Collapse simple 2-task pipelines into single Tasks to eliminate PVC usage #3480
vdemeester wants to merge 5 commits into
Collapse the peribolos-sync Pipeline (git-clone -> peribolos) into a single Task where git-clone is a step using the git-clone StepAction from tektoncd-catalog/git-clone (via the git resolver). The shared workspace becomes an emptyDir, eliminating PVC creation. Part of tektoncd#3379
…asks Collapse single-arch-build-and-push, docker-multi-arch-build-and-push and ko-multi-arch-build-and-push Pipelines into single Tasks with git-clone as a step (git-clone StepAction from tektoncd-catalog/git-clone). Source workspace becomes an emptyDir, eliminating PVC creation. Part of tektoncd#3379
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Pull request overview
This PR reduces PVC churn in the dogfooding Tekton workloads by collapsing several simple 2-Task Pipelines (git-clone → action) into single Tasks that run in one pod, switching triggers/runs to TaskRun, and replacing cross-task PVC-backed workspaces with emptyDir volumes.
Changes:
- Converted selected Pipelines into single `Task` definitions by inlining the clone phase as a `git-clone` StepAction resolved via the git resolver (pinned to `v1.7.0`).
- Updated TriggerTemplates (and the manual peribolos run) to create `TaskRun` instead of `PipelineRun`, and dropped `tekton.dev/auto-cleanup-pvc` where PVCs are no longer created.
- Removed now-redundant standalone Tasks (`peribolos.yaml`, `terraform.yaml`) and updated kustomizations accordingly.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tekton/resources/org-permissions/peribolos.yaml | Removed standalone peribolos Task now inlined into peribolos-sync as a step. |
| tekton/resources/org-permissions/peribolos-trigger.yaml | TriggerTemplate updated to create a TaskRun and bind source as emptyDir. |
| tekton/resources/org-permissions/peribolos-sync.yaml | Collapsed Pipeline into a single Task using git-clone StepAction + peribolos step. |
| tekton/resources/org-permissions/peribolos-run.yaml | Manual run updated from PipelineRun to TaskRun with emptyDir workspace. |
| tekton/resources/org-permissions/kustomization.yaml | Dropped removed peribolos.yaml from resources list. |
| tekton/resources/images/single-arch-template.yaml | Collapsed Pipeline into Task; TriggerTemplate now creates TaskRun with emptyDir source. |
| tekton/resources/images/ko-multi-arch-template.yaml | Collapsed Pipeline into Task; TriggerTemplate now creates TaskRun with emptyDir source. |
| tekton/resources/images/docker-multi-arch-template.yaml | Collapsed Pipeline into Task; moved buildx step + dind sidecar/volume into Task; TriggerTemplate now creates TaskRun. |
| tekton/resources/cd/terraform-branch-protection-template.yaml | TriggerTemplate updated to create TaskRun, bind source as emptyDir, and map command param. |
| tekton/resources/cd/peribolos-template.yaml | TriggerTemplate updated to create TaskRun with emptyDir source workspace. |
| tekton/resources/cd/folder-template.yaml | Removed Pipeline section and inlined clone as a first Task step; TriggerTemplate now creates TaskRun with emptyDir. |
| tekton/resources/cd/configmap-template.yaml | Removed Pipeline section and inlined clone as a first Task step; TriggerTemplate now creates TaskRun with emptyDir. |
| tekton/resources/branch-protection/terraform.yaml | Removed standalone terraform Task now inlined into terraform-sync as steps. |
| tekton/resources/branch-protection/terraform-sync.yaml | Collapsed Pipeline into a single Task using git-clone StepAction + terraform steps. |
| tekton/resources/branch-protection/kustomization.yaml | Dropped removed terraform.yaml from resources list. |
…s.*)
Using $(params.*) inside script: blocks is vulnerable to injection since
Tekton substitutes the value directly into the script text before the
shell runs. Environment variables are safe because values go through the
env, not inline into the shell script.
- terraform-sync.yaml: $(params.command) → ${COMMAND} env var
- single-arch-template.yaml: $(params.contextPath) → ${CONTEXT_PATH} env var
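The difference that commit message describes, as an added example that is not part of the PR or the project's code: the script below emulates textual substitution of `$(params.command)` into a script and compares it with passing the same value through the environment. The `tool` stand-in, the helper names and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added demo (not from the PR): emulates Tekton replacing $(params.command)
# in a step's script text, then compares that with passing the value via env.
# `tool`, the helper names and the sample value are constructed assumptions.

# Stand-in for the real CLI: prints each argument it receives.
TOOL_DEF='tool() { printf "arg=[%s]\n" "$@"; }'

# render VALUE: textual substitution, as done before any shell runs.
render() {
  template='tool $(params.command)'
  placeholder='$(params.command)'
  prefix=${template%%"$placeholder"*}
  suffix=${template#*"$placeholder"}
  printf '%s\n' "$prefix$1$suffix"
}

# run_inline VALUE: the value is part of the script source, so the shell
# parses any metacharacters in it (;, |, $(...)) as syntax.
run_inline() {
  sh -c "$TOOL_DEF
$(render "$1")"
}

# run_env VALUE: the script text is fixed; the value arrives in the process
# environment and is expanded as data. Quoting "${COMMAND}" also prevents
# word splitting; unquoted it would split, but ';' would still not be syntax.
run_env() {
  COMMAND=$1 sh -c "$TOOL_DEF
"'tool "${COMMAND}"'
}

# Constructed value with a harmless marker command appended.
SAMPLE='plan; echo INJECTED'

echo "rendered script : $(render "$SAMPLE")"
echo "--- inline substitution ---"
run_inline "$SAMPLE"
echo "--- env var ---"
run_env "$SAMPLE"
```

With inline substitution the marker runs as a second command; with the env var the whole value reaches `tool` as one argument.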
Changes
Collapses the 7 "clearly collapsible" 2-task pipelines from #3379 into single Tasks. Each followed a `git-clone → do-something` pattern with two tasks sharing a workspace via a `volumeClaimTemplate` (PVC). On OCI/OKE every `volumeClaimTemplate` provisions a 50 GiB block volume regardless of the requested size, so eliminating cross-task workspaces removes that PVC churn for the most frequent workloads.
For each pipeline:
- `git-clone` task becomes the first step of a single Task, using the git-clone StepAction from `tektoncd-catalog/git-clone` (pinned to `v1.7.0`) via the git resolver.
- `TaskRun` instead of a `PipelineRun`.
- `emptyDir` volume, so no PVC is created; the `tekton.dev/auto-cleanup-pvc` annotation is dropped.
Pipelines collapsed:
- `peribolos-sync`
- `terraform-branch-protection-sync`
- `deploy-from-folder`
- `deploy-configmap`
- `single-arch-build-and-push`
- `docker-multi-arch-build-and-push`
- `ko-multi-arch-build-and-push`
Now-inlined standalone Task files (`peribolos.yaml`, `terraform.yaml`) were removed and the relevant kustomizations updated.
`kubectl kustomize` builds cleanly for all touched directories.
The 4 tekton-ci pipelines (`request-pr-docs-reviewer`, `teps-linter`, `org-validation`, `diff-task-job`) are left for a follow-up.
Part of #3379
/kind cleanup