(feat): Add Pipelines-as-Code on Kubernetes; resolve openshift-pipelines/pipelines-as-code to tektoncd repo

Makefile

@@ -69,14 +69,14 @@ ifeq ($(TARGET), openshift)
 	rm -rf ./cmd/$(TARGET)/operator/kodata/manual-approval-gate
 	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-pruner
 	rm -rf ./cmd/$(TARGET)/operator/kodata/pruner
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code
+	rm -rf ./cmd/$(TARGET)/operator/kodata/pipelines-as-code
 	find ./cmd/$(TARGET)/operator/kodata/tekton-addon/addons/06-ecosystem/tasks -type f ! -name "role.yaml" ! -name "rolebinding.yaml" -delete 
 	find ./cmd/$(TARGET)/operator/kodata/tekton-addon/addons/06-ecosystem/stepactions -type f ! -name "role.yaml" ! -name "rolebinding.yaml" -delete
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code-templates/go.yaml
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code-templates/java.yaml
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code-templates/nodejs.yaml
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code-templates/python.yaml
-	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton-addon/pipelines-as-code-templates/generic.yaml
+	rm -f ./cmd/$(TARGET)/operator/kodata/pipelines-as-code-templates/go.yaml
+	rm -f ./cmd/$(TARGET)/operator/kodata/pipelines-as-code-templates/java.yaml
+	rm -f ./cmd/$(TARGET)/operator/kodata/pipelines-as-code-templates/nodejs.yaml
+	rm -f ./cmd/$(TARGET)/operator/kodata/pipelines-as-code-templates/python.yaml
+	rm -f ./cmd/$(TARGET)/operator/kodata/pipelines-as-code-templates/generic.yaml
 else
 	rm -rf ./cmd/$(TARGET)/operator/kodata/tekton*
 	rm -rf ./cmd/$(TARGET)/operator/kodata/pruner

charts/tekton-operator/templates/deployment.yaml

@@ -76,7 +76,7 @@ spec:
             {{- end }}
           args:
             - "-controllers"
-            - {{ .Values.controllers | default "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner" | quote }}
+            - {{ .Values.controllers | default "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner,openshiftpipelinesascode" | quote }}
             - "-unique-process-name"
             - "tekton-operator-lifecycle"
           image: {{ include "tekton-operator.operator-image" . }}

charts/tekton-operator/templates/kubernetes-crds.yaml

@@ -42,6 +42,47 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  labels:
+    operator.tekton.dev/release: "devel"
+    version: "devel"
+  name: openshiftpipelinesascodes.operator.tekton.dev
+spec:
+  group: operator.tekton.dev
+  names:
+    kind: OpenShiftPipelinesAsCode
+    listKind: OpenShiftPipelinesAsCodeList
+    plural: openshiftpipelinesascodes
+    singular: openshiftpipelinesascode
+    shortNames:
+      - opac
+      - pac
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.version
+          name: Version
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].status
+          name: Ready
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].message
+          name: Reason
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Schema for the OpenShiftPipelinesAsCode API
+          type: object
+          x-kubernetes-preserve-unknown-fields: true
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   labels:
     operator.tekton.dev/release: "devel"

charts/tekton-operator/templates/openshift-crds.yaml

@@ -111,7 +111,7 @@ spec:
       name: v1alpha1
       schema:
         openAPIV3Schema:
-          description: Schema for the tektonaddons API
+          description: Schema for the tektonaddons API. Supported on OpenShift only.
           type: object
           x-kubernetes-preserve-unknown-fields: true
       served: true

charts/tekton-operator/values.yaml

@@ -14,7 +14,7 @@ openshift:
 installCRDs: false
 
 ## Controllers to install
-controllers: "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner"
+controllers: "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner,openshiftpipelinesascode"
 
 ## Control the creation of RBAC resources (Serviceaccount, Role, ClusterRole, ClusterRoleBinding)
 rbac:

cmd/openshift/operator/kodata/tekton-addon/pipelines-as-code-templates/rbac.yaml → cmd/kubernetes/operator/kodata/pipelines-as-code-templates/rbac.yaml

@@ -1,18 +1,23 @@
+# Role and RoleBinding so authenticated users can read PAC PipelineRun template
+# ConfigMaps in this namespace (same namespace where PostSet installs template CMs).
+# Loaded with runtime templates from pipelines-as-code-templates/; see
+# pkg/reconciler/openshift/openshiftpipelinesascode/pipelinerun_templates.go
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: pipelines-as-code-templates
   labels:
     app.kubernetes.io/part-of: pipelines-as-code
 rules:
-  # All system:authenticated users needs to have access
-  # of the pipelines-as-code-templates ConfigMap even if they don't
-  # have access to the other resources present in the
-  # installed namespace.
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get", "list"]
-    resourceNames: ["pipelines-as-code-go-template", "pipelines-as-code-java-template", "pipelines-as-code-nodejs-template", "pipelines-as-code-python-template"]
+    resourceNames:
+      - pipelines-as-code-pipelinerun-go
+      - pipelines-as-code-pipelinerun-java
+      - pipelines-as-code-pipelinerun-nodejs
+      - pipelines-as-code-pipelinerun-python
+      - pipelines-as-code-pipelinerun-generic
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

cmd/openshift/operator/kodata/pipelines-as-code-templates/rbac.yaml

@@ -0,0 +1,35 @@
+# Role and RoleBinding so authenticated users can read PAC PipelineRun template
+# ConfigMaps in this namespace (same namespace where PostSet installs template CMs).
+# Loaded with runtime templates from pipelines-as-code-templates/; see
+# pkg/reconciler/openshift/openshiftpipelinesascode/pipelinerun_templates.go
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pipelines-as-code-templates
+  labels:
+    app.kubernetes.io/part-of: pipelines-as-code
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list"]
+    resourceNames:
+      - pipelines-as-code-pipelinerun-go
+      - pipelines-as-code-pipelinerun-java
+      - pipelines-as-code-pipelinerun-nodejs
+      - pipelines-as-code-pipelinerun-python
+      - pipelines-as-code-pipelinerun-generic
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pipelines-as-code-templates
+  labels:
+    app.kubernetes.io/part-of: pipelines-as-code
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pipelines-as-code-templates

components.nightly.yaml

@@ -25,7 +25,7 @@ hub:
   github: openshift-pipelines/hub
   version: v1.18.0
 pipelines-as-code:
-  github: openshift-pipelines/pipelines-as-code
+  github: tektoncd/pipelines-as-code
   version: nightly
 pruner:
   github: tektoncd/pruner

components.yaml

@@ -17,7 +17,7 @@ pipeline:
   github: tektoncd/pipeline
   version: v1.11.0
 pipelines-as-code:
-  github: openshift-pipelines/pipelines-as-code
+  github: tektoncd/pipelines-as-code
   version: v0.45.0
 pruner:
   github: tektoncd/pruner

config/base/300-operator_v1alpha1_openshiftpipelinesascode_crd.yaml

@@ -0,0 +1,54 @@
+# Copyright 2022 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: openshiftpipelinesascodes.operator.tekton.dev
+  labels:
+    version: "devel"
+    operator.tekton.dev/release: "devel"
+spec:
+  group: operator.tekton.dev
+  names:
+    kind: OpenShiftPipelinesAsCode
+    listKind: OpenShiftPipelinesAsCodeList
+    plural: openshiftpipelinesascodes
+    singular: openshiftpipelinesascode
+    shortNames:
+    - opac
+    - pac
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    additionalPrinterColumns:
+    - jsonPath: .status.version
+      name: Version
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: ".status.conditions[?(@.type==\"Ready\")].message"
+      name: Reason
+      type: string
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema for the OpenShiftPipelinesAsCode API
+        x-kubernetes-preserve-unknown-fields: true

config/base/kustomization.yaml

@@ -27,6 +27,7 @@ resources:
 - 300-operator_v1alpha1_scheduler_crd.yaml
 - 300-operator_v1alpha1_multiclusterproxyaae_crd.yaml
 - 300-operator_v1alpha1_syncerservice_crd.yaml
+- 300-operator_v1alpha1_openshiftpipelinesascode_crd.yaml
 - config-logging.yaml
 - config-observability.yaml
 - tekton-config-defaults.yaml

config/crs/kubernetes/kustomization.yaml

@@ -13,3 +13,4 @@ resources:
 - pruner/operator_v1alpha1_pruner_cr.yaml
 - scheduler/operator_v1alpha1_scheduler_cr.yaml
 - multicluster-proxy-aae/operator_v1alpha1_multiclusterproxyaae_cr.yaml
+- pipelinesascode/operator_v1alpha1_pipelinesascode_cr.yaml

config/crs/kubernetes/pipelinesascode/operator_v1alpha1_pipelinesascode_cr.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: operator.tekton.dev/v1alpha1
+kind: OpenShiftPipelinesAsCode
+metadata:
+  name: pipelines-as-code
+spec:
+  targetNamespace: tekton-pipelines

config/kubernetes/base/kustomization.yaml

@@ -33,3 +33,4 @@ resources:
 - ../../webhooks/
 - 300-operator_v1alpha1_dashboard_crd.yaml
 - operator_service.yaml
+- pipelinesascode.yaml

config/kubernetes/base/operator.yaml

@@ -33,7 +33,7 @@ spec:
         image: ko://github.com/tektoncd/operator/cmd/kubernetes/operator
         args:
         - "-controllers"
-        - "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner,tektonscheduler,tektonmulticlusterproxyaae"
+        - "tektonconfig,tektonpipeline,tektontrigger,tektonhub,tektonchain,tektonresult,tektondashboard,manualapprovalgate,tektonpruner,tektonscheduler,tektonmulticlusterproxyaae,openshiftpipelinesascode"
         - "-unique-process-name"
         - "tekton-operator-lifecycle"
         imagePullPolicy: IfNotPresent

config/kubernetes/base/pipelinesascode.yaml

@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tekton-pac-controller-role
+rules:
+  - apiGroups:
+      - pipelinesascode.tekton.dev
+    resources:
+      - repositories
+      - webhooks
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-pac-controller-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: tekton-operator
+    namespace: tekton-operator
+roleRef:
+  kind: ClusterRole
+  name: tekton-pac-controller-role
+  apiGroup: rbac.authorization.k8s.io

config/openshift/base/300-operator_v1alpha1_addon_crd.yaml

@@ -47,5 +47,5 @@ spec:
     schema:
       openAPIV3Schema:
         type: object
-        description: Schema for the tektonaddons API
+        description: Schema for the tektonaddons API. Supported on OpenShift only.
         x-kubernetes-preserve-unknown-fields: true

config/openshift/base/kustomization.yaml

@@ -44,7 +44,6 @@ resources:
 - ../../base/
 - ../../webhooks
 - 300-operator_v1alpha1_addon_crd.yaml
-- 300-operator_v1alpha1_openshiftpipelinesascode_crd.yaml
 - operator_service.yaml
 - operator_servicemonitor.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1

docs/TektonConfig.md

@@ -21,6 +21,7 @@ Other than the above components depending on the platform operator also provides
   - [TektonResult](./TektonResult.md)
 - On Kubernetes
   - [TektonDashboard](./TektonDashboard.md)
+  - [OpenShiftPipelinesAsCode](./OpenShiftPipelinesAsCode.md) (installed via `spec.platforms.kubernetes.pipelinesAsCode`; same CRD/kind as on OpenShift)
 - On OpenShift
   - [TektonAddon](./TektonAddon.md)
   - [OpenShiftPipelinesAsCode](./OpenShiftPipelinesAsCode.md)
@@ -130,7 +131,7 @@ spec:
   trigger:
     disabled: false
 platforms:
-    openshift:
+    openshift:   # or `kubernetes:` on Kubernetes clusters
       pipelinesAsCode:
         additionalPACControllers:
           <controllerName>:
@@ -576,7 +577,7 @@ In the deployment the environment name will be converted as follows,
 
 ### OpenShiftPipelinesAsCode
 
-The PipelinesAsCode section allows you to customize the Pipelines as Code features. When you change the TektonConfig CR, the Operator automatically applies the settings to custom resources and configmaps in your installation.
+The PipelinesAsCode section allows you to customize the Pipelines as Code features on both Kubernetes and OpenShift. When you change the TektonConfig CR, the Operator automatically applies the settings to custom resources and configmaps in your installation. On Kubernetes, configure `spec.platforms.kubernetes.pipelinesAsCode` (the managed CR remains `OpenShiftPipelinesAsCode` for API compatibility).
 
 Some of the fields have default values, so operator will add them if the user hasn't passed in CR. Other fields which
 don't have default values unless the user specifies them. User can find those [here](https://pipelinesascode.com/docs/install/settings/#pipelines-as-code-configuration-settings).
@@ -585,7 +586,7 @@ Example:
 
 ```yaml
 platforms:
-  openshift:
+  openshift:   # or `kubernetes:`
     pipelinesAsCode:
       additionalPACControllers:
         controllername:
@@ -680,7 +681,7 @@ pipelinesascode.tekton.dev/task: "artifact://buildah"
 
 For more details, see the [Pipelines-as-Code Remote Hub Catalogs documentation](https://pipelinesascode.com/docs/install/settings/#remote-hub-catalogs).
 
-**NOTE**: OpenShiftPipelinesAsCode is currently available for the OpenShift Platform only.
+**NOTE**: On Kubernetes clusters, use `spec.platforms.kubernetes.pipelinesAsCode`. The custom resource kind remains `OpenShiftPipelinesAsCode`.
 
 ### Event based pruner 
 

go.mod

@@ -46,6 +46,7 @@ require (
 replace (
 	github.com/alibabacloud-go/cr-20160607 => github.com/vdemeester/cr-20160607 v1.0.1
 	github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.1.4
+	github.com/openshift-pipelines/pipelines-as-code => github.com/tektoncd/pipelines-as-code v0.42.0
 	k8s.io/api => k8s.io/api v0.32.4
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.9
 	k8s.io/apimachinery => k8s.io/apimachinery v0.32.4

go.sum

@@ -2464,8 +2464,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/openshift-pipelines/pipelines-as-code v0.42.0 h1:2VmvFso+tA+301Uxv0guoYTDv4KJ/FedY2dwSvdJFBU=
-github.com/openshift-pipelines/pipelines-as-code v0.42.0/go.mod h1:brABe5XhsEEkVhMoM0tFhDZmqum4nD6N91+brKPSQbQ=
 github.com/openshift/api v0.0.0-20240521185306-0314f31e7774 h1:SsoLnIil/D0FcjUbQ9Z8h95B7rxFvrso2X6OQjR8jPw=
 github.com/openshift/api v0.0.0-20240521185306-0314f31e7774/go.mod h1:7Hm1kLJGxWT6eysOpD2zUztdn+w91eiERn6KtI5o9aw=
 github.com/openshift/apiserver-library-go v0.0.0-20230816171015-6bfafa975bfb h1:UMgJny13BBcHpY+JQ9Eg1Dm9+J7nWO3eqPvV1Zpd49A=
@@ -2716,6 +2714,8 @@ github.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhg
 github.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
 github.com/tektoncd/pipeline v1.9.1 h1:Js6NQleJLoo5vrS6ebg+WoHntMDY6xMS9zDvbGR2RjQ=
 github.com/tektoncd/pipeline v1.9.1/go.mod h1:PTlIZ4Mhr8HZDx404O7spJtafiynetTMedCsXStjtHk=
+github.com/tektoncd/pipelines-as-code v0.42.0 h1:KZqRXQk4v6blEhjNu6n9ZpPgyIeQR4Dc3ZqnK3s1pm8=
+github.com/tektoncd/pipelines-as-code v0.42.0/go.mod h1:brABe5XhsEEkVhMoM0tFhDZmqum4nD6N91+brKPSQbQ=
 github.com/tektoncd/plumbing v0.0.0-20250805154627-25448098dea2 h1:v4UPEbe6MEto5i4ELtiXWBxUAUIAWL5U1DznfPhi4WE=
 github.com/tektoncd/plumbing v0.0.0-20250805154627-25448098dea2/go.mod h1:BC6F3DlZc+wpUT9YcwG9MoSfb4tUiH2olB9xYoIsB4I=
 github.com/tektoncd/pruner v0.3.5 h1:eQTgnQ56Par9d/6BICsXfTkR0Ybx8c/0QLZeNoJnaYQ=