RHDEVDOCS-4169 Document using admin provided database for Tekton Hub

draft content

custom database revised content

deleted unnecessary modules for 1.8

skeleton for auto, manual installations and upgrade gotchas

removing custom database module as not supported in 1.8

automatic installation

manual installation

disable tekton hub login auth and rating after operator upgrade

added custom database module, just in case

addressing SME comments

Peer review comments

incorporated comments from Pavol

incorporated Veeresh's comments

typo correction

incorporated Puneet's comments

typo fix

Author: Souvik Sarkar

cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc

@@ -14,19 +14,23 @@ include::snippets/technology-preview.adoc[]
 
 include::modules/op-installing-and-deploying-tekton-hub-on-an-openshift-cluster.adoc[leveloffset=+1]
 
-include::modules/op-manually-refreshing-the-catalog-in-tekton-hub.adoc[leveloffset=+2]
+include::modules/op-installing-tekton-hub-without-login-and-rating.adoc[leveloffset=+2]
 
-include::modules/op-setting-a-cron-job-for-refreshing-catalog-in-tekton-hub.adoc[leveloffset=+2]
+include::modules/op-installing-tekton-hub-with-login-and-rating.adoc[leveloffset=+2]
 
-include::modules/op-adding-new-users-in-tekton-hub-configuration.adoc[leveloffset=+2]
+include::modules/op-adding-new-users-in-tekton-hub-configuration.adoc[leveloffset=+1]
+
+include::modules/op-using-a-custom-database-in-tekton-hub.adoc[leveloffset=+1]
+
+include::modules/op-disabling-tekton-hub-authorization-after-upgrade.adoc[leveloffset=+1]
 
 include::modules/op-opting-out-of-tekton-hub-in-the-developer-perspective.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 [id="additional-resources-tekton-hub"]
 == Additional resources
 
-* GitHub repository of link:https://github.com/tektoncd/hub[Tekton Hub].
+* GitHub repository of link:https://github.com/tektoncd/hub[Tekton Hub]
 
 * xref:../../cicd/pipelines/installing-pipelines.adoc#installing-pipelines[Installing OpenShift Pipelines]
 

modules/op-disabling-tekton-hub-authorization-after-upgrade.adoc

@@ -0,0 +1,89 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
+
+:_content-type: PROCEDURE
+[id="disabling-tekton-hub-authorization-after-upgrade.adoc_{context}"]
+= Disabling {tekton-hub} authorization after upgrading the {pipelines-title} Operator from 1.7 to 1.8
+
+[role="_abstract"]
+When you install {tekton-hub} with {pipelines-title} Operator 1.8, the login authorization and ratings for the {tekton-hub} artifacts are disabled for the default installation. However, when you upgrade the Operator from 1.7 to 1.8, the instance of the {tekton-hub} on your cluster does not automatically disable the login authorization and ratings. 
+
+To disable login authorization and ratings for {tekton-hub} after upgrading the Operator from 1.7 to 1.8, perform the steps in the following procedure.
+
+[discrete]
+.Prerequisites
+* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
+
+[discrete]
+.Procedure 
+
+. Delete the existing {tekton-hub} API secret that you created while manually installing {tekton-hub} for Operator 1.7.
++
+[source,terminal]
+----
+$ oc delete secret tekton-hub-api -n <targetNamespace> <1>
+----
+<1> The common namespace for the {tekton-hub} API secret and the {tekton-hub} CR. By default, the target namespace is `openshift-pipelines`.
+
+. Delete the `TektonInstallerSet` object for the {tekton-hub} API.
++
+[source,terminal]
+----
+$ oc get tektoninstallerset -o name | grep tekton-hub-api | xargs oc delete
+----
++
+[NOTE]
+====
+After deletion, the Operator automatically creates a new {tekton-hub} API installer set.
+====
++
+Wait and check the status of the {tekton-hub}. Proceed to the next steps when the `READY` column displays `True`.
++
+[source,terminal]
+----
+$ oc get tektonhub hub
+----
++
+.Sample output
+[source,terminal]
+----
+NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
+hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
+
+----
+
+. Delete the `ConfigMap` object for the {tekton-hub} UI.
++
+[source,terminal]
+----
+$ oc delete configmap tekton-hub-ui -n <targetNamespace> <1>
+----
+<1> The common namespace for the {tekton-hub} UI and the {tekton-hub} CR. By default, the target namespace is `openshift-pipelines`.
+
+. Delete the `TektonInstallerSet` object for the {tekton-hub} UI.
++
+[source,terminal]
+----
+$ oc get tektoninstallerset -o name | grep tekton-hub-ui | xargs oc delete
+----
++
+[NOTE]
+====
+After deletion, the Operator automatically creates a new {tekton-hub} UI installer set.
+====
++
+Wait and check the status of the {tekton-hub}. Proceed to the next steps when the `READY` column displays `True`.
++
+[source,terminal]
+----
+$ oc get tektonhub hub
+----
++
+.Sample output
+[source,terminal]
+----
+NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
+hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
+
+----

modules/op-installing-and-deploying-tekton-hub-on-an-openshift-cluster.adoc

@@ -3,104 +3,18 @@
 // *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
 
 :_content-type: PROCEDURE
-[id="op-installing-and-deploying-tekton-hub-on-an-openshift-cluster_{context}"]
+[id="installing-and-deploying-tekton-hub-on-an-openshift-cluster_{context}"]
 = Installing and deploying {tekton-hub} on a {product-title} cluster
 
 [role="_abstract"]
 {tekton-hub} is an optional component; cluster administrators cannot install it using the `TektonConfig` custom resource (CR). To install and manage {tekton-hub}, use the `TektonHub` CR.
 
-[NOTE]
-====
-If you are using Github Enterprise or Gitlab Enterprise, install and deploy {tekton-hub} in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy {tekton-hub} on a cluster that is also behind the VPN.
-====
-
-[discrete]
-.Prerequisites
-* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
-
-[discrete]
-.Procedure
-
-. Create a fork of the link:https://github.com/tektoncd/hub[Tekton Hub] repository.
+You can install {tekton-hub} on your cluster using two modes:
 
-. Clone the forked repository. 
+* _Without_ login authorization and ratings for {tekton-hub} artifacts
+* _with_ login autorization and ratings for {tekton-hub} artifacts
 
-. Update the `config.yaml` file to include at least one user with the following scopes:
-* A user with `agent:create` scope who can set up a cron job that refreshes the {tekton-hub} database after an interval, if there are any changes in the catalog.
-* A user with the `catalog:refresh` scope who can refresh the catalog and all resources in the database of the {tekton-hub}.
-* A user with the `config:refresh` scope who can get additional scopes. 
-+
-[source,yaml]
-----
-...
-scopes:
-- name: agent:create
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-- name: catalog:refresh
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-- name: config:refresh
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-...
-----
-+
-The supported service providers are GitHub, GitLab, and BitBucket.
-
-. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. 
-* For a GitHub OAuth application, set the `Homepage URL` and the `Authorization callback URL` as `<auth-route>`.
-* For a GitLab OAuth application, set the `REDIRECT_URI` as `<auth-route>/auth/gitlab/callback`.
-* For a BitBucket OAuth application, set the `Callback URL` as `<auth-route>`.
-
-. Edit the following fields in the `<tekton_hub_repository>/config/02-api/20-api-secret.yaml` file for the {tekton-hub} API secret:
-* `GH_CLIENT_ID`: The Client ID from the OAuth application created with the Git repository hosting service provider.
-* `GH_CLIENT_SECRET`: The Client Secret from the OAuth application created with the Git repository hosting service provider.
-* `GHE_URL`: GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
-* `GL_CLIENT_ID`: The Client ID from the GitLab OAuth application.
-* `GL_CLIENT_SECRET`: The Client Secret from the GitLab OAuth application.
-*  `GLE_URL`: GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.
-* `BB_CLIENT_ID`: The Client ID from the BitBucket OAuth application.
-* `BB_CLIENT_SECRET`: The Client Secret from the BitBucket OAuth application.
-* `JWT_SIGNING_KEY`: A long, random string used to sign the JSON Web Token (JWT) created for users.
-* `ACCESS_JWT_EXPIRES_IN`: Add the time limit after which the access token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`).
-* `REFRESH_JWT_EXPIRES_IN`: Add the time limit after which the refresh token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
-* `AUTH_BASE_URL`: Route URL for the OAuth application.
-+
 [NOTE]
 ====
-* Use the fields related to Client ID and Client Secret for any one of the supported Git repository hosting service providers.
-* The account credentials registered with the Git repository hosting service provider enables the users with `catalog: refresh` scope to authenticate and load all catalog resources to the database. 
-==== 
-
-. Commit and push the changes to your forked repository.
-
-. Ensure that the `TektonHub` CR is similar to the following example:
-+
-[source,yaml]
-----
-apiVersion: operator.tekton.dev/v1alpha1
-kind: TektonHub
-metadata:
-  name: hub
-spec:
-  targetNamespace: openshift-pipelines <1>
-  api:
-    hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml <2> 
-----
-<1> The namespace in which Tekton Hub must be installed; default is `openshift-pipelines`.
-<2> Substitute with the URL of the `config.yaml` file of your forked repository.
-
-. Install the {tekton-hub}.
-+
-[source,terminal]
-----
-$ oc apply -f TektonHub.yaml <1>
-----
-<1> The file name or path of the `TektonConfig` CR.
-
-. Check the status of the installation.
-+
-[source,terminal]
-----
-$ oc get tektonhub.operator.tekton.dev
-NAME   VERSION   READY   REASON   APIURL                    UIURL
-hub    v1.7.2    True             https://api.route.url/    https://ui.route.url/
-----
+If you are using Github Enterprise or Gitlab Enterprise, install and deploy {tekton-hub} in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy {tekton-hub} on a cluster that is also behind the VPN.
+====

modules/op-installing-tekton-hub-with-login-and-rating.adoc

@@ -0,0 +1,111 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
+
+:_content-type: PROCEDURE
+[id="installing-tekton-hub-with-login-and-rating.adoc_{context}"]
+= Installating {tekton-hub} with login and rating
+
+[role="_abstract"]
+You can install {tekton-hub} on your cluster with custom configuration that supports login with authorization and ratings for {tekton-hub} artifacts.
+
+[discrete]
+.Prerequisites
+* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
+
+[discrete]
+.Procedure 
+
+. Create a fork of the link:https://github.com/tektoncd/hub[Tekton Hub] repository.
+
+. Clone the forked repository.
+
+. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. The supported providers are GitHub, GitLab, and BitBucket.
+
+** For a link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[GitHub OAuth application], set the Homepage URL and the Authorization callback URL as `<auth-route>`.
+
+** For a link:https://docs.gitlab.com/ee/integration/oauth_provider.html#user-owned-applications[GitLab OAuth application], set the `REDIRECT_URI` as `<auth-route>/auth/gitlab/callback`.
+
+** For a link:https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud[BitBucket OAuth application], set the `Callback URL` as `<auth-route>`.
+
+. Edit the `<tekton_hub_repository>/config/02-api/20-api-secret.yaml` file of your cloned repository to include the {tekton-hub} API secrets:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tekton-hub-api
+  namespace: openshift-pipelines
+type: Opaque
+stringData:
+  GH_CLIENT_ID: <1>
+  GH_CLIENT_SECRET: <2>
+  GL_CLIENT_ID: <3>
+  GL_CLIENT_SECRET: <4>
+  BB_CLIENT_ID: <5>
+  BB_CLIENT_SECRET: <6>
+  JWT_SIGNING_KEY: <7>
+  ACCESS_JWT_EXPIRES_IN: <8>
+  REFRESH_JWT_EXPIRES_IN: <9>
+  AUTH_BASE_URL: <10>
+  GHE_URL: <11>
+  GLE_URL: <12>
+----
+<1> The Client ID from the GitHub OAuth application.
+<2> The Client Secret from the GitHub OAuth application.
+<3> The Client ID from the GitLab OAuth application.
+<4> The Client Secret from the GitLab OAuth application.
+<5> The Client ID from the BitBucket OAuth application.
+<6> The Client Secret from the BitBucket OAuth application.
+<7> A long, random string used to sign the JSON Web Token (JWT) created for users.
+<8> Add the time limit after which the access token expires. For example, `1m`, where m denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`).
+<9> Add the time limit after which the refresh token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
+<10> Route URL for the OAuth application.
+<11> GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
+<12> GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.
++
+[NOTE]
+====
+You can delete the unused fields for the Git repository hosting service providers that are irrelevant to your deployment.
+====
+
+. Create a `TektonHub` CR similar to the following example.
++
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonHub
+metadata:
+  name: hub
+spec:
+  targetNamespace: openshift-pipelines <1>
+  api:
+    hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml <2>
+    catalogRefreshInterval: 30m <3>
+----
+<1> The namespace in which {tekton-hub} must be installed; default is `openshift-pipelines`.
+<2> Substitute with the URL of the `config.yaml` file.
+<3> The time interval after which the catalog refreshes automatically. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). The default interval is 30 minutes.
+
+. Apply the `TektonHub` CR.
++
+[source,terminal]
+----
+$ oc apply -f <TektonHub>.yaml <1>
+----
+<1> The file name or path of the `TektonHub` CR.
++
+[NOTE]
+====
+When you apply the `TektonHub` CR, {tekton-hub} is installed on the cluster in the `openshift-pipelines` namespace, with upstream Tekton Catalog content. 
+====
+
+. Check the status of the installation. The `TektonHub` CR might take some time to attain steady state.
++
+[source,terminal]
+----
+$ oc get tektonhub.operator.tekton.dev
+NAME   VERSION   READY   REASON   APIURL                    UIURL
+hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/
+----