Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

NOTE

This guide is specifically for migrating from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines. For upgrading between Alauda DevOps Pipelines versions, please refer to the Pipelines upgrade documentation.

This guide provides detailed steps for smoothly migrating from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines. The upgrade process is designed as a seamless migration to ensure your existing CI/CD pipelines remain unaffected.

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

Before starting the upgrade, you need to uninstall the existing Tekton components. Follow these steps:

Important Note: The uninstallation process will not affect your existing Task, TaskRun, Pipeline, and PipelineRun resources. These resources will remain unchanged after the upgrade is complete.

Delete Pipeline Instance

$ kubectl delete tektonpipelines.operator.tekton.dev pipeline

Verify Pipeline Instance Deletion
```
$ kubectl get tektonpipelines.operator.tekton.dev pipeline
```
Ensure the command returns no resources, indicating successful deletion.

Uninstall Tekton Operator

$ kubectl delete subscriptions.operators.coreos.com tekton-operator -n tekton-operator

Verify Operator Uninstallation
```
$ kubectl get subscriptions.operators.coreos.com -A | grep tekton
```
Ensure the command returns no results, indicating successful uninstallation.

2. Deploy `Alauda DevOps Pipelines`

Navigate to your cluster's Administrator -> Application Market Management -> OperatorHub page
Search for and select Alauda DevOps Pipelines
Choose the appropriate Channel

WARNING

Critical: Channel Selection

When deploying Alauda DevOps Pipelines, you MUST select the pipelines-4.0 channel. DO NOT select the latest channel.

Channel: Must be pipelines-4.0 (required for Katanomi pipeline compatibility)
Version: You may select any version within the pipelines-4.0 channel

Selecting the latest channel may cause automatic upgrades to v4.x or higher versions in the future, which could lead to irreversible compatibility issues with Katanomi pipelines.

Follow the on-screen instructions to complete the deployment
Wait for Alauda DevOps Pipelines Operator to be Ready

After the Alauda DevOps Pipelines Operator deployment is complete, it will automatically deploy related components such as Pipelines. You can check the component status using the following commands:
```
$ kubectl get tektonconfigs.operator.tekton.dev config

$ kubectl get tektonpipelines.operator.tekton.dev pipeline
```
Wait until both resources show a Ready status before proceeding to the next step.

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

If your environment contains a large number of existing TaskRun and PipelineRun resources, the Tekton Operator may encounter Out of Memory (OOM) errors during the one-time data migration process. Since the operator doesn't normally require such extensive resources, the default resource limits may be insufficient.

NOTE

When to Apply This Configuration

This step is only necessary if you have a large volume of existing Tekton resources. For most installations, you can skip this step and proceed to step 4.

Adjusting Operator Resources

You can temporarily increase the operator's resource limits using either of these methods:

Method 1: Using the Platform UI

Navigate to the Alauda DevOps Pipelines operator page
Go to the Subscription tab
Click the Edit Subscription button
Add the resource configuration as shown below

Method 2: Using kubectl CLI

kubectl edit subscriptions.operators.coreos.com -n tekton-operator tektoncd-operator

Add the following config section under spec:

NOTE

The resources values can be adjusted based on your environment's needs. The example below provides a balanced configuration suitable for most scenarios.

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: tektoncd-operator
  namespace: tekton-operator
spec:
  channel: pipelines-4.0
  installPlanApproval: Manual
  name: tektoncd-operator
  source: platform
  sourceNamespace: cpaas-system
  config:
    resources:
      requests:
        cpu: "200m"
        memory: "256Mi"
      limits:
        cpu: "2"
        memory: "2Gi"

This configuration adjusts the tekton-operator Pod's resource quotas.

NOTE

The operator will automatically begin migrating existing Tekton resources after deployment. You can monitor the migration progress through operator logs or check the TektonConfig status as described in step 5 below. Once migration is complete, you can remove the config section to restore default settings.

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

4. Configure TektonConfig

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

After the Alauda DevOps Pipelines Operator deployment is complete, you need to configure the TektonConfig resource to ensure compatibility with your existing system:

Best Practice: It is recommended to only modify the spec.pipeline section configuration to maintain system stability.

apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
  pipeline:
    await-sidecar-readiness: true
    disable-creds-init: false
    enable-bundles-resolver: true
    enable-cluster-resolver: true
    enable-custom-tasks: true
    enable-git-resolver: true
    enable-hub-resolver: true
    enable-provenance-in-status: true
    enable-step-actions: true
    enforce-nonfalsifiability: none
    keep-pod-on-cancel: false
    metrics.count.enable-reason: false
    metrics.pipelinerun.duration-type: histogram
    metrics.pipelinerun.level: pipeline
    metrics.taskrun.duration-type: histogram
    metrics.taskrun.level: task

    performance:
      disable-ha: false
    require-git-ssh-secret-known-hosts: false
    running-in-environment-with-injected-sidecars: true
    send-cloudevents-for-runs: false
    set-security-context: false
    trusted-resources-verification-no-match-policy: ignore

    # Tekton Operator compatibility configuration
    coschedule: workspaces
    disable-affinity-assistant: true
    enable-api-fields: alpha
    enable-cel-in-whenexpression: true
    enable-param-enum: true
    max-result-size: 8192
    results-from: sidecar-logs

    options:
      disabled: false
      configMaps:
        # Modify default configuration: init container quotas, runAsUser, image pull timeout
        config-defaults:
          data:
            # Container configuration
            default-imagepullbackoff-timeout: 5m
            default-pod-template: |
              securityContext:
                runAsUser: 0

  addon: {}
  chain:
    artifacts.oci.format: simplesigning
    artifacts.oci.storage: oci
    artifacts.pipelinerun.format: in-toto
    artifacts.pipelinerun.storage: oci
    artifacts.taskrun.format: in-toto
    artifacts.taskrun.storage: oci
    disabled: false
    options: {}
  config: {}
  dashboard:
    options: {}
    readonly: false
  hub:
    options: {}

  platforms:
    openshift: {}
  profile: all
  pruner:
    disabled: false
    keep: 100
    resources:
    - pipelinerun
    schedule: 0 8 * * *
  targetNamespace: tekton-pipelines
  trigger:
    enable-api-fields: stable
    options: {}

WARNING

Important: Ensuring Both Legacy and New Pipelines Work

The configuration above sets runAsUser: 0 in the global default-pod-template to ensure backward compatibility with your existing Pipelines and container images.

However, this configuration will cause new Pipelines using Tasks from the Tekton catalog to fail, because these catalog Tasks require runAsUser: 65532 and fsGroup: 65532 for security and proper file permissions.

Solution: To ensure both legacy Pipelines and new Pipelines (using official Tasks) work correctly, you need to override the Pod template configuration at the PipelineRun level for Pipelines using official Tasks.

For detailed guidance on how to configure Pod templates for different scenarios, including:

How to override Pod template for specific PipelineRuns
Using TaskRunSpecs for fine-grained control when mixing official and custom Tasks
Security best practices and configuration examples (see Example 5: Using Official Tasks with Legacy Global Configuration)

Please refer to the .

5. (Optional) Monitor and Verify Migration Progress

After the Alauda DevOps Pipelines operator is deployed (step 2), it automatically begins migrating existing Tekton resources. You can monitor the migration progress and verify completion at any time during or after the configuration process.

Method 1: Monitor Through Operator Logs

You can watch the migration progress in real-time by checking the tekton-operator-webhook logs:

kubectl logs -f -n tekton-operator tekton-operator-webhook-<suffix>

During the migration, you will see log entries like:

migrating %d group resources - Indicates the total number of resource types to be migrated
migrating group resource - Shows when migration of a specific resource type begins
migration completed - Confirms that migration of a specific resource type has finished

Method 2: Check TektonConfig Status

To verify that the migration is complete, check the TektonConfig resource status:

kubectl get tektonconfigs.operator.tekton.dev config -o yaml

Look for the version annotations in the output:

apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
status:
  annotations:
    operator.tekton.dev/post-upgrade-version: v0.74.1-a07f82b
    operator.tekton.dev/pre-upgrade-version: v0.74.1-a07f82b
  version: v0.74.1-a07f82b

Migration is complete when pre-upgrade-version and post-upgrade-version match the current version.

NOTE

Reminder

If you adjusted the operator resources in step 3, you can now remove the config section from the Subscription to restore default resource settings.

6. Configure Log Access Permissions

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

Since the results-from: sidecar-logs feature is enabled, you need to configure log access permissions for the controller:

Technical Note: This configuration allows the controller to retrieve results information from pod logs. For detailed information, please refer to the Tekton official documentation.

kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-pod-log-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-pod-log-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-controller
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipelines-controller-pod-log-access
  apiGroup: rbac.authorization.k8s.io
EOF

Migration Complete

After completing the above steps, you have successfully migrated from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines. The new version provides:

Enhanced system stability
Richer feature set
Better performance
More flexible configuration options

We recommend reviewing the Alauda DevOps Pipelines documentation to understand all the features the new version offers and take full advantage of its capabilities.

Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

NOTE

This guide is specifically for migrating from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines. For upgrading between Alauda DevOps Pipelines versions, please refer to the Pipelines upgrade documentation.

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

Before starting the upgrade, you need to uninstall the existing Tekton components. Follow these steps:

Important Note: The uninstallation process will not affect your existing Task, TaskRun, Pipeline, and PipelineRun resources. These resources will remain unchanged after the upgrade is complete.

Delete Pipeline Instance

$ kubectl delete tektonpipelines.operator.tekton.dev pipeline

Verify Pipeline Instance Deletion
```
$ kubectl get tektonpipelines.operator.tekton.dev pipeline
```
Ensure the command returns no resources, indicating successful deletion.

Uninstall Tekton Operator

$ kubectl delete subscriptions.operators.coreos.com tekton-operator -n tekton-operator

Verify Operator Uninstallation
```
$ kubectl get subscriptions.operators.coreos.com -A | grep tekton
```
Ensure the command returns no results, indicating successful uninstallation.

2. Deploy `Alauda DevOps Pipelines`

Navigate to your cluster's Administrator -> Application Market Management -> OperatorHub page
Search for and select Alauda DevOps Pipelines
Choose the appropriate Channel

WARNING

Critical: Channel Selection

When deploying Alauda DevOps Pipelines, you MUST select the pipelines-4.0 channel. DO NOT select the latest channel.

Channel: Must be pipelines-4.0 (required for Katanomi pipeline compatibility)
Version: You may select any version within the pipelines-4.0 channel

Selecting the latest channel may cause automatic upgrades to v4.x or higher versions in the future, which could lead to irreversible compatibility issues with Katanomi pipelines.

Follow the on-screen instructions to complete the deployment
Wait for Alauda DevOps Pipelines Operator to be Ready

After the Alauda DevOps Pipelines Operator deployment is complete, it will automatically deploy related components such as Pipelines. You can check the component status using the following commands:
```
$ kubectl get tektonconfigs.operator.tekton.dev config

$ kubectl get tektonpipelines.operator.tekton.dev pipeline
```
Wait until both resources show a Ready status before proceeding to the next step.

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

NOTE

When to Apply This Configuration

This step is only necessary if you have a large volume of existing Tekton resources. For most installations, you can skip this step and proceed to step 4.

Adjusting Operator Resources

You can temporarily increase the operator's resource limits using either of these methods:

Method 1: Using the Platform UI

Navigate to the Alauda DevOps Pipelines operator page
Go to the Subscription tab
Click the Edit Subscription button
Add the resource configuration as shown below

Method 2: Using kubectl CLI

kubectl edit subscriptions.operators.coreos.com -n tekton-operator tektoncd-operator

Add the following config section under spec:

NOTE

The resources values can be adjusted based on your environment's needs. The example below provides a balanced configuration suitable for most scenarios.

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: tektoncd-operator
  namespace: tekton-operator
spec:
  channel: pipelines-4.0
  installPlanApproval: Manual
  name: tektoncd-operator
  source: platform
  sourceNamespace: cpaas-system
  config:
    resources:
      requests:
        cpu: "200m"
        memory: "256Mi"
      limits:
        cpu: "2"
        memory: "2Gi"

This configuration adjusts the tekton-operator Pod's resource quotas.

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

4. Configure TektonConfig

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

After the Alauda DevOps Pipelines Operator deployment is complete, you need to configure the TektonConfig resource to ensure compatibility with your existing system:

Best Practice: It is recommended to only modify the spec.pipeline section configuration to maintain system stability.

apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
  pipeline:
    await-sidecar-readiness: true
    disable-creds-init: false
    enable-bundles-resolver: true
    enable-cluster-resolver: true
    enable-custom-tasks: true
    enable-git-resolver: true
    enable-hub-resolver: true
    enable-provenance-in-status: true
    enable-step-actions: true
    enforce-nonfalsifiability: none
    keep-pod-on-cancel: false
    metrics.count.enable-reason: false
    metrics.pipelinerun.duration-type: histogram
    metrics.pipelinerun.level: pipeline
    metrics.taskrun.duration-type: histogram
    metrics.taskrun.level: task

    performance:
      disable-ha: false
    require-git-ssh-secret-known-hosts: false
    running-in-environment-with-injected-sidecars: true
    send-cloudevents-for-runs: false
    set-security-context: false
    trusted-resources-verification-no-match-policy: ignore

    # Tekton Operator compatibility configuration
    coschedule: workspaces
    disable-affinity-assistant: true
    enable-api-fields: alpha
    enable-cel-in-whenexpression: true
    enable-param-enum: true
    max-result-size: 8192
    results-from: sidecar-logs

    options:
      disabled: false
      configMaps:
        # Modify default configuration: init container quotas, runAsUser, image pull timeout
        config-defaults:
          data:
            # Container configuration
            default-imagepullbackoff-timeout: 5m
            default-pod-template: |
              securityContext:
                runAsUser: 0

  addon: {}
  chain:
    artifacts.oci.format: simplesigning
    artifacts.oci.storage: oci
    artifacts.pipelinerun.format: in-toto
    artifacts.pipelinerun.storage: oci
    artifacts.taskrun.format: in-toto
    artifacts.taskrun.storage: oci
    disabled: false
    options: {}
  config: {}
  dashboard:
    options: {}
    readonly: false
  hub:
    options: {}

  platforms:
    openshift: {}
  profile: all
  pruner:
    disabled: false
    keep: 100
    resources:
    - pipelinerun
    schedule: 0 8 * * *
  targetNamespace: tekton-pipelines
  trigger:
    enable-api-fields: stable
    options: {}

WARNING

Important: Ensuring Both Legacy and New Pipelines Work

The configuration above sets runAsUser: 0 in the global default-pod-template to ensure backward compatibility with your existing Pipelines and container images.

For detailed guidance on how to configure Pod templates for different scenarios, including:

How to override Pod template for specific PipelineRuns
Using TaskRunSpecs for fine-grained control when mixing official and custom Tasks
Security best practices and configuration examples (see Example 5: Using Official Tasks with Legacy Global Configuration)

Please refer to the .

5. (Optional) Monitor and Verify Migration Progress

Method 1: Monitor Through Operator Logs

You can watch the migration progress in real-time by checking the tekton-operator-webhook logs:

kubectl logs -f -n tekton-operator tekton-operator-webhook-<suffix>

During the migration, you will see log entries like:

migrating %d group resources - Indicates the total number of resource types to be migrated
migrating group resource - Shows when migration of a specific resource type begins
migration completed - Confirms that migration of a specific resource type has finished

Method 2: Check TektonConfig Status

To verify that the migration is complete, check the TektonConfig resource status:

kubectl get tektonconfigs.operator.tekton.dev config -o yaml

Look for the version annotations in the output:

apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
status:
  annotations:
    operator.tekton.dev/post-upgrade-version: v0.74.1-a07f82b
    operator.tekton.dev/pre-upgrade-version: v0.74.1-a07f82b
  version: v0.74.1-a07f82b

Migration is complete when pre-upgrade-version and post-upgrade-version match the current version.

NOTE

Reminder

If you adjusted the operator resources in step 3, you can now remove the config section from the Subscription to restore default resource settings.

6. Configure Log Access Permissions

NOTE

If you previously used Tekton only in Alauda Container Platform Builds, you can skip the following steps and use the default configuration of Alauda DevOps Pipelines directly.

Since the results-from: sidecar-logs feature is enabled, you need to configure log access permissions for the controller:

Technical Note: This configuration allows the controller to retrieve results information from pod logs. For detailed information, please refer to the Tekton official documentation.

kubectl apply -f - <<EOF
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-pod-log-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
rules:
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tekton-pipelines-controller-pod-log-access
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: default
    app.kubernetes.io/part-of: tekton-pipelines
subjects:
  - kind: ServiceAccount
    name: tekton-pipelines-controller
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipelines-controller-pod-log-access
  apiGroup: rbac.authorization.k8s.io
EOF

Migration Complete

After completing the above steps, you have successfully migrated from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines. The new version provides:

Enhanced system stability
Richer feature set
Better performance
More flexible configuration options

We recommend reviewing the Alauda DevOps Pipelines documentation to understand all the features the new version offers and take full advantage of its capabilities.

Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

TOC

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

2. Deploy `Alauda DevOps Pipelines`

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

Adjusting Operator Resources

4. Configure TektonConfig

5. (Optional) Monitor and Verify Migration Progress

Method 1: Monitor Through Operator Logs

Method 2: Check TektonConfig Status

6. Configure Log Access Permissions

Migration Complete

Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

TOC

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

2. Deploy `Alauda DevOps Pipelines`

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

Adjusting Operator Resources

4. Configure TektonConfig

5. (Optional) Monitor and Verify Migration Progress

Method 1: Monitor Through Operator Logs

Method 2: Check TektonConfig Status

6. Configure Log Access Permissions

Migration Complete

#Migrating from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines

#TOC

#Migration Steps

#1. Uninstall Existing Tekton Pipeline Instance and Alauda DevOps Tekton v3

#2. Deploy Alauda DevOps Pipelines

#3. (Optional) Adjust Operator Resources for Large-Scale Migrations

#Adjusting Operator Resources

#4. Configure TektonConfig

#5. (Optional) Monitor and Verify Migration Progress

#Method 1: Monitor Through Operator Logs

#Method 2: Check TektonConfig Status

#6. Configure Log Access Permissions

#Migration Complete

#Migrating from Alauda DevOps Tekton v3 to Alauda DevOps Pipelines

#TOC

#Migration Steps

#1. Uninstall Existing Tekton Pipeline Instance and Alauda DevOps Tekton v3

#2. Deploy Alauda DevOps Pipelines

#3. (Optional) Adjust Operator Resources for Large-Scale Migrations

#Adjusting Operator Resources

#4. Configure TektonConfig

#5. (Optional) Monitor and Verify Migration Progress

#Method 1: Monitor Through Operator Logs

#Method 2: Check TektonConfig Status

#6. Configure Log Access Permissions

#Migration Complete

Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

TOC

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

2. Deploy `Alauda DevOps Pipelines`

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

Adjusting Operator Resources

4. Configure TektonConfig

5. (Optional) Monitor and Verify Migration Progress

Method 1: Monitor Through Operator Logs

Method 2: Check TektonConfig Status

6. Configure Log Access Permissions

Migration Complete

Migrating from `Alauda DevOps Tekton v3` to `Alauda DevOps Pipelines`

TOC

Migration Steps

1. Uninstall Existing Tekton Pipeline Instance and `Alauda DevOps Tekton v3`

2. Deploy `Alauda DevOps Pipelines`

3. (Optional) Adjust Operator Resources for Large-Scale Migrations

Adjusting Operator Resources

4. Configure TektonConfig

5. (Optional) Monitor and Verify Migration Progress

Method 1: Monitor Through Operator Logs

Method 2: Check TektonConfig Status

6. Configure Log Access Permissions

Migration Complete