×

Tekton Hub is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

Tekton Hub helps you discover, search, and share reusable tasks and pipelines for your CI/CD workflows. A public instance of Tekton Hub is available at hub.tekton.dev. Cluster administrators can also install and deploy a custom instance of Tekton Hub for enterprise use.

Installing and deploying Tekton Hub on a OpenShift Container Platform cluster

Tekton Hub is an optional component; cluster administrators cannot install it using the TektonConfig custom resource (CR). To install and manage Tekton Hub, use the TektonHub CR.

You can install Tekton Hub on your cluster using two modes:

  • Without login authorization and ratings for Tekton Hub artifacts

  • with login autorization and ratings for Tekton Hub artifacts

If you are using Github Enterprise or Gitlab Enterprise, install and deploy Tekton Hub in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy Tekton Hub on a cluster that is also behind the VPN.

Installing Tekton Hub without login and rating

You can install Tekton Hub on your cluster automatically with default configuration. When using the default configuration, Tekton Hub does not support login with authorization and ratings for Tekton Hub artifacts.

Prerequisites
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the default openshift-pipelines namespace on the cluster.

Procedure
  1. Create a TektonHub CR similar to the following example.

    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonHub
    metadata:
      name: hub
    spec:
      targetNamespace: openshift-pipelines (1)
      api:
        hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml (2)
        catalogRefreshInterval: 30m (3)
    1 The namespace in which Tekton Hub must be installed; default is openshift-pipelines.
    2 The URL of the config.yaml file.
    3 The time interval after which the catalog refreshes automatically. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). The default interval is 30 minutes.
  2. Apply the TektonHub CR.

    $ oc apply -f <TektonHub>.yaml (1)
    1 The file name or path of the TektonHub CR.

    When you apply the TektonHub CR, Tekton Hub is installed on the cluster in the openshift-pipelines namespace, with upstream Tekton Catalog content.

  3. Check the status of the installation. The TektonHub CR might take some time to attain steady state.

    $ oc get tektonhub.operator.tekton.dev
    Sample output
    NAME   VERSION   READY   REASON   APIURL                    UIURL
    hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/

Installating Tekton Hub with login and rating

You can install Tekton Hub on your cluster with custom configuration that supports login with authorization and ratings for Tekton Hub artifacts.

Prerequisites
  • Ensure that the Red Hat OpenShift Pipelines Operator is installed in the default openshift-pipelines namespace on the cluster.

Procedure
  1. Create a fork of the Tekton Hub repository.

  2. Clone the forked repository.

  3. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. The supported providers are GitHub, GitLab, and BitBucket.

  4. Edit the <tekton_hub_repository>/config/02-api/20-api-secret.yaml file of your cloned repository to include the Tekton Hub API secrets:

    apiVersion: v1
    kind: Secret
    metadata:
      name: tekton-hub-api
      namespace: openshift-pipelines
    type: Opaque
    stringData:
      GH_CLIENT_ID: (1)
      GH_CLIENT_SECRET: (2)
      GL_CLIENT_ID: (3)
      GL_CLIENT_SECRET: (4)
      BB_CLIENT_ID: (5)
      BB_CLIENT_SECRET: (6)
      JWT_SIGNING_KEY: (7)
      ACCESS_JWT_EXPIRES_IN: (8)
      REFRESH_JWT_EXPIRES_IN: (9)
      AUTH_BASE_URL: (10)
      GHE_URL: (11)
      GLE_URL: (12)
    1 The Client ID from the GitHub OAuth application.
    2 The Client Secret from the GitHub OAuth application.
    3 The Client ID from the GitLab OAuth application.
    4 The Client Secret from the GitLab OAuth application.
    5 The Client ID from the BitBucket OAuth application.
    6 The Client Secret from the BitBucket OAuth application.
    7 A long, random string used to sign the JSON Web Token (JWT) created for users.
    8 Add the time limit after which the access token expires. For example, 1m, where m denotes minutes. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w).
    9 Add the time limit after which the refresh token expires. For example, 1m, where m denotes minutes. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
    10 Route URL for the OAuth application.
    11 GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
    12 GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.

    You can delete the unused fields for the Git repository hosting service providers that are irrelevant to your deployment.

  5. Create a TektonHub CR similar to the following example.

    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonHub
    metadata:
      name: hub
    spec:
      targetNamespace: openshift-pipelines (1)
      api:
        hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml (2)
        catalogRefreshInterval: 30m (3)
    1 The namespace in which Tekton Hub must be installed; default is openshift-pipelines.
    2 Substitute with the URL of the config.yaml file.
    3 The time interval after which the catalog refreshes automatically. The supported units of time are seconds (s), minutes (m), hours (h), days (d), and weeks (w). The default interval is 30 minutes.
  6. Apply the TektonHub CR.

    $ oc apply -f <TektonHub>.yaml (1)
    1 The file name or path of the TektonHub CR.

    When you apply the TektonHub CR, Tekton Hub is installed on the cluster in the openshift-pipelines namespace, with upstream Tekton Catalog content.

  7. Check the status of the installation. The TektonHub CR might take some time to attain steady state.

    $ oc get tektonhub.operator.tekton.dev
    NAME   VERSION   READY   REASON   APIURL                    UIURL
    hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/

Optional: Adding new users in Tekton Hub configuration

Procedure
  1. Depending on the intended scope, cluster administrators can add new users in the config.yaml file.

    ...
    scopes:
      - name: agent:create
        users: [<username_1>, <username_2>] (1)
      - name: catalog:refresh
        users: [<username_3>, <username_4>]
      - name: config:refresh
        users: [<username_5>, <username_6>]
    
    default:
      scopes:
        - rating:read
        - rating:write
    ...
    1 The usernames registered with the Git repository hosting service provider.

    When any user logs in for the first time, they will have only the default scope even if they are added in the config.yaml. To activate additional scopes, ensure the user has logged in at least once.

  2. Ensure that in the config.yaml file, you have the config-refresh scope.

  3. Refresh the configuration.

    $ curl -X POST -H "Authorization: <access-token>" \ (1)
        --header "Content-Type: application/json" \
        --data '{"force": true} \
        <api-route>/system/config/refresh
    1 The JWT token.

Optional: Using a custom database in Tekton Hub

Cluster administrators can use a custom database with Tekton Hub, instead of the default PostgreSQL database installed by the Operator. You can associate a custom database at the time of installation, and use it with the db-migration, api, and ui interfaces provided by Tekton Hub. Alternatively, you can associate a custom database with Tekton Hub even after the installation with the default database is complete.

Procedure
  1. Create a secret named tekton-hub-db in the target namespace with the following keys:

    • POSTGRES_HOST

    • POSTGRES_DB

    • POSTGRES_USER

    • POSTGRES_PASSWORD

    • POSTGRES_PORT

      Example: Custom database secrets
      apiVersion: v1
      kind: Secret
      metadata:
        name: tekton-hub-db
        labels:
          app: tekton-hub-db
      type: Opaque
      stringData:
        POSTGRES_HOST: <The name of the host of the database>
        POSTGRE