# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "devel"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "devel"
    # labels below are related to istio and should not be used for resource lookup
    version: "devel"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: controller
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-pipelines
  template:
    metadata:
      labels:
        app.kubernetes.io/name: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "devel"
        app.kubernetes.io/part-of: tekton-pipelines
        # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
        pipeline.tekton.dev/release: "devel"
        # labels below are related to istio and should not be used for resource lookup
        app: tekton-pipelines-controller
        version: "devel"
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/os
                  operator: NotIn
                  values:
                  - windows
      serviceAccountName: tekton-pipelines-controller
      containers:
      - name: tekton-pipelines-controller
        image: ko://github.com/tektoncd/pipeline/cmd/controller
        args: [
          # These images are built on-demand by `ko resolve` and are replaced
          # by image references by digest.
          "-entrypoint-image", "ko://github.com/tektoncd/pipeline/cmd/entrypoint",
          "-nop-image", "ko://github.com/tektoncd/pipeline/cmd/nop",
          "-sidecarlogresults-image", "ko://github.com/tektoncd/pipeline/cmd/sidecarlogresults",
          "-workingdirinit-image", "ko://github.com/tektoncd/pipeline/cmd/workingdirinit",

          # The shell image must allow root in order to create directories and copy files to PVCs.
          # cgr.dev/chainguard/busybox as of April 14 2022
          # image shall not contains tag, so it will be supported on a runtime like cri-o
          "-shell-image", "cgr.dev/chainguard/busybox@sha256:19f02276bf8dbdd62f069b922f10c65262cc34b710eea26ff928129a736be791",

          # for script mode to work with windows we need a powershell image
          # pinning to nanoserver tag as of July 15 2021
          "-shell-image-win", "mcr.microsoft.com/powershell:nanoserver@sha256:b6d5ff841b78bdf2dfed7550000fd4f3437385b8fa686ec0f010be24777654d6",
        ]
        volumeMounts:
        - name: config-logging
          mountPath: /etc/config-logging
        - name: config-registry-cert
          mountPath: /etc/config-registry-cert
        env:
        - name: SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: KUBERNETES_MIN_VERSION
          value: "v1.28.0"
        # If you are changing these names, you will also need to update
        # the controller's Role in 200-role.yaml to include the new
        # values in the "configmaps" "get" rule.
        - name: CONFIG_DEFAULTS_NAME
          value: config-defaults
        - name: CONFIG_LOGGING_NAME
          value: config-logging
        - name: CONFIG_OBSERVABILITY_NAME
          value: config-observability
        - name: CONFIG_FEATURE_FLAGS_NAME
          value: feature-flags
        - name: CONFIG_LEADERELECTION_NAME
          value: config-leader-election-controller
        - name: CONFIG_SPIRE
          value: config-spire
        - name: SSL_CERT_FILE
          value: /etc/config-registry-cert/cert
        - name: SSL_CERT_DIR
          value: /etc/ssl/certs
        - name: METRICS_DOMAIN
          value: tekton.dev/pipeline
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - "ALL"
          # User 65532 is the nonroot user ID
          runAsUser: 65532
          runAsGroup: 65532
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        ports:
        - name: metrics
          containerPort: 9090
        - name: profiling
          containerPort: 8008
        - name: probes
          containerPort: 8080
        livenessProbe:
          httpGet:
            path: /health
            port: probes
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /readiness
            port: probes
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
      volumes:
        - name: config-logging
          configMap:
            name: config-logging
        - name: config-registry-cert
          configMap:
            name: config-registry-cert
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "devel"
    app.kubernetes.io/part-of: tekton-pipelines
    # tekton.dev/release value replaced with inputs.params.versionTag in pipeline/tekton/publish.yaml
    pipeline.tekton.dev/release: "devel"
    # labels below are related to istio and should not be used for resource lookup
    app: tekton-pipelines-controller
    version: "devel"
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
spec:
  ports:
  - name: http-metrics
    port: 9090
    protocol: TCP
    targetPort: 9090
  - name: http-profiling
    port: 8008
    targetPort: 8008
  - name: probes
    port: 8080
  selector:
    app.kubernetes.io/name: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines