Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 4. Using manual approval in OpenShift Pipelines

You can specify a manual approval task in a pipeline. When the pipeline reaches this task, it pauses and awaits approval from one or several OpenShift Container Platform users. If any of the users chooses to rejects the task instead of approving it, the pipeline fails. The manual approval gate controller provides this functionality.

Important

The manual approval gate is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

4.1. Enabling the manual approval gate controller
Copiar o link

To use manual approval tasks, you must first enable the manual approval gate controller.

Prerequisites

  • You installed the Red Hat OpenShift Pipelines Operator in your cluster.
  • You are logged on to the cluster using the oc command-line utility.
  • You have administrator permissions for the openshift-pipelines namespace.

Procedure

  1. Create a file named manual-approval-gate-cr.yaml with the following manifest for the ManualApprovalGate custom resource (CR): 

    apiVersion: operator.tekton.dev/v1alpha1
kind: ManualApprovalGate
metadata:
  name: manual-approval-gate
spec:
  targetNamespace: openshift-pipelines
    Copy to Clipboard Toggle word wrap

  2. Apply the ManualApprovalGate CR by entering the following command: 

    $ oc apply -f manual-approval-gate-cr.yaml
    Copy to Clipboard Toggle word wrap

  3. Verify that the manual approval gate controller is running by entering the following command: 

    $ oc get manualapprovalgates.operator.tekton.dev
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                   VERSION    READY   REASON
manual-approval-gate   v0.1.0	    True
    Copy to Clipboard Toggle word wrap

    Ensure that the READY status is True. If it is not True, wait for a few minutes and enter the command again. The controller might take some time to reach a ready state.

4.2. Specifying a manual approval task
Copiar o link

You can specify a manual approval task in your pipeline to pause execution until specific stakeholders provide authorization. When a pipeline run reaches an approval task, the process stops and waits for approval from the designated users or groups.

Prerequisites

  • You have enabled the manual approver gate controller.
  • You have created a YAML specification of a pipeline.
  • You have created the groups and added the required users before using group approval.

Procedure

  1. Add an ApprovalTask to your pipeline by entering the task definition in your Pipeline definition.

    The following example shows how to include an approval task in a typical deployment pipeline: 

    apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: deployment-pipeline
spec:
  tasks:
  - name: build
    taskRef:
      name: build-task

  - name: test
    taskRef:
      name: test-task
    runAfter: [build]

  - name: approval-gate
    taskRef:
      apiVersion: openshift-pipelines.org/v1alpha1
      kind: ApprovalTask
    params:
    - name: approvers
      value:
      - user1
      - user2
      - group:security-team
    - name: numberOfApprovalsRequired
      value: "2"
    - name: description
      value: "Approve deployment to production"
    runAfter: [test]

  - name: deploy
    taskRef:
      name: deploy-task
    runAfter: [approval-gate]
    Copy to Clipboard Toggle word wrap

  2. Optionally, specify status fields for the approval, such as the approval state and approver responses. These fields allow you to track the approval lifecycle during pipeline execution.

    The following example demonstrates an approval task with status information: 

    apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: example-manual-approval-pipeline
spec:
  tasks:
  - name: example-manual-approval-task
    taskRef:
      apiVersion: openshift-pipelines.org/v1alpha1
      kind: ApprovalTask
    params:
    - name: approvers
      value:
      - user1
      - user2
      - user3
    - name: description
      value: Example manual approval task - please approve or reject
    - name: numberOfApprovalsRequired
      value: '2'
    - name: timeout
      value: '60m'
status:
  state: pending
  approvers:
  - user1
  - user2
  - user3
  approvalsRequired: 2
  approvalsReceived: 0
  approversResponse: []
  startTime: "2024-01-15T10:30:00Z"
    Copy to Clipboard Toggle word wrap

The following table describes the parameters for a manual approval task.

Expand
ParameterTypeDescription

approvers

array

The OpenShift Container Platform users or groups who can approve the task.

description

string

Optional: A description of the approval task. OpenShift Pipelines displays this text to the user who can approve or reject the task.

numberOfApprovalsRequired

string

The number of approvals required from different approvers.

timeout

string

Optional: The timeout period for approval. If the required approvals are not received within this period, the pipeline run fails. The default timeout is 1 hour.

state

string

The current approval state: pending, approved, or rejected.

approvalsReceived

int

The number of approvals received so far.

approversResponse

[]ApproverState

Detailed response from each approver.

You can define approval tasks for different workflows depending on your requirements. The following are a few examples of approval configurations.

The following is an example for multi user approval. 

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: deployment-pipeline
spec:
  tasks:
  - name: build
    taskRef:
      name: build-task
  - name: test
    taskRef:
      name: test-task
    runAfter: [build]
  - name: approval-gate
    taskRef:
      apiVersion: openshift-pipelines.org/v1alpha1
      kind: ApprovalTask
    params:
    - name: approvers
      value:
      - <user_1>
      - <user_2>
      - <user_3>
    - name: numberOfApprovalsRequired
      value: "2"
    - name: description
      value: "Approve deployment to production"
    runAfter: [test]
  - name: deploy
    taskRef:
      name: deploy-task
    runAfter: [approval-gate]
Copy to Clipboard Toggle word wrap

The following is an example for a group-based user approval. 

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: deployment-pipeline
spec:
  tasks:
  - name: build
    taskRef:
      name: build-task
  - name: test
    taskRef:
      name: test-task
    runAfter: [build]
  - name: approval-gate
    taskRef:
      apiVersion: openshift-pipelines.org/v1alpha1
      kind: ApprovalTask
    params:
    - name: approvers
      value:
      - group:qa-team
      - group:security-team
    - name: numberOfApprovalsRequired
      value: "2"
    - name: description
      value: "Approve deployment to production"
    runAfter: [test]
  - name: deploy
    taskRef:
      name: deploy-task
    runAfter: [approval-gate]
Copy to Clipboard Toggle word wrap

The following is an example for mixed user and group approvals. 

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: deployment-pipeline
spec:
  tasks:
  - name: build
    taskRef:
      name: build-task
  - name: test
    taskRef:
      name: test-task
    runAfter: [build]
  - name: approval-gate
    taskRef:
      apiVersion: openshift-pipelines.org/v1alpha1
      kind: ApprovalTask
    params:
    - name: approvers
      value:
      - <tech-lead>
      - <group:qa-team>
      - <group:security-team>
    - name: numberOfApprovalsRequired
      value: "2"
    - name: description
      value: "Approve deployment to production"
    runAfter: [test]
  - name: deploy
    taskRef:
      name: deploy-task
    runAfter: [approval-gate]
Copy to Clipboard Toggle word wrap

4.3. Approving a manual approval task
Copiar o link

When you run a pipeline that includes an approval task and the execution reaches the approval task, the pipeline run pauses and waits for user approval or rejection.

Users can approve or reject the task by using either the web console or the opc command line utility.

If any one of the approvers configured in the task rejects the task, the pipeline run fails.

If one user approves the task but the configured number of approvals is still not reached, the same user can change to rejecting the task and the pipeline run fails

4.3.1. Approving a manual approval task by using the web console
Copiar o link

You can approve or reject a manual approval task by using the OpenShift Container Platform web console.

If you are listed as an approver in a manual approval task and a pipeline run reaches this task, the web console displays a notification. You can view a list of tasks that require your approval and approve or reject these tasks.

Prerequisites

  • You enabled the OpenShift Pipelines console plugin.

Procedure

  1. View a list of tasks that you can approve by completing one of the following actions:

    • When a notification about a task requiring your approval displays, click Go to Approvals tab in this notification.
    • In the Administrator perspective menu, select Pipelines Pipelines and then click the Approvals tab.
    • In the Developer perspective menu, select Pipelines and then click the Approvals tab.
    • In the PipelineRun details window, in the Details tab, click the rectangle that represents the manual approval task. The list displays only the approval for this task.
    • In the PipelineRun details window, click the ApprovalTasks tab. The list displays only the approval for this pipeline run.

  2. In the list of approval tasks, in the line that represents the task that you want to approve, click the kebab icon and then select one of the following options:

    • To approve the task, select Approve.
    • To reject the task, select Reject.
  3. Enter a message in the Reason field.
  4. Click Submit.

4.3.2. Approving a manual approval task by using the command line
Copiar o link

You can approve or reject a manual approval task by using the opc command-line utility. You can view a list of tasks for which you are an approver and approve or reject the tasks that are pending approval.

Prerequisites

  • You downloaded and installed the opc command-line utility. This utility is available in the same package as the tkn command-line utility.
  • You are logged on to the cluster using the oc command-line utility.

Procedure

  1. View a list of manual approval tasks for which you are listed as an approver by entering the following command: 

    $ opc approvaltask list
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                     NumberOfApprovalsRequired   PendingApprovals   Rejected   STATUS
manual-approval-pipeline-01w6e1-task-2   2                           0                  0          Approved
manual-approval-pipeline-6ywv82-task-2   2                           2                  0          Rejected
manual-approval-pipeline-90gyki-task-2   2                           2                  0          Pending
manual-approval-pipeline-jyrkb3-task-2   2                           1                  1          Rejected
    Copy to Clipboard Toggle word wrap

  2. Optional: To view information about a manual approval task, including its name, namespace, pipeline run name, list of approvers, and current status, enter the following command: 

    $ opc approvaltask describe <approval_task_name>
    Copy to Clipboard Toggle word wrap

  3. Approve or reject a manual approval task as necessary:

    • To approve a manual approval task, enter the following command: 

      $ opc approvaltask approve <approval_task_name>
      Copy to Clipboard Toggle word wrap

      Optionally, you can specify a message for the approval by using the -m parameter: 

      $ opc approvaltask approve <approval_task_name> -m <message>
      Copy to Clipboard Toggle word wrap

    • To reject a manual approval task, enter the following command: 

      $ opc approvaltask reject <approval_task_name>
      Copy to Clipboard Toggle word wrap

      Optionally, you can specify a message for the rejection by using the -m parameter: 

      $ opc approvaltask reject <approval_task_name> -m <message>
      Copy to Clipboard Toggle word wrap

4.4. Behavior of ApprovalTask with groups and users
Copiar o link

You can define complex approval policies by combining individual users and groups in a single definition. This allows you to specify the total number of required approvals from different stakeholders, such as a tech lead, a QA engineer, and a member of the security team.

You can assign approval responsibility to a group. When a group is configured as an approver, the controller tracks individual approvals from group members and updates the group’s overall approval state automatically.

Example Initial ApprovalTask created by the controller with a group approver

spec:
  approvers:
  - name: dev-team
    type: Group
    input: pending
Copy to Clipboard Toggle word wrap

As group members approve or reject the task, their individual actions appear in the users list. The group’s approval state changes automatically as soon as the necessary member-level approvals are recorded.

Example Group member approvals recorded by the controller

spec:
  approvers:
  - name: dev-team
    type: Group
    input: approve
    users:
    - name: alice
      input: approve  # Alice has approved
    - name: bob
      input: approve  # Bob has approved
Copy to Clipboard Toggle word wrap

ApprovalTask also supports scenarios where approvals are required from both individual users and groups. You can combine users and groups in a single approval definition while specifying the total number of required approvals. This allows pipelines to enforce more granular approval policies, such as requiring sign-off from a tech lead, a QA engineer, and a member of the security team.

Important

The following YAML represents a runtime ApprovalTask object created automatically by the Manual Approval Gate controller when a PipelineRun pauses at an approval step. Do not apply this manifest. It is provided for debugging and inspection only. 

apiVersion: openshift-pipelines.org/v1alpha1
kind: ApprovalTask
metadata:
  name: mixed-approval
  namespace: default
spec:
  approvers:
  - name: tech-lead
    type: User
    input: pending
  - name: qa-team
    type: Group
    input: pending
    users:
    - name: <user_1>
      input: approve
    - name: <user_2>
      input: approve
  - name: security-team
    type: Group
    input: pending
  numberOfApprovalsRequired: 3
  description: "Requires an approval from the tech lead, a QA team member, and a security team member"
Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo