$ tkn pipeline export test_pipeline -n openshift-pipelines
Red Hat OpenShift Pipelines is a cloud-native CI/CD experience based on the Tekton project which provides:
Standard Kubernetes-native pipeline definitions (CRDs).
Serverless pipelines with no CI server management overhead.
Extensibility to build images using any Kubernetes tool, such as S2I, Buildah, JIB, and Kaniko.
Portability across any Kubernetes distribution.
Powerful CLI for interacting with pipelines.
Integrated user experience with the Developer perspective of the OpenShift Container Platform web console.
For an overview of Red Hat OpenShift Pipelines, see Understanding OpenShift Pipelines.
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
TP |
Technology Preview |
GA |
General Availability |
Red Hat OpenShift Pipelines Version | Component Version | OpenShift Version | Support Status | |||
---|---|---|---|---|---|---|
Operator |
Pipelines |
Triggers |
CLI |
Catalog |
||
1.6 |
0.28.x |
0.16.x |
0.21.x |
0.28 |
4.9 |
GA |
1.5 |
0.24.x |
0.14.x |
0.19.x |
0.24 |
4.8 |
GA |
1.4 |
0.22.x |
0.12.x |
0.17.x |
0.22 |
4.7 |
GA |
In Red Hat OpenShift Pipelines 1.6, Triggers 0.16.x transitioned to GA status. In earlier versions, Triggers was available as a technology preview feature. |
For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.
In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.7.
With this update, pipelines-<version>
is the default channel to install the Red Hat OpenShift Pipelines Operator. For example, the default channel to install the Pipelines Operator version 1.7
is pipelines-1.7
. Cluster administrators can also use the latest
channel to install the most recent stable version of the Operator.
The |
When you run a command in a user namespace, your container runs as root
(user id 0
) but has user privileges on the host. With this update, to run pods in the user namespace, you must pass the annotations that CRI-O expects.
To add these annotations for all users, run the oc edit clustertask buildah
command and edit the buildah
cluster task.
To add the annotations to a specific namespace, export the cluster task as a task to that namespace.
With this update, the when
expressions in a Task
object are scoped to guard the tasks by default. To continue guarding the Task
object and its dependent tasks, set the scope-when-expressions-to-task
flag to true
.
The |
With this update, you can use variable substitution in the subPath
field of a workspace within a task.
With this update, you can reference parameters and results by using a bracket notation with single or double quotes. Prior to this update, you could only use the dot notation. For example, the following are now equivalent:
$(param.myparam)
, $(param['myparam'])
, and $(param["myparam"])
.
You can use single or double quotes to enclose parameter names that contain problematic characters, such as "."
. For example, $(param['my.param'])
and $(param["my.param"])
.
With this update, you can include the onError
parameter of a step in the task definition without enabling the enable-api-fields
flag.
With this update, the feature-flag-triggers
config map has a new field labels-exclusion-pattern
. You can set the value of this field to a regular expression (regex) pattern. The controller filters out labels that match the regex pattern from propagating from the event listener to the resources created for the event listener.
With this update, the TriggerGroups
field is added to the EventListener
specification. Using this field, you can specify a set of interceptors to run before selecting and running a group of triggers. To enable this feature, set the enable-api-fields
flag in the feature-flags-triggers
config map to alpha
.
With this update, Trigger
resources support custom runs defined by a TriggerTemplate
template.
With this update, Triggers support emitting Kubernetes events from an EventListener
pod.
With this update, count metrics are available for the following objects: ClusterInteceptor
, EventListener
, TriggerTemplate
, ClusterTriggerBinding
, and TriggerBinding
.
This update adds the ServicePort
specification to Kubernetes resource. You can use this specification to modify which port exposes the event listener service. The default port is 8080
.
With this update, you can use the targetURI
field in the EventListener
specification to send cloud events during trigger processing. To enable this feature, set the enable-api-fields
flag in the feature-flags-triggers
config map to alpha
.
With this update, the tekton-triggers-eventlistener-roles
object now has a patch
verb, in addition to the create
verb that already exists.
With this update, the securityContext.runAsUser
parameter is removed from event listener deployment.
With this update, the tkn [pipeline | pipelinerun] export
command exports a pipeline or pipeline run as a YAML file. For example:
Export a pipeline named test_pipeline
in the openshift-pipelines
namespace:
$ tkn pipeline export test_pipeline -n openshift-pipelines
Export a pipeline run named test_pipeline_run
in the openshift-pipelines
namespace:
$ tkn pipelinerun export test_pipeline_run -n openshift-pipelines
With this update, the --grace
option is added to the tkn pipelinerun cancel
. Use the --grace
option to terminate a pipeline run gracefully instead of forcing the termination. To enable this feature, set the enable-api-fields
flag in the feature-flags
config map to alpha
.
This update adds the Operator and Chains versions to the output of the tkn version
command.
Tekton Chains is a Technology Preview feature. |
With this update, the tkn pipelinerun describe
command displays all canceled task runs, when you cancel a pipeline run. Before this fix, only one task run was displayed.
With this update, you can skip supplying the asking specifications for optional workspace when you run the tkn [t | p | ct] start
command skips with the --skip-optional-workspace
flag. You can also skip it when running in interactive mode.
With this update, you can use the tkn chains
command to manage Tekton Chains. You can also use the --chains-namespace
option to specify the namespace where you want to install Tekton Chains.
Tekton Chains is a Technology Preview feature. |
With this update, you can use the Red Hat OpenShift Pipelines Operator to install and deploy Tekton Hub and Tekton Chains.
Tekton Chains and deployment of Tekton Hub on a cluster are Technology Preview features. |
With this update, you can find and use Pipelines as Code (PAC) as an add-on option.
Pipelines as Code is a Technology Preview feature. |
With this update, you can now disable the installation of community cluster tasks by setting the communityClusterTasks
parameter to false
. For example:
...
spec:
profile: all
targetNamespace: openshift-pipelines
addon:
params:
- name: clusterTasks
value: "true"
- name: pipelineTemplates
value: "true"
- name: communityClusterTasks
value: "false"
...
With this update, you can disable the integration of Tekton Hub with the Developer perspective by setting the enable-devconsole-integration
flag in the TektonConfig
custom resource to false
. For example:
...
hub:
params:
- name: enable-devconsole-integration
value: "true"
...
With this update, the operator-config.yaml
config map enables the output of the tkn version
command to display of the Operator version.
With this update, the version of the argocd-task-sync-and-wait
tasks is modified to v0.2
.
With this update to the TektonConfig
CRD, the oc get tektonconfig
command displays the OPerator version.
With this update, service monitor is added to the Triggers metrics.
Deploying Tekton Hub on a cluster is a Technology Preview feature. |
Tekton Hub helps you discover, search, and share reusable tasks and pipelines for your CI/CD workflows. A public instance of Tekton Hub is available at hub.tekton.dev.
Staring with Red Hat OpenShift Pipelines 1.7, cluster administrators can also install and deploy a custom instance of Tekton Hub on enterprise clusters. You can curate a catalog with reusable tasks and pipelines specific to your organization.
Tekton Chains is a Technology Preview feature. |
Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller. You can use it to manage the supply chain security of the tasks and pipelines created using Red Hat OpenShift Pipelines.
By default, Tekton Chains monitors the task runs in your OpenShift Container Platform cluster. Chains takes snapshots of completed task runs, converts them to one or more standard payload formats, and signs and stores all artifacts.
Tekton Chains supports the following features:
You can sign task runs, task run results, and OCI registry images with cryptographic key types and services such as cosign
.
You can use attestation formats such as in-toto
.
You can securely store signatures and signed artifacts using OCI repository as a storage backend.
Pipelines as Code is a Technology Preview feature. |
With Pipelines as Code, cluster administrators and users with the required privileges can define pipeline templates as part of source code Git repositories. When triggered by a source code push or a pull request for the configured Git repository, the feature runs the pipeline and reports status.
Pipelines as Code supports the following features:
Pull request status. When iterating over a pull request, the status and control of the pull request is exercised on the platform hosting the Git repository.
GitHub checks the API to set the status of a pipeline run, including rechecks.
GitHub pull request and commit events.
Pull request actions in comments, such as /retest
.
Git events filtering, and a separate pipeline for each event.
Automatic task resolution in Pipelines for local tasks, Tekton Hub, and remote URLs.
Use of GitHub blobs and objects API for retrieving configurations.
Access Control List (ACL) over a GitHub organization, or using a Prow-style OWNER
file.
The tkn-pac
plugin for the tkn
CLI tool, which you can use to manage Pipelines as Code repositories and bootstrapping.
Support for GitHub Application, GitHub Webhook, Bitbucket Server, and Bitbucket Cloud.
Breaking change: This update removes the disable-working-directory-overwrite
and disable-home-env-overwrite
fields from the TektonConfig
custom resource (CR). As a result, the TektonConfig
CR no longer automatically sets the $HOME
environment variable and workingDir
parameter. You can still set the $HOME
environment variable and workingDir
parameter by using the env
and workingDir
fields in the Task
custom resource definition (CRD).
The Conditions
custom resource definition (CRD) type is deprecated and planned to be removed in a future release. Instead, use the recommended When
expression.
Breaking change: The Triggers
resource validates the templates and generates an error if you do not specify the EventListener
and TriggerBinding
values.
When you run Maven and Jib-Maven cluster tasks, the default container image is supported only on Intel (x86) architecture. Therefore, tasks will fail on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters. As a workaround, you can specify a custom image by setting the MAVEN_IMAGE
parameter value to maven:3.6.3-adoptopenjdk-11
.
Before you install tasks based on the Tekton Catalog on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) using |
On IBM Power Systems, IBM Z, and LinuxONE, the s2i-dotnet
cluster task is unsupported.
You cannot use the nodejs:14-ubi8-minimal
image stream because doing so generates the following errors:
STEP 7: RUN /usr/libexec/s2i/assemble
/bin/sh: /usr/libexec/s2i/assemble: No such file or directory
subprocess exited with status 127
subprocess exited with status 127
error building at STEP "RUN /usr/libexec/s2i/assemble": exit status 127
time="2021-11-04T13:05:26Z" level=error msg="exit status 127"
Implicit parameter mapping incorrectly passes parameters from the top-level Pipeline
or PipelineRun
definitions to the taskRef
tasks. Mapping should only occur from a top-level resource to tasks with in-line taskSpec
specifications. This issue only affects users who have set the enable-api-fields
feature flag to alpha
.
With this update, if metadata such as labels
and annotations
are present in both Pipeline
and PipelineRun
object definitions, the values in the PipelineRun
type takes precedence. You can observe similar behavior for Task
and TaskRun
objects.
With this update, if the timeouts.tasks
field or the timeouts.finally
field is set to 0
, then the timeouts.pipeline
is also set to 0
.
With this update, the -x
set flag is removed from scripts that do not use a shebang. The fix reduces potential data leak from script execution.
With this update, any backslash character present in the usernames in Git credentials is escaped with an additional backslash in the .gitconfig
file.
With this update, the finalizer
property of the EventListener
object is not necessary for cleaning up logging and config maps.
With this update, the default HTTP client associated with the event listener server is removed, and a custom HTTP client added. As a result, the timeouts have improved.
With this update, the Triggers cluster role now works with owner references.
With this update, the race condition in the event listener does not happen when multiple interceptors return extensions.
With this update, the tkn pr delete
command does not delete the pipeline runs with the ignore-running
flag.
With this update, the Operator pods do not continue restarting when you modify any add-on parameters.
With this update, the tkn serve
CLI pod is scheduled on infra nodes, if not configured in the subscription and config custom resources.
With this update, cluster tasks with specified versions are not deleted during upgrade.
With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.1 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.
Before this update, upgrading the Red Hat OpenShift Pipelines Operator deleted the data in the database associated with Tekton Hub and installed a new database. With this update, an Operator upgrade preserves the data.
Before this update, only cluster administrators could access pipeline metrics in the OpenShift Container Platform console. With this update, users with other cluster roles also can access the pipeline metrics.
Before this update, pipeline runs failed for pipelines containing tasks that emit large termination messages. The pipeline runs failed because the total size of termination messages of all containers in a pod cannot exceed 12 KB. With this update, the place-tools
and step-init
initialization containers that uses the same image are merged to reduce the number of containers running in each tasks’s pod. The solution reduces the chance of failed pipeline runs by minimizing the number of containers running in a task’s pod. However, it does not remove the limitation of the maximum allowed size of a termination message.
Before this update, attempts to access resource URLs directly from the Tekton Hub web console resulted in an Nginx 404
error. With this update, the Tekton Hub web console image is fixed to allow accessing resource URLs directly from the Tekton Hub web console.
Before this update, for each namespace the resource pruner job created a separate container to prune resources. With this update, the resource pruner job runs commands for all namespaces as a loop in one container.
With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.2 is available on OpenShift Container Platform 4.9, 4.10, and the upcoming version.
The chains-config
config map for Tekton Chains in the openshift-pipelines
namespace is automatically reset to default after upgrading the Red Hat OpenShift Pipelines Operator. Currently, there is no workaround for this issue.
Before this update, tasks on Pipelines 1.7.1 failed on using init
as the first argument, followed by two or more arguments. With this update, the flags are parsed correctly and the task runs are successful.
Before this update, installation of the Red Hat OpenShift Pipelines Operator on OpenShift Container Platform 4.9 and 4.10 failed due to invalid role binding, with the following error message:
error updating rolebinding openshift-operators-prometheus-k8s-read-binding: RoleBinding.rbac.authorization.k8s.io "openshift-operators-prometheus-k8s-read-binding" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"openshift-operator-read"}: cannot change roleRef
With this update, the Red Hat OpenShift Pipelines Operator installs with distinct role binding namespaces to avoid conflict with installation of other Operators.
Before this update, upgrading the Operator triggered a reset of the signing-secrets
secret key for Tekton Chains to its default value. With this update, the custom secret key persists after you upgrade the Operator.
Upgrading to Red Hat OpenShift Pipelines 1.7.2 resets the key. However, when you upgrade to future releases, the key is expected to persist. |
Before this update, all S2I build tasks failed with an error similar to the following message:
Error: error writing "0 0 4294967295\n" to /proc/22/uid_map: write /proc/22/uid_map: operation not permitted
time="2022-03-04T09:47:57Z" level=error msg="error writing \"0 0 4294967295\\n\" to /proc/22/uid_map: write /proc/22/uid_map: operation not permitted"
time="2022-03-04T09:47:57Z" level=error msg="(unable to determine exit status)"
With this update, the pipelines-scc
security context constraint (SCC) is compatible with the SETFCAP
capability necessary for Buildah
and S2I
cluster tasks. As a result, the Buildah
and S2I
build tasks can run successfully.
To successfully run the Buildah
cluster task and S2I
build tasks for applications written in various languages and frameworks, add the following snippet for appropriate steps
objects such as build
and push
:
securityContext:
capabilities:
add: ["SETFCAP"]
With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.7.3 is available on OpenShift Container Platform 4.9, 4.10, and 4.11.
Before this update, the Operator failed when creating RBAC resources if any namespace was in a Terminating
state. With this update, the Operator ignores namespaces in a Terminating
state and creates the RBAC resources.
Previously, upgrading the Red Hat OpenShift Pipelines Operator caused the pipeline
service account to be recreated, which meant that the secrets linked to the service account were lost. This update fixes the issue. During upgrades, the Operator no longer recreates the pipeline
service account. As a result, secrets attached to the pipeline
service account persist after upgrades, and the resources (tasks and pipelines) continue to work correctly.
With this update, Red Hat OpenShift Pipelines General Availability (GA) 1.6 is available on OpenShift Container Platform 4.9.
In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.6.
With this update, you can configure a pipeline or task start
command to return a YAML or JSON-formatted string by using the --output <string>
, where <string>
is yaml
or json
. Otherwise, without the --output
option, the start
command returns a human-friendly message that is hard for other programs to parse. Returning a YAML or JSON-formatted string is useful for continuous integration (CI) environments. For example, after a resource is created, you can use yq
or jq
to parse the YAML or JSON-formatted message about the resource and wait until that resource is terminated without using the showlog
option.
With this update, you can authenticate to a registry using the auth.json
authentication file of Podman. For example, you can use tkn bundle push
to push to a remote registry using Podman instead of Docker CLI.
With this update, if you use the tkn [taskrun | pipelinerun] delete --all
command, you can preserve runs that are younger than a specified number of minutes by using the new --keep-since <minutes>
option. For example, to keep runs that are less than five minutes old, you enter tkn [taskrun | pipelinerun] delete -all --keep-since 5
.
With this update, when you delete task runs or pipeline runs, you can use the --parent-resource
and --keep-since
options together. For example, the tkn pipelinerun delete --pipeline pipelinename --keep-since 5
command preserves pipeline runs whose parent resource is named pipelinename
and whose age is five minutes or less. The tkn tr delete -t <taskname> --keep-since 5
and tkn tr delete --clustertask <taskname> --keep-since 5
commands work similarly for task runs.
This update adds support for the triggers resources to work with v1beta1
resources.
This update adds an ignore-running
option to the tkn pipelinerun delete
and tkn taskrun delete
commands.
This update adds a create
subcommand to the tkn task
and tkn clustertask
commands.
With this update, when you use the tkn pipelinerun delete --all
command, you can use the new --label <string>
option to filter the pipeline runs by label. Optionally, you can use the --label
option with =
and ==
as equality operators, or !=
as an inequality operator. For example, the tkn pipelinerun delete --all --label asdf
and tkn pipelinerun delete --all --label==asdf
commands both delete all the pipeline runs that have the asdf
label.
With this update, you can fetch the version of installed Tekton components from the config map or, if the config map is not present, from the deployment controller.
With this update, triggers support the feature-flags
and config-defaults
config map to configure feature flags and to set default values respectively.
This update adds a new metric, eventlistener_event_count
, that you can use to count events received by the EventListener
resource.
This update adds v1beta1
Go API types. With this update, triggers now support the v1beta1
API version.
With the current release, the v1alpha1
features are now deprecated and will be removed in a future release. Begin using the v1beta1
features instead.
In the current release, auto-prunning of resources is enabled by default. In addition, you can configure auto-prunning of task run and pipeline run for each namespace separately, by using the following new annotations:
operator.tekton.dev/prune.schedule
: If the value of this annotation is different from the value specified at the TektonConfig
custom resource definition, a new cron job in that namespace is created.
operator.tekton.dev/prune.skip
: When set to true
, the namespace for which it is configured will not be prunned.
operator.tekton.dev/prune.resources
: This annotation accepts a comma-separated list of resources. To prune a single resource such as a pipeline run, set this annotation to "pipelinerun"
. To prune multiple resources, such as task run and pipeline run, set this annotation to "taskrun, pipelinerun"
.
operator.tekton.dev/prune.keep
: Use this annotation to retain a resource without prunning.
operator.tekton.dev/prune.keep-since
: Use this annotation to retain resources based on their age. The value for this annotation must be equal to the age of the resource in minutes. For example, to retain resources which were created not more than five days ago, set keep-since
to 7200
.
The |
operator.tekton.dev/prune.strategy
: Set the value of this annotation to either keep
or keep-since
.
Administrators can disable the creation of the pipeline
service account for the entire cluster, and prevent privilege escalation by misusing the associated SCC, which is very similar to anyuid
.
You can now configure feature flags and components by using the TektonConfig
custom resource (CR) and the CRs for individual components, such as TektonPipeline
and TektonTriggers
. This level of granularity helps customize and test alpha features such as the Tekton OCI bundle for individual components.
You can now configure optional Timeouts
field for the PipelineRun
resource. For example, you can configure timeouts separately for a pipeline run, each task run, and the finally
tasks.
The pods generated by the TaskRun
resource now sets the activeDeadlineSeconds
field of the pods. This enables OpenShift to consider them as terminating, and allows you to use specifically scoped ResourceQuota
object for the pods.
You can use configmaps to eliminate metrics tags or labels type on a task run, pipeline run, task, and pipeline. In addition, you can configure different types of metrics for measuring duration, such as a histogram, gauge, or last value.
You can define requests and limits on a pod coherently, as Tekton now fully supports the LimitRange
object by considering the Min
, Max
, Default
, and DefaultRequest
fields.
The following alpha features are introduced:
A pipeline run can now stop after running the finally
tasks, rather than the previous behavior of stopping the execution of all task run directly. This update adds the following spec.status
values:
StoppedRunFinally
will stop the currently running tasks after they are completed, and then run the finally
tasks.
CancelledRunFinally
will immediately cancel the running tasks, and then run the finally
tasks.
Cancelled
will retain the previous behavior provided by the PipelineRunCancelled
status.
The |
You can now use the oc debug
command to put a task run into debug mode, which pauses the execution and allows you to inspect specific steps in a pod.
When you set the onError
field of a step to continue
, the exit code for the step is recorded and passed on to subsequent steps. However, the task run does not fail and the execution of the rest of the steps in the task continues. To retain the existing behavior, you can set the value of the onError
field to stopAndFail
.
Tasks can now accept more parameters than are actually used. When the alpha feature flag is enabled, the parameters can implicitly propagate to inlined specs. For example, an inlined task can access parameters of its parent pipeline run, without explicitly defining each parameter for the task.
If you enable the flag for the alpha features, the conditions under When
expressions will only apply to the task with which it is directly associated, and not the dependents of the task. To apply the When
expressions to the associated task and its dependents, you must associate the expression with each dependent task separately. Note that, going forward, this will be the default behavior of the When
expressions in any new API versions of Tekton. The existing default behavior will be deprecated in favor of this update.
The current release enables you to configure node selection by specifying the nodeSelector
and tolerations
values in the TektonConfig
custom resource (CR). The Operator adds these values to all the deployments that it creates.
To configure node selection for the Operator’s controller and webhook deployment, you edit the config.nodeSelector
and config.tolerations
fields in the specification for the Subscription
CR, after installing the Operator.
To deploy the rest of the control plane pods of OpenShift Pipelines on an infrastructure node, update the TektonConfig
CR with the nodeSelector
and tolerations
fields. The modifications are then applied to all the pods created by Operator.
In CLI 0.21.0, support for all v1alpha1
resources for clustertask
, task
, taskrun
, pipeline
, and pipelinerun
commands are deprecated. These resources are now deprecated and will be removed in a future release.
In Tekton Triggers v0.16.0, the redundant status
label is removed from the metrics for the EventListener
resource.
Breaking change: The |
With the current release, the v1alpha1
features are now deprecated and will be removed in a future release. With this update, you can begin using the v1beta1
Go API types instead. Triggers now supports the v1beta1
API version.
With the current release, the EventListener
resource sends a response before the triggers finish processing.
Breaking change: With this change, the |
The current release removes the podTemplate
field from the EventListener
resource.
Breaking change: The |
The current release removes the deprecated replicas
field from the specification for the EventListener
resource.
Breaking change: The deprecated |
In Red Hat OpenShift Pipelines 1.6, the values of HOME="/tekton/home"
and workingDir="/workspace"
are removed from the specification of the Step
objects.
Instead, Red Hat OpenShift Pipelines sets HOME
and workingDir
to the values defined by the containers running the Step
objects. You can override these values in the specification of your Step
objects.
To use the older behavior, you can change the disable-working-directory-overwrite
and disable-home-env-overwrite
fields in the TektonConfig
CR to false
:
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
name: config
spec:
pipeline:
disable-working-directory-overwrite: false
disable-home-env-overwrite: false
...
The |
When you run Maven and Jib-Maven cluster tasks, the default container image is supported only on Intel (x86) architecture. Therefore, tasks will fail on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters. As a workaround, you can specify a custom image by setting the MAVEN_IMAGE
parameter value to maven:3.6.3-adoptopenjdk-11
.
On IBM Power Systems, IBM Z, and LinuxONE, the s2i-dotnet
cluster task is unsupported.
Before you install tasks based on the Tekton Catalog on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) using tkn hub
, verify if the task can be executed on these platforms. To check if ppc64le
and s390x
are listed in the "Platforms" section of the task information, you can run the following command: tkn hub info task <name>
You cannot use the nodejs:14-ubi8-minimal
image stream because doing so generates the following errors:
STEP 7: RUN /usr/libexec/s2i/assemble
/bin/sh: /usr/libexec/s2i/assemble: No such file or directory
subprocess exited with status 127
subprocess exited with status 127
error building at STEP "RUN /usr/libexec/s2i/assemble": exit status 127
time="2021-11-04T13:05:26Z" level=error msg="exit status 127"
The tkn hub
command is now supported on IBM Power Systems, IBM Z, and LinuxONE.
Before this update, the terminal was not available after the user ran a tkn
command, and the pipeline run was done, even if retries
were specified. Specifying a timeout in the task run or pipeline run had no effect. This update fixes the issue so that the terminal is available after running the command.
Before this update, running tkn pipelinerun delete --all
would delete all resources. This update prevents the resources in the running state from getting deleted.
Before this update, using the tkn version --component=<component>
command did not return the component version. This update fixes the issue so that this command returns the component version.
Before this update, when you used the tkn pr logs
command, it displayed the pipelines output logs in the wrong task order. This update resolves the issue so that logs of completed PipelineRuns
are listed in the appropriate TaskRun
execution order.
Before this update, editing the specification of a running pipeline might prevent the pipeline run from stopping when it was complete. This update fixes the issue by fetching the definition only once and then using the specification stored in the status for verification. This change reduces the probability of a race condition when a PipelineRun
or a TaskRun
refers to a Pipeline
or Task
that changes while it is running.
When
expression values can now have array parameter references, such as: values: [$(params.arrayParam[*])]
.
After upgrading to Red Hat OpenShift Pipelines 1.6.1 from an older version, Pipelines might enter an inconsistent state where you are unable to perform any operations (create/delete/apply) on Tekton resources (tasks and pipelines). For example, while deleting a resource, you might encounter the following error:
Error from server (InternalError): Internal error occurred: failed calling webhook "validation.webhook.pipeline.tekton.dev": Post "https://tekton-pipelines-webhook.openshift-pipelines.svc:443/resource-validation?timeout=10s": service "tekton-pipelines-webhook" not found.
The SSL_CERT_DIR
environment variable (/tekton-custom-certs
) set by Red Hat OpenShift Pipelines will not override the following default system directories with certificate files:
/etc/pki/tls/certs
/etc/ssl/certs
/system/etc/security/cacerts
The Horizontal Pod Autoscaler can manage the replica count of deployments controlled by the Red Hat OpenShift Pipelines Operator. From this release onward, if the count is changed by an end user or an on-cluster agent, the Red Hat OpenShift Pipelines Operator will not reset the replica count of deployments managed by it. However, the replicas will be reset when you upgrade the Red Hat OpenShift Pipelines Operator.
The pod serving the tkn
CLI will now be scheduled on nodes, based on the node selector and toleration limits specified in the TektonConfig
custom resource.
When you create a new project, the creation of the pipeline
service account is delayed, and removal of existing cluster tasks and pipeline templates takes more than 10 minutes.
Before this update, multiple instances of Tekton installer sets were created for a pipeline after upgrading to Red Hat OpenShift Pipelines 1.6.1 from an older version. With this update, the Operator ensures that only one instance of each type of TektonInstallerSet
exists after an upgrade.
Before this update, all the reconcilers in the Operator used the component version to decide resource recreation during an upgrade to Red Hat OpenShift Pipelines 1.6.1 from an older version. As a result, those resources were not recreated whose component versions did not change in the upgrade. With this update, the Operator uses the Operator version instead of the component version to decide resource recreation during an upgrade.
Before this update, the pipelines webhook service was missing in the cluster after an upgrade. This was due to an upgrade deadlock on the config maps. With this update, a mechanism is added to disable webhook validation if the config maps are absent in the cluster. As a result, the pipelines webhook service persists in the cluster after an upgrade.
Before this update, cron jobs for auto-pruning got recreated after any configuration change to the namespace. With this update, cron jobs for auto-pruning get recreated only if there is a relevant annotation change in the namespace.
The upstream version of Tekton Pipelines is revised to v0.28.3
, which has the following fixes:
Fix PipelineRun
or TaskRun
objects to allow label or annotation propagation.
For implicit params:
Do not apply the PipelineSpec
parameters to the TaskRefs
object.
Disable implicit param behavior for the Pipeline
objects.
Before this update, the Red Hat OpenShift Pipelines Operator installed pod security policies from components such as Pipelines and Triggers. However, the pod security policies shipped as part of the components were deprecated in an earlier release. With this update, the Operator stops installing pod security policies from components. As a result, the following upgrade paths are affected:
Upgrading from Pipelines 1.6.1 or 1.6.2 to Pipelines 1.6.3 deletes the pod security policies, including those from the Pipelines and Triggers components.
Upgrading from Pipelines 1.5.x to 1.6.3 retains the pod security policies installed from components. As a cluster administrator, you can delete them manually.
When you upgrade to future releases, the Red Hat OpenShift Pipelines Operator will automatically delete all obsolete pod security policies. |
Before this update, only cluster administrators could access pipeline metrics in the OpenShift Container Platform console. With this update, users with other cluster roles also can access the pipeline metrics.
Before this update, role-based access control (RBAC) issues with the Pipelines Operator caused problems upgrading or installing components. This update improves the reliability and consistency of installing various Red Hat OpenShift Pipelines components.
Before this update, setting the clusterTasks
and pipelineTemplates
fields to false
in the TektonConfig
CR slowed the removal of cluster tasks and pipeline templates. This update improves the speed of lifecycle management of Tekton resources such as cluster tasks and pipeline templates.
After upgrading from Red Hat OpenShift Pipelines 1.5.2 to 1.6.4, accessing the event listener routes returns a 503
error.
Workaround: Modify the target port in the YAML file for the event listener’s route.
Extract the route name for the relevant namespace.
$ oc get route -n <namespace>
Edit the route to modify the value of the targetPort
field.
$ oc edit route -n <namespace> <el-route_name>
...
spec:
host: el-event-listener-q8c3w5-test-upgrade1.apps.ve49aws.aws.ospqa.com
port:
targetPort: 8000
to:
kind: Service
name: el-event-listener-q8c3w5
weight: 100
wildcardPolicy: None
...
...
spec:
host: el-event-listener-q8c3w5-test-upgrade1.apps.ve49aws.aws.ospqa.com
port:
targetPort: http-listener
to:
kind: Service
name: el-event-listener-q8c3w5
weight: 100
wildcardPolicy: None
...
Before this update, the Operator failed when creating RBAC resources if any namespace was in a Terminating
state. With this update, the Operator ignores namespaces in a Terminating
state and creates the RBAC resources.
Before this update, the task runs failed or restarted due to absence of annotation specifying the release version of the associated Tekton controller. With this update, the inclusion of the appropriate annotations are automated, and the tasks run without failure or restarts.
Red Hat OpenShift Pipelines General Availability (GA) 1.5 is now available on OpenShift Container Platform 4.9.
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
TP |
Technology Preview |
GA |
General Availability |
Note the following scope of support on the Red Hat Customer Portal for these features:
Feature | Version | Support Status |
---|---|---|
Pipelines |
0.24 |
GA |
CLI |
0.19 |
GA |
Catalog |
0.24 |
GA |
Triggers |
0.14 |
TP |
Pipeline resources |
- |
TP |
For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.
In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.5.
Pipeline run and task runs will be automatically pruned by a cron job in the target namespace. The cron job uses the IMAGE_JOB_PRUNER_TKN
environment variable to get the value of tkn image
. With this enhancement, the following fields are introduced to the TektonConfig
custom resource:
...
pruner:
resources:
- pipelinerun
- taskrun
schedule: "*/5 * * * *" # cron schedule
keep: 2 # delete all keeping n
...
In OpenShift Container Platform, you can customize the installation of the Tekton Add-ons component by modifying the values of the new parameters clusterTasks
and pipelinesTemplates
in the TektonConfig
custom resource:
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
name: config
spec:
profile: all
targetNamespace: openshift-pipelines
addon:
params:
- name: clusterTasks
value: "true"
- name: pipelineTemplates
value: "true"
...
The customization is allowed if you create the add-on using TektonConfig
, or directly by using Tekton Add-ons. However, if the parameters are not passed, the controller adds parameters with default values.
|
The enableMetrics
parameter is added to the TektonConfig
custom resource. You can use it to disable the service monitor, which is part of Tekton Pipelines for OpenShift Container Platform.
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
name: config
spec:
profile: all
targetNamespace: openshift-pipelines
pipeline:
params:
- name: enableMetrics
value: "true"
...
Eventlistener OpenCensus metrics, which captures metrics at process level, is added.
Triggers now has label selector; you can configure triggers for an event listener using labels.
The ClusterInterceptor
custom resource definition for registering interceptors is added, which allows you to register new Interceptor
types that you can plug in. In addition, the following relevant changes are made:
In the trigger specifications, you can configure interceptors using a new API that includes a ref
field to refer to a cluster interceptor. In addition, you can use the params
field to add parameters that pass on to the interceptors for processing.
The bundled interceptors CEL, GitHub, GitLab, and BitBucket, have been migrated. They are implemented using the new ClusterInterceptor
custom resource definition.
Core interceptors are migrated to the new format, and any new triggers created using the old syntax automatically switch to the new ref
or params
based syntax.
To disable prefixing the name of the task or step while displaying logs, use the --prefix
option for log
commands.
To display the version of a specific component, use the new --component
flag in the tkn version
command.
The tkn hub check-upgrade
command is added, and other commands are revised to be based on the pipeline version. In addition, catalog names are displayed in the search
command output.
Support for optional workspaces are added to the start
command.
If the plugins are not present in the plugins
directory, they are searched in the current path.
The tkn start [task | clustertask | pipeline]
command starts interactively and ask for the params
value, even when you specify the default parameters are specified. To stop the interactive prompts, pass the --use-param-defaults
flag at the time of invoking the command. For example:
$ tkn pipeline start build-and-deploy \
-w name=shared-workspace,volumeClaimTemplateFile=https://raw.githubusercontent.com/openshift/pipelines-tutorial/pipelines-1.7/01_pipeline/03_persistent_volume_claim.yaml \
-p deployment-name=pipelines-vote-api \
-p git-url=https://github.com/openshift/pipelines-vote-api.git \
-p IMAGE=image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/pipelines-vote-api \
--use-param-defaults
The version
field is added in the tkn task describe
command.
The option to automatically select resources such as TriggerTemplate
, or TriggerBinding
, or ClusterTriggerBinding
, or Eventlistener
, is added in the describe
command, if only one is present.
In the tkn pr describe
command, a section for skipped tasks is added.
Support for the tkn clustertask logs
is added.
The YAML merge and variable from config.yaml
is removed. In addition, the release.yaml
file can now be more easily consumed by tools such as kustomize
and ytt
.
The support for resource names to contain the dot character (".") is added.
The hostAliases
array in the PodTemplate
specification is added to the pod-level override of hostname resolution. It is achieved by modifying the /etc/hosts
file.
A variable $(tasks.status)
is introduced to access the aggregate execution status of tasks.
An entry-point binary build for Windows is added.
In the when
expressions, support for fields written is PascalCase is removed. The when
expressions only support fields written in lowercase.
If you had applied a pipeline with |
When you upgrade the Red Hat OpenShift Pipelines Operator to v1.5
, the openshift-client
and the openshift-client-v-1-5-0
cluster tasks have the SCRIPT
parameter. However, the ARGS
parameter and the git
resource are removed from the specification of the openshift-client
cluster task. This is a breaking change, and only those cluster tasks that do not have a specific version in the name
field of the ClusterTask
resource upgrade seamlessly.
To prevent the pipeline runs from breaking, use the SCRIPT
parameter after the upgrade because it moves the values previously specified in the ARGS
parameter into the SCRIPT
parameter of the cluster task. For example:
...
- name: deploy
params:
- name: SCRIPT
value: oc rollout status <deployment-name>
runAfter:
- build
taskRef:
kind: ClusterTask
name: openshift-client
...
When you upgrade from Red Hat OpenShift Pipelines Operator v1.4
to v1.5
, the profile names in which the TektonConfig
custom resource is installed now change.
Profiles in Pipelines 1.5 | Corresponding profile in Pipelines 1.4 | Installed Tekton components |
---|---|---|
All (default profile) |
All (default profile) |
Pipelines, Triggers, Add-ons |
Basic |
Default |
Pipelines, Triggers |
Lite |
Basic |
Pipelines |
If you used However, if the installed Operator is either in the Default or the Basic profile before the upgrade, you must edit the |
The disable-home-env-overwrite
and disable-working-dir-overwrite
fields are now deprecated and will be removed in a future release. For this release, the default value of these flags is set to true
for backward compatibility.
In the next release (Red Hat OpenShift Pipelines 1.6), the |
The ServiceType
and podTemplate
fields are removed from the EventListener
spec.
The controller service account no longer requests cluster-wide permission to list and watch namespaces.
The status of the EventListener
resource has a new condition called Ready
.
In the future, the other status conditions for the |
The eventListener
and namespace
fields in the EventListener
response are deprecated. Use the eventListenerUID
field instead.
The replicas
field is deprecated from the EventListener
spec. Instead, the spec.replicas
field is moved to spec.resources.kubernetesResource.replicas
in the KubernetesResource
spec.
The |
The old method of configuring the core interceptors is deprecated. However, it continues to work until it is removed in a future release. Instead, interceptors in a Trigger
resource are now configured using a new ref
and params
based syntax. The resulting default webhook automatically switch the usages of the old syntax to the new syntax for new triggers.
Use rbac.authorization.k8s.io/v1
instead of the deprecated rbac.authorization.k8s.io/v1beta1
for the ClusterRoleBinding
resource.
In cluster roles, the cluster-wide write access to resources such as serviceaccounts
, secrets
, configmaps
, and limitranges
are removed. In addition, cluster-wide access to resources such as deployments
, statefulsets
, and deployment/finalizers
are removed.
The image
custom resource definition in the caching.internal.knative.dev
group is not used by Tekton anymore, and is excluded in this release.
The git-cli cluster task is built off the alpine/git base image, which expects /root
as the user’s home directory. However, this is not explicitly set in the git-cli
cluster task.
In Tekton, the default home directory is overwritten with /tekton/home
for every step of a task, unless otherwise specified. This overwriting of the $HOME
environment variable of the base image causes the git-cli
cluster task to fail.
This issue is expected to be fixed in the upcoming releases. For Red Hat OpenShift Pipelines 1.5 and earlier versions, you can use any one of the following workarounds to avoid the failure of the git-cli
cluster task:
Set the $HOME
environment variable in the steps, so that it is not overwritten.
[OPTIONAL] If you installed Red Hat OpenShift Pipelines using the Operator, then clone the git-cli
cluster task into a separate task. This approach ensures that the Operator does not overwrite the changes made to the cluster task.
Execute the oc edit clustertasks git-cli
command.
Add the expected HOME
environment variable to the YAML of the step:
...
steps:
- name: git
env:
- name: HOME
value: /root
image: $(params.BASE_IMAGE)
workingDir: $(workspaces.source.path)
...
For Red Hat OpenShift Pipelines installed by the Operator, if you do not clone the |
Disable overwriting the HOME
environment variable in the feature-flags
config map.
Execute the oc edit -n openshift-pipelines configmap feature-flags
command.
Set the value of the disable-home-env-overwrite
flag to true
.
|
Use a different service account for the git-cli
cluster task, as the overwriting of the HOME
environment variable happens when the default service account for pipelines is used.
Create a new service account.
Link your Git secret to the service account you just created.
Use the service account while executing a task or a pipeline.
On IBM Power Systems, IBM Z, and LinuxONE, the s2i-dotnet
cluster task and the tkn hub
command are unsupported.
When you run Maven and Jib-Maven cluster tasks, the default container image is supported only on Intel (x86) architecture. Therefore, tasks will fail on IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters. As a workaround, you can specify a custom image by setting the MAVEN_IMAGE
parameter value to maven:3.6.3-adoptopenjdk-11
.
The when
expressions in dag
tasks are not allowed to specify the context variable accessing the execution status ($(tasks.<pipelineTask>.status)
) of any other task.
Use Owner UIDs instead of Owner names, as it helps avoid race conditions created by deleting a volumeClaimTemplate
PVC, in situations where a PipelineRun
resource is quickly deleted and then recreated.
A new Dockerfile is added for pullrequest-init
for build-base
image triggered by non-root users.
When a pipeline or task is executed with the -f
option and the param
in its definition does not have a type
defined, a validation error is generated instead of the pipeline or task run failing silently.
For the tkn start [task | pipeline | clustertask]
commands, the description of the --workspace
flag is now consistent.
While parsing the parameters, if an empty array is encountered, the corresponding interactive help is displayed as an empty string now.
Red Hat OpenShift Pipelines General Availability (GA) 1.4 is now available on OpenShift Container Platform 4.7.
In addition to the stable and preview Operator channels, the Red Hat OpenShift Pipelines Operator 1.4.0 comes with the ocp-4.6, ocp-4.5, and ocp-4.4 deprecated channels. These deprecated channels and support for them will be removed in the following release of Red Hat OpenShift Pipelines. |
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
TP |
Technology Preview |
GA |
General Availability |
Note the following scope of support on the Red Hat Customer Portal for these features:
Feature | Version | Support Status |
---|---|---|
Pipelines |
0.22 |
GA |
CLI |
0.17 |
GA |
Catalog |
0.22 |
GA |
Triggers |
0.12 |
TP |
Pipeline resources |
- |
TP |
For questions and feedback, you can send an email to the product team at pipelines-interest@redhat.com.
In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.4.
The custom tasks have the following enhancements:
Pipeline results can now refer to results produced by custom tasks.
Custom tasks can now use workspaces, service accounts, and pod templates to build more complex custom tasks.
The finally
task has the following enhancements:
The when
expressions are supported in finally
tasks, which provides efficient guarded execution and improved reusability of tasks.
A finally
task can be configured to consume the results of any task within the same pipeline.
Support for |
Support for multiple secrets of the type dockercfg
or dockerconfigjson
is added for authentication at runtime.
Functionality to support sparse-checkout with the git-clone
task is added. This enables you to clone only a subset of the repository as your local copy, and helps you to restrict the size of the cloned repositories.
You can create pipeline runs in a pending state without actually starting them. In clusters that are under heavy load, this allows Operators to have control over the start time of the pipeline runs.
Ensure that you set the SYSTEM_NAMESPACE
environment variable manually for the controller; this was previously set by default.
A non-root user is now added to the build-base image of pipelines so that git-init
can clone repositories as a non-root user.
Support to validate dependencies between resolved resources before a pipeline run starts is added. All result variables in the pipeline must be valid, and optional workspaces from a pipeline can only be passed to tasks expecting it for the pipeline to start running.
The controller and webhook runs as a non-root group, and their superfluous capabilities have been removed to make them more secure.
You can use the tkn pr logs
command to see the log streams for retried task runs.
You can use the --clustertask
option in the tkn tr delete
command to delete all the task runs associated with a particular cluster task.
Support for using Knative service with the EventListener
resource is added by introducing a new customResource
field.
An error message is displayed when an event payload does not use the JSON format.
The source control interceptors such as GitLab, BitBucket, and GitHub, now use the new InterceptorRequest
or InterceptorResponse
type interface.
A new CEL function marshalJSON
is implemented so that you can encode a JSON object or an array to a string.
An HTTP handler for serving the CEL and the source control core interceptors is added. It packages four core interceptors into a single HTTP server that is deployed in the tekton-pipelines
namespace. The EventListener
object forwards events over the HTTP server to the interceptor. Each interceptor is available at a different path. For example, the CEL interceptor is available on the /cel
path.
The pipelines-scc
Security Context Constraint (SCC) is used with the default pipeline
service account for pipelines. This new service account is similar to anyuid
, but with a minor difference as defined in the YAML for SCC of OpenShift Container Platform 4.7:
fsGroup:
type: MustRunAs
The build-gcs
sub-type in the pipeline resource storage, and the gcs-fetcher
image, are not supported.
In the taskRun
field of cluster tasks, the label tekton.dev/task
is removed.
For webhooks, the value v1beta1
corresponding to the field admissionReviewVersions
is removed.
The creds-init
helper image for building and deploying is removed.
In the triggers spec and binding, the deprecated field template.name
is removed in favor of template.ref
. You should update all eventListener
definitions to use the ref
field.
Upgrade from Pipelines 1.3.x and earlier versions to Pipelines 1.4.0 breaks event listeners because of the unavailability of the |
For EventListener
custom resources/objects, the fields PodTemplate
and ServiceType
are deprecated in favor of Resource
.
The deprecated spec style embedded bindings is removed.
The spec
field is removed from the triggerSpecBinding
.
The event ID representation is changed from a five-character random string to a UUID.
In the Developer perspective, the pipeline metrics and triggers features are available only on OpenShift Container Platform 4.7.6 or later versions.
On IBM Power Systems, IBM Z, and LinuxONE, the tkn hub
command is not supported.
When you run Maven and Jib Maven cluster tasks on an IBM Power Systems (ppc64le), IBM Z, and LinuxONE (s390x) clusters, set the MAVEN_IMAGE
parameter value to maven:3.6.3-adoptopenjdk-11
.
Triggers throw error resulting from bad handling of the JSON format, if you have the following configuration in the trigger binding:
params:
- name: github_json
value: $(body)
To resolve the issue:
If you are using triggers v0.11.0 and above, use the marshalJSON
CEL function, which takes a JSON object or array and returns the JSON encoding of that object or array as a string.
If you are using older triggers version, add the following annotation in the trigger template:
annotations:
triggers.tekton.dev/old-escape-quotes: "true"
When upgrading from Pipelines 1.3.x to 1.4.x, you must recreate the routes.
Previously, the tekton.dev/task
label was removed from the task runs of cluster tasks, and the tekton.dev/clusterTask
label was introduced. The problems resulting from that change is resolved by fixing the clustertask describe
and delete
commands. In addition, the lastrun
function for tasks is modified, to fix the issue of the tekton.dev/task
label being applied to the task runs of both tasks and cluster tasks in older versions of pipelines.
When doing an interactive tkn pipeline start pipelinename
, a PipelineResource
is created interactively. The tkn p start
command prints the resource status if the resource status is not nil
.
Previously, the tekton.dev/task=name
label was removed from the task runs created from cluster tasks. This fix modifies the tkn clustertask start
command with the --last
flag to check for the tekton.dev/task=name
label in the created task runs.
When a task uses an inline task specification, the corresponding task run now gets embedded in the pipeline when you run the tkn pipeline describe
command, and the task name is returned as embedded.
The tkn version
command is fixed to display the version of the installed Tekton CLI tool, without a configured kubeConfiguration namespace
or access to a cluster.
If an argument is unexpected or more than one arguments are used, the tkn completion
command gives an error.
Previously, pipeline runs with the finally
tasks nested in a pipeline specification would lose those finally
tasks, when converted to the v1alpha1
version and restored back to the v1beta1
version. This error occurring during conversion is fixed to avoid potential data loss. Pipeline runs with the finally
tasks nested in a pipeline specification is now serialized and stored on the alpha version, only to be deserialized later.
Previously, there was an error in the pod generation when a service account had the secrets
field as {}
. The task runs failed with CouldntGetTask
because the GET request with an empty secret name returned an error, indicating that the resource name may not be empty. This issue is fixed by avoiding an empty secret name in the kubeclient
GET request.
Pipelines with the v1beta1
API versions can now be requested along with the v1alpha1
version, without losing the finally
tasks. Applying the returned v1alpha1
version will store the resource as v1beta1
, with the finally
section restored to its original state.
Previously, an unset selfLink
field in the controller caused an error in the Kubernetes v1.20 clusters. As a temporary fix, the CloudEvent
source field is set to a value that matches the current source URI, without the value of the auto-populated selfLink
field.
Previously, a secret name with dots such as gcr.io
led to a task run creation failure. This happened because of the secret name being used internally as part of a volume mount name. The volume mount name conforms to the RFC1123 DNS label and disallows dots as part of the name. This issue is fixed by replacing the dot with a dash that results in a readable name.
Context variables are now validated in the finally
tasks.
Previously, when the task run reconciler was passed a task run that did not have a previous status update containing the name of the pod it created, the task run reconciler listed the pods associated with the task run. The task run reconciler used the labels of the task run, which were propagated to the pod, to find the pod. Changing these labels while the task run was running, caused the code to not find the existing pod. As a result, duplicate pods were created. This issue is fixed by changing the task run reconciler to only use the tekton.dev/taskRun
Tekton-controlled label when finding the pod.
Previously, when a pipeline accepted an optional workspace and passed it to a pipeline task, the pipeline run reconciler stopped with an error if the workspace was not provided, even if a missing workspace binding is a valid state for an optional workspace. This issue is fixed by ensuring that the pipeline run reconciler does not fail to create a task run, even if an optional workspace is not provided.
The sorted order of step statuses matches the order of step containers.
Previously, the task run status was set to unknown
when a pod encountered the CreateContainerConfigError
reason, which meant that the task and the pipeline ran until the pod timed out. This issue is fixed by setting the task run status to false
, so that the task is set as failed when the pod encounters the CreateContainerConfigError
reason.
Previously, pipeline results were resolved on the first reconciliation, after a pipeline run was completed. This could fail the resolution resulting in the Succeeded
condition of the pipeline run being overwritten. As a result, the final status information was lost, potentially confusing any services watching the pipeline run conditions. This issue is fixed by moving the resolution of pipeline results to the end of a reconciliation, when the pipeline run is put into a Succeeded
or True
condition.
Execution status variable is now validated. This avoids validating task results while validating context variables to access execution status.
Previously, a pipeline result that contained an invalid variable would be added to the pipeline run with the literal expression of the variable intact. Therefore, it was difficult to assess whether the results were populated correctly. This issue is fixed by filtering out the pipeline run results that reference failed task runs. Now, a pipeline result that contains an invalid variable will not be emitted by the pipeline run at all.
The tkn eventlistener describe
command is fixed to avoid crashing without a template. It also displays the details about trigger references.
Upgrades from Pipelines 1.3.x and earlier versions to Pipelines 1.4.0 breaks event listeners because of the unavailability of template.name
. In Pipelines 1.4.1, the template.name
has been restored to avoid breaking event listeners in triggers.
In Pipelines 1.4.1, the ConsoleQuickStart
custom resource has been updated to align with OpenShift Container Platform 4.7 capabilities and behavior.
Red Hat OpenShift Pipelines Technology Preview (TP) 1.3 is now available on OpenShift Container Platform 4.7. Red Hat OpenShift Pipelines TP 1.3 is updated to support:
Tekton Pipelines 0.19.0
Tekton tkn
CLI 0.15.0
Tekton Triggers 0.10.2
cluster tasks based on Tekton Catalog 0.19.0
IBM Power Systems on OpenShift Container Platform 4.7
IBM Z and LinuxONE on OpenShift Container Platform 4.7
In addition to the fixes and stability improvements, the following sections highlight what is new in Red Hat OpenShift Pipelines 1.3.
Tasks that build images, such as S2I and Buildah tasks, now emit a URL of the image built that includes the image SHA.
Conditions in pipeline tasks that reference custom tasks are disallowed because the Condition
custom resource definition (CRD) has been deprecated.
Variable expansion is now added in the Task
CRD for the following fields:
spec.steps[].imagePullPolicy
and spec.sidecar[].imagePullPolicy
.
You can disable the built-in credential mechanism in Tekton by setting the disable-creds-init
feature-flag to true
.
Resolved when expressions are now listed in the Skipped Tasks
and the Task Runs
sections in the Status
field of the PipelineRun
configuration.
The git init
command can now clone recursive submodules.
A Task
CR author can now specify a timeout for a step in the Task
spec.
You can now base the entry point image on the distroless/static:nonroot
image and give it a mode to copy itself to the destination, without relying on the cp
command being present in the base image.
You can now use the configuration flag require-git-ssh-secret-known-hosts
to disallow omitting known hosts in the Git SSH secret. When the flag value is set to true
, you must include the known_host
field in the Git SSH secret. The default value for the flag is false
.
The concept of optional workspaces is now introduced. A task or pipeline might declare a workspace optional and conditionally change their behavior based on its presence. A task run or pipeline run might also omit that workspace, thereby modifying the task or pipeline behavior. The default task run workspaces are not added in place of an omitted optional workspace.
Credentials initialization in Tekton now detects an SSH credential that is used with a non-SSH URL, and vice versa in Git pipeline resources, and logs a warning in the step containers.
The task run controller emits a warning event if the affinity specified by the pod template is overwritten by the affinity assistant.
The task run reconciler now records metrics for cloud events that are emitted once a task run is completed. This includes retries.
Support for --no-headers flag
is now added to the following commands:
tkn condition list
,tkn triggerbinding list
,tkn eventlistener list
,tkn clustertask list
, tkn clustertriggerbinding list
.
When used together, the --last
or --use
options override the --prefix-name
and --timeout
options.
The tkn eventlistener logs
command is now added to view the EventListener
logs.
The tekton hub
commands are now integrated into the tkn
CLI.
The --nocolour
option is now changed to --no-color
.
The --all-namespaces
flag is added to the following commands:
tkn triggertemplate list
, tkn condition list
, tkn triggerbinding list
, tkn eventlistener list
.
You can now specify your resource information in the EventListener
template.
It is now mandatory for EventListener
service accounts to have the list
and watch
verbs, in addition to the get
verb for all the triggers resources. This enables you to use Listers
to fetch data from EventListener
, Trigger
, TriggerBinding
, TriggerTemplate
, and ClusterTriggerBinding
resources. You can use this feature to create a Sink
object rather than specifying multiple informers, and directly make calls to the API server.
A new Interceptor
interface is added to support immutable input event bodies. Interceptors can now add data or fields to a new extensions
field, and cannot modify the input bodies making them immutable. The CEL interceptor uses this new Interceptor
interface.
A namespaceSelector
field is added to the EventListener
resource. Use it to specify the namespaces from where the EventListener
resource can fetch the Trigger
object for processing events. To use the namespaceSelector
field, the service account for the EventListener
resource must have a cluster role.
The triggers EventListener
resource now supports end-to-end secure connection to the eventlistener
pod.
The escaping parameters behavior in the TriggerTemplates
resource by replacing "
with \"
is now removed.
A new resources
field, supporting Kubernetes resources, is introduced as part of the EventListener
spec.
A new functionality for the CEL interceptor, with support for upper and lower-casing of ASCII strings, is added.
You can embed TriggerBinding
resources by using the name
and value
fields in a trigger, or an event listener.
The PodSecurityPolicy
configuration is updated to run in restricted environments. It ensures that containers must run as non-root. In addition, the role-based access control for using the pod security policy is moved from cluster-scoped to namespace-scoped. This ensures that the triggers cannot use other pod security policies that are unrelated to a namespace.
Support for embedded trigger templates is now added. You can either use the name
field to refer to an embedded template or embed the template inside the spec
field.