Manage PAC Component
This guide is for cluster administrators only. It covers PAC component deployment, configuration, and maintenance tasks that require cluster administrator permissions.
Regular users should refer to:
- Guides - Set up Git provider integration
This guide explains how to deploy, update, and uninstall the Pipelines-as-Code (PAC) component on Kubernetes platforms.
TOC
PrerequisitesDeploy PAC ComponentStep 1: Create theOpenShiftPipelinesAsCode CRStep 2: Apply the ConfigurationStep 3: Verify DeploymentConfigure AccessUsing Gateway APIUsing IngressUsing NodePortConfiguration SettingsUpdate PAC ComponentUpdate ConfigurationCommon Configuration UpdatesConfigure Custom Console LinksChange Application NameEnable Error DetectionUpdate Hub URLDisable Remote TasksUninstall PAC ComponentDelete the OpenShiftPipelinesAsCode CRClean up resources the operator does not ownTroubleshootingPAC Pods Not StartingOpenShiftPipelinesAsCode CR Not ReadyTektonInstallerSet IssuesCR Not DeletingResources Not RemovedNext StepsPrerequisites
Before managing PAC, ensure you have:
- Kubernetes cluster (version 1.24 or higher)
- Tekton Operator installed and running
- Cluster administrator permissions
- kubectl installed and configured to access your cluster
Deploy PAC Component
PAC is deployed by creating the OpenShiftPipelinesAsCode CR. The operator picks it up and provisions all required resources.
Examples in this document use the default PAC namespace tekton-pipelines. If you set a different targetNamespace, replace tekton-pipelines in the commands and manifests.
Step 1: Create the OpenShiftPipelinesAsCode CR
Create a YAML file named pac.yaml:
- The resource name must be
pipelines-as-code, otherwise the operator will not deploy the PAC component. - The
targetNamespacefield specifies where PAC components will be deployed. The default istekton-pipelines, but you can use any namespace name.
Create the namespace if it doesn't exist:
Step 2: Apply the Configuration
Apply the CR to your cluster:
Example output:
Step 3: Verify Deployment
Check the OpenShiftPipelinesAsCode CR status:
The output should show the CR with Ready status:
Check the TektonInstallerSet status:
Example output:
TektonInstallerSet is an internal resource the Tekton Operator uses to roll out PAC and its sub-resources (Deployments, Services, ConfigMaps, RBAC). It is created and deleted by the operator when you create or delete the OpenShiftPipelinesAsCode CR. Do not modify or delete it by hand; it is referenced here only as a status checkpoint.
Verify the PAC pods are running:
Example output:
Three pods (controller, watcher, webhook) must be Running.
Configure Access
The PAC controller must be reachable from the Git providers that will send webhook events to it. Expose it through one of the methods below before configuring any repository.
Using Gateway API
Use this method to expose the PAC controller with a domain name through ACP Gateway API.
This example uses:
- Default PAC namespace:
tekton-pipelines - GatewayClass:
envoy-gateway-operator-cpaas-default - Domain:
pac.example.com
Step 1: Prepare Envoy Gateway. Install Alauda build of Envoy Gateway and ensure the default GatewayClass is accepted. Reference: Envoy Gateway Operator.
Step 2: Prepare LoadBalancer addresses. The Envoy Gateway Service will be created as type: LoadBalancer, so LoadBalancer Services must be able to get an external IP. On ACP bare-metal clusters, install and configure Alauda Container Platform Load Balancer for MetalLB. Reference: Configure MetalLB.
Expected result:
Step 3: Create Gateway API resources. Create gateway-api.yaml. Replace tekton-pipelines, envoy-gateway-operator-cpaas-default, and pac.example.com as needed. References: Configure GatewayAPI Gateway and Configure GatewayAPI Route.
Apply the file:
Expected result:
Step 4: Get the external address. Check the generated Envoy Service:
Expected result:
Step 5: Verify and get the webhook URL. Make sure the Git provider can resolve and access the PAC domain. A common way is to create a DNS A record. For example, if the Service EXTERNAL-IP is 192.168.1.100, create:
If DNS is not ready yet, or you only want to test the route from your current machine, use curl --resolve:
Expected result:
- The Service has an
EXTERNAL-IP. - The Gateway shows
PROGRAMMED=True. - The
HTTPRouteis accepted. curlreturns the PAC controller response.
After the domain is reachable from the Git provider network, print the URL:
WEBHOOK_URL is the PAC webhook URL. Register this value in the Git provider or enter it when tkn pac create repo prompts for a webhook URL.
If you expose PAC through ACP ALB or another Ingress Controller instead, use Using Ingress.
Notes:
HTTPRouteforwards to the existingpipelines-as-code-controllerService on port8080; do not point it at the admission webhook Service namedpipelines-as-code-webhook.- If the generated Envoy Service remains
EXTERNAL-IP=<pending>, check the cluster LoadBalancer provider. For MetalLB, see Configure MetalLB. - For Gateway API options such as a reserved VIP, hostless routes, or HTTPS listeners, see Configure GatewayAPI Gateway and Configure GatewayAPI Route.
Using Ingress
Use this method when the cluster already has an Ingress Controller and you want to expose the PAC controller with an Ingress domain.
This example uses:
- Default PAC namespace:
tekton-pipelines - Domain:
pac.example.com
Step 1: Prepare an Ingress Controller. Ensure an Ingress Controller is installed and ready. Reference: Configure Ingress.
Step 2: Create the Ingress resource. Create ingress.yaml. Replace tekton-pipelines and pac.example.com as needed.
Apply the file:
Expected result:
Step 3: Verify the Ingress address. Check that the Ingress has an address:
Expected result:
Step 4: Get the webhook URL. Make sure the Git provider can resolve and access pac.example.com through the Ingress address. Then print the URL:
WEBHOOK_URL is the PAC webhook URL. Register this value in the Git provider or enter it when tkn pac create repo prompts for a webhook URL.
If you do not have a DNS name, remove the host field and use the reachable Ingress IP URL instead.
Optional: Enable HTTPS. Create a TLS Secret in tekton-pipelines and add a tls section to the same Ingress. The certificate must match pac.example.com.
When TLS is configured, use the HTTPS webhook URL:
Using NodePort
Create a NodePort Service:
Important:
- The
targetPortmust be8082, which is the port the PAC controller pod listens on for webhook events - The
port(8080) is the Service port (used for internal cluster communication) - The
nodePort(30080) is the external port accessible from outside the cluster - For Ingress, the Service port is 8080, which routes to the controller's port 8082 internally
Print the URL from a reachable node IP and the generated NodePort:
WEBHOOK_URL is the PAC webhook URL. Register this value in the Git provider or enter it when tkn pac create repo prompts for a webhook URL.
Configuration Settings
You can customize PAC behavior through the settings field in the OpenShiftPipelinesAsCode CR:
hub-url addresses the Tekton Hub the PAC controller queries when resolving remote tasks. The default in-cluster URL is http://tekton-hub-api.tekton-pipelines:8000/v1; for a Hub in another namespace, use the same service DNS format with that namespace.
custom-console-* settings rewrite the cluster-side links PAC posts back to the Git provider so they point at the platform console rather than at the OpenShift Console. The walkthrough is in Configure Custom Console Links.
Update PAC Component
Update Configuration
-
Edit the
OpenShiftPipelinesAsCodeCR: -
Update the
settingsfield as needed: -
Save and exit. The operator will automatically update the TektonInstallerSet and apply the changes.
Common Configuration Updates
The examples in this section update the spec.settings field of the OpenShiftPipelinesAsCode CR named pipelines-as-code.
Configure Custom Console Links
The custom-console-* settings rewrite the cluster-side links PAC posts back to the Git provider so they point at the platform console. Replace console.example.com and my-cluster with your console host and cluster name:
Effect: Git provider status links open the platform console PipelineRun and task pages instead of the default OpenShift-style placeholder URLs.
PAC expands these variables when it posts status links:
For a PipelineRun named my-app-build-abc123 in namespace my-app, PAC generates links like:
These URLs appear in commit statuses, GitHub Checks panels and merge request comments.
Change Application Name
Use this setting to change the display name that PAC uses in Git provider status messages:
Effect: Git provider checks, statuses, and comments show the new application name. This does not change the OpenShiftPipelinesAsCode resource name.
Enable Error Detection
Effect: PAC scans failed task logs and adds a short error snippet to the Git provider feedback.
Update Hub URL
If your Tekton Hub is deployed in a different namespace or you want to use an external Hub:
Effect: PAC resolves remote tasks from the specified Tekton Hub API instead of the default in-cluster Hub.
To find your Tekton Hub service:
Example output:
Disable Remote Tasks
Use remote-tasks to control whether PAC fetches and embeds remote resources referenced by PAC annotations.
remote-tasks: "true" is the default. PAC can fetch remote resources referenced by pipelinesascode.tekton.dev/task and pipelinesascode.tekton.dev/pipeline annotations, then embed the resolved Task or Pipeline into the generated PipelineRun.
remote-tasks: "false" disables PAC annotation-based remote resource resolution. Pipeline code must define the required Pipeline and Tasks in the repository, inline them, or rely on cluster resources.
This setting does not disable Tekton Pipelines remote resolver syntax such as taskRef.resolver or pipelineRef.resolver; those are handled by the Tekton Pipelines controller.
Effect: Use "false" when you want to prevent PAC from fetching remote Tasks or Pipelines from annotation references.
Uninstall PAC Component
Delete the OpenShiftPipelinesAsCode CR
Removing the CR makes the operator tear down the TektonInstallerSet and every PAC Deployment, Service, ConfigMap and RBAC object the operator created.
Confirm the CR, the installer set and the pods are gone:
Each of these should return No resources found.
Clean up resources the operator does not own
The operator removes everything it created. Resources you added yourself stay behind and must be removed manually.
Repository CRs in user namespaces:
Per-repository Secrets in user namespaces. These are the Git provider access tokens (provider.token) and webhook secrets (webhook.secret) created by users when configuring repositories. The PAC-owned cluster secrets (carrying the app.kubernetes.io/part-of=pipelines-as-code label) are removed by the operator; these per-repository ones are not. Verify each Secret is not used by any other resource before deleting:
Gateway API resources for the PAC controller, if you created them in Configure Access:
Ingress / NodePort Service for the PAC controller, if you created them in Configure Access:
Troubleshooting
PAC Pods Not Starting
Check pod logs:
Example output (example log entries):
OpenShiftPipelinesAsCode CR Not Ready
Check the CR status and events:
Example output (abbreviated):
TektonInstallerSet Issues
When the TektonInstallerSet is not Ready, read its conditions and the operator's view of the underlying OpenShiftPipelinesAsCode CR. Both are read-only checks; never delete the installer set yourself.
If errors persist, recreate the OpenShiftPipelinesAsCode CR — the operator rebuilds the installer set from scratch.
CR Not Deleting
A deletion that hangs is usually held by the operator finalizer. List the finalizers:
A tekton.dev/operator finalizer means the operator is still cleaning up; wait and retry. An empty output means the CR is free to delete.
Resources Not Removed
When pods or Services linger after deletion: