$ oc get tektonconfig config
This guide walks cluster administrators through the process of installing the Red Hat OpenShift Pipelines Operator to an OpenShift Container Platform cluster.
You have access to an OpenShift Container Platform cluster using an account with
You have installed
You have installed OpenShift Pipelines (
tkn) CLI on your local system.
You can install Red Hat OpenShift Pipelines using the Operator listed in the OpenShift Container Platform OperatorHub. When you install the Red Hat OpenShift Pipelines Operator, the custom resources (CRs) required for the pipelines configuration are automatically installed along with the Operator.
The default Operator custom resource definition (CRD)
config.operator.tekton.dev is now replaced by
tektonconfigs.operator.tekton.dev. In addition, the Operator provides the following additional CRDs to individually manage OpenShift Pipelines components:
If you have OpenShift Pipelines already installed on your cluster, the existing installation is seamlessly upgraded. The Operator will replace the instance of
config.operator.tekton.dev on your cluster with an instance of
tektonconfigs.operator.tekton.dev and additional objects of the other CRDs as necessary.
If you manually changed your existing installation, such as, changing the target namespace in the
The Red Hat OpenShift Pipelines Operator now provides the option to choose the components that you want to install by specifying profiles as part of the
TektonConfig CR. The
TektonConfig CR is automatically installed when the Operator is installed.
The supported profiles are:
Lite: This installs only Tekton Pipelines.
Basic: This installs Tekton Pipelines and Tekton Triggers.
All: This is the default profile used when the
TektonConfig CR is installed. This profile installs all of the Tekton components: Tekton Pipelines, Tekton Triggers, Tekton Addons (which include
In the Administrator perspective of the web console, navigate to Operators → OperatorHub.
Use the Filter by keyword box to search for
Red Hat OpenShift Pipelines Operator in the catalog. Click the Red Hat OpenShift Pipelines Operator tile.
Read the brief description about the Operator on the Red Hat OpenShift Pipelines Operator page. Click Install.
On the Install Operator page:
Select All namespaces on the cluster (default) for the Installation Mode. This mode installs the Operator in the default
openshift-operators namespace, which enables the Operator to watch and be made available to all namespaces in the cluster.
Select Automatic for the Approval Strategy. This ensures that the future upgrades to the Operator are handled automatically by the Operator Lifecycle Manager (OLM). If you select the Manual approval strategy, OLM creates an update request. As a cluster administrator, you must then manually approve the OLM update request to update the Operator to the new version.
Select an Update Channel.
The stable channel enables installation of the latest stable and supported release of the Red Hat OpenShift Pipelines Operator.
The preview channel enables installation of the latest preview version of the Red Hat OpenShift Pipelines Operator, which may contain features that are not yet available from the stable channel and is not supported.
Click Install. You will see the Operator listed on the Installed Operators page.
The Operator is installed automatically into the
Verify that the Status is set to Succeeded Up to date to confirm successful installation of Red Hat OpenShift Pipelines Operator.
The success status may show as Succeeded Up to date even if installation of other components is in-progress. Therefore, it is important to verify the installation manually in the terminal.
Verify that all components of the Red Hat OpenShift Pipelines Operator were installed successfully. Login to the cluster on the terminal, and run the following command:
$ oc get tektonconfig config
NAME VERSION READY REASON config 1.9.2 True
If the READY condition is True, the Operator and its components have been installed successfully.
Additonally, check the components' versions by running the following command:
$ oc get tektonpipeline,tektontrigger,tektonaddon,pac
NAME VERSION READY REASON tektonpipeline.operator.tekton.dev/pipeline v0.41.1 True NAME VERSION READY REASON tektontrigger.operator.tekton.dev/trigger v0.22.2 True NAME VERSION READY REASON tektonaddon.operator.tekton.dev/addon 1.9.2 True NAME VERSION READY REASON openshiftpipelinesascode.operator.tekton.dev/pipelines-as-code v0.15.5 True
You can install Red Hat OpenShift Pipelines Operator from the OperatorHub using the CLI.
Create a Subscription object YAML file to subscribe a namespace to the Red Hat OpenShift Pipelines Operator,
apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: openshift-pipelines-operator namespace: openshift-operators spec: channel: <channel name> (1) name: openshift-pipelines-operator-rh (2) source: redhat-operators (3) sourceNamespace: openshift-marketplace (4)
|1||Specify the channel name from where you want to subscribe the Operator|
|2||Name of the Operator to subscribe to.|
|3||Name of the CatalogSource that provides the Operator.|
|4||Namespace of the CatalogSource. Use
Create the Subscription object:
$ oc apply -f sub.yaml
The Red Hat OpenShift Pipelines Operator is now installed in the default target namespace
The Red Hat OpenShift Pipelines Operator enables support for installation of pipelines in a restricted network environment.
The Operator installs a proxy webhook that sets the proxy environment variables in the containers of the pod created by tekton-controllers based on the
cluster proxy object. It also sets the proxy environment variables in the
Operator Proxy Webhook resources.
By default, the proxy webhook is disabled for the
openshift-pipelines namespace. To disable it for any other namespace, you can add the
operator.tekton.dev/disable-proxy: true label to the
The default installation of the Red Hat OpenShift Pipelines Operator creates multiple role-based access control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the
^(openshift|kube)-* regular expression pattern. Among these RBAC resources, the
pipelines-scc-rolebinding security context constraint (SCC) role binding resource is a potential security issue, because the associated
pipelines-scc SCC has the
To disable the automatic creation of cluster-wide RBAC resources after the Red Hat OpenShift Pipelines Operator is installed, cluster administrators can set the
createRbacResource parameter to
false in the cluster-level
TektonConfig custom resource (CR).
apiVersion: operator.tekton.dev/v1alpha1 kind: TektonConfig metadata: name: config spec: params: - name: createRbacResource value: "false" profile: all targetNamespace: openshift-pipelines addon: params: - name: clusterTasks value: "true" - name: pipelineTemplates value: "true" ...
As a cluster administrator or an user with appropriate privileges, when you disable the automatic creation of RBAC resources for all namespaces, the default
You can learn more about installing Operators on OpenShift Container Platform in the adding Operators to a cluster section.
To install Tekton Chains using the Red Hat OpenShift Pipelines Operator, see Using Tekton Chains for Red Hat OpenShift Pipelines supply chain security.
To install and deploy in-cluster Tekton Hub, see Using Tekton Hub with Red Hat OpenShift Pipelines.
For more information on using pipelines in a restricted environment, see: