
Setup

All YAML files use __NIPIO_IP__ and __LB_IP__ placeholders. Deploy via the Makefile targets, which auto-detect the IP:

  • __NIPIO_IP__ → Tailscale IPv4 (if available), otherwise Traefik LoadBalancer IP
  • __LB_IP__ → Traefik LoadBalancer IP (internal docker network)

IP Detection

# Script: scripts/get-nipio-ip.sh
# Priority: tailscale ip -4 → kubectl get svc traefik ... → error

make lb-ip
# nip.io IP:      100.106.163.111  (or other)
# Traefik LB IP:  172.18.0.200

Install Tekton Pipelines

kubectl apply --filename https://infra.tekton.dev/tekton-releases/pipeline/previous/v1.13.0/release.yaml

Install Tekton Dashboard

kubectl apply --filename https://infra.tekton.dev/tekton-releases/dashboard/previous/v0.68.0/release-full.yaml

Deploy OAuth2 Proxy with Dex SSO

make deploy-dex
make deploy-tektondashboard

Or manually:

kubectl create secret generic tekton-dashboard-auth \
  --from-literal=username=tekton \
  --from-literal=password=tekton-oidc-secret \
  -n tekton-pipelines

# Substitute placeholders before applying
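LB_IP="$(kubectl get svc traefik -n kube-system -o jsonpath='{$.status.loadBalancer.ingress[0].ip}')"
NIPIO_IP="$(scripts/get-nipio-ip.sh)"
# Double quotes so the shell expands the variables inside the sed expressions
sed -e "s%__LB_IP__%${LB_IP}%g" \
    -e "s%__NIPIO_IP__%${NIPIO_IP}%g" \
    tekton/dashboard-auth.yaml | kubectl apply -f -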

Install Email Approval Gate

make deploy-mailhog
make deploy-tekton-approval

Or manually:

NIPIO_IP="$(scripts/get-nipio-ip.sh)"
sed "s%__NIPIO_IP__%${NIPIO_IP}%g" mailhog.yaml | kubectl apply -f -
kubectl apply -f tekton/resources/approvaltask-crd.yaml
kubectl apply -f tekton/resources/smtp-creds.yaml
sed "s%__NIPIO_IP__%${NIPIO_IP}%g" tekton/resources/approval-task-email.yaml | kubectl apply -f -
sed "s%__NIPIO_IP__%${NIPIO_IP}%g" tekton/resources/approval-task-ingress.yaml | kubectl apply -f -
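
A guard for the manual substitution steps above (dashboard auth and approval gate), as an added example that is not part of this repository: it validates the detected IPs before they reach sed and refuses to emit a manifest that still contains a placeholder, so a failed IP lookup cannot produce broken hostnames or OAuth2 redirect URIs. The names is_ipv4 and render_manifest and the sample manifest are assumptions made for illustration.

```shell
# Added example; is_ipv4 and render_manifest are hypothetical helpers, not repo code.

# Succeeds only for a dotted-quad IPv4 address (octets 0..255, no leading zeros).
# Runs in a subshell so the IFS change and "set --" do not leak to the caller.
is_ipv4() (
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, empty octet
  esac
  IFS=.
  set -- $1                              # split on dots (only digits and dots here)
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    case "$octet" in
      0?*|????*) exit 1 ;;               # leading zero or more than three digits
    esac
    [ "$octet" -le 255 ] || exit 1
  done
)

# Usage: render_manifest <nipio_ip> <lb_ip> < manifest.yaml
# Prints the rendered manifest on stdout. Returns non-zero and prints nothing on
# stdout if an IP is invalid or a __PLACEHOLDER__ token survives substitution.
render_manifest() {
  # Validating first also keeps "%", "&" or newlines out of the sed expression.
  is_ipv4 "$1" || { echo "invalid NIPIO_IP: '$1'" >&2; return 1; }
  is_ipv4 "$2" || { echo "invalid LB_IP: '$2'" >&2; return 1; }
  _rendered=$(sed -e "s%__NIPIO_IP__%$1%g" -e "s%__LB_IP__%$2%g") || return 1
  if printf '%s\n' "$_rendered" | grep -Eq '__[A-Z][A-Z0-9_]*__'; then
    echo "unrendered placeholder left in manifest" >&2
    return 1
  fi
  printf '%s\n' "$_rendered"
}

# Constructed sample input (not a file from the repository).
SAMPLE_MANIFEST='redirectURIs:
- http://tekton.__LB_IP__.nip.io/oauth2/callback
- http://tekton.__NIPIO_IP__.nip.io/oauth2/callback'

# Typical use, with LB_IP looked up via kubectl as in the manual steps:
#   render_manifest "$(scripts/get-nipio-ip.sh)" "$LB_IP" \
#     < tekton/dashboard-auth.yaml | kubectl apply -f -
```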

The pipeline references the ApprovalTask custom task via taskRef with apiVersion: tekton.automatiko.io/v1beta1 and kind: ApprovalTask. Tekton creates a CustomRun which the automatiko operator processes. The operator sends an email with approve/reject links through Mailhog.

To approve/reject: click the link in the email or visit http://automatiko.$(NIPIO_IP).nip.io and authenticate via Dex SSO.

OCM Build-Deploy Pipeline

The ocm-build-deploy pipeline (tekton/ocm/pipeline.yaml) runs the following steps in order:

fetch-source → kaniko build-push → wait-for-approval → create-appset

The wait-for-approval task creates an ApprovalTask CR and polls for its status. Once approved, the pipeline creates an ArgoCD ApplicationSet on the hub targeting the OCM spoke cluster.

Deploy:

make deploy-tekton-ocm

Trigger:

kubectl create -f tekton/ocm/pipelinerun-netapi.yaml

A demo approval pipeline is at tekton/resources/approval-pipeline.yaml:

make deploy-approval-demo

Access

Sign in with your LDAP or static Dex user:

  • http://tekton.$(LB_IP).nip.io (docker internal network)
  • http://tekton.$(NIPIO_IP).nip.io (external / Tailscale)

Both URLs route through OAuth2 proxy → Dex OIDC authentication.

Dex SSO Clients

| Client | Redirect URI | Purpose |
|---|---|---|
| tekton | http://tekton.$(LB_IP).nip.io/oauth2/callback, http://tekton.$(NIPIO_IP).nip.io/oauth2/callback | Tekton Dashboard |
| automatiko | http://automatiko.$(NIPIO_IP).nip.io/oauth2/callback | Approval Task UI |
| argocd | https://argocd.$(NIPIO_IP).nip.io/auth/callback | ArgoCD |
| grafana | http://grafana.$(NIPIO_IP).nip.io/login/generic_oauth | Grafana |
| test | http://oidc-test.$(NIPIO_IP).nip.io/auth/callback | OIDC test client |