dashboard: true
-
     # Cross-namespace middleware 허용
     providers:
       kubernetesCRD:
         allowCrossNamespace: true
 
-    # CLI 추가 인자
-    additionalArguments:
-      - "--api.insecure=true"
-
     # ports 설정
     ports:
       traefik:
         expose:
           default: true
 
-    # svclb tolerations for control-plane node
-    service:
-      annotations:
-        svccontroller.k3s.cattle.io/tolerations: '[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]'
-
     # Prometheus metrics
     metrics:
       prometheus: