Skip to content
This repository has been archived by the owner on Apr 1, 2023. It is now read-only.

Latest commit



623 lines (519 loc) · 20.9 KB

File metadata and controls

623 lines (519 loc) · 20.9 KB


PipelinesResources in a pipeline are the set of objects that are going to be used as inputs to a Task and can be output by a Task.

A Task can have multiple inputs and outputs.

For example:

  • A Task's input could be a GitHub source which contains your application code.
  • A Task's output can be your application container image which can be then deployed in a cluster.
  • A Task's output can be a jar file to be uploaded to a storage bucket.


To define a configuration file for a PipelineResource, you can specify the following fields:

  • Required:
    • apiVersion - Specifies the API version, for example
    • kind - Specify the PipelineResource resource object.
    • metadata - Specifies data to uniquely identify the PipelineResource object, for example a name.
    • spec - Specifies the configuration information for your PipelineResource resource object.
    • type - Specifies the type of the PipelineResource
  • Optional:
    • params - Parameters which are specific to each type of PipelineResource

Resource Types

The following PipelineResources are currently supported:

Git Resource

Git resource represents a git repository, that contains the source code to be built by the pipeline. Adding the git resource as an input to a Task will clone this repository and allow the Task to perform the required actions on the contents of the repo.

To create a git resource using the PipelineResource CRD:

kind: PipelineResource
  name: wizzbang-git
  namespace: default
  type: git
    - name: url
    - name: revision
      value: master

Params that can be added are the following:

  1. url: represents the location of the git repository, you can use this to change the repo, e.g. to use a fork
  2. revision: Git revision (branch, tag, commit SHA or ref) to clone. You can use this to control what commit or branch is used. If no revision is specified, the resource will default to latest from master.

Using a fork

The Url parameter can be used to point at any git repository, for example to use a GitHub fork at master:

  type: git
    - name: url

Using a branch

The revision can be any git commit-ish (revision). You can use this to create a git PipelineResource that points at a branch, for example:

  type: git
    - name: url
    - name: revision
      value: some_awesome_feature

To point at a pull request, you can use the pull requests's branch:

  type: git
    - name: url
    - name: revision
      value: refs/pull/52525/head

Pull Request Resource

Pull Request resource represents a pull request event from a source control system.

Adding the Pull Request resource as an input to a Task will populate the workspace with a JSON payload containing generic pull request related metadata such as base/head commit, comments, and labels. The payloads will also contain links to raw service-specific payloads where appropriate.

Adding the Pull Request resource as an output of a Task will update the source control system with any changes made to the pull request resource during the pipeline.

Example payload:

  "Base": {
    "Branch": "master",
    "Repo": "",
    "SHA": "75909bc18922c65141b6308d36e11bf4fae01a7c"
  "Comments": [
      "Author": "googlebot",
      "ID": 494863557,
      "Raw": "/tmp/pr/github/comments/494863557.json",
      "Text": "So there's good news and bad news.\n\n:thumbsup: The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.\n\n:confused: The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.\n\n*Note to project maintainer: This is a terminal state, meaning the `cla/google` commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the `cla` label to `yes` (if enabled on your project), and then merge this pull request when appropriate.*\n\n\u2139\ufe0f **Googlers: [Go here]( for more info**.\n\n<!-- need_author_consent -->"
      "Author": "wlynch",
      "ID": 494863879,
      "Raw": "/tmp/pr/github/comments/494863879.json",
      "Text": "/assign @dlorenc "
      "Author": "tekton-robot",
      "ID": 494864767,
      "Raw": "/tmp/pr/github/comments/494864767.json",
      "Text": "[APPROVALNOTIFIER] This PR is **NOT APPROVED**\n\nThis pull-request has been approved by: *<a href=\"\" title=\"Author self-approved\">wlynch</a>*\nTo fully approve this pull request, please assign additional approvers.\nWe suggest the following additional approver: **dlorenc**\n\nIf they are not already assigned, you can assign the PR to them by writing `/assign @dlorenc` in a comment when ready.\n\nThe full list of commands accepted by this bot can be found [here](\n\nThe pull request process is described [here](\n\n<details open>\nNeeds approval from an approver in each of these files:\n\n- **[OWNERS](**\n\nApprovers can indicate their approval by writing `/approve` in a comment\nApprovers can cancel approval by writing `/approve cancel` in a comment\n</details>\n<!-- META={\"approvers\":[\"dlorenc\"]} -->"
  "Head": {
    "Branch": "pr",
    "Repo": "",
    "SHA": "cbe1d606ac2276feb8a17d285c4a6581a031beb3"
  "ID": 281259176,
  "Labels": [
      "Text": "cla: no"
      "Text": "size/XXL"
  "Raw": "/tmp/pr/github/pr.json",
  "Type": "github"
  "Statuses": [
            "Code": "success",
            "Description": "Job succeeded.",
            "ID": "pull-tekton-pipeline-go-coverage",
            "URL": ""
  "RawStatus": "/tmp/pr/github/status.json"

See types.go for the full payload spec.

To create a pull request resource using the PipelineResource CRD:

kind: PipelineResource
  name: wizzbang-pr
  namespace: default
  type: pullRequest
    - name: url
    - fieldName: githubToken
      secretName: github-secrets
      secretKey: token

Params that can be added are the following:

  1. url: represents the location of the pull request to fetch.


The following status codes are available to use for the Pull Request resource:


Note: Status codes are currently case sensitive.

For more information on how Tekton Pull Request status codes convert to SCM provider statuses, see pullrequest-init/


The Pull Request resource will look for GitHub OAuth authentication tokens in spec secrets with a field name called githubToken.

URLs should be of the form:

Image Resource

An Image resource represents an image that lives in a remote repository. It is usually used as a Task output for Tasks that build images. This allows the same Tasks to be used to generically push to any registry.

Params that can be added are the following:

  1. url: The complete path to the image, including the registry and the image tag
  2. digest: The image digest which uniquely identifies a particular build of an image with a particular tag. While this can be provided as a parameter, there is not yet a way to update this value after an image is built, but this is planned in #216.

For example:

kind: PipelineResource
  name: kritis-resources-image
  namespace: default
  type: image
    - name: url

Surfacing the image digest built in a task

To surface the image digest in the output of the taskRun the builder tool should produce this information in a OCI Image Spec index.json file. This file should be placed on a location as specified in the task definition under the resource outputImageDir. Annotations in index.json will be ignored, and if there are multiple versions of the image, the latest will be used.

For example this build-push task defines the outputImageDir for the builtImage resource in /workspace/buildImage

kind: Task
  name: build-push
      - name: workspace
        type: git
      - name: builtImage
        type: image
        outputImageDir: /workspace/builtImage
  steps: ...

If no value is specified for outputImageDir, it will default to /builder/home/image-outputs/{resource-name}.

Please check the builder tool used on how to pass this path to create the output file.

The taskRun will include the image digest in the resourcesResult field that is part of the taskRun.Status

for example:

    - digest: sha256:eed29cd0b6feeb1a92bc3c4f977fd203c63b376a638731c88cacefe3adb1c660
      name: skaffold-image-leeroy-web

If the index.json file is not produced, the image digest will not be included in the taskRun output.

Cluster Resource

Cluster Resource represents a Kubernetes cluster other than the current cluster Tekton Pipelines is running on. A common use case for this resource is to deploy your application/function on different clusters.

The resource will use the provided parameters to create a kubeconfig file that can be used by other steps in the pipeline Task to access the target cluster. The kubeconfig will be placed in /workspace/<your-cluster-name>/kubeconfig on your Task container

The Cluster resource has the following parameters:

  • name (required): The name to be given to the target cluster, will be used in the kubeconfig and also as part of the path to the kubeconfig file
  • url (required): Host url of the master node
  • username (required): the user with access to the cluster
  • password: to be used for clusters with basic auth
  • token: to be used for authentication, if present will be used ahead of the password
  • insecure: to indicate server should be accessed without verifying the TLS certificate.
  • cadata (required): holds PEM-encoded bytes (typically read from a root certificates bundle).

Note: Since only one authentication technique is allowed per user, either a token or a password should be provided, if both are provided, the password will be ignored.

The following example shows the syntax and structure of a Cluster Resource:

kind: PipelineResource
  name: test-cluster
  type: cluster
    - name: url
      value: # url to the cluster master node
    - name: cadata
      value: LS0tLS1CRUdJTiBDRVJ.....
    - name: token
      value: ZXlKaGJHY2lPaU....

For added security, you can add the sensitive information in a Kubernetes Secret and populate the kubeconfig from them.

For example, create a secret like the following example:

apiVersion: v1
kind: Secret
  name: target-cluster-secrets
  cadatakey: LS0tLS1CRUdJTiBDRVJUSUZ......tLQo=
  tokenkey: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbX....M2ZiCg==

and then apply secrets to the cluster resource

kind: PipelineResource
  name: test-cluster
  type: cluster
    - name: url
    - name: username
      value: admin
    - fieldName: token
      secretKey: tokenKey
      secretName: target-cluster-secrets
    - fieldName: cadata
      secretKey: cadataKey
      secretName: target-cluster-secrets

Example usage of the cluster resource in a Task:

kind: Task
  name: deploy-image
  namespace: default
      - name: workspace
        type: git
      - name: dockerimage
        type: image
      - name: testcluster
        type: cluster
    - name: deploy
      image: image-wtih-kubectl
      command: ["bash"]
        - "-c"
        - kubectl --kubeconfig
          /workspace/${inputs.resources.testCluster.Name}/kubeconfig --context
          ${inputs.resources.testCluster.Name} apply -f /workspace/service.yaml'

Storage Resource

Storage resource represents blob storage, that contains either an object or directory. Adding the storage resource as an input to a Task will download the blob and allow the Task to perform the required actions on the contents of the blob.

Only blob storage type Google Cloud Storage(gcs) is supported as of now via GCS storage resource and BuildGCS storage resource.

GCS Storage Resource

GCS Storage resource points to Google Cloud Storage blob.

To create a GCS type of storage resource using the PipelineResource CRD:

kind: PipelineResource
  name: wizzbang-storage
  namespace: default
  type: storage
    - name: type
      value: gcs
    - name: location
      value: gs://some-bucket
    - name: dir
      value: "y" # This can have any value to be considered "true"

Params that can be added are the following:

  1. location: represents the location of the blob storage.

  2. type: represents the type of blob storage. For GCS storage resource this value should be set to gcs.

  3. dir: represents whether the blob storage is a directory or not. By default storage artifact is considered not a directory.

    • If artifact is a directory then -r(recursive) flag is used to copy all files under source directory to GCS bucket. Eg: gsutil cp -r source_dir/* gs://some-bucket
    • If artifact is a single file like zip, tar files then copy will be only 1 level deep(no recursive). It will not trigger copy of sub directories in source directory. Eg: gsutil cp source.tar gs://some-bucket.tar.

Private buckets can also be configured as storage resources. To access GCS private buckets, service accounts are required with correct permissions. The secrets field on the storage resource is used for configuring this information. Below is an example on how to create a storage resource with service account.

  1. Refer to official documentation on how to create service accounts and configuring IAM permissions to access bucket.

  2. Create a Kubernetes secret from downloaded service account json key

    kubectl create secret generic bucket-sa --from-file=./service_account.json
  3. To access GCS private bucket environment variable GOOGLE_APPLICATION_CREDENTIALS should be set so apply above created secret to the GCS storage resource under fieldName key.

    kind: PipelineResource
      name: wizzbang-storage
      namespace: default
      type: storage
        - name: type
          value: gcs
        - name: location
          value: gs://some-private-bucket
        - name: dir
          value: "y"
          secretName: bucket-sa
          secretKey: service_account.json

BuildGCS Storage Resource

BuildGCS storage resource points to Google Cloud Storage blob like GCS Storage Resource either in the form of a .zip archive, or based on the contents of a source manifest file.

In addition to fetching an .zip archive, BuildGCS also unzips it.

A Source Manifest File is a JSON object listing other objects in Cloud Storage that should be fetched. The format of the manifest is a mapping of destination file path to the location in Cloud Storage where the file's contents can be found. BuildGCS resource can also do incremental uploads of sources via Source Manifest File.

To create a BuildGCS type of storage resource using the PipelineResource CRD:

kind: PipelineResource
  name: build-gcs-storage
  namespace: default
  type: storage
    - name: type
      value: build-gcs
    - name: location
      value: gs://build-crd-tests/
    - name: artifactType
      value: Archive

Params that can be added are the following:

  1. location: represents the location of the blob storage.

  2. type: represents the type of blob storage. For BuildGCS, this value should be set to build-gcs

  3. artifactType: represent the type of GCS resource. Right now, we support following types:

    • Archive:
      • Archive indicates that resource fetched is an archive file. Currently, Build GCS resource only supports .zip archive.
      • It unzips the archive and places all the files in the directory which is set at runtime.
      • If artifactType is set to Archive, location should point to a .zip file.
    • Manifest:
      • Manifest indicates that resource should be fetched using a source manifest file.
      • If artifactType is set to Manifest, location should point to a source manifest file.

Private buckets other than ones accessible by TaskRun Service Account can not be configured as storage resources for BuildGCS Storage Resource right now. This is because the container image does not support configuring secrets.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License.