diff --git a/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-logging/monitoring-workload-logging.yaml b/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-logging/monitoring-workload-logging.yaml
index b7aa2f8b207..1a9d1e80e2d 100644
--- a/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-logging/monitoring-workload-logging.yaml
+++ b/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-logging/monitoring-workload-logging.yaml
@@ -35,8 +35,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: monitoring-workload-logging-{{nameNormalized}}
diff --git a/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-prometheus/monitoring-workload-prometheus.yaml b/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-prometheus/monitoring-workload-prometheus.yaml
index 6ffaa3d44ec..655cc076697 100644
--- a/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-prometheus/monitoring-workload-prometheus.yaml
+++ b/argo-cd-apps/base/all-clusters/infra-deployments/monitoring-workload-prometheus/monitoring-workload-prometheus.yaml
@@ -39,8 +39,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: monitoring-workload-prometheus-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/build-service/build-service.yaml b/argo-cd-apps/base/member/infra-deployments/build-service/build-service.yaml
index 4c7e68e3c2c..6467fcf3823 100644
--- a/argo-cd-apps/base/member/infra-deployments/build-service/build-service.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/build-service/build-service.yaml
@@ -31,8 +31,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: build-service-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/etcd-defrag/etcd-defrag.yaml b/argo-cd-apps/base/member/infra-deployments/etcd-defrag/etcd-defrag.yaml
index 9d2219ac336..8fe94026c4d 100644
--- a/argo-cd-apps/base/member/infra-deployments/etcd-defrag/etcd-defrag.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/etcd-defrag/etcd-defrag.yaml
@@ -34,8 +34,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: etcd-defrag-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/etcd-shield/etcd-shield.yaml b/argo-cd-apps/base/member/infra-deployments/etcd-shield/etcd-shield.yaml
index 1e91180cb94..9bdbdcece3f 100644
--- a/argo-cd-apps/base/member/infra-deployments/etcd-shield/etcd-shield.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/etcd-shield/etcd-shield.yaml
@@ -34,8 +34,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: etcd-shield-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/integration/integration.yaml b/argo-cd-apps/base/member/infra-deployments/integration/integration.yaml
index 99a24792c5c..3eb44a4a894 100644
--- a/argo-cd-apps/base/member/infra-deployments/integration/integration.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/integration/integration.yaml
@@ -31,8 +31,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: integration-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/konflux-info/konflux-info.yaml b/argo-cd-apps/base/member/infra-deployments/konflux-info/konflux-info.yaml
index 6ee19dd22fb..d63b9517b9d 100644
--- a/argo-cd-apps/base/member/infra-deployments/konflux-info/konflux-info.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/konflux-info/konflux-info.yaml
@@ -36,8 +36,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: konflux-info-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/konflux-rbac/konflux-rbac.yaml b/argo-cd-apps/base/member/infra-deployments/konflux-rbac/konflux-rbac.yaml
index 2be1d67036b..d8fa425b1c8 100644
--- a/argo-cd-apps/base/member/infra-deployments/konflux-rbac/konflux-rbac.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/konflux-rbac/konflux-rbac.yaml
@@ -37,8 +37,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: konflux-rbac-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/konflux-ui/konflux-ui.yaml b/argo-cd-apps/base/member/infra-deployments/konflux-ui/konflux-ui.yaml
index 35c2166a14c..9020e7fc94f 100644
--- a/argo-cd-apps/base/member/infra-deployments/konflux-ui/konflux-ui.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/konflux-ui/konflux-ui.yaml
@@ -38,8 +38,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: konflux-ui-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml b/argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml
index 0531485c2c2..bb332e49587 100644
--- a/argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/kubearchive/kubearchive.yaml
@@ -27,8 +27,6 @@ spec:
 values.clusterDir: stone-prod-p01
 - nameNormalized: stone-prod-p02
 values.clusterDir: stone-prod-p02
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 # Public
 - nameNormalized: stone-prd-rh01
 values.clusterDir: stone-prd-rh01
diff --git a/argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml b/argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml
index 4d966f95d98..f1a372bdb1d 100644
--- a/argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml
@@ -35,8 +35,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: kyverno-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/mintmaker/mintmaker.yaml b/argo-cd-apps/base/member/infra-deployments/mintmaker/mintmaker.yaml
index 0afbd17b73f..056ca5292fd 100644
--- a/argo-cd-apps/base/member/infra-deployments/mintmaker/mintmaker.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/mintmaker/mintmaker.yaml
@@ -31,8 +31,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: mintmaker-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/multi-platform-controller/multi-platform-controller.yaml b/argo-cd-apps/base/member/infra-deployments/multi-platform-controller/multi-platform-controller.yaml
index 802d01d3f24..23bdfb8d963 100644
--- a/argo-cd-apps/base/member/infra-deployments/multi-platform-controller/multi-platform-controller.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/multi-platform-controller/multi-platform-controller.yaml
@@ -31,8 +31,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: multi-platform-controller-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml b/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
index 969b420f16a..4d67147fbe9 100644
--- a/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/namespace-lister/namespace-lister.yaml
@@ -39,8 +39,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: namespace-lister-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/pipeline-service/pipeline-service.yaml b/argo-cd-apps/base/member/infra-deployments/pipeline-service/pipeline-service.yaml
index 7628c4b94f1..a8eb788d18a 100644
--- a/argo-cd-apps/base/member/infra-deployments/pipeline-service/pipeline-service.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/pipeline-service/pipeline-service.yaml
@@ -35,8 +35,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: pipeline-service-{{nameNormalized}}
diff --git a/argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-log-collector.yaml b/argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-log-collector.yaml
index 48f4b745712..9cb4c741ef2 100644
--- a/argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-log-collector.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/vector-kubearchive-log-collector/vector-kubearchive-log-collector.yaml
@@ -29,8 +29,6 @@ spec:
 values.clusterDir: stone-prod-p01
 - nameNormalized: stone-prod-p02
 values.clusterDir: stone-prod-p02
- # - nameNormalized: pentest-p01
- # values.clusterDir: pentest-p01
 # Public
 - nameNormalized: stone-prd-rh01
 values.clusterDir: stone-prd-rh01
diff --git a/argo-cd-apps/base/monitoring-blackbox/monitoring-blackbox.yaml b/argo-cd-apps/base/monitoring-blackbox/monitoring-blackbox.yaml
index 336569be306..fe0e3ed0afe 100644
--- a/argo-cd-apps/base/monitoring-blackbox/monitoring-blackbox.yaml
+++ b/argo-cd-apps/base/monitoring-blackbox/monitoring-blackbox.yaml
@@ -25,8 +25,6 @@ spec:
 values.clusterDir: kflux-ocp-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 - nameNormalized: stone-prd-rh01
 values.clusterDir: stone-prd-rh01
 - nameNormalized: kflux-prd-rh02
diff --git a/argo-cd-apps/base/smee-client/smee-client.yaml b/argo-cd-apps/base/smee-client/smee-client.yaml
index 6558d73023e..a1820432308 100644
--- a/argo-cd-apps/base/smee-client/smee-client.yaml
+++ b/argo-cd-apps/base/smee-client/smee-client.yaml
@@ -28,8 +28,6 @@ spec:
 values.clusterDir: kflux-rhel-p01
 - nameNormalized: kflux-osp-p01
 values.clusterDir: kflux-osp-p01
- - nameNormalized: pentest-p01
- values.clusterDir: pentest-p01
 template:
 metadata:
 name: smee-client-{{nameNormalized}}
diff --git a/components/authentication/production/pentest-p01/kustomization.yaml b/components/authentication/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 48c2e849040..00000000000
--- a/components/authentication/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
-components:
- - ../../k-components/ldap-url-patch
diff --git a/components/backup/production/pentest-p01/backup-s3-credentials-patch.yaml b/components/backup/production/pentest-p01/backup-s3-credentials-patch.yaml
deleted file mode 100644
index f2c7f98a55e..00000000000
--- a/components/backup/production/pentest-p01/backup-s3-credentials-patch.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-- op: replace
- path: /spec/dataFrom/0/extract/key
- value: production/platform/terraform/generated/pentest-p01/backup-bucket
-- op: replace
- path: /spec/secretStoreRef/name
- value: appsre-stonesoup-vault
diff --git a/components/backup/production/pentest-p01/dpa-bucket-patch.yaml b/components/backup/production/pentest-p01/dpa-bucket-patch.yaml
deleted file mode 100644
index 26712c7b8ab..00000000000
--- a/components/backup/production/pentest-p01/dpa-bucket-patch.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-- op: replace
- path: /spec/backupLocations/0/velero/objectStorage/bucket
- value: backup-pentest-p01
diff --git a/components/backup/production/pentest-p01/dpa-kmskeyid-patch.yaml b/components/backup/production/pentest-p01/dpa-kmskeyid-patch.yaml
deleted file mode 100644
index 02a9ff0f49f..00000000000
--- a/components/backup/production/pentest-p01/dpa-kmskeyid-patch.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-- op: remove
- path: /spec/backupLocations/0/velero/config/kmsKeyId
-#- op: replace
-# path: /spec/backupLocations/0/velero/config/kmsKeyId
-# value: TODO - variable needs to be populated
diff --git a/components/backup/production/pentest-p01/kustomization.yaml b/components/backup/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 4ee8993e936..00000000000
--- a/components/backup/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../../base/member
-patches:
- - target:
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- name: backup-s3-credentials
- path: backup-s3-credentials-patch.yaml
- - target:
- group: oadp.openshift.io
- version: v1alpha1
- kind: DataProtectionApplication
- name: velero-aws
- path: dpa-bucket-patch.yaml
- - target:
- group: oadp.openshift.io
- version: v1alpha1
- kind: DataProtectionApplication
- name: velero-aws
- path: dpa-kmskeyid-patch.yaml
diff --git a/components/build-service/production/pentest-p01/kustomization.yaml b/components/build-service/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index aaca1ae27fe..00000000000
--- a/components/build-service/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-namespace: build-service
-patches:
- - path: pipelines-as-code-secret-path.yaml
- target:
- name: pipelines-as-code-secret
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
-
-configMapGenerator:
- - name: webhook-config
- files:
- - webhook-config.json
-
-components:
- - ../../components/webhook-config
diff --git a/components/build-service/production/pentest-p01/pipelines-as-code-secret-path.yaml b/components/build-service/production/pentest-p01/pipelines-as-code-secret-path.yaml
deleted file mode 100644
index 01bc7c23a62..00000000000
--- a/components/build-service/production/pentest-p01/pipelines-as-code-secret-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/ansible/generated/pentest-p01/github-app
diff --git a/components/build-service/production/pentest-p01/webhook-config.json b/components/build-service/production/pentest-p01/webhook-config.json
deleted file mode 100644
index d05dbea88ec..00000000000
--- a/components/build-service/production/pentest-p01/webhook-config.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "https://github.com": "https://smee-smee.apps.rosa.kflux-c-prd-e01.yo5u.p3.openshiftapps.com/redhathookpentestp01",
- "https://gitlab.com": "https://smee-smee.apps.rosa.kflux-c-prd-e01.yo5u.p3.openshiftapps.com/redhathookpentestp01"
-}
diff --git a/components/cost-management/production/pentest-p01/cost-management-config-source-patch.yaml b/components/cost-management/production/pentest-p01/cost-management-config-source-patch.yaml
deleted file mode 100644
index f9f71844ed2..00000000000
--- a/components/cost-management/production/pentest-p01/cost-management-config-source-patch.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- op: add
- path: /spec/source/name
- value: "pentest-p01"
-- op: replace
- path: /spec/authentication/type
- value: service-account
-- op: add
- path: /spec/authentication/secret_name
- value: konflux-service-account
diff --git a/components/cost-management/production/pentest-p01/kustomization.yaml b/components/cost-management/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 4336edc7629..00000000000
--- a/components/cost-management/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
-
-patches:
- - path: cost-management-config-source-patch.yaml
- target:
- name: costmanagementmetricsconfig
- group: costmanagement-metrics-cfg.openshift.io
- version: v1beta1
- kind: CostManagementMetricsConfig
diff --git a/components/etcd-shield/production/pentest-p01/kustomization.yaml b/components/etcd-shield/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index bdf7ce4f415..00000000000
--- a/components/etcd-shield/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
diff --git a/components/integration/production/pentest-p01/console-url-config-patch.json b/components/integration/production/pentest-p01/console-url-config-patch.json
deleted file mode 100644
index 03cb79dd6fc..00000000000
--- a/components/integration/production/pentest-p01/console-url-config-patch.json
+++ /dev/null
@@ -1,12 +0,0 @@
-[
- {
- "op": "replace",
- "path": "/data/CONSOLE_URL",
- "value": "https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ .Namespace }}/pipelinerun/{{ .PipelineRunName }}"
- },
- {
- "op": "replace",
- "path": "/data/CONSOLE_URL_TASKLOG",
- "value": "https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ .Namespace }}/pipelinerun/{{ .PipelineRunName }}/logs/{{ .TaskName }}"
- }
-]
diff --git a/components/integration/production/pentest-p01/kustomization.yaml b/components/integration/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index ec2f28f5928..00000000000
--- a/components/integration/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-patches:
- - path: pipelines-as-code-secret-path.yaml
- target:
- name: pipelines-as-code-secret
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: console-url-config-patch.json
- target:
- kind: ConfigMap
- name: integration-config
-components:
- - ../../rh-certs
diff --git a/components/integration/production/pentest-p01/pipelines-as-code-secret-path.yaml b/components/integration/production/pentest-p01/pipelines-as-code-secret-path.yaml
deleted file mode 100644
index 01bc7c23a62..00000000000
--- a/components/integration/production/pentest-p01/pipelines-as-code-secret-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/ansible/generated/pentest-p01/github-app
diff --git a/components/knative-eventing/production/pentest-p01/kustomization.yaml b/components/knative-eventing/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 736651a7210..00000000000
--- a/components/knative-eventing/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
diff --git a/components/konflux-info/production/pentest-p01/info.json b/components/konflux-info/production/pentest-p01/info.json
deleted file mode 100644
index 4248ec08d91..00000000000
--- a/components/konflux-info/production/pentest-p01/info.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "environment": "production",
- "integrations": {
- "github": {
- "application_url": "https://github.com/apps/red-hat-konflux-pentest-p01"
- },
- "sbom_server": {
- "url": "https://atlas.build.devshift.net/sbom/content/",
- "sbom_sha": "https://atlas.build.devshift.net/sboms/"
- },
- "image_controller": {
- "enabled": true,
- "notifications": [
- {
- "title": "SBOM-event-to-Bombino",
- "event": "repo_push",
- "method": "webhook",
- "config": {
- "url": "https://bombino.api.redhat.com/v1/sbom/quay/push"
- }
- }
- ]
- }
- },
- "rbac": [
- {
- "displayName": "admin",
- "description": "Full access to Konflux resources including secrets",
- "roleRef": {
- "apiGroup": "rbac.authorization.k8s.io",
- "kind": "ClusterRole",
- "name": "konflux-admin-user-actions"
- }
- },
- {
- "displayName": "maintainer",
- "description": "Partial access to Konflux resources without access to secrets",
- "roleRef": {
- "apiGroup": "rbac.authorization.k8s.io",
- "kind": "ClusterRole",
- "name": "konflux-maintainer-user-actions"
- }
- },
- {
- "displayName": "contributor",
- "description": "View access to Konflux resources without access to secrets",
- "roleRef": {
- "apiGroup": "rbac.authorization.k8s.io",
- "kind": "ClusterRole",
- "name": "konflux-contributor-user-actions"
- }
- }
- ],
- "statusPageUrl": "https://grafana.app-sre.devshift.net/d/aes1ns0htwni8a/konflux-status-page?var-cluster=pentest-p01",
- "visibility": "public"
-}
diff --git a/components/konflux-info/production/pentest-p01/kustomization.yaml b/components/konflux-info/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 3c1dbeb8d97..00000000000
--- a/components/konflux-info/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../../base
-
-generatorOptions:
- disableNameSuffixHash: true
-
-configMapGenerator:
- - name: konflux-public-info
- files:
- - info.json
-
-namespace: konflux-info
diff --git a/components/konflux-rbac/production/pentest-p01/kustomization.yaml b/components/konflux-rbac/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index dd624e504b3..00000000000
--- a/components/konflux-rbac/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: Kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-resources:
- - ../base
diff --git a/components/konflux-ui/production/pentest-p01/add-service-certs-patch.yaml b/components/konflux-ui/production/pentest-p01/add-service-certs-patch.yaml
deleted file mode 100644
index b636793bf10..00000000000
--- a/components/konflux-ui/production/pentest-p01/add-service-certs-patch.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /metadata/annotations/service.beta.openshift.io~1serving-cert-secret-name
- value: serving-cert
diff --git a/components/konflux-ui/production/pentest-p01/configure-oauth-proxy-secret.yaml b/components/konflux-ui/production/pentest-p01/configure-oauth-proxy-secret.yaml
deleted file mode 100644
index d8b283551d6..00000000000
--- a/components/konflux-ui/production/pentest-p01/configure-oauth-proxy-secret.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: konflux-oauth-proxy-generator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: konflux-oauth-proxy-generator-role
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - list
- - create
- - get
- - update
- - patch
- - delete
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - get
- - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: konflux-oauth-proxy-generator-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: konflux-oauth-proxy-generator-role
-subjects:
-- kind: ServiceAccount
- name: konflux-oauth-proxy-generator
- namespace: konflux-ui
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: konflux-generate-oauth-proxy-secrets
- annotations:
- argocd.argoproj.io/sync-options: Force=true,Replace=true
-spec:
- template:
- spec:
- containers:
- - command:
- - /bin/bash
- - -c
- - |
- set -o errexit
- set -o nounset
- set -o pipefail
-
- namespace="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
- client_secret=oauth2-proxy-client-secret
- cookie_secret=oauth2-proxy-cookie-secret
-
- echo "Generating/updating $cookie_secret"
-
- # The cookie secret needs to be 16, 24, or 32 bytes long.
- # kubectl is re-encoding the value of cookie_secret, so when it's being served
- # to oauth2-proxy, it's actually the 24 bytes string which was the output of
- # openssl's encoding.
- # Need to make sure this is consistent, or find a different approach.
- random_pass=$(openssl rand -base64 16)
- kubectl create secret generic $cookie_secret \
- --namespace "$namespace" \
- --from-literal="cookie-secret=${random_pass}" \
- --dry-run=client \
- -o yaml \
- | kubectl apply -f -
-
-
- echo "Generating/updating $client_secret"
-
- random_pass=$(openssl rand -base64 20)
- kubectl create secret generic $client_secret \
- --namespace "$namespace" \
- --from-literal="client-secret=${random_pass}" \
- --dry-run=client \
- -o yaml \
- | kubectl apply -f -
-
- echo "Restarting the proxy deployment"
- if kubectl -n "$namespace" get deployment/proxy; then
- kubectl -n "$namespace" rollout restart deployment/proxy
- else
- echo "skipping restart"
- fi
-
- echo "Restarting the dex deployment"
- if kubectl -n "$namespace" get deployment/dex; then
- kubectl -n "$namespace" rollout restart deployment/dex
- else
- echo "skipping dex restart"
- fi
-
- image: quay.io/konflux-ci/appstudio-utils:a24d0b7eef84bbd5798697f9cdc4f25a2910cb1d@sha256:ea8593128e0d686b8e270e13ec84204f5831484237dee822f27f5124e00b1a6b
- imagePullPolicy: Always
- name: konflux-oauth-client-secret-generation
- resources:
- limits:
- cpu: 100m
- memory: 512Mi
- requests:
- cpu: 10m
- memory: 512Mi
- securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- dnsPolicy: ClusterFirst
- restartPolicy: Never
- serviceAccountName: konflux-oauth-proxy-generator
- terminationGracePeriodSeconds: 30
diff --git a/components/konflux-ui/production/pentest-p01/dex-config.yaml b/components/konflux-ui/production/pentest-p01/dex-config.yaml
deleted file mode 100644
index 4e1b2ea62bb..00000000000
--- a/components/konflux-ui/production/pentest-p01/dex-config.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-issuer: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/idp
-storage:
- type: kubernetes
- config:
- inCluster: true
-web:
- https: 0.0.0.0:9443
- tlsCert: /etc/dex/tls/tls.crt
- tlsKey: /etc/dex/tls/tls.key
-oauth2:
- skipApprovalScreen: true
-staticClients:
-- id: oauth2-proxy
- redirectURIs:
- - https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/oauth2/callback
- name: 'oauth2-proxy'
- secretEnv: 'OAUTH2_CLIENT_SECRET'
-
-telemetry:
- http: 0.0.0.0:5558
-
-connectors:
- - type: openshift
- id: openshift
- name: OpenShift
- config:
- # OpenShift API
- issuer: https://api.pentest-p01.xfj6.p1.openshiftapps.com:6443
- # Credentials can be string literals or pulled from the environment.
- clientID: system:serviceaccount:konflux-ui:dex-client
- clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
- redirectURI: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/idp/callback
diff --git a/components/konflux-ui/production/pentest-p01/kustomization.yaml b/components/konflux-ui/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 68c263f83d6..00000000000
--- a/components/konflux-ui/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
- - configure-oauth-proxy-secret.yaml
-
-configMapGenerator:
- - name: dex
- files:
- - dex-config.yaml
-
-patches:
- - path: add-service-certs-patch.yaml
- target:
- group: ""
- version: v1
- kind: Service
- name: proxy
- - path: oauth2-proxy-args-patch.yaml
- target:
- group: apps
- version: v1
- kind: Deployment
- name: proxy
- - path: remove-run-as-user-proxy-patch.yaml
- target:
- group: apps
- version: v1
- kind: Deployment
- name: proxy
- - path: set-replicas-patch.yaml
- target:
- group: apps
- version: v1
- kind: Deployment
- - path: set-redirect-uri.yaml
- target:
- name: dex-client
- kind: ServiceAccount
- - path: set-hostname.yaml
- target:
- kind: Route
- version: v1
-
-namespace: konflux-ui
diff --git a/components/konflux-ui/production/pentest-p01/oauth2-proxy-args-patch.yaml b/components/konflux-ui/production/pentest-p01/oauth2-proxy-args-patch.yaml
deleted file mode 100644
index c597bdad2d4..00000000000
--- a/components/konflux-ui/production/pentest-p01/oauth2-proxy-args-patch.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- op: replace
- path: /spec/template/spec/containers/2/args
- value:
- - --provider
- - oidc
- - --provider-display-name
- - "Dex"
- - --client-id
- - oauth2-proxy
- - --http-address
- - "127.0.0.1:6000"
- - --redirect-url
- - https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/oauth2/callback
- - --oidc-issuer-url
- - https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/idp
- - "true"
- - --cookie-name
- - __Host-konflux-ci-cookie
- - --email-domain
- - "*"
- - --insecure-oidc-allow-unverified-email
- - "true"
- - --set-xauthrequest
- - "true"
- - --whitelist-domain
- - konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com
- - --skip-provider-button
diff --git a/components/konflux-ui/production/pentest-p01/remove-run-as-user-proxy-patch.yaml b/components/konflux-ui/production/pentest-p01/remove-run-as-user-proxy-patch.yaml
deleted file mode 100644
index a19cfc5b2b3..00000000000
--- a/components/konflux-ui/production/pentest-p01/remove-run-as-user-proxy-patch.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- op: remove
- path: /spec/template/spec/initContainers/0/securityContext/runAsUser
-
-- op: remove
- path: /spec/template/spec/initContainers/1/securityContext/runAsUser
-
-- op: remove
- path: /spec/template/spec/containers/0/securityContext/runAsUser
-
-- op: remove
- path: /spec/template/spec/containers/1/securityContext/runAsUser
-
-- op: remove
- path: /spec/template/spec/containers/2/securityContext/runAsUser
-
-- op: remove
- path: /spec/template/spec/containers/3/securityContext/runAsUser
diff --git a/components/konflux-ui/production/pentest-p01/set-hostname.yaml b/components/konflux-ui/production/pentest-p01/set-hostname.yaml
deleted file mode 100644
index 244fb210106..00000000000
--- a/components/konflux-ui/production/pentest-p01/set-hostname.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/host
- value: konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com
diff --git a/components/konflux-ui/production/pentest-p01/set-redirect-uri.yaml b/components/konflux-ui/production/pentest-p01/set-redirect-uri.yaml
deleted file mode 100644
index 285c6f6cb3f..00000000000
--- a/components/konflux-ui/production/pentest-p01/set-redirect-uri.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux
- value: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/idp/callback
diff --git a/components/konflux-ui/production/pentest-p01/set-replicas-patch.yaml b/components/konflux-ui/production/pentest-p01/set-replicas-patch.yaml
deleted file mode 100644
index e044d9c762f..00000000000
--- a/components/konflux-ui/production/pentest-p01/set-replicas-patch.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/replicas
- value: 3
diff --git a/components/kubearchive/production/pentest-p01/kubearchive.yaml b/components/kubearchive/production/pentest-p01/kubearchive.yaml
deleted file mode 100644
index 44a723811e4..00000000000
--- a/components/kubearchive/production/pentest-p01/kubearchive.yaml
+++ /dev/null
@@ -1,1761 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/component: namespace - app.kubernetes.io/name: kubearchive - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - controller-gen.kubebuilder.io/version: v0.17.3 - name: clusterkubearchiveconfigs.kubearchive.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: webhook-service - namespace: kubearchive - path: /convert - conversionReviewVersions: - - v1 - group: kubearchive.org - names: - kind: ClusterKubeArchiveConfig - listKind: ClusterKubeArchiveConfigList - plural: clusterkubearchiveconfigs - shortNames: - - ckac - - ckacs - singular: clusterkubearchiveconfig - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterKubeArchiveConfig is the Schema for the clusterkubearchiveconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterKubeArchiveConfigSpec defines the desired state of ClusterKubeArchiveConfig - properties: - resources: - items: - properties: - archiveOnDelete: - type: string - archiveWhen: - type: string - deleteWhen: - type: string - keepLastWhen: - items: - properties: - count: - type: integer - name: - type: string - sortBy: - default: metadata.creationTimestamp - type: string - when: - type: string - required: - - count - - name - - when - type: object - type: array - selector: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: object - type: array - required: - - resources - type: object - status: - description: ClusterKubeArchiveConfigStatus defines the observed state of ClusterKubeArchiveConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - controller-gen.kubebuilder.io/version: v0.17.3 - name: clustervacuumconfigs.kubearchive.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: webhook-service - namespace: kubearchive - path: /convert - conversionReviewVersions: - - v1 - group: kubearchive.org - names: - kind: ClusterVacuumConfig - listKind: ClusterVacuumConfigList - plural: clustervacuumconfigs - shortNames: - - cvc - - cvcs - singular: clustervacuumconfig - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterVacuumConfig is the Schema for the clustervacuumconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterVacuumConfigSpec defines the desired state of ClusterVacuumConfig resource - properties: - namespaces: - additionalProperties: - properties: - resources: - items: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: array - type: object - type: object - type: object - status: - description: ClusterVacuumConfigStatus defines the observed state of ClusterVacuumConfig resource - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - controller-gen.kubebuilder.io/version: v0.17.3 - name: kubearchiveconfigs.kubearchive.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: webhook-service - namespace: kubearchive - path: /convert - conversionReviewVersions: - - v1 - group: kubearchive.org - names: - kind: KubeArchiveConfig - listKind: KubeArchiveConfigList - plural: kubearchiveconfigs - shortNames: - - kac - - kacs - singular: kubearchiveconfig - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: KubeArchiveConfig is the Schema for the kubearchiveconfigs API - properties: - apiVersion: - 
description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KubeArchiveConfigSpec defines the desired state of KubeArchiveConfig - properties: - resources: - items: - properties: - archiveOnDelete: - type: string - archiveWhen: - type: string - deleteWhen: - type: string - keepLastWhen: - properties: - keep: - items: - properties: - count: - type: integer - sortBy: - default: metadata.creationTimestamp - type: string - when: - type: string - required: - - count - - when - type: object - type: array - override: - items: - properties: - count: - type: integer - name: - type: string - required: - - count - - name - type: object - type: array - type: object - selector: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: object - type: array - required: - - resources - type: object - status: - description: KubeArchiveConfigStatus defines the observed state of KubeArchiveConfig - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - controller-gen.kubebuilder.io/version: v0.17.3 - name: namespacevacuumconfigs.kubearchive.org -spec: - 
conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: webhook-service - namespace: kubearchive - path: /convert - conversionReviewVersions: - - v1 - group: kubearchive.org - names: - kind: NamespaceVacuumConfig - listKind: NamespaceVacuumConfigList - plural: namespacevacuumconfigs - shortNames: - - nvc - - nvcs - singular: namespacevacuumconfig - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: NamespaceVacuumConfig is the Schema for the namespacevacuumconfigs API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: VacuumListSpec defines the desired state of VacuumList resource - properties: - resources: - items: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: array - type: object - status: - description: NamespaceVacuumConfigStatus defines the observed state of NamespaceVacuumConfig resource - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - controller-gen.kubebuilder.io/version: v0.17.3 - name: sinkfilters.kubearchive.org -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: webhook-service - namespace: kubearchive - path: /convert - conversionReviewVersions: - - v1 - group: kubearchive.org - names: - kind: SinkFilter - listKind: SinkFilterList - plural: sinkfilters - shortNames: - - sf - - sfs - singular: sinkfilter - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: SinkFilter is the Schema for the sinkfilters API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: SinkFilterSpec defines the desired state of SinkFilter resource - properties: - cluster: - items: - properties: - archiveOnDelete: - type: string - archiveWhen: - type: string - deleteWhen: - type: string - keepLastWhen: - items: - properties: - count: - type: integer - name: - type: string - sortBy: - default: metadata.creationTimestamp - type: string - when: - type: string - required: - - count - - name - - when - type: object - type: array - selector: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: object - type: array - namespaces: - additionalProperties: - items: - properties: - archiveOnDelete: - type: string - archiveWhen: - type: string - deleteWhen: - type: string - keepLastWhen: - properties: - keep: - items: - properties: - count: - type: integer - sortBy: - default: metadata.creationTimestamp - type: string - when: - type: string - required: - - count - - when - type: object - type: array - override: - items: - properties: - count: - type: integer - name: - type: string - required: - - count - - name - type: object - type: array - type: object - selector: - properties: - apiVersion: - type: string - kind: - type: string - required: - - apiVersion - - kind - type: object - type: object - type: array - type: object - required: - - namespaces - type: object - status: - description: SinkFilterStatus defines the observed state of SinkFilter resource - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server - namespace: 
kubearchive ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-vacuum - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-cluster-vacuum - namespace: kubearchive ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator - namespace: kubearchive ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: sink - app.kubernetes.io/name: kubearchive-sink - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-sink - namespace: kubearchive ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator-leader-election - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-leader-election - namespace: kubearchive -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-vacuum - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-vacuum - namespace: kubearchive -rules: - - apiGroups: - - kubearchive.org - resources: - - sinkfilters - - clustervacuumconfigs - verbs: - - get - - list ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server -rules: - - apiGroups: - - authorization.k8s.io - - authentication.k8s.io - resources: - - subjectaccessreviews - - tokenreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: kubearchive-edit - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: kubearchive-edit -rules: - - apiGroups: - - kubearchive.org - resources: - - clusterkubearchiveconfigs - - clustervacuumconfigs - - kubearchiveconfigs - - namespacevacuumconfigs - - sinkfilters - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kubearchive-operator -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - kubearchive.org - resources: - - clusterkubearchiveconfigs - - clustervacuums - - kubearchiveconfigs - - namespacevacuums - - sinkfilters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - kubearchive.org - resources: - - clusterkubearchiveconfigs/finalizers - - kubearchiveconfigs/finalizers - - sinkfilters/finalizers - verbs: - - update - - apiGroups: - - kubearchive.org - resources: - - clusterkubearchiveconfigs/status - - kubearchiveconfigs/status - - sinkfilters/status - verbs: - - get - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - bind - - create - - delete - - 
escalate - - get - - list - - patch - - update - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - bind - - create - - delete - - escalate - - get - - list - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator-config-editor - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-config-editor -rules: - - apiGroups: - - kubearchive.org - resources: - - kubearchiveconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - kubearchive.org - resources: - - kubearchiveconfigs/status - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator-config-viewer - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-config-viewer -rules: - - apiGroups: - - kubearchive.org - resources: - - kubearchiveconfigs - verbs: - - get - - list - - watch - - apiGroups: - - kubearchive.org - resources: - - kubearchiveconfigs/status - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: kubearchive-view - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: kubearchive-view -rules: - - apiGroups: - - kubearchive.org - resources: - - clusterkubearchiveconfigs - - clustervacuumconfigs - - kubearchiveconfigs - - namespacevacuumconfigs - - sinkfilters - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: 
kubearchive-operator-leader-election - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-leader-election - namespace: kubearchive -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubearchive-operator-leader-election -subjects: - - kind: ServiceAccount - name: kubearchive-operator - namespace: kubearchive ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-vacuum - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-vacuum - namespace: kubearchive -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubearchive-vacuum -subjects: - - kind: ServiceAccount - name: kubearchive-cluster-vacuum - namespace: kubearchive ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubearchive-api-server -subjects: - - kind: ServiceAccount - name: kubearchive-api-server - namespace: kubearchive ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kubearchive-operator -subjects: - - kind: ServiceAccount - name: kubearchive-operator - namespace: kubearchive ---- -apiVersion: v1 -data: null -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: logging - app.kubernetes.io/name: kubearchive-logging - 
app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-logging - namespace: kubearchive ---- -apiVersion: v1 -data: - resources.yaml: | - - selector: - kind: "--all--" - apiVersion: "--all--" - workers: 3 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator - namespace: kubearchive ---- -apiVersion: v1 -data: - DATABASE_DB: a3ViZWFyY2hpdmU= - DATABASE_KIND: cG9zdGdyZXNxbA== - DATABASE_PASSWORD: RGF0YWJhczNQYXNzdzByZA== - DATABASE_PORT: NTQzMg== - DATABASE_URL: a3ViZWFyY2hpdmUtcncucG9zdGdyZXNxbC5zdmMuY2x1c3Rlci5sb2NhbA== - DATABASE_USER: a3ViZWFyY2hpdmU= -kind: Secret -metadata: - labels: - app.kubernetes.io/component: database - app.kubernetes.io/name: kubearchive-database-credentials - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-database-credentials - namespace: kubearchive -type: Opaque ---- -apiVersion: v1 -data: - Authorization: QmFzaWMgWVdSdGFXNDZjR0Z6YzNkdmNtUT0= -kind: Secret -metadata: - labels: - app.kubernetes.io/component: logging - app.kubernetes.io/name: kubearchive-logging - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-logging - namespace: kubearchive -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server - namespace: kubearchive -spec: - ports: - - name: server - port: 8081 - protocol: TCP - targetPort: 8081 - selector: - app: kubearchive-api-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator-webhooks - 
app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-webhooks - namespace: kubearchive -spec: - ports: - - name: webhook-server - port: 443 - protocol: TCP - targetPort: 9443 - - name: pprof-server - port: 8082 - protocol: TCP - targetPort: 8082 - selector: - control-plane: controller-manager ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: sink - app.kubernetes.io/name: kubearchive-sink - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-sink - namespace: kubearchive -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: kubearchive-sink ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server - namespace: kubearchive -spec: - replicas: 1 - selector: - matchLabels: - app: kubearchive-api-server - template: - metadata: - labels: - app: kubearchive-api-server - spec: - containers: - - env: - - name: KUBEARCHIVE_ENABLE_PPROF - value: "true" - - name: LOG_LEVEL - value: INFO - - name: KLOG_LEVEL - value: "0" - - name: GIN_MODE - value: release - - name: KUBEARCHIVE_OTEL_MODE - value: disabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: KUBEARCHIVE_OTLP_SEND_LOGS - value: "false" - - name: OTEL_GO_X_DEPRECATED_RUNTIME_METRICS - value: "false" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: CACHE_EXPIRATION_AUTHORIZED - value: 10m - - name: CACHE_EXPIRATION_UNAUTHORIZED - value: 1m - - name: KUBEARCHIVE_LOGGING_DIR - value: /data/logging - - name: AUTH_IMPERSONATE - value: "false" - envFrom: - - secretRef: - name: kubearchive-database-credentials - image: 
quay.io/kubearchive/api:v1.15.0@sha256:71542a0c7d92addfaf7ce41fbe0413a18b6996b57919a77e31ca21d4b5ebc3f8 - livenessProbe: - httpGet: - path: /livez - port: 8081 - scheme: HTTPS - name: kubearchive-api-server - ports: - - containerPort: 8081 - name: server - protocol: TCP - - containerPort: 8888 - name: pprof - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - scheme: HTTPS - resources: - limits: - cpu: 700m - memory: 256Mi - requests: - cpu: 200m - memory: 230Mi - volumeMounts: - - mountPath: /etc/kubearchive/ssl/ - name: tls-secret - readOnly: true - - mountPath: /data/logging - name: logging-secret - serviceAccountName: kubearchive-api-server - volumes: - - name: tls-secret - secret: - secretName: kubearchive-api-server-tls - - name: logging-secret - secret: - secretName: kubearchive-logging ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator - namespace: kubearchive -spec: - replicas: 1 - selector: - matchLabels: - control-plane: controller-manager - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - containers: - - args: - - --health-probe-bind-address=:8081 - - --leader-elect - env: - - name: KUBEARCHIVE_ENABLE_PPROF - value: "true" - - name: LOG_LEVEL - value: INFO - - name: KLOG_LEVEL - value: "0" - - name: KUBEARCHIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBEARCHIVE_OTEL_MODE - value: disabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: KUBEARCHIVE_OTLP_SEND_LOGS - value: "false" - - name: OTEL_GO_X_DEPRECATED_RUNTIME_METRICS - value: "false" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: 
limits.cpu - image: quay.io/kubearchive/operator:v1.15.0@sha256:7d363f268261b4b284196cb081f317fc0998c453dfe7a0cbd4888ae6706a9078 - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 8888 - name: pprof-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /etc/kubearchive/config - name: operator-config - readOnly: true - securityContext: - runAsNonRoot: true - runAsUser: 1000 - serviceAccountName: kubearchive-operator - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: kubearchive-operator-tls - - configMap: - defaultMode: 420 - name: kubearchive-operator - name: operator-config ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: sink - app.kubernetes.io/name: kubearchive-sink - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-sink - namespace: kubearchive -spec: - replicas: 1 - selector: - matchLabels: - app: kubearchive-sink - template: - metadata: - labels: - app: kubearchive-sink - spec: - containers: - - env: - - name: KUBEARCHIVE_ENABLE_PPROF - value: "true" - - name: GIN_MODE - value: release - - name: LOG_LEVEL - value: INFO - - name: KLOG_LEVEL - value: "0" - - name: KUBEARCHIVE_OTEL_MODE - value: disabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: "" - - name: KUBEARCHIVE_OTLP_SEND_LOGS - value: "false" - - name: OTEL_GO_X_DEPRECATED_RUNTIME_METRICS - value: "false" - - name: GOMEMLIMIT - valueFrom: - 
resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: KUBEARCHIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBEARCHIVE_LOGGING_DIR - value: /data/logging - envFrom: - - secretRef: - name: kubearchive-database-credentials - image: quay.io/kubearchive/sink:v1.15.0@sha256:009a2ef650dd3ce84c9208cba50c20a8eea0b3c7c1699ef853af3590bf274aed - livenessProbe: - httpGet: - path: /livez - port: 8080 - name: kubearchive-sink - ports: - - containerPort: 8080 - name: sink - protocol: TCP - - containerPort: 8888 - name: pprof - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8080 - timeoutSeconds: 4 - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 200m - memory: 230Mi - volumeMounts: - - mountPath: /data/logging - name: logging-config - serviceAccountName: kubearchive-sink - volumes: - - configMap: - name: kubearchive-logging - name: logging-config ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-vacuum - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: cluster-vacuum - namespace: kubearchive -spec: - jobTemplate: - spec: - template: - spec: - containers: - - args: - - --type - - cluster - - --config - - cluster-vacuum - command: - - /ko-app/vacuum - env: - - name: KUBEARCHIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/kubearchive/vacuum:v1.15.0@sha256:8a8129519078542e7d45524d4e2f5c4b782bc81f384927fd72ec361e318fbf99 - name: vacuum - restartPolicy: Never - serviceAccount: kubearchive-cluster-vacuum - schedule: '* */3 * * *' - suspend: true ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: kubearchive - app.kubernetes.io/name: kubearchive-schema-migration - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: 
v1.15.0 - name: kubearchive-schema-migration - namespace: kubearchive -spec: - backoffLimit: 4 - parallelism: 1 - suspend: true - template: - spec: - containers: - - args: - - set -o errexit; git clone https://github.com/kubearchive/kubearchive --depth=1 --branch=${KUBEARCHIVE_VERSION} /tmp/kubearchive; cd /tmp/kubearchive; export QUOTED_PASSWORD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${DATABASE_PASSWORD}', ''))"); curl --silent -L https://github.com/golang-migrate/migrate/releases/download/${MIGRATE_VERSION}/migrate.linux-amd64.tar.gz | tar xvz migrate; ./migrate -verbose -path integrations/database/postgresql/migrations/ -database postgresql://${DATABASE_USER}:${QUOTED_PASSWORD}@${DATABASE_URL}:${DATABASE_PORT}/${DATABASE_DB} up - command: - - /bin/sh - - -c - env: - - name: KUBEARCHIVE_VERSION - value: v1.15.0 - - name: MIGRATE_VERSION - value: v4.18.3 - envFrom: - - secretRef: - name: kubearchive-database-credentials - image: quay.io/fedora/python-311:20240911 - name: migration - resources: - limits: - cpu: 10m - memory: 64Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - runAsNonRoot: true - restartPolicy: Never ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app.kubernetes.io/component: api-server - app.kubernetes.io/name: kubearchive-api-server-certificate - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-api-server-certificate - namespace: kubearchive -spec: - commonName: kubearchive-api-server - dnsNames: - - localhost - - kubearchive-api-server - - kubearchive-api-server.kubearchive.svc - duration: 720h - isCA: false - issuerRef: - group: cert-manager.io - kind: Issuer - name: kubearchive - privateKey: - algorithm: ECDSA - size: 256 - renewBefore: 360h - secretName: kubearchive-api-server-tls - subject: - organizations: - - kubearchive - usages: - - digital signature - - key encipherment ---- -apiVersion: cert-manager.io/v1 -kind: Certificate 
-metadata: - labels: - app.kubernetes.io/component: certs - app.kubernetes.io/name: kubearchive-ca - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-ca - namespace: kubearchive -spec: - commonName: kubearchive-ca-certificate - isCA: true - issuerRef: - group: cert-manager.io - kind: Issuer - name: kubearchive-ca - privateKey: - algorithm: ECDSA - size: 256 - secretName: kubearchive-ca ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-operator-certificate - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-operator-certificate - namespace: kubearchive -spec: - dnsNames: - - kubearchive-operator-webhooks.kubearchive.svc - - kubearchive-operator-webhooks.kubearchive.svc.cluster.local - issuerRef: - kind: Issuer - name: kubearchive - secretName: kubearchive-operator-tls ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/component: certs - app.kubernetes.io/name: kubearchive - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive - namespace: kubearchive -spec: - ca: - secretName: kubearchive-ca ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - labels: - app.kubernetes.io/component: certs - app.kubernetes.io/name: kubearchive-ca - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-ca - namespace: kubearchive -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-mutating-webhook-configuration - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: 
kubearchive-mutating-webhook-configuration -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /mutate-kubearchive-org-v1-kubearchiveconfig - failurePolicy: Fail - name: mkubearchiveconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kubearchiveconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /mutate-kubearchive-org-v1-clusterkubearchiveconfig - failurePolicy: Fail - name: mclusterkubearchiveconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clusterkubearchiveconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /mutate-kubearchive-org-v1-sinkfilter - failurePolicy: Fail - name: msinkfilter.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - sinkfilters - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /mutate-kubearchive-org-v1-namespacevacuumconfig - failurePolicy: Fail - name: mnamespacevacuumconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - namespacevacuumconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /mutate-kubearchive-org-v1-clustervacuumconfig - failurePolicy: Fail - name: mclustervacuumconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - 
clustervacuumconfigs - sideEffects: None ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: kubearchive/kubearchive-operator-certificate - labels: - app.kubernetes.io/component: operator - app.kubernetes.io/name: kubearchive-validating-webhook-configuration - app.kubernetes.io/part-of: kubearchive - app.kubernetes.io/version: v1.15.0 - name: kubearchive-validating-webhook-configuration -webhooks: - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /validate-kubearchive-org-v1-kubearchiveconfig - failurePolicy: Fail - name: vkubearchiveconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kubearchiveconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /validate-kubearchive-org-v1-clusterkubearchiveconfig - failurePolicy: Fail - name: vclusterkubearchiveconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clusterkubearchiveconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /validate-kubearchive-org-v1-sinkfilter - failurePolicy: Fail - name: vsinkfilter.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - sinkfilters - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /validate-kubearchive-org-v1-namespacevacuumconfig - failurePolicy: Fail - name: vnamespacevacuumconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - 
operations: - - CREATE - - UPDATE - resources: - - namespacevacuumconfigs - sideEffects: None - - admissionReviewVersions: - - v1 - clientConfig: - service: - name: kubearchive-operator-webhooks - namespace: kubearchive - path: /validate-kubearchive-org-v1-clustervacuumconfig - failurePolicy: Fail - name: vclustervacuumconfig.kb.io - rules: - - apiGroups: - - kubearchive.org - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - clustervacuumconfigs - sideEffects: None - ---- diff --git a/components/kubearchive/production/pentest-p01/kustomization.yaml b/components/kubearchive/production/pentest-p01/kustomization.yaml deleted file mode 100644 index 702179746a5..00000000000 --- a/components/kubearchive/production/pentest-p01/kustomization.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../../base - - ../base - - kubearchive.yaml - -namespace: product-kubearchive - -patches: - - patch: |- - apiVersion: batch/v1 - kind: CronJob - metadata: - name: releases-vacuum - spec: - jobTemplate: - spec: - template: - spec: - containers: - - name: vacuum - image: quay.io/kubearchive/vacuum:v1.15.0 - - - patch: |- - apiVersion: batch/v1 - kind: Job - metadata: - name: kubearchive-schema-migration - namespace: kubearchive - annotations: - # Needed if just the command is changed, otherwise the job needs to be deleted manually - argocd.argoproj.io/sync-options: Force=true,Replace=true - ignore-check.kube-linter.io/no-read-only-root-fs: > - "This job needs to clone a repository to do its job, so it needs write access to the FS." - spec: - suspend: false - template: - spec: - containers: - - name: migration - env: - - name: KUBEARCHIVE_VERSION - value: v1.15.0 - # We don't need the Secret as it will be created by the ExternalSecrets Operator - - patch: |- - $patch: delete - apiVersion: v1 - kind: Secret - metadata: - name: kubearchive-database-credentials - namespace: kubearchive - - patch: |- - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: database-secret - spec: - secretStoreRef: - name: appsre-stonesoup-vault - dataFrom: - - extract: - key: production/platform/terraform/generated/pentest-p01/kubearchive-database - # These patches add an annotation so an OpenShift service - # creates the TLS secrets instead of Cert Manager - - patch: |- - apiVersion: v1 - kind: Service - metadata: - name: kubearchive-api-server - namespace: kubearchive - annotations: - service.beta.openshift.io/serving-cert-secret-name: kubearchive-api-server-tls - - patch: |- - apiVersion: v1 - kind: Service - metadata: - name: kubearchive-operator-webhooks - namespace: kubearchive - annotations: - service.beta.openshift.io/serving-cert-secret-name: 
kubearchive-operator-tls - - patch: |- - apiVersion: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration - metadata: - name: kubearchive-mutating-webhook-configuration - annotations: - service.beta.openshift.io/inject-cabundle: "true" - - patch: |- - apiVersion: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - metadata: - name: kubearchive-validating-webhook-configuration - annotations: - service.beta.openshift.io/inject-cabundle: "true" - # These patches solve Kube Linter problems - - patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: kubearchive-api-server - namespace: kubearchive - spec: - template: - spec: - containers: - - name: kubearchive-api-server - env: - - name: KUBEARCHIVE_OTEL_MODE - value: enabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://otel-collector:4318 - - name: AUTH_IMPERSONATE - value: "true" - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - - patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: kubearchive-operator - namespace: kubearchive - spec: - template: - spec: - securityContext: - runAsUser: null - containers: - - name: manager - args: [--health-probe-bind-address=:8081] - env: - - name: KUBEARCHIVE_OTEL_MODE - value: enabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://otel-collector:4318 - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - ports: - - containerPort: 8081 - resources: - limits: - cpu: 1 - memory: 5Gi - requests: - cpu: 1 - memory: 5Gi - - - patch: |- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: kubearchive-sink - namespace: kubearchive - spec: - template: - spec: - containers: - - name: kubearchive-sink - env: - - name: KUBEARCHIVE_OTEL_MODE - value: enabled - - name: OTEL_EXPORTER_OTLP_ENDPOINT - value: http://otel-collector:4318 - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - resources: - limits: - cpu: 200m - memory: 128Mi - requests: 
- cpu: 200m - memory: 128Mi - - # We don't need this CronJob as it is suspended, we can enable it later - - patch: |- - $patch: delete - apiVersion: batch/v1 - kind: CronJob - metadata: - name: cluster-vacuum - namespace: kubearchive - # These patches remove Certificates and Issuer from Cert-Manager - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: "kubearchive-api-server-certificate" - namespace: kubearchive - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: "kubearchive-ca" - namespace: kubearchive - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: "kubearchive-ca" - namespace: kubearchive - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: "kubearchive" - namespace: kubearchive - - patch: |- - $patch: delete - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: "kubearchive-operator-certificate" - namespace: kubearchive diff --git a/components/kubearchive/upgrade.sh b/components/kubearchive/upgrade.sh index 45197ae1984..eb8b442f6d6 100644 --- a/components/kubearchive/upgrade.sh +++ b/components/kubearchive/upgrade.sh 
@@ -8,7 +8,6 @@ cp components/kubearchive/development/kubearchive.yaml components/kubearchive/pr
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/kflux-prd-rh02/kubearchive.yaml
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/kflux-prd-rh03/kubearchive.yaml
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/kflux-rhel-p01/kubearchive.yaml
-cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/pentest-p01/kubearchive.yaml
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/stone-prd-rh01/kubearchive.yaml
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/stone-prod-p01/kubearchive.yaml
 cp components/kubearchive/development/kubearchive.yaml components/kubearchive/production/stone-prod-p02/kubearchive.yaml
diff --git a/components/kueue/production/pentest-p01/kustomization.yaml b/components/kueue/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 60f1e99194c..00000000000
--- a/components/kueue/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-- queue-config
-
-patches:
- - target:
- kind: MutatingWebhookConfiguration
- name: tekton-kueue-mutating-webhook-configuration
- patch: |-
- - op: replace
- path: /webhooks/0/namespaceSelector
- value:
- matchLabels:
- kubernetes.io/metadata.name: mintmaker
-
-commonAnnotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
diff --git a/components/kueue/production/pentest-p01/queue-config/cluster-queue.yaml b/components/kueue/production/pentest-p01/queue-config/cluster-queue.yaml
deleted file mode 100644
index d9b286883a1..00000000000
--- a/components/kueue/production/pentest-p01/queue-config/cluster-queue.yaml
+++ /dev/null
@@ -1,157 +0,0 @@
-apiVersion: kueue.x-k8s.io/v1beta1
-kind: ClusterQueue
-metadata:
- name: cluster-pipeline-queue
-spec:
- flavorFungibility:
- whenCanBorrow: Borrow
- whenCanPreempt: TryNextFlavor
- namespaceSelector: {}
- preemption:
- borrowWithinCohort:
- policy: Never
- reclaimWithinCohort: Never
- withinClusterQueue: Never
- queueingStrategy: BestEffortFIFO
- resourceGroups:
- - coveredResources:
- - tekton.dev/pipelineruns
- - cpu
- - memory
- - aws-ip
- - mintmaker
- flavors:
- - name: default-flavor
- resources:
- - name: tekton.dev/pipelineruns
- nominalQuota: '300'
- - name: cpu
- nominalQuota: 1k
- - name: memory
- nominalQuota: 500Ti
- - name: aws-ip
- nominalQuota: '250'
- - name: mintmaker
- nominalQuota: '150'
- - coveredResources:
- - linux-amd64
- - linux-arm64
- - linux-c2xlarge-amd64
- - linux-c2xlarge-arm64
- - linux-c4xlarge-amd64
- - linux-c4xlarge-arm64
- - linux-c6gd2xlarge-arm64
- - linux-c8xlarge-amd64
- - linux-c8xlarge-arm64
- - linux-cxlarge-amd64
- - linux-cxlarge-arm64
- - linux-extra-fast-amd64
- - linux-fast-amd64
- - linux-m2xlarge-amd64
- - linux-m2xlarge-arm64
- - linux-m4xlarge-amd64
- flavors:
- - name: platform-group-1
- resources:
- - name: linux-amd64
- nominalQuota: '10'
- - name: linux-arm64
- nominalQuota: '50'
- - name: linux-c2xlarge-amd64
- nominalQuota: '10'
- - name: linux-c2xlarge-arm64
- nominalQuota: '20'
- - name: linux-c4xlarge-amd64
- nominalQuota: '10'
- - name: linux-c4xlarge-arm64
- nominalQuota: '20'
- - name: linux-c6gd2xlarge-arm64
- nominalQuota: '20'
- - name: linux-c8xlarge-amd64
- nominalQuota: '10'
- - name: linux-c8xlarge-arm64
- nominalQuota: '20'
- - name: linux-cxlarge-amd64
- nominalQuota: '10'
- - name: linux-cxlarge-arm64
- nominalQuota: '50'
- - name: linux-extra-fast-amd64
- nominalQuota: '10'
- - name: linux-fast-amd64
- nominalQuota: '10'
- - name: linux-m2xlarge-amd64
- nominalQuota: '10'
- - name: linux-m2xlarge-arm64
- nominalQuota: '20'
- - name: linux-m4xlarge-amd64
- nominalQuota: '10'
- - coveredResources:
- - linux-m4xlarge-arm64
- - linux-m8xlarge-amd64
- - linux-m8xlarge-arm64
- - linux-mlarge-amd64
- - linux-mlarge-arm64
- - linux-mxlarge-amd64
- - linux-mxlarge-arm64
- - linux-ppc64le
- - linux-root-amd64
- - linux-root-arm64
- - linux-s390x
- - linux-x86-64
- - local
- - localhost
- flavors:
- - name: platform-group-2
- resources:
- - name: linux-m4xlarge-arm64
- nominalQuota: '20'
- - name: linux-m8xlarge-amd64
- nominalQuota: '10'
- - name: linux-m8xlarge-arm64
- nominalQuota: '20'
- - name: linux-mlarge-amd64
- nominalQuota: '10'
- - name: linux-mlarge-arm64
- nominalQuota: '50'
- - name: linux-mxlarge-amd64
- nominalQuota: '10'
- - name: linux-mxlarge-arm64
- nominalQuota: '20'
- - name: linux-ppc64le
- nominalQuota: '24'
- - name: linux-root-amd64
- nominalQuota: '10'
- - name: linux-root-arm64
- nominalQuota: '50'
- - name: linux-s390x
- nominalQuota: '12'
- - name: linux-x86-64
- nominalQuota: '1000'
- - name: local
- nominalQuota: '1000'
- - name: localhost
- nominalQuota: '1000'
- stopPolicy: None
----
-apiVersion: kueue.x-k8s.io/v1beta1
-kind: ResourceFlavor
-metadata:
- name: default-flavor
----
-apiVersion: kueue.x-k8s.io/v1beta1
-kind: ResourceFlavor
-metadata:
- name: platform-group-1
-spec: {}
----
-apiVersion: kueue.x-k8s.io/v1beta1
-kind: ResourceFlavor
-metadata:
- name: platform-group-2
-spec: {}
----
-apiVersion: kueue.x-k8s.io/v1beta1
-kind: ResourceFlavor
-metadata:
- name: platform-group-3
-spec: {}
diff --git a/components/kueue/production/pentest-p01/queue-config/kustomization.yaml b/components/kueue/production/pentest-p01/queue-config/kustomization.yaml
deleted file mode 100644
index f9fd4ed82c8..00000000000
--- a/components/kueue/production/pentest-p01/queue-config/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- cluster-queue.yaml
-- ../../base/queue-config
-
-# ensure that installation starts after the installation of kueue complete
-commonAnnotations:
- argocd.argoproj.io/sync-wave: "10"
diff --git a/components/kyverno/production/pentest-p01/job_resources.yaml b/components/kyverno/production/pentest-p01/job_resources.yaml
deleted file mode 100644
index e8a5f00be55..00000000000
--- a/components/kyverno/production/pentest-p01/job_resources.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- op: add
- path: /spec/template/spec/containers/0/resources
- value:
- requests:
- cpu: 100m
- memory: 256M
- limits:
- cpu: 400m
- memory: 256M
diff --git a/components/kyverno/production/pentest-p01/kustomization.yaml b/components/kyverno/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index cc91bd2acb6..00000000000
--- a/components/kyverno/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: konflux-kyverno
-
-generators:
- - kyverno-helm-generator.yaml
-
-# set resources to jobs
-patches:
- - path: job_resources.yaml
- target:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-scale-to-zero
- - path: job_resources.yaml
- target:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-clean-reports
- - path: job_resources.yaml
- target:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-migrate-resources
- - path: job_resources.yaml
- target:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-remove-configmap
diff --git a/components/kyverno/production/pentest-p01/kyverno-helm-generator.yaml b/components/kyverno/production/pentest-p01/kyverno-helm-generator.yaml
deleted file mode 100644
index 4c6d3460091..00000000000
--- a/components/kyverno/production/pentest-p01/kyverno-helm-generator.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: builtin
-kind: HelmChartInflationGenerator
-metadata:
- name: kyverno
-name: kyverno
-repo: https://kyverno.github.io/kyverno/
-version: 3.5.2
-namespace: konflux-kyverno
-valuesFile: kyverno-helm-values.yaml
-releaseName: kyverno
diff --git a/components/kyverno/production/pentest-p01/kyverno-helm-values.yaml b/components/kyverno/production/pentest-p01/kyverno-helm-values.yaml
deleted file mode 100644
index ec90e57b172..00000000000
--- a/components/kyverno/production/pentest-p01/kyverno-helm-values.yaml
+++ /dev/null
@@ -1,138 +0,0 @@
-fullnameOverride: konflux-kyverno
-namespaceOverride: konflux-kyverno
-admissionController:
- replicas: 3
- initContainer:
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - "ALL"
- container:
- extraArgs:
- leaderElectionRetryPeriod: 26s
- resources:
- requests:
- cpu: 500m
- memory: 2Gi
- limits:
- cpu: 500m
- memory: 2Gi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - "ALL"
- podDisruptionBudget:
- enabled: true
- maxUnavailable: 2
- minAvailable: null
- unhealthyPodEvictionPolicy: AlwaysAllow
-backgroundController:
- replicas: 3
- extraArgs:
- leaderElectionRetryPeriod: 26s
- resources:
- requests:
- cpu: 500m
- memory: 2Gi
- limits:
- cpu: 500m
- memory: 2Gi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - "ALL"
- podDisruptionBudget:
- enabled: true
- maxUnavailable: 2
- minAvailable: null
- unhealthyPodEvictionPolicy: AlwaysAllow
-cleanupController:
- replicas: 3
- extraArgs:
- leaderElectionRetryPeriod: 26s
- resources:
- limits:
- cpu: 500m
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - "ALL"
- podDisruptionBudget:
- enabled: true
- maxUnavailable: 2
- minAvailable: null
- unhealthyPodEvictionPolicy: AlwaysAllow
-reportsController:
- replicas: 3
- resources:
- limits:
- cpu: 500m
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - "ALL"
- podDisruptionBudget:
- enabled: true
- maxUnavailable: 2
- minAvailable: null
- unhealthyPodEvictionPolicy: AlwaysAllow
-policyReportsCleanup:
- image:
- registry: mirror.gcr.io
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsGroup: null
- runAsUser: null
- capabilities:
- drop:
- - "ALL"
-webhooksCleanup:
- image:
- registry: mirror.gcr.io
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsGroup: null
- runAsUser: null
- capabilities:
- drop:
- - "ALL"
-test:
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsGroup: null
- runAsUser: null
- capabilities:
- drop:
- - "ALL"
-crds:
- migration:
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsGroup: null
- runAsUser: null
- capabilities:
- drop:
- - "ALL"
diff --git a/components/mintmaker/production/pentest-p01/kustomization.yaml b/components/mintmaker/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 8256959d8c2..00000000000
--- a/components/mintmaker/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-namespace: mintmaker
-patches:
- - path: pipelines-as-code-secret-path.yaml
- target:
- name: pipelines-as-code-secret
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
diff --git a/components/mintmaker/production/pentest-p01/pipelines-as-code-secret-path.yaml b/components/mintmaker/production/pentest-p01/pipelines-as-code-secret-path.yaml
deleted file mode 100644
index 01bc7c23a62..00000000000
--- a/components/mintmaker/production/pentest-p01/pipelines-as-code-secret-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/ansible/generated/pentest-p01/github-app
diff --git a/components/monitoring/blackbox/production/pentest-p01/kustomization.yaml b/components/monitoring/blackbox/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 1910bc0b9bc..00000000000
--- a/components/monitoring/blackbox/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - https://github.com/redhat-appstudio/internal-infra-deployments/components/monitoring/blackbox-exporter/production/private/pentest-p01?ref=e6779c185a448f727736324c423b2b383f24f1f3
-
-namespace: appstudio-monitoring
diff --git a/components/monitoring/logging/production/pentest-p01/kustomization.yaml b/components/monitoring/logging/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index ea2a0a116f9..00000000000
--- a/components/monitoring/logging/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-- ../../base/logging-operator-prerequisite
diff --git a/components/monitoring/prometheus/production/pentest-p01/cluster-id-label.yaml b/components/monitoring/prometheus/production/pentest-p01/cluster-id-label.yaml
deleted file mode 100644
index 2639f209454..00000000000
--- a/components/monitoring/prometheus/production/pentest-p01/cluster-id-label.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/prometheusConfig/externalLabels/source_cluster
- value: pentest-p01
diff --git a/components/monitoring/prometheus/production/pentest-p01/kustomization.yaml b/components/monitoring/prometheus/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 377316117af..00000000000
--- a/components/monitoring/prometheus/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-
-patches:
- - path: cluster-id-label.yaml
- target:
- name: appstudio-federate-ms
- kind: MonitoringStack
- group: monitoring.rhobs
- version: v1alpha1
diff --git a/components/multi-platform-controller/production-downstream/pentest-p01/external-secrets.yaml b/components/multi-platform-controller/production-downstream/pentest-p01/external-secrets.yaml
deleted file mode 100644
index feb763681e5..00000000000
--- a/components/multi-platform-controller/production-downstream/pentest-p01/external-secrets.yaml
+++ /dev/null
@@ -1,114 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: aws-account
- namespace: multi-platform-controller
- labels:
- build.appstudio.redhat.com/multi-platform-secret: "true"
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- dataFrom:
- - extract:
- key: production/platform/terraform/generated/pentest-p01/aws-account
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: appsre-stonesoup-vault
- target:
- creationPolicy: Owner
- deletionPolicy: Delete
- name: aws-account
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: aws-ssh-key
- namespace: multi-platform-controller
- labels:
- build.appstudio.redhat.com/multi-platform-secret: "true"
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- dataFrom:
- - extract:
- key: production/platform/terraform/generated/pentest-p01/aws-ssh-key
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: appsre-stonesoup-vault
- target:
- creationPolicy: Owner
- deletionPolicy: Delete
- name: aws-ssh-key
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: ibm-api-key
- namespace: multi-platform-controller
- labels:
- build.appstudio.redhat.com/multi-platform-secret: "true"
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- dataFrom:
- - extract:
- key: production/platform/terraform/generated/pentest-p01/ibm-api-key
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: appsre-stonesoup-vault
- target:
- creationPolicy: Owner
- deletionPolicy: Delete
- name: ibm-api-key
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: ibm-ppc64le-ssh-key
- namespace: multi-platform-controller
- labels:
- build.appstudio.redhat.com/multi-platform-secret: "true"
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- dataFrom:
- - extract:
- key: production/platform/terraform/generated/pentest-p01/ibm-ppc64le-ssh-key-eu-de
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: appsre-stonesoup-vault
- target:
- creationPolicy: Owner
- deletionPolicy: Delete
- name: ibm-ppc64le-ssh-key
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: ibm-s390x-ssh-key
- namespace: multi-platform-controller
- labels:
- build.appstudio.redhat.com/multi-platform-secret: "true"
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "-1"
-spec:
- dataFrom:
- - extract:
- key: production/platform/terraform/generated/pentest-p01/ibm-s390x-ssh-key-6iy3
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: appsre-stonesoup-vault
- target:
- creationPolicy: Owner
- deletionPolicy: Delete
- name: ibm-s390x-ssh-key
diff --git a/components/multi-platform-controller/production-downstream/pentest-p01/host-values.yaml b/components/multi-platform-controller/production-downstream/pentest-p01/host-values.yaml
deleted file mode 100644
index d4b7d3bed76..00000000000
--- a/components/multi-platform-controller/production-downstream/pentest-p01/host-values.yaml
+++ /dev/null
@@ -1,264 +0,0 @@ -environment: "prod" - -archDefaults: - arm64: - ami: "ami-06f37afe6d4f43c47" - key-name: "pentest-p01-key-pair" - security-group-id: "sg-0811f7092bfeb3e84" - subnet-id: "subnet-06232fb3beb5542cf" - amd64: - ami: "ami-01aaf1c29c7e0f0af" - key-name: "pentest-p01-key-pair" - security-group-id: "sg-0811f7092bfeb3e84" - subnet-id: "subnet-06232fb3beb5542cf" - -dynamicConfigs: - linux-arm64: - max-instances: 50 - - linux-amd64: {} - - linux-mlarge-arm64: - max-instances: 50 - - linux-mlarge-amd64: {} - - linux-mxlarge-arm64: {} - - linux-mxlarge-amd64: {} - - linux-m2xlarge-arm64: {} - - linux-m2xlarge-amd64: {} - - linux-m4xlarge-arm64: {} - - linux-m4xlarge-amd64: {} - - linux-d320-m8xlarge-arm64: {} - - linux-d320-m8xlarge-amd64: {} - - linux-m8xlarge-arm64: {} - - linux-m8xlarge-amd64: {} - - linux-c6gd2xlarge-arm64: - user-data: | - Content-Type: multipart/mixed; boundary="//" - MIME-Version: 1.0 - - --// - Content-Type: text/cloud-config; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="cloud-config.txt" - - #cloud-config - cloud_final_modules: - - [scripts-user, always] - - --// - Content-Type: text/x-shellscript; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="userdata.txt" - - #!/bin/bash -ex - - # Format and mount NVMe disk - mkfs -t xfs /dev/nvme1n1 - mount /dev/nvme1n1 /home - - # Create required directories - mkdir -p /home/var-lib-containers /var/lib/containers /home/var-tmp /var/tmp /home/ec2-user/.ssh - - # Setup bind mounts - mount --bind /home/var-lib-containers /var/lib/containers - mount --bind /home/var-tmp /var/tmp - restorecon -r /var/lib/containers /var/tmp - - # Configure ec2-user SSH access - chown -R ec2-user /home/ec2-user - sed -n 's,.*\(ssh-.*\s\),\1,p' /root/.ssh/authorized_keys > /home/ec2-user/.ssh/authorized_keys - chown ec2-user /home/ec2-user/.ssh/authorized_keys - chmod 600 
/home/ec2-user/.ssh/authorized_keys - chmod 700 /home/ec2-user/.ssh - restorecon -r /home/ec2-user - - --//-- - - linux-cxlarge-arm64: - max-instances: 50 - - linux-cxlarge-amd64: {} - - linux-c2xlarge-arm64: {} - - linux-c2xlarge-amd64: {} - - linux-c4xlarge-arm64: {} - - linux-c4xlarge-amd64: {} - - linux-c8xlarge-arm64: {} - - linux-c8xlarge-amd64: {} - - linux-g4xlarge-amd64: {} - - linux-g6xlarge-amd64: - ami: "ami-0ad6c6b0ac6c36199" - user-data: | - Content-Type: multipart/mixed; boundary="//" - MIME-Version: 1.0 - - --// - Content-Type: text/cloud-config; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="cloud-config.txt" - - #cloud-config - cloud_final_modules: - - [scripts-user, always] - - --// - Content-Type: text/x-shellscript; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="userdata.txt" - - #!/bin/bash -ex - - # Format and mount NVMe disk - mkfs -t xfs /dev/nvme1n1 - mount /dev/nvme1n1 /home - - # Create required directories - mkdir -p /home/var-lib-containers /var/lib/containers /home/var-tmp /var/tmp /home/ec2-user/.ssh /etc/cdi - - # Setup bind mounts - mount --bind /home/var-lib-containers /var/lib/containers - mount --bind /home/var-tmp /var/tmp - chmod a+rw /var/tmp - restorecon -r /var/lib/containers /var/tmp - - # Configure ec2-user SSH access - chown -R ec2-user /home/ec2-user - sed -n 's,.*\(ssh-.*\s\),\1,p' /root/.ssh/authorized_keys > /home/ec2-user/.ssh/authorized_keys - chown ec2-user /home/ec2-user/.ssh/authorized_keys - chmod 600 /home/ec2-user/.ssh/authorized_keys - chmod 700 /home/ec2-user/.ssh - restorecon -r /home/ec2-user - - # GPU setup - chmod a+rwx /etc/cdi - su - ec2-user - nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml - --//-- - - linux-root-arm64: - max-instances: "50" - sudo-commands: "/usr/bin/podman" - disk: "200" - iops: "16000" - throughput: "1000" - - linux-root-amd64: - 
instance-type: "m6idn.2xlarge" - sudo-commands: "/usr/bin/podman" - disk: "200" - user-data: |- - Content-Type: multipart/mixed; boundary="//" - MIME-Version: 1.0 - - --// - Content-Type: text/cloud-config; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="cloud-config.txt" - - #cloud-config - cloud_final_modules: - - [scripts-user, always] - - --// - Content-Type: text/x-shellscript; charset="us-ascii" - MIME-Version: 1.0 - Content-Transfer-Encoding: 7bit - Content-Disposition: attachment; filename="userdata.txt" - - #!/bin/bash -ex - - # Format and mount NVMe disk - mkfs -t xfs /dev/nvme1n1 - mount /dev/nvme1n1 /home - - # Create required directories - mkdir -p /home/var-lib-containers /var/lib/containers /home/var-tmp /var/tmp /home/ec2-user/.ssh - - # Setup bind mounts - mount --bind /home/var-lib-containers /var/lib/containers - mount --bind /home/var-tmp /var/tmp - restorecon -r /var/lib/containers /var/tmp - - # Configure ec2-user SSH access - chown -R ec2-user /home/ec2-user - sed -n 's,.*\(ssh-.*\s\),\1,p' /root/.ssh/authorized_keys > /home/ec2-user/.ssh/authorized_keys - chown ec2-user /home/ec2-user/.ssh/authorized_keys - chmod 600 /home/ec2-user/.ssh/authorized_keys - chmod 700 /home/ec2-user/.ssh - restorecon -r /home/ec2-user - - --//-- - - linux-fast-amd64: {} - - linux-extra-fast-amd64: {} - -# Static hosts configuration -staticHosts: - # PPC - ppc64le-pi-static-x0: - address: "10.130.130.76" - concurrency: "8" - platform: "linux/ppc64le" - secret: "ibm-ppc64le-ssh-key" - user: "root" - - ppc64le-pi-static-x1: - address: "10.130.130.73" - concurrency: "8" - platform: "linux/ppc64le" - secret: "ibm-ppc64le-ssh-key" - user: "root" - - ppc64le-pi-static-x2: - address: "10.130.130.75" - concurrency: "8" - platform: "linux/ppc64le" - secret: "ibm-ppc64le-ssh-key" - user: "root" - - # s390 - s390x-static-1: - address: "10.130.130.55" - concurrency: "4" - platform: "linux/s390x" - secret: 
"s390x-static-ssh-key" - user: "root" - - s390x-static-2: - address: "10.130.130.56" - concurrency: "4" - platform: "linux/s390x" - secret: "s390x-static-ssh-key" - user: "root" - - s390x-static-3: - address: "10.130.130.57" - concurrency: "4" - platform: "linux/s390x" - secret: "s390x-static-ssh-key" - user: "root"
diff --git a/components/multi-platform-controller/production-downstream/pentest-p01/kustomization.yaml b/components/multi-platform-controller/production-downstream/pentest-p01/kustomization.yaml
deleted file mode 100644
index df03583e6ca..00000000000
--- a/components/multi-platform-controller/production-downstream/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: multi-platform-controller
-
-resources:
-- ../../base/common
-- external-secrets.yaml
-- https://github.com/konflux-ci/multi-platform-controller/deploy/operator?ref=2a5a88f6e2611c80977603005fc3c97f354a59e7
-- https://github.com/konflux-ci/multi-platform-controller/deploy/otp?ref=2a5a88f6e2611c80977603005fc3c97f354a59e7
-
-components:
- - ../../k-components/manager-resources
-
-images:
-- name: multi-platform-controller
- newName: quay.io/konflux-ci/multi-platform-controller
- newTag: 2a5a88f6e2611c80977603005fc3c97f354a59e7
-- name: multi-platform-otp-server
- newName: quay.io/konflux-ci/multi-platform-controller-otp-service
- newTag: 2a5a88f6e2611c80977603005fc3c97f354a59e7
-
-patches:
- - path: manager_resources_patch.yaml
-
-helmGlobals:
- chartHome: ../../base
-
-helmCharts:
-- name: host-config-chart
- releaseName: host-config
- namespace: multi-platform-controller
- valuesFile: host-values.yaml
diff --git a/components/multi-platform-controller/production-downstream/pentest-p01/manager_resources_patch.yaml b/components/multi-platform-controller/production-downstream/pentest-p01/manager_resources_patch.yaml
deleted file mode 100644
index be57098fbe5..00000000000
--- a/components/multi-platform-controller/production-downstream/pentest-p01/manager_resources_patch.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: multi-platform-controller
- namespace: multi-platform-controller
-spec:
- template:
- spec:
- containers:
- - name: manager
- resources:
- limits:
- cpu: 500m
- memory: 22Gi
- requests:
- cpu: 500m
- memory: 22Gi
diff --git a/components/namespace-lister/production/pentest-p01/kustomization.yaml b/components/namespace-lister/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index a48b7b42a71..00000000000
--- a/components/namespace-lister/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base/
diff --git a/components/pipeline-service/production/pentest-p01/deploy.yaml b/components/pipeline-service/production/pentest-p01/deploy.yaml
deleted file mode 100644
index 8e76f0d7456..00000000000
--- a/components/pipeline-service/production/pentest-p01/deploy.yaml
+++ /dev/null
@@ -1,2617 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - labels: - argocd.argoproj.io/managed-by: openshift-gitops - name: openshift-pipelines ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: plnsvc-tests ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - labels: - argocd.argoproj.io/managed-by: openshift-gitops - name: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service-exporter - namespace: openshift-pipelines ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: tekton-results-tests - namespace: plnsvc-tests ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: metrics-reader - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - 
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-manage-vector-pods - namespace: tekton-logging -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - list - - watch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-exec-pprof-data - namespace: tekton-results -rules: -- apiGroups: - - "" - resources: - - pod/exec - verbs: - - get - - list - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -rules: -- apiGroups: - - "" - resourceNames: - - tekton-results-info - resources: - - configmaps - verbs: - - get - - describe ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: openshift-gitops-apply-tekton-config-parameters -rules: -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - list - - patch - - create - - delete -- apiGroups: - - operator.tekton.dev - resources: - - tektonconfigs - verbs: - - get - - list - - patch - - create - - delete -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - get - - list - - patch - - create - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: 
openshift-gitops-jobs-admin -rules: -- apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - patch - - create - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service-exporter-reader -rules: -- apiGroups: - - "" - resources: - - pods - - services - - namespaces - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - verbs: - - get - - list - - watch - - patch -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service-exporter-resolution-req-read-until-ocp-at-415 -rules: -- apiGroups: - - resolution.tekton.dev - resources: - - resolutionrequests - verbs: - - get - - list - - watch - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - - delete -- apiGroups: - - quota.openshift.io - resources: - - clusterresourcequotas - verbs: - - list - - get - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - pipelinesascode.tekton.dev - - results.tekton.dev - - tekton.dev - - triggers.tekton.dev - - resolution.tekton.dev - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - metrics.k8s.io - resources: - - 
nodes - verbs: - - get - - list - - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - '*' - verbs: - - list - - get - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-chains-public-key-viewer -rules: -- apiGroups: - - "" - resourceNames: - - public-key - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: tekton-results-admin -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: tekton-results-readonly -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - - summary - verbs: - - get - - list ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-readwrite -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-service-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -rules: -- apiGroups: - - results.tekton.dev - resources: - - logs - - results - - records - verbs: - - create - - get - - update -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - verbs: - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - configmaps - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get -- apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - create - - update - - delete - - patch - - watch -- apiGroups: - - tekton.dev - resources: - - pipelines - verbs: - - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - create - - update - - delete - - patch - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -rules: -- 
apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-ns-edit - namespace: openshift-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: edit -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-sre ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-chains-public-key-viewer - namespace: openshift-pipelines -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-chains-public-key-viewer -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-admin - namespace: plnsvc-tests -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-manage-vector-pods - namespace: tekton-logging -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: pipeline-service-sre-manage-vector-pods -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service -- 
apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-sre ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-exec-pprof-data - namespace: tekton-results -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: pipeline-service-sre-exec-pprof-data -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-sre ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre-ns-edit - namespace: tekton-results -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: edit -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-sre ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tekton-results-info -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: tekton-results-tests - namespace: plnsvc-tests -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-readonly -subjects: -- kind: ServiceAccount - name: tekton-results-tests - namespace: plnsvc-tests 
---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: openshift-gitops-apply-tekton-config-parameters -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: openshift-gitops-apply-tekton-config-parameters -subjects: -- kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: openshift-gitops-jobs-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: openshift-gitops-jobs-admin -subjects: -- kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service-exporter-reader-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: pipeline-service-exporter-reader -subjects: -- kind: ServiceAccount - name: pipeline-service-exporter - namespace: openshift-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service-exporter-resolution-req-read-until-ocp-at-415 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: pipeline-service-exporter-resolution-req-read-until-ocp-at-415 -subjects: -- kind: ServiceAccount - name: pipeline-service-exporter - namespace: openshift-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: pipeline-service-sre -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: pipeline-service-sre -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: konflux-pipeline-service ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: prometheus-tekton-results-service-metrics-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-service-metrics-reader -subjects: -- kind: ServiceAccount - name: metrics-reader - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-wave: "0" - name: tekton-pipelines-controller-konflux-scc -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: appstudio-pipelines-runner -subjects: -- kind: ServiceAccount - name: tekton-pipelines-controller - namespace: openshift-pipelines ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-api -subjects: -- kind: ServiceAccount - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: 
ClusterRole - name: tekton-results-watcher -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-logs -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-admin -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-watcher-rbac -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: v1 -data: - tekton-results-db-ca.pem: |- - -----BEGIN CERTIFICATE----- - MIIEBjCCAu6gAwIBAgIJAMc0ZzaSUK51MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD - VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi - MCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1h - em9uIFJEUzEgMB4GA1UEAwwXQW1hem9uIFJEUyBSb290IDIwMTkgQ0EwHhcNMTkw - ODIyMTcwODUwWhcNMjQwODIyMTcwODUwWjCBjzELMAkGA1UEBhMCVVMxEDAOBgNV - BAcMB1NlYXR0bGUxEzARBgNVBAgMCldhc2hpbmd0b24xIjAgBgNVBAoMGUFtYXpv - biBXZWIgU2VydmljZXMsIEluYy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxIDAeBgNV - BAMMF0FtYXpvbiBSRFMgUm9vdCAyMDE5IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC - AQ8AMIIBCgKCAQEArXnF/E6/Qh+ku3hQTSKPMhQQlCpoWvnIthzX6MK3p5a0eXKZ - oWIjYcNNG6UwJjp4fUXl6glp53Jobn+tWNX88dNH2n8DVbppSwScVE2LpuL+94vY - 0EYE/XxN7svKea8YvlrqkUBKyxLxTjh+U/KrGOaHxz9v0l6ZNlDbuaZw3qIWdD/I - 6aNbGeRUVtpM6P+bWIoxVl/caQylQS6CEYUk+CpVyJSkopwJlzXT07tMoDL5WgX9 - O08KVgDNz9qP/IGtAcRduRcNioH3E9v981QO1zt/Gpb2f8NqAjUUCUZzOnij6mx9 - 
McZ+9cWX88CRzR0vQODWuZscgI08NvM69Fn2SQIDAQABo2MwYTAOBgNVHQ8BAf8E - BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUc19g2LzLA5j0Kxc0LjZa - pmD/vB8wHwYDVR0jBBgwFoAUc19g2LzLA5j0Kxc0LjZapmD/vB8wDQYJKoZIhvcN - AQELBQADggEBAHAG7WTmyjzPRIM85rVj+fWHsLIvqpw6DObIjMWokpliCeMINZFV - ynfgBKsf1ExwbvJNzYFXW6dihnguDG9VMPpi2up/ctQTN8tm9nDKOy08uNZoofMc - NUZxKCEkVKZv+IL4oHoeayt8egtv3ujJM6V14AstMQ6SwvwvA93EP/Ug2e4WAXHu - cbI1NAbUgVDqp+DRdfvZkgYKryjTWd/0+1fS8X1bBZVWzl7eirNVnHbSH2ZDpNuY - 0SBd8dj5F6ld3t58ydZbrTHze7JJOd8ijySAp4/kiu9UfZWuTPABzDa/DSdz9Dk/ - zPW4CXXvhLmE02TA9/HeCw3KEHIwicNuEfw= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIEBzCCAu+gAwIBAgICJVUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT - MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK - DBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQLDApBbWF6b24gUkRT - MSAwHgYDVQQDDBdBbWF6b24gUkRTIFJvb3QgMjAxOSBDQTAeFw0xOTA5MTkxODE2 - NTNaFw0yNDA4MjIxNzA4NTBaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2Fz - aGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEiMCAGA1UECgwZQW1hem9uIFdlYiBT - ZXJ2aWNlcywgSW5jLjETMBEGA1UECwwKQW1hem9uIFJEUzElMCMGA1UEAwwcQW1h - em9uIFJEUyB1cy1lYXN0LTEgMjAxOSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP - ADCCAQoCggEBAM3i/k2u6cqbMdcISGRvh+m+L0yaSIoOXjtpNEoIftAipTUYoMhL - InXGlQBVA4shkekxp1N7HXe1Y/iMaPEyb3n+16pf3vdjKl7kaSkIhjdUz3oVUEYt - i8Z/XeJJ9H2aEGuiZh3kHixQcZczn8cg3dA9aeeyLSEnTkl/npzLf//669Ammyhs - XcAo58yvT0D4E0D/EEHf2N7HRX7j/TlyWvw/39SW0usiCrHPKDLxByLojxLdHzso - QIp/S04m+eWn6rmD+uUiRteN1hI5ncQiA3wo4G37mHnUEKo6TtTUh+sd/ku6a8HK - glMBcgqudDI90s1OpuIAWmuWpY//8xEG2YECAwEAAaNmMGQwDgYDVR0PAQH/BAQD - AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFPqhoWZcrVY9mU7tuemR - RBnQIj1jMB8GA1UdIwQYMBaAFHNfYNi8ywOY9CsXNC42WqZg/7wfMA0GCSqGSIb3 - DQEBCwUAA4IBAQB6zOLZ+YINEs72heHIWlPZ8c6WY8MDU+Be5w1M+BK2kpcVhCUK - PJO4nMXpgamEX8DIiaO7emsunwJzMSvavSPRnxXXTKIc0i/g1EbiDjnYX9d85DkC - E1LaAUCmCZBVi9fIe0H2r9whIh4uLWZA41oMnJx/MOmo3XyMfQoWcqaSFlMqfZM4 - 0rNoB/tdHLNuV4eIdaw2mlHxdWDtF4oH+HFm+2cVBUVC1jXKrFv/euRVtsTT+A6i - 
h2XBHKxQ1Y4HgAn0jACP2QSPEmuoQEIa57bEKEcZsBR8SDY6ZdTd2HLRIApcCOSF - MRM8CKLeF658I0XgF8D5EsYoKPsA+74Z+jDH - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIID/zCCAuegAwIBAgIRAPVSMfFitmM5PhmbaOFoGfUwDQYJKoZIhvcNAQELBQAw - gZcxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ - bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEwMC4GA1UEAwwn - QW1hem9uIFJEUyB1cy1lYXN0LTEgUm9vdCBDQSBSU0EyMDQ4IEcxMRAwDgYDVQQH - DAdTZWF0dGxlMCAXDTIxMDUyNTIyMzQ1N1oYDzIwNjEwNTI1MjMzNDU3WjCBlzEL - MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x - EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTAwLgYDVQQDDCdBbWF6 - b24gUkRTIHVzLWVhc3QtMSBSb290IENBIFJTQTIwNDggRzExEDAOBgNVBAcMB1Nl - YXR0bGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDu9H7TBeGoDzMr - dxN6H8COntJX4IR6dbyhnj5qMD4xl/IWvp50lt0VpmMd+z2PNZzx8RazeGC5IniV - 5nrLg0AKWRQ2A/lGGXbUrGXCSe09brMQCxWBSIYe1WZZ1iU1IJ/6Bp4D2YEHpXrW - bPkOq5x3YPcsoitgm1Xh8ygz6vb7PsvJvPbvRMnkDg5IqEThapPjmKb8ZJWyEFEE - QRrkCIRueB1EqQtJw0fvP4PKDlCJAKBEs/y049FoOqYpT3pRy0WKqPhWve+hScMd - 6obq8kxTFy1IHACjHc51nrGII5Bt76/MpTWhnJIJrCnq1/Uc3Qs8IVeb+sLaFC8K - DI69Sw6bAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE7PCopt - lyOgtXX0Y1lObBUxuKaCMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC - AQEAFj+bX8gLmMNefr5jRJfHjrL3iuZCjf7YEZgn89pS4z8408mjj9z6Q5D1H7yS - jNETVV8QaJip1qyhh5gRzRaArgGAYvi2/r0zPsy+Tgf7v1KGL5Lh8NT8iCEGGXwF - g3Ir+Nl3e+9XUp0eyyzBIjHtjLBm6yy8rGk9p6OtFDQnKF5OxwbAgip42CD75r/q - p421maEDDvvRFR4D+99JZxgAYDBGqRRceUoe16qDzbMvlz0A9paCZFclxeftAxv6 - QlR5rItMz/XdzpBJUpYhdzM0gCzAzdQuVO5tjJxmXhkSMcDP+8Q+Uv6FA9k2VpUV - E/O5jgpqUJJ2Hc/5rs9VkAPXeA== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIF/jCCA+agAwIBAgIQaRHaEqqacXN20e8zZJtmDDANBgkqhkiG9w0BAQwFADCB - lzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu - Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTAwLgYDVQQDDCdB - bWF6b24gUkRTIHVzLWVhc3QtMSBSb290IENBIFJTQTQwOTYgRzExEDAOBgNVBAcM - B1NlYXR0bGUwIBcNMjEwNTI1MjIzODM1WhgPMjEyMTA1MjUyMzM4MzVaMIGXMQsw - 
CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET - MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMDAuBgNVBAMMJ0FtYXpv - biBSRFMgdXMtZWFzdC0xIFJvb3QgQ0EgUlNBNDA5NiBHMTEQMA4GA1UEBwwHU2Vh - dHRsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAInfBCaHuvj6Rb5c - L5Wmn1jv2PHtEGMHm+7Z8dYosdwouG8VG2A+BCYCZfij9lIGszrTXkY4O7vnXgru - JUNdxh0Q3M83p4X+bg+gODUs3jf+Z3Oeq7nTOk/2UYvQLcxP4FEXILxDInbQFcIx - yen1ESHggGrjEodgn6nbKQNRfIhjhW+TKYaewfsVWH7EF2pfj+cjbJ6njjgZ0/M9 - VZifJFBgat6XUTOf3jwHwkCBh7T6rDpgy19A61laImJCQhdTnHKvzTpxcxiLRh69 - ZObypR7W04OAUmFS88V7IotlPmCL8xf7kwxG+gQfvx31+A9IDMsiTqJ1Cc4fYEKg - bL+Vo+2Ii4W2esCTGVYmHm73drznfeKwL+kmIC/Bq+DrZ+veTqKFYwSkpHRyJCEe - U4Zym6POqQ/4LBSKwDUhWLJIlq99bjKX+hNTJykB+Lbcx0ScOP4IAZQoxmDxGWxN - S+lQj+Cx2pwU3S/7+OxlRndZAX/FKgk7xSMkg88HykUZaZ/ozIiqJqSnGpgXCtED - oQ4OJw5ozAr+/wudOawaMwUWQl5asD8fuy/hl5S1nv9XxIc842QJOtJFxhyeMIXt - LVECVw/dPekhMjS3Zo3wwRgYbnKG7YXXT5WMxJEnHu8+cYpMiRClzq2BEP6/MtI2 - AZQQUFu2yFjRGL2OZA6IYjxnXYiRAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8w - HQYDVR0OBBYEFADCcQCPX2HmkqQcmuHfiQ2jjqnrMA4GA1UdDwEB/wQEAwIBhjAN - BgkqhkiG9w0BAQwFAAOCAgEASXkGQ2eUmudIKPeOIF7RBryCoPmMOsqP0+1qxF8l - pGkwmrgNDGpmd9s0ArfIVBTc1jmpgB3oiRW9c6n2OmwBKL4UPuQ8O3KwSP0iD2sZ - KMXoMEyphCEzW1I2GRvYDugL3Z9MWrnHkoaoH2l8YyTYvszTvdgxBPpM2x4pSkp+ - 76d4/eRpJ5mVuQ93nC+YG0wXCxSq63hX4kyZgPxgCdAA+qgFfKIGyNqUIqWgeyTP - n5OgKaboYk2141Rf2hGMD3/hsGm0rrJh7g3C0ZirPws3eeJfulvAOIy2IZzqHUSY - jkFzraz6LEH3IlArT3jUPvWKqvh2lJWnnp56aqxBR7qHH5voD49UpJWY1K0BjGnS - OHcurpp0Yt/BIs4VZeWdCZwI7JaSeDcPMaMDBvND3Ia5Fga0thgYQTG6dE+N5fgF - z+hRaujXO2nb0LmddVyvE8prYlWRMuYFv+Co8hcMdJ0lEZlfVNu0jbm9/GmwAZ+l - 9umeYO9yz/uC7edC8XJBglMAKUmVK9wNtOckUWAcCfnPWYLbYa/PqtXBYcxrso5j - iaS/A7iEW51uteHBGrViCy1afGG+hiUWwFlesli+Rq4dNstX3h6h2baWABaAxEVJ - y1RnTQSz6mROT1VmZSgSVO37rgIyY0Hf0872ogcTS+FfvXgBxCxsNWEbiQ/XXva4 - 0Ws= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIICrjCCAjSgAwIBAgIRAPAlEk8VJPmEzVRRaWvTh2AwCgYIKoZIzj0EAwMwgZYx - 
CzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMu - MRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEvMC0GA1UEAwwmQW1h - em9uIFJEUyB1cy1lYXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcMB1Nl - YXR0bGUwIBcNMjEwNTI1MjI0MTU1WhgPMjEyMTA1MjUyMzQxNTVaMIGWMQswCQYD - VQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjETMBEG - A1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExLzAtBgNVBAMMJkFtYXpvbiBS - RFMgdXMtZWFzdC0xIFJvb3QgQ0EgRUNDMzg0IEcxMRAwDgYDVQQHDAdTZWF0dGxl - MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEx5xjrup8II4HOJw15NTnS3H5yMrQGlbj - EDA5MMGnE9DmHp5dACIxmPXPMe/99nO7wNdl7G71OYPCgEvWm0FhdvVUeTb3LVnV - BnaXt32Ek7/oxGk1T+Df03C+W0vmuJ+wo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0G - A1UdDgQWBBTGXmqBWN/1tkSea4pNw0oHrjk2UDAOBgNVHQ8BAf8EBAMCAYYwCgYI - KoZIzj0EAwMDaAAwZQIxAIqqZWCSrIkZ7zsv/FygtAusW6yvlL935YAWYPVXU30m - jkMFLM+/RJ9GMvnO8jHfCgIwB+whlkcItzE9CRQ6CsMo/d5cEHDUu/QW6jSIh9BR - OGh9pTYPVkUbBiKPA7lVVhre - -----END CERTIFICATE----- -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: rds-root-crt - namespace: tekton-results ---- -apiVersion: v1 -data: - config.env: | - DB_USER= - DB_PASSWORD= - DB_HOST= - DB_PORT=5432 - DB_NAME= - DB_SSLMODE=verify-full - DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem - DB_ENABLE_AUTO_MIGRATION=true - SERVER_PORT=8080 - PROMETHEUS_PORT=9090 - PROMETHEUS_HISTOGRAM=true - TLS_PATH=/etc/tls - AUTH_DISABLE=false - AUTH_IMPERSONATE=true - LOG_LEVEL=info - LOGS_API=false - LOGS_TYPE=File - LOGS_BUFFER_SIZE=5242880 - LOGS_PATH=//logs - S3_BUCKET_NAME= - S3_ENDPOINT= - S3_HOSTNAME_IMMUTABLE=false - S3_REGION= - S3_ACCESS_KEY_ID= - S3_SECRET_ACCESS_KEY= - S3_MULTI_PART_SIZE=5242880 - GCS_BUCKET_NAME= - STORAGE_EMULATOR_HOST= - K8S_QPS=50 - K8S_BURST=100 - PROFILING=true - PROFILING_PORT=6060 - FEATURE_GATES='PartialResponse=true' - CONVERTER_ENABLE=false - CONVERTER_DB_LIMIT=50 - LOGGING_PLUGIN_PROXY_PATH=/api/logs/v1/application - 
LOGGING_PLUGIN_TOKEN_PATH=/var/run/secrets/kubernetes.io/serviceaccount/token - LOGGING_PLUGIN_NAMESPACE_KEY=kubernetes_namespace_name - LOGGING_PLUGIN_STATIC_LABELS='log_type=application' - LOGGING_PLUGIN_CA_CERT= - LOGGING_PLUGIN_QUERY_LIMIT=1700 - LOGGING_PLUGIN_TLS_VERIFICATION_DISABLE= - LOGGING_PLUGIN_FORWARDER_DELAY_DURATION=10 - LOGGING_PLUGIN_API_URL=s3://tekton-logs - LOGGING_PLUGIN_QUERY_PARAMS='v1alpha2LogType=true&use_path_style=true' - LOGGING_PLUGIN_MULTIPART_REGEX='-\d{10}.log$' -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-config - namespace: tekton-results ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. - retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. 
If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-leader-election - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-leader-election - namespace: tekton-results ---- -apiVersion: v1 -data: - loglevel.controller: info - loglevel.watcher: info - zap-logger-config: | - { - "level": "info", - "development": false, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "string", - "callerEncoder": "" - } - } -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/name: tekton-results-logging - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-logging - namespace: tekton-results ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. 
- - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using Stackdriver will incur additional charges. - metrics.backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used and metrics will be sent to the cluster's project if this field is - # not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed - # to send metrics to Stackdriver using "global" resource type and custom - # metric type. Setting this flag to "true" could cause extra Stackdriver - # charge. If metrics.backend-destination is not Stackdriver, this is - # ignored. - metrics.allow-stackdriver-custom-metrics: "false" - metrics.taskrun.level: "task" - metrics.taskrun.duration-type: "histogram" - metrics.pipelinerun.level: "pipeline" - metrics.pipelinerun.duration-type: "histogram" - profiling.enable: "true" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-observability - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-observability - namespace: tekton-results ---- -apiVersion: v1 -data: - maxRetention: "30" - runAt: 5 5 * * 0 -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-retention-policy - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-results-retention-policy - namespace: tekton-results ---- -apiVersion: v1 -data: - version: devel -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - 
labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - kubernetes.io/service-account.name: metrics-reader - name: metrics-reader - namespace: tekton-results -type: kubernetes.io/service-account-token ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app: pipeline-metrics-exporter - name: pipeline-metrics-exporter-service - namespace: openshift-pipelines -spec: - ports: - - name: metrics - port: 9117 - protocol: TCP - targetPort: 9117 - selector: - app: pipeline-metrics-exporter ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - ignore-check.kube-linter.io/dangling-service: This service is not dangling, it - exposes metric for an OSP deployment - labels: - app: tekton-chains-controller - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: tekton-chains - name: tekton-chains - namespace: openshift-pipelines -spec: - ports: - - name: metrics - port: 9090 - protocol: TCP - targetPort: 9090 - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-chains ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - service.beta.openshift.io/serving-cert-secret-name: tekton-results-tls - labels: - app: tekton-results-api - app.kubernetes.io/component: api - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - 
app.kubernetes.io/version: devel - name: tekton-results-api-service - namespace: tekton-results -spec: - ports: - - name: server - port: 8080 - protocol: TCP - targetPort: 8080 - - name: metrics - port: 9443 - protocol: TCP - targetPort: metrics - - name: profiling - port: 6060 - protocol: TCP - targetPort: 6060 - selector: - app.kubernetes.io/name: tekton-results-api ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - service.beta.openshift.io/serving-cert-secret-name: tekton-results-for-watcher-tls - labels: - app: tekton-results-api - app.kubernetes.io/component: api - app.kubernetes.io/name: tekton-results-api-for-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-service-for-watcher - namespace: tekton-results -spec: - ports: - - name: server - port: 8080 - protocol: TCP - targetPort: 8080 - - name: metrics - port: 9443 - protocol: TCP - targetPort: metrics - - name: profiling - port: 6060 - protocol: TCP - targetPort: 6060 - selector: - app.kubernetes.io/name: tekton-results-api-for-watcher ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app: tekton-results-watcher - app.kubernetes.io/component: watcher - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - ports: - - name: watchermetrics - port: 8443 - targetPort: watchermetrics - - name: profiling - port: 8008 - selector: - app.kubernetes.io/name: tekton-results-watcher ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: 
pipeline-metrics-exporter - namespace: openshift-pipelines -spec: - replicas: 1 - selector: - matchLabels: - app: pipeline-metrics-exporter - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app: pipeline-metrics-exporter - spec: - containers: - - args: - - -pprof-address - - "6060" - image: quay.io/konflux-ci/pipeline-service-exporter:9d2439c8a77d2ce0527cc5aea3fc6561b7671b48 - name: pipeline-metrics-exporter - ports: - - containerPort: 9117 - name: metrics - resources: - limits: - cpu: 500m - memory: 8Gi - requests: - cpu: 250m - memory: 8Gi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - restartPolicy: Always - serviceAccountName: pipeline-service-exporter ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-api - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/version: devel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: tekton-results-api - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - --secure-listen-address=0.0.0.0:9443 - - --upstream=http://127.0.0.1:9090/ - - 
--logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 9443 - name: metrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - env: - - name: LOGS_API - value: "true" - - name: LOGS_TYPE - value: blob - - name: S3_HOSTNAME_IMMUTABLE - value: "true" - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: AWS_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: AWS_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - - name: LOGGING_PLUGIN_API_URL - valueFrom: - secretKeyRef: - key: s3_url - name: tekton-results-s3 - - name: DB_USER - valueFrom: - secretKeyRef: - key: db.user - name: tekton-results-database - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: tekton-results-database - - name: DB_HOST - valueFrom: - secretKeyRef: - key: db.host - name: tekton-results-database - - name: DB_NAME - valueFrom: - secretKeyRef: - key: db.name - name: tekton-results-database - image: quay.io/konflux-ci/tekton-results-api:99db802a56c3d62e823e162feee9811e55ed1f5b - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - name: api - readinessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 3000m - memory: 1Gi - requests: - cpu: 1000m - memory: 
500Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - mountPath: /etc/tls/db - name: db-tls-ca - readOnly: true - - mountPath: /etc/tekton/results - name: config - readOnly: true - - mountPath: /etc/tls - name: tls - readOnly: true - serviceAccountName: tekton-results-api - volumes: - - configMap: - name: rds-root-crt - name: db-tls-ca - - configMap: - name: tekton-results-api-config - name: config - - name: tls - secret: - secretName: tekton-results-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" - labels: - app.kubernetes.io/name: tekton-results-api-for-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-for-watcher - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-api-for-watcher - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-api-for-watcher - app.kubernetes.io/version: devel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: tekton-results-api-for-watcher - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - 
--secure-listen-address=0.0.0.0:9443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 9443 - name: metrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - env: - - name: LOGS_API - value: "true" - - name: LOGS_TYPE - value: blob - - name: S3_HOSTNAME_IMMUTABLE - value: "true" - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: AWS_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: AWS_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - - name: LOGGING_PLUGIN_API_URL - valueFrom: - secretKeyRef: - key: s3_url - name: tekton-results-s3 - - name: DB_USER - valueFrom: - secretKeyRef: - key: db.user - name: tekton-results-database - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: tekton-results-database - - name: DB_HOST - valueFrom: - secretKeyRef: - key: db.host - name: tekton-results-database - - name: DB_NAME - valueFrom: - secretKeyRef: - key: db.name - name: tekton-results-database - image: quay.io/konflux-ci/tekton-results-api:99db802a56c3d62e823e162feee9811e55ed1f5b - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - name: api - readinessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - 
resources: - limits: - cpu: 3000m - memory: 1Gi - requests: - cpu: 1000m - memory: 500Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - mountPath: /etc/tls/db - name: db-tls-ca - readOnly: true - - mountPath: /etc/tekton/results - name: config - readOnly: true - - mountPath: /etc/tls - name: tls - readOnly: true - serviceAccountName: tekton-results-api - volumes: - - configMap: - name: rds-root-crt - name: db-tls-ca - - configMap: - name: tekton-results-api-config - name: config - - name: tls - secret: - secretName: tekton-results-for-watcher-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-retention-policy-agent - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-retention-policy-agent - namespace: tekton-results -spec: - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-retention-policy-agent - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-retention-policy-agent - app.kubernetes.io/version: devel - spec: - containers: - - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: tekton-results-config-logging - - name: DB_USER - valueFrom: - secretKeyRef: - key: POSTGRES_USER - name: tekton-results-postgres - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: POSTGRES_PASSWORD - name: tekton-results-postgres - image: 
quay.io/konflux-ci/tekton-results-retention-policy-agent:99db802a56c3d62e823e162feee9811e55ed1f5b - name: retention-policy-agent - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /etc/tekton/results - name: config - readOnly: true - - mountPath: /etc/tls - name: tls - readOnly: true - serviceAccountName: tekton-results-watcher - volumes: - - configMap: - name: tekton-results-api-config - name: config - - name: tls - secret: - secretName: tekton-results-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/version: devel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: 
registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: watchermetrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - args: - - -api_addr - - tekton-results-api-service-for-watcher.tekton-results.svc.cluster.local:8080 - - -auth_mode - - token - - -check_owner=false - - -completed_run_grace_period=5m - - -requeue_interval=2m - - -store_deadline=240m - - -forward_buffer=1m - - -qps=50 - - -burst=50 - - -threadiness=32 - - -logs_api=true - - -disable_storing_incomplete_runs=true - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: tekton-results-config-logging - - name: CONFIG_LEADERELECTION_NAME - value: tekton-results-config-leader-election - - name: CONFIG_OBSERVABILITY_NAME - value: tekton-results-config-observability - - name: METRICS_DOMAIN - value: tekton.dev/results - - name: TEKTON_RESULTS_API_SERVICE - value: tekton-results-api-service-for-watcher.tekton-results.svc.cluster.local:8080 - - name: AUTH_MODE - value: token - - name: KUBERNETES_MIN_VERSION - value: v1.28.0 - image: quay.io/konflux-ci/tekton-results-watcher:99db802a56c3d62e823e162feee9811e55ed1f5b - name: watcher - ports: - - containerPort: 9090 - name: metrics - - containerPort: 8008 - name: profiling - resources: - limits: - cpu: 3000m - memory: 8Gi - requests: - cpu: 1000m - memory: 8Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /etc/tls - name: tls - readOnly: true - serviceAccountName: tekton-results-watcher - volumes: - - name: tls - secret: - 
secretName: tekton-results-for-watcher-tls ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: pipelines-as-code-secret - namespace: openshift-pipelines -spec: - dataFrom: - - extract: - key: production/platform/ansible/generated/pentest-p01/github-app - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Owner - deletionPolicy: Delete - name: pipelines-as-code-secret ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: tekton-chains-public-key - namespace: openshift-pipelines -spec: - data: - - remoteRef: - key: production/platform/ansible/generated/pentest-p01/chains-signing-secret - property: cosign.pub - secretKey: cosign.pub - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Orphan - name: public-key - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: Prune=false ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: tekton-chains-signing-secret - namespace: openshift-pipelines -spec: - dataFrom: - - extract: - key: production/platform/ansible/generated/pentest-p01/chains-signing-secret - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Orphan - name: signing-secrets - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: Prune=false ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - 
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: tekton-results-s3 - namespace: tekton-logging -spec: - dataFrom: - - extract: - key: production/platform/terraform/generated/pentest-p01/tekton-bucket - refreshInterval: 1h - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Owner - deletionPolicy: Delete - name: tekton-results-s3 - template: - data: - aws_access_key_id: '{{ .aws_access_key_id }}' - aws_region: '{{ .aws_region }}' - aws_secret_access_key: '{{ .aws_secret_access_key }}' - bucket: '{{ .bucket }}' - endpoint: https://{{ .endpoint }} - s3_url: s3://{{ .bucket }} ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: tekton-results-database - namespace: tekton-results -spec: - dataFrom: - - extract: - key: production/platform/terraform/generated/pentest-p01/plnsvc-database - refreshInterval: 1h - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Owner - deletionPolicy: Delete - name: tekton-results-database ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - name: tekton-results-s3 - namespace: tekton-results -spec: - dataFrom: - - extract: - key: production/platform/terraform/generated/pentest-p01/tekton-bucket - refreshInterval: 1h - secretStoreRef: - kind: ClusterSecretStore - name: appsre-stonesoup-vault - target: - creationPolicy: Owner - deletionPolicy: Delete - name: tekton-results-s3 - template: - data: - aws_access_key_id: '{{ .aws_access_key_id }}' - aws_region: '{{ .aws_region }}' - aws_secret_access_key: '{{ .aws_secret_access_key }}' - bucket: '{{ .bucket }}' - endpoint: https://{{ 
.endpoint }} - s3_url: s3://{{ .bucket }} ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: pipeline-service - namespace: openshift-pipelines -spec: - endpoints: - - honorLabels: true - interval: 15s - path: /metrics - port: metrics - scheme: http - jobLabel: app - namespaceSelector: - matchNames: - - openshift-pipelines - selector: - matchLabels: - app: pipeline-metrics-exporter ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" - name: tekton-chains-controller - namespace: openshift-pipelines -spec: - endpoints: - - honorLabels: true - interval: 15s - path: /metrics - port: metrics - scheme: http - jobLabel: app.kubernetes.io/name - namespaceSelector: - matchNames: - - openshift-pipelines - selector: - matchLabels: - app: tekton-chains-controller - app.kubernetes.io/component: metrics - app.kubernetes.io/part-of: tekton-chains - targetLabels: - - app - - app.kubernetes.io/component - - app.kubernetes.io/part-of ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-api - namespace: tekton-results -spec: - endpoints: - - bearerTokenSecret: - key: token - name: metrics-reader - path: /metrics - port: metrics - scheme: https - tlsConfig: - insecureSkipVerify: true - jobLabel: app - selector: - matchLabels: - app.kubernetes.io/component: api - app.kubernetes.io/part-of: tekton-results ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher - 
namespace: tekton-results -spec: - endpoints: - - bearerTokenSecret: - key: token - name: metrics-reader - path: /metrics - port: watchermetrics - scheme: https - tlsConfig: - insecureSkipVerify: true - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher ---- -apiVersion: operator.tekton.dev/v1alpha1 -kind: TektonConfig -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: config -spec: - chain: - artifacts.oci.storage: oci - artifacts.pipelinerun.enable-deep-inspection: "true" - artifacts.pipelinerun.format: in-toto - artifacts.pipelinerun.storage: oci - artifacts.taskrun.format: in-toto - artifacts.taskrun.storage: "" - options: - deployments: - tekton-chains-controller: - spec: - template: - spec: - containers: - - args: - - --threads-per-controller=32 - - --kube-api-qps=50 - - --kube-api-burst=50 - name: tekton-chains-controller - transparency.enabled: "false" - params: - - name: createRbacResource - value: "false" - - name: createCABundleConfigMaps - value: "false" - pipeline: - default-service-account: default - enable-api-fields: alpha - enable-bundles-resolver: true - enable-cluster-resolver: true - enable-git-resolver: true - enable-hub-resolver: true - enable-param-enum: true - enable-step-actions: true - metrics.pipelinerun.level: namespace - metrics.taskrun.level: namespace - options: - configMaps: - config-defaults: - data: - default-pod-template: | - nodeSelector: - konflux-ci.dev/workload: konflux-tenants - tolerations: - - key: konflux-ci.dev/workload - operator: "Equal" - value: "konflux-tenants" - effect: "NoSchedule" - default-timeout-minutes: "120" - config-leader-election-resolvers: - data: - buckets: "8" - config-logging: - data: - loglevel.controller: info - loglevel.webhook: info - zap-logger-config: | - { - "level": "info", - "development": false, - "sampling": { - "initial": 100, - "thereafter": 100 - }, - "outputPaths": ["stdout"], - 
"errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "string", - "callerEncoder": "" - } - } - deployments: - tekton-operator-proxy-webhook: - spec: - replicas: 2 - template: - spec: - containers: - - name: proxy - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 100m - memory: 100Mi - tekton-pipelines-webhook: - spec: - template: - spec: - containers: - - name: webhook - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 400m - memory: 1Gi - disabled: false - horizontalPodAutoscalers: - tekton-operator-proxy-webhook: - spec: - maxReplicas: 6 - metrics: - - resource: - name: cpu - target: - averageUtilization: 100 - type: Utilization - type: Resource - - resource: - name: memory - target: - averageUtilization: 100 - type: Utilization - type: Resource - minReplicas: 2 - tekton-pipelines-webhook: - spec: - maxReplicas: 6 - metrics: - - resource: - name: cpu - target: - averageUtilization: 100 - type: Utilization - type: Resource - - resource: - name: memory - target: - averageUtilization: 100 - type: Utilization - type: Resource - minReplicas: 6 - statefulSets: - tekton-pipelines-controller: - spec: - template: - spec: - containers: - - name: tekton-pipelines-controller - resources: - limits: - memory: 16Gi - requests: - cpu: "1" - memory: 16Gi - topologySpreadConstraints: - - labelSelector: - matchLabels: - app: tekton-pipelines-controller - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: DoNotSchedule - tekton-pipelines-remote-resolvers: - spec: - replicas: 4 - template: - spec: - containers: - - env: - - name: GIT_SSL_CAINFO - value: /tekton-custom-certs/ca-bundle.crt - name: controller - resources: - limits: - memory: 10Gi - requests: - cpu: 500m - 
memory: 10Gi - performance: - buckets: 4 - disable-ha: false - kube-api-burst: 50 - kube-api-qps: 50 - replicas: 4 - statefulset-ordinals: true - threads-per-controller: 32 - platforms: - openshift: - pipelinesAsCode: - enable: true - options: - deployments: - pipelines-as-code-watcher: - spec: - replicas: 2 - pipelines-as-code-webhook: - spec: - replicas: 2 - settings: - application-name: Konflux pentest-p01 - custom-console-name: Konflux pentest-p01 - custom-console-url: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com - custom-console-url-pr-details: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ - namespace }}/pipelinerun/{{ pr }} - custom-console-url-pr-tasklog: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ - namespace }}/pipelinerun/{{ pr }}/logs/{{ task }} - remember-ok-to-test: "false" - profile: all - pruner: - disabled: false - keep-since: 80 - resources: - - pipelinerun - schedule: '*/30 * * * *' - result: - disabled: true - targetNamespace: openshift-pipelines - tektonpruner: - disabled: true - trigger: - options: - configMaps: - config-logging-triggers: - data: - loglevel.controller: info - loglevel.eventlistener: info - loglevel.webhook: info - zap-logger-config: | - { - "level": "info", - "development": false, - "sampling": { - "initial": 100, - "thereafter": 100 - }, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "string", - "callerEncoder": "" - } - } ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: custom-operators - namespace: 
openshift-marketplace -spec: - displayName: custom-operators - image: quay.io/openshift-pipeline/pipelines-index-4.17@sha256:92bd402729a9985593a49ec87b658cda7639f0fbf46bfe71a75acf035012b78c - sourceType: grpc - updateStrategy: - registryPoll: - interval: 30m ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: openshift-pipelines-operator - namespace: openshift-operators -spec: - channel: pipelines-5.0 - config: - env: - - name: AUTOINSTALL_COMPONENTS - value: "false" - name: openshift-pipelines-operator-rh - source: custom-operators - sourceNamespace: openshift-marketplace ---- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - haproxy.router.openshift.io/hsts_header: max-age=63072000 - haproxy.router.openshift.io/timeout: 86410s - openshift.io/host.generated: "true" - router.openshift.io/haproxy.health.check.interval: 86400s - labels: - app.kubernetes.io/part-of: tekton-results - name: tekton-results - namespace: tekton-results -spec: - port: - targetPort: server - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - to: - kind: Service - name: tekton-results-api-service - weight: 100 - wildcardPolicy: None ---- -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: -- SETFCAP -apiVersion: security.openshift.io/v1 -defaultAddCapabilities: null -fsGroup: - type: MustRunAs -groups: -- system:cluster-admins -kind: SecurityContextConstraints -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: appstudio-pipelines-scc -priority: 10 
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- MKNOD
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: MustRunAs
-supplementalGroups:
- type: RunAsAny
-users: []
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret
diff --git a/components/pipeline-service/production/pentest-p01/kustomization.yaml b/components/pipeline-service/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index ee2da5d8eba..00000000000
--- a/components/pipeline-service/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - deploy.yaml
diff --git a/components/pipeline-service/production/pentest-p01/resources/kustomization.yaml b/components/pipeline-service/production/pentest-p01/resources/kustomization.yaml
deleted file mode 100644
index 59a7bc86ca6..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/kustomization.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../../base
- - scc-rbac.yaml
-patches:
- - path: tekton-chains-public-key-path.yaml
- target:
- name: tekton-chains-public-key
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: tekton-chains-signing-secret-path.yaml
- target:
- name: tekton-chains-signing-secret
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: tekton-results-database-secret-path.yaml
- target:
- name: tekton-results-database
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: tekton-results-s3-secret-path.yaml
- target:
- name: tekton-results-s3
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: pipelines-as-code-secret-path.yaml
- target:
- name: pipelines-as-code-secret
- group: external-secrets.io
- version: v1beta1
- kind: ExternalSecret
- - path: update-tekton-config-pac.yaml
- target:
- kind: TektonConfig
- name: config
diff --git a/components/pipeline-service/production/pentest-p01/resources/pipelines-as-code-secret-path.yaml b/components/pipeline-service/production/pentest-p01/resources/pipelines-as-code-secret-path.yaml
deleted file mode 100644
index 01bc7c23a62..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/pipelines-as-code-secret-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/ansible/generated/pentest-p01/github-app
diff --git a/components/pipeline-service/production/pentest-p01/resources/scc-rbac.yaml b/components/pipeline-service/production/pentest-p01/resources/scc-rbac.yaml
deleted file mode 100644
index 65c50beaaa8..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/scc-rbac.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tekton-pipelines-controller-konflux-scc
- annotations:
- argocd.argoproj.io/sync-wave: "0"
-subjects:
- - kind: ServiceAccount
- name: tekton-pipelines-controller
- namespace: openshift-pipelines
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: appstudio-pipelines-runner
diff --git a/components/pipeline-service/production/pentest-p01/resources/tekton-chains-public-key-path.yaml b/components/pipeline-service/production/pentest-p01/resources/tekton-chains-public-key-path.yaml
deleted file mode 100644
index 77f7549774e..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/tekton-chains-public-key-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/data/0/remoteRef/key
- value: production/platform/ansible/generated/pentest-p01/chains-signing-secret
diff --git a/components/pipeline-service/production/pentest-p01/resources/tekton-chains-signing-secret-path.yaml b/components/pipeline-service/production/pentest-p01/resources/tekton-chains-signing-secret-path.yaml
deleted file mode 100644
index c34a7195973..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/tekton-chains-signing-secret-path.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/ansible/generated/pentest-p01/chains-signing-secret
diff --git a/components/pipeline-service/production/pentest-p01/resources/tekton-results-database-secret-path.yaml b/components/pipeline-service/production/pentest-p01/resources/tekton-results-database-secret-path.yaml
deleted file mode 100644
index f65e357fd75..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/tekton-results-database-secret-path.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/terraform/generated/pentest-p01/plnsvc-database
-- op: replace
- path: /spec/secretStoreRef/name
- value: appsre-stonesoup-vault
diff --git a/components/pipeline-service/production/pentest-p01/resources/tekton-results-s3-secret-path.yaml b/components/pipeline-service/production/pentest-p01/resources/tekton-results-s3-secret-path.yaml
deleted file mode 100644
index 367f111c7a0..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/tekton-results-s3-secret-path.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- op: add
- path: /spec/dataFrom/0/extract/key
- value: production/platform/terraform/generated/pentest-p01/tekton-bucket
-- op: replace
- path: /spec/secretStoreRef/name
- value: appsre-stonesoup-vault
diff --git a/components/pipeline-service/production/pentest-p01/resources/update-tekton-config-pac.yaml b/components/pipeline-service/production/pentest-p01/resources/update-tekton-config-pac.yaml
deleted file mode 100644
index 927382a3cb2..00000000000
--- a/components/pipeline-service/production/pentest-p01/resources/update-tekton-config-pac.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- op: add
- path: /spec/platforms/openshift/pipelinesAsCode/settings
- value:
- application-name: Konflux pentest-p01
- custom-console-name: Konflux pentest-p01
- custom-console-url: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com
- custom-console-url-pr-details: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ namespace }}/pipelinerun/{{ pr }}
- custom-console-url-pr-tasklog: https://konflux-ui.apps.pentest-p01.xfj6.p1.openshiftapps.com/ns/{{ namespace }}/pipelinerun/{{ pr }}/logs/{{ task }}
- remember-ok-to-test: "false"
diff --git a/components/smee-client/production/pentest-p01/kustomization.yaml b/components/smee-client/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 977ed4c4a55..00000000000
--- a/components/smee-client/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../../base
-patches:
- - path: sever-url-patch.yaml
- target:
- name: gosmee-client
- kind: Deployment
diff --git a/components/smee-client/production/pentest-p01/sever-url-patch.yaml b/components/smee-client/production/pentest-p01/sever-url-patch.yaml
deleted file mode 100644
index 9efc35e95d4..00000000000
--- a/components/smee-client/production/pentest-p01/sever-url-patch.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- op: replace
- path: /spec/template/spec/containers/0/args/3
- value: "https://smee-smee.apps.rosa.kflux-c-prd-e01.yo5u.p3.openshiftapps.com/redhathookpentestp01"
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/kustomization.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index 8a676aa13a0..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-commonAnnotations:
- ignore-check.kube-linter.io/drop-net-raw-capability: |
- "Vector runs requires access to socket."
- ignore-check.kube-linter.io/run-as-non-root: |
- "Vector runs as Root and attach host Path."
- ignore-check.kube-linter.io/sensitive-host-mounts: |
- "Vector runs requires certain host mounts to watch files being created by pods."
- ignore-check.kube-linter.io/pdb-unhealthy-pod-eviction-policy: |
- "Managed by upstream Loki chart (no value exposed for unhealthyPodEvictionPolicy)."
-
-resources:
-- ../base
-
-generators:
-- vector-helm-generator.yaml
-- loki-helm-generator.yaml
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-generator.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-generator.yaml
deleted file mode 100644
index 375edff3703..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-generator.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: builtin
-kind: HelmChartInflationGenerator
-metadata:
- name: loki
-name: loki
-repo: https://grafana.github.io/helm-charts
-version: 6.30.1
-releaseName: loki
-namespace: product-kubearchive-logging
-valuesFile: loki-helm-values.yaml
-additionalValuesFiles:
- - loki-helm-prod-values.yaml
-valuesInline:
- # Cluster-specific overrides
- serviceAccount:
- create: true
- name: loki-sa
- annotations:
- eks.amazonaws.com/role-arn: 'arn:aws:iam::558441962910:role/pentest-p01-loki-storage-role'
- loki:
- storage:
- bucketNames:
- chunks: pentest-p01-loki-storage
- admin: pentest-p01-loki-storage
- storage_config:
- aws:
- bucketnames: pentest-p01-loki-storage
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-prod-values.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-prod-values.yaml
deleted file mode 100644
index 514907e621a..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-prod-values.yaml
+++ /dev/null
@@ -1,283 +0,0 @@
----
-global:
- extraArgs:
- - "-log.level=debug"
-
-autoscale: &autoscale
- autoscaling:
- enabled: true
- minReplicas: 1
- maxReplicas: 3
- targetCPUUtilizationPercentage: 75
- targetMemoryUtilizationPercentage: 85
- podDisruptionBudget:
- enabled: true
- minAvailable: 1
- behavior:
- enabled: true
- scaleDown:
- stabilizationWindowSeconds: 300
- policies:
- - type: Percent
- value: 10
- periodSeconds: 60
- selectPolicy: Min
- scaleUp:
- stabilizationWindowSeconds: 60
- policies:
- - type: Percent
- value: 50
- periodSeconds: 60
- - type: Pods
- value: 1
- periodSeconds: 60
- selectPolicy: Min
-
-gateway:
- service:
- type: LoadBalancer
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- memory: 256Mi
-
-# Basic Loki configuration with S3 storage
-loki:
- commonConfig:
- replication_factor: 3
- memberlist:
- join_members: []
- # How long to wait before reclaiming a dead node's tokens
- # Reduced to 2 minutes for development (faster cleanup with single replica)
- # This helps remove stale ring instances quickly when pods are restarted
- dead_node_reclaim_time: 2m
- # How often to gossip with other nodes (lower = faster detection of failures)
- # Keep at 2s for quick failure detection
- gossip_interval: 2s
- # How often to do full state sync with other nodes
- # Reduced for development to sync faster
- push_pull_interval: 5s
- # Number of random nodes to gossip with per interval
- # Set to 1 for development (only 1 ingester replica)
- gossip_nodes: 1
- # How long to continue gossiping to dead nodes (helps propagate death info)
- # Reduced for development to propagate death info faster
- gossip_to_dead_nodes_time: 10s
- # How long to wait for an ingester to gracefully leave before considering it dead
- # This should be longer than terminationGracePeriodSeconds to allow graceful shutdown
- # Reduced to 60s for development (faster cleanup)
- left_ingesters_timeout: 60s
- max_join_backoff: 1m
- max_join_retries: 10
- min_join_backoff: 1s
- rejoin_interval: 90s
- # Required storage configuration for Helm chart
- storage:
- type: s3
- # bucketNames: Fill it on the generator for each cluster
- s3:
- region: us-east-1
- storage_config:
- aws:
- # bucketnames: Fill it on the generator for each cluster
- region: us-east-1
- s3forcepathstyle: false
- # Configure ingestion limits to handle Vector's data volume
- limits_config:
- shard_streams:
- enabled: false
- retention_period: 744h # 31 days retention
- ingestion_rate_mb: 100
- ingestion_burst_size_mb: 300
- ingestion_rate_strategy: "local"
- max_streams_per_user: 0
- max_line_size: 2097152
- per_stream_rate_limit: 100M
- per_stream_rate_limit_burst: 400M
- reject_old_samples: false
- reject_old_samples_max_age: 168h
- discover_service_name: []
- discover_log_levels: false
- volume_enabled: true
- max_global_streams_per_user: 75000
- max_entries_limit_per_query: 100000
- increment_duplicate_timestamp: true
- allow_structured_metadata: true
- runtimeConfig:
- configs:
- kubearchive:
- log_push_request: true
- log_push_request_streams: true
- log_stream_creation: false
- log_duplicate_stream_info: true
- ingester:
- autoforget_unhealthy: true
- chunk_target_size: 8388608 # 8MB
- chunk_idle_period: 5m
- max_chunk_age: 2h
- chunk_encoding: snappy # Compress data (reduces S3 transfer size)
- chunk_retain_period: 1h # Keep chunks in memory after flush
- flush_op_timeout: 10m # Add timeout for S3 operations
- server:
- grpc_server_max_recv_msg_size: 15728640 # 15MB
- grpc_server_max_send_msg_size: 15728640
- ingester_client:
- grpc_client_config:
- max_recv_msg_size: 15728640 # 15MB
- max_send_msg_size: 15728640 # 15MB
- query_scheduler:
- grpc_client_config:
- max_recv_msg_size: 15728640 # 15MB
- max_send_msg_size: 15728640 # 15MB
- # Tuning for high-load queries
- querier:
- max_concurrent: 8
- query_range:
- # split_queries_by_interval deprecated in Loki 3.x - removed
- parallelise_shardable_queries: false
-
-# Distributed components configuration
-ingester:
- replicas: 3
- autoscaling:
- enabled: true
- <<: *autoscale
- zoneAwareReplication:
- enabled: true
- maxUnavailable: 1
- resources:
- requests:
- cpu: 500m
- memory: 1Gi
- limits:
- cpu: 2000m
- memory: 2Gi
- persistence:
- enabled: true
- size: 10Gi
- affinity: {}
- podAntiAffinity:
- soft: {}
- hard: {}
-
-querier:
- replicas: 3
- autoscaling:
- enabled: true
- maxUnavailable: 1
- resources:
- requests:
- cpu: 300m
- memory: 512Mi
- limits:
- memory: 1Gi
- affinity: {}
-
-queryFrontend:
- replicas: 2
- maxUnavailable: 1
- resources:
- requests:
- cpu: 200m
- memory: 256Mi
- limits:
- memory: 512Mi
-
-queryScheduler:
- replicas: 2
- maxUnavailable: 1
- resources:
- requests:
- cpu: 200m
- memory: 256Mi
- limits:
- memory: 512Mi
-
-distributor:
- replicas: 5
- autoscaling:
- enabled: true
- minReplicas: 5
- maxReplicas: 10
- targetCPUUtilizationPercentage: 70
- maxUnavailable: 1
- resources:
- requests:
- cpu: 500m
- memory: 1Gi
- limits:
- memory: 2Gi
- affinity: {}
-
-compactor:
- replicas: 1
- retention_enabled: true
- retention_delete_delay: 2h
- retention_delete_worker_count: 150
- resources:
- requests:
- cpu: 200m
- memory: 512Mi
- limits:
- memory: 1Gi
-
-indexGateway:
- replicas: 2
- maxUnavailable: 0
- resources:
- requests:
- cpu: 300m
- memory: 512Mi
- limits:
- memory: 1Gi
- affinity: {}
-
-# Enable Memcached caches for performance
-chunksCache:
- enabled: true
- replicas: 1
- maxItemMemory: 10 # MB
-
-resultsCache:
- enabled: true
- replicas: 1
- maxItemMemory: 10 # MB
-
-memcached:
- enabled: true
- maxItemMemory: 10 # MB
-
-memcachedResults:
- enabled: true
- maxItemMemory: 10 # MB
-
-memcachedChunks:
- enabled: true
- maxItemMemory: 10 # MB
-
-memcachedFrontend:
- enabled: true
- maxItemMemory: 10 # MB
-
-memcachedIndexQueries:
- enabled: true
- maxItemMemory: 10 # MB
-
-memcachedIndexWrites:
- enabled: true
- maxItemMemory: 10 # MB
-
-# Disable Minio
-minio:
- enabled: false
-
-# Resources for memcached exporter to satisfy linter
-memcachedExporter:
- resources:
- requests:
- cpu: 50m
- memory: 64Mi
- limits:
- memory: 128Mi
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-values.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-values.yaml
deleted file mode 100644
index 4f6ff72bec7..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/loki-helm-values.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
----
-# simplified Loki configuration for staging
-deploymentMode: Distributed
-
- # This exposes the Loki gateway so it can be written to and queried externally
-gateway:
- image:
- registry: quay.io # Use Quay.io registry to prevent docker hub rate limit
- repository: nginx/nginx-unprivileged
- tag: 1.24-alpine
- nginxConfig:
- resolver: "dns-default.openshift-dns.svc.cluster.local."
-
-# Basic Loki configuration
-loki:
- # Enable multi-tenancy to handle X-Scope-OrgID headers
- auth_enabled: true
- commonConfig:
- path_prefix: /var/loki # This directory will be writable via volume mount
- storage:
- type: s3
- schemaConfig:
- configs:
- - from: "2024-04-01"
- store: tsdb
- object_store: s3
- schema: v13
- index:
- prefix: loki_index_
- period: 24h
- # Configure compactor to use writable volumes
- compactor:
- working_directory: /var/loki/compactor
-
-# Security contexts for OpenShift
-podSecurityContext:
- runAsNonRoot: false
- allowPrivilegeEscalation: false
-
-containerSecurityContext:
- runAsNonRoot: false
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true # Keep read-only root filesystem for security
-
-# Disable test pods
-test:
- enabled: false
-
-# Disable sidecar completely to avoid loki-sc-rules container
-sidecar:
- rules:
- enabled: false
- datasources:
- enabled: false
-
-# Zero out replica counts of other deployment modes
-
-singleBinary:
- replicas: 0
-backend:
- replicas: 0
-read:
- replicas: 0
-write:
- replicas: 0
-
-bloomPlanner:
- replicas: 0
-bloomBuilder:
- replicas: 0
-bloomGateway:
- replicas: 0
-
-# Disable lokiCanary - not essential for core functionality
-lokiCanary:
- enabled: false
-
-# Disable the ruler - not needed as we aren't using metrics
-ruler:
- enabled: false
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-generator.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-generator.yaml
deleted file mode 100644
index fd1d1d4e3b9..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-generator.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: builtin
-kind: HelmChartInflationGenerator
-metadata:
- name: vector
-name: vector
-repo: https://helm.vector.dev
-version: 0.43.0
-releaseName: vector
-namespace: product-kubearchive-logging
-valuesFile: vector-helm-values.yaml
-additionalValuesFiles:
- - vector-helm-prod-values.yaml
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-prod-values.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-prod-values.yaml
deleted file mode 100644
index d6698dada2e..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-prod-values.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-resources:
- requests:
- cpu: 512m
- memory: 4096Mi
- limits:
- cpu: 2000m
- memory: 4096Mi
-
-customConfig:
- sources:
- k8s_logs:
- extra_label_selector: "app.kubernetes.io/managed-by in (tekton-pipelines,pipelinesascode.tekton.dev)"
- extra_field_selector: "metadata.namespace!=product-kubearchive-logging"
-
-podLabels:
- vector.dev/exclude: "false"
diff --git a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-values.yaml b/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-values.yaml
deleted file mode 100644
index 4f4a655f1f7..00000000000
--- a/components/vector-kubearchive-log-collector/production/pentest-p01/vector-helm-values.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
----
-role: Agent
-
-customConfig:
- data_dir: /vector-data-dir
- api:
- enabled: true
- address: 127.0.0.1:8686
- playground: false
- sources:
- k8s_logs:
- type: kubernetes_logs
- rotate_wait_secs: 5
- glob_minimum_cooldown_ms: 500
- max_line_bytes: 3145728
- auto_partial_merge: true
- transforms:
- reduce_events:
- type: reduce
- inputs:
- - k8s_logs
- group_by:
- - file
- max_events: 100
- expire_after_ms: 10000
- merge_strategies:
- message: concat_newline
- remap_app_logs:
- type: remap
- inputs:
- - reduce_events
- source: |-
- .tmp = del(.)
- # Preserve original kubernetes fields for Loki labels
- if exists(.tmp.kubernetes.pod_uid) {
- .pod_id = del(.tmp.kubernetes.pod_uid)
- } else {
- .pod_id = "unknown_pod_id"
- }
- if exists(.tmp.kubernetes.container_name) {
- .container = del(.tmp.kubernetes.container_name)
- } else {
- .container = "unknown_container"
- }
- # Extract namespace for low cardinality labeling
- if exists(.tmp.kubernetes.pod_namespace) {
- .namespace = del(.tmp.kubernetes.pod_namespace)
- } else {
- .namespace = "unknown_namespace"
- }
- # Preserve the actual log message
- if exists(.tmp.message) {
- .message = to_string(del(.tmp.message)) ?? "no_message"
- } else {
- .message = "no_message"
- }
- if length(.message) > 1048576 {
- .message = slice!(.message, 0, 1048576) + "...[TRUNCATED]"
- }
- # Clean up temporary fields
- del(.tmp)
- sinks:
- loki:
- type: loki
- inputs: ["remap_app_logs"]
- # Send to Loki gateway
- endpoint: "http://loki-gateway.product-kubearchive-logging.svc.cluster.local:80"
- encoding:
- codec: "text"
- except_fields: ["tmp"]
- only_fields:
- - message
- structured_metadata:
- pod_id: "{{`{{ pod_id }}`}}"
- container: "{{`{{ container }}`}}"
- auth:
- strategy: "basic"
- user: "${LOKI_USERNAME}"
- password: "${LOKI_PASSWORD}"
- tenant_id: "kubearchive"
- request:
- headers:
- X-Scope-OrgID: kubearchive
- timeout_secs: 60
- batch:
- max_bytes: 10485760 # 10MB batches
- max_events: 10000
- timeout_secs: 30
- compression: "gzip"
- labels:
- stream: "{{`{{ namespace }}`}}"
- buffer:
- type: "memory"
- max_events: 10000
- when_full: "drop_newest"
-env:
- - name: LOKI_USERNAME
- valueFrom:
- secretKeyRef:
- name: kubearchive-loki
- key: USERNAME
- - name: LOKI_PASSWORD
- valueFrom:
- secretKeyRef:
- name: kubearchive-loki
- key: PASSWORD
-nodeSelector:
- konflux-ci.dev/workload: konflux-tenants
-tolerations:
- - effect: NoSchedule
- key: konflux-ci.dev/workload
- operator: Equal
- value: konflux-tenants
-image:
- repository: quay.io/kubearchive/vector
- tag: 0.46.1-distroless-libc
-serviceAccount:
- create: true
- name: vector
-securityContext:
- allowPrivilegeEscalation: false
- runAsUser: 0
- capabilities:
- drop:
- - CHOWN
- - DAC_OVERRIDE
- - FOWNER
- - FSETID
- - KILL
- - NET_BIND_SERVICE
- - SETGID
- - SETPCAP
- - SETUID
- readOnlyRootFilesystem: true
- seLinuxOptions:
- type: spc_t
- seccompProfile:
- type: RuntimeDefault
-
-# Override default volumes to be more specific and secure
-extraVolumes:
- - name: varlog
- hostPath:
- path: /var/log/pods
- type: Directory
- - name: varlibdockercontainers
- hostPath:
- path: /var/lib/containers
- type: DirectoryOrCreate
-
-extraVolumeMounts:
- - name: varlog
- mountPath: /var/log/pods
- readOnly: true
- - name: varlibdockercontainers
- mountPath: /var/lib/containers
- readOnly: true
-
-# Configure Vector to use emptyDir for its default data volume instead of hostPath
-persistence:
- enabled: false
diff --git a/configs/etcd-defrag/production/pentest-p01/kustomization.yaml b/configs/etcd-defrag/production/pentest-p01/kustomization.yaml
deleted file mode 100644
index bdf7ce4f415..00000000000
--- a/configs/etcd-defrag/production/pentest-p01/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base