Introduce Kustomize and read-only ('locked-down') yaml base

jjjjijiji · Jan 24, 2020 · 3e0c254 · 3e0c254
1 parent 9b649ab
commit 3e0c254
Show file tree

Hide file tree

Showing 35 changed files with 598 additions and 1,021 deletions.
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -16,6 +16,7 @@ You must install these tools:
 1. [`ko`](https://github.com/google/ko): For development. `ko` version v0.1 or higher is required for `dashboard` to work correctly.
 1. [Node.js & npm](https://nodejs.org/): For building and running the frontend locally. See `engines` in [package.json](./package.json) for versions used. _Node.js 10.x is recommended_
 1. [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/): For interacting with your kube cluster.
+1. [`kustomize`](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/INSTALL.md): For building the Dashboard kube config. You need a recent version - v3.5.4 is recommended. See [here](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/INSTALL.md#try-go) - `GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v3` works correctly. 
 
 Your [`$GOPATH`] setting is critical for `ko apply` to function properly: a
 successful run will typically involve building pushing images instead of only
@@ -121,8 +122,20 @@ npm run build_ko
 
 This will build the static resources and add them to the `kodata` directory.
 
+Development dashboard builds come in four flavours: (plain kube or Openshift) * (read-only or read-write):
 ```shell
-ko apply -f config/
+# Plain Kube
+kustomize build overlays/dev | ko apply -f -
+kustomize build overlays/dev-locked-down | ko apply -f -
+
+# OpenShift
+kustomize build overlays/dev-openshift --load_restrictor=LoadRestrictionsNone | ko apply -f - | kubectl apply -f - --validate=false
+kustomize build overlays/dev-openshift-locked-down --load_restrictor=LoadRestrictionsNone | ko apply -f - | kubectl apply -f - --validate=false
+```
+
+We also provide a version for working with OpenShift image streams:
+```shell
+kustomize build overlays/dev-openshift-imagestream --load_restrictor=LoadRestrictionsNone | ko apply -f -
 ```
 
 ## Access the dashboard

diff --git a/README.md b/README.md
@@ -43,19 +43,17 @@ You are now ready to use the Tekton Dashboard, optionally with the Tekton Webhoo
 
 ### Nightly builds
 
-The Tekton Dashboard has a hosted image of the latest builds located at `gcr.io/tekton-nightly/dashboard:latest`
-To install the Dashboard using this image:
-
-```bash
-kubectl apply -f config/release/gcr-tekton-dashboard.yaml
+The Tekton Dashboard has a hosted image of the latest builds located at `gcr.io/tekton-nightly/dashboard:latest`. Nightly builds come in four flavours: 
+(plain kube or Openshift) * (read-only or read-write):
+```shell
+# Plain Kube
+kustomize build overlays/latest | ko apply -f -
+kustomize build overlays/latest-locked-down | ko apply -f -
+
+# OpenShift
+kustomize build overlays/latest-openshift --load_restrictor=LoadRestrictionsNone | ko apply -f - | kubectl apply -f - --validate=false
+kustomize build overlays/latest-openshift-locked-down --load_restrictor=LoadRestrictionsNone | ko apply -f - | kubectl apply -f - --validate=false
 ```
-
-Alternatively, the dashboard can be installed through the same GitHub release asset:
-
-```bash
-curl -L https://github.com/tektoncd/dashboard/releases/download/v0/gcr-tekton-dashboard.yaml | kubectl apply -f -
-```
-
 Development installation of the Dashboard uses `ko`:
 
 ```bash

diff --git a/base/200-clusterrole.yaml b/base/200-clusterrole.yaml
@@ -0,0 +1,52 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-dashboard-minimal
+  namespace: tekton-pipelines
+rules:
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list"]
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    verbs: ["use"]
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+    verbs: ["get", "list"]
+  - apiGroups: ["extensions", "apps"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/log", "namespaces", "events"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["tasks", "clustertasks", "taskruns", "pipelines",
+                "pipelineruns", "pipelineresources", "conditions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["taskruns/finalizers", "pipelineruns/finalizers"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["tasks/status", "clustertasks/status", "taskruns/status",
+                "pipelines/status", "pipelineruns/status"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["dashboard.tekton.dev"]
+    resources: ["extensions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["eventlisteners", "triggerbindings",
+                "triggertemplates"]
+    verbs: ["get", "list", "watch"]
diff --git a/base/201-clusterrolebinding.yaml b/base/201-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-dashboard-minimal
+subjects:
+  - kind: ServiceAccount
+    name: tekton-dashboard
+    namespace: tekton-pipelines
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tekton-dashboard-minimal
diff --git a/base/202-extension-crd.yaml b/base/202-extension-crd.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: extensions.dashboard.tekton.dev
+spec:
+  group: dashboard.tekton.dev
+  names:
+    kind: Extension
+    plural: extensions
+    categories:
+      - tekton
+      - tekton-dashboard
+  scope: Namespaced
+  # Opt into the status subresource so metadata.generation
+  # starts to increment
+  subresources:
+    status: {}
+  version: v1alpha1
diff --git a/base/203-serviceaccount.yaml b/base/203-serviceaccount.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: tekton-dashboard
+  name: tekton-dashboard
+  namespace: tekton-pipelines
diff --git a/base/300-deployment.yaml b/base/300-deployment.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tekton-dashboard
+  namespace: tekton-pipelines
+  labels:
+    app: tekton-dashboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tekton-dashboard
+  template:
+    metadata:
+      name: tekton-dashboard
+      labels:
+        app: tekton-dashboard
+    spec:
+      serviceAccountName: tekton-dashboard
+      containers:
+        - name: tekton-dashboard
+          image: dashboardImage
+          ports:
+            - containerPort: 9097
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9097
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 9097
+          env:
+            - name: PORT
+              value: "9097"
+            - name: WEB_RESOURCES_DIR
+              value: /var/run/ko/web
+            - name: PIPELINE_RUN_SERVICE_ACCOUNT
+              value: ""
+            - name: INSTALLED_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
diff --git a/base/300-service.yaml b/base/300-service.yaml
@@ -0,0 +1,16 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: tekton-dashboard
+  namespace: tekton-pipelines
+  labels:
+    app: tekton-dashboard
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9097
+      targetPort: 9097
+  selector:
+    app: tekton-dashboard
diff --git a/config/pipeline0-task.yaml → base/400-pipeline0-task.yaml b/config/pipeline0-task.yaml → base/400-pipeline0-task.yaml
@@ -1,5 +1,3 @@
-# The contents of this file should be included in both the Tekton dashboard
-# config directory and config/release/gcr-tekton-dashboard.yaml
 ---
 apiVersion: tekton.dev/v1alpha1
 kind: Task

diff --git a/base/401-pipeline0.yaml b/base/401-pipeline0.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: tekton.dev/v1alpha1
+kind: Pipeline
+metadata:
+  name: pipeline0
+  namespace: tekton-pipelines
+spec:
+  resources:
+    - name: git-source
+      type: git
+  params:
+    - name: pathToResourceFiles
+      description: The path to the resource files to apply
+      default: /workspace/git-source
+      type: string
+    - name: apply-directory
+      description: The directory from which resources are to be applied
+      default: "."
+      type: string
+    - name: target-namespace
+      description: The namespace in which to create the resources being imported
+      default: tekton-pipelines
+      type: string
+  tasks:
+    - name: pipeline0-task
+      taskRef:
+        name: pipeline0-task
+      params:
+        - name: pathToResourceFiles
+          value: $(params.pathToResourceFiles)
+        - name: apply-directory
+          value: $(params.apply-directory)
+        - name: target-namespace
+          value: $(params.target-namespace)
+      resources:
+        inputs:
+          - name: git-source
+            resource: git-source
diff --git a/base/kustomization.yaml b/base/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+resources:
+  - 200-clusterrole.yaml
+  - 201-clusterrolebinding.yaml
+  - 202-extension-crd.yaml
+  - 203-serviceaccount.yaml
+  - 300-deployment.yaml
+  - 300-service.yaml
+  - 400-pipeline0-task.yaml
+  - 401-pipeline0.yaml