Chapter 1. Red Hat OpenShift Pipelines release notes

• The public instance of Tekton Hub (hub.tekton.dev) is deprecated and will be removed in a future release. For more information, see "Additional resources".
• Git resolver no longer sets TEKTON_HUB_API to the public hub. You must set the environment variable when pointing to a self-hosted hub. For more information, see Resolvers.

• OpenShift Pipelines no longer emits deprecated metrics, such as pipelinerun_count or running_taskruns_count. You must update your dashboards and alerts with the new metrics, such as pipelinerun_total or running_pipelineruns.

  Expand

  Deprecated	New
  pipelinerun_count	pipelinerun_total
  running_pipelineruns_count	running_pipelineruns
  running_pipelineruns_waiting_on_pipeline_resolution_count	running_pipelineruns_waiting_on_pipeline_resolution
  running_pipelineruns_waiting_on_task_resolution_count	running_pipelineruns_waiting_on_task_resolution
  taskrun_count	taskrun_total
  running_taskruns_count	running_taskruns
  running_taskruns_throttled_by_quota_count	running_taskruns_throttled_by_quota
  running_taskruns_throttled_by_node_count	running_taskruns_throttled_by_node

  Show more

Pipelines as Code

• Pipelines as Code automatically moves from using the deprecated Tekton Hub to Artifact Hub for pipeline and task resolution. After the upgrade some task references using short version pins, such as 0.2, will not resolve correctly. You must update these pins to the full semantic version format, such as 0.2.0, to ensure correct task resolution.

• The hub_catalog_name variable value remains set to tekton after upgrading to 1.20. As a result, the system does not fetch the git-clone task from the correct catalog on Artifact Hub. After upgrading to 1.20, you must remove the variable from the Pipelines as Code config map by running the following command:

  $ oc patch configmap pipelines-as-code -n openshift-pipelines --type=json -p='[{"op": "remove", "path": "/data/hub-catalog-name"}]'

  Copy to Clipboard Toggle word wrap

Pruner

• After upgrading from Red Hat OpenShift Pipelines 1.19 to 1.20, the tekton-pruner-default-spec config map values are overridden with default values. As a mitigation, maintain a copy of the tekton-pruner-default-spec config map before upgrade and apply the same to the TektonConfig fields post upgrade. This issue affects only upgrade path and does not occur on fresh installations.

CLI

• Using opc pr logs in the OpenShift namespace may fail with repeated Failed to list objects from openshift namespace errors for both admin and non-admin users.

Tekton Cache

• On IBM P environments, the cache-fetch step may fail with the error failed to change ownership: operation not permitted. This typically occurs because of filesystem permission restrictions on the underlying storage.

Tekton Chains

• Pod anti-affinity rules are not applied to tekton-chains-controller replicas.

Tekton Hub

• The git-clone task downloaded from Tekton Hub displays version 0.9 instead of 0.10. This occurs because the system sorts version strings lexicographically rather than using semantic versioning.

Pipelines

• Before this update, the OpenShift Pipelines controller did not apply the managed-by: tekton-pipelines label when deploying PipelineRuns and TaskRuns with Helm. In addition, pods created by the controller could have the app.kubernetes.io/managed-by label overridden by values set by a TaskRun or PipelineRun. With this update, the controller consistently applies the correct labels, and pods use the default app.kubernetes.io/managed-by value.
• Before this update, the OpenShift Container Platform Console stated a 'Cancelling' state for PipelineRun objects with failed finally tasks, even when the actual status of the PipelineRun was Canceled, causing confusion. With this update, the issue is fixed.
• Before this update, the PipelineRun Events tab did not show events, due to an issue with the Pipeline Console plugin. As a consequence, you could not monitor the events in real-time. With this update, the issue is fixed.
• Before this update, the pipeline builder fetched only a limited number of tasks from Artifact Hub, resulting in some tasks not being available. This resulted in an incomplete pipeline creation. With this update, the interface fetches the complete list of tasks from Artifact Hub on search, showing all available tasks in the pipeline builder.
• Before this update, running the Konflux-specific fbc-fips-check-oci-ta tasks during git cloning caused temporary resource unavailability, stalling the git resolver and preventing the resolution of ResolutionRequests. This resulted in a build failure with the following error message: cannot fork() for remote-https: Resource temporarily unavailable. With this update, the issue is fixed.

• Before this update, TaskRun and CustomRun creation could fail immediately on transient mutating-webhook timeouts, causing flakiness on busy clusters. With this update, the system applies exponential backoff, configurable via the wait-exponential-backoff config map and controlled by the enable-wait-exponential-backoff setting:

  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: feature-flags
    namespace: tekton-pipelines
  data:
    enable-wait-exponential-backoff: "true"
  #...

  Copy to Clipboard Toggle word wrap
• Before this update, the controllers used a fixed thread count, limiting concurrency. With this update, you can override threads-per-controller by setting the THREADS_PER_CONTROLLER environment variable, allowing finer control over controller concurrency.
• Before this update, podTemplate fields in TaskRunSpec CR did not support parameter substitution, limiting matrix and multi-arch patterns. With this update, the controller substitutes parameters in podTemplate fields for all TaskRuns and TaskRunSpecs.
• Before this update, the onError block in pipeline v1beta1 did not support variables. With this update, the controller resolves the onError variables, improving error handling flexibility.
• Before this update, git resolver shell-outs sometimes failed to inherit environment variables, breaking environment-driven authentication or configuration. With this update, the resolver passes the pod environment correctly to all git subprocesses.
• Before this update, git resolver deployments could leave zombie git processes running, consuming resources. With this update, resolvers use a tini-based image and entrypoint to actively clean up subprocesses.
• Before this update, upgrading OpenShift Pipelines could cause errors when updating metadata, such as finalizers, on completed PipelineRuns or TaskRuns due to specification drift. With this update, the issue is fixed.
• Before this update, the OpenShift git resolver did not mount the trusted CA config map into the component system CA store, potentially causing certificate verification issues. With this update, the config map is mounted correctly, ensuring secure git operations.
• Before this update, the git-clone task failed with a No such remote 'origin' error messgae if the origin remote was missing from the repository. With this update, the task automatically adds the origin remote to the repository configuration, ensuring correct setup and successful cloning.
• Before this update, Pipelines as Code failed immediately when resource quotas were exceeded, canceling the run and interrupting user workflows. With this update, the controllers retry and automatically rerun if resources become available, reducing unnecessary cancellations and improving pipeline reliability.
• Before this update, the pipeline builder UI failed to save a pipeline when the buildah task BUILD_ARGS parameter had the default value [""]. The validation incorrectly rejected empty strings in arrays, even though the task could run successfully. With this update, the issue is fixed, allowing pipelines with default BUILD_ARGS parameter to be saved correctly.

Pipelines as Code

• Before this update, structured logs for Pipelines as Code lacked detailed source repository information from the initiating webhook request. With this update, logs for Pipelines as Code include complete source repository details, making it easier for operators to identify user-reported issues.
• Before this update, invalid Common Expression Language (CEL) expressions in Pipelines as Code PipelineRun failed silently. With this update, Pipelines as Code posts error comments on pull requests, making troubleshooting easier.

• Before this update, Pipelines as Code PipelineRun posted status comments on every pull request in GitHub webhook integration, creating unnecessary noise. With this update, you can disable status comments in the Repository CR by setting the following:

  kind: Repository
  spec:
    settings:
      github:
        comment_strategy: "disable_all"
  #...

  Copy to Clipboard Toggle word wrap
• Before this update, the PipelineRun starting comment did not include a link to the OpenShift Container Platform Console, making access less convenient. With this update, the comment includes a direct link to the PipelineRun.
• Before this update, empty commits in Bitbucket push events were processed by Pipelines as Code, causing the controller to crash. With this update, the controller ignores empty commits in the payload, preventing crashes.
• Before this update, Pipelines as Code incorrectly annotated PipelineRun objects modified by external controllers and marked as started. With this update, PipelineRun receives proper annotations on status change, helping ensure accurate tracking.
• Before this update, auto-merge was blocked if an unauthorized user opened a pull request (PR) and the target branch did not contain a .tekton directory. Pipelines as Code created a pending check that remained indefinitely, even after a repository admin approved the CI run with the /ok-to-test GitOps comment. With this update, the check is updated correctly after approval, allowing auto-merge to proceed as expected.

CLI

• Before this update, opc CLI reading pod logs from already deleted pods could cause a panic, leading to application crashes. With this update, deleted pod scenarios are handled properly, preventing crashes when reading logs.
• Before this update, the opc CLI PipelineRunPending status was displayed with incorrect coloring, making it harder to distinguish from other statuses. With this update, the Pending status color is correct for improved visual clarity.
• Before this update, opc CLI following logs could trigger a deadlock, causing the application to hang. With this update, the deadlock scenario in the log following functionality is fixed, ensuring reliable log streaming.
• Before this update, opc CLI log lines from different tasks and steps were not easily distinguishable, complicating debugging. With this update, log lines include a prefix showing the log source, task, and step name by default, improving readability and the debugging experience.
• Before this update, querying logs for a running PipelineRun or TaskRun in OPC Results resulted in an unclear error message. With this update, the message clearly indicates that logs cannot be retrieved while the run is still in progress.

Tekton Triggers

• Before this update, using a TriggerGroup with multiple triggers and extensions caused a data race and controller panic. With this update, the controller handles multiple triggers without errors.

• The maxRetention parameter in Tekton Results retention agent is deprecated. Use defaultRetention.
• The chain command is deprecated and will be removed in a future release.

Additional resources

• Differences between buildah and buildah-ns tasks
• Enabling the event-based pruner
• Customizing Pipelines as Code configuration
• Commit and URL Information
• Tekton Hub deprecation note under Specifying from a Tekton catalog