Deploy Pipeline Resources

Once we have set up Tekton CI and the dashboard, let's proceed with setting up the pipeline resources. The resources include tasks, pipelines, and the required secrets.

Configure Secrets

The pipeline supports both SSH and HTTPS token authentication for git. You can provide either or both — git-clone will use the appropriate method based on the repository URL format.

Option 1 — SSH Key (for git@github.com:... URLs)

export SSH_KEY=$(cat ~/.ssh/id_rsa | base64 -w0)
cat <<EOF | kubectl apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: git-ssh-creds
data:
  id_rsa: ${SSH_KEY}
EOF

Option 2 — Git Token (for https://github.com/... URLs)

cat <<EOF | kubectl apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: git-token-creds
stringData:
  username: git
  password: <github-personal-access-token>
EOF

For more details check out https://hub.tekton.dev/tekton/task/git-clone

  • Create Image Pull Secret
export DOCKER_CONFIG_BASE64=`cat ~/.docker/config.json | base64 -w0`
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: docker-pull-secret
data:
  .dockerconfigjson: ${DOCKER_CONFIG_BASE64}
type: kubernetes.io/dockerconfigjson
EOF
  • Create Kaniko Docker Config
export DOCKER_CONFIG_BASE64=`cat ~/.docker/config.json | base64 -w0`
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: docker-credentials
data:
  config.json: ${DOCKER_CONFIG_BASE64}
EOF
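
Both secrets above embed the whole ~/.docker/config.json, which may hold logins for registries the pipeline never uses, or no inline credential at all when a credential helper is configured. The following Python sketch is an added example, not part of the original page or the project's code: it keeps only one registry's entry and builds the same two Secret objects. The registry ghcr.io, the sample config and all function names are assumptions.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json: two logins (fake credentials).
SAMPLE_CONFIG = {
    "auths": {
        "ghcr.io": {"auth": base64.b64encode(b"ci-bot:example-token").decode()},
        "registry.internal.example": {"auth": base64.b64encode(b"admin:example").decode()},
    }
}


def scoped_docker_config(config, registry):
    """Return a docker config containing only the credential for `registry`."""
    entry = config.get("auths", {}).get(registry) or {}
    if not (entry.get("auth") or entry.get("identitytoken")):
        # With credsStore/credHelpers the file holds no secret, only a pointer.
        helper = config.get("credHelpers", {}).get(registry) or config.get("credsStore")
        hint = f"; credentials are held by helper '{helper}'" if helper else ""
        raise ValueError(f"no inline credential for {registry}{hint}")
    return {"auths": {registry: entry}}


def secret(name, key, docker_config, secret_type="Opaque"):
    """Build a v1 Secret whose `key` holds the base64-encoded docker config."""
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1", "kind": "Secret",
        "type": secret_type,
        "metadata": {"name": name},
        "data": {key: base64.b64encode(payload).decode()},
    }


def build_secrets(config, registry):
    """Return a v1 List with the pull secret and the Kaniko config secret."""
    scoped = scoped_docker_config(config, registry)
    return {
        "apiVersion": "v1", "kind": "List",
        "items": [
            secret("docker-pull-secret", ".dockerconfigjson", scoped,
                   "kubernetes.io/dockerconfigjson"),
            secret("docker-credentials", "config.json", scoped),
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_secrets(SAMPLE_CONFIG, "ghcr.io"), indent=2))
```

The printed JSON List can be piped to kubectl apply -f - in place of the two heredocs; to use a real file, load it with json.load and pass it instead of SAMPLE_CONFIG.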

Create Tasks and Pipeline

kubectl apply -k tekton/resources

Verify the created resources

kubectl get tekton

Create PipelineRun

A PipelineRun is a declarative resource for pipeline execution that defines the runtime params and config for the pipeline.

kubectl create -f tekton/pipelinerun.yaml

You can view the pipeline execution status and logs on the Tekton Dashboard.

Deploy to OCM Managed Clusters

The OCM build-deploy pipeline builds a container image and deploys it to an OCM managed spoke cluster via an ArgoCD ApplicationSet using the DevSpace component-chart with inline Helm values.

Pipeline flow: git-clone → kaniko build-push → ocm-create-applicationset

Setup

make deploy-tekton-ocm

This deploys:

  • ocm-create-applicationset task — creates an ArgoCD ApplicationSet on the hub targeting a spoke cluster with DevSpace component-chart
  • ocm-build-deploy pipeline — end-to-end CI/CD to OCM spokes
  • tekton-ocm-serviceaccount — service account with RBAC for ApplicationSet + ManagedCluster access

Run

kubectl create -f tekton/ocm/pipelinerun.yaml

This runs the pipeline with the guestbook-go example from kubernetes/examples, building and deploying to ocm-spoke-1.

Pipeline Parameters

| Parameter | Description | Default |
|---|---|---|
| repo-url | Git repository URL | |
| git-revision | Branch, tag, or commit | main |
| image-reference | Container image name (tag auto-generated) | |
| dockerfile | Path to Dockerfile | Dockerfile |
| docker-context | Build context directory | . |
| target-cluster | OCM ManagedCluster name (e.g. ocm-spoke-1) | |
| deployment-name | Name of the application on the spoke | |
| namespace | Namespace on the spoke | default |
| port | Container and service port | 80 |
| replicas | Number of replicas | 1 |

What it creates

The ocm-create-applicationset task creates the following on the hub:

| Resource | Namespace | Purpose |
|---|---|---|
| ConfigMap ocm-placement-generator | argocd | Defines how to query OCM PlacementDecisions |
| Placement tekton-{name} | default | Selects managed clusters labeled with tekton.app: {name} |
| ApplicationSet tekton-{name} | argocd | Deploys the DevSpace component-chart to selected clusters |

The task also labels the target ManagedCluster with tekton.app: {deployment-name} so the Placement selects it.

Architecture:

  • The clusterDecisionResource generator queries OCM PlacementDecisions for the Placement
  • Each matching cluster gets an Application from the ApplicationSet template
  • The ArgoCD agent addon syncs the Application to the spoke cluster
  • The inline Helm values include image, port, replicas, and a ClusterIP service

Verify

# Check Placement and selected clusters
kubectl get placement -n default -l app.kubernetes.io/managed-by=tekton
kubectl get placementdecision -n default

# Check ApplicationSet on hub
kubectl get applicationset -n argocd -l app.kubernetes.io/managed-by=tekton

# Check generated Application
kubectl get app -A -l app.kubernetes.io/managed-by=tekton

# Check deployment rolled out on spoke
kubectl --context k3d-ocm-spoke-1 get pods -n default
kubectl --context k3d-ocm-spoke-1 get svc -n default