# Set to false to skip ClusterRole and ClusterRoleBinding installation
# Useful when RBAC is managed separately by cluster admins
# When true, whoever installs the chart needs permission to create
# cluster-scoped RBAC objects.
createClusterRoles: true
# Create aggregated roles that extend existing cluster roles
# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
# NOTE(review): aggregation adds rules to roles that already exist in the
# cluster, so every holder of those roles gains the added permissions; check
# which roles the chart's templates aggregate into before leaving this on.
createAggregateRoles: true
# Namespace settings.
# NOTE(review): indentation is lost in this listing; name, create and labels
# are presumably children of namespace, and the two entries after labels its
# children - confirm against the chart.
namespace:
name: tekton-pipelines
create: true
labels:
# Pod Security Admission label: pods in a namespace carrying it must meet the
# "restricted" Pod Security Standard or they are rejected.
pod-security.kubernetes.io/enforce: restricted
app.kubernetes.io/part-of: tekton-pipelines
# Credentials for git and for container registries.
# Anything filled in here is stored in plain text wherever this values file is
# kept, so leave password and configJson empty in version control and supply
# them at install time from a secret store.
# NOTE(review): how the chart turns these values into Secrets is not visible
# in this file - confirm in the templates.
auth:
git:
# NOTE(review): "admin" looks like a placeholder default; set the account that
# actually owns the password or token.
username: "admin"
password: ""
url: https://github.com
docker:
# if specified use the docker config.json style secret like this:
# https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#configuring-docker-authentication-for-docker
# A config.json holds registry credentials; treat the value as a secret.
configJson: ""
# Service account settings.
# NOTE(review): which service account this controls is not visible in this
# file. Annotations on a service account are commonly used to bind a cloud IAM
# identity to it; grant such an identity only what the pipelines need.
serviceaccount:
enabled: true
# Empty by default: no annotations are added.
annotations: {}
# Values for tekton-pipelines-controller
# Every image below is referenced by tag and by sha256 digest. The digest fixes
# the exact image content, so keep a digest when overriding any of these values.
controller:
deployment:
image: ghcr.io/tektoncd/pipeline/controller-10a3e32792f33651396d02b6855a6e36:v1.9.2@sha256:a6833aa4bd352d33335d4a9329fce13e44407773c703d71099aa07d0f2846826
labels: {}
# NOTE(review): judging by their names these are the helper images Tekton uses
# inside TaskRun pods - confirm how the chart passes them to the controller.
images:
entrypoint: "ghcr.io/tektoncd/pipeline/entrypoint-bff0a22da108bc2f16c818c97641a296:v1.9.2@sha256:f9b98c1f7fc4a747dc0d118def8bbde58c81da31c5d80e2d70f7f67b2cf16982"
nop: "ghcr.io/tektoncd/pipeline/nop-8eac7c133edad5df719dc37b36b62482:v1.9.2@sha256:5a125c13f79fe80d09eca799293efa775ba37aed1322a18a49f11052401dac21"
sidecarlogresults: "ghcr.io/tektoncd/pipeline/sidecarlogresults-7501c6a20d741631510a448b48ab098f:v1.9.2@sha256:0623a2085539a1aac38c2b89da59cc544839c7085684861e24737068a80acaa0"
workingdirinit: "ghcr.io/tektoncd/pipeline/workingdirinit-0c558922ec6a1b739e550e349f2d5fc1:v1.9.2@sha256:57f4e62abb27e460ec1cef38c911ab9b53ca5f3757b88828e8d2c24e5718112e"
shellImage: "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791"
shellImageWin: "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6"
pod:
labels: {}
annotations: {}
# specifies the name of an optional kubernetes secret to mount environment variables from for things like HTTP proxy
# NOTE(review): presumably every key of this Secret becomes an environment
# variable of the pod; keep only what the controller needs in it.
envFromSecret: "tekton-env"
# Add node affinity tolerations for tekton-pipeline-controller. Add additional matchExpressions below. Default is set.
# The default term keeps the pod off nodes whose kubernetes.io/os label is
# "windows".
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
tolerations: []
nodeSelector: {}
# Empty by default: no CPU or memory requests or limits are set here.
resources: {}
# Values for tekton-pipelines-webhook
webhook:
deployment:
# Referenced by tag and by sha256 digest; the digest fixes the exact image
# content, so keep a digest when overriding this value.
image: ghcr.io/tektoncd/pipeline/webhook-d4749e605405422fd87700164e31b2d1:v1.9.2@sha256:60189c3482571001d2be2f3cb5b9ca41a10b885fe12e743847ebe0f5ccfb788a
labels: {}
pod:
labels: {}
# specifies the name of an optional kubernetes secret to mount environment variables from for things like HTTP proxy
# NOTE(review): presumably every key of this Secret becomes an environment
# variable of the pod; keep only what the webhook needs in it.
envFromSecret: "tekton-env"
# Add node affinity tolerations for tekton-pipelines-webhook. Add additional matchExpressions below. Default is set.
# The default term keeps the pod off nodes whose kubernetes.io/os label is
# "windows".
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values:
- windows
tolerations: []
nodeSelector: {}
# Values to amend tekton-pipelines-remote-resolvers
remoteresolver:
deployment:
# Referenced by tag and by sha256 digest; the digest fixes the exact image
# content, so keep a digest when overriding this value.
image: ghcr.io/tektoncd/pipeline/resolvers-ff86b24f130c42b88983d3c13993056d:v1.9.2@sha256:e83af2b69c5546ad6bfca67c2903ce92ef6012c1b3bcab54b5c7b38121228a58
# Empty by default: no affinity rules, tolerations or node selector are set.
affinity: {}
tolerations: []
nodeSelector: {}
# Requests and limits are both set, which bounds the CPU and memory the
# resolvers can take.
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 1000m
memory: 4Gi
# Values for tekton-events-controller
eventscontroller:
deployment:
# Referenced by tag and by sha256 digest; the digest fixes the exact image
# content, so keep a digest when overriding this value.
image: ghcr.io/tektoncd/pipeline/events-a9042f7efb0cbade2a868a1ee5ddd52c:v1.9.2@sha256:3cfd35631998087b2eafb40705fe9e0fae115e5f3c4aaec56c942e179fd6c14e
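# configuration to put in the config-defaults ConfigMap
# NOTE(review): indentation is lost in this listing; per its own header the
# _example entry is documentation only, and the settings that follow it appear
# to be part of that text rather than active keys - confirm against the chart.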
configDefaults:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# default-timeout-minutes contains the default number of
# minutes to use for TaskRun and PipelineRun, if none is specified.
default-timeout-minutes: "60" # 60 minutes
# default-service-account contains the default service account name
# to use for TaskRun and PipelineRun, if none is specified.
default-service-account: "default"
# default-managed-by-label-value contains the default value given to the
# "app.kubernetes.io/managed-by" label applied to all Pods created for
# TaskRuns. If a user's requested TaskRun specifies another value for this
# label, the user's request supersedes.
default-managed-by-label-value: "tekton-pipelines"
# default-pod-template contains the default pod template to use for
# TaskRun and PipelineRun. If a pod template is specified on the
# PipelineRun, the default-pod-template is merged with that one.
# default-pod-template:
# default-affinity-assistant-pod-template contains the default pod template
# to use for affinity assistant pods. If a pod template is specified on the
# PipelineRun, the default-affinity-assistant-pod-template is merged with
# that one.
# default-affinity-assistant-pod-template:
# default-cloud-events-sink contains the default CloudEvents sink to be
# used for TaskRun and PipelineRun, when no sink is specified.
# Note that right now it is still not possible to set a PipelineRun or
# TaskRun specific sink, so the default is the only option available.
# If no sink is specified, no CloudEvent is generated
# default-cloud-events-sink:
# default-task-run-workspace-binding contains the default workspace
# configuration provided for any Workspaces that a Task declares
# but that a TaskRun does not explicitly provide.
# default-task-run-workspace-binding: |
# emptyDir: {}
# default-max-matrix-combinations-count contains the default maximum number
# of combinations from a Matrix, if none is specified.
default-max-matrix-combinations-count: "256"
# default-forbidden-env contains comma separated environment variables that cannot be
# overridden by podTemplate.
default-forbidden-env:
# default-resolver-type contains the default resolver type to be used in the cluster,
# no default-resolver-type is specified by default
default-resolver-type:
# default-imagepullbackoff-timeout contains the default duration to wait
# before requeuing the TaskRun to retry, specifying 0 here is equivalent to fail fast
# possible values could be 1m, 5m, 10s, 1h, etc
# default-imagepullbackoff-timeout: "5m"
# default-maximum-resolution-timeout specifies the default duration used by the
# resolution controller before timing out when exceeded.
# Possible values include "1m", "5m", "10s", "1h", etc.
# Example: default-maximum-resolution-timeout: "1m"
# default-container-resource-requirements allow users to update default resource requirements
# to the init-containers and containers of pods created by the controller
# Note: All the resource requirements are applied to init-containers and containers
# only if the existing resource requirements are empty.
# default-container-resource-requirements: |
# place-scripts: # updates resource requirements of a 'place-scripts' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# prepare: # updates resource requirements of a 'prepare' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "256Mi"
# cpu: "500m"
#
# working-dir-initializer: # updates resource requirements of a 'working-dir-initializer' container
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "512Mi"
# cpu: "500m"
#
# prefix-scripts: # updates resource requirements of containers which starts with 'scripts-'
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# prefix-sidecar-scripts: # updates resource requirements of containers which starts with 'sidecar-scripts-'
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "128Mi"
# cpu: "500m"
#
# default: # updates resource requirements of init-containers and containers which have empty resource requirements
# requests:
# memory: "64Mi"
# cpu: "250m"
# limits:
# memory: "256Mi"
# cpu: "500m"
# default-sidecar-log-polling-interval specifies the polling interval for the Tekton sidecar log results container.
# This controls how frequently the sidecar checks for step completion files written by steps in a TaskRun.
# Lower values (e.g., "10ms") make the sidecar more responsive but may increase CPU usage; higher values (e.g., "1s")
# reduce resource usage but may delay result collection.
# This value is used by the sidecar-tekton-log-results container and can be tuned for performance or test scenarios.
# Example values: "100ms", "500ms", "1s"
default-sidecar-log-polling-interval: "100ms"
# default-step-ref-concurrency-limit specifies the concurrency limit for resolving step references.
# This setting controls the maximum number of concurrent goroutines used to resolve
# step references (`step.ref` fields) simultaneously. This limit acts as a throttle
# to prevent overwhelming remote servers (e.g., git providers, OCI registries) or
# the Kubernetes API server, especially when a TaskRun contains many steps that
# reference StepActions.
default-step-ref-concurrency-limit: "5"
# Settings for the git resolver: where remote resources are fetched from and
# how the resolver authenticates to the SCM provider.
gitResolverConfig:
# The maximum amount of time a single anonymous cloning resolution may take.
fetch-timeout: "1m"
# The git url to fetch the remote resource from when using anonymous cloning.
default-url: "https://github.com/tektoncd/catalog.git"
# The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API.
# "main" is a branch name, so what it resolves to changes over time; where a
# fixed definition is required, pass a commit hash as the revision instead.
default-revision: "main"
# The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud
scm-type: "github"
# The SCM server URL to use with the authenticated API. Not needed when using github.com, gitlab.com, or BitBucket Cloud
server-url: ""
# The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API.
# Only the Secret's name, key and namespace are configured here, never the
# token itself.
api-token-secret-name: ""
# The key in the API token secret containing the actual token. Required when using the authenticated API.
api-token-secret-key: ""
# The namespace containing the API token secret. Defaults to "default".
# NOTE(review): anyone who can read Secrets in that namespace can read the
# token; "default" is often widely shared, so consider a dedicated namespace.
api-token-secret-namespace: "default"
# The default organization to look for repositories under when using the authenticated API,
# if not specified in the resolver parameters. Optional.
default-org: ""
# Optional: Default cache mode for this resolver. Valid values: "always", "never", "auto" (default: "auto")
# "always" - Always cache resolved resources
# "never" - Never cache resolved resources
# "auto" - Only cache when revision is a commit hash
# default-cache-mode: "auto"
# feature flags to put in feature-flags ConfigMap
# Every value is a quoted string because ConfigMap data values must be strings.
featureFlags:
# Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant.
# Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled".
#
# Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node.
# Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node.
# Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node,
# and only allows one pipelinerun to run on a node at a time.
# Setting it to "disabled" will not apply any coschedule policy.
#
# See more in the Affinity Assistant documentation
# https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md
coschedule: "workspaces"
# Setting this flag to "true" will prevent Tekton scanning attached
# service accounts and injecting any credentials it finds into your
# Steps.
#
# The default behaviour currently is for Tekton to search service
# accounts for secrets matching a specified format and automatically
# mount those into your Steps.
#
# Note: setting this to "true" will prevent PipelineResources from
# working.
#
# See https://github.com/tektoncd/pipeline/issues/2791 for more
# info.
#
# With "false", matching secrets on the service account are mounted into the
# Steps automatically, so attach to pipeline service accounts only the secrets
# their Steps should be able to read.
disable-creds-init: "false"
# Setting this flag to "false" will stop Tekton from waiting for a
# TaskRun's sidecar containers to be running before starting the first
# step. This will allow Tasks to be run in environments that don't
# support the DownwardAPI volume type, but may lead to unintended
# behaviour if sidecars are used.
#
# See https://github.com/tektoncd/pipeline/issues/4937 for more info.
await-sidecar-readiness: "true"
# This option should be set to false when Pipelines is running in a
# cluster that does not use injected sidecars such as Istio. Setting
# it to false should decrease the time it takes for a TaskRun to start
# running. For clusters that use injected sidecars, setting this
# option to false can lead to unexpected behavior.
#
# See https://github.com/tektoncd/pipeline/issues/2080 for more info.
running-in-environment-with-injected-sidecars: "true"
# Setting this flag to "true" will require that any Git SSH Secret
# offered to Tekton must have known_hosts included.
#
# See https://github.com/tektoncd/pipeline/issues/2981 for more
# info.
#
# NOTE(review): with "false", SSH secrets without known_hosts are accepted, so
# the git server's host key is presumably not checked against a pinned value
# for them - confirm, and prefer "true" once all secrets carry known_hosts.
require-git-ssh-secret-known-hosts: "false"
# Setting this flag to "true" enables the use of Tekton OCI bundle.
# This is an experimental feature and thus should still be considered
# an alpha feature.
enable-tekton-oci-bundles: "false"
# Setting this flag will determine which gated features are enabled.
# Acceptable values are "stable", "beta", or "alpha".
enable-api-fields: "beta"
# Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a
# CloudEvents sink is configured in the config-defaults config map
send-cloudevents-for-runs: "false"
# This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them.
# If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found.
# If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged.
# If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged.
#
# "ignore" means a resource that matches no VerificationPolicy runs without
# leaving any log entry; "warn" or "fail" make such a gap visible.
trusted-resources-verification-no-match-policy: "ignore"
# Setting this flag to "true" enables populating the "provenance" field in TaskRun
# and PipelineRun status. This field contains metadata about resources used
# in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
# definition was fetched.
enable-provenance-in-status: "true"
# Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
# If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
# If set to "none", then Tekton will not have non-falsifiable provenance.
# This is an experimental feature and thus should still be considered an alpha feature.
enforce-nonfalsifiability: "none"
# Setting this flag will determine how Tekton pipelines will handle extracting results from the task.
# Acceptable values are "termination-message" or "sidecar-logs".
# "sidecar-logs" is now a beta feature.
results-from: "termination-message"
# Setting this flag will determine the upper limit of each task result
# This flag is optional and only associated with the previous flag, results-from
# When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result
# max-result-size: "4096"
# Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns.
# This allows TaskRuns to run in namespaces with "restricted" pod security standards.
# Not all Kubernetes implementations support this option.
#
# With "false", the containers Tekton injects are not given the limited
# privileges described above, and TaskRuns may be rejected in namespaces that
# enforce the "restricted" standard.
set-security-context: "false"
# Setting this flag to "true" will set readOnlyRootFilesystem in securityContext for all containers used in TaskRuns and AffinityAssistant.
set-security-context-read-only-root-filesystem: "false"
# Setting this flag to "true" will keep pod on cancellation
# allowing examination of the logs on the pods from cancelled taskruns
keep-pod-on-cancel: "false"
# Setting this flag to "true" will enable the CEL evaluation in WhenExpression
enable-cel-in-whenexpression: "false"
# Setting this flag to "true" will enable the use of Artifacts in Steps
# This feature is in preview mode and not implemented yet. Please check #7693 for updates.
enable-artifacts: "false"
# Setting this flag to "true" will enable the built-in param input validation via param enum.
enable-param-enum: "false"
# Setting this flag to "pipeline,pipelinerun,taskrun" will prevent users from creating
# embedded spec Taskruns or Pipelineruns for Pipeline, Pipelinerun and taskrun
# respectively. We can specify "pipeline" to disable for Pipeline resource only.
# "pipelinerun" for Pipelinerun and "taskrun" for Taskrun. Or a combination of
# these.
#
# Empty by default: no resource kind is named here, so embedded specs are not
# restricted.
disable-inline-spec: ""
# Setting this flag to "true" will enable the use of concise resolver syntax
enable-concise-resolver-syntax: "false"
# Setting this flag to "true" will enable native Kubernetes Sidecar support
enable-kubernetes-sidecar: "false"
# Setting this flag to "false" will have no effect since StepActions are a stable feature
enable-step-actions: "true"
# Controls whether exponential backoff is enabled when creating TaskRuns or CustomRuns.
# If set to "true", the controller will use exponential backoff when retrying failed create operations,
# which can help mitigate issues caused by temporary API server or webhook unavailability.
# If set to "false", exponential backoff will be disabled.
# For advanced tuning of backoff parameters, update the 'wait-exponential-backoff' ConfigMap.
enable-wait-exponential-backoff: "false"