Installation
The supported install method is the Helm chart, published as an OCI artifact (Cosign-signed):
```shell
helm install tekton-events-relay \
  oci://ghcr.io/fabioluciano/charts/tekton-events-relay \
  --namespace tekton-events-relay --create-namespace \
  -f values.yaml
```

The chart renders your config: values into the application ConfigMap, mounts the referenced Secrets at the conventional paths, and wires probes, ServiceMonitor, PodDisruptionBudget, HPA and NetworkPolicy. A values.schema.json validates your values at install time — typos fail helm install, not the pod.
```yaml
replicaCount: 1   # >1 requires config.store.backend valkey/olric — see Operations
config:
  dashboard_url: "https://tekton.company.example.com"
  scm:
    github:
      - name: github            # matched by the scm.provider annotation
        enabled: true
        auth:
          secretRef:
            name: github-token  # Secret with key "token"
        actions:
          - name: ci-status
            type: commit_status
            enabled: true
          - name: pr-summary
            type: pr_comment
            enabled: true
            mode: upsert
            when: 'isPipelineRun() && stateIn("success", "failure")'
            template: |
              ## Pipeline {{.State}}
              **Run:** {{.RunName}} · `{{ .CommitSHA | trunc 8 }}`
  notifiers:
    slack:
      - name: prod-alerts
        enabled: true
        secretRef:
          name: slack-webhook   # Secret with key "webhook_url"
        channel: "#prod-alerts"
        when: 'event.Namespace == "production" && stateIn("failure", "error")'
```

You create plain Kubernetes Secrets; the chart mounts them read-only under /etc/secrets/<provider>/<instance>/ and points the app config at the files. Conventional keys:
| Where | Values key | Secret key(s) |
|---|---|---|
| GitHub (token) | auth.secretRef.name | token |
| GitHub (App) | auth.app_id, auth.installation_id, auth.private_key.secretRef.name | private-key.pem |
| GitLab / Gitea (PAT) | auth.secretRef.name | token |
| GitLab / Gitea / Bitbucket (OAuth2) | auth.oauth2.client_id.secretRef.name, auth.oauth2.client_secret.secretRef.name + token_url | client_id, client_secret |
| Bitbucket Cloud | auth.username.secretRef.name, auth.app_password.secretRef.name | username, app_password |
| Bitbucket Server / Azure DevOps / SourceHut | secretRef.name | token |
| Slack / Teams / Discord | webhook_url.secretRef.name (or bot_token.token.secretRef.name for Slack/Discord bots) | webhook_url (or token) |
| PagerDuty | integration_key.secretRef.name | integration_key |
| Datadog | api_key.secretRef.name | api_key |
| Grafana / Sentry | token.secretRef.name | token |
| Webhook | url.secretRef.name | url |
| Receiver auth | config.server.auth.secret_file | (file path; mount it yourself or via env expansion) |

A custom secretRef.key field is available where you need a non-default key name.
Point the Tekton controller's CloudEvents sink at the relay Service (config-defaults ConfigMap in tekton-pipelines):
```yaml
data:
  default-cloud-events-sink: http://tekton-events-relay.tekton-events-relay.svc.cluster.local
```

Then annotate your PipelineRuns.
When using config.store.valkey.embedded.enabled: true, the chart deploys a Valkey subchart. You must first add the Valkey Helm repo:
```shell
helm repo add valkey https://valkey.io/valkey-helm/
helm dependency build charts/tekton-events-relay
```

Without this step, helm install or helm template will fail with a missing dependency error.
| Values key | Default | Notes |
|---|---|---|
| replicaCount | 1 | 1 unless you configured a shared store. |
| config.store.* | memory | Valkey/Olric backends; Olric mode auto-creates the gossip headless Service + NetworkPolicy rules. |
| config.dlq.enabled | false | Mounts a writable emptyDir and enables the DLQ API. |
| config.server.auth.* | off | HMAC/bearer auth + optional timestamp replay protection. |
| config.server.tls.* | off | Native HTTPS (mount your cert via extra volumes). |
| networkPolicy.enabled | true | DNS + 443/80 egress; conditional Valkey/Olric rules. networkPolicy.valkeyPort if non-6379. |
| autoscaling.* | off | Only enable with a shared store. |
| serviceMonitor / probes / PDB | sensible defaults | Standard knobs. |
| templates.enabled | off | Ship large message templates as a separate ConfigMap. Reference them with template.configmapRef.name / template.configmapRef.key. |

```shell
cosign verify \
  --certificate-identity-regexp='https://github.com/fabioluciano/tekton-events-relay' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  ghcr.io/fabioluciano/tekton-events-relay:latest
```

(same command with oci://ghcr.io/fabioluciano/charts/tekton-events-relay for the chart).
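
An added example, not part of the project's documentation: cosign matches --certificate-identity-regexp with Go's regexp package, which accepts a match anywhere in the identity unless the pattern is anchored. The sketch below uses grep -E as a stand-in to compare the page's pattern with an anchored one against constructed GitHub Actions identities; the workflow file name, the sibling repository name and the tag are hypothetical.

```shell
# Added example (not the project's code): scope of an unanchored identity regexp.
# grep -E stands in for cosign's Go regexp engine; these patterns behave the same in both.

PAGE_RE='https://github.com/fabioluciano/tekton-events-relay'       # pattern from the page
STRICT_RE='^https://github\.com/fabioluciano/tekton-events-relay/'  # anchored, ends at the repo boundary

# identity_matches REGEXP IDENTITY -> exit status 0 if the identity would be accepted
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Constructed identities in the GitHub Actions keyless format:
#   https://github.com/OWNER/REPO/.github/workflows/FILE@REF
# release.yml, the "-mirror" repository and the tag are hypothetical.
GENUINE='https://github.com/fabioluciano/tekton-events-relay/.github/workflows/release.yml@refs/tags/v0.0.0'
OTHER_REPO='https://github.com/fabioluciano/tekton-events-relay-mirror/.github/workflows/release.yml@refs/heads/main'

# report -> print which pattern accepts which identity
report() {
  for id in "$GENUINE" "$OTHER_REPO"; do
    for re in "$PAGE_RE" "$STRICT_RE"; do
      if identity_matches "$re" "$id"; then verdict=ACCEPT; else verdict=reject; fi
      printf '%-7s %s\n        identity: %s\n' "$verdict" "$re" "$id"
    done
  done
}

# verify_cmd REF -> print the verification command with the anchored pattern.
# REF is supplied by the caller, ideally image@sha256:<digest> rather than a tag.
verify_cmd() {
  printf "cosign verify --certificate-identity-regexp='%s' --certificate-oidc-issuer='https://token.actions.githubusercontent.com' %s\n" \
    "$STRICT_RE" "$1"
}

report
```

Verifying by digest (image@sha256:...) rather than :latest ties the check to the exact artifact you deploy.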
To upgrade, run helm upgrade with your values. Config-only changes don't even need a rollout: the relay hot-reloads the ConfigMap when Kubernetes propagates it (typically within a minute), validating before applying. Check tekton_events_relay_config_reloads_total or the logs to confirm.