
Red Hat OpenShift Pipelines is a cloud-native CI/CD experience based on the Tekton project which provides:

  • Standard Kubernetes-native pipeline definitions (CRDs).

  • Serverless pipelines with no CI server management overhead.

  • Extensibility to build images using any Kubernetes tool, such as S2I, Buildah, JIB, and Kaniko.

  • Portability across any Kubernetes distribution.

  • Powerful CLI for interacting with pipelines.

  • Integrated user experience with the Developer perspective of the OpenShift Container Platform web console.

For an overview of Red Hat OpenShift Pipelines, see Understanding OpenShift Pipelines.

Compatibility and support matrix

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.

In the table, features are marked with the following statuses:

TP: Technology Preview

GA: General Availability

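Table 1. Compatibility and support matrix

The Pipelines, Triggers, CLI, Catalog, Chains, Hub, and Pipelines as Code columns give component versions.

| Red Hat OpenShift Pipelines Version (Operator) | Pipelines | Triggers | CLI | Catalog | Chains | Hub | Pipelines as Code | OpenShift Version | Support Status |
|---|---|---|---|---|---|---|---|---|---|
| 1.8 | 0.37.x | 0.20.x | 0.24.x | NA | 0.9.0 (TP) | 1.8.x (TP) | 0.10.x (TP) | 4.10, 4.11, 4.12 (planned) | GA |
| 1.7 | 0.33.x | 0.19.x | 0.23.x | 0.33 | 0.8.0 (TP) | 1.7.0 (TP) | 0.5.4 (TP) | 4.9, 4.10 | GA |
| 1.6 | 0.28.x | 0.16.x | 0.21.x | 0.28 | N/A | N/A | N/A | 4.9 | GA |
| 1.5 | 0.24.x | 0.14.x (TP) | 0.19.x | 0.24 | N/A | N/A | N/A | 4.8 | GA |
| 1.4 | 0.22.x | 0.12.x (TP) | 0.17.x | 0.22 | N/A | N/A | N/A | 4.7 | GA |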

Additionally, support for running Red Hat OpenShift Pipelines on ARM hardware is in Technology Preview.

For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Release notes for Red Hat OpenShift Pipelines General Availability 1.8

With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.8 is available on OpenShift Container Platform 4.10, and is planned to be available on OpenShift Container Platform 4.11 and 4.12.

New features

In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.8.

Pipelines

  • With this update, you can run Red Hat OpenShift Pipelines GA 1.8 and later on an OpenShift Container Platform cluster that is running on ARM hardware. This includes support for ClusterTask resources and the tkn CLI tool.

Running Red Hat OpenShift Pipelines on ARM hardware is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

  • This update implements Step and Sidecar overrides for TaskRun resources.

  • This update adds minimal TaskRun and Run statuses within PipelineRun statuses.

    To enable this feature, in the TektonConfig custom resource definition, in the pipeline section, you must set the enable-api-fields field to alpha.

  • With this update, the graceful termination of pipeline runs feature is promoted from an alpha feature to a stable feature. As a result, the previously deprecated PipelineRunCancelled status remains deprecated and is planned to be removed in a future release.

    Because this feature is available by default, you no longer need to set the pipeline.enable-api-fields field to alpha in the TektonConfig custom resource definition.

  • With this update, you can specify the workspace for a pipeline task by using the name of the workspace. This change makes it easier to specify a shared workspace for a pair of Pipeline and PipelineTask resources. You can also continue to map workspaces explicitly.

    To enable this feature, in the TektonConfig custom resource definition, in the pipeline section, you must set the enable-api-fields field to alpha.

  • With this update, parameters in embedded specifications are propagated without mutations.

  • With this update, you can specify the required metadata of a Task resource referenced by a PipelineRun resource by using annotations and labels. This way, Task metadata that depends on the execution context is available during the pipeline run.

  • This update adds support for object or dictionary types in params and results values. This change affects backward compatibility and sometimes breaks forward compatibility, such as using an earlier client with a later Red Hat OpenShift Pipelines version. This update changes the ArrayOrStruct structure, which affects projects that use the Go language API as a library.

  • This update adds a SkippingReason value to the SkippedTasks field of the PipelineRun status fields so that users know why a given PipelineTask was skipped.

  • This update supports an alpha feature in which you can use an array type for emitting results from a Task object. The result type is changed from string to ArrayOrString. For example, a task can specify a type to produce an array result:

    kind: Task
    apiVersion: tekton.dev/v1beta1
    metadata:
      name: write-array
      annotations:
        description: |
          A simple task that writes array
    spec:
      results:
        - name: array-results
          type: array
          description: The array results
    ...

    Additionally, you can run a task script to populate the results with an array:

    $ echo -n "[\"hello\",\"world\"]" | tee $(results.array-results.path)

    To enable this feature, in the TektonConfig custom resource definition, in the pipeline section, you must set the enable-api-fields field to alpha.

    This feature is in progress and is part of TEP-0076.

Triggers

  • This update transitions the TriggerGroups field in the EventListener specification from an alpha feature to a stable feature. Using this field, you can specify a set of interceptors before selecting and running a group of triggers.

    Because this feature is available by default, you no longer need to set the pipeline.enable-api-fields field to alpha in the TektonConfig custom resource definition.

  • With this update, the Trigger resource supports end-to-end secure connections by running the ClusterInterceptor server using HTTPS.

CLI

  • With this update, you can use the tkn taskrun export command to export a live task run from a cluster to a YAML file, which you can use to import the task run to another cluster.

  • With this update, you can add the -o name flag to the tkn pipeline start command to print the name of the pipeline run right after it starts.

  • This update adds a list of available plug-ins to the output of the tkn --help command.

  • With this update, while deleting a pipeline run or task run, you can use both the --keep and --keep-since flags together.

  • With this update, you can use Cancelled as the value of the spec.status field rather than the deprecated PipelineRunCancelled value.

Operator

  • With this update, as an administrator, you can configure your local Tekton Hub instance to use a custom database rather than the default database.

  • With this update, as a cluster administrator, if you enable your local Tekton Hub instance, it periodically refreshes the database so that changes in the catalog appear in the Tekton Hub web console. You can adjust the period between refreshes.

    Previously, to add the tasks and pipelines in the catalog to the database, you performed that task manually or set up a cron job to do it for you.

  • With this update, you can install and run a Tekton Hub instance with minimal configuration. This way, you can start working with your teams to decide which additional customizations they might want.

  • This update adds GIT_SSL_CAINFO to the git-clone task so you can clone secured repositories.

Tekton Chains

Tekton Chains is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

  • With this update, you can log in to a vault by using OIDC rather than a static token. This change means that Spire can generate the OIDC credential so that only trusted workloads are allowed to log in to the vault. Additionally, you can pass the vault address as a configuration value rather than inject it as an environment variable.

  • The chains-config config map for Tekton Chains in the openshift-pipelines namespace is automatically reset to default after upgrading the Red Hat OpenShift Pipelines Operator because directly updating the config map is not supported when installed by using the Red Hat OpenShift Pipelines Operator. However, with this update, you can configure Tekton Chains by using the TektonChain custom resource. This feature enables your configuration to persist after upgrading, unlike the chains-config config map, which gets overwritten during upgrades.

Tekton Hub

Tekton Hub is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

  • With this update, if you install a fresh instance of Tekton Hub by using the Operator, the Tekton Hub login is disabled by default. To enable the login and rating features, you must create the Hub API secret while installing Tekton Hub.

    Because Tekton Hub login was enabled by default in Red Hat OpenShift Pipelines 1.7, if you upgrade the Operator, the login is enabled by default in Red Hat OpenShift Pipelines 1.8. To disable this login, see Disabling Tekton Hub login after upgrading from OpenShift Pipelines 1.7.x → 1.8.x.

  • With this update, as an administrator, you can configure your local Tekton Hub instance to use a custom PostgreSQL 13 database rather than the default database. To do so, create a Secret resource named tekton-hub-db. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: tekton-hub-db
      labels:
        app: tekton-hub-db
    type: Opaque
    stringData:
      POSTGRES_HOST: <hostname>
      POSTGRES_DB: <database_name>
      POSTGRES_USER: <user_name>
      POSTGRES_PASSWORD: <user_password>
      POSTGRES_PORT: <listening_port_number>

  • With this update, you no longer need to log in to the Tekton Hub web console to add resources from the catalog to the database. Now, these resources are automatically added when the Tekton Hub API starts running for the first time.

  • This update automatically refreshes the catalog every 30 minutes by calling the catalog refresh API job. This interval is user-configurable.

Pipelines as Code

Pipelines as Code (PAC) is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

  • With this update, as a developer, you get a notification from the tkn-pac CLI tool if you try to add a duplicate repository to a Pipelines as Code run. When you enter tkn pac create repository, each repository must have a unique URL. This notification also helps prevent hijacking exploits.

  • With this update, as a developer, you can use the new tkn-pac setup cli command to add a Git repository to Pipelines as Code by using the webhook mechanism. This way, you can use Pipelines as Code even when using GitHub Apps is not feasible. This capability includes support for repositories on GitHub, GitLab, and BitBucket.

  • With this update, Pipelines as Code supports GitLab integration with features such as the following:

    • ACL (Access Control List) on project or group

    • /ok-to-test support from allowed users

    • /retest support.

  • With this update, you can perform advanced pipeline filtering with Common Expression Language (CEL). With CEL, you can match pipeline runs with different Git provider events by using annotations in the PipelineRun resource. For example:

    ...
    annotations:
      pipelinesascode.tekton.dev/on-cel-expression: |
        event == "pull_request" && target_branch == "main" && source_branch == "wip"

  • Previously, as a developer, you could have only one pipeline run in your .tekton directory for each Git event, such as a pull request. With this update, you can have multiple pipeline runs in your .tekton directory. The web console displays the status and reports of the runs. The pipeline runs operate in parallel and report back to the Git provider interface.

  • With this update, you can test or retest a pipeline run by commenting /test or /retest on a pull request. You can also specify the pipeline run by name. For example, you can enter /test <pipelinerun_name> or /retest <pipelinerun_name>.

  • With this update, you can delete a repository custom resource and its associated secrets by using the new tkn-pac delete repository command.

Breaking changes

  • This update changes the default metrics level of TaskRun and PipelineRun resources to the following values:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: config-observability
      namespace: tekton-pipelines
      labels:
        app.kubernetes.io/instance: default
        app.kubernetes.io/part-of: tekton-pipelines
    data:
      _example: |
        ...
        metrics.taskrun.level: "task"
        metrics.taskrun.duration-type: "histogram"
        metrics.pipelinerun.level: "pipeline"
        metrics.pipelinerun.duration-type: "histogram"

  • With this update, if an annotation or label is present in both Pipeline and PipelineRun resources, the value in the Run type takes precedence. The same is true if an annotation or label is present in Task and TaskRun resources.

  • In Red Hat OpenShift Pipelines 1.8, the previously deprecated PipelineRun.Spec.ServiceAccountNames field has been removed. Use the PipelineRun.Spec.TaskRunSpecs field instead.

  • In Red Hat OpenShift Pipelines 1.8, the previously deprecated TaskRun.Status.ResourceResults.ResourceRef field has been removed. Use the TaskRun.Status.ResourceResults.ResourceName field instead.

  • In Red Hat OpenShift Pipelines 1.8, the previously deprecated Conditions resource type has been removed. Remove the Conditions resource from Pipeline resource definitions that include it. Use when expressions in PipelineRun definitions instead.

  • For Tekton Chains, the tekton-provenance format has been removed in this release. Use the in-toto format by setting "artifacts.taskrun.format": "in-toto" in the TektonChain custom resource instead.

  • Red Hat OpenShift Pipelines 1.7.x shipped with Pipelines as Code 0.5.x. The current update ships with Pipelines as Code 0.10.x. This change creates a new route in the openshift-pipelines namespace for the new controller. You must update this route in GitHub Apps or webhooks that use Pipelines as Code. To fetch the route, use the following command:

    $ oc get route -n openshift-pipelines pipelines-as-code-controller \
      --template='https://{{ .spec.host }}'

  • With this update, Pipelines as Code renames the default secret keys for the Repository custom resource definition (CRD). In your CRD, replace token with provider.token, and replace secret with webhook.secret.

  • With this update, Pipelines as Code replaces a special template variable with one that supports multiple pipeline runs for private repositories. In your pipeline runs, replace secret: pac-git-basic-auth-{{repo_owner}}-{{repo_name}} with secret: {{ git_auth_secret }}.

  • With this update, Pipelines as Code updates the following commands in the tkn-pac CLI tool:

    • Replace tkn pac repository create with tkn pac create repository.

    • Replace tkn pac repository delete with tkn pac delete repository.

    • Replace tkn pac repository list with tkn pac list.
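
The following Python example is added here and is not part of the Red Hat release notes: it scans manifests and scripts for the constructs that the breaking changes above remove or rename, so that they can be found before an upgrade to 1.8. The YAML key spellings (serviceAccountNames, conditionRef), the Repository `key:` layout, the rule names, and the sample input are assumptions of this example.

```python
import re

# (rule id, regex, top-level kind the rule is limited to or None, advice).
# Replacements come from the list above; the regexes are this example's own.
RULES = [
    ("service-account-names", r"^\s*serviceAccountNames\s*:", None,
     "removed: use taskRunSpecs"),
    ("condition-resource", r"^kind:\s*Condition\s*$|\bconditionRef\s*:", None,
     "removed: use when expressions"),
    ("chains-format", r"tekton-provenance", None,
     'removed: set "artifacts.taskrun.format": "in-toto"'),
    ("pac-auth-secret",
     r"pac-git-basic-auth-\{\{\s*repo_owner\s*\}\}-\{\{\s*repo_name\s*\}\}",
     None, "replace with {{ git_auth_secret }}"),
    ("pac-cli", r"tkn[ -]pac\s+repository\s+(create|delete|list)\b", None,
     "renamed: tkn pac create repository / delete repository / list"),
    # Assumption: a Repository CR names the secret key in a `key:` field.
    ("pac-secret-key", r"\bkey:\s*[\"']?(token|secret)[\"']?\s*$",
     "Repository", "default keys renamed: provider.token / webhook.secret"),
]

def scan(text):
    """Return [(line_no, rule_id, advice)] for one manifest or script."""
    findings, kind = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "---":   # next YAML document: forget the kind
            kind = None
        top = re.match(r"kind:\s*(\S+)", line)  # column 0 only, so a nested
        if top:                                 # taskRef kind is ignored
            kind = top.group(1)
        for rule_id, pattern, only_kind, advice in RULES:
            if only_kind in (None, kind) and re.search(pattern, line):
                findings.append((no, rule_id, advice))
    return findings

# Constructed sample: trimmed fragments of two manifests, not real resources.
SAMPLE = """\
kind: Repository
spec:
  git_provider:
    secret:
      name: demo-token
      key: token
---
kind: PipelineRun
spec:
  serviceAccountNames:
    - taskName: build
      serviceAccountName: builder
  workspaces:
    - name: basic-auth
      secret:
        secretName: pac-git-basic-auth-{{repo_owner}}-{{repo_name}}
"""

if __name__ == "__main__":
    for no, rule_id, advice in scan(SAMPLE):
        print(f"line {no}: {rule_id}: {advice}")
```

The `pac-secret-key` rule is advisory: a Repository resource that deliberately keeps a key named token or secret is still flagged and needs a manual check.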

Deprecated and removed features

  • Support for the tekton.dev/v1alpha1 API version, which was deprecated in Red Hat OpenShift Pipelines GA 1.6, is planned to be removed in the upcoming Red Hat OpenShift Pipelines GA 1.9 release.

    This change affects the pipeline component, which includes the TaskRun, PipelineRun, Task, Pipeline, and similar tekton.dev/v1alpha1 resources. As an alternative, update existing resources to use apiVersion: tekton.dev/v1beta1 as described in Migrating From Tekton v1alpha1 to Tekton v1beta1.

    Bug fixes and support for the tekton.dev/v1alpha1 API version are provided only through the end of the current GA 1.8 lifecycle.

    For the Tekton Operator, the operator.tekton.dev/v1alpha1 API version is not deprecated. You do not need to make changes to this value.

  • In Red Hat OpenShift Pipelines 1.8, the PipelineResource custom resource (CR) is available but no longer supported. The PipelineResource CR was a Tech Preview feature and part of the tekton.dev/v1alpha1 API, which has been deprecated and is planned to be removed in the upcoming Red Hat OpenShift Pipelines GA 1.9 release.

  • In Red Hat OpenShift Pipelines 1.8, the Condition custom resource (CR) is removed. The Condition CR was part of the tekton.dev/v1alpha1 API, which has been deprecated and is planned to be removed in the upcoming Red Hat OpenShift Pipelines GA 1.9 release.

  • In Red Hat OpenShift Pipelines 1.8, the gcr.io image for gsutil has been removed. This removal might break clusters with Pipeline resources that depend on this image. Bug fixes and support are provided only through the end of the Red Hat OpenShift Pipelines 1.7 lifecycle.

  • In Red Hat OpenShift Pipelines 1.8, the PipelineRun.Status.TaskRuns and PipelineRun.Status.Runs</