Tekton
Purpose
Tekton provides the controller layer for Lumie's build system. The platform installs Tekton Pipelines, Tekton Triggers, and Tekton Dashboard as separate Argo CD applications, then layers Lumie-specific Pipeline, Task, TriggerTemplate, and EventListener resources on top through the tekton-ci-cd application.
This page is a reference document for developers changing Tekton installation, namespace behavior, image rewrite policy, or the boundary between upstream Tekton releases and Lumie CI definitions. For the build flow itself, see CI/CD.
Source Paths
| Path | Role |
|---|---|
| lumie-infra/applications/tekton/pipeline/argocd.yaml | Argo CD application for Tekton Pipelines |
| lumie-infra/applications/tekton/pipeline/kustomization.yaml | Pulls the upstream Tekton Pipeline release and rewrites images to Zot |
| lumie-infra/applications/tekton/triggers/argocd.yaml | Argo CD application for Tekton Triggers |
| lumie-infra/applications/tekton/triggers/kustomization.yaml | Pulls the upstream Triggers and interceptor releases and rewrites images to Zot |
| lumie-infra/applications/tekton/dashboard/argocd.yaml | Argo CD application for Tekton Dashboard |
| lumie-infra/applications/tekton/dashboard/kustomization.yaml | Pulls the upstream Dashboard release and applies resource overrides |
| lumie-infra/applications/tekton/ci-cd/argocd.yaml | Argo CD application for the Lumie-specific Tekton runtime objects |
Installed Components
| Application | Namespace | Source |
|---|---|---|
| tekton-pipeline | tekton-pipelines | Upstream manifest endpoint referenced by applications/tekton/pipeline/kustomization.yaml, with mirrored image tags pinned to v1.6.0 |
| tekton-triggers | tekton-pipelines | Upstream manifest endpoints referenced by applications/tekton/triggers/kustomization.yaml, with mirrored image tags pinned to v0.34.0 |
| tekton-dashboard | tekton-pipelines | Upstream manifest endpoint referenced by applications/tekton/dashboard/kustomization.yaml, with the mirrored dashboard image pinned to v0.63.1 |
| tekton-ci-cd | tekton-pipelines | Lumie repo-local manifests under applications/tekton/ci-cd/manifests |
All four applications are GitOps-managed by Argo CD.
Runtime Topology
Namespace And Image Policy
The Tekton namespace is intentionally special:
- `applications/tekton/pipeline/kustomization.yaml` labels `tekton-pipelines` with `pod-security.kubernetes.io/enforce: privileged`. Because the tekton-ci-cd runtime objects live in the same namespace, Pod Security Admission places no restriction on TaskRun pods; any workload constraint has to come from the Pipeline and Task definitions themselves.
- The same file also enables `goldilocks.fairwinds.com/enabled: "true"` for the main and resolver namespaces.
- The controller-install kustomizations intentionally track moving upstream release endpoints, but every checked-in `images:` rewrite pins the mirrored controller images to explicit tags under `zot.lumie-infra.com/...`.
This is the main invariant:
```yaml
images:
  - name: ghcr.io/tektoncd/pipeline/controller-10a3e32792f33651396d02b6855a6e36
    newName: zot.lumie-infra.com/tektoncd/pipeline/controller-10a3e32792f33651396d02b6855a6e36
    newTag: v1.6.0
```
Kustomize matches the `name:` exactly. If an upstream release renames an image or changes the hash suffix, the rewrite silently stops matching: the rendered manifest keeps the upstream ghcr.io reference, the cluster pulls from ghcr.io instead of Zot, and the version pin is lost. Argo CD still reports the application Synced, because the rendered manifest and the cluster agree, so this drift is only visible by comparing the image names in the upstream manifest against the checked-in `images:` entries.
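A rendering-time check for the silent fallback described above, added here as an example rather than code from lumie-infra: it renders a kustomization with `kustomize build` and lists every image reference that is not served from the Zot mirror. It scans both container `image:` fields and `-<name>-image=` controller arguments, because the kustomize `images:` transformer only rewrites the former, which is why the triggers kustomization has to patch the sink image argument separately. The mirror prefix `zot.lumie-infra.com/` is taken from the rewrite above; the `kustomize` binary on PATH and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from lumie-infra): find controller images that bypass the Zot mirror.
# Usage from the repo root:  check_kustomization applications/tekton/pipeline
# MIRROR_PREFIX is an assumption taken from the images: rewrite shown on this page.
MIRROR_PREFIX="zot.lumie-infra.com/"

# Read rendered manifests on stdin and print every image reference that does
# not start with the mirror prefix.  Two places are checked, because the
# kustomize images: transformer only rewrites image: fields:
#   1. container image: values
#   2. -<name>-image=<ref> controller args (how Tekton passes sink/sidecar images)
unmirrored_images() {
  sed -n \
    -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' \
    -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*["'"'"']\{0,1\}-\{1,2\}[a-z-]*-image=//p' \
  | sed 's/["'"'"',]//g' \
  | grep -v "^${MIRROR_PREFIX}" || true
}

# Render one kustomization directory and fail if anything bypasses the mirror.
check_kustomization() {
  dir=$1
  bad=$(kustomize build "$dir" | unmirrored_images)
  if [ -n "$bad" ]; then
    printf 'images bypassing Zot in %s:\n%s\n' "$dir" "$bad" >&2
    return 1
  fi
  printf 'all images in %s come from %s\n' "$dir" "$MIRROR_PREFIX"
}
```

Run `check_kustomization` against each of the three install directories after every upstream bump; a non-empty listing means an `images:` entry no longer matches the upstream name and the cluster would pull that image from ghcr.io even though Argo CD reports Synced.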
Ownership Boundaries
| Responsibility | Owner |
|---|---|
| Installing Tekton CRDs and controllers | applications/tekton/pipeline and applications/tekton/triggers |
| Tekton dashboard | applications/tekton/dashboard |
| Lumie pipelines, tasks, triggers, quotas, and cleanup | applications/tekton/ci-cd |
| Image content | Zot, not the upstream registries directly |
Failure And Drift Behavior
| Failure point | Behavior |
|---|---|
| Upstream release changes image names | Kustomize images: rewrites match on exact name, so the unmatched image keeps its upstream reference and is pulled from ghcr.io instead of Zot while Argo CD still reports Synced |
| Tekton CRD status changes | Argo CD ignores CRD status diffs in the tekton-pipeline, tekton-triggers, and tekton-dashboard apps |
| EventListener sink image mismatch | applications/tekton/triggers/kustomization.yaml patches the controller arg at index 4 by position; if an upstream release inserts, removes, or reorders controller args, that patch either fails to apply or rewrites the wrong flag, so it must be rechecked on every Triggers bump |
| CI runtime object churn | Expected; long-lived cleanup is handled by tekton-ci-cd, not the controller installs |
Verification
```sh
cd lumie-infra
rg -n "storage.googleapis.com/tekton-releases|infra.tekton.dev|zot.lumie-infra.com/tektoncd|pod-security.kubernetes.io/enforce" \
  applications/tekton
kubectl get applications tekton-pipeline tekton-triggers tekton-dashboard tekton-ci-cd -n argocd
kubectl get deploy -n tekton-pipelines
kubectl get crd | rg "tekton|triggers"
```
Success signals:
- All four Argo CD applications are `Healthy` and `Synced`.
- The `tekton-pipelines` namespace contains the expected controller deployments, including `tekton-pipelines-webhook`, `tekton-pipelines-remote-resolvers`, `tekton-triggers-controller`, and `tekton-dashboard`.
- CRDs for `tekton.dev` and `triggers.tekton.dev` exist before the Lumie-specific `tekton-ci-cd` objects reconcile.
- The repo grep still shows `zot.lumie-infra.com/tektoncd/...` image rewrites matching the upstream manifest references declared in the three install kustomizations.