Tekton approvals based on Automatiko

Bringing approvals to continous delivery pipelines

Posted by Automatiko team on February 12, 2022 · 6 mins read

Approvals - "the missing" part of Tekton

"Tekton is a powerful and flexible open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems."

Tekton is a fantastic project that allows to build pipelines for your CI/CD needs. It works really great as it takes advantage of dynamic nature of Kubernetes cluster and uses resources only when it actually executes a task.

Tasks that are executed can be pretty much anything that starts a container (pod) and executes. There is a huge collection of tasks available in Tekton Hub that can be easily used within your own pipelines. Have a further read about Tekton if you're not familiar with it here.

There is just one tiny issue - tasks in Tekon are mainly about executing things and not waiting for things. And here comes Automatiko that plugs into the Tekton ecosystem via Custom Tasks. Custom tasks (realized in Tekton as Runs) allow to provide additional capabilities that are not meant to execute things - like starting a container/pod.

That is exactly what approvals are - they pause the pipeline run and wait for (usually) human based decision to be made.

Automatiko Approval Tasks are an implementation of Tekton Custom Task to bring in approvals into any pipeline. A complete installation steps are available here.

Let's explore the features of the Approval Tasks

  • Integrated with Tekton via Custom Tasks
  • Integrated with Tekton Dashboard via extensions
  • Integrated with email for notifications
  • Comes with predefined approval strategies (single or multi)

Integrated with Tekton via Custom Tasks

Approval Tasks are used within pipeline as any other task, by using taskRef

  apiVersion: tekton.dev/v1beta1
  kind: Pipeline
    name: testpipeline
      - name: approval
          apiVersion: tekton.automatiko.io/v1alpha1
          kind: ApprovalTask
          name: approvaltask
          - name: pipeline
            value: "$(context.pipelineRun.name)"
          - name: description
            value: "Sample approval from pipeline $(context.pipeline.name)"
          - name: approvers
              - "john"
Use approval tasks inside the pipeline

Approval task have several paramters that should be provided

  • pipeline - name of the pipeline run it references
  • description - user readable description to give a bit of context to approvers
  • approvers - list (can be empty to allow anyone to approve) of approvers
  • strategy - approval task strategy (SINGLE or MULTI) to be used

It also produces results

  • decision - true or false that represents approved or rejected decision
  • comment - optional comment made by approver
These results can be referenced in further tasks of the pipeline

  - name: approved
      - input: $(tasks.approval.results.decision)
        operator: in
        values: [ "true" ]
      name: print-decision
      - approval
Use approval tasks inside the pipeline

Integrated with Tekton Dashboard via extensions

Tekton Dashboard extension for Approval Tasks Tekton Dashboard extension for Approval Tasks.

Tekton Dashboard comes with really useful feature called Extensions. This allows to watch custom resources as dedicated item in the Dashboard's menu (as shown above).

Tekton Dashboard extension for Approval Tasks - Details view Tekton Dashboard extension for Approval Tasks - Details view.

Approval tasks detail view uses labels to communicate current state of the task - decision and responses. Users who are managing pipelines can easily find out where the task is and what is still to be done to move the pipeline forward.

Integrated with email for notifications

Approval tasks have built in support for email integration but it requires to be configured upon deployment so it knows what email server details to use. In addtion to that, approvers must be given as email addresses to receive email notification. Email notifications for Approval Tasks Email notifications for Approval Tasks.

Above is a sample email that is sent to approvers. Great value in email notification is that it has direct link to a task form where approver can make the decision to either approve or reject it.

Comes with predefined approval strategies (single or multi)

Approval tasks can be (currently) assigned based on two strategies

  • single - assignes a single task to all defined approvers, as soon as there is one decision given (by any of the approvers) pipeline run continues
  • multi - assignes dedicated task to each approver, all approvers must provide decision for pipeline run to continue
There are plans to provide additional strategies and if there are any ideas on potential strategies please let us know by creating an issue

Lastly, a short video demonstrating approval tasks with Tekton can be watched below.

The source code of approval tasks can be found here

It's just the beginning ...

This is really a first version of the approval task and lots of features are already in the works (integration with OIDC/OAuth, timeouts, cancelation etc) so stay tuned and provide your feedback and feature requests so this can become useful for many Tekton users.

Thanks for reading and make sure to drop us feedback or ask questions about this article.

Photographs by Unsplash.