fix(triggers): updates tekton triggers chart

This patch updates the tekton trigger charts to:

1. align with the latest upstream manifests where resources between the
   webhook and the controller are now separated out;
2. add liveness and readiness probes to the webhook deployment;
3. changed the naming convention of the files to be:
   <k8s resource>-<name separated by _>.yaml for easier identification.

Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I8adac3f4882b8ad38bfe57d5873f36c86aa7f0a0

charts/tekton-triggers/templates/clusterrole-admin.yaml

@@ -1,4 +1,4 @@
-{{- define "clusterrole_admin-triggers" -}}
+{{- define "clusterrole-admin" -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -93,4 +93,4 @@ rules:
       - watch
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_admin-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-admin" ) }}

charts/tekton-triggers/templates/clusterrole-aggregate_edit.yaml

@@ -1,4 +1,4 @@
-{{- define "clusterrole_aggregate_edit-triggers" -}}
+{{- define "clusterrole-aggregate_edit" -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -27,4 +27,4 @@ rules:
       - watch
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_aggregate_edit-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-aggregate_edit" ) }}

charts/tekton-triggers/templates/clusterrole-aggregate_view.yaml

@@ -1,4 +1,4 @@
-{{- define "clusterrole_aggregate_view-triggers" -}}
+{{- define "clusterrole-aggregate_view" -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -21,4 +21,4 @@ rules:
       - watch
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole_aggregate_view-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-aggregate_view" ) }}

charts/tekton-triggers/templates/clusterrolebinding-controller_admin.yaml

@@ -1,4 +1,4 @@
-{{- define "clusterrolebinding_controller-triggers" -}}
+{{- define "clusterrolebinding-controller_admin" -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -15,4 +15,4 @@ subjects:
     namespace: {{ $.Release.Namespace }}
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding_controller-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding-controller_admin" ) }}

charts/tekton-triggers/templates/clusterrolebinding-webhook_admin.yaml

@@ -0,0 +1,18 @@
+{{- define "clusterrolebinding-webhook_admin" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }}
+  name: tekton-triggers-webhook-admin
+roleRef:
+  kind: ClusterRole
+  name: tekton-triggers-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: {{ $.Release.Namespace }}
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrolebinding-webhook_admin" ) }}

charts/tekton-triggers/templates/config-logging.yaml

@@ -1,4 +1,4 @@
-{{- define "config_logging-triggers" -}}
+{{- define "config-logging" -}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -12,4 +12,4 @@ data:
   loglevel.eventlistener: {{ $.Values.config.loglevel.eventlistener | quote }}
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_logging-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-logging" ) }}

charts/tekton-triggers/templates/config-observability.yaml

@@ -1,4 +1,4 @@
-{{- define "config_observability-triggers" -}}
+{{- define "config-observability" -}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -7,4 +7,4 @@ metadata:
 data:
 {{- $.Values.configobservability | toYaml | nindent 2 }}
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_observability-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-observability" ) }}

charts/tekton-triggers/templates/config-validation.yaml

@@ -1,4 +1,4 @@
-{{- define "config_validation-triggers" -}}
+{{- define "config-validation" -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -20,4 +20,4 @@ webhooks:
           operator: Exists
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config_validation-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "config-validation" ) }}

charts/tekton-triggers/templates/deployment-webhook.yaml

@@ -21,7 +21,7 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
     spec:
-      serviceAccountName: tekton-triggers-controller
+      serviceAccountName: tekton-triggers-webhook
       nodeSelector: {{- include "helpers.pod.node_selector" ( dict "Global" $ "Application" "tekton_webhook" ) | nindent 8 }}
       terminationGracePeriodSeconds: 30
       containers:
@@ -51,6 +51,20 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             runAsUser: 65532
+          readinessProbe:
+            httpGet:
+              path: /
+              scheme: HTTPS
+              port: {{ $.Values.params.endpoints.ports.webhook.target }}
+            initialDelaySeconds: 30
+            periodSeconds: 15
+          livenessProbe:
+            httpGet:
+              path: /
+              scheme: HTTPS
+              port: {{ $.Values.params.endpoints.ports.webhook.target }}
+            initialDelaySeconds: 60
+            periodSeconds: 30
       volumes: []
 ...
 {{- end -}}

charts/tekton-triggers/templates/mutatingwebhookconfig-webhook.yaml

@@ -1,4 +1,4 @@
-{{- define "webhook-triggers" -}}
+{{- define "mutatingwebhookconfig-webhook" -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -16,4 +16,4 @@ webhooks:
     name: webhook.triggers.tekton.dev
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "webhook-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "mutatingwebhookconfig-webhook" ) }}

charts/tekton-triggers/templates/role-admin.yaml

@@ -0,0 +1,19 @@
+{{- define "role_admin-triggers" -}}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }}
+  name: tekton-triggers-admin
+  namespace: {{ $.Release.Namespace }}
+rules:
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    resourceNames:
+      - tekton-triggers
+    verbs:
+      - use
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role_admin-triggers" ) }}

charts/tekton-triggers/templates/role-webhook_admin.yaml

@@ -1,10 +1,10 @@
-{{- define "role_admin-triggers" -}}
+{{- define "role-webhook_admin" -}}
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }}
-  name: tekton-triggers-admin
+  name: tekton-triggers-admin-webhook
   namespace: {{ $.Release.Namespace }}
 rules:
   - apiGroups:
@@ -28,4 +28,4 @@ rules:
       - patch
       - watch
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role_admin-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "role-webhook_admin" ) }}

charts/tekton-triggers/templates/rolebinding-controller_admin.yaml

@@ -1,4 +1,4 @@
-{{- define "rolebinding_controller-triggers" -}}
+{{- define "rolebinding-controller_admin" -}}
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,4 +18,4 @@ roleRef:
   name: tekton-triggers-admin
   apiGroup: rbac.authorization.k8s.io
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding_controller-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding-controller_admin" ) }}

charts/tekton-triggers/templates/rolebinding-webhook_admin.yaml

@@ -0,0 +1,20 @@
+{{- define "rolebinding-webhook_admin" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-webhook-admin
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: tekton-triggers
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: tekton-triggers-admin-webhook
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "rolebinding-webhook_admin" ) }}

charts/tekton-triggers/templates/serviceaccount-webhook.yaml

@@ -0,0 +1,11 @@
+{{- define "serviceaccount-webhook" -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "tekton" "PartOf" "tekton-triggers") | nindent 4 }}
+  name: tekton-triggers-webhook
+  namespace: {{ $.Release.Namespace }}
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "serviceaccount-webhook" ) }}

charts/tekton-triggers/templates/validatingwebhookconfig-webhook.yaml

@@ -1,4 +1,4 @@
-{{- define "webhook_validation-triggers" -}}
+{{- define "validatingwebhookconfig-webhook" -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -16,4 +16,4 @@ webhooks:
     name: validation.webhook.triggers.tekton.dev
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "webhook_validation-triggers" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "validatingwebhookconfig-webhook" ) }}

tools/gate/tekton/300-test.sh

@@ -4,35 +4,16 @@ set -eux
 
 TEKTON_NS="tekton-pipelines"
 
-# Runs the tekton pipeline trigger test
-function retry {
-  local n=1
-  local max=5
-  local delay=10
-
-  while true; do
-    "$@" && break || {
-      if [[ $n -lt $max ]]; then
-        (( n++ ))
-        sleep $delay
-      else
-        echo "failed after $n attempts." >&2
-        exit 1
-      fi
-    }
-  done
-}
-
 sleep 60
 
 kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/secret.yaml
 kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/serviceaccount.yaml
 kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/clustertriggerbinding-roles
 kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/role-resources/triggerbinding-roles
-retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggertemplates/triggertemplate.yaml
+kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggertemplates/triggertemplate.yaml
-retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding.yaml
+kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding.yaml
-retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding-message.yaml
+kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/triggerbindings/triggerbinding-message.yaml
-retry kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/eventlisteners/eventlistener.yaml
+kubectl -n $TEKTON_NS apply -f ./tools/gate/tekton/yaml/eventlisteners/eventlistener.yaml
 
 kubectl -n $TEKTON_NS get svc
 kubectl -n $TEKTON_NS get pod