Installation

The supported install method is the Helm chart, published as an OCI artifact (Cosign-signed):

helm install tekton-events-relay \
  oci://ghcr.io/fabioluciano/charts/tekton-events-relay \
  --namespace tekton-events-relay --create-namespace \
  -f values.yaml

The chart renders your config: values into the application ConfigMap, mounts the referenced Secrets at the conventional paths, and wires probes, ServiceMonitor, PodDisruptionBudget, HPA and NetworkPolicy. A values.schema.json validates your values at install time — typos fail helm install, not the pod.

A realistic values file

replicaCount: 1            # >1 requires config.store.backend valkey/olric — see Operations

config:
  dashboard_url: "https://tekton.company.example.com"

  scm:
    github:
      - name: github       # matched by the scm.provider annotation
        enabled: true
        auth:
          secretRef:
            name: github-token             # Secret with key "token"
        actions:
          - name: ci-status
            type: commit_status
            enabled: true
          - name: pr-summary
            type: pr_comment
            enabled: true
            mode: upsert
            when: 'isPipelineRun() && stateIn("success", "failure")'
            template: |
              ## Pipeline {{.State}}
              **Run:** {{.RunName}} · `{{ .CommitSHA | trunc 8 }}`

  notifiers:
    slack:
      - name: prod-alerts
        enabled: true
        webhook_url:
          secretRef:
            name: slack-webhook           # Secret with key "webhook_url"
        channel: "#prod-alerts"
        when: 'event.Namespace == "production" && stateIn("failure", "error")'

Secrets

You create plain Kubernetes Secrets; the chart mounts them read-only under /etc/secrets/<provider>/<instance>/ and points the app config at the files. Conventional keys:

| Where | Values key | Secret key(s) |
|---|---|---|
| GitHub (token) | auth.secretRef.name | token |
| GitHub (App) | auth.app_id, auth.installation_id, auth.private_key.secretRef.name | private-key.pem |
| GitLab / Gitea (PAT) | auth.secretRef.name | token |
| GitLab / Gitea / Bitbucket (OAuth2) | auth.oauth2.client_id.secretRef.name, auth.oauth2.client_secret.secretRef.name + token_url | client_id, client_secret |
| Bitbucket Cloud | auth.username.secretRef.name, auth.app_password.secretRef.name | username, app_password |
| Bitbucket Server / Azure DevOps / SourceHut | secretRef.name | token |
| Slack / Teams / Discord | webhook_url.secretRef.name (or bot_token.token.secretRef.name for Slack/Discord bots) | webhook_url (or token) |
| PagerDuty | integration_key.secretRef.name | integration_key |
| Datadog | api_key.secretRef.name | api_key |
| Grafana / Sentry | token.secretRef.name | token |
| Webhook | url.secretRef.name | url |
| Receiver auth | config.server.auth.secret_file | (file path; mount it yourself or via env expansion) |

A custom secretRef.key field is available where you need a non-default key name.

Connecting Tekton

Point the Tekton controller’s CloudEvents sink at the relay Service (config-defaults ConfigMap in tekton-pipelines):

data:
  default-cloud-events-sink: http://tekton-events-relay.tekton-events-relay.svc.cluster.local

Then annotate your PipelineRuns.

Embedded Valkey (optional)

When using config.store.valkey.embedded.enabled: true, the chart deploys a Valkey subchart. You must first add the Valkey Helm repo:

helm repo add valkey https://valkey.io/valkey-helm/
helm dependency build charts/tekton-events-relay

Without this step, helm install or helm template will fail with a missing dependency error.

Chart switches worth knowing

| Values key | Default | Notes |
|---|---|---|
| replicaCount | 1 | ⚠️ Set to 1 unless you configured a shared store. |
| config.store.* | memory | Valkey/Olric backends; Olric mode auto-creates the gossip headless Service + NetworkPolicy rules. |
| config.dlq.enabled | false | Mounts a writable emptyDir and enables the DLQ API. |
| config.server.auth.* | off | HMAC/bearer auth + optional timestamp replay protection. |
| config.server.tls.* | off | Native HTTPS (mount your cert via extra volumes). |
| networkPolicy.enabled | true | DNS + 443/80 egress; conditional Valkey/Olric rules. networkPolicy.valkeyPort if non-6379. |
| autoscaling.* | off | Only enable with a shared store. |
| serviceMonitor / probes / PDB | sensible defaults | Standard knobs. |
| templates.enabled | off | Ship large message templates as a separate ConfigMap. Reference them with template.configmapRef.name / template.configmapRef.key. |

Verifying signatures

cosign verify \
  --certificate-identity-regexp='https://github.com/fabioluciano/tekton-events-relay' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  ghcr.io/fabioluciano/tekton-events-relay:latest

(same command with oci://ghcr.io/fabioluciano/charts/tekton-events-relay for the chart).
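
How broadly the identity pattern in the command above matches, shown as an added example that is not part of the project's documentation. It assumes cosign applies --certificate-identity-regexp with Go's unanchored regexp matching; the anchored pattern and the sample identities (including the workflow file name) are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern exactly as passed to --certificate-identity-regexp on this page.
const pagePattern = `https://github.com/fabioluciano/tekton-events-relay`

// Tighter pattern (an assumption, not from the project): anchored at the
// start, dots escaped, and a trailing "/" that closes the repository name.
const anchoredPattern = `^https://github\.com/fabioluciano/tekton-events-relay/`

// Constructed certificate identities in the GitHub Actions keyless form
// <repo URL>/.github/workflows/<file>@<ref>. The workflow file is made up.
var constructedIdentities = []string{
	"https://github.com/fabioluciano/tekton-events-relay/.github/workflows/release.yml@refs/heads/main",
	"https://github.com/fabioluciano/tekton-events-relay-sandbox/.github/workflows/release.yml@refs/heads/main",
	"https://github.com/someone-else/mirror/.github/workflows/release.yml@refs/heads/main",
}

// accepts reports whether pattern matches identity. MatchString succeeds on
// any substring match unless the pattern itself is anchored.
func accepts(pattern, identity string) bool {
	return regexp.MustCompile(pattern).MatchString(identity)
}

// acceptedBy returns the constructed identities that pattern lets through.
func acceptedBy(pattern string) []string {
	var out []string
	for _, id := range constructedIdentities {
		if accepts(pattern, id) {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	for _, p := range []string{pagePattern, anchoredPattern} {
		fmt.Printf("pattern %q accepts:\n", p)
		for _, id := range acceptedBy(p) {
			fmt.Println("  ", id)
		}
	}
}
```

Passing the anchored form to --certificate-identity-regexp keeps verification scoped to workflows in that one repository rather than any repository whose name merely starts with the same string.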

Upgrades

Run helm upgrade with your values. Config-only changes don’t need a rollout: the relay hot-reloads the ConfigMap when Kubernetes propagates it (typically within a minute), validating before applying. Check tekton_events_relay_config_reloads_total or the logs to confirm.