From be4ad40c3dd0189b9607d5fb48aea0af10519fa2 Mon Sep 17 00:00:00 2001 From: Bakery Admin Date: Thu, 22 Jan 2026 17:29:56 +0100 Subject: [PATCH] Fix resources isues 11 --- .../tekton-helm/templates/event-listener.yaml | 8 +------- .../tekton-helm/templates/pipeline-ci.yaml | 1 - .../templates/task-detect-changes.yaml | 11 ++++++++++- .../tekton-helm/templates/task-git-clone.yaml | 9 +++++++++ .../templates/task-kaniko-build.yaml | 9 +++++++++ .../templates/task-pipeline-summary.yaml | 11 ++++++++++- .../tekton-helm/templates/task-run-tests.yaml | 18 ++++++++++++++++++ .../templates/task-update-gitops.yaml | 9 +++++++++ 8 files changed, 66 insertions(+), 10 deletions(-) diff --git a/infrastructure/cicd/tekton-helm/templates/event-listener.yaml b/infrastructure/cicd/tekton-helm/templates/event-listener.yaml index 7519d3c9..27dffcc3 100644 --- a/infrastructure/cicd/tekton-helm/templates/event-listener.yaml +++ b/infrastructure/cicd/tekton-helm/templates/event-listener.yaml @@ -16,16 +16,10 @@ spec: interceptors: - ref: name: "cel" + kind: ClusterInterceptor params: - name: "filter" value: "has(body.repository) && body.ref.contains('main')" - - ref: - name: "bitbucket" - params: - - name: "secretRef" - value: - secretName: gitea-webhook-secret - secretKey: secretToken bindings: - ref: bakery-ia-trigger-binding template: diff --git a/infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml b/infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml index f0fe810c..c2bd3338 100644 --- a/infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml +++ b/infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml @@ -19,7 +19,6 @@ spec: description: Docker registry credentials - name: git-credentials description: Git credentials for pushing GitOps updates - optional: true params: - name: git-url type: string 
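Review bot: Deleting the `bitbucket` interceptor block leaves this EventListener with no webhook authentication at all: the only remaining gate is the CEL filter on `body.repository`/`body.ref`, which anyone who can reach the listener Service can satisfy with a hand-made POST and thereby start a pipeline that pushes to the registry and to the GitOps repo. If the ref was removed because it failed to resolve (the `cel` ref in the same hunk needed `kind: ClusterInterceptor` added), the fix is to keep signature validation and add the kind, not to drop the check; Gitea sends `X-Hub-Signature`/`X-Hub-Signature-256` alongside `X-Gitea-Signature` as far as I recall, so the core `github` ClusterInterceptor with the same `secretRef` should validate it — confirm against your Gitea version, and place it before the CEL filter so the body is only inspected after it is authenticated. Separately, `body.ref.contains('main')` is a substring match that also fires for `refs/heads/maintenance` or a tag called `main-v2`; `body.ref == 'refs/heads/main'` is what the filter appears to intend. If signature validation genuinely cannot be restored yet, at minimum restrict the listener's Service/Ingress to the Gitea source address with a NetworkPolicy and record the accepted risk next to the resource.
```yaml
  interceptors:
    - ref:
        name: "github"
        kind: ClusterInterceptor
      params:
        - name: "secretRef"
          value:
            secretName: gitea-webhook-secret
            secretKey: secretToken
    - ref:
        name: "cel"
        kind: ClusterInterceptor
      params:
        - name: "filter"
          value: "has(body.repository) && body.ref == 'refs/heads/main'"
  # … unchanged: bindings / template …
```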
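Review bot: Dropping `optional: true` makes the `git-credentials` workspace mandatory for every PipelineRun, so the TriggerTemplate and any manual runs (neither is in this diff) must now bind it or the run is rejected at creation — please confirm the template binds it from a Secret. Since this workspace exists only to push GitOps updates, the credential behind it should be scoped to that one repository with write access (a deploy key or a Gitea token with minimal scope) rather than a personal token, so a compromised build step cannot reach anything else; a comment on the workspace saying so, e.g. `# bound from a Secret holding a write-scoped token for the GitOps repo only`, would keep that intent from eroding.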
diff --git a/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml index 5b05f59b..b7d9afd2 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml @@ -18,7 +18,16 @@ spec: description: Comma-separated list of changed services steps: - name: detect-changes - image: alpine/git + image: alpine/git:2.43.0 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault script: | #!/bin/bash set -e diff --git a/infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml b/infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml index 91438245..36a6eb2b 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml @@ -33,6 +33,15 @@ spec: steps: - name: clone image: alpine/git:2.43.0 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault script: | #!/bin/sh set -e diff --git a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml index 582bb912..94581fd2 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml @@ -40,6 +40,15 @@ spec: steps: - name: build-and-push image: gcr.io/kaniko-project/executor:v1.15.0 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault env: - name: DOCKER_CONFIG value: /tekton/home/.docker 
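Review bot: The step now pins `alpine/git:2.43.0`, but the script two context lines below still starts with `#!/bin/bash`, and that image ships busybox `sh` only (no bash package), so the step will most likely fail at exec time with `/bin/bash: no such file or directory` — the sibling `clone` step on the same image uses `#!/bin/sh`, so change this shebang to `#!/bin/sh` (the `set -e` under it is POSIX). The hardening itself is right; for a supply-chain-sensitive CI step I would go one step further and pin by digest, `alpine/git:2.43.0@sha256:…`, and let the renovation bot bump it. The remainder of the script is outside the hunk, so I cannot tell whether it relies on bash-only constructs such as arrays or `[[`.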
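Review bot: `runAsUser: 65532` on the clone step only works if the workspace it clones into is writable by that uid; a PVC-backed workspace is usually mounted root-owned 0755, so the clone will fail with a permission error unless the PipelineRun's `podTemplate.securityContext.fsGroup: 65532` (the pattern Tekton's catalog git-clone task documents) is set, presumably in the chart's TriggerTemplate. That dependency deserves a comment on the securityContext, e.g. `# uid 65532 (nonroot); PipelineRun podTemplate must set fsGroup: 65532 so the workspace PVC is writable`. Note also that git 2.35.2+ refuses to operate on a checkout owned by a different uid (`safe.directory`), so every step touching the checkout must use this same uid — the commit does that consistently, which is good, but it is an invariant worth stating once at the pipeline level. The clone script body lies outside the hunk.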
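Review bot: Kaniko's executor is, as far as I know, built to run as uid 0 inside its container — it unpacks base-image layers onto `/` and chowns files — so `runAsNonRoot: true`/`runAsUser: 65532` with every capability dropped will most likely make `build-and-push` fail with permission errors at the first `RUN`/`COPY`, or already when writing its `/kaniko/` state; this is a kaniko limitation, not something a securityContext in this chart can fix. If the build has to stay root, keep `allowPrivilegeEscalation: false` and the seccomp profile, document the exception next to the step (`# kaniko needs uid 0 to extract layers; compensating controls: dedicated namespace, NetworkPolicy, no SA token`), and compensate with `automountServiceAccountToken: false` on the pipeline pod and a sandboxed RuntimeClass for this task — or move to a rootless builder such as BuildKit rootless or buildah. Whichever uid the step ends up with, check that the registry credentials materialised under `DOCKER_CONFIG=/tekton/home/.docker` are readable by it, since that path is populated by Tekton outside this step.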
diff --git a/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml b/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml index 89fea9cd..f5e78426 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml @@ -19,7 +19,16 @@ spec: description: Git revision being processed steps: - name: generate-summary - image: alpine + image: alpine:3.19 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault script: | #!/bin/bash set -e diff --git a/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml b/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml index 2b303e31..ff0ebd1a 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml @@ -24,6 +24,15 @@ spec: steps: - name: run-unit-tests image: registry.bakewise.ai/bakery-admin/python:3.11-slim + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault workingDir: $(workspaces.source.path) script: | #!/bin/bash @@ -58,6 +67,15 @@ spec: memory: 512Mi - name: run-integration-tests image: registry.bakewise.ai/bakery-admin/python:3.11-slim + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault workingDir: $(workspaces.source.path) script: | #!/bin/bash diff --git a/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml b/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml index ffc82adb..10fd7bd8 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml 
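Review bot: `alpine:3.19` does not contain bash (the official alpine image has only busybox), yet the script two context lines below still begins with `#!/bin/bash`, so pinning the tag is right but the step will fail at exec with `/bin/bash: no such file or directory` — and probably already did on the floating `alpine` tag. Change the shebang to `#!/bin/sh` (`set -e` is POSIX), or if the script needs bash features pick an image that ships it rather than `apk add` at run time. Pinning by digest, `alpine:3.19@sha256:…`, would additionally make the summary step reproducible. The script body continues outside the hunk.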
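Review bot: Running `python:3.11-slim` as uid 65532 — a uid with no `/etc/passwd` entry in that image — most likely leaves `$HOME` pointing at an unwritable directory, and the global site-packages under `/usr/local/lib/python3.11` are root-owned, so any `pip install` the test script performs (the body is outside the hunk) will either fail or fall back to a cache it cannot write. If dependencies are installed at run time, set `HOME=/tmp` and `PIP_CACHE_DIR=/tmp/pip` on the step and install into a venv under the workspace, or better pre-bake them into `registry.bakewise.ai/bakery-admin/python` so the test step fetches nothing from the network at all, which is also the stronger supply-chain posture. Once writes are confined to `/tmp` and the workspace, `readOnlyRootFilesystem: true` is a cheap addition for a test step.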
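Review bot: This is the seventh verbatim copy of the same nine-line securityContext in the chart, and two of them sit in this one file; in a Helm chart that is exactly what a named template is for. Define it once in `_helpers.tpl`, e.g. `bakery-ia.stepSecurityContext`, and replace each copy with `securityContext: {{- include "bakery-ia.stepSecurityContext" . | nindent 8 }}` (indent adjusted to the step), surfacing the uid as `.Values.steps.runAsUser` with default `65532` so a later change to the user cannot leave one task behind. The two test steps in this file in particular should not be able to drift apart.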
@@ -35,6 +35,15 @@ spec: steps: - name: update-manifests image: alpine/git:2.43.0 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault workingDir: $(workspaces.source.path) env: - name: GIT_USERNAME
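Review bot: With `update-manifests` now running as uid 65532, which has no `/etc/passwd` entry in `alpine/git`, git has no writable `$HOME` and no auto-detectable identity, so the commit this step presumably makes (the body is outside the hunk, as is the `GIT_USERNAME` env it starts) will fail with "unable to auto-detect email address" unless the script passes `-c user.name=… -c user.email=…` or the `GIT_AUTHOR_NAME`/`GIT_COMMITTER_EMAIL` family is set alongside `GIT_USERNAME`. Also set `HOME` explicitly (the workspace or `/tmp`) so the credential helper and any `safe.directory` config have somewhere writable to live. The uid must match the one that ran `clone` or git 2.43 rejects the checkout as dubiously owned — it does here, but since the step continues past the hunk I cannot confirm the push path itself.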