Installation
The supported install method is the Helm chart, published as an OCI artifact (Cosign-signed):
```bash
helm install tekton-events-relay \
  oci://ghcr.io/fabioluciano/charts/tekton-events-relay \
  --namespace tekton-events-relay --create-namespace \
  -f values.yaml
```
The chart renders your config: values into the application ConfigMap, mounts the referenced Secrets at the conventional paths, and wires probes, ServiceMonitor, PodDisruptionBudget, HPA and NetworkPolicy. A values.schema.json validates your values at install time — typos fail helm install, not the pod.
A realistic values file
```yaml
replicaCount: 1  # >1 requires config.store.backend valkey/olric — see Operations
config:
  dashboard_url: "https://tekton.company.example.com"
  scm:
    github:
      - name: github  # matched by the scm.provider annotation
        enabled: true
        auth:
          secretRef:
            name: github-token  # Secret with key "token"
        actions:
          - name: ci-status
            type: commit_status
            enabled: true
          - name: pr-summary
            type: pr_comment
            enabled: true
            mode: upsert
            when: 'isPipelineRun() && stateIn("success", "failure")'
            template: |
              ## Pipeline {{.State}}
              **Run:** {{.RunName}} · `{{ .CommitSHA | trunc 8 }}`
  notifiers:
    slack:
      - name: prod-alerts
        enabled: true
        secretRef:
          name: slack-webhook  # Secret with key "webhook_url"
        channel: "#prod-alerts"
        when: 'event.Namespace == "production" && stateIn("failure", "error")'
```
Secrets
You create plain Kubernetes Secrets; the chart mounts them read-only under /etc/secrets/<provider>/<instance>/ and points the app config at the files. Conventional keys:
| Where | Values key | Secret key(s) |
|---|---|---|
| GitHub (token) | auth.secretRef.name | token |
| GitHub (App) | auth.app_id, auth.installation_id, auth.private_key.secretRef.name | private-key.pem |
| GitLab / Gitea (PAT) | auth.secretRef.name | token |
| GitLab / Gitea / Bitbucket (OAuth2) | auth.oauth2.client_id.secretRef.name, auth.oauth2.client_secret.secretRef.name + token_url | client_id, client_secret |
| Bitbucket Cloud | auth.username.secretRef.name, auth.app_password.secretRef.name | username, app_password |
| Bitbucket Server / Azure DevOps / SourceHut | secretRef.name | token |
| Slack / Teams / Discord | webhook_url.secretRef.name (or bot_token.token.secretRef.name for Slack/Discord bots) | webhook_url (or token) |
| PagerDuty | integration_key.secretRef.name | integration_key |
| Datadog | api_key.secretRef.name | api_key |
| Grafana / Sentry | token.secretRef.name | token |
| Webhook | url.secretRef.name | url |
| Receiver auth | config.server.auth.secret_file | (file path; mount it yourself or via env expansion) |
A custom secretRef.key field is available where you need a non-default key name.
Connecting Tekton
Point the Tekton controller’s CloudEvents sink at the relay Service (config-defaults ConfigMap in tekton-pipelines):
```yaml
data:
  default-cloud-events-sink: http://tekton-events-relay.tekton-events-relay.svc.cluster.local
```
Then annotate your PipelineRuns.
Embedded Valkey (optional)
When using config.store.valkey.embedded.enabled: true, the chart deploys a Valkey subchart. You must first add the Valkey Helm repo:
```bash
helm repo add valkey https://valkey.io/valkey-helm/
helm dependency build charts/tekton-events-relay
```
Without this step, helm install or helm template will fail with a missing dependency error.
Chart switches worth knowing
| Values key | Default | Notes |
|---|---|---|
| replicaCount | 1 | ⚠️ Set to 1 unless you configured a shared store. |
| config.store.* | memory | Valkey/Olric backends; Olric mode auto-creates the gossip headless Service + NetworkPolicy rules. |
| config.dlq.enabled | false | Mounts a writable emptyDir and enables the DLQ API. |
| config.server.auth.* | off | HMAC/bearer auth + optional timestamp replay protection. |
| config.server.tls.* | off | Native HTTPS (mount your cert via extra volumes). |
| networkPolicy.enabled | true | DNS + 443/80 egress; conditional Valkey/Olric rules. networkPolicy.valkeyPort if non-6379. |
| autoscaling.* | off | Only enable with a shared store. |
| serviceMonitor / probes / PDB | sensible defaults | Standard knobs. |
| templates.enabled | off | Ship large message templates as a separate ConfigMap. Reference them with template.configmapRef.name / template.configmapRef.key. |
Verifying signatures
```bash
cosign verify \
  --certificate-identity-regexp='https://github.com/fabioluciano/tekton-events-relay' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
  ghcr.io/fabioluciano/tekton-events-relay:latest
```
(same command with oci://ghcr.io/fabioluciano/charts/tekton-events-relay for the chart).
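An added example, not part of the project's documentation: an offline pre-check of the two inputs to the command above, the identity pattern and the artifact reference. The SAN strings, the workflow name `release.yml`, the sibling repository name and the digest are constructed samples, and the anchored pattern assumes the signing workflow lives in the project's own repository.

```shell
#!/bin/sh
# Added example: offline pre-checks for the inputs of a `cosign verify` call.
# Every SAN string, the workflow name and the digest are constructed samples.

# cosign applies --certificate-identity-regexp as an unanchored search;
# grep -E reproduces that for the simple patterns used here.
san_matches() {  # $1 = pattern, $2 = certificate SAN
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# A tag such as :latest can be re-pointed after it was verified; a digest cannot.
is_digest_pinned() {  # $1 = image or chart reference
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print each constructed SAN that the pattern in $1 would accept.
accepted_sans() {
  while IFS= read -r san; do
    if san_matches "$1" "$san"; then printf '%s\n' "$san"; fi
  done <<'EOF'
https://github.com/fabioluciano/tekton-events-relay/.github/workflows/release.yml@refs/tags/v1.2.3
https://github.com/fabioluciano/tekton-events-relay-sandbox/.github/workflows/release.yml@refs/heads/main
https://github.com/other-org/mirror/.github/workflows/release.yml@refs/heads/main
EOF
}

# Pattern exactly as written in the command above.
PAGE_PATTERN='https://github.com/fabioluciano/tekton-events-relay'
# Assumption: the signing workflow lives in the project's own repository.
ANCHORED_PATTERN='^https://github\.com/fabioluciano/tekton-events-relay/\.github/workflows/'

# Constructed placeholder digest (64 zeros), not a real artifact digest.
SAMPLE_DIGEST=$(printf '%064d' 0)

echo "page pattern accepts:";     accepted_sans "$PAGE_PATTERN"
echo "anchored pattern accepts:"; accepted_sans "$ANCHORED_PATTERN"

for ref in 'ghcr.io/fabioluciano/tekton-events-relay:latest' \
           "ghcr.io/fabioluciano/tekton-events-relay@sha256:$SAMPLE_DIGEST"; do
  if is_digest_pinned "$ref"; then echo "pinned:  $ref"; else echo "mutable: $ref"; fi
done
```

The page's pattern also accepts the sibling repository whose name merely starts with the project name; the anchored pattern accepts only the first sample.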
Upgrades
helm upgrade with your values. Config-only changes don’t even need a rollout: the relay hot-reloads the ConfigMap when Kubernetes propagates it (typically within a minute), validating before applying. Check tekton_events_relay_config_reloads_total or the logs to confirm.