Add tekton pipelines

service/.sops.yaml

@@ -0,0 +1,5 @@
+creation_rules:
+  - path_regex: .*
+    key_groups:
+      - age:
+          - age1mrdee45qq36trja45u0wcem7c2mgydw35zkuhh97khgc7veanaaq29wzh4

service/helmfile.yaml

@@ -54,6 +54,15 @@ releases:
       - kube-system/cilium
       - kube-system/namespaces
   
+  - name: tekton-pipelines
+    namespace: tekton-system
+    createNamespace: false
+    chart: ../charts/tekton-pipelines
+    secrets:
+      - ./secrets/pipelines.yaml
+    needs:
+      - tekton-system/tekton
+  
   - name: cert-manager
     chart: zot/cert-manager
     version: v1.14.4

service/manifests/pipeline-run-cleanup.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: hetzner-cleanup
+  namespace: default
+spec:
+  params:
+    - name: namespace
+      value: default
+    - name: environment
+      value: default
+    - name: customer
+      value: allanger
+  pipelineRef:
+    resolver: cluster
+    params:
+      - name: kind
+        value: pipeline
+      - name: name
+        value: hetzner-cleanup
+      - name: namespace
+        value: tekton-pipelines
+  serviceAccountName: secret-manager

service/manifests/pipeline-run.yaml

@@ -1,8 +1,30 @@
 apiVersion: tekton.dev/v1beta1
 kind: PipelineRun
 metadata:
-  name: hetzner-k3s
+  generateName: hetzner-k3s
+  namespace: tekton-runtime
 spec:
+  params:
+    - name: namespace
+      value: default
+    - name: environment
+      value: default
+    - name: customer
+      value: allanger
   pipelineRef:
-    name: hetzner-k3s
-  serviceAccountName: default
+    resolver: cluster
+    params:
+      - name: kind
+        value: pipeline
+      - name: name
+        value: hetzner-k3s
+      - name: namespace
+        value: tekton-pipelines
+  workspaces:
+    - name: ssh-keys
+      emptyDir: {}
+    - name: inventory
+      emptyDir: {}
+    - name: kubeconfig-output
+      emptyDir: {}
+  serviceAccountName: secret-manager

service/manifests/pipeline.yaml

@@ -1,15 +0,0 @@
-apiVersion: tekton.dev/v1beta1
-kind: Pipeline
-metadata:
-  name: hetzner-k3s
-spec:
-  tasks:
-    - name: generate-ssh-keys
-      taskRef:
-        name: generate-ssh-keys
-    - name: prepare-hetzner-infra
-      taskRef:
-        name: prepare-hetzner-infra
-    - name: bootstrap-k3s
-      taskRef:
-        name: bootstrap-k3s

service/manifests/task.yaml

@@ -1,58 +0,0 @@
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: generate-ssh-keys
-spec:
-  steps:
-    - name: prepare-ssh-key
-      image: alpine
-      imagePullPolicy: Never
-      script: |-
-        #!/bin/sh
-        echo "Generate SSH keys"
-    - name: save-ssh-keys
-      image: alpine
-      script: |-
-        #!/bin/sh
-        echo "Save public and private keys to k8s secret"
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: prepare-hetzner-infra
-spec:
-  steps:
-    - name: create-hetzner-infra
-      image: alpine
-      imagePullPolicy: Never
-      script: |-
-        #!/bin/sh
-        echo "Create hetzner server and everything else"
-    - name: save-inventory
-      image: alpine
-      script: |-
-        #!/bin/sh
-        echo "Inventory file that is generated by ansible, must be saved to secrets"
----
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
-  name: bootstrap-k3s
-spec:
-  steps:
-    - name: prepare-servers
-      image: alpine
-      script: |
-        #!/bin/sh
-        echo "Prepere nodes"
-    - name: prepare-k3s
-      image: alpine
-      script: |-
-        #!/bin/sh
-        echo "Bootsrap k3s"
-    - name: save-kubeconfig
-      image: alpine
-      script: |-
-        #!/bin/sh
-        echo "check if kubeconfig is valid and save it to k8s secrets"

service/secrets/pipelines.yaml

@@ -0,0 +1,23 @@
+providers:
+    hetzner:
+        ageKey: ENC[AES256_GCM,data:xF5+jYQFI/F+o5t481gCKkh9e8I9oaZkBC28GjskAvpnda6EpknF9PgMHt3mmw7JPRU72ZRK+q7HVuILugZ+VEa0GGHNnGUO1t4=,iv:SUcXsEX4a766C/hkObRPHxRTKv0Ul+8uiu9Q/XrWKlA=,tag:pGTJbsicPXIb2ik8LTjnNg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mrdee45qq36trja45u0wcem7c2mgydw35zkuhh97khgc7veanaaq29wzh4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzTXVzeE8rUEVEcWE0OWwr
+            cjA1aVgxSDAwVjBIUUVpOHBGcjRTOEVkSWp3CjhERWlLOUplNGxMRCtEMVMxTXls
+            MGZQS0x6YXdiOG1XNTBGcVFoMEdodU0KLS0tIFZPc0FMbVpTZnZsMnhvdVY3Q1Va
+            b3cyZWV1dW5RakFseUxNdXZqaEtsVFUK0PJqIDXM7eBFN+mZ2FG8mEwajBzuGU1Y
+            iqC+5EMj3R2v+Dt+5P+dS/loYFo92YELyZgveFVzrgOArOKoEslrTQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-02T14:59:34Z"
+    mac: ENC[AES256_GCM,data:UL2PH2AmN3r2Z3hTm7lLDgd/+xte/DMgAXiJwl4gcfCBzdA0ThMvVsCBMjfuxwTTEKuJEBR4V2l68//wC0zgcV6IrjvNXrlP8nB1TsKIkEh+o9nF27zp6mLIBf5QP5BDrh0uKbj9gEsodHrAfjeaoNh9DhjgXHuabCLe1EVyxCI=,iv:xhjsriHCvDBa1iJRknImGtqIeEy/nepQdshAB4OKaVg=,tag:KqXlg9x0ajihelpnfrHk8g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1