$ oc get tektonconfig config
This guide walks cluster administrators through the process of installing the Red Hat OpenShift Pipelines Operator to an OpenShift Container Platform cluster.
You have access to an OpenShift Container Platform cluster using an account with cluster-admin
permissions.
You have installed oc
cli.
You have installed OpenShift Pipelines (tkn
) cli on your local system.
You can install Red Hat OpenShift Pipelines using the Operator listed in the OpenShift Container Platform OperatorHub. When you install the Red Hat OpenShift Pipelines Operator, the custom resources (CRs) required for the pipelines configuration are automatically installed along with the Operator.
The default Operator custom resource definition (CRD) config.operator.tekton.dev
is now replaced by tektonconfigs.operator.tekton.dev
. In addition, the Operator provides the following additional CRDs to individually manage OpenShift Pipelines components:
tektonpipelines.operator.tekton.dev
, tektontriggers.operator.tekton.dev
and tektonaddons.operator.tekton.dev
.
If you have OpenShift Pipelines already installed on your cluster, the existing installation is seamlessly upgraded. The Operator will replace the instance of config.operator.tekton.dev
on your cluster with an instance of tektonconfigs.operator.tekton.dev
and additional objects of the other CRDs as necessary.
If you manually changed your existing installation, such as, changing the target namespace in the |
The Red Hat OpenShift Pipelines Operator now provides the option to choose the components that you want to install by specifying profiles as part of the TektonConfig
CR. The TektonConfig
CR is automatically installed when the Operator is installed.
The supported profiles are:
Lite: This installs only Tekton Pipelines.
Basic: This installs Tekton Pipelines and Tekton Triggers.
All: This is the default profile used when the TektonConfig
CR is installed. This profile installs all of the Tekton components: Tekton Pipelines, Tekton Triggers, Tekton Addons (which include ClusterTasks
, ClusterTriggerBindings
, ConsolecliDownload
, ConsoleQuickStart
and ConsoleYAMLSample
resources).
In the Administrator perspective of the web console, navigate to Operators → OperatorHub.
Use the Filter by keyword box to search for Red Hat OpenShift Pipelines
Operator in the catalog. click the Red Hat OpenShift Pipelines Operator tile.
Read the brief description about the Operator on the Red Hat OpenShift Pipelines Operator page. click Install.
On the Install Operator page:
Select All namespaces on the cluster (default) for the Installation Mode. This mode installs the Operator in the default openshift-operators
namespace, which enables the Operator to watch and be made available to all namespaces in the cluster.
Select Automatic for the Approval Strategy. This ensures that the future upgrades to the Operator are handled automatically by the Operator Lifecycle Manager (OLM). If you select the Manual approval strategy, OLM creates an update request. As a cluster administrator, you must then manually approve the OLM update request to update the Operator to the new version.
Select an Update Channel.
The stable channel enables installation of the latest stable and supported release of the Red Hat OpenShift Pipelines Operator.
The preview channel enables installation of the latest preview version of the Red Hat OpenShift Pipelines Operator, which may contain features that are not yet available from the stable channel and is not supported.
click Install. You will see the Operator listed on the Installed Operators page.
The Operator is installed automatically into the |
Verify that the Status is set to Succeeded Up to date to confirm successful installation of Red Hat OpenShift Pipelines Operator.
The success status may show as Succeeded Up to date even if installation of other components is in-progress. Therefore, it is important to verify the installation manually in the terminal. |
Verify that all components of the Red Hat OpenShift Pipelines Operator were installed successfully. Login to the cluster on the terminal, and run the following command:
$ oc get tektonconfig config
NAME VERSION READY REASON config 1.9.2 True
If the READY condition is True, the Operator and its components have been installed successfully.
Additonally, check the components' versions by running the following command:
$ oc get tektonpipeline,tektontrigger,tektonaddon,pac
NAME VERSION READY REASON tektonpipeline.operator.tekton.dev/pipeline v0.41.1 True NAME VERSION READY REASON tektontrigger.operator.tekton.dev/trigger v0.22.2 True NAME VERSION READY REASON tektonaddon.operator.tekton.dev/addon 1.9.2 True NAME VERSION READY REASON openshiftpipelinesascode.operator.tekton.dev/pipelines-as-code v0.15.5 True
You can install Red Hat OpenShift Pipelines Operator from the OperatorHub using the cli.
Create a Subscription object YAML file to subscribe a namespace to the Red Hat OpenShift Pipelines Operator,
for example, sub.yaml
:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: openshift-pipelines-operator
namespace: openshift-operators
spec:
channel: <channel name> (1)
name: openshift-pipelines-operator-rh (2)
source: redhat-operators (3)
sourceNamespace: openshift-marketplace (4)
1 | Specify the channel name from where you want to subscribe the Operator |
2 | Name of the Operator to subscribe to. |
3 | Name of the CatalogSource that provides the Operator. |
4 | Namespace of the CatalogSource. Use openshift-marketplace for the default OperatorHub CatalogSources. |
Create the Subscription object:
$ oc apply -f sub.yaml
The Red Hat OpenShift Pipelines Operator is now installed in the default target namespace openshift-operators
.
The Red Hat OpenShift Pipelines Operator enables support for installation of pipelines in a restricted network environment.
The Operator installs a proxy webhook that sets the proxy environment variables in the containers of the pod created by tekton-controllers based on the cluster
proxy object. It also sets the proxy environment variables in the TektonPipelines
, TektonTriggers
, Controllers
, Webhooks
, and Operator Proxy Webhook
resources.
By default, the proxy webhook is disabled for the openshift-pipelines
namespace. To disable it for any other namespace, you can add the operator.tekton.dev/disable-proxy: true
label to the namespace
object.
The default installation of the Red Hat OpenShift Pipelines Operator creates multiple role-based access control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the ^(openshift|kube)-*
regular expression pattern. Among these RBAC resources, the pipelines-scc-rolebinding
security context constraint (SCC) role binding resource is a potential security issue, because the associated pipelines-scc
SCC has the RunAsAny
privilege.
To disable the automatic creation of cluster-wide RBAC resources after the Red Hat OpenShift Pipelines Operator is installed, cluster administrators can set the createRbacResource
parameter to false
in the cluster-level TektonConfig
custom resource (CR).
TektonConfig
CRapiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
name: config
spec:
params:
- name: createRbacResource
value: "false"
profile: all
targetNamespace: openshift-pipelines
addon:
params:
- name: clusterTasks
value: "true"
- name: pipelineTemplates
value: "true"
...
As a cluster administrator or an user with appropriate privileges, when you disable the automatic creation of RBAC resources for all namespaces, the default |
You can learn more about installing Operators on OpenShift Container Platform in the adding Operators to a cluster section.
To install Tekton Chains using the Red Hat OpenShift Pipelines Operator, see Using Tekton Chains for Red Hat OpenShift Pipelines supply chain security.
To install and deploy in-cluster Tekton Hub, see Using Tekton Hub with Red Hat OpenShift Pipelines.
For more information on using pipelines in a restricted environment, see: