Installation

Fábio Luciano edited this page Jun 13, 2026 · 6 revisions

The supported install method is the Helm chart, published as an OCI artifact (Cosign-signed):

helm install tekton-events-relay \
  oci://ghcr.io/fabioluciano/charts/tekton-events-relay \
  --namespace tekton-events-relay --create-namespace \
  -f values.yaml

The chart renders the values under your config: key into the application ConfigMap, mounts the referenced Secrets at the conventional paths, and wires up probes, ServiceMonitor, PodDisruptionBudget, HPA and NetworkPolicy. A values.schema.json validates your values at install time, so typos fail helm install, not the pod.

A realistic values file

replicaCount: 1            # >1 requires config.store.backend valkey/olric — see Operations

config:
  dashboard_url: "https://tekton.company.example.com"

  scm:
    github:
      - name: github       # matched by the scm.provider annotation
        enabled: true
        auth:
          secretRef:
            secretName: github-token       # Secret with key "token"
        actions:
          - name: ci-status
            type: commit_status
            enabled: true
          - name: pr-summary
            type: pr_comment
            enabled: true
            mode: upsert
            when: 'isPipelineRun() && stateIn("success", "failure")'
            template: |
              ## Pipeline {{.State}}
              **Run:** {{.RunName}} · `{{ .CommitSHA | trunc 8 }}`

  notifiers:
    slack:
      - name: prod-alerts
        enabled: true
        secretRef:
          secretName: slack-webhook         # Secret with key "webhook_url"
        channel: "#prod-alerts"
        when: 'event.Namespace == "production" && stateIn("failure", "error")'

Secrets

You create plain Kubernetes Secrets; the chart mounts them read-only under /etc/secrets/<provider>/<instance>/ and points the app config at the files. Conventional keys:

| Where | Values key | Secret key(s) |
| --- | --- | --- |
| GitHub (token) | auth.secretRef.secretName | token |
| GitHub (App) | auth.app_id, auth.installation_id, auth.privateKeyRef.secretName | private-key.pem |
| GitLab / Gitea (PAT) | auth.secretRef.secretName | token |
| GitLab / Gitea / Bitbucket (OAuth2) | auth.oauth2.clientIdRef.secretName, auth.oauth2.clientSecretRef.secretName + token_url | client_id, client_secret |
| Bitbucket Cloud | auth.usernameRef.secretName, auth.appPasswordRef.secretName | username, app_password |
| Bitbucket Server / Azure DevOps / SourceHut | secretRef.secretName | token |
| Slack / Teams / Discord | secretRef.secretName (or bot_token.tokenRef.secretName for Slack/Discord bots) | webhook_url (or token) |
| PagerDuty | secretRef.secretName | integration_key |
| Datadog | secretRef.secretName | api_key |
| Grafana / Sentry | secretRef.secretName | token |
| Webhook | secretRef.secretName | url |
| Receiver auth | config.server.auth.secret_file | (file path; mount it yourself or via env expansion) |

A custom secretRef.secretKey field is available where you need a non-default key name.

Connecting Tekton

Point the Tekton controller's CloudEvents sink at the relay Service (config-defaults ConfigMap in tekton-pipelines):

data:
  default-cloud-events-sink: http://tekton-events-relay.tekton-events-relay.svc.cluster.local

Then annotate your PipelineRuns.

Chart switches worth knowing

| Values key | Default | Notes |
| --- | --- | --- |
| replicaCount | 1 | ⚠️ Set to 1 unless you configured a shared store. |
| config.store.* | memory | Valkey/Olric backends; Olric mode auto-creates the gossip headless Service + NetworkPolicy rules. |
| config.dlq.enabled | false | Mounts a writable emptyDir and enables the DLQ API. |
| config.server.auth.* | off | HMAC/bearer auth + optional timestamp replay protection. |
| config.server.tls.* | off | Native HTTPS (mount your cert via extra volumes). |
| networkPolicy.enabled | true | DNS + 443/80 egress; conditional Valkey/Olric rules. networkPolicy.valkeyPort if non-6379. |
| autoscaling.* | off | Only enable with a shared store. |
| serviceMonitor / probes / PDB | sensible defaults | Standard knobs. |
| templates.enabled | off | Ship large message templates as a separate ConfigMap. Reference them with templateRef.configmapName / templateRef.configmapKey. |

Verifying signatures

cosign verify \
  --certificate-identity-regexp='https://github.com/fabioluciano/tekton-events-relay' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  ghcr.io/fabioluciano/tekton-events-relay:latest

(same command with oci://ghcr.io/fabioluciano/charts/tekton-events-relay for the chart).
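
An added example (not part of the project's wiki or code) comparing which signer identities the identity regexp in the command above accepts with an anchored variant. It assumes the pattern is applied as an unanchored search, as Go's regexp MatchString does, and uses grep -E as a stand-in; the workflow path, tag, and the sibling and other-owner repository names are constructed.

```shell
#!/bin/sh
# Added example: which certificate identities does each regexp accept?
# Assumption: the identity regexp is applied as an unanchored search;
# grep -E reproduces that behaviour for these simple patterns.

REPO='https://github.com/fabioluciano/tekton-events-relay'

# Pattern exactly as written in the verify command on this page.
PAGE_RE="$REPO"
# Tightened pattern: dot escaped, anchored at the start, and closed with
# the "/" that ends the repository name.
STRICT_RE='^https://github\.com/fabioluciano/tekton-events-relay/'

# Constructed identities; workflow path and tag are hypothetical.
WF='.github/workflows/release.yml@refs/tags/v1.0.0'
ID_EXPECTED="${REPO}/${WF}"
# A different repository whose name only starts with the same string.
ID_SIBLING="${REPO}-staging/${WF}"
# Control: a different owner, which both patterns should refuse.
ID_OTHER_OWNER="https://github.com/fabioluciano-mirror/tekton-events-relay/${WF}"

# check_identity PATTERN IDENTITY -> prints "accept" or "reject"
check_identity() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo accept
    else
        echo reject
    fi
}

# report PATTERN -> one verdict line per constructed identity
report() {
    for id in "$ID_EXPECTED" "$ID_SIBLING" "$ID_OTHER_OWNER"; do
        printf '%-7s %s\n' "$(check_identity "$1" "$id")" "$id"
    done
}

echo "pattern from the page:"
report "$PAGE_RE"
echo "anchored pattern:"
report "$STRICT_RE"
```

The anchored pattern can be passed as the --certificate-identity-regexp value in the cosign verify command above.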

Upgrades

Run helm upgrade with your values. Config-only changes don't even need a rollout: the relay hot-reloads the ConfigMap when Kubernetes propagates it (typically within a minute), validating before applying. Check tekton_events_relay_config_reloads_total or the logs to confirm.
