Tekton Triggers

EventListener

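---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: gitlab-listener-interceptor
spec:
  serviceAccountName: tekton-triggers
  triggers:
    - name: gitlab-listener
      interceptors:
        # Checks the X-Gitlab-Token header against the Secret below and only
        # passes the listed event types on to the next interceptor.
        - gitlab:
            secretRef:
              secretName: gitlab-secret
              secretKey: secretToken
            eventTypes:
              - "Push Hook"
        - cel:
            # The gitlab interceptor above already does the header and token
            # check; this was the equivalent CEL form, kept for reference.
            # filter: header.match('X-Gitlab-Event', 'Push Hook') && header.canonical('X-Gitlab-Token').compareSecret('secretToken', 'gitlab-secret')
            #
            # Drop events whose head commit asks to skip CI. The size() guard
            # keeps a push that carries no commits (presumably a branch
            # deletion — confirm against the GitLab payload) from failing the
            # interceptor with an index error on body.commits[0] and instead
            # rejects it like any other filtered event.
            filter: >-
              size(body.commits) > 0 &&
              body.commits[0].message.indexOf('[skip ci]') == -1 &&
              body.commits[0].message.indexOf('[ci skip]') == -1
            overlays:
              # refs/heads/<branch> -> third path segment only, so a branch
              # such as feature/foo arrives downstream as "feature".
              - key: branch_name
                expression: "body.ref.split('/')[2]"
              - key: commit_id
                expression: "body.commits[0].id.truncate(7)"
      bindings:
        - ref: pipeline-binding
      template:
        ref: pipeline-template
  resources:
    kubernetesResource:
      # NodePort publishes the listener on every node's address without TLS;
      # for anything beyond a lab, put an Ingress/LoadBalancer with TLS in
      # front and rely on the token check above as the second factor.
      serviceType: NodePort
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
type: Opaque
stringData:
  # Shared webhook token the gitlab interceptor compares with X-Gitlab-Token.
  # Tutorial placeholder: replace it, and create the real Secret from an
  # environment variable or secret store rather than committing the value.
  secretToken: "cloudnative"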

RBAC

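---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers
  # No namespace is set, so the account lands wherever kubectl applies it.
  # The ClusterRoleBinding at the end hard-codes "default"; keep both in sync.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers
rules:
  # EventListeners need to be able to fetch all namespaced resources
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers"]
    verbs: ["get", "list", "watch"]
  # secrets are only needed for GitHub/GitLab interceptors
  # configmaps is needed for updating logging config
  # Note this is read access to every Secret in the namespace, not just
  # gitlab-secret; running the listener in its own namespace limits the blast
  # radius.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
  # Permissions to create resources in associated TriggerTemplates
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "pipelineresources", "taskruns"]
    verbs: ["create", "delete"]
  # Lets the listener act as other ServiceAccounts in this namespace
  # (presumably for Triggers that set their own serviceAccountName — confirm);
  # drop the rule if nothing here needs it.
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["tekton-triggers"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers
subjects:
  - kind: ServiceAccount
    name: tekton-triggers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-triggers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-cluster
rules:
  # EventListeners need to be able to fetch any clustertriggerbindings
  - apiGroups: ["triggers.tekton.dev"]
    resources: ["clustertriggerbindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-triggers-cluster
subjects:
  - kind: ServiceAccount
    name: tekton-triggers
    # Must be the namespace the ServiceAccount above was created in.
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tekton-triggers-cluster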

TriggerBinding

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerBinding
metadata:
  name: pipeline-binding
spec:
  # Each param is read from the GitLab Push Hook body or from the CEL
  # overlays (extensions.*) the EventListener adds.
  params:
    - name: git-url
      value: '$(body.repository.url)'
    # Branch name, not a commit SHA: the pipeline checks out whatever the
    # branch points at when the run starts, which may already be a later
    # push. Bind body.after / body.checkout_sha instead if the run must build
    # exactly the commit the event was sent for.
    - name: git-revision
      value: '$(extensions.branch_name)'
    - name: server-name
      value: '$(body.repository.name)'
    # Free-form text written by whoever pushed. Not declared in the
    # TriggerTemplate on this page; if it is consumed later, pass it as a
    # param value only and never splice it into a shell line.
    - name: message
      value: '$(body.commits[0].message)'
    - name: commit-id
      value: '$(extensions.commit_id)'
# Author's note, presumably how the message value was checked locally:
# git log --pretty=%B | awk 'NR==1 {print $NF}'

TriggerTemplate

---
apiVersion: triggers.tekton.dev/v1alpha1
kind: TriggerTemplate
metadata:
  name: pipeline-template
spec:
  # Only these four params are substituted; the binding's "message" param is
  # not declared here and so is not available as $(tt.params.message).
  params:
    - name: git-url
      description: The git repository url
    - name: git-revision
      description: The git revision
    - name: server-name
      description: The server name
    - name: commit-id
      description: The git commit id
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        # Repo and branch names are used both as label values and in the run
        # name. Label values and generateName prefixes each have their own
        # character and length rules, so an unusual branch name can make the
        # create call fail; the commit-id param is the safer choice if the
        # name must always be valid.
        labels:
          app: $(tt.params.server-name)
          branch: $(tt.params.git-revision)
        generateName: $(tt.params.server-name)-$(tt.params.git-revision)-
      spec:
        pipelineRef:
          name: kubernetes-pipeline
        params:
          - name: git-url
            value: $(tt.params.git-url)
          - name: git-revision
            value: $(tt.params.git-revision)
          - name: server-name
            value: $(tt.params.server-name)
          - name: commit-id
            value: $(tt.params.commit-id)