1. Using kubernetes tekton.dev with access

    TypeScript

    In order to set up Tekton on a Kubernetes cluster with appropriate access control, you would typically need to perform the following actions:

    1. Install Tekton Pipelines, which provides the foundation for executing pipelines.
    2. Configure RBAC (Role-Based Access Control) to define permissions for resources within the cluster so that Tekton and its components have the necessary access.

    Below is a Pulumi program written in TypeScript that demonstrates how to perform these steps. The program does the following:

    • Creates a Namespace for Tekton to keep its resources isolated.
    • Applies Tekton Pipeline resources using a ConfigFile resource, which allows applying raw Kubernetes YAML files.
    • Sets up a Role and RoleBinding to grant permissions necessary for the pipeline service account.

    Prior to running this Pulumi program, ensure you have:

    • Pulumi CLI installed and configured.
    • Access to a Kubernetes cluster, with a kubeconfig file or environment variables set up for cluster access.

    Now, let's look at the Pulumi TypeScript program that achieves the above:

```typescript
import * as k8s from "@pulumi/kubernetes";

// Create a namespace for Tekton resources
const tektonNamespace = new k8s.core.v1.Namespace("tekton-namespace", {
    metadata: {
        name: "tekton-pipelines", // Name of the namespace
    },
});

// Apply the Tekton Pipelines installation manifest.
// This manifest comes from the Tekton Pipelines GitHub repository releases.
// ConfigFile accepts no `namespace` argument; the objects in the release
// manifest already carry their own namespace.
const tektonPipelines = new k8s.yaml.ConfigFile("tekton-pipelines", {
    // Replace this URL with the version you want to install
    file: "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.14.2/release.yaml",
}, { dependsOn: [tektonNamespace] });

// Define a Role in the Tekton namespace to manage resources
const tektonRole = new k8s.rbac.v1.Role("tekton-role", {
    metadata: {
        namespace: tektonNamespace.metadata.name,
    },
    rules: [{
        apiGroups: [""], // Core API group
        resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets"],
        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
    }, {
        apiGroups: ["apps"], // For deployments, replicasets etc.
        resources: ["deployments"],
        verbs: ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}, { dependsOn: [tektonPipelines] });

// Bind the Role to a ServiceAccount, granting the permissions defined in the Role to the account
const tektonRoleBinding = new k8s.rbac.v1.RoleBinding("tekton-role-binding", {
    metadata: {
        namespace: tektonNamespace.metadata.name,
    },
    subjects: [{
        kind: "ServiceAccount",
        name: "default", // Assuming 'default' service account, replace with specific service account name if necessary
        namespace: tektonNamespace.metadata.name,
    }],
    roleRef: {
        kind: "Role",
        name: tektonRole.metadata.name,
        apiGroup: "rbac.authorization.k8s.io",
    },
}, { dependsOn: [tektonRole] });

// Export the namespace name where Tekton is installed
export const namespaceName = tektonNamespace.metadata.name;
```

    In the program above:

    • A new Kubernetes namespace is created where all Tekton resources will reside.
    • The tektonPipelines resource uses the ConfigFile class to load Tekton components from their official release YAML. You should replace the URL with the version of Tekton Pipelines you want to install.
    • The Role defines access control permissions for managing Kubernetes resources within the Tekton namespace.
    • The RoleBinding attaches these permissions to a ServiceAccount (we use default here).

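    Make sure to replace the service account name with the one you intend to use for running Tekton Pipelines if it's not the default. Every pod in the namespace that does not specify a service account runs as default, so binding the Role to default gives all of those pods the Role's permissions, including access to Secrets; a dedicated service account limits that exposure. Also, update the Tekton installation URL to point to the specific version you want to install.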
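    The Role and RoleBinding described above can be checked before they are deployed. The following is an added example, not part of the original program: a self-contained TypeScript check (the `auditRbac` function, its finding ids and the `pipeline-runner` account name are assumptions for illustration) that flags Secret read access, pod creation and bindings to the default service account.

```typescript
// Added example, not part of the original program: audit RBAC rules before deploying them.
// PolicyRule and Subject mirror the fields used by the Role and RoleBinding above.
interface PolicyRule { apiGroups: string[]; resources: string[]; verbs: string[]; }
interface Subject { kind: string; name: string; namespace: string; }
interface Finding { id: string; detail: string; }

// True when the list names `wanted` explicitly or through the "*" wildcard.
function grants(list: string[], wanted: string): boolean {
    return list.indexOf("*") !== -1 || list.indexOf(wanted) !== -1;
}

function auditRbac(rules: PolicyRule[], subjects: Subject[]): Finding[] {
    const findings: Finding[] = [];
    for (const rule of rules) {
        if ([rule.apiGroups, rule.resources, rule.verbs].some((l) => l.indexOf("*") !== -1)) {
            findings.push({ id: "wildcard", detail: "'*' also matches resources and verbs added later" });
        }
        if (!grants(rule.apiGroups, "")) continue; // the checks below concern the core API group
        const read = ["get", "list", "watch"].filter((v) => grants(rule.verbs, v));
        if (grants(rule.resources, "secrets") && read.length > 0) {
            findings.push({ id: "secrets-read", detail: `can ${read.join("/")} every Secret in the namespace` });
        }
        if (grants(rule.resources, "pods") && grants(rule.verbs, "create")) {
            findings.push({ id: "pods-create", detail: "new pods can mount any Secret or run as any service account in the namespace" });
        }
    }
    for (const s of subjects) {
        if (s.kind === "ServiceAccount" && s.name === "default") {
            findings.push({ id: "default-sa", detail: `every pod in '${s.namespace}' without its own serviceAccountName gets this Role` });
        }
    }
    return findings;
}

// Constructed input: the rules and subject copied from the program above.
const allVerbs = ["get", "list", "watch", "create", "update", "patch", "delete"];
const pageRules: PolicyRule[] = [
    { apiGroups: [""], verbs: allVerbs, resources: ["pods", "services", "endpoints",
        "persistentvolumeclaims", "events", "configmaps", "secrets"] },
    { apiGroups: ["apps"], verbs: allVerbs, resources: ["deployments"] },
];
const pageSubjects: Subject[] = [{ kind: "ServiceAccount", name: "default", namespace: "tekton-pipelines" }];
// Constructed input: a narrower grant for a dedicated account ("pipeline-runner" is an assumed name).
const narrowRules: PolicyRule[] = [{ apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list"] }];
const narrowSubjects: Subject[] = [{ kind: "ServiceAccount", name: "pipeline-runner", namespace: "tekton-pipelines" }];

for (const f of auditRbac(pageRules, pageSubjects)) console.log(`${f.id}: ${f.detail}`);
console.log(`narrow grant findings: ${auditRbac(narrowRules, narrowSubjects).length}`);
```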

    To run this program:

    1. Save the code to a file with the .ts extension, such as index.ts.
    2. Ensure you have installed Pulumi and configured it to use your Kubernetes cluster.
    3. Run pulumi up to deploy the resources defined in the program.

    Pulumi will apply the changes to your cluster, creating a namespace, installing Tekton, and setting up appropriate roles and bindings for access control.