📚 Sync docs from alaudadevops/tektoncd-operator on 515298d9e11daf0aafc74cb495f7fc8d983584f7

edge-katanomi-app2[bot] · edge-katanomi-app2[bot] · commit f6cc7e75b7a2 · 2025-11-18T05:24:13.000Z
Source: feat: add manual approval gate (#763) Author: l-qing Ref: refs/heads/main Commit: 515298d9e11daf0aafc74cb495f7fc8d983584f7 This commit automatically syncs documentation changes from the source-docs repository. 🔗 View source commit: https://github.com/alaudadevops/tektoncd-operator/commit/515298d9e11daf0aafc74cb495f7fc8d983584f7 🤖 Synced on 2025-11-18 05:24:12 UTC
diff --git a/.github/SYNC_INFO.md b/.github/SYNC_INFO.md
@@ -1,10 +1,10 @@
 # Documentation Sync Information
 
-- **Last synced**: 2025-11-17 07:19:21 UTC
+- **Last synced**: 2025-11-18 05:24:12 UTC
 - **Source repository**: alaudadevops/tektoncd-operator
-- **Source commit**: [b908cd738c107ea344fbee70e7cfc0f88df5c71a](https://github.com/alaudadevops/tektoncd-operator/commit/b908cd738c107ea344fbee70e7cfc0f88df5c71a)
+- **Source commit**: [515298d9e11daf0aafc74cb495f7fc8d983584f7](https://github.com/alaudadevops/tektoncd-operator/commit/515298d9e11daf0aafc74cb495f7fc8d983584f7)
 - **Triggered by**: edge-katanomi-app2[bot]
-- **Workflow run**: [#95](https://github.com/alaudadevops/tektoncd-operator/actions/runs/19421571524)
+- **Workflow run**: [#96](https://github.com/alaudadevops/tektoncd-operator/actions/runs/19455181392)
 
 ## Files synced:
 - docs/
diff --git a/docs/en/apis/kubernetes_apis/pipelines/openshiftpipelines.org_approvaltasks.mdx b/docs/en/apis/kubernetes_apis/pipelines/openshiftpipelines.org_approvaltasks.mdx
@@ -0,0 +1,9 @@
+---
+weight: 200
+---
+
+# ApprovalTask [openshiftpipelines.org/v1alpha1]
+
+
+<K8sCrd name="approvaltasks.openshiftpipelines.org" />
+
diff --git a/docs/en/how_to/manual_approval_gate_operator.mdx b/docs/en/how_to/manual_approval_gate_operator.mdx
@@ -0,0 +1,105 @@
+---
+weight: 70
+i18n:
+  title:
+    en: Deploy Manual Approval Gate
+    zh: 部署手动审批关卡
+title: Deploy Manual Approval Gate
+---
+
+# Deploying `Manual Approval Gate`
+
+## Feature Overview
+
+`Manual Approval Gate` provides the cluster-scoped controller and webhooks that back `ApprovalTask` custom tasks. Administrators must create and maintain the `ManualApprovalGate` custom resource (CR) so that platform users can insert manual approvals in their pipelines. This guide explains how to deploy the `Manual Approval Gate` component in `tekton-pipelines`, customize runtime options, and uninstall it safely.
+
+## Use Cases
+
+- Enabling manual approvals for all teams in the cluster by provisioning a managed controller.
+- Tweaking controller deployments (for example, replica counts, resource limits, or ConfigMaps) through the Operator's `options` contract instead of editing manifests.
+- Cleaning up the feature when approval tasks are no longer required.
+
+## Prerequisites
+
+- `Alauda DevOps Pipelines` v4.5.0 or later with cluster-admin access.
+- `kubectl` configured against the target cluster.
+
+## Steps
+
+### 1. Create the `ManualApprovalGate` CR
+
+Save the manifest as `manual-approval-gate.yaml` and apply it:
+
+```yaml
+apiVersion: operator.tekton.dev/v1alpha1
+kind: ManualApprovalGate
+metadata:
+  name: manual-approval-gate
+spec:
+  targetNamespace: tekton-pipelines
+  options:
+    disabled: false
+```
+
+```bash
+kubectl apply -f manual-approval-gate.yaml
+```
+
+- `spec.targetNamespace` determines where controller deployments, webhooks, and ConfigMaps are created. We recommend `tekton-pipelines` so that the component stays beside other Tekton services, but you can point it to any namespace as long as that namespace exists (or is created) before applying the CR.
+- Use `spec.options` to override Deployments, ConfigMaps, or image fields without editing generated YAML. For detailed syntax, refer to [Adjusting Optional Configuration Items of Subcomponents](../configure/customize_options.mdx).
+
+### 2. Verify controller health
+
+```bash
+$ kubectl get manualapprovalgates.operator.tekton.dev manual-approval-gate
+
+NAME                   VERSION          READY   REASON
+manual-approval-gate   v0.7.0-4f10729   True
+```
+
+```bash
+$ kubectl get deployment -n tekton-pipelines | grep manual-approval-gate
+
+manual-approval-gate-controller     1/1     1            1           1h1m
+manual-approval-gate-webhook        1/1     1            1           1h1m
+```
+
+The CR's `READY` condition must report `True`, and you should see controller and webhook Deployments running in `tekton-pipelines`.
+
+### 3. Reconfigure or force a rollout
+
+- Patch the CR to adjust replicas or other options; the Operator rolls the workloads automatically:
+
+    ```bash
+    kubectl patch manualapprovalgate manual-approval-gate \
+      --type merge \
+      --patch '{"spec":{"options":{"deployments":{"manual-approval-gate-controller":{"spec":{"replicas":2}}}}}}'
+    ```
+
+
+### 4. Uninstall `Manual Approval Gate`
+
+```bash
+$ kubectl delete manualapprovalgate manual-approval-gate
+$ kubectl get deployment -n tekton-pipelines | grep manual-approval-gate
+```
+
+The CRD remains installed so you can recreate the CR later, but Deployments, Services, and Webhooks should disappear.
+
+## Operation Results
+
+- `kubectl get manualapprovalgates` shows the instance with `READY=True`, `VERSION=<release>`, and `REASON` empty or `Installed`.
+- `kubectl get pods -n tekton-pipelines | grep manual-approval-gate` lists controller and webhook pods in `Running` state.
+- After deletion, no pods or services with the same label remain, and the Operator stops reconciling `ApprovalTask` resources until the CR is recreated.
+
+## Troubleshooting
+
+- **`ManualApprovalGate` CR stuck in `NotReady`:** Run `kubectl describe manualapprovalgate manual-approval-gate` to check events, then review Operator logs (`kubectl logs -n tekton-operator deploy/tekton-operator`). Mis-typed fields in `spec.options` or insufficient privileges are the most common root causes.
+- **Controller/webhook pods crash looping:** Describe the failing pods in `tekton-pipelines` to confirm whether TLS secrets or configuration maps are missing. Reapplying the CR usually recreates these resources automatically.
+- **`ApprovalTask` resources not created:** Ensure the `ManualApprovalGate` CR still exists with `READY=True`. If it was deleted or is failing, reinstall it before users rerun pipelines.
+
+## Learn More
+
+- [Manual Approval Gate usage for pipeline authors](../pipelines/how_to/manual_approval_gate.mdx)
+- [Tekton Operator documentation](../overview/architecture.mdx)
+- [ApprovalTask upstream repository](https://github.com/openshift-pipelines/manual-approval-gate)
diff --git a/docs/en/pipelines/how_to/manual_approval_gate.mdx b/docs/en/pipelines/how_to/manual_approval_gate.mdx
@@ -0,0 +1,191 @@
+---
+weight: 30
+i18n:
+  title:
+    en: Manual Approval Gate
+    zh: 手动审批关卡
+title: Manual Approval Gate
+---
+
+# `Manual Approval Gate` for `Tekton Pipelines`
+
+## Feature Overview
+
+`Manual Approval Gate` lets pipeline authors pause a `PipelineRun` until designated approvers review and approve the operation. Behind the scenes, the Operator-provided controller creates an `ApprovalTask` resource for every approval step, tracks approver responses, and writes the result back to the originating `CustomRun`.
+
+## Use Cases
+
+- Enforcing human checkpoints before deploying to production or performing destructive maintenance.
+- Implementing multi-person approval policies by combining individuals and groups with `numberOfApprovalsRequired`.
+- Auditing who approved or rejected a change by querying `ApprovalTask` status fields or CLI output.
+
+## Prerequisites
+
+- A cluster administrator has deployed `Manual Approval Gate`. If not, refer to the [deployment guide](../../how_to/manual_approval_gate_operator.mdx).
+- You can create or edit `Pipeline`/`PipelineRun` objects in the target namespace.
+- Approvers can patch `approvaltasks.openshift-pipelines.org` resources (typically via `kubectl`) in the target namespace. Platforms such as `Alauda Container Platform` grant this capability by default; only customize RBAC if you have explicitly removed the built-in permissions.
+
+## Steps
+
+### 1. Declare the approval step in a pipeline
+
+```yaml
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: deploy-with-approval
+spec:
+  tasks:
+    - name: build
+      taskRef:
+        name: build-bundle     # Placeholder Task; replace with your build logic
+    - name: wait-for-approval
+      runAfter:
+        - build
+      taskRef:
+        apiVersion: openshift-pipelines.org/v1alpha1
+        kind: ApprovalTask
+      params:
+        - name: approvers
+          value:
+            - alice
+            - group:release-managers
+        - name: numberOfApprovalsRequired
+          value: "1"
+        - name: timeout
+          value: "24h"
+        - name: description
+          value: "Approve promotion into production"
+    - name: deploy
+      runAfter:
+        - wait-for-approval
+      taskRef:
+        name: deploy-prod     # Placeholder Task; replace with your deployment logic
+```
+
+When the pipeline reaches `wait-for-approval`, `Tekton` emits a `CustomRun`. The approval controller creates an `ApprovalTask` with your parameters and keeps the `PipelineRun` pending until quorum is met or a rejection occurs.
+
+### 2. Monitor approval status
+
+```bash
+$ kubectl get approvaltasks.openshift-pipelines.org
+
+NAME                                         AGE
+deploy-with-approval-run-wait-for-approval   4m16s
+```
+
+```bash
+$ kubectl describe approvaltask deploy-with-approval-run-wait-for-approval
+Name:         deploy-with-approval-run-wait-for-approval
+Status:
+  Approvals Received:  1
+  Approvals Required:  1
+  Approvers:
+    alice
+    release-managers
+  Approvers Response:
+    Name:      alice
+    Response:  approved
+    Type:      User
+  Start Time:  2025-11-17T10:37:01Z
+  State:       approved
+Events:        <none>
+```
+
+Important status fields:
+
+- `status.state`: overall gate state such as `pending`, `approved`, or `rejected`.
+- `status.approvalsRequired` / `status.approvalsReceived`: quorum tracking (the received count appears only after at least one approver responds).
+- `status.approversResponse`: per-user/group outcome plus messages, useful for auditing.
+
+### 3. Approve or reject
+
+```bash
+$ kubectl get approvaltask deploy-with-approval-run-wait-for-approval -o json | jq '.spec.approvers'
+
+$ kubectl patch approvaltask deploy-with-approval-run-wait-for-approval \
+    --type='json' \
+    --as alice \
+    -p='[
+      {"op":"replace","path":"/spec/approvers/0/input","value":"approve"},
+      {"op":"replace","path":"/spec/approvers/0/message","value":"QA complete"}
+    ]'
+
+$ kubectl patch approvaltask deploy-with-approval-run-wait-for-approval \
+    --type='json' \
+    --as alice \
+    -p='[
+      {"op":"replace","path":"/spec/approvers/0/input","value":"reject"},
+      {"op":"replace","path":"/spec/approvers/0/message","value":"Found regression"}
+    ]'
+
+$ kubectl patch approvaltask deploy-with-approval-run-wait-for-approval \
+    --type='json' \
+    --as bob \
+    --as-group release-managers \
+    -p='[
+      {"op":"replace","path":"/spec/approvers/1/input","value":"approve"},
+      {"op":"replace","path":"/spec/approvers/1/message","value":"Group approval from release-managers"}
+    ]'
+```
+
+The first command helps you determine the array index for your approver entry. The JSON patches then update only the matched entry's `input` and `message`, whether it represents a user (`alice` in the example) or a user impersonating a group (`bob` acting for `release-managers`). The controller sets the corresponding `CustomRun` and `PipelineRun` to `Succeeded` or `Failed` accordingly: approvals accumulate until `numberOfApprovalsRequired` is satisfied, while any rejection immediately fails that section of the pipeline.
+
+> **Tip:** Use `--as <username>` (required) and optionally `--as-group <group>` when you need to approve as a specific identity. The validation webhook allows you to modify only the entry that matches that impersonated user, so you often impersonate a user while also attaching the relevant group. RBAC must grant you impersonation rights. For example, `kubectl patch ... --as release-robot --as-group release-managers` simulates a service account acting for the `release-managers` group.
+
+### 4. Extend `PipelineRun` timeouts for long approvals
+
+If an approval could take hours or days, configure both `PipelineRun.spec.timeouts.pipeline` and `PipelineRun.spec.timeouts.tasks` to exceed the approval window so the run does not terminate before approvers respond. A simple `PipelineRun` to exercise the approval gate looks like the following:
+
+```yaml
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: deploy-with-approval-run
+spec:
+  pipelineRef:
+    name: deploy-with-approval
+  timeouts:
+    pipeline: 72h
+    tasks: 72h
+```
+
+Ensure the approval task's `timeout` parameter is shorter than the pipeline timeout. Otherwise, the `PipelineRun` might expire first, leaving the approval unresolved.
+
+## Operation Results
+
+- `kubectl get approvaltasks -o yaml` shows each approval gate with `state` and quorum-related fields (the `approvalsReceived` column appears after someone responds).
+- `PipelineRun` status reflects the approval outcome: when approved, downstream tasks resume; when rejected, the run fails with the reason propagated from the `ApprovalTask`.
+- Dispatch logs or `kubectl get approvaltask -o yaml` output provide the approval history for auditing.
+
+## Troubleshooting
+
+- **Approval task never appears:** Confirm the administrator-installed `ManualApprovalGate` CR is `READY`. Without the controller, `CustomRun` objects remain pending.
+- **Approvers lack permissions:** Grant them `get`, `list`, `update`, and `patch` access to `approvaltasks.openshift-pipelines.org` in the relevant namespace.
+- **Pipeline ended before approval finished:** Set both `PipelineRun.spec.timeouts.pipeline` and `PipelineRun.spec.timeouts.tasks` to cover the expected approval window, and ensure the approval `timeout` is realistic. Otherwise the run may time out even if approvers have not responded.
+- **Stuck in pending even after approvals:** Check `status.approversResponse` for users who changed their vote or rejected. You may need to update the approver list and rerun the pipeline.
+
+## User and group identifiers
+
+`Manual Approval Gate` relies on your platform's identity provider to match approver names. Always use the canonical identifiers exposed by the provider rather than UI display names. For example, on `Alauda Container Platform`:
+
+```bash
+$ kubectl get users.auth.alauda.io
+NAME                               TYPE    USERNAME   AGE
+21232f297a57a5a743894a0e4a801fc3   local   admin      19d
+```
+
+Use the `USERNAME` column (such as `admin`) when adding user approvers.
+
+```bash
+$ kubectl get groups.auth.alauda.io
+NAME      DISPLAYNAME   CONNTYPE   CONNID   AGE
+g-v9mfs   test-group    local      local    19d
+```
+
+Use the `NAME` column (such as `g-v9mfs`) when referencing group approvers (for example, `group:g-v9mfs`). Other platforms expose similar resources—consult the identity service documentation for the exact field names.
+
+## Learn More
+
+- [Deploying `Manual Approval Gate` as an administrator](../../how_to/manual_approval_gate_operator.mdx)
+- [Manual Approval Gate upstream repository](https://github.com/openshift-pipelines/manual-approval-gate)
diff --git a/docs/shared/crds/pipelines/openshiftpipelines.org_approvaltasks.yaml b/docs/shared/crds/pipelines/openshiftpipelines.org_approvaltasks.yaml
