Managing OpenShift Pipelines Configuration with GitOps

OpenShift Pipelines lets you manage the operator's configuration through a single cluster-scoped TektonConfig object named config. In this blog entry we will look at how to use GitOps to manage this object, but first a bit of background on the use case that led me to do this.

OpenShift Pipelines 1.6, shipped with OpenShift 4.9, added the ability to control the scope of a Tekton when expression: whether only the guarded task is skipped, or that task together with its whole dependent chain of tasks. Before this release the setting could not be changed and a when expression that evaluated to false skipped the task and all of its dependents. This meant you could not use when if you only wanted to skip one specific task, which greatly limited its usefulness in my humble opinion.

Thus I was super excited with the 1.6 release to be able to control this setting via the scope-when-expressions-to-task configuration variable; setting it to true scopes the when expression to the guarded task alone. More details on this configuration setting can be found in the Tekton documentation.

One complication with the global config object is that it is created and owned by the operator. You could have GitOps overwrite the whole object with your own copy, but you need to be cognizant that newer versions of Pipelines can add new configuration settings, and a full overwrite from git would revert them (and keep fighting the operator's reconciler for them), causing compatibility issues. You could certainly deal with that by checking the generated config object after every operator upgrade and updating your copy accordingly, but I prefer a patching strategy that only touches the keys I care about, which makes it more fire and forget.

As a result, we can use our trusty Kubernetes Job to patch this config object as needed. For this particular setting a simple oc patch command suffices, as follows. One caveat with the JSON Patch replace operation: it fails if the path does not already exist. The operator fills spec.pipeline with defaults, so it works here, but if you are unsure whether a key is present use add (which also overwrites an existing value) or a merge patch instead:

oc patch TektonConfig config --type='json' -p='[{"op": "replace", "path": "/spec/pipeline/scope-when-expressions-to-task", "value":true}]'

Wrapping this in a job is similarly straightforward:

apiVersion: batch/v1
kind: Job
metadata:
  name: patch-tekton-config-parameters
  namespace: openshift-operators
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  template:
    spec:
      containers:
        - image: registry.redhat.io/openshift4/ose-cli:v4.9
          command:
            - /bin/bash
            - -c
            - |
              echo "Waiting for TektonConfig config to be present"
              until oc get TektonConfig config -n openshift-operators
              do
                sleep $SLEEP;
              done
 
              echo "Patching TektonConfig config parameters"
              oc patch TektonConfig config --type='json' -p='[{"op": "replace", "path": "/spec/pipeline/scope-when-expressions-to-task", "value":true}]'
          imagePullPolicy: Always
          name: patch-tekton-config-parameters
          env:
            - name: SLEEP
              value: "5"
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      serviceAccount: patch-tekton-config-parameters
      serviceAccountName: patch-tekton-config-parameters

A couple of items to note in this Job. Since it is deployed by the same Argo CD application as the operator itself, the TektonConfig object does not exist until the operator has installed and reconciled, so the Job waits for it. It currently waits forever, though, and I should improve this with a bounded wait (or an activeDeadlineSeconds on the Job) so that a broken operator install surfaces as a failed hook rather than a pod that never finishes. Two other consequences of the annotations: the PostSync hook re-creates the Job on every sync, so the patch has to be idempotent (it is, since it always replaces the value with true), and HookSucceeded deletes the Job only when it succeeds, so a failed run stays visible in Argo CD for troubleshooting.
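A hardened version of the Job's script, as an added example that is not taken from the original post or its cluster-config repository. It assumes the same object name and key as above; the script name patch-tektonconfig.sh and the TIMEOUT variable are my own additions. It bounds the wait, uses a merge patch so the key is set whether or not it already exists, skips the patch when the value is already correct, and reads the value back so that a patch that does not take effect fails the Job instead of being reported as success.

```shell
#!/bin/bash
# patch-tektonconfig.sh (hypothetical name): bounded wait, idempotent patch, read-back.
# Added example, not code from the original post or the OpenShift Pipelines operator.
set -eu

TIMEOUT="${TIMEOUT:-300}"   # give up after this many seconds instead of looping forever
SLEEP="${SLEEP:-5}"
KEY="scope-when-expressions-to-task"

# TektonConfig is cluster-scoped, so no -n flag is needed.
# Returns 0 once "config" exists, 1 if TIMEOUT elapses first.
wait_for_tektonconfig() {
  elapsed=0
  until oc get TektonConfig config >/dev/null 2>&1; do
    if [ "$elapsed" -ge "$TIMEOUT" ]; then
      echo "TektonConfig config not present after ${TIMEOUT}s" >&2
      return 1
    fi
    sleep "$SLEEP"
    elapsed=$((elapsed + SLEEP))
  done
  return 0
}

# Prints the current value of the key: "true", "false", or empty when absent.
current_scope() {
  oc get TektonConfig config -o jsonpath="{.spec.pipeline.$KEY}"
}

# Sets only this one key. A merge patch (RFC 7386) adds the key when it is missing
# and overwrites it when present, so it keeps working across operator upgrades that
# add new fields, and every other spec field stays under the operator's control.
patch_scope_when() {
  if [ "$(current_scope)" = "true" ]; then
    echo "$KEY already true, nothing to do"
    return 0
  fi
  oc patch TektonConfig config --type=merge \
    -p "{\"spec\":{\"pipeline\":{\"$KEY\":true}}}"
  # Read back: if the value is still not true, fail the Job rather than report success.
  if [ "$(current_scope)" != "true" ]; then
    echo "$KEY is not true after patch" >&2
    return 1
  fi
  echo "$KEY set to true"
}

main() {
  wait_for_tektonconfig
  patch_scope_when
}

# The Job would invoke this as "bash patch-tektonconfig.sh run"; sourcing the file
# (for example in a test) only defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

With restartPolicy OnFailure the Job retries a non-zero exit up to backoffLimit, so the timeout and the read-back check both turn a silent hang into a visible failure of the Argo CD hook.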

Second, notice that the Job uses a dedicated ServiceAccount, patch-tekton-config-parameters, so that its permissions can be limited to just what is needed to patch the TektonConfig object. Because TektonConfig is cluster-scoped, this has to be a ClusterRole and ClusterRoleBinding rather than a namespaced RoleBinding. The role below covers every TektonConfig object; if you want it tighter, add resourceNames with just config (that narrows get and patch, though not list, which the Job does not actually need):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: patch-tekton-config-parameters
  namespace: openshift-operators
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: patch-tekton-config-parameters
rules:
  - apiGroups:
      - operator.tekton.dev
    resources:
      - tektonconfigs
    verbs:
      - get
      - list
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: patch-tekton-config-parameters
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: patch-tekton-config-parameters
subjects:
  - kind: ServiceAccount
    name: patch-tekton-config-parameters
    namespace: openshift-operators
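To confirm the binding is as narrow as intended, the following added example (not from the original post) impersonates the service account with oc auth can-i and checks both that the two verbs the Job needs are allowed and that a few things it never needs are denied. The script name and the deny list are my own assumptions; run it from an admin kubeconfig after the RBAC above has been synced.

```shell
#!/bin/bash
# check-patch-sa-rbac.sh (hypothetical name): positive and negative RBAC checks for
# the Job's service account. Added example, not part of the original post.
set -eu

SA="system:serviceaccount:openshift-operators:patch-tekton-config-parameters"

# can_i VERB RESOURCE [flags]: prints "yes" or "no" as seen by the impersonated
# service account. "oc auth can-i" exits 1 for "no", so the status is swallowed
# here and only the printed answer is used.
can_i() {
  oc auth can-i "$@" --as="$SA" 2>/dev/null || true
}

# Returns 0 only if the account has exactly the access the Job needs.
verify_patch_sa() {
  rc=0
  for verb in get patch; do
    if [ "$(can_i "$verb" tektonconfigs.operator.tekton.dev/config)" != "yes" ]; then
      echo "MISSING: $verb on tektonconfigs/config" >&2
      rc=1
    fi
  done
  # Things the Job never needs; "yes" on any of them means the binding is too broad
  # (a compromised Job container would inherit the extra access).
  for denied in \
      "delete tektonconfigs.operator.tekton.dev/config" \
      "get secrets -n openshift-operators" \
      "create clusterrolebindings"; do
    # word splitting of $denied into verb, resource and flags is intentional
    if [ "$(can_i $denied)" = "yes" ]; then
      echo "TOO BROAD: $denied" >&2
      rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = "run" ]; then
  verify_patch_sa && echo "RBAC for $SA is as expected"
fi
```

The deny list is the part worth extending for your own cluster; anything the Job's image could misuse if the pod were compromised belongs there.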

A complete example is in my cluster-config repository.