Install Tekton

This topic tells you how to install Tekton Pipelines from the Tanzu Application Platform package repository.


Follow the steps in this topic if you do not want to use a profile to install Tekton Pipelines. For more information about profiles, see Components and installation profiles.


Before installing Tekton Pipelines, complete all prerequisites to install Tanzu Application Platform.

Install Tekton Pipelines

To install Tekton Pipelines:

  1. See the Tekton Pipelines package versions available to install by running:

    tanzu package available list -n tap-install

    For example:

    $ tanzu package available list -n tap-install
    \ Retrieving package versions for
      NAME                     VERSION  RELEASED-AT
                               0.30.0   2021-11-18 17:05:37Z
  2. Install Tekton Pipelines by running:

    tanzu package install tekton-pipelines -n tap-install -p -v VERSION

    Where VERSION is the desired version number. For example, 0.30.0.

    For example:

    $ tanzu package install tekton-pipelines -n tap-install -p -v 0.30.0
    - Installing package ''
    \ Getting package metadata for ''
    / Creating service account 'tekton-pipelines-tap-install-sa'
    / Creating cluster admin role 'tekton-pipelines-tap-install-cluster-role'
    / Creating cluster role binding 'tekton-pipelines-tap-install-cluster-rolebinding'
    / Creating package resource
    - Waiting for 'PackageInstall' reconciliation for 'tekton-pipelines'
    - 'PackageInstall' resource install status: Reconciling
     Added installed package 'tekton-pipelines'
  3. Verify that you installed the package by running:

    tanzu package installed get tekton-pipelines -n tap-install

    For example:

    $ tanzu package installed get tekton-pipelines -n tap-install
    \ Retrieving installation details for tekton...
    NAME:                    tekton-pipelines
    PACKAGE-VERSION:         0.30.0
    STATUS:                  Reconcile succeeded
    CONDITIONS:              [{ReconcileSucceeded True  }]

    Verify that STATUS is Reconcile succeeded.

Configure a namespace to use Tekton Pipelines

This section covers configuring a namespace to run Tekton Pipelines. If you rely on a SupplyChain to create Tekton PipelineRuns in your cluster, skip this step because namespace configuration is covered in Set up developer namespaces to use your installed packages. Otherwise, perform the steps in this section for each namespace where you create Tekton Pipelines.

Service accounts that run Tekton workloads need access to the image pull secrets for the Tanzu package. This includes the default service account in a namespace, which is created automatically but is not associated with any image pull secrets. Without these credentials, PipelineRuns fail with a timeout and the pods report that they cannot pull images.


If you are using a registry with a custom CA certificate, you must provide this certificate to Tekton directly by including the CA in the service account used by the supply chain.

The Tanzu Application Platform distribution of Tekton does not support the Tanzu Application Platform field shared.ca_cert_data. For more information about setting the CA in the service account, see Use Git authentication with Supply Chain Choreographer.

To configure a namespace to use Tekton Pipelines:

  1. Create an image pull secret in the current namespace and fill it from the tap-registry secret. For more information, see Relocate images to a registry.

  2. Create an empty secret, and annotate it as a target of the secretgen controller, by running:

    kubectl create secret generic pull-secret --from-literal=.dockerconfigjson={}
    kubectl annotate secret pull-secret""
  3. After you create a pull-secret secret in the same namespace as the service account, add the secret to the service account by running:

    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "pull-secret"}]}'
  4. Verify that a service account is correctly configured by running:

    kubectl describe serviceaccount default

    For example:

    $ kubectl describe sa default
    Name:                default
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  pull-secret
    Mountable secrets:   default-token-xh6p4
    Tokens:              default-token-xh6p4
    Events:              <none>

    The service account has access to the pull-secret image pull secret.
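The check in step 4 can be repeated across every namespace from saved `kubectl get serviceaccounts,secrets -A -o json` output. The following is an added example, not part of the product documentation: the function names, the `registry.example.com` host and the sample objects are constructed for illustration. It flags service accounts that do not reference `pull-secret`, reference it when it is absent from their own namespace, or reference a secret that still holds no registry credentials.

```python
import base64
import json

def audit_pull_secrets(kubectl_json, secret_name="pull-secret"):
    """Map (namespace, service account) to the reason it cannot pull images."""
    items = json.loads(kubectl_json)["items"]
    secrets = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
               for i in items if i["kind"] == "Secret"}
    findings = {}
    for sa in (i for i in items if i["kind"] == "ServiceAccount"):
        key = (sa["metadata"]["namespace"], sa["metadata"]["name"])
        refs = [r["name"] for r in sa.get("imagePullSecrets") or []]
        secret = secrets.get((key[0], secret_name))
        if secret_name not in refs:
            findings[key] = "service account does not reference the secret"
        elif secret is None:
            findings[key] = "secret is not in the service account's namespace"
        elif not registry_auths(secret):
            findings[key] = "secret holds no registry credentials"
    return findings

def registry_auths(secret):
    """Decode .dockerconfigjson and return its 'auths' map ({} if unusable)."""
    raw = (secret.get("data") or {}).get(".dockerconfigjson", "")
    try:
        return json.loads(base64.b64decode(raw) or b"{}").get("auths") or {}
    except (ValueError, AttributeError):  # bad base64, bad JSON, or not an object
        return {}

def _obj(kind, ns, name, **extra):  # builds one constructed sample object
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, **extra}

def _cfg(doc):  # base64-encodes a docker config the way the API returns it
    blob = base64.b64encode(json.dumps(doc).encode()).decode()
    return {"data": {".dockerconfigjson": blob}}

# Constructed sample shaped like `kubectl get serviceaccounts,secrets -A -o json`.
REF = {"imagePullSecrets": [{"name": "pull-secret"}]}
SAMPLE = json.dumps({"kind": "List", "items": [
    _obj("ServiceAccount", "dev", "default", **REF),
    _obj("Secret", "dev", "pull-secret",
         **_cfg({"auths": {"registry.example.com": {"auth": "Y29uc3RydWN0ZWQ="}}})),
    _obj("ServiceAccount", "dev", "builder"),
    _obj("ServiceAccount", "staging", "default", **REF),
    _obj("Secret", "staging", "pull-secret", **_cfg({})),
    _obj("ServiceAccount", "qa", "default", **REF),
]})

if __name__ == "__main__":
    for (ns, sa), reason in sorted(audit_pull_secrets(SAMPLE).items()):
        print(f"{ns}/{sa}: {reason}")
```

A secret that still decodes to `{}` means the placeholder created in step 2 was never filled in, so image pulls from that namespace fail even though `kubectl describe serviceaccount` lists the secret.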

For more details about Tekton Pipelines, see the Tekton documentation and the GitHub repository.

For information about getting started with Tekton, see the Tekton tutorial in GitHub and the getting started guide in the Tekton documentation.


Windows workloads are deactivated and cause an error if any Tasks try to use Windows scripts.
