namespace: name: tekton-pipelines create: true labels: pod-security.kubernetes.io/enforce: restricted app.kubernetes.io/part-of: tekton-pipelines auth: git: username: "admin" password: "" url: https://github.com docker: # if specified use the docker config.json style secret like this: # https://github.com/tektoncd/pipeline/blob/master/docs/auth.md#configuring-docker-authentication-for-docker configJson: "" serviceaccount: enabled: true annotations: {} # Values for tekton-pipelines-controller controller: deployment: image: ghcr.io/tektoncd/pipeline/controller-10a3e32792f33651396d02b6855a6e36:v0.69.1@sha256:3f42d35f8c1231a1c4366c57140bcfe115edd106b5af79555757e56e9224c6b7 labels: {} pod: labels: {} annotations: {} # specifies the name of an optional kubernetes secret to mount environment variables from for things like HTTP proxy envFromSecret: "tekton-env" # Add node affinity tolerations for tekton-pipeline-controller. Add additional matchExpressions below. Default is set. affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: NotIn values: - windows tolerations: [] nodeSelector: {} resources: {} # Values for tekton-pipelines-webhook webhook: deployment: labels: {} pod: labels: {} # specifies the name of an optional kubernetes secret to mount environment variables from for things like HTTP proxy envFromSecret: "tekton-env" # Add node affinity tolerations for tekton-pipelines-webhook. Add additional matchExpressions below. Default is set. affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: NotIn values: - windows tolerations: [] nodeSelector: {} # Values to amend tekton-pipelines-remote-resolvers remoteresolver: affinity: {} tolerations: [] nodeSelector: {} resources: requests: cpu: 100m memory: 100Mi limits: cpu: 1000m memory: 4Gi # configuration to put in the config-defaults ConfigMap configDefaults: _example: | ################################ # # # EXAMPLE CONFIGURATION # # # ################################ # This block is not actually functional configuration, # but serves to illustrate the available configuration # options and document them in a way that is accessible # to users that `kubectl edit` this config map. # # These sample configuration options may be copied out of # this example block and unindented to be in the data block # to actually change the configuration. # default-timeout-minutes contains the default number of # minutes to use for TaskRun and PipelineRun, if none is specified. default-timeout-minutes: "60" # 60 minutes # default-service-account contains the default service account name # to use for TaskRun and PipelineRun, if none is specified. default-service-account: "default" # default-managed-by-label-value contains the default value given to the # "app.kubernetes.io/managed-by" label applied to all Pods created for # TaskRuns. If a user's requested TaskRun specifies another value for this # label, the user's request supercedes. default-managed-by-label-value: "tekton-pipelines" # default-pod-template contains the default pod template to use for # TaskRun and PipelineRun. If a pod template is specified on the # PipelineRun, the default-pod-template is merged with that one. # default-pod-template: # default-affinity-assistant-pod-template contains the default pod template # to use for affinity assistant pods. If a pod template is specified on the # PipelineRun, the default-affinity-assistant-pod-template is merged with # that one. # default-affinity-assistant-pod-template: # default-cloud-events-sink contains the default CloudEvents sink to be # used for TaskRun and PipelineRun, when no sink is specified. # Note that right now it is still not possible to set a PipelineRun or # TaskRun specific sink, so the default is the only option available. # If no sink is specified, no CloudEvent is generated # default-cloud-events-sink: # default-task-run-workspace-binding contains the default workspace # configuration provided for any Workspaces that a Task declares # but that a TaskRun does not explicitly provide. # default-task-run-workspace-binding: | # emptyDir: {} # default-max-matrix-combinations-count contains the default maximum number # of combinations from a Matrix, if none is specified. default-max-matrix-combinations-count: "256" # default-forbidden-env contains comma seperated environment variables that cannot be # overridden by podTemplate. default-forbidden-env: # default-resolver-type contains the default resolver type to be used in the cluster, # no default-resolver-type is specified by default default-resolver-type: # default-imagepullbackoff-timeout contains the default duration to wait # before requeuing the TaskRun to retry, specifying 0 here is equivalent to fail fast # possible values could be 1m, 5m, 10s, 1h, etc # default-imagepullbackoff-timeout: "5m" # default-maximum-resolution-timeout specifies the default duration used by the # resolution controller before timing out when exceeded. # Possible values include "1m", "5m", "10s", "1h", etc. # Example: default-maximum-resolution-timeout: "1m" # default-container-resource-requirements allow users to update default resource requirements # to a init-containers and containers of a pods create by the controller # Onet: All the resource requirements are applied to init-containers and containers # only if the existing resource requirements are empty. # default-container-resource-requirements: | # place-scripts: # updates resource requirements of a 'place-scripts' container # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "128Mi" # cpu: "500m" # # prepare: # updates resource requirements of a 'prepare' container # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "256Mi" # cpu: "500m" # # working-dir-initializer: # updates resource requirements of a 'working-dir-initializer' container # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "512Mi" # cpu: "500m" # # prefix-scripts: # updates resource requirements of containers which starts with 'scripts-' # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "128Mi" # cpu: "500m" # # prefix-sidecar-scripts: # updates resource requirements of containers which starts with 'sidecar-scripts-' # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "128Mi" # cpu: "500m" # # default: # updates resource requirements of init-containers and containers which has empty resource resource requirements # requests: # memory: "64Mi" # cpu: "250m" # limits: # memory: "256Mi" # cpu: "500m" gitResolverConfig: # The maximum amount of time a single anonymous cloning resolution may take. fetch-timeout: "1m" # The git url to fetch the remote resource from when using anonymous cloning. default-url: "https://github.com/tektoncd/catalog.git" # The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. default-revision: "main" # The SCM type to use with the authenticated API. Can be github, gitlab, gitea, bitbucketserver, bitbucketcloud scm-type: "github" # The SCM server URL to use with the authenticated API. Not needed when using github.com, gitlab.com, or BitBucket Cloud server-url: "" # The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. api-token-secret-name: "" # The key in the API token secret containing the actual token. Required when using the authenticated API. api-token-secret-key: "" # The namespace containing the API token secret. Defaults to "default". api-token-secret-namespace: "default" # The default organization to look for repositories under when using the authenticated API, # if not specified in the resolver parameters. Optional. default-org: "" # feature flags to put in feature-flags ConfigMap featureFlags: # Setting this flag to "true" will prevent Tekton to create an # Affinity Assistant for every TaskRun sharing a PVC workspace # # The default behaviour is for Tekton to create Affinity Assistants # # See more in the Affinity Assistant documentation # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md # or https://github.com/tektoncd/pipeline/pull/2630 for more info. # # Note: This feature flag is deprecated and will be removed in release v0.60. Consider using `coschedule` feature flag to configure Affinity Assistant behavior. disable-affinity-assistant: "false" # Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant. # Acceptable values are "workspaces" (default), "pipelineruns", "isolate-pipelinerun", or "disabled". # # Setting it to "workspaces" will schedule all the taskruns sharing the same PVC-based workspace in a pipelinerun to the same node. # Setting it to "pipelineruns" will schedule all the taskruns in a pipelinerun to the same node. # Setting it to "isolate-pipelinerun" will schedule all the taskruns in a pipelinerun to the same node, # and only allows one pipelinerun to run on a node at a time. # Setting it to "disabled" will not apply any coschedule policy. # # See more in the Affinity Assistant documentation # https://github.com/tektoncd/pipeline/blob/main/docs/affinityassistants.md coschedule: "workspaces" # Setting this flag to "true" will prevent Tekton scanning attached # service accounts and injecting any credentials it finds into your # Steps. # # The default behaviour currently is for Tekton to search service # accounts for secrets matching a specified format and automatically # mount those into your Steps. # # Note: setting this to "true" will prevent PipelineResources from # working. # # See https://github.com/tektoncd/pipeline/issues/2791 for more # info. disable-creds-init: "false" # Setting this flag to "false" will stop Tekton from waiting for a # TaskRun's sidecar containers to be running before starting the first # step. This will allow Tasks to be run in environments that don't # support the DownwardAPI volume type, but may lead to unintended # behaviour if sidecars are used. # # See https://github.com/tektoncd/pipeline/issues/4937 for more info. await-sidecar-readiness: "true" # This option should be set to false when Pipelines is running in a # cluster that does not use injected sidecars such as Istio. Setting # it to false should decrease the time it takes for a TaskRun to start # running. For clusters that use injected sidecars, setting this # option to false can lead to unexpected behavior. # # See https://github.com/tektoncd/pipeline/issues/2080 for more info. running-in-environment-with-injected-sidecars: "true" # Setting this flag to "true" will require that any Git SSH Secret # offered to Tekton must have known_hosts included. # # See https://github.com/tektoncd/pipeline/issues/2981 for more # info. require-git-ssh-secret-known-hosts: "false" # Setting this flag to "true" enables the use of Tekton OCI bundle. # This is an experimental feature and thus should still be considered # an alpha feature. enable-tekton-oci-bundles: "false" # Setting this flag will determine which gated features are enabled. # Acceptable values are "stable", "beta", or "alpha". enable-api-fields: "beta" # Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a # CloudEvents sink is configured in the config-defaults config map send-cloudevents-for-runs: "false" # This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them. # If it is set to "fail", TaskRuns and PipelineRuns will fail verification if no matching policies are found. # If it is set to "warn", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged. # If it is set to "ignore", TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged. trusted-resources-verification-no-match-policy: "ignore" # Setting this flag to "true" enables populating the "provenance" field in TaskRun # and PipelineRun status. This field contains metadata about resources used # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline # definition was fetched. enable-provenance-in-status: "true" # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance. # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance. # If set to "none", then Tekton will not have non-falsifiable provenance. # This is an experimental feature and thus should still be considered an alpha feature. enforce-nonfalsifiability: "none" # Setting this flag will determine how Tekton pipelines will handle extracting results from the task. # Acceptable values are "termination-message" or "sidecar-logs". # "sidecar-logs" is now a beta feature. results-from: "termination-message" # Setting this flag will determine the upper limit of each task result # This flag is optional and only associated with the previous flag, results-from # When results-from is set to "sidecar-logs", this flag can be used to configure the upper limit of a task result # max-result-size: "4096" # Setting this flag to "true" will limit privileges for containers injected by Tekton into TaskRuns. # This allows TaskRuns to run in namespaces with "restricted" pod security standards. # Not all Kubernetes implementations support this option. set-security-context: "false" # Setting this flag to "true" will set readOnlyRootFilesystem in securityContext for all containers used in TaskRuns and AffinityAssistant. set-security-context-read-only-root-filesystem: "false" # Setting this flag to "true" will keep pod on cancellation # allowing examination of the logs on the pods from cancelled taskruns keep-pod-on-cancel: "false" # Setting this flag to "true" will enable the CEL evaluation in WhenExpression enable-cel-in-whenexpression: "false" # Setting this flag to "true" will enable the use of StepActions in Steps # This feature is in preview mode and not implemented yet. Please check #7259 for updates. enable-step-actions: "false" # Setting this flag to "true" will enable the use of Artifacts in Steps # This feature is in preview mode and not implemented yet. Please check #7693 for updates. enable-artifacts: "false" # Setting this flag to "true" will enable the built-in param input validation via param enum. enable-param-enum: "false" # Setting this flag to "pipeline,pipelinerun,taskrun" will prevent users from creating # embedded spec Taskruns or Pipelineruns for Pipeline, Pipelinerun and taskrun # respectively. We can specify "pipeline" to disable for Pipeline resource only. # "pipelinerun" for Pipelinerun and "taskrun" for Taskrun. Or a combination of # these. disable-inline-spec: "" # Setting this flag to "true" will enable the use of concise resolver syntax enable-concise-resolver-syntax: "false" # Setthing this flag to "true" will enable native Kubernetes Sidecar support enable-kubernetes-sidecar: "false"