Plumbing

This repo holds configuration for infrastructure used across the tektoncd org 🏗️:

• Automation runs in the tektoncd GCP projects, including clusters
• Tekton is used to release projects, build docker images and run periodic jobs
• Ingress configuration for access via tekton.dev
• Gubernator is used for holding and displaying Prow logs
• Boskos is used to control a pool of GCP projects which end to end tests can run against
• Peribolos is used to control org and repo permissions

Support

If you need support, reach out in the tektoncd slack via the #plumbing channel.

Members of the Tekton governing board have access to the underlying resources.

Clusters

Tekton uses several kubernetes clusters:

• dogfooding which exists in tekton-releases
• robocat which exists in tekton-nightly
• The cluster prow also exists in tekton-releases

GCP projects

Automation for the tektoncd org runs in a GKE cluster which members of the governing board have access to.

There are several GCP projects used by Tekton:

• The GCP project that is used for GKE, storage, etc. is called tekton-releases. It has several GKE clusters:
  • The GKE cluster that Prow, Tekton, and boskos run in is called prow and is used
  • The GKE cluster that is used for nightly releases and other dogfooding is called dogfooding
• The GCP project tekton-nightly is used to hold nightly release artifacts and the robocat cluster

The script addpermissions.py gives users access to these projects.

The prow cluster

The prow cluster is where we run Prow, which currently does a lot of our CI, though we are trying to dogfood more and more.

Prow secrets

Secrets which have been applied to the prow cluster but are not committed here are:

• GitHub personal access tokens:
• bot-token-github in the default namespace
• bot-token-github in the github-admin namespace
• hmac-token for authenticating GitHub
• oauth-token which is a GitHub access token for tekton-robot, used by Prow itself as well as by containers started by Prow via the Prow config. See the GitHub secret Prow docs.
• GCP secrets:
  • test-account is a token for the service account [email protected]. This account can interact with GCP resources such as uploading Prow results to GCS (which is done directly from the containers started by Prow, configured in config.yaml) and interacting with boskos clusters.
  • Nightly release secret: nightly-account a token for the nightly-release GCP service account

The robocat cluster

The robocat cluster is where we test the nightly releases of all Tekton projects.

Robocat secrets

Secrets which have been applied to the robocat cluster but are not committed here are:

• cluster admin secret
• secrets used by cronjobs
• deployment secrets

The Dogfooding cluster

The dogfooding cluster is where we run Tekton for CI. Configuration for the CI itself lives in the tekton folder. This cluster is part of the tekton-releases GCP project

Dogfooding Secrets

Secrets which have been applied to the dogfooding cluster but are not committed here are:

• GitHub personal access tokens:
  • In the default namespace:
    • bot-token-github used for syncing label configuration and org configuration
    • github-token used to create a draft release
  • In the tektonci namespace:
    • bot-token-github used for ?
    • ci-webhook contains the secret used to verify pull request webhook requests for plumbing CI.
  • In the mario namespace:
    • mario-github-secret contains the secret used to verify comment webhook requests to the mario service are coming from github
    • mario-github-token used for updating PRs
• GCP secrets:
  • nightly-account is used by nightly releases to push releases to the nightly bucket. It's a token for service account [email protected].
  • release-secret is used by Tekton Pipeline to push pipeline artifacts to a GCS bucket. It's also used to push images built by cron trigger (or Mario to the image registry on GCP.
• Lots of other secrets, hopefully we can add more documentation on them here as we go.