Installation #
Operator Install #
Follow Operator Installation to install Pipelines As Code on OpenShift.
Manual Install #
Prerequisite #
Before installing Pipelines As Code, please verify that tektoncd/pipeline is installed. You can install the latest released version using the following command:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
If you are not installing the most recent version, ensure that you have Tekton Pipeline installed and running at a version that is higher than v0.44.0.
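A way to enforce this prerequisite before applying the manifests, as an added example that is not part of the Pipelines-as-Code documentation. It assumes Tekton runs in the tekton-pipelines namespace and that its controller Deployment carries the app.kubernetes.io/version label; version_higher, installed_tekton_version, TEKTON_NS and the check argument are names chosen for this example.

```shell
#!/bin/sh
# Added example: refuse to install Pipelines-as-Code unless Tekton Pipeline is
# higher than the minimum version stated on this page.
MIN_TEKTON="v0.44.0"

# Succeeds only if $1 is a vMAJOR.MINOR.PATCH release strictly higher than $2.
version_higher() {
    case "$1" in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;            # e.g. "devel" or empty: cannot be compared
    esac
    a=${1#v}; b=${2#v}
    [ "$a" != "$b" ] || return 1  # equal is not "higher"
    # Numeric sort per field, so 0.5.0 ranks below 0.44.0 (a string sort would not).
    top=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$top" = "$a" ]
}

# Assumption: namespace and label as described in the lead-in; override the
# namespace with TEKTON_NS if Tekton is installed elsewhere.
installed_tekton_version() {
    kubectl get deployment tekton-pipelines-controller \
        -n "${TEKTON_NS:-tekton-pipelines}" \
        -o jsonpath='{.metadata.labels.app\.kubernetes\.io/version}'
}

# Query the cluster only when asked to: sh tekton-gate.sh check
if [ "${1:-}" = "check" ]; then
    found=$(installed_tekton_version) || { echo "Tekton Pipeline not found" >&2; exit 1; }
    if version_higher "$found" "$MIN_TEKTON"; then
        echo "Tekton Pipeline $found is higher than $MIN_TEKTON"
    else
        echo "Tekton Pipeline '$found' is not higher than $MIN_TEKTON; upgrade first" >&2
        exit 1
    fi
fi
```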
If you want to do a manual installation of the stable release of Pipelines-as-Code on your OpenShift cluster, you can apply the template with kubectl:
# OpenShift
kubectl patch tektonconfig config --type="merge" -p '{"spec": {"platforms": {"openshift":{"pipelinesAsCode": {"enable": false}}}}}'
kubectl apply -f https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.yaml
# Kubernetes
kubectl apply -f https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.k8s.yaml
If you want to install the current development version, you can install it like this:
# OpenShift
kubectl apply -f https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/nightly/release.yaml
# Kubernetes
kubectl apply -f https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/nightly/release.k8s.yaml
This will apply the release.yaml to your OpenShift cluster, creating the admin namespace pipelines-as-code, the roles and all other bits needed.
The pipelines-as-code namespace is where the Pipelines-as-Code infrastructure runs and is supposed to be accessible only by the admins.
OpenShift #
On OpenShift the Route URL for the Pipelines-as-Code Controller is automatically created when you apply the release.yaml. You will need to reference this URL when configuring your GitHub provider.
You can run this command to get the route created on your cluster:
echo https://$(oc get route -n pipelines-as-code pipelines-as-code-controller -o jsonpath='{.spec.host}')
Kubernetes #
Kubernetes installation is a bit more involved; head over here for more details.
RBAC #
Non system:admin users need to be allowed explicitly to create the repositories CRD in their namespace.
To allow them, you need to create a RoleBinding on the namespace to the openshift-pipeline-as-code-clusterrole.
For example, assuming we want user to be able to create the repository CRD in the namespace user-ci, if we use the OpenShift oc CLI:
oc adm policy add-role-to-user openshift-pipeline-as-code-clusterrole user -n user-ci
or through kubectl, applying this YAML:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: openshift-pipeline-as-code-clusterrole
  namespace: user-ci
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-pipeline-as-code-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user
CLI #
Pipelines-as-Code provides a CLI which is designed to work as a tkn plug-in. To install the plug-in, follow the instructions from the CLI documentation.
Controller TLS Setup #
Pipelines As Code Controller now supports both HTTP and HTTPS. Usually, you configure the TLS directly on the ingress/Route pointing to the controller. If you want to configure the TLS directly on the controller you can do so by following this guide.
First, create a secret which includes those certificates:
kubectl create secret generic -n pipelines-as-code pipelines-as-code-tls-secret \
--from-file=cert=/path/to/crt/file \
--from-file=key=/path/to/key/file
You can now restart the pipelines-as-code-controller pod in the pipelines-as-code namespace; once the controller has restarted, it will use the TLS secret.
NOTE:
- It is required to create the secret named pipelines-as-code-tls-secret, or you will have to update the secret name in the controller deployment.
- If you have different keys in your secret other than cert and key, you will need to update the controller deployment envs and subsequently apply these changes on upgrade (for example through kustomize or other methods).
You can use the following command to update the envs on the controller:
kubectl set env deployment pipelines-as-code-controller -n pipelines-as-code TLS_KEY=<key> TLS_CERT=<cert>
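A pre-flight check for the certificate and key files before they go into the secret, as an added example that is not part of the Pipelines-as-Code project. It assumes the openssl CLI and an unencrypted PEM private key; cert_matches_key, cert_valid_for_days and the 30-day window are choices made for this example.

```shell
#!/bin/sh
# Added example: validate the files destined for pipelines-as-code-tls-secret
# so the controller does not come back from its restart with unusable TLS material.

# Succeeds only if the certificate's public key is the one derived from the
# private key. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Usage: sh tls-preflight.sh /path/to/crt/file /path/to/key/file
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2" || {
        echo "certificate and key do not match or cannot be read" >&2; exit 1; }
    cert_valid_for_days "$1" 30 || {
        echo "certificate expires within 30 days" >&2; exit 1; }
    # Same command as on this page, run only after both checks pass.
    kubectl create secret generic -n pipelines-as-code pipelines-as-code-tls-secret \
        --from-file=cert="$1" \
        --from-file=key="$2"
fi
```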
Proxy service for PAC controller #
Pipelines-as-Code requires an externally accessible URL to receive events from Git providers.
If you’re developing locally (such as on kind or Minikube) or don’t want to set up an ingress on your cluster, you can also use a proxy service to expose the pipelines-as-code-controller service and allow it to receive events.
Proxying with hook.pipelinesascode.com #
To handle such a scenario for a minikube/kind cluster, let’s use hook.pipelinesascode.com:
- Generate your own URL by going to hook.pipelinesascode.com/new
- Copy the Webhook Proxy URL
- Add the Webhook Proxy URL in the container args of deployment.yaml.
ex: '<replace Webhook Proxy URL>' -> 'https://hook.pipelinesascode.com/oLHu7IjUV4wGm2tJ'
kind: Deployment
apiVersion: apps/v1
metadata:
  name: gosmee-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gosmee-client
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: gosmee-client
    spec:
      containers:
        - name: gosmee-client
          image: 'ghcr.io/chmouel/gosmee:main'
          args:
            - '<replace Webhook Proxy URL>'
            - $(SVC)
          env:
            - name: SVC
              value: >-
                http://pipelines-as-code-controller.pipelines-as-code.svc.cluster.local:8080
      restartPolicy: Always
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
- Execute kubectl create -f deployment.yaml -n pipelines-as-code
- Use the Webhook Proxy URL to configure GitHub, GitLab and Bitbucket.
Basically, use the Webhook Proxy URL in all the places where the pipelines-as-code-controller service URL is used.