×

Tekton Hub is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Tekton Hub helps you discover, search, and share reusable tasks and pipelines for your CI/CD workflows. A public instance of Tekton Hub is available at hub.tekton.dev. Cluster administrators can also install and deploy a custom instance of Tekton Hub for enterprise use.

Installing and deploying Tekton Hub on a OpenShift Container Platform cluster

Tekton Hub is an optional component; cluster administrators cannot install it using the TektonConfig custom resource (CR). To install and manage Tekton Hub, use the TektonHub CR.

You can install Tekton Hub on your cluster using two modes:

  • Without login authorization and ratings for Tekton Hub artifacts

  • with login autorization and ratings for Tekton Hub artifacts

If you are using Github Enterprise or Gitlab Enterprise, install and deploy Tekton Hub in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy Tekton Hub on a cluster that is also behind the VPN.

Installing Tekton Hub without login and rating

You can install Tekton Hub on your cluster automatically with default configuration. When using the default configuration, Tekton Hub does not support login with authorization and ratings for Tekton Hub artifacts.

Prerequisites
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the default openshift-pipelines namespace on the cluster.

Procedure
  1. Create a TektonHub CR similar to the following example.

    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonHub
    metadata:
      name: hub
    spec:
      targetNamespace: openshift-pipelines (1)
      api:
        hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml (2)
        catalogRefreshInterval: 30m (3)
    1 The namespace in which Tekton Hub must be installed; default is openshift-pipelines.
    2 The URL of the config.yaml file.
    3 The time interval after which the catalog refreshes automatically. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). The default interval is 30 minutes.
  2. Apply the TektonHub CR.

    $ oc apply -f <TektonHub>.yaml (1)
    1 The file name or path of the TektonHub CR.

    When you apply the TektonHub CR, Tekton Hub is installed on the cluster in the openshift-pipelines namespace, with upstream Tekton Catalog content.

  3. Check the status of the installation. The TektonHub CR might take some time to attain steady state.

    $ oc get tektonhub.operator.tekton.dev
    Sample output
    NAME   VERSION   READY   REASON   APIURL                    UIURL
    hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/

Installating Tekton Hub with login and rating

You can install Tekton Hub on your cluster with custom configuration that supports login with authorization and ratings for Tekton Hub artifacts.

Prerequisites
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the default openshift-pipelines namespace on the cluster.

Procedure
  1. Create a fork of the Tekton Hub repository.

  2. Clone the forked repository.

  3. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. The supported providers are GitHub, GitLab, and BitBucket.

  4. Edit the <tekton_hub_repository>/config/02-api/20-api-secret.yaml file of your cloned repository to include the Tekton Hub API secrets:

    apiVersion: v1
    kind: Secret
    metadata:
      name: tekton-hub-api
      namespace: openshift-pipelines
    type: Opaque
    stringData:
      GH_CLIENT_ID: (1)
      GH_CLIENT_SECRET: (2)
      GL_CLIENT_ID: (3)
      GL_CLIENT_SECRET: (4)
      BB_CLIENT_ID: (5)
      BB_CLIENT_SECRET: (6)
      JWT_SIGNING_KEY: (7)
      ACCESS_JWT_EXPIRES_IN: (8)
      REFRESH_JWT_EXPIRES_IN: (9)
      AUTH_BASE_URL: (10)
      GHE_URL: (11)
      GLE_URL: (12)
    1 The Client ID from the GitHub OAuth application.
    2 The Client Secret from the GitHub OAuth application.
    3 The Client ID from the GitLab OAuth application.
    4 The Client Secret from the GitLab OAuth application.
    5 The Client ID from the BitBucket OAuth application.
    6 The Client Secret from the BitBucket OAuth application.
    7 A long, random string used to sign the JSON Web Token (JWT) created for users.
    8 Add the time limit after which the access token expires. For example, 1m, where m denotes minutes. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w).
    9 Add the time limit after which the refresh token expires. For example, 1m, where m denotes minutes. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
    10 Route URL for the OAuth application.
    11 GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
    12 GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.

    You can delete the unused fields for the Git repository hosting service providers that are irrelevant to your deployment.

  5. Create a TektonHub CR similar to the following example.

    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonHub
    metadata:
      name: hub
    spec:
      targetNamespace: openshift-pipelines (1)
      api:
        hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml (2)
        catalogRefreshInterval: 30m (3)
    1 The namespace in which Tekton Hub must be installed; default is openshift-pipelines.
    2 Substitute with the URL of the config.yaml file.
    3 The time interval after which the catalog refreshes automatically. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). The default interval is 30 minutes.
  6. Apply the TektonHub CR.

    $ oc apply -f <TektonHub>.yaml (1)
    1 The file name or path of the TektonHub CR.

    When you apply the TektonHub CR, Tekton Hub is installed on the cluster in the openshift-pipelines namespace, with upstream Tekton Catalog content.

  7. Check the status of the installation. The TektonHub CR might take some time to attain steady state.

    $ oc get tektonhub.operator.tekton.dev
    NAME   VERSION   READY   REASON   APIURL                    UIURL
    hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/

Optional: Adding new users in Tekton Hub configuration

Procedure
  1. Depending on the intended scope, cluster administrators can add new users in the config.yaml file.

    ...
    scopes:
      - name: agent:create
        users: [<username_1>, <username_2>] (1)
      - name: catalog:refresh
        users: [<username_3>, <username_4>]
      - name: config:refresh
        users: [<username_5>, <username_6>]
    
    default:
      scopes:
        - rating:read
        - rating:write
    ...
    1 The usernames registered with the Git repository hosting service provider.

    When any user logs in for the first time, they will have only the default scope even if they are added in the config.yaml. To activate additional scopes, ensure the user has logged in at least once.

  2. Ensure that in the config.yaml file, you have the config-refresh scope.

  3. Refresh the configuration.

    $ curl -X POST -H "Authorization: <access-token>" \ (1)
        --header "Content-Type: application/json" \
        --data '{"force": true} \
        <api-route>/system/config/refresh
    1 The JWT token.

Optional: Using a custom database in Tekton Hub

Cluster administrators can use a custom database with Tekton Hub, instead of the default PostgreSQL database installed by the Operator. You can associate a custom database at the time of installation, and use it with the db-migration, api, and ui interfaces provided by Tekton Hub. Alternatively, you can associate a custom database with Tekton Hub even after the installation with the default database is complete.

Procedure
  1. Create a secret named tekton-hub-db in the target namespace with the following keys:

    • POSTGRES_HOST

    • POSTGRES_DB

    • POSTGRES_USER

    • POSTGRES_PASSWORD

    • POSTGRES_PORT

      Example: Custom database secrets
      apiVersion: v1
      kind: Secret
      metadata:
        name: tekton-hub-db
        labels:
          app: tekton-hub-db
      type: Opaque
      stringData:
        POSTGRES_HOST: <The name of the host of the database>
        POSTGRES_DB: <Name of the database>
        POSTGRES_USER: <The name of user account>
        POSTGRES_PASSWORD: <The password of user account>
        POSTGRES_PORT: <The port that the database is listening on>
      ...

      The default target namespace is openshift-pipelines.

  2. In the TektonHub CR, set the value of the database secret attribute to tekton-hub-db.

    Example: Adding custom database secret
    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonHub
    metadata:
      name: hub
    spec:
      targetNamespace: openshift-pipelines
      db:
        secret: tekton-hub-db
      api:
        hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml
        catalogRefreshInterval: 30m
    ...
  3. Use the updated TektonHub CR to associate the custom database with Tekton Hub.

    1. If you are associating the custom database at the time of installing Tekton Hub on your cluster, apply the updated TektonHub CR.

      $ oc apply -f <tekton-hub-cr>.yaml
    2. Alternatively, if you are associating the custom database after the installation of Tekton Hub is complete, replace the existing TektonHub CR with the updated TektonHub CR.

      $ oc replace -f <tekton-hub-cr>.yaml
  4. Check the status of the installation. The TektonHub CR might take some time to attain steady state.

    $ oc get tektonhub.operator.tekton.dev
    Sample output
    NAME   VERSION   READY   REASON   APIURL                    UIURL
    hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/

Disabling Tekton Hub authorization after upgrading the Red Hat OpenShift Pipelines Operator from 1.7 to 1.8

When you install Tekton Hub with Red Hat OpenShift Pipelines Operator 1.8, the login authorization and ratings for the Tekton Hub artifacts are disabled for the default installation. However, when you upgrade the Operator from 1.7 to 1.8, the instance of the Tekton Hub on your cluster does not automatically disable the login authorization and ratings.

To disable login authorization and ratings for Tekton Hub after upgrading the Operator from 1.7 to 1.8, perform the steps in the following procedure.

Prerequisites
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the default openshift-pipelines namespace on the cluster.

Procedure
  1. Delete the existing Tekton Hub API secret that you created while manually installing Tekton Hub for Operator 1.7.

    $ oc delete secret tekton-hub-api -n <targetNamespace> (1)
    1 The common namespace for the Tekton Hub API secret and the Tekton Hub CR. By default, the target namespace is openshift-pipelines.
  2. Delete the TektonInstallerSet object for the Tekton Hub API.

    $ oc get tektoninstallerset -o name | grep tekton-hub-api | xargs oc delete

    After deletion, the Operator automatically creates a new Tekton Hub API installer set.

    Wait and check the status of the Tekton Hub. Proceed to the next steps when the READY column displays True.

    $ oc get tektonhub hub
    Sample output
    NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
    hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
    
  3. Delete the ConfigMap object for the Tekton Hub UI.

    $ oc delete configmap tekton-hub-ui -n <targetNamespace> (1)
    1 The common namespace for the Tekton Hub UI and the Tekton Hub CR. By default, the target namespace is openshift-pipelines.
  4. Delete the TektonInstallerSet object for the Tekton Hub UI.

    $ oc get tektoninstallerset -o name | grep tekton-hub-ui | xargs oc delete

    After deletion, the Operator automatically creates a new Tekton Hub UI installer set.

    Wait and check the status of the Tekton Hub. Proceed to the next steps when the READY column displays True.

    $ oc get tektonhub hub
    Sample output
    NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
    hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
    

Opting out of Tekton Hub in the Developer perspective

Cluster administrators can opt out of displaying Tekton Hub resources, such as tasks and pipelines, in the Pipeline builder page of the Developer perspective of an OpenShift Container Platform cluster.

Prerequisite
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed on the cluster, and the oc command line tool is available.

Procedure
  • To opt of displaying Tekton Hub resources in the Developer perspective, set the value of the enable-devconsole-integration field in the TektonConfig custom resource (CR) to false.

    apiVersion: operator.tekton.dev/v1alpha1
      kind: TektonConfig
      metadata:
        name: config
      spec:
        targetNamespace: openshift-pipelines
        ...
        hub:
          params:
            - name: enable-devconsole-integration
              value: "false"
        ...

    By default, the TektonConfig CR does not include the enable-devconsole-integration field, and the Red Hat OpenShift Pipelines Operator assumes that the value is true.

Instead of opting out of displaying Tekton Hub resources in the Developer perspective, if you want to completely disable the Tekton Hub UI, set the enableUI field to false in the TektonHub CR.