Configuration Reference

The relay reads a single YAML file (default /etc/tekton-events-relay/config.yaml, mounted by the Helm chart from a ConfigMap). Validate any file without starting the server:

tekton-events-relay --validate --config ./config.yaml

${UPPERCASE_VARS} references are expanded from the environment for non-secret values. Secrets are always file-based (*_file keys pointing at mounted Secret volumes) and are never taken from environment variables. Most sections can be hot-reloaded; changes to server, store, dlq, logging and tracing take effect only after a restart.

A complete annotated example lives at examples/config.yaml.

Top level

| Key | Default | Description |
|---|---|---|
| dashboard_url | — | Tekton Dashboard base URL; when set, events get a clickable TargetURL (…/#/namespaces/<ns>/<kind>/<run>). |
| dedupe_size | 10000 | Capacity of the in-memory dedupe cache (store.backend: memory only). |
| max_concurrency | 100 | Max handlers executing concurrently per event (1–500). |
| handler_timeout | 10s | Per-handler execution deadline; a slow provider can't stall the dispatch. |

server

| Key | Default | Description |
|---|---|---|
| addr | :8080 | Receiver listen address. |
| metrics_addr | — | Optional separate metrics/health server (e.g. :9090). |
| read_timeout_sec / write_timeout_sec | 10 / 10 | HTTP timeouts. |
| shutdown_timeout_sec | 30 | Graceful shutdown budget. |
| max_body_size | 1048576 | Request body cap in bytes. |
| rate_limit.enabled | false | Per-source token bucket (keyed by Ce-Source, falls back to client IP). |
| rate_limit.requests_per_second / burst | 100 / 200 | Bucket parameters. |
| auth.enabled | false | Authenticate incoming CloudEvents. |
| auth.type | — | hmac-sha256 (GitHub-style X-Hub-Signature-256) or bearer. |
| auth.secretRef.name | — | Kubernetes Secret name containing the shared secret/token. |
| auth.secretRef.key | — | Key within the Secret (optional; defaults to the conventional key). |
| auth.validate_timestamp | true for HMAC | Replay protection: require X-Webhook-Timestamp (unix seconds) within tolerance. Required when auth.type is hmac-sha256; omit for bearer. |
| auth.timestamp_tolerance | 5m | Accepted clock skew for replay protection. |
| tls.cert_file / tls.key_file | — | Serve HTTPS natively (both required). Empty = plain HTTP behind your ingress. |
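The hmac-sha256 mode above combines two checks: a replay window on X-Webhook-Timestamp and a constant-time comparison of X-Hub-Signature-256. The following Go program is an added illustration of that pairing, written for this page; it is not the relay's own code. The page does not say how the relay binds the timestamp into the signed bytes, so the `<unix>.<body>` layout, the function names and the `HMACMiddleware` wrapper are this example's own assumptions; the header names, the 5m default and the body cap come from the table.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Distinguishing the two failures helps metrics and logs; the HTTP response
// to the sender should still be a uniform 401 either way.
var (
	ErrBadTimestamp = errors.New("X-Webhook-Timestamp missing, malformed or outside tolerance")
	ErrBadSignature = errors.New("X-Hub-Signature-256 missing or does not match")
)

// signedPayload binds the timestamp into the signed bytes as "<unix>.<body>".
// ASSUMPTION: the page does not state the relay's exact layout; binding the
// timestamp is what stops a captured request from being re-stamped and replayed.
func signedPayload(ts int64, body []byte) []byte {
	return append([]byte(strconv.FormatInt(ts, 10)+"."), body...)
}

// SignWebhook builds the GitHub-style "sha256=<lowercase hex>" header value
// a sender attaches, using the shared secret and the timestamp it also sends.
func SignWebhook(secret []byte, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(signedPayload(ts, body))
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook enforces |now - ts| <= tolerance, then recomputes the MAC over
// the same bytes and compares in constant time. now is injected for testability.
func VerifyWebhook(secret []byte, sigHeader, tsHeader string, body []byte, now time.Time, tolerance time.Duration) error {
	ts, err := strconv.ParseInt(strings.TrimSpace(tsHeader), 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	skew := now.Sub(time.Unix(ts, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > tolerance {
		return ErrBadTimestamp
	}
	// hmac.Equal tolerates differing lengths, so a missing or truncated header
	// fails cleanly without a panic or a timing side channel.
	want := SignWebhook(secret, ts, body)
	if !hmac.Equal([]byte(sigHeader), []byte(want)) {
		return ErrBadSignature
	}
	return nil
}

// HMACMiddleware (hypothetical name) runs VerifyWebhook in front of a handler.
// The body has to be read in full, bounded by max_body_size, before the
// signature can be checked; it is then handed back to the next handler.
func HMACMiddleware(secret []byte, tolerance time.Duration, maxBody int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		sig := r.Header.Get("X-Hub-Signature-256")
		ts := r.Header.Get("X-Webhook-Timestamp")
		if err := VerifyWebhook(secret, sig, ts, body, time.Now(), tolerance); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

func main() {
	secret := []byte("constructed-shared-secret") // the relay reads this from auth.secretRef
	body := []byte(`{"specversion":"1.0","type":"dev.tekton.event.pipelinerun.successful.v1"}`)
	now := time.Now()
	sig := SignWebhook(secret, now.Unix(), body)
	tsHdr := strconv.FormatInt(now.Unix(), 10)
	fmt.Println("fresh request:", VerifyWebhook(secret, sig, tsHdr, body, now, 5*time.Minute))
	fmt.Println("same request 10m later:", VerifyWebhook(secret, sig, tsHdr, body, now.Add(10*time.Minute), 5*time.Minute))
}
```

The timestamp check is done first so stale traffic is rejected before any MAC work, and the signature is recomputed over the timestamp as well as the body, so replaying a captured request with a fresher X-Webhook-Timestamp fails on the signature rather than slipping through the replay window.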

retry — outbound HTTP policy

Applies to all SCM clients and notifiers. Exponential backoff with jitter; Retry-After on 429/503 is honored (capped at max_backoff); 4xx other than 429 never retries.

| Key | Default |
|---|---|
| retry.max_attempts | 4 (total, including the first request) |
| retry.initial_backoff | 250ms |
| retry.max_backoff | 30s |
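The policy above fixes several decisions: which responses retry at all, how the wait grows, how Retry-After interacts with the cap, and when the attempt budget is exhausted. This Go program is an added example of those rules, written for this page rather than taken from the relay. The defaults, the 429/503 Retry-After handling and the "other 4xx never retry" rule come from the text; treating all 5xx and transport errors as retryable, the equal-jitter scheme and the `NextDelay` name are this example's own assumptions.

```go
package main

import (
	"fmt"
	"math/rand"
	"net/http"
	"strconv"
	"time"
)

// RetryPolicy mirrors the retry.* keys; the zero attempt is the first request.
type RetryPolicy struct {
	MaxAttempts    int           // total attempts, including the first request
	InitialBackoff time.Duration // wait after the first failure
	MaxBackoff     time.Duration // cap for both the exponential curve and Retry-After
}

// DefaultRetryPolicy holds the documented defaults.
var DefaultRetryPolicy = RetryPolicy{MaxAttempts: 4, InitialBackoff: 250 * time.Millisecond, MaxBackoff: 30 * time.Second}

// Retryable classifies an HTTP status; 0 stands for a transport error with no
// response. ASSUMPTION: all 5xx retry (the page names only 429 and 503 explicitly).
func Retryable(status int) bool {
	switch {
	case status == 0:
		return true
	case status == http.StatusTooManyRequests:
		return true
	case status >= 500:
		return true
	default:
		return false // 2xx/3xx are done; any other 4xx never retries
	}
}

// parseRetryAfter accepts both header forms: delta-seconds or an HTTP-date.
func parseRetryAfter(v string, now time.Time) (time.Duration, bool) {
	if v == "" {
		return 0, false
	}
	if secs, err := strconv.Atoi(v); err == nil && secs >= 0 {
		return time.Duration(secs) * time.Second, true
	}
	if t, err := http.ParseTime(v); err == nil {
		if d := t.Sub(now); d > 0 {
			return d, true
		}
		return 0, true // a date already in the past means "retry now"
	}
	return 0, false
}

// NextDelay is called after attempt number `attempt` (1-based) returned
// `status`. It reports how long to wait and whether to try again at all.
// Retry-After is honored only on 429/503 and never beyond MaxBackoff.
func (p RetryPolicy) NextDelay(attempt, status int, retryAfter string, now time.Time, rng *rand.Rand) (time.Duration, bool) {
	if attempt >= p.MaxAttempts || !Retryable(status) {
		return 0, false
	}
	if status == http.StatusTooManyRequests || status == http.StatusServiceUnavailable {
		if d, ok := parseRetryAfter(retryAfter, now); ok {
			if d > p.MaxBackoff {
				d = p.MaxBackoff
			}
			return d, true
		}
	}
	// Exponential step: initial * 2^(attempt-1), capped at MaxBackoff.
	base := p.InitialBackoff
	for i := 1; i < attempt && base < p.MaxBackoff; i++ {
		base *= 2
	}
	if base > p.MaxBackoff {
		base = p.MaxBackoff
	}
	// Equal jitter: keep half the step, randomize the other half, so many pods
	// retrying the same provider spread out without any retrying almost at once.
	half := base / 2
	return half + time.Duration(rng.Int63n(int64(half)+1)), true
}

func main() {
	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
	now := time.Now()
	for attempt := 1; attempt <= 5; attempt++ {
		d, again := DefaultRetryPolicy.NextDelay(attempt, 502, "", now, rng)
		fmt.Printf("attempt %d failed with 502 -> retry=%v wait=%v\n", attempt, again, d)
	}
	d, again := DefaultRetryPolicy.NextDelay(1, 429, "120", now, rng)
	fmt.Printf("429 with Retry-After: 120 -> retry=%v wait=%v (capped at max_backoff)\n", again, d)
}
```

With the defaults a failing provider sees at most four requests and waits of roughly 0.25s, 0.5s and 1s between them, and a provider that asks for a long Retry-After is never able to hold a handler longer than max_backoff.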

store — state backend

Shared by the deduper and the accumulator. See Operations → State backends for choosing one.

| Key | Default | Description |
|---|---|---|
| store.backend | memory | memory (per-pod), valkey (external RESP server), olric (embedded distributed cache). |
| store.ttl | 1h | Entry lifetime on remote backends. |
| store.valkey.address | — | host:port, required for valkey. |
| store.valkey.password_file | — | Optional password file. |
| store.valkey.db | 0 | Logical database. |
| store.valkey.key_prefix | tekton-events-relay | Key namespace. |
| store.olric.bind_port | 3320 | Data port between relay pods. |
| store.olric.memberlist_port | 3322 | Gossip port (TCP+UDP). |
| store.olric.peers | chart's headless service | host:port seeds for discovery. |

⚠️ With memory, dedup/accumulation state is per-pod and lost on restart — run one replica, or switch backends. Backend failures fail open: events are processed without deduplication rather than dropped (tekton_events_relay_store_errors_total).

dlq — dead letter queue

| Key | Default | Description |
|---|---|---|
| dlq.enabled | false | Preserve permanently-failed events for inspection/replay (API). |
| dlq.path | /var/lib/tekton-events-relay/dlq.jsonl | JSONL file (chart mounts a writable emptyDir). |
| dlq.max_size_bytes | 10485760 | Oldest entries are dropped beyond this. |

filter

Coarse resource-type gate, evaluated before any handler runs: allow_taskrun, allow_pipelinerun, allow_customrun, allow_eventlistener, ignore_unknown (all booleans). If neither allow_taskrun nor allow_pipelinerun is set, the default is PipelineRuns only, with unknown kinds ignored.

accumulator

Batches TaskRun events per PipelineRun and posts one summary PR comment when the run completes.

| Key | Default | Description |
|---|---|---|
| accumulator.enabled | false | |
| accumulator.ttl | 30s | How long an incomplete run's tasks are buffered. |
| accumulator.max_size | 100 | Max pipeline runs tracked simultaneously. |
| accumulator.provider.name | — | Registered handler that posts the summary (a pr_comment instance; use mode: upsert there for converging summaries). |
| accumulator.template | built-in table | Custom Go template (receives SummaryData). |

scm — provider instances

Each provider key holds a list of instances; multiple instances of the same provider can coexist. The instance name is what the scm.provider annotation must match. Common instance fields:

| Field | Description |
|---|---|
| name, enabled | Identity and switch. |
| base_url | API base URL (self-hosted; defaults to the SaaS endpoint where applicable). |
| insecure_skip_verify | Skip TLS verification (avoid; prefer a custom CA). |
| secretRef.name | Kubernetes Secret name containing credentials. |
| secretRef.key | Key within the Secret (optional; defaults to the conventional key). |
| template | Go template inline string OR object with configmapRef (see below). |
| template.configmapRef.name | Kubernetes ConfigMap name containing message templates. Optional; defaults to tekton-events-relay-templates. |
| template.configmapRef.key | Key within the ConfigMap holding the template. |
| auth.* | Provider-specific — token file, OAuth2 client-credentials, GitHub App. See each provider page. |
| actions[] | The list of actions for this instance. |

Per-action fields: name, type, enabled, when (CEL), template, mode (create/upsert for comments), context_per_task (commit_status), labels.add[] / labels.remove[] (label), filter.{tasks,pipelines,custom_runs,event_listeners}.{allow,deny} lists.

notifiers

Lists per channel: slack, teams, discord, pagerduty, datadog, webhook, grafana, sentry, email. All support name, enabled, when (CEL); message-based ones support template (inline string or configmapRef object). email additionally has a subject field with the same three template forms. Notifier credentials use field-specific refs (e.g. webhook_url.secretRef.name for Slack/Teams/Discord, integration_key.secretRef.name for PagerDuty, token.secretRef.name for Grafana/Sentry). Templates can be supplied inline, via template.configmapRef.{name,key} (name optional, defaults to tekton-events-relay-templates), or omitted to use the shipped default — see Templates → Supplying a template. Notifiers that require a template (email, grafana) have no in-code default; the chart fills the omitted case from configmap-templates.yaml. Details and auth per channel on the Notifiers page.

Per-channel extras: slack accepts mode (create/upsert, upsert needs a bot token) and thread_ts (reply in a thread); discord accepts mode (create/upsert); pagerduty accepts acknowledge_on_running (opt-in acknowledge while running); grafana accepts dashboard_uid and panel_id (optional annotation scoping; panel_id requires dashboard_uid); email accepts cc/bcc lists, reply_to, and an auth.xoauth2 + auth.token_file XOAUTH2 mode (mutually exclusive with the password).

OAuth2 (webhook, jira): the generic webhook and Jira support OAuth2 client credentials under auth.oauth2 (client_id/client_secret refs + token_url; webhook also needs auth.type: oauth2). The relay fetches the access token, sends it as Authorization: Bearer, and auto-refreshes it before expiry. grant_type defaults to client_credentials; refresh_token is also supported (seed a pre-obtained refresh_token — the relay exposes no redirect/ingress, so authorization_code cannot run in-relay). oauth2 requires token_url and is mutually exclusive with the static token/basic credentials of the same notifier. Grafana/Sentry/Slack/Discord/Datadog/PagerDuty are not OAuth2-capable here — their APIs use a service-account token / auth token / bot token / API key / routing key.
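The client_credentials flow described above is short enough to show end to end. The Go program below is an added example written for this page, not the relay's or any provider's code: `ClientCredentialsSource` plays the relay side (fetch, cache, refresh before expiry, send as Authorization: Bearer) and `FakeTokenEndpoint` is a constructed stand-in for a provider's token_url that checks the client credentials and grant type. The type and function names, the 60s refresh margin and the injected clock are this example's own assumptions; the grant, header and config key names come from the text.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// ClientCredentialsSource (hypothetical name) obtains a token with the OAuth2
// client_credentials grant (RFC 6749 section 4.4) and caches it until
// RefreshSkew before expires_in elapses.
type ClientCredentialsSource struct {
	mu           sync.Mutex
	Client       *http.Client
	TokenURL     string        // auth.oauth2.token_url
	ClientID     string        // auth.oauth2.client_id, resolved from its secretRef
	ClientSecret string        // auth.oauth2.client_secret, resolved from its secretRef
	RefreshSkew  time.Duration // refresh this long before the token would expire
	Now          func() time.Time
	Fetches      int // number of token requests made; useful for metrics and tests
	token        string
	expiry       time.Time
}

// Token returns the cached access token, fetching a new one when it is missing
// or about to expire. The mutex keeps concurrent handlers from stampeding.
func (s *ClientCredentialsSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && s.Now().Add(s.RefreshSkew).Before(s.expiry) {
		return s.token, nil
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	req, err := http.NewRequest(http.MethodPost, s.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(s.ClientID, s.ClientSecret) // client authenticates via HTTP Basic, not in the form body
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := s.Client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	s.Fetches++
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
	var tr struct {
		AccessToken string `json:"access_token"`
		TokenType   string `json:"token_type"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "bearer") {
		return "", errors.New("token response lacks a bearer access_token")
	}
	s.token = tr.AccessToken
	s.expiry = s.Now().Add(time.Duration(tr.ExpiresIn) * time.Second)
	return s.token, nil
}

// Authorize attaches the current token to an outbound notifier request.
func (s *ClientCredentialsSource) Authorize(req *http.Request) error {
	tok, err := s.Token()
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+tok)
	return nil
}

// FakeTokenEndpoint is a constructed stand-in for a provider's token_url. It
// rejects bad client credentials or grant types and issues a token whose value
// changes on each call so refreshes are observable.
func FakeTokenEndpoint(clientID, clientSecret string, expiresIn int) http.Handler {
	issued := 0
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		issued++
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{
			"access_token": fmt.Sprintf("tok-%d", issued), "token_type": "Bearer", "expires_in": expiresIn,
		})
	})
}

func main() {
	srv := httptest.NewServer(FakeTokenEndpoint("relay", "constructed-client-secret", 3600))
	defer srv.Close()
	base := time.Unix(1700000000, 0)
	clock := base
	src := &ClientCredentialsSource{Client: srv.Client(), TokenURL: srv.URL + "/oauth/token",
		ClientID: "relay", ClientSecret: "constructed-client-secret",
		RefreshSkew: 60 * time.Second, Now: func() time.Time { return clock }}
	for _, offset := range []time.Duration{0, 30 * time.Minute, 59*time.Minute + 30*time.Second} {
		clock = base.Add(offset)
		tok, err := src.Token()
		fmt.Printf("t+%v token=%s fetches=%d err=%v\n", offset, tok, src.Fetches, err)
	}
}
```

The third call lands inside the refresh margin (expires_in 3600 minus 60 seconds), so a fresh token is fetched before the old one lapses and no notifier request is ever sent with an expired bearer token. A wrong client_secret fails at the token endpoint with a 401, which surfaces as an error from Token rather than as a silently unauthenticated webhook.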

Secret re-read (webhook, grafana, sentry, jira): when not using OAuth2, these notifiers re-read the mounted secret file on every request, so rotating a Kubernetes Secret is picked up without restarting the pod (no hot reload needed for the secret value).

jira

Top-level list (sibling of scm and notifiers) of Jira integrations, each with base_url, optional api_version ("2" default plain-text, or "3" Atlassian Document Format), auth (email + token.secretRef, or auth.oauth2 client credentials), and actions of type comment or transition. The target issue comes from the jira.issue-key annotation. Comment templates use the shared template.configmapRef.name/template.configmapRef.key mechanism. See Notifiers β†’ Jira.

logging and tracing

| Key | Default | Description |
|---|---|---|
| logging.level | info | debug, info, warn, error (JSON output). |
| logging.verbose.caller / http_calls / payloads | false | Extra detail — valid only with level: debug (validation enforces this). Payloads are redacted of known secret keys. |
| tracing.endpoint | — | OTLP HTTP endpoint (e.g. otel-collector:4318). Empty = tracing off. |
| tracing.service_name | tekton-events-relay | Reported service name. |
| tracing.insecure | false | When false, uses HTTPS for OTLP export. Set to true for plaintext HTTP. |