config/100-deployment.yaml

# Copyright 2021 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

kind: Namespace
apiVersion: v1
metadata:
  name: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
---
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
# The data is populated at install time.
# data:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
  labels:
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
# The data can be tweaked at install time, it is commented out
# because these are the default settings.
# data:
#   artifacts.taskrun.format: tekton
#   artifacts.taskrun.storage: tekton
#   artifacts.taskrun.signer: x509
#   artifacts.oci.storage: oci
#   artifacts.oci.format: simplesigning
#   artifacts.oci.signer: x509
#   transparency.enabled: false
#   transparency.url: https://rekor.sigstore.dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-chains-controller
  namespace: tekton-chains
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-chains
    pipeline.tekton.dev/release: "devel"
    version: "devel"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-chains
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: tekton-chains-controller
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/part-of: tekton-chains
        # # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "devel"
        version: "devel"
    spec:
      serviceAccountName: tekton-chains-controller
      containers:
        - name: tekton-chains-controller
          image: ko://github.com/tektoncd/chains/cmd/controller
          volumeMounts:
            - name: signing-secrets
              mountPath: /etc/signing-secrets
            - name: oidc-info
              mountPath: /var/run/sigstore/cosign
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: METRICS_DOMAIN
              value: tekton.dev/chains
            - name: CONFIG_OBSERVABILITY_NAME
              value: tekton-chains-config-observability
            - name: CONFIG_LEADERELECTION_NAME
              value: tekton-chains-config-leader-election

          ports:
            - name: metrics
              containerPort: 9090
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
      volumes:
        - name: signing-secrets
          secret:
            secretName: signing-secrets
        - name: oidc-info
          projected:
            sources:
              # The "public good" instance supports tokens from EKS and GKE by default.
              # The fulcio URL can also be redirected to an instance that has been
              # configured to accept other issuers as well.  Removing this volume
              # completely will direct chains to use alternate ambient credentials
              # (e.g. GKE workload identity, SPIFFE)
              - serviceAccountToken:
                  path: oidc-token
                  expirationSeconds: 600 # Use as short-lived as possible.
                  audience: sigstore