
Commit 3b008f5

feat(triggers): wire NetworkPolicy reconciliation into TektonTrigger
Add triggersDefaultPolicies() defining four NetworkPolicies for the Triggers workloads (controller, webhook, core-interceptors ingress, core-interceptors egress). Platform-specific DNS and Prometheus values are resolved at controller startup via v1alpha1.IsOpenShiftPlatform(). reconcileNetworkPolicies() applies policies as a named CustomSet ("triggers-network-policies") or cleans it up when disabled.

Signed-off-by: Khurram Baig <khurram.baig@gmail.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 59a9639 commit 3b008f5

13 files changed

Lines changed: 430 additions & 92 deletions


charts/tekton-operator/templates/kubernetes-crds.yaml

Lines changed: 55 additions & 40 deletions
@@ -89,8 +89,6 @@ spec:
8989
targetNamespace:
9090
description: TargetNamespace is where resources will be installed
9191
type: string
92-
required:
93-
- options
9492
type: object
9593
status:
9694
description: ManualApprovalGateStatus defines the observed state of ManualApprovalGate
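Review bot: dropping `required: - options` from the ManualApprovalGate spec in this hunk is unrelated to the NetworkPolicy wiring the commit message describes, and the same removal recurs in almost every hunk of this file (OpenShiftPipelinesAsCode, TektonChain, hub, scheduler, pruner, results, triggers, multicluster proxy), alongside the send-cloudevents-for-runs deprecation text and the enableCentralTLSConfig default flip further down. Removing a field from `required` is a user-visible validation change: a CR that omits `options` now passes admission where it previously was rejected. If these chart CRDs were simply regenerated from the Go types and picked up earlier API changes, state that in the commit message, and preferably land the regeneration as its own commit so the schema relaxation can be reviewed separately from the feature.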
@@ -328,8 +326,6 @@ spec:
328326
targetNamespace:
329327
description: TargetNamespace is where resources will be installed
330328
type: string
331-
required:
332-
- options
333329
type: object
334330
status:
335331
description: OpenShiftPipelinesAsCodeStatus defines the observed state
@@ -811,7 +807,6 @@ spec:
811807
type: string
812808
required:
813809
- disabled
814-
- options
815810
type: object
816811
status:
817812
description: TektonChainStatus defines the observed state of TektonChain
@@ -1266,7 +1261,6 @@ spec:
12661261
type: string
12671262
required:
12681263
- disabled
1269-
- options
12701264
type: object
12711265
config:
12721266
description: Config holds the configuration for resources created
@@ -1362,7 +1356,6 @@ spec:
13621356
in read-only mode
13631357
type: boolean
13641358
required:
1365-
- options
13661359
- readonly
13671360
type: object
13681361
hub:
@@ -1412,8 +1405,6 @@ spec:
14121405
type: string
14131406
type: object
14141407
type: array
1415-
required:
1416-
- options
14171408
type: object
14181409
multiclusterProxyAAE:
14191410
description: MulticlusterProxyAAE holds the customizable options for
@@ -1451,8 +1442,23 @@ spec:
14511442
type: object
14521443
type: object
14531444
type: object
1454-
required:
1455-
- options
1445+
type: object
1446+
networkPolicy:
1447+
description: NetworkPolicy configures namespace-wide NetworkPolicies
1448+
for the operand namespace.
1449+
properties:
1450+
disabled:
1451+
description: |-
1452+
Disabled disables all NetworkPolicy creation for this component.
1453+
Existing policies are removed on the next reconcile.
1454+
type: boolean
1455+
policies:
1456+
description: |-
1457+
Policies merges with the operator's default NetworkPolicies by name.
1458+
A key matching a default policy name replaces that default entirely.
1459+
A key not matching any default is added alongside the defaults.
1460+
If nil or empty, all operator defaults are applied unchanged.
1461+
x-kubernetes-preserve-unknown-fields: true
14561462
type: object
14571463
params:
14581464
description: Params is the list of params passed for all platforms
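Review bot: `policies` in the new `networkPolicy` block is declared with only `x-kubernetes-preserve-unknown-fields: true` and no `type`, so the API server will accept any value there (a list, a string, a number), not just the name-to-policy map the description promises, and a malformed entry will only surface later as a reconcile error. Add `type: object` to `policies` and, since the values are meant to replace whole NetworkPolicies, at least `additionalProperties: {type: object, x-kubernetes-preserve-unknown-fields: true}` so shape errors are rejected at admission; the same applies to the identical block added to the TektonTrigger CRD below. The `disabled` description should also spell out the consequence of "Existing policies are removed on the next reconcile", namely that flipping it to true leaves the operand namespace without the operator's default network restrictions until it is set back.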
@@ -1649,6 +1655,13 @@ spec:
16491655
used.
16501656
type: boolean
16511657
send-cloudevents-for-runs:
1658+
description: |-
1659+
Deprecated: send-cloudevents-for-runs is deprecated in tektoncd/pipeline v1.12.0
1660+
(https://github.com/tektoncd/pipeline/pull/9774) and will be removed in a future release.
1661+
CloudEvents for CustomRuns are now enabled by default when a sink is configured in
1662+
the config-events ConfigMap. This field only affects CustomRun objects; it has no
1663+
effect on TaskRuns or PipelineRuns. Set to false only to suppress duplicate events
1664+
when a custom task controller already sends its own CloudEvents.
16521665
type: boolean
16531666
set-security-context:
16541667
type: boolean
@@ -1666,8 +1679,6 @@ spec:
16661679
type: string
16671680
verification-mode:
16681681
type: string
1669-
required:
1670-
- options
16711682
type: object
16721683
platforms:
16731684
description: Platforms allows configuring platform specific configurations
@@ -1746,8 +1757,6 @@ spec:
17461757
additionalProperties:
17471758
type: string
17481759
type: object
1749-
required:
1750-
- options
17511760
type: object
17521761
type: object
17531762
openshift:
@@ -1756,14 +1765,13 @@ spec:
17561765
properties:
17571766
enableCentralTLSConfig:
17581767
description: |-
1759-
EnableCentralTLSConfig enables TLS configuration inheritance from
1760-
the cluster's APIServer TLS security profile. When enabled, TLS settings
1761-
(minimum version, cipher suites, curve preferences) are automatically
1762-
derived from the cluster-wide security policy and injected into Tekton
1763-
component containers that support TLS configuration.
1764-
If the APIServer does not have a TLS profile configured, user-specified
1765-
TLS settings in component configurations will be used as fallback.
1766-
Default: false (opt-in)
1768+
EnableCentralTLSConfig controls TLS configuration inheritance from the
1769+
cluster's APIServer TLS security profile. When enabled (the default),
1770+
TLS settings (minimum version, cipher suites, curve preferences) are
1771+
automatically derived from the cluster-wide security policy and injected
1772+
into Tekton component containers that support TLS configuration.
1773+
Set to false to opt out and manage TLS settings manually.
1774+
Default: true (opt-out)
17671775
type: boolean
17681776
pipelinesAsCode:
17691777
description: PipelinesAsCode allows configuring PipelinesAsCode
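Review bot: the description now reads "Default: true (opt-out)" where it previously said false, but the property still carries no `default: true`, so the API server does not set this value and an unset field means true only if the operator's Go-side defaulting was flipped in the same change. Either add `default: true` to the schema so stored objects reflect the documented default, or confirm in the PR that the code default changed, otherwise the description and the behaviour will disagree. Because this inverts behaviour for every existing TektonConfig that leaves the field unset (those clusters will start receiving the APIServer TLS profile's minimum version and cipher suites in their Tekton components), it warrants its own release note. The old sentence about falling back to user-specified TLS settings when the APIServer has no TLS profile was also dropped; if that fallback still holds, keep it documented here.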
@@ -1835,8 +1843,6 @@ spec:
18351843
additionalProperties:
18361844
type: string
18371845
type: object
1838-
required:
1839-
- options
18401846
type: object
18411847
scc:
18421848
description: SCC allows configuring security context constraints
@@ -2057,7 +2063,6 @@ spec:
20572063
required:
20582064
- disabled
20592065
- is_external_db
2060-
- options
20612066
type: object
20622067
scheduler:
20632068
description: To enable Pipeline Scheduling on Single Cluster or Multiple
@@ -2115,7 +2120,6 @@ spec:
21152120
- disabled
21162121
- multi-cluster-disabled
21172122
- multi-cluster-role
2118-
- options
21192123
type: object
21202124
targetNamespace:
21212125
description: TargetNamespace is where resources will be installed
@@ -2176,7 +2180,6 @@ spec:
21762180
required:
21772181
- disabled
21782182
- global-config
2179-
- options
21802183
type: object
21812184
trigger:
21822185
description: Trigger holds the customizable option for triggers component
@@ -2222,7 +2225,6 @@ spec:
22222225
type: object
22232226
required:
22242227
- disabled
2225-
- options
22262228
type: object
22272229
type: object
22282230
status:
@@ -2443,7 +2445,6 @@ spec:
24432445
description: TargetNamespace is where resources will be installed
24442446
type: string
24452447
required:
2446-
- options
24472448
- readonly
24482449
type: object
24492450
status:
@@ -2686,8 +2687,6 @@ spec:
26862687
targetNamespace:
26872688
description: TargetNamespace is where resources will be installed
26882689
type: string
2689-
required:
2690-
- options
26912690
type: object
26922691
status:
26932692
description: TektonHubStatus defines the observed state of TektonHub
@@ -3169,6 +3168,13 @@ spec:
31693168
description: ScopeWhenExpressionsToTask is deprecated and never used.
31703169
type: boolean
31713170
send-cloudevents-for-runs:
3171+
description: |-
3172+
Deprecated: send-cloudevents-for-runs is deprecated in tektoncd/pipeline v1.12.0
3173+
(https://github.com/tektoncd/pipeline/pull/9774) and will be removed in a future release.
3174+
CloudEvents for CustomRuns are now enabled by default when a sink is configured in
3175+
the config-events ConfigMap. This field only affects CustomRun objects; it has no
3176+
effect on TaskRuns or PipelineRuns. Set to false only to suppress duplicate events
3177+
when a custom task controller already sends its own CloudEvents.
31723178
type: boolean
31733179
set-security-context:
31743180
type: boolean
@@ -3189,8 +3195,6 @@ spec:
31893195
type: string
31903196
verification-mode:
31913197
type: string
3192-
required:
3193-
- options
31943198
type: object
31953199
status:
31963200
description: TektonPipelineStatus defines the observed state of TektonPipeline
@@ -3532,7 +3536,6 @@ spec:
35323536
required:
35333537
- disabled
35343538
- is_external_db
3535-
- options
35363539
type: object
35373540
status:
35383541
description: TektonResultStatus defines the observed state of TektonResult
@@ -3712,6 +3715,23 @@ spec:
37123715
type: boolean
37133716
enable-api-fields:
37143717
type: string
3718+
networkPolicy:
3719+
description: NetworkPolicy configures NetworkPolicy creation for TektonTrigger
3720+
workloads.
3721+
properties:
3722+
disabled:
3723+
description: |-
3724+
Disabled disables all NetworkPolicy creation for this component.
3725+
Existing policies are removed on the next reconcile.
3726+
type: boolean
3727+
policies:
3728+
description: |-
3729+
Policies merges with the operator's default NetworkPolicies by name.
3730+
A key matching a default policy name replaces that default entirely.
3731+
A key not matching any default is added alongside the defaults.
3732+
If nil or empty, all operator defaults are applied unchanged.
3733+
x-kubernetes-preserve-unknown-fields: true
3734+
type: object
37153735
options:
37163736
description: options holds additions fields and these fields will
37173737
be updated on the manifests
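Review bot: the description says "A key matching a default policy name replaces that default entirely", but neither this block nor the one in TektonConfig names the defaults, so a user cannot actually override one by key; list the four default policy names from the commit message (controller, webhook, core-interceptors ingress, core-interceptors egress) in this description, or point to where they are documented. The two `networkPolicy` fields are also described differently ("namespace-wide NetworkPolicies for the operand namespace" on TektonConfig versus "NetworkPolicy creation for TektonTrigger workloads" here) without saying how they relate: whether TektonConfig propagates its value into TektonTrigger, and which setting wins when both are set. A sentence on precedence in each description would avoid users disabling policies in one place and having them re-created from the other.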
@@ -3749,7 +3769,6 @@ spec:
37493769
type: string
37503770
required:
37513771
- disabled
3752-
- options
37533772
type: object
37543773
status:
37553774
description: TektonTriggerStatus defines the observed state of TektonTrigger
@@ -3964,7 +3983,6 @@ spec:
39643983
required:
39653984
- disabled
39663985
- global-config
3967-
- options
39683986
type: object
39693987
status:
39703988
description: TektonPrunerStatus defines the observed state of TektonPruner
@@ -4140,7 +4158,6 @@ spec:
41404158
- disabled
41414159
- multi-cluster-disabled
41424160
- multi-cluster-role
4143-
- options
41444161
type: object
41454162
status:
41464163
description: TektonSchedulerStatus defines the observed state of TektonScheduler
@@ -4297,8 +4314,6 @@ spec:
42974314
targetNamespace:
42984315
description: TargetNamespace is where resources will be installed
42994316
type: string
4300-
required:
4301-
- options
43024317
type: object
43034318
status:
43044319
description: TektonMulticlusterProxyAAEStatus defines the observed state
