feature(apps/prod/tekton): add pipeline-in-pipeline controller (#677)

* feature(apps/prod/tekton): add pipeline-in-pipeline controller

* chore(apps/dev): migrate tekton from staging to dev

* chore(apps/dev/tekton/setup): only deploy tekton pip in dev env

* chore: delete useless files

apps/dev/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - namespace.yaml
   - prow-crd.yaml
   - prow
+  # - tekton

apps/staging/tekton/setup/kustomization.yaml → apps/dev/tekton/setup/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
   - https://github.com/tektoncd/operator/releases/download/v0.65.1/release.yaml
   - operator-config.yaml
   - ingress-dashboard.yaml
+  - pip-release.yaml

apps/dev/tekton/setup/pip-release.yaml

@@ -0,0 +1,357 @@
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+#   name: tekton-pip-run
+#   labels:
+#     app.kubernetes.io/instance: default
+#     app.kubernetes.io/part-of: tekton-pip-run
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pip-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pip-controller-cluster-access
+  labels:
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+rules:
+  # Controller needs cluster access to all CustomRun CRs.
+  - apiGroups: ["tekton.dev"]
+    resources: ["customruns", "pipelineruns"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["customruns/finalizers"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["customruns/status", "pipelineruns/status"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  # Controller needs cluster access to leases for leader election.
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  # Controller needs permission to emit events associated with CustomRun CRs.
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pip-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["list", "watch"]
+  # The controller needs access to these configmaps for logging information and runtime configuration.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+    resourceNames: ["config-logging-pip", "config-observability", "config-leader-election"]
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pip-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+subjects:
+  - kind: ServiceAccount
+    name: pip-controller
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: pip-controller
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pip-controller-cluster-access
+  labels:
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+subjects:
+  - kind: ServiceAccount
+    name: pip-controller
+    namespace: tekton-pipelines
+roleRef:
+  kind: ClusterRole
+  name: pip-controller-cluster-access
+  apiGroup: rbac.authorization.k8s.io
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: pip-controller
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/part-of: tekton-pip-run
+    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
+    pipeline.tekton.dev/release: "v20220126-2d431237c6"
+    # labels below are related to istio and should not be used for resource lookup
+    app: pip-controller
+    version: "v20220126-2d431237c6"
+  name: pip-controller
+  namespace: tekton-pipelines
+spec:
+  ports:
+    - name: http-metrics
+      port: 9090
+      protocol: TCP
+      targetPort: 9090
+  selector:
+    app.kubernetes.io/name: pip-controller
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pip-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: pip-controller
+    app.kubernetes.io/component: pip-controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/part-of: tekton-pip-run
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: pip-controller
+      app.kubernetes.io/component: pip-controller
+      app.kubernetes.io/instance: default
+      app.kubernetes.io/part-of: pip
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+      labels:
+        app.kubernetes.io/name: pip-controller
+        app.kubernetes.io/component: pip-controller
+        app.kubernetes.io/instance: default
+        app.kubernetes.io/version: devel
+        app.kubernetes.io/part-of: pip
+        app: pip-controller
+    spec:
+      serviceAccountName: pip-controller
+      containers:
+        - name: pip-controller
+          image: gcr.io/tekton-nightly/github.com/tektoncd/experimental/pipelines-in-pipelines/cmd/controller:v20220126-2d431237c6
+          volumeMounts:
+            - name: config-logging
+              mountPath: /etc/config-logging
+          env:
+            - name: SYSTEM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            # If you are changing these names, you will also need to update
+            # the controller's Role in 200-role.yaml to include the new
+            # values in the "configmaps" "get" rule.
+            - name: CONFIG_LOGGING_NAME
+              value: config-logging-pip
+            - name: METRICS_DOMAIN
+              value: experimental.tekton.dev/pipelines-in-pipelines
+      volumes:
+        - name: config-logging
+          configMap:
+            name: config-logging-pip
+
+---
+# Copyright 2021 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-logging-pip
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pip-run
+data:
+  # Common configuration for all knative codebase
+  zap-logger-config: |
+    {
+      "level": "info",
+      "development": false,
+      "sampling": {
+        "initial": 100,
+        "thereafter": 100
+      },
+      "outputPaths": ["stdout"],
+      "errorOutputPaths": ["stderr"],
+      "encoding": "json",
+      "encoderConfig": {
+        "timeKey": "ts",
+        "levelKey": "level",
+        "nameKey": "logger",
+        "callerKey": "caller",
+        "messageKey": "msg",
+        "stacktraceKey": "stacktrace",
+        "lineEnding": "",
+        "levelEncoder": "",
+        "timeEncoder": "",
+        "durationEncoder": "",
+        "callerEncoder": ""
+      }
+    }
+  # Log level overrides
+  loglevel.controller: "info"
+  loglevel.webhook: "info"
+
+---

apps/prod/tekton/setup/kustomization.yaml

@@ -7,4 +7,4 @@ resources:
   # we fixed the image tag to make it runable on arm64 nodes:
   #   gcr.io/tekton-releases/dogfooding/tkn
   - operator-release.yaml 
-  - operator-config.yaml
+  - operator-config.yaml

apps/staging/kustomization.yaml

@@ -4,7 +4,6 @@ resources:
   - ../_base
   - namespace.yaml
   - jenkins
-  - tekton
   - prow-crd.yaml
   - prow
   - mongodb