A Carvel package for Tekton Pipelines, a cloud-native solution for building CI/CD systems.
-
Kubernetes 1.28+
-
Carvel
kctrlCLI. -
Carvel kapp-controller deployed in your Kubernetes cluster. You can install it with Carvel
kapp(recommended choice) orkubectl.kapp deploy -a kapp-controller -y \ -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml
Add the Kadras package repository to your Kubernetes cluster:
kctrl package repository add -r kadras-packages \
--url ghcr.io/kadras-io/kadras-packages \
-n kadras-system --create-namespaceInstallation without package repository
The recommended way of installing the Tekton Pipelines package is via the Kadras package repository. If you prefer not using the repository, you can add the package definition directly usingkapp or kubectl.
kubectl create namespace kadras-system
kapp deploy -a tekton-pipelines-package -n kadras-system -y \
-f https://github.com/kadras-io/package-for-tekton-pipelines/releases/latest/download/metadata.yml \
-f https://github.com/kadras-io/package-for-tekton-pipelines/releases/latest/download/package.ymlInstall the Tekton Pipelines package:
kctrl package install -i tekton-pipelines \
-p tekton-pipelines.packages.kadras.io \
-v ${VERSION} \
-n kadras-systemNote You can find the
${VERSION}value by retrieving the list of package versions available in the Kadras package repository installed on your cluster.kctrl package available list -p tekton-pipelines.packages.kadras.io -n kadras-system
Verify the installed packages and their status:
kctrl package installed list -n kadras-systemDocumentation, tutorials and examples for this package are available in the docs folder. For documentation specific to Tekton Pipelines, check out tekton.dev.
The Tekton Pipelines package can be customized via a values.yml file.
controllers:
pipelines:
replicas: 3Reference the values.yml file from the kctrl command when installing or upgrading the package.
kctrl package install -i tekton-pipelines \
-p tekton-pipelines.packages.kadras.io \
-v ${VERSION} \
-n kadras-system \
--values-file values.ymlThe Tekton Pipelines package has the following configurable properties.
Configurable properties
| Config | Default | Description |
|---|---|---|
ca_cert_data |
"" |
PEM-encoded certificate data to trust TLS connections with a custom CA. |
policies.include |
false |
Whether to include the out-of-the-box Kyverno policies to validate and secure the package installation. |
controllers.pipelines.replicas |
1 |
The number of replicas for the tekton-pipelines-controller Deployment. In order to enable high availability, it should be greater than 1. |
controllers.resolvers.replicas |
1 |
The number of replicas for the tekton-pipelines-remote-resolvers Deployment. In order to enable high availability, it should be greater than 1. |
controllers.resolvers.artifact_hub_url |
https://artifacthub.io/ |
The Artifact Hub API used by the Hub Resolver to resolve remote pipelines and tasks. |
controllers.resolvers.tekton_hub_url |
https://api.hub.tekton.dev/ |
The Tekton Hub API used by the Hub Resolver to resolve remote pipelines and tasks. |
webhook.minReplicas |
1 |
The minimum number of replicas as controlled by a HorizontalPodAutoscaler. In order to enable high availability, it should be greater than 1. |
opentelemetry.exporter.jaeger.username |
"" |
The username to access the distributed tracing backend. Optional. |
opentelemetry.exporter.jaeger.password |
"" |
The password/token to authenticate with the distributed tracing backend. Optional. |
Default configuration stored in the config-defaults ConfigMap.
| Config | Default | Description |
|---|---|---|
config-defaults.default-timeout-minutes |
60 |
Number of minutes to use for TaskRun and PipelineRun, if none is specified. |
config-defaults.default-service-account |
default |
Service account name to use for TaskRun and PipelineRun, if none is specified. |
config-defaults.default-managed-by-label-value |
tekton-pipelines |
Value given to the app.kubernetes.io/managed-by label applied to all Pods created for TaskRuns. |
config-defaults.default-pod-template |
"" |
Pod template to use for TaskRun and PipelineRun. |
config-defaults.default-affinity-assistant-pod-template |
"" |
Pod template to use for affinity assistant Pods. |
config-defaults.default-task-run-workspace-binding |
emptyDir: {} |
Workspace configuration provided for any Workspaces that a Task declares but that a TaskRun does not explicitly provide. |
config-defaults.default-max-matrix-combinations-count |
256 |
Maximum number of combinations from a Matrix, if none is specified. |
config-defaults.default-forbidden-env |
"" |
Comma seperated environment variables that cannot be overridden by PodTemplate. |
config-defaults.default-resolver-type |
"" |
The default resolver type to be used in the cluster. |
config-defaults.default-imagepullbackoff-timeout |
5m |
The default duration to wait before requeuing the TaskRun to retry, specifying 0 here is equivalent to fail fast. Possible values could be 1m, 5m, 10s, 1h, etc. |
Events configuration stored in the config-events ConfigMap.
| Config | Default | Description |
|---|---|---|
config-events.sink |
"" |
CloudEvents sink to be used for TaskRun, PipelineRun, and CustomRun. If no sink is specified, no CloudEvent is generated. |
Leader election configuration stored in the config-leader-election-controller ConfigMap.
| Config | Default | Description |
|---|---|---|
config-leader-election-controller.lease-duration |
60s |
How long non-leaders will wait to try to acquire the lock; 15 seconds is the value used by core Kubernetes controllers. |
config-leader-election-controller.renew-deadline |
40s |
How long a leader will try to renew the lease before giving up; 10 seconds is the value used by core Kubernetes controllers. |
config-leader-election-controller.retry-period |
10s |
How long the leader election client waits between tries of actions; 2 seconds is the value used by core Kubernetes controllers. |
config-leader-election-controller.buckets |
1 |
Yhe number of buckets used to partition key space of each Reconciler. If this number is M and the replica number of the controller is N, the N replicas will compete for the M buckets. The owner of a bucket will take care of the reconciling for the keys partitioned into that bucket. The maximum value of at this time is 10. |
Leader election configuration stored in the config-leader-election-events ConfigMap.
| Config | Default | Description |
|---|---|---|
config-leader-election-events.lease-duration |
60s |
How long non-leaders will wait to try to acquire the lock; 15 seconds is the value used by core Kubernetes controllers. |
config-leader-election-events.renew-deadline |
40s |
How long a leader will try to renew the lease before giving up; 10 seconds is the value used by core Kubernetes controllers. |
config-leader-election-events.retry-period |
10s |
How long the leader election client waits between tries of actions; 2 seconds is the value used by core Kubernetes controllers. |
config-leader-election-events.buckets |
1 |
Yhe number of buckets used to partition key space of each Reconciler. If this number is M and the replica number of the controller is N, the N replicas will compete for the M buckets. The owner of a bucket will take care of the reconciling for the keys partitioned into that bucket. The maximum value of at this time is 10. |
Leader election configuration stored in the config-leader-election-webhook ConfigMap.
| Config | Default | Description |
|---|---|---|
config-leader-election-webhook.lease-duration |
60s |
How long non-leaders will wait to try to acquire the lock; 15 seconds is the value used by core Kubernetes controllers. |
config-leader-election-webhook.renew-deadline |
40s |
How long a leader will try to renew the lease before giving up; 10 seconds is the value used by core Kubernetes controllers. |
config-leader-election-webhook.retry-period |
10s |
How long the leader election client waits between tries of actions; 2 seconds is the value used by core Kubernetes controllers. |
config-leader-election-webhook.buckets |
1 |
Yhe number of buckets used to partition key space of each Reconciler. If this number is M and the replica number of the controller is N, the N replicas will compete for the M buckets. The owner of a bucket will take care of the reconciling for the keys partitioned into that bucket. The maximum value of at this time is 10. |
Leader election configuration stored in the config-leader-election-resolvers ConfigMap.
| Config | Default | Description |
|---|---|---|
config-leader-election-resolvers.lease-duration |
60s |
How long non-leaders will wait to try to acquire the lock; 15 seconds is the value used by core Kubernetes controllers. |
config-leader-election-resolvers.renew-deadline |
40s |
How long a leader will try to renew the lease before giving up; 10 seconds is the value used by core Kubernetes controllers. |
config-leader-election-resolvers.retry-period |
10s |
How long the leader election client waits between tries of actions; 2 seconds is the value used by core Kubernetes controllers. |
config-leader-election-resolvers.buckets |
1 |
Yhe number of buckets used to partition key space of each Reconciler. If this number is M and the replica number of the controller is N, the N replicas will compete for the M buckets. The owner of a bucket will take care of the reconciling for the keys partitioned into that bucket. The maximum value of at this time is 10. |
Logging configuration stored in the config-logging ConfigMaps.
| Config | Default | Description |
|---|---|---|
config-logging.zap-logger-config |
"" |
Configuration for the zap logger used by all Tekton containers. |
config-logging.loglevel.controller |
info |
Log level for the tekton-pipelines-controller and tekton-pipelines-resolvers Deployments. |
config-logging.loglevel.webhook |
info |
Log level for the tekton-pipelines-webhook Deployment. |
Observability configuration stored in the config-observability ConfigMaps.
| Config | Default | Description |
|---|---|---|
config-observability.metrics.backend-destination |
prometheus |
The system metrics destination. Supported values: prometheus, stackdriver. |
config-observability.metrics.stackdriver-project-id |
"" |
The Stackdriver project ID. When running on GCE, application default credentials will be used and metrics will be sent to the cluster's project if this field is not provided. |
config-observability.metrics.allow-stackdriver-custom-metrics |
false |
Whether it is allowed to send metrics to Stackdriver using 'global' resource type and custom metric type. Ignore if backend_destination is not stackdriver. |
config-observability.metrics.taskrun.level |
task |
Level for the TaskRun metrics controlling which labels are included: (taskrun, task, namespace), (task, namespace), (namespace). Supported values: taskrun, task, namespace. |
config-observability.metrics.taskrun.duration-type |
histogram |
Duration type for the TaskRun metrics. Histogram value isnโt available when the taskrun level is selected. Supported values: histogram, lastvalue. |
config-observability.metrics.pipelinerun.level |
pipeline |
Level for the PipelineRun metrics controlling which labels are included: (pipelinerun, pipeline, namespace), (pipeline, namespace), (namespace). Supported values: pipelinerun, pipeline, namespace. |
config-observability.metrics.pipelinerun.duration-type |
histogram |
Duration type for the PipelineRun metrics. Histogram value isnโt available when the pipelinerun level is selected. Supported values: histogram, lastvalue. |
config-observability.metrics.count.enable-reason |
false |
Whether to include the reason as part of the count metrics for failed PipelineRuns and TaskRuns. |
Tracing configuration stored in the config-tracing ConfigMaps.
| Config | Default | Description |
|---|---|---|
config-tracing.enabled |
false |
Enable sending traces to defined endpoint by setting this to true. |
config-tracing.endpoint |
"" |
The endpoint where the distributed tracing backend accepts OpenTelemetry traces using the Jaeger protocol. |
Feature flags configuration stored in the feature-flags ConfigMap.
| Config | Default | Description |
|---|---|---|
feature-flags.coschedule |
workspaces |
Setting this flag will determine how PipelineRun Pods are scheduled with Affinity Assistant. Options: workspaces, pipelineruns, isolate-pipelinerun, disabled. |
feature-flags.disable-creds-init |
false |
Setting this flag to true will prevent Tekton scanning attached service accounts and injecting any credentials it finds into your Steps. |
feature-flags.await-sidecar-readiness |
true |
Setting this flag to false will stop Tekton from waiting for a TaskRun's sidecar containers to be running before starting the first step. This will allow Tasks to be run in environments that don't support the DownwardAPI volume type, but may lead to unintended behaviour if sidecars are used. |
feature-flags.running-in-environment-with-injected-sidecars |
true |
This option should be set to false when Pipelines is running in a cluster that does not use injected sidecars such as Istio. Setting it to false should decrease the time it takes for a TaskRun to start running. For clusters that use injected sidecars, setting this option to false can lead to unexpected behavior. |
feature-flags.require-git-ssh-secret-known-hosts |
true |
Setting this flag to true will require that any Git SSH Secret offered to Tekton must have known_hosts included. |
feature-flags.enable-tekton-oci-bundles |
false |
Setting this flag to true enables the use of Tekton OCI bundle. This is an experimental feature and thus should still be considered an alpha feature. |
feature-flags.enable-api-fields |
beta |
Setting this flag will determine which gated features are enabled. Support values: stable, beta, alpha. |
feature-flags.send-cloudevents-for-runs |
false |
Setting this flag to true enables CloudEvents for CustomRuns and Runs, as long as a CloudEvents sink is configured in the config-defaults ConfigMap. |
feature-flags.trusted-resources-verification-no-match-policy |
ignore |
This flag affects the behavior of taskruns and pipelineruns in cases where no VerificationPolicies match them. If it is set to fail, TaskRuns and PipelineRuns will fail verification if no matching policies are found. If it is set to warn, TaskRuns and PipelineRuns will run to completion if no matching policies are found, and an error will be logged. If it is set to ignore, TaskRuns and PipelineRuns will run to completion if no matching policies are found, and no error will be logged. |
feature-flags.enable-provenance-in-status |
true |
Setting this flag to true enables populating the provenance field in TaskRun and PipelineRun status. This field contains metadata about resources used in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline definition was fetched. |
feature-flags.enforce-nonfalsifiability |
none |
Setting this flag will determine how Tekton Pipelines will handle non-falsifiable provenance. If set to spire, then SPIRE will be used to ensure non-falsifiable provenance. If set to none, then Tekton will not have non-falsifiable provenance. This is an experimental feature and thus should still be considered an alpha feature. |
feature-flags.results-from |
termination-message |
Setting this flag will determine how Tekton pipelines will handle extracting results from the task. Acceptable values are termination-message or sidecar-logs. sidecar-logs is an experimental feature and thus should still be considered an alpha feature. |
feature-flags.max-result-size |
4096 |
Setting this flag will determine the upper limit of each task result. This flag is optional and only associated with the previous flag, results-from. When results-from is set to sidecar-logs, this flag can be used to configure the upper limit of a task result. |
feature-flags.set-security-context |
false |
Setting this flag to true will limit privileges for containers injected by Tekton into TaskRuns. This allows TaskRuns to run in namespaces with restricted pod security standards. Not all Kubernetes implementations support this option. |
feature-flags.keep-pod-on-cancel |
false |
Setting this flag to true will keep pod on cancellation allowing examination of the logs on the pods from cancelled taskruns. |
feature-flags.enable-cel-in-whenexpression |
false |
Setting this flag to true will enable the CEL evaluation in WhenExpression. |
feature-flags.enable-step-actions |
false |
Setting this flag to true will enable the use of StepActions in Steps. This feature is in preview mode and not implemented yet. Please check #7259 for updates. |
Configuration for the bundle resolver stored in the bundleresolver-config ConfigMap.
| Config | Default | Description |
|---|---|---|
resolvers.bundleresolver-config.default-service-account |
default |
The default name of the service account to use when constructing registry credentials. |
resolvers.bundleresolver-config.default-kind |
task |
The default resource kind to pull out of the bundle. Supported values: pipeline, task. |
Configuration for the cluster resolver stored in the cluster-resolver-config ConfigMap.
| Config | Default | Description |
|---|---|---|
resolvers.cluster-resolver-config.default-kind |
task |
The default resource kind to fetch. Supported values: pipeline, task. |
resolvers.cluster-resolver-config.default-namespace |
"" |
The default namespace to fetch resources from. |
resolvers.cluster-resolver-config.allowed-namespaces |
"" |
A comma-separated list of namespaces which the resolver is allowed to access. Defaults to empty, meaning all namespaces are allowed. |
resolvers.cluster-resolver-config.blocked-namespaces |
"" |
A comma-separated list of namespaces which the resolver is blocked from accessing. Defaults to empty, meaning all namespaces are allowed. |
Configuration for the git resolver stored in the git-resolver-config ConfigMap.
| Config | Default | Description |
|---|---|---|
resolvers.git-resolver-config.fetch-timeout |
1m |
The maximum amount of time a single anonymous cloning resolution may take. |
resolvers.git-resolver-config.default-url |
https://github.com/tektoncd/catalog.git |
The git url to fetch the remote resource from when using anonymous cloning. |
resolvers.git-resolver-config.default-revision |
main |
The git revision to fetch the remote resource from with either anonymous cloning or the authenticated API. |
resolvers.git-resolver-config.scm-type |
github |
The SCM type to use with the authenticated API. Supported values: github, gitlab, gitea, bitbucketserver, bitbucketcloud. |
resolvers.git-resolver-config.server-url |
"" |
The SCM server URL to use with the authenticated API. Not needed when using github.com, gitlab.com, or BitBucket Cloud. |
resolvers.git-resolver-config.api-token-secret-name |
"" |
The Kubernetes secret containing the API token for the SCM provider. Required when using the authenticated API. |
resolvers.git-resolver-config.api-token-secret-key |
"" |
The key in the API token secret containing the actual token. Required when using the authenticated API. |
resolvers.git-resolver-config.api-token-secret-namespace |
default |
The namespace containing the API token secret. |
resolvers.git-resolver-config.default-org |
"" |
The default organization to look for repositories under when using the authenticated API. |
Configuration for the hub resolver stored in the hubresolver-config ConfigMap.
| Config | Default | Description |
|---|---|---|
resolvers.hubresolver-config.default-tekton-hub-catalog |
Tekton |
The default Tekton Hub catalog from where to pull the resource. |
resolvers.hubresolver-config.default-artifact-hub-task-catalog |
tekton-catalog-tasks |
The default Artifact Hub Task catalog from where to pull the resource. |
resolvers.hubresolver-config.default-artifact-hub-pipeline-catalog |
tekton-catalog-pipelines |
The default Artifact Hub Pipeline catalog from where to pull the resource. |
resolvers.hubresolver-config.default-kind |
task |
The default resource kind to fetch. Supported values: pipeline, task. |
resolvers.hubresolver-config.default-type |
artifact |
The default hub from where to pull the resource. Supported values: artifact, tekton. |
Feature flags configuration stored in the resolvers-feature-flags ConfigMap.
| Config | Default | Description |
|---|---|---|
resolvers.resolvers-feature-flags.enable-bundles-resolver |
true |
Setting this flag to true enables remote resolution of Tekton OCI bundles. |
resolvers.resolvers-feature-flags.enable-hub-resolver |
true |
Setting this flag to true enables remote resolution of tasks and pipelines via the Tekton Hub. |
resolvers.resolvers-feature-flags.enable-git-resolver |
true |
Setting this flag to true enables remote resolution of tasks and pipelines from Git repositories. |
resolvers.resolvers-feature-flags.enable-cluster-resolver |
true |
Setting this flag to true enables remote resolution of tasks and pipelines from other namespaces within the cluster. |
The security process for reporting vulnerabilities is described in SECURITY.md.
This project is licensed under the Apache License 2.0. See LICENSE for more information.