Merge pull request #48671 from sounix000/4169-admin-provided-database-tekton-hub

RHDEVDOCS-4169+4392: Tekton Hub and auth changes for Pipelines 1.8

Author: bburt-rh

cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc

@@ -14,19 +14,23 @@ include::snippets/technology-preview.adoc[]
 
 include::modules/op-installing-and-deploying-tekton-hub-on-an-openshift-cluster.adoc[leveloffset=+1]
 
-include::modules/op-manually-refreshing-the-catalog-in-tekton-hub.adoc[leveloffset=+2]
+include::modules/op-installing-tekton-hub-without-login-and-rating.adoc[leveloffset=+2]
 
-include::modules/op-setting-a-cron-job-for-refreshing-catalog-in-tekton-hub.adoc[leveloffset=+2]
+include::modules/op-installing-tekton-hub-with-login-and-rating.adoc[leveloffset=+2]
 
-include::modules/op-adding-new-users-in-tekton-hub-configuration.adoc[leveloffset=+2]
+include::modules/op-adding-new-users-in-tekton-hub-configuration.adoc[leveloffset=+1]
+
+include::modules/op-using-a-custom-database-in-tekton-hub.adoc[leveloffset=+1]
+
+include::modules/op-disabling-tekton-hub-authorization-after-upgrade.adoc[leveloffset=+1]
 
 include::modules/op-opting-out-of-tekton-hub-in-the-developer-perspective.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
 [id="additional-resources-tekton-hub"]
 == Additional resources
 
-* GitHub repository of link:https://github.com/tektoncd/hub[Tekton Hub].
+* GitHub repository of link:https://github.com/tektoncd/hub[Tekton Hub]
 
 * xref:../../cicd/pipelines/installing-pipelines.adoc#installing-pipelines[Installing OpenShift Pipelines]
 

modules/op-disabling-tekton-hub-authorization-after-upgrade.adoc

@@ -0,0 +1,89 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
+
+:_content-type: PROCEDURE
+[id="disabling-tekton-hub-authorization-after-upgrade.adoc_{context}"]
+= Disabling {tekton-hub} authorization after upgrading the {pipelines-title} Operator from 1.7 to 1.8
+
+[role="_abstract"]
+When you install {tekton-hub} with {pipelines-title} Operator 1.8, the login authorization and ratings for the {tekton-hub} artifacts are disabled for the default installation. However, when you upgrade the Operator from 1.7 to 1.8, the instance of the {tekton-hub} on your cluster does not automatically disable the login authorization and ratings. 
+
+To disable login authorization and ratings for {tekton-hub} after upgrading the Operator from 1.7 to 1.8, perform the steps in the following procedure.
+
+[discrete]
+.Prerequisites
+* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
+
+[discrete]
+.Procedure 
+
+. Delete the existing {tekton-hub} API secret that you created while manually installing {tekton-hub} for Operator 1.7.
++
+[source,terminal]
+----
+$ oc delete secret tekton-hub-api -n <targetNamespace> <1>
+----
+<1> The common namespace for the {tekton-hub} API secret and the {tekton-hub} CR. By default, the target namespace is `openshift-pipelines`.
+
+. Delete the `TektonInstallerSet` object for the {tekton-hub} API.
++
+[source,terminal]
+----
+$ oc get tektoninstallerset -o name | grep tekton-hub-api | xargs oc delete
+----
++
+[NOTE]
+====
+After deletion, the Operator automatically creates a new {tekton-hub} API installer set.
+====
++
+Wait and check the status of the {tekton-hub}. Proceed to the next steps when the `READY` column displays `True`.
++
+[source,terminal]
+----
+$ oc get tektonhub hub
+----
++
+.Sample output
+[source,terminal]
+----
+NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
+hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
+
+----
+
+. Delete the `ConfigMap` object for the {tekton-hub} UI.
++
+[source,terminal]
+----
+$ oc delete configmap tekton-hub-ui -n <targetNamespace> <1>
+----
+<1> The common namespace for the {tekton-hub} UI and the {tekton-hub} CR. By default, the target namespace is `openshift-pipelines`.
+
+. Delete the `TektonInstallerSet` object for the {tekton-hub} UI.
++
+[source,terminal]
+----
+$ oc get tektoninstallerset -o name | grep tekton-hub-ui | xargs oc delete
+----
++
+[NOTE]
+====
+After deletion, the Operator automatically creates a new {tekton-hub} UI installer set.
+====
++
+Wait and check the status of the {tekton-hub}. Proceed to the next steps when the `READY` column displays `True`.
++
+[source,terminal]
+----
+$ oc get tektonhub hub
+----
++
+.Sample output
+[source,terminal]
+----
+NAME   VERSION        READY   REASON   APIURL                                                                                                  UIURL
+hub    1.8.0          True             https://tekton-hub-api-openshift-pipelines.apps.example.com   https://tekton-hub-ui-openshift-pipelines.apps.example.com
+
+----

modules/op-installing-and-deploying-tekton-hub-on-an-openshift-cluster.adoc

@@ -3,104 +3,18 @@
 // *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
 
 :_content-type: PROCEDURE
-[id="op-installing-and-deploying-tekton-hub-on-an-openshift-cluster_{context}"]
+[id="installing-and-deploying-tekton-hub-on-an-openshift-cluster_{context}"]
 = Installing and deploying {tekton-hub} on a {product-title} cluster
 
 [role="_abstract"]
 {tekton-hub} is an optional component; cluster administrators cannot install it using the `TektonConfig` custom resource (CR). To install and manage {tekton-hub}, use the `TektonHub` CR.
 
-[NOTE]
-====
-If you are using Github Enterprise or Gitlab Enterprise, install and deploy {tekton-hub} in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy {tekton-hub} on a cluster that is also behind the VPN.
-====
-
-[discrete]
-.Prerequisites
-* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
-
-[discrete]
-.Procedure
-
-. Create a fork of the link:https://github.com/tektoncd/hub[Tekton Hub] repository.
+You can install {tekton-hub} on your cluster using two modes:
 
-. Clone the forked repository. 
+* _Without_ login authorization and ratings for {tekton-hub} artifacts
+* _with_ login autorization and ratings for {tekton-hub} artifacts
 
-. Update the `config.yaml` file to include at least one user with the following scopes:
-* A user with `agent:create` scope who can set up a cron job that refreshes the {tekton-hub} database after an interval, if there are any changes in the catalog.
-* A user with the `catalog:refresh` scope who can refresh the catalog and all resources in the database of the {tekton-hub}.
-* A user with the `config:refresh` scope who can get additional scopes. 
-+
-[source,yaml]
-----
-...
-scopes:
-- name: agent:create
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-- name: catalog:refresh
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-- name: config:refresh
-  users: <username_registered_with_the_Git_repository_hosting_service_provider>
-...
-----
-+
-The supported service providers are GitHub, GitLab, and BitBucket.
-
-. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. 
-* For a GitHub OAuth application, set the `Homepage URL` and the `Authorization callback URL` as `<auth-route>`.
-* For a GitLab OAuth application, set the `REDIRECT_URI` as `<auth-route>/auth/gitlab/callback`.
-* For a BitBucket OAuth application, set the `Callback URL` as `<auth-route>`.
-
-. Edit the following fields in the `<tekton_hub_repository>/config/02-api/20-api-secret.yaml` file for the {tekton-hub} API secret:
-* `GH_CLIENT_ID`: The Client ID from the OAuth application created with the Git repository hosting service provider.
-* `GH_CLIENT_SECRET`: The Client Secret from the OAuth application created with the Git repository hosting service provider.
-* `GHE_URL`: GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
-* `GL_CLIENT_ID`: The Client ID from the GitLab OAuth application.
-* `GL_CLIENT_SECRET`: The Client Secret from the GitLab OAuth application.
-*  `GLE_URL`: GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.
-* `BB_CLIENT_ID`: The Client ID from the BitBucket OAuth application.
-* `BB_CLIENT_SECRET`: The Client Secret from the BitBucket OAuth application.
-* `JWT_SIGNING_KEY`: A long, random string used to sign the JSON Web Token (JWT) created for users.
-* `ACCESS_JWT_EXPIRES_IN`: Add the time limit after which the access token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`).
-* `REFRESH_JWT_EXPIRES_IN`: Add the time limit after which the refresh token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
-* `AUTH_BASE_URL`: Route URL for the OAuth application.
-+
 [NOTE]
 ====
-* Use the fields related to Client ID and Client Secret for any one of the supported Git repository hosting service providers.
-* The account credentials registered with the Git repository hosting service provider enables the users with `catalog: refresh` scope to authenticate and load all catalog resources to the database. 
-==== 
-
-. Commit and push the changes to your forked repository.
-
-. Ensure that the `TektonHub` CR is similar to the following example:
-+
-[source,yaml]
-----
-apiVersion: operator.tekton.dev/v1alpha1
-kind: TektonHub
-metadata:
-  name: hub
-spec:
-  targetNamespace: openshift-pipelines <1>
-  api:
-    hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml <2> 
-----
-<1> The namespace in which Tekton Hub must be installed; default is `openshift-pipelines`.
-<2> Substitute with the URL of the `config.yaml` file of your forked repository.
-
-. Install the {tekton-hub}.
-+
-[source,terminal]
-----
-$ oc apply -f TektonHub.yaml <1>
-----
-<1> The file name or path of the `TektonConfig` CR.
-
-. Check the status of the installation.
-+
-[source,terminal]
-----
-$ oc get tektonhub.operator.tekton.dev
-NAME   VERSION   READY   REASON   APIURL                    UIURL
-hub    v1.7.2    True             https://api.route.url/    https://ui.route.url/
-----
+If you are using Github Enterprise or Gitlab Enterprise, install and deploy {tekton-hub} in the same network as the enterprise server. For example, if the enterprise server is running behind a VPN, deploy {tekton-hub} on a cluster that is also behind the VPN.
+====

modules/op-installing-tekton-hub-with-login-and-rating.adoc

@@ -0,0 +1,111 @@
+// This module is included in the following assembly:
+//
+// *cicd/pipelines/using-tekton-hub-with-openshift-pipelines.adoc
+
+:_content-type: PROCEDURE
+[id="installing-tekton-hub-with-login-and-rating.adoc_{context}"]
+= Installating {tekton-hub} with login and rating
+
+[role="_abstract"]
+You can install {tekton-hub} on your cluster with custom configuration that supports login with authorization and ratings for {tekton-hub} artifacts.
+
+[discrete]
+.Prerequisites
+* Ensure that the {pipelines-title} Operator is installed in the default `openshift-pipelines` namespace on the cluster.
+
+[discrete]
+.Procedure 
+
+. Create a fork of the link:https://github.com/tektoncd/hub[Tekton Hub] repository.
+
+. Clone the forked repository.
+
+. Create an OAuth application with your Git repository hosting provider, and note the Client ID and Client Secret. The supported providers are GitHub, GitLab, and BitBucket.
+
+** For a link:https://docs.github.com/en/developers/apps/creating-an-oauth-app[GitHub OAuth application], set the Homepage URL and the Authorization callback URL as `<auth-route>`.
+
+** For a link:https://docs.gitlab.com/ee/integration/oauth_provider.html#user-owned-applications[GitLab OAuth application], set the `REDIRECT_URI` as `<auth-route>/auth/gitlab/callback`.
+
+** For a link:https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud[BitBucket OAuth application], set the `Callback URL` as `<auth-route>`.
+
+. Edit the `<tekton_hub_repository>/config/02-api/20-api-secret.yaml` file of your cloned repository to include the {tekton-hub} API secrets:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tekton-hub-api
+  namespace: openshift-pipelines
+type: Opaque
+stringData:
+  GH_CLIENT_ID: <1>
+  GH_CLIENT_SECRET: <2>
+  GL_CLIENT_ID: <3>
+  GL_CLIENT_SECRET: <4>
+  BB_CLIENT_ID: <5>
+  BB_CLIENT_SECRET: <6>
+  JWT_SIGNING_KEY: <7>
+  ACCESS_JWT_EXPIRES_IN: <8>
+  REFRESH_JWT_EXPIRES_IN: <9>
+  AUTH_BASE_URL: <10>
+  GHE_URL: <11>
+  GLE_URL: <12>
+----
+<1> The Client ID from the GitHub OAuth application.
+<2> The Client Secret from the GitHub OAuth application.
+<3> The Client ID from the GitLab OAuth application.
+<4> The Client Secret from the GitLab OAuth application.
+<5> The Client ID from the BitBucket OAuth application.
+<6> The Client Secret from the BitBucket OAuth application.
+<7> A long, random string used to sign the JSON Web Token (JWT) created for users.
+<8> Add the time limit after which the access token expires. For example, `1m`, where m denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`).
+<9> Add the time limit after which the refresh token expires. For example, `1m`, where `m` denotes minutes. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). Ensure that the expiry time set for token refresh is greater than the expiry time set for token access.
+<10> Route URL for the OAuth application.
+<11> GitHub Enterprise URL, if you are authenticating using GitHub Enterprise. Do not provide the URL to the catalog as a value for this field.
+<12> GitLab Enterprise URL, if you are authenticating using GitLab Enterprise. Do not provide the URL to the catalog as a value for this field.
++
+[NOTE]
+====
+You can delete the unused fields for the Git repository hosting service providers that are irrelevant to your deployment.
+====
+
+. Create a `TektonHub` CR similar to the following example.
++
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonHub
+metadata:
+  name: hub
+spec:
+  targetNamespace: openshift-pipelines <1>
+  api:
+    hubConfigUrl: https://raw.githubusercontent.com/tektoncd/hub/main/config.yaml <2>
+    catalogRefreshInterval: 30m <3>
+----
+<1> The namespace in which {tekton-hub} must be installed; default is `openshift-pipelines`.
+<2> Substitute with the URL of the `config.yaml` file.
+<3> The time interval after which the catalog refreshes automatically. The supported units of time are seconds (`s`), minutes (`m`), hours (`h`), days (`d`), and weeks (`w`). The default interval is 30 minutes.
+
+. Apply the `TektonHub` CR.
++
+[source,terminal]
+----
+$ oc apply -f <TektonHub>.yaml <1>
+----
+<1> The file name or path of the `TektonHub` CR.
++
+[NOTE]
+====
+When you apply the `TektonHub` CR, {tekton-hub} is installed on the cluster in the `openshift-pipelines` namespace, with upstream Tekton Catalog content. 
+====
+
+. Check the status of the installation. The `TektonHub` CR might take some time to attain steady state.
++
+[source,terminal]
+----
+$ oc get tektonhub.operator.tekton.dev
+NAME   VERSION   READY   REASON   APIURL                    UIURL
+hub    v1.8.0    True             https://api.route.url/    https://ui.route.url/
+----