neon-vortex/tekton-pipeline.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-build-sa
  namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: gitea-webhook-secret
  namespace: default
type: Opaque
stringData:
  secretToken: "change-me-to-random-string"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-build-role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["create", "get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-build-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tekton-build-role
subjects:
- kind: ServiceAccount
  name: tekton-build-sa
  namespace: default
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: kaniko-build
  namespace: default
spec:
  params:
  - name: IMAGE
    description: Name (reference) of the image to build
  - name: DOCKERFILE
    description: Path to the Dockerfile to build
    default: ./Dockerfile
  - name: CONTEXT
    description: The build context used by Kaniko
    default: ./
  - name: EXTRA_ARGS
    default: ""
  - name: GIT_URL
    description: Git repository URL
  - name: GIT_REVISION
    description: Git revision to checkout
    default: main
  workspaces:
  - name: source
  - name: dockerconfig
    mountPath: /kaniko/.docker
  steps:
  - name: git-clone
    image: alpine/git:latest
    script: |
      #!/bin/sh
      set -e
      cd $(workspaces.source.path)
      git clone $(params.GIT_URL) .
      git checkout $(params.GIT_REVISION)
      echo "Cloned $(params.GIT_URL) at revision $(params.GIT_REVISION)"
  - name: build-and-push
    image: gcr.io/kaniko-project/executor:latest
    args:
    - $(params.EXTRA_ARGS)
    - --dockerfile=$(params.DOCKERFILE)
    - --context=$(workspaces.source.path)/$(params.CONTEXT)
    - --destination=$(params.IMAGE)
    - --cache=true
    - --cache-repo=$(params.IMAGE)/cache
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: neon-vortex-build-pipeline
  namespace: default
spec:
  params:
  - name: git-url
    type: string
  - name: git-revision
    type: string
    default: main
  - name: image-name
    type: string
  - name: image-tag
    type: string
  workspaces:
  - name: shared-workspace
  - name: docker-credentials
  tasks:
  - name: build-image
    taskRef:
      name: kaniko-build
    workspaces:
    - name: source
      workspace: shared-workspace
    - name: dockerconfig
      workspace: docker-credentials
    params:
    - name: IMAGE
      value: "$(params.image-name):$(params.image-tag)"
    - name: DOCKERFILE
      value: "./htlm/Dockerfile"
    - name: CONTEXT
      value: "htlm"
    - name: GIT_URL
      value: "$(params.git-url)"
    - name: GIT_REVISION
      value: "$(params.git-revision)"
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: neon-vortex-trigger-template
  namespace: default
spec:
  params:
  - name: git-revision
    description: The git revision
  - name: git-commit-message
    description: The git commit message
  - name: git-repo-url
    description: The git repository url
  resourcetemplates:
  - apiVersion: tekton.dev/v1beta1
    kind: PipelineRun
    metadata:
      generateName: neon-vortex-build-
      namespace: default
    spec:
      serviceAccountName: tekton-build-sa
      pipelineRef:
        name: neon-vortex-build-pipeline
      workspaces:
      - name: shared-workspace
        volumeClaimTemplate:
          spec:
            accessModes:
            - ReadWriteOnce
            resources:
              requests:
                storage: 1Gi
      - name: docker-credentials
        secret:
          secretName: harbor-registry
      params:
      - name: git-url
        value: $(tt.params.git-repo-url)
      - name: git-revision
        value: $(tt.params.git-revision)
      - name: image-name
        value: images.caffeinetux.com/apps/neon-vortex
      - name: image-tag
        value: v1.0.$(tt.params.git-revision)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: neon-vortex-trigger-binding
  namespace: default
spec:
  params:
  - name: git-repo-url
    value: $(body.repository.clone_url)
  - name: git-revision
    value: $(body.after)
  - name: git-commit-message
    value: $(body.head_commit.message)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: neon-vortex-listener
  namespace: default
spec:
  serviceAccountName: tekton-build-sa
  triggers:
  - name: gitea-push
    interceptors:
    - ref:
        name: "gitea"
      params:
      - name: "secretRef"
        value:
          secretName: gitea-webhook-secret
          secretKey: secretToken
      - name: "eventTypes"
        value: ["push"]
    bindings:
    - ref: neon-vortex-trigger-binding
    template:
      ref: neon-vortex-trigger-template
---
apiVersion: v1
kind: Service
metadata:
  name: el-neon-vortex-listener
  namespace: default
spec:
  type: NodePort
  ports:
  - port: 8080
    targetPort: 8080
    nodePort: 30081
  selector:
    eventlistener: neon-vortex-listener
Add complete CI/CD pipeline with Tekton and Flux image automation - Add Tekton pipeline and triggers for automated builds on git push - Add Flux ImageRepository to track Harbor registry images - Add Flux ImagePolicy for semantic versioning strategy - Add Flux ImageUpdateAutomation to auto-update HelmRelease - Update HelmRelease with image automation marker - Add comprehensive CI/CD pipeline setup documentation This enables automatic build and deployment when pushing to Gitea: 1. Gitea webhook triggers Tekton pipeline 2. Kaniko builds and pushes image to Harbor 3. Flux detects new image and updates deployment 4. Application automatically deploys to cluster 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-22 21:56:12 -05:00			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: tekton-build-sa`
			`namespace: default`
			`---`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: gitea-webhook-secret`
			`namespace: default`
			`type: Opaque`
			`stringData:`
			`secretToken: "change-me-to-random-string"`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: tekton-build-role`
			`namespace: default`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get"]`
			`- apiGroups: ["batch"]`
			`resources: ["jobs"]`
			`verbs: ["create", "get", "list", "watch", "delete"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: tekton-build-binding`
			`namespace: default`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: tekton-build-role`
			`subjects:`
			`- kind: ServiceAccount`
			`name: tekton-build-sa`
			`namespace: default`
			`---`
			`apiVersion: tekton.dev/v1beta1`
			`kind: Task`
			`metadata:`
			`name: kaniko-build`
			`namespace: default`
			`spec:`
			`params:`
			`- name: IMAGE`
			`description: Name (reference) of the image to build`
			`- name: DOCKERFILE`
			`description: Path to the Dockerfile to build`
			`default: ./Dockerfile`
			`- name: CONTEXT`
			`description: The build context used by Kaniko`
			`default: ./`
			`- name: EXTRA_ARGS`
			`default: ""`
			`- name: GIT_URL`
			`description: Git repository URL`
			`- name: GIT_REVISION`
			`description: Git revision to checkout`
			`default: main`
			`workspaces:`
			`- name: source`
			`- name: dockerconfig`
			`mountPath: /kaniko/.docker`
			`steps:`
			`- name: git-clone`
			`image: alpine/git:latest`
			`script: \|`
			`#!/bin/sh`
			`set -e`
			`cd $(workspaces.source.path)`
			`git clone $(params.GIT_URL) .`
			`git checkout $(params.GIT_REVISION)`
			`echo "Cloned $(params.GIT_URL) at revision $(params.GIT_REVISION)"`
			`- name: build-and-push`
			`image: gcr.io/kaniko-project/executor:latest`
			`args:`
			`- $(params.EXTRA_ARGS)`
			`- --dockerfile=$(params.DOCKERFILE)`
			`- --context=$(workspaces.source.path)/$(params.CONTEXT)`
			`- --destination=$(params.IMAGE)`
			`- --cache=true`
			`- --cache-repo=$(params.IMAGE)/cache`
			`---`
			`apiVersion: tekton.dev/v1beta1`
			`kind: Pipeline`
			`metadata:`
			`name: neon-vortex-build-pipeline`
			`namespace: default`
			`spec:`
			`params:`
			`- name: git-url`
			`type: string`
			`- name: git-revision`
			`type: string`
			`default: main`
			`- name: image-name`
			`type: string`
			`- name: image-tag`
			`type: string`
			`workspaces:`
			`- name: shared-workspace`
			`- name: docker-credentials`
			`tasks:`
			`- name: build-image`
			`taskRef:`
			`name: kaniko-build`
			`workspaces:`
			`- name: source`
			`workspace: shared-workspace`
			`- name: dockerconfig`
			`workspace: docker-credentials`
			`params:`
			`- name: IMAGE`
			`value: "$(params.image-name):$(params.image-tag)"`
			`- name: DOCKERFILE`
			`value: "./htlm/Dockerfile"`
			`- name: CONTEXT`
			`value: "htlm"`
			`- name: GIT_URL`
			`value: "$(params.git-url)"`
			`- name: GIT_REVISION`
			`value: "$(params.git-revision)"`
			`---`
			`apiVersion: triggers.tekton.dev/v1beta1`
			`kind: TriggerTemplate`
			`metadata:`
			`name: neon-vortex-trigger-template`
			`namespace: default`
			`spec:`
			`params:`
			`- name: git-revision`
			`description: The git revision`
			`- name: git-commit-message`
			`description: The git commit message`
			`- name: git-repo-url`
			`description: The git repository url`
			`resourcetemplates:`
			`- apiVersion: tekton.dev/v1beta1`
			`kind: PipelineRun`
			`metadata:`
			`generateName: neon-vortex-build-`
			`namespace: default`
			`spec:`
			`serviceAccountName: tekton-build-sa`
			`pipelineRef:`
			`name: neon-vortex-build-pipeline`
			`workspaces:`
			`- name: shared-workspace`
			`volumeClaimTemplate:`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`resources:`
			`requests:`
			`storage: 1Gi`
			`- name: docker-credentials`
			`secret:`
			`secretName: harbor-registry`
			`params:`
			`- name: git-url`
			`value: $(tt.params.git-repo-url)`
			`- name: git-revision`
			`value: $(tt.params.git-revision)`
			`- name: image-name`
			`value: images.caffeinetux.com/apps/neon-vortex`
			`- name: image-tag`
			`value: v1.0.$(tt.params.git-revision)`
			`---`
			`apiVersion: triggers.tekton.dev/v1beta1`
			`kind: TriggerBinding`
			`metadata:`
			`name: neon-vortex-trigger-binding`
			`namespace: default`
			`spec:`
			`params:`
			`- name: git-repo-url`
			`value: $(body.repository.clone_url)`
			`- name: git-revision`
			`value: $(body.after)`
			`- name: git-commit-message`
			`value: $(body.head_commit.message)`
			`---`
			`apiVersion: triggers.tekton.dev/v1beta1`
			`kind: EventListener`
			`metadata:`
			`name: neon-vortex-listener`
			`namespace: default`
			`spec:`
			`serviceAccountName: tekton-build-sa`
			`triggers:`
			`- name: gitea-push`
			`interceptors:`
			`- ref:`
			`name: "gitea"`
			`params:`
			`- name: "secretRef"`
			`value:`
			`secretName: gitea-webhook-secret`
			`secretKey: secretToken`
			`- name: "eventTypes"`
			`value: ["push"]`
			`bindings:`
			`- ref: neon-vortex-trigger-binding`
			`template:`
			`ref: neon-vortex-trigger-template`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: el-neon-vortex-listener`
			`namespace: default`
			`spec:`
			`type: NodePort`
			`ports:`
			`- port: 8080`
			`targetPort: 8080`
			`nodePort: 30081`
			`selector:`
			`eventlistener: neon-vortex-listener`