×

Red Hat OpenShift Pipelines is a cloud-native CI/CD experience based on the Tekton project which provides:

  • Standard Kubernetes-native pipeline definitions (CRDs).

  • Serverless pipelines with no CI server management overhead.

  • Extensibility to build images using any Kubernetes tool, such as S2I, Buildah, JIB, and Kaniko.

  • Portability across any Kubernetes distribution.

  • Powerful CLI for interacting with pipelines.

  • Integrated user experience with the Developer perspective of the OpenShift Container Platform web console.

For an overview of Red Hat OpenShift Pipelines, see Understanding OpenShift Pipelines.

Compatibility and support matrix

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.

In the table, features are marked with the following statuses:

TP

Technology Preview

GA

General Availability

Table 1. Compatibility and support matrix
Red Hat OpenShift Pipelines Version Component Version OpenShift Version Support Status

Operator

Pipelines

Triggers

CLI

Catalog

Chains

Hub

PAC

1.7

0.33.x

0.19.x

0.23.x

0.33

0.8.0 (TP)

1.7.0 (TP)

0.5.4 (TP)

4.9, 4.10

GA

1.6

0.28.x

0.16.x

0.21.x

0.28

N/A

N/A

N/A

4.9

GA

1.5

0.24.x

0.14.x (TP)

0.19.x

0.24

N/A

N/A

N/A

4.8

GA

1.4

0.22.x

0.12.x (TP)

0.17.x

0.22

N/A

N/A

N/A

4.7

GA

For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Release notes for Red Hat OpenShift Pipelines General Availability 1.7

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.

New features

In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.7.

Pipelines

  • With this update, pipelines-<version> is the default channel to install the Red Hat OpenShift Pipelines Operator. For example, the default channel to install the Pipelines Operator version 1.7 is pipelines-1.7. Cluster administrators can also use the latest channel to install the most recent stable version of the Operator.

    The preview and stable channels will be deprecated and removed in a future release.

  • When you run a command in a user namespace, your container runs as root (user id 0) but has user privileges on the host. With this update, to run pods in the user namespace, you must pass the annotations that CRI-O expects.

    • To add these annotations for all users, run the oc edit clustertask buildah command and edit the buildah cluster task.

    • To add the annotations to a specific namespace, export the cluster task as a task to that namespace.

  • With this update, the when expressions in a Task object are scoped to guard the tasks by default. To continue guarding the Task object and its dependent tasks, set the scope-when-expressions-to-task flag to true.

    The scope-when-expressions-to-task flag is deprecated and will be removed in a future release. As a best practice for Pipelines, use when expressions scoped to the guarded Task only.

  • With this update, you can use variable substitution in the subPath field of a workspace within a task.

  • With this update, you can reference parameters and results by using a bracket notation with single or double quotes. Prior to this update, you could only use the dot notation. For example, the following are now equivalent:

    • $(param.myparam), $(param['myparam']), and $(param["myparam"]).

      You can use single or double quotes to enclose parameter names that contain problematic characters, such as ".". For example, $(param['my.param']) and $(param["my.param"]).

  • With this update, you can include the onError parameter of a step in the task definition without enabling the enable-api-fields flag.

Triggers

  • With this update, the feature-flag-triggers config map has a new field labels-exclusion-pattern. You can set the value of this field to a regular expression (regex) pattern. The controller filters out labels that match the regex pattern from propagating from the event listener to the resources created for the event listener.

  • With this update, the TriggerGroups field is added to the EventListener specification. Using this field, you can specify a set of interceptors to run before selecting and running a group of triggers. To enable this feature, set the enable-api-fields flag in the feature-flags-triggers config map to alpha.

  • With this update, Trigger resources support custom runs defined by a TriggerTemplate template.

  • With this update, Triggers support emitting Kubernetes events from an EventListener pod.

  • With this update, count metrics are available for the following objects: ClusterInteceptor, EventListener, TriggerTemplate, ClusterTriggerBinding, and TriggerBinding.

  • This update adds the ServicePort specification to Kubernetes resource. You can use this specification to modify which port exposes the event listener service. The default port is 8080.

  • With this update, you can use the targetURI field in the EventListener specification to send cloud events during trigger processing. To enable this feature, set the enable-api-fields flag in the feature-flags-triggers config map to alpha.

  • With this update, the tekton-triggers-eventlistener-roles object now has a patch verb, in addition to the create verb that already exists.

  • With this update, the securityContext.runAsUser parameter is removed from event listener deployment.

CLI

  • With this update, the tkn [pipeline | pipelinerun] export command exports a pipeline or pipeline run as a YAML file. For example:

    • Export a pipeline named test_pipeline in the openshift-pipelines namespace:

      $ tkn pipeline export test_pipeline -n openshift-pipelines
    • Export a pipeline run named test_pipeline_run in the openshift-pipelines namespace:

      $ tkn pipelinerun export test_pipeline_run -n openshift-pipelines
  • With this update, the --grace option is added to the tkn pipelinerun cancel. Use the --grace option to terminate a pipeline run gracefully instead of forcing the termination. To enable this feature, set the enable-api-fields flag in the feature-flags config map to alpha.

  • This update adds the Operator and Chains versions to the output of the tkn version command.

    Tekton Chains is a Technology Preview feature.

  • With this update, the tkn pipelinerun describe command displays all canceled task runs, when you cancel a pipeline run. Before this fix, only one task run was displayed.

  • With this update, you can skip supplying the asking specifications for optional workspace when you run the tkn [t | p | ct] start command skips with the --skip-optional-workspace flag. You can also skip it when running in interactive mode.

  • With this update, you can use the tkn chains command to manage Tekton Chains. You can also use the --chains-namespace option to specify the namespace where you want to install Tekton Chains.

    Tekton Chains is a Technology Preview feature.

Operator

  • With this update, you can use the Red Hat OpenShift Pipelines Operator to install and deploy Tekton Hub and Tekton Chains.

    Tekton Chains and deployment of Tekton Hub on a cluster are Technology Preview features.

  • With this update, you can find and use Pipelines as Code (PAC) as an add-on option.

    Pipelines as Code is a Technology Preview feature.

  • With this update, you can now disable the installation of community cluster tasks by setting the communityClusterTasks parameter to false. For example:

    ...
    spec:
      profile: all
      targetNamespace: openshift-pipelines
      addon:
        params:
        - name: clusterTasks
          value: "true"
        - name: pipelineTemplates
          value: "true"
        - name: communityClusterTasks
          value: "false"
    ...
  • With this update, you can disable the integration of Tekton Hub with the Developer perspective by setting the enable-devconsole-integration flag in the TektonConfig custom resource to false. For example:

    ...
    hub:
      params:
        - name: enable-devconsole-integration
          value: "true"
    ...
  • With this update, the operator-config.yaml config map enables the output of the tkn version command to display of the Operator version.

  • With this update, the version of the argocd-task-sync-and-wait tasks is modified to v0.2.

  • With this update to the TektonConfig CRD, the oc get tektonconfig command displays the OPerator version.

  • With this update, service monitor is added to the Triggers metrics.

Hub

Deploying Tekton Hub on a cluster is a Technology Preview feature.

Tekton Hub helps you discover, search, and share reusable tasks and pipelines for your CI/CD workflows. A public instance of Tekton Hub is available at hub.tekton.dev.

Staring with Red Hat OpenShift Pipelines 1.7, cluster administrators can also install and deploy a custom instance of Tekton Hub on enterprise clusters. You can curate a catalog with reusable tasks and pipelines specific to your organization.

Chains

Tekton Chains is a Technology Preview feature.

Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller. You can use it to manage the supply chain security of the tasks and pipelines created using Red Hat OpenShift Pipelines.

By default, Tekton Chains monitors the task runs in your OpenShift Container Platform cluster. Chains takes snapshots of completed task runs, converts them to one or more standard payload formats, and signs and stores all artifacts.

Tekton Chains supports the following features:

  • You can sign task runs, task run results, and OCI registry images with cryptographic key types and services such as cosign.

  • You can use attestation formats such as in-toto.

  • You can securely store signatures and signed artifacts using OCI repository as a storage backend.

Pipelines as Code (PAC)

Pipelines as Code is a Technology Preview feature.

With Pipelines as Code, cluster administrators and users with the required privileges can define pipeline templates as part of source code Git repositories. When triggered by a source code push or a pull request for the configured Git repository, the feature runs the pipeline and reports status.

Pipelines as Code supports the following features:

  • Pull request status. When iterating over a pull request, the status and control of the pull request is exercised on the platform hosting the Git repository.

  • GitHub checks the API to set the status of a pipeline run, including rechecks.

  • GitHub pull request and commit events.

  • Pull request actions in comments, such as /retest.

  • Git events filtering, and a separate pipeline for each event.

  • Automatic task resolution in Pipelines for local tasks, Tekton Hub, and remote URLs.

  • Use of GitHub blobs and objects API for retrieving configurations.

  • Access Control List (ACL) over a GitHub organization, or using a Prow-style OWNER file.

  • The tkn-pac plugin for the tkn CLI tool, which you can use to manage Pipelines as Code repositories and bootstrapping.

  • Support for GitHub Application, GitHub Webhook, Bitbucket Server, and Bitbucket Cloud.

Deprecated features

  • Breaking change: This update removes the disable-working-directory-overwrite and disable-home-env-overwrite fields from the TektonConfig custom resource (CR). As a result, the TektonConfig CR no longer automatically sets the $HOME environment variable and workingDir parameter. You can still set the $HOME environment variable and workingDir parameter by using the env and workingDir fields in the Task custom resource definition (CRD).

  • The Conditions custom resource definition (CRD) type is deprecated and planned to be removed in a future release. Instead, use the recommended When expression.

  • Breaking change: The Triggers resource validates the templates and generates an error if you do not specify the EventListener and TriggerBinding values.

Known issues

  • When you run Maven and Jib-Maven cluster tasks, the default container image is supported only on Intel (x86) architecture. Therefore, tasks will fail on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters. As a workaround, you can specify a custom image by setting the MAVEN_IMAGE parameter value to maven:3.6.3-adoptopenjdk-11.

    Before you install tasks based on the Tekton Catalog on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) using tkn hub, verify if the task can be executed on these platforms. To check if ppc64le and s390x are listed in the "Platforms" section of the task information, you can run the following command: tkn hub info task <name>

  • On IBM Power Systems, IBM Z, and LinuxONE, the s2i-dotnet cluster task is unsupported.

  • You cannot use the nodejs:14-ubi8-minimal image stream because doing so generates the following errors:

    STEP 7: RUN /usr/libexec/s2i/assemble
    /bin/sh: /usr/libexec/s2i/assemble: No such file or directory
    subprocess exited with status 127
    subprocess exited with status 127
    error building at STEP "RUN /usr/libexec/s2i/assemble": exit status 127
    time="2021-11-04T13:05:26Z" level=error msg="exit status 127"
  • Implicit parameter mapping incorrectly passes parameters from the top-level Pipeline or PipelineRun definitions to the taskRef tasks. Mapping should only occur from a top-level resource to tasks with in-line taskSpec specifications. This issue only affects users who have set the enable-api-fields feature flag to alpha.

Fixed issues

  • With this update, if metadata such as labels and annotations are present in both Pipeline and PipelineRun object definitions, the values in the PipelineRun type takes precedence. You can observe similar behavior for Task and TaskRun objects.

  • With this update, if the timeouts.tasks field or the timeouts.finally field is set to 0, then the timeouts.pipeline is also set to 0.

  • With this update, the -x set flag is removed from scripts that do not use a shebang. The fix reduces potential data leak from script execution.

  • With this update, any backslash character present in the usernames in Git credentials is escaped with an additional backslash in the .gitconfig file.

  • With this update, the finalizer property of the EventListener object is not necessary for cleaning up logging and config maps.

  • With this update, the default HTTP client associated with the event listener server is removed, and a custom HTTP client added. As a result, the timeouts have improved.

  • With this update, the Triggers cluster role now works with owner references.

  • With this update, the race condition in the event listener does not happen when multiple interceptors return extensions.

  • With this update, the tkn pr delete command does not delete the pipeline runs with the ignore-running flag.

  • With this update, the Operator pods do not continue restarting when you modify any add-on parameters.

  • With this update, the tkn serve CLI pod is scheduled on infra nodes, if not configured in the subscription and config custom resources.

  • With this update, cluster tasks with specified versions are not deleted during upgrade.

Release notes for Red Hat OpenShift Pipelines General Availability 1.7.1

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.1 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.

Fixed issues

  • Before this update, upgrading the Red Hat OpenShift Pipelines Operator deleted the data in the database associated with Tekton Hub and installed a new database. With this update, an Operator upgrade preserves the data.

  • Before this update, only cluster administrators could access pipeline metrics in the OpenShift Container Platform console. With this update, users with other cluster roles also can access the pipeline metrics.

  • Before this update, pipeline runs failed for pipelines containing tasks that emit large termination messages. The pipeline runs failed because the total size of termination messages of all containers in a pod cannot exceed 12 KB. With this update, the place-tools and step-init initialization containers that uses the same image are merged to reduce the number of containers running in each tasks’s pod. The solution reduces the chance of failed pipeline runs by minimizing the number of containers running in a task’s pod. However, it does not remove the limitation of the maximum allowed size of a termination message.

  • Before this update, attempts to access resource URLs directly from the Tekton Hub web console resulted in an Nginx 404 error. With this update, the Tekton Hub web console image is fixed to allow accessing resource URLs directly from the Tekton Hub web console.

  • Before this update, for each namespace the resource pruner job created a separate container to prune resources. With this update, the resource pruner job runs commands for all namespaces as a loop in one container.

Release notes for Red Hat OpenShift Pipelines General Availability 1.7.2

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.2 is available on OpenShift Container Platform 4.9, 4.10, and the upcoming version.

Known issues

  • The chains-config config map for Tekton Chains in the openshift-pipelines namespace is automatically reset to default after upgrading the Red Hat OpenShift Pipelines Operator. Currently, there is no workaround for this issue.

Fixed issues

  • Before this update, tasks on Pipelines 1.7.1 failed on using init as the first argument, followed by two or more arguments. With this update, the flags are parsed correctly and the task runs are successful.

  • Before this update, installation of the Red Hat OpenShift Pipelines Operator on OpenShift Container Platform 4.9 and 4.10 failed due to invalid role binding, with the following error message:

    error updating rolebinding openshift-operators-prometheus-k8s-read-binding: RoleBinding.rbac.authorization.k8s.io "openshift-operators-prometheus-k8s-read-binding" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"openshift-operator-read"}: cannot change roleRef

    With this update, the Red Hat OpenShift Pipelines Operator installs with distinct role binding namespaces to avoid conflict with installation of other Operators.

  • Before this update, upgrading the Operator triggered a reset of the signing-secrets secret key for Tekton Chains to its default value. With this update, the custom secret key persists after you upgrade the Operator.

    Upgrading to Red Hat OpenShift Pipelines 1.7.2 resets the key. However, when you upgrade to future releases, the key is expected to persist.

  • Before this update, all S2I build tasks failed with an error similar to the following message:

    Error: error writing "0 0 4294967295\n" to /proc/22/uid_map: write /proc/22/uid_map: operation not permitted
    time="2022-03-04T09:47:57Z" level=error msg="error writing \"0 0 4294967295\\n\" to /proc/22/uid_map: write /proc/22/uid_map: operation not permitted"
    time="2022-03-04T09:47:57Z" level=error msg="(unable to determine exit status)"

    With this update, the pipelines-scc security context constraint (SCC) is compatible with the SETFCAP capability necessary for S2I and Buildah clustertasks. As a result, the S2I build tasks run successfully.

Release notes for Red Hat OpenShift Pipelines General Availability 1.7.3

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.3 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.

Fixed issues

  • Before this update, the Operator failed when creating RBAC resources if any namespace was in a Terminating state. With this update, the Operator ignores namespaces in a Terminating state and creates the RBAC resources.

  • Previously, upgrading the Red Hat OpenShift Pipelines Operator caused the pipeline service account to be recreated, which meant that the secrets linked to the service account were lost. This update fixes the issue. During upgrades, the Operator no longer recreates the pipeline service account. As a result, secrets attached to the pipeline service account persist after upgrades, and the resources (tasks and pipelines) continue to work correctly.

Release notes for Red Hat OpenShift Pipelines General Availability 1.6

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.6 is available on OpenShift Container Platform 4.9.

New features

In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.6.

  • With this update, you can configure a pipeline or task start command to return a YAML or JSON-formatted string by using the --output <string>, where <string> is yaml or json. Otherwise, without the --output option, the start command returns a human-friendly message that is hard for other programs to parse. Returning a YAML or JSON-formatted string is useful for continuous integration (CI) environments. For example, after a resource is created, you can use yq or jq to parse the YAML or JSON-formatted message about the resource and wait until that resource is terminated without using the showlog option.

  • With this update, you can authenticate to a registry using the auth.json authentication file of Podman. For example, you can use tkn bundle push to push to a remote registry using Podman instead of Docker CLI.

  • With this update, if you use the tkn [taskrun | pipelinerun] delete --all command, you can preserve runs that are younger than a specified number of minutes by using the new --keep-since <minutes> option. For example, to keep runs that are less than five minutes old, you enter tkn [taskrun | pipelinerun] delete -all --keep-since 5.

  • With this update, when you delete task runs or pipeline runs, you can use the --parent-resource and --keep-since options together. For example, the tkn pipelinerun delete --pipeline pipelinename --keep-since 5 command preserves pipeline runs whose parent resource is named pipelinename and whose age is five minutes or less. The tkn tr delete -t <taskname> --keep-since 5 and tkn tr delete --clustertask <taskname> --keep-since 5 commands work similarly for task runs.

  • This update adds support for the triggers resources to work with v1beta1 resources.

  • This update adds an ignore-running option to the tkn pipelinerun delete and tkn taskrun delete commands.

  • This update adds a create subcommand to the tkn task and tkn clustertask commands.

  • With this update, when you use the tkn pipelinerun delete --all command, you can use the new --label <string> option to filter the pipeline runs by label. Optionally, you can use the --label option with = and == as equality operators, or != as an inequality operator. For example, the tkn pipelinerun delete --all --label asdf and tkn pipelinerun delete --all --label==asdf commands both delete all the pipeline runs that have the asdf label.

  • With this update, you can fetch the version of installed Tekton components from the config map or, if the config map is not present, from the deployment controller.

  • With this update, triggers support the feature-flags and config-defaults config map to configure feature flags and to set default values respectively.

  • This update adds a new metric, eventlistener_event_count, that you can use to count events received by the EventListener resource.

  • This update adds v1beta1 Go API types. With this update, triggers now support the v1beta1 API version.

    With the current release, the v1alpha1 features are now deprecated and will be removed in a future release. Begin using the v1beta1 features instead.

  • In the current release, auto-prunning of resources is enabled by default. In addition, you can configure auto-prunning of task run and pipeline run for each namespace separately, by using the following new annotations:

    • operator.tekton.dev/prune.schedule: If the value of this annotation is different from the value specified at the TektonConfig custom resource definition, a new cron job in that namespace is created.

    • operator.tekton.dev/prune.skip: When set to true, the namespace for which it is configured will not be prunned.

    • operator.tekton.dev/prune.resources: This annotation accepts a comma-separated list of resources. To prune a single resource such as a pipeline run, set this annotation to "pipelinerun". To prune multiple resources, such as task run and pipeline run, set this annotation to "taskrun, pipelinerun".

    • operator.tekton.dev/prune.keep: Use this annotation to retain a resource without prunning.

    • operator.tekton.dev/prune.keep-since: Use this annotation to retain resources based on their age. The value for this annotation must be equal to the age of the resource in minutes. For example, to retain resources which were created not more than five days ago, set keep-since to 7200.

      The keep and keep-since annotations are mutually exclusive. For any resource, you must configure only one of them.

    • operator.tekton.dev/prune.strategy: Set the value of this annotation to either keep or keep-since.

  • Administrators can disable the creation of the pipeline service account for the entire cluster, and prevent privilege escalation by misusing the associated SCC, which is very similar to anyuid.

  • You can now configure feature flags and components by using the TektonConfig custom resource (CR) and the CRs for individual components, such as TektonPipeline and TektonTriggers. This level of granularity helps customize and test alpha features such as the Tekton OCI bundle for individual components.

  • You can now configure optional Timeouts field for the PipelineRun resource. For example, you can configure timeouts separately for a pipeline run, each task run, and the finally tasks.

  • The pods generated by the TaskRun resource now sets the activeDeadlineSeconds field of the pods. This enables OpenShift to consider them as terminating, and allows you to use specifically scoped ResourceQuota object for the pods.

  • You can use configmaps to eliminate metrics tags or labels type on a task run, pipeline run, task, and pipeline. In addition, you can configure different types of metrics for measuring duration, such as a histogram, gauge, or last value.

  • You can define requests and limits on a pod coherently, as Tekton now fully supports the LimitRange object by considering the Min, Max, Default, and DefaultRequest fields.

  • The following alpha features are introduced:

    • A pipeline run can now stop after running the finally tasks, rather than the previous behavior of stopping the execution of all task run directly. This update adds the following spec.status values:

      • StoppedRunFinally will stop the currently running tasks after they are completed, and then run the finally tasks.

      • CancelledRunFinally will immediately cancel the running tasks, and then run the finally tasks.

      • Cancelled will retain the previous behavior provided by the PipelineRunCancelled status.

        The Cancelled status replaces the deprecated PipelineRunCancelled status, which will be removed in the v1 version.

    • You can now use the oc debug command to put a task run into debug mode, which pauses the execution and allows you to inspect specific steps in a pod.

    • When you set the onError field of a step to continue, the exit code for the step is recorded and passed on to subsequent steps. However, the task run does not fail and the execution of the rest of the steps in the task continues. To retain the existing behavior, you can set the value of the onError field to stopAndFail.

    • Tasks can now accept more parameters than are actually used. When the alpha feature flag is enabled, the parameters can implicitly propagate to inlined specs. For example, an inlined task can access parameters of its parent pipeline run, without explicitly defining each parameter for the task.

    • If you enable the flag for the alpha features, the conditions under When expressions will only apply to the task with which it is directly associated, and not the dependents of the task. To apply the When expressions to the associated task and its dependents, you must associate the expression with each dependent task separately. Note that, going forward, this will be the default behavior of the When expressions in any new API versions of Tekton. The existing default behavior will be deprecated in favor of this update.

  • The current release enables you to configure node selection by specifying the nodeSelector and tolerations values in the TektonConfig custom resource (CR). The Operator adds these values to all the deployments that it creates.

    • To configure node selection for the Operator’s controller and webhook deployment, you edit the config.nodeSelector and config.tolerations fields in the specification for the Subscription CR, after installing the Operator.

    • To deploy the rest of the control plane pods of OpenShift Pipelines on an infrastructure node, update the TektonConfig CR with the nodeSelector and tolerations fields. The modifications are then applied to all the pods created by Operator.

Deprecated features

  • In CLI 0.21.0, support for all v1alpha1 resources for clustertask, task, taskrun, pipeline, and pipelinerun commands are deprecated. These resources are now deprecated and will be removed in a future release.

  • In Tekton Triggers v0.16.0, the redundant status label is removed from the metrics for the EventListener resource.

    Breaking change: The status label has been removed from the eventlistener_http_duration_seconds_* metric. Remove queries that are based on the status label.

  • With the current release, the v1alpha1 features are now deprecated and will be removed in a future release. With this update, you can begin using the v1beta1 Go API types instead. Triggers now supports the v1beta1 API version.

  • With the current release, the EventListener resource sends a response before the triggers finish processing.

    Breaking change: With this change, the EventListener resource stops responding with a 201 Created status code when it creates resources. Instead, it responds with a 202 Accepted response code.

  • The current release removes the podTemplate field from the EventListener resource.

    Breaking change: The podTemplate field, which was deprecated as part of #1100, has been removed.

  • The current release removes the deprecated replicas field from the specification for the EventListener resource.

    Breaking change: The deprecated replicas field has been removed.

  • In Red Hat OpenShift Pipelines 1.6, the values of HOME="/tekton/home" and workingDir="/workspace" are removed from the specification of the Step objects.

    Instead, Red Hat OpenShift Pipelines sets HOME and workingDir to the values defined by the containers running the Step objects. You can override these values in the specification of your Step objects.

    To use the older behavior, you can change the disable-working-directory-overwrite and disable-home-env-overwrite fields in the TektonConfig CR to false:

    apiVersion: operator.tekton.dev/v1alpha1
      kind: TektonConfig
      metadata:
        name: config
      spec:
        pipeline:
          disable-working-directory-overwrite: false
          disable-home-env-overwrite: false
      ...

    The disable-working-directory-overwrite and disable-home-env-overwrite fields in the TektonConfig CR are now deprecated and will be removed in a future release.

Known issues

  • When you run Maven and Jib-Maven cluster tasks, the default container image is supported only on Intel (x86) architecture. Therefore, tasks will fail on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters. As a workaround, you can specify a custom image by setting the MAVEN_IMAGE parameter value to maven:3.6.3-adoptopenjdk-11.

  • On IBM Power Systems, IBM Z, and LinuxONE, the s2i-dotnet cluster task is unsupported.

  • Before you install tasks based on the Tekton Catalog on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) using tkn hub, verify if the task can be executed on these platforms. To check if ppc64le and s390x are listed in the "Platforms" section of the task information, you can run the following command: tkn hub info task <name>

  • You cannot use the nodejs:14-ubi8-minimal image stream because doing so generates the following errors:

    STEP 7: RUN /usr/libexec/s2i/assemble
    /bin/sh: /usr/libexec/s2i/assemble: No such file or directory
    subprocess exited with status 127
    subprocess exited with status 127
    error building at STEP "RUN /usr/libexec/s2i/assemble": exit status 127
    time="2021-11-04T13:05:26Z" level=error msg="exit status 127"

Fixed issues

  • The tkn hub command is now supported on IBM Power Systems, IBM Z, and LinuxONE.

  • Before this update, the terminal was not available after the user ran a tkn command, and the pipeline run was done, even if retries were specified. Specifying a timeout in the task run or pipeline run had no effect. This update fixes the issue so that the terminal is available after running the command.

  • Before this update, running tkn pipelinerun delete --all would delete all resources. This update prevents the resources in the running state from getting deleted.

  • Before this update, using the tkn version --component=<component> command did not return the component version. This update fixes the issue so that this command returns the component version.

  • Before this update, when you used the tkn pr logs command, it displayed the pipelines output logs in the wrong task order. This update resolves the issue so that logs of completed PipelineRuns are listed in the appropriate TaskRun execution order.

  • Before this update, editing the specification of a running pipeline might prevent the pipeline run from stopping when it was complete. This update fixes the issue by fetching the definition only once and then using the specification stored in the status for verification. This change reduces the probability of a race condition when a PipelineRun or a TaskRun refers to a Pipeline or Task that changes while it is running.

  • When expression values can now have array parameter references, such as: values: [$(params.arrayParam[*])].

Release notes for Red Hat OpenShift Pipelines General Availability 1.6.1

Known issues

  • After upgrading to Red Hat OpenShift Pipelines 1.6.1 from an older version, Pipelines might enter an inconsistent state where you are unable to perform any operations (create/delete/apply) on Tekton resources (tasks and pipelines). For example, while deleting a resource, you might encounter the following error:

    Error from server (InternalError): Internal error occurred: failed calling webhook "validation.webhook.pipeline.tekton.dev": Post "https://tekton-pipelines-webhook.openshift-pipelines.svc:443/resource-validation?timeout=10s": service "tekton-pipelines-webhook" not found.

Fixed issues

  • The SSL_CERT_DIR environment variable (/tekton-custom-certs) set by Red Hat OpenShift Pipelines will not override the following default system directories with certificate files:

    • /etc/pki/tls/certs

    • /etc/ssl/certs

    • /system/etc/security/cacerts

  • The Horizontal Pod Autoscaler can manage the replica count of deployments controlled by the Red Hat OpenShift Pipelines Operator. From this release onward, if the count is changed by an end user or an on-cluster agent, the Red Hat OpenShift Pipelines Operator will not reset the replica count of deployments managed by it. However, the replicas will be reset when you upgrade the Red Hat OpenShift Pipelines Operator.

  • The pod serving the tkn CLI will now be scheduled on nodes, based on the node selector and toleration limits specified in the TektonConfig custom resource.

Release notes for Red Hat OpenShift Pipelines General Availability 1.6.2

Known issues

  • When you create a new project, the creation of the pipeline service account is delayed, and removal of existing cluster tasks and pipeline templates takes more than 10 minutes.

Fixed issues

  • Before this update, multiple instances of Tekton installer sets were created for a pipeline after upgrading to Red Hat OpenShift Pipelines 1.6.1 from an older version. With this update, the Operator ensures that only one instance of each type of TektonInstallerSet exists after an upgrade.

  • Before this update, all the reconcilers in the Operator used the component version to decide resource recreation during an upgrade to Red Hat OpenShift Pipelines 1.6.1 from an older version. As a result, those resources were not recreated whose component versions did not change in the upgrade. With this update, the Operator uses the Operator version instead of the component version to decide resource recreation during an upgrade.

  • Before this update, the pipelines webhook service was missing in the cluster after an upgrade. This was due to an upgrade deadlock on the config maps. With this update, a mechanism is added to disable webhook validation if the config maps are absent in the cluster. As a result, the pipelines webhook service persists in the cluster after an upgrade.

  • Before this update, cron jobs for auto-pruning got recreated after any configuration change to the namespace. With this update, cron jobs for auto-pruning get recreated only if there is a relevant annotation change in the namespace.

  • The upstream version of Tekton Pipelines is revised to v0.28.3, which has the following fixes:

    • Fix PipelineRun or TaskRun objects to allow label or annotation propagation.

    • For implicit params:

      • Do not apply the PipelineSpec parameters to the TaskRefs object.

      • Disable implicit param behavior for the Pipeline objects.

Release notes for Red Hat OpenShift Pipelines General Availability 1.6.3

Fixed issues

  • Before this update, the Red Hat OpenShift Pipelines Operator installed pod security policies from components such as Pipelines and Triggers. However, the pod security policies shipped as part of the components were deprecated in an earlier release. With this update, the Operator stops installing pod security policies from components. As a result, the following upgrade paths are affected:

    • Upgrading from Pipelines 1.6.1 or 1.6.2 to Pipelines