github tektoncd/operator v0.80.0
Tekton Operator release v0.80.0 "Release v0.80.0"

latest release: tekton-operator-0.80.0
5 hours ago

- Docs @ v0.80.0
- Examples @ v0.80.0

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/operator/previous/v0.80.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a3e010ea427c252384a71b383079ee72d7991f6329a0e92d78c026a709134d825

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a3e010ea427c252384a71b383079ee72d7991f6329a0e92d78c026a709134d825
rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/operator/previous/v0.80.0/release.yaml
REKOR_UUID=108e9186e8c5677a3e010ea427c252384a71b383079ee72d7991f6329a0e92d78c026a709134d825

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.80.0@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
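  # -F matches the reference as a fixed string, so "." in registry names is not treated as a regex wildcard
  printf '%s' "$image"; grep -qF -- "$image" release.yaml && echo " ===> ok" || echo " ===> no match";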
done
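
The loop above checks one direction only: every attested image must appear in the release file. The following Python sketch is an added example, not part of the Tekton release tooling. It builds the same name:tag@sha256:digest strings from an in-toto statement's subject list and also reports digest-pinned images in the release file that the attestation does not cover. The image names, digests and manifest text are constructed sample data.

```python
import json
import re

TAG = "v0.80.0"
A, B, C, D = ("a" * 64, "b" * 64, "c" * 64, "d" * 64)  # constructed digests

# Constructed sample data (not the real attestation or release file).
SAMPLE_ATTESTATION = json.dumps({
    "subject": [
        {"name": "ghcr.io/example/operator", "digest": {"sha256": A}},
        {"name": "ghcr.io/example/webhook", "digest": {"sha256": B}},
    ]
})
SAMPLE_RELEASE = f"""
containers:
- image: ghcr.io/example/operator:{TAG}@sha256:{A}
- image: ghcr.io/example/webhook:{TAG}@sha256:{C}
- image: ghcr.io/example/proxy:{TAG}@sha256:{D}
"""

# name[:tag]@sha256:<64 hex>; registries with an explicit port are not handled.
PINNED_REF = re.compile(r"[\w./-]+(?::[\w.-]+)?@sha256:[0-9a-f]{64}")


def attested_refs(attestation_json, tag):
    """Build the same string as the jq expression: name:tag@sha256:digest."""
    statement = json.loads(attestation_json)
    return {f'{s["name"]}:{tag}@sha256:{s["digest"]["sha256"]}'
            for s in statement["subject"]}


def compare(attestation_json, release_text, tag=TAG):
    """Compare attested image references with those pinned in the manifest."""
    attested = attested_refs(attestation_json, tag)
    in_release = set(PINNED_REF.findall(release_text))
    return {
        "ok": sorted(attested & in_release),
        "attested_not_in_release": sorted(attested - in_release),
        "in_release_not_attested": sorted(in_release - attested),
    }


if __name__ == "__main__":
    for status, refs in compare(SAMPLE_ATTESTATION, SAMPLE_RELEASE).items():
        for ref in refs:
            print(f"{status}: {ref}")
```

An entry under in_release_not_attested means the manifest would pull an image whose digest the attestation does not vouch for, which the one-way grep loop cannot show.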

Changes

Features

  • ✨ feat(tls): make central TLS opt-out by default (#3416)

Central TLS configuration is now enabled by default on OpenShift. The enableCentralTLSConfig
field in TektonConfig has changed from an opt-in bool to an opt-out *bool: existing clusters
will automatically inherit the cluster APIServer TLS profile (minimum version, cipher suites)
on the next reconcile after upgrade. Set enableCentralTLSConfig: false to opt out.

  • ✨ feat(tls): centrally managed TLS for webhook and proxy-webhook (SRVKP-9612, SRVKP-9613) (#3406)

On OpenShift, the tekton-operator-webhook and tekton-operator-proxy-webhook now
inherit their TLS security settings (minimum TLS version and cipher suites) from
the cluster-wide OpenShift APIServer TLS security profile. Both webhooks restart
automatically when the profile changes so the new settings take effect immediately.

  • ✨ feat(tls): inject centrally managed TLS config into pipelines-as-code (#3385)

On OpenShift, the pipelines-as-code-webhook deployment now automatically inherits the cluster-wide TLS version and cipher suites from the OpenShift APIServer TLS security profile. Changes to the profile are automatically propagated without manual intervention.

  • ✨ feat(tls): inject centrally managed TLS config into triggers webhook (#3384)

The tekton-triggers-webhook and tekton-triggers-core-interceptor now inherit TLS configuration (minimum version and cipher suites) from the OpenShift cluster's APIServer TLS security profile when enableCentralTLSConfig is set in TektonConfig. Changes to the cluster TLS profile are automatically propagated to the webhook without operator restarts, enabling PQC readiness (SRVKP-9615).

  • ✨ feat(tls): inject centrally managed TLS config into pipelines webhook (#3383)

The tekton-pipelines-webhook now inherits TLS configuration (minimum version and cipher suites) from the OpenShift cluster's APIServer TLS security profile when enableCentralTLSConfig is set in TektonConfig. Changes to the cluster TLS profile are automatically propagated to the webhook without operator restarts, enabling PQC readiness (SRVKP-9614).

  • ✨ (feat): Add Pipelines-as-Code on Kubernetes (#3337)

  • ✨ Migrate metrics from OpenCensus to OpenTelemetry (#3332)

Migrated operator metrics from OpenCensus to OpenTelemetry.

ACTION REQUIRED:

  1. Configuration key change
    Replace metrics.backend-destination with metrics-protocol in your tekton-config-observability ConfigMap.

  2. Infrastructure metric renaming

    ┌─────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────┐
    │ Old Metric Name (OpenCensus)                                │ New Metric Name (OpenTelemetry)                     │
    ├─────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────┤
    │ tekton_operator_lifecycle_workqueue_adds_total              │ kn_workqueue_adds_total                             │
    │ tekton_operator_lifecycle_workqueue_depth                   │ kn_workqueue_depth                                  │
    │ tekton_operator_lifecycle_workqueue_queue_latency_seconds   │ kn_workqueue_queue_duration_seconds                 │
    │ tekton_operator_lifecycle_workqueue_work_duration_seconds   │ kn_workqueue_process_duration_seconds               │
    │ tekton_operator_lifecycle_workqueue_unfinished_work_seconds │ kn_workqueue_unfinished_work_seconds                │
    │ tekton_operator_lifecycle_client_latency                    │ http_client_request_duration_seconds                │
    │ tekton_operator_lifecycle_client_results                    │ kn_k8s_client_http_response_status_code_total       │
    │ tekton_operator_lifecycle_go_*                              │ go_*                                                │
    │ tekton_operator_lifecycle_reconcile_count                   │ removed (use kn_workqueue_adds_total)               │
    │ tekton_operator_lifecycle_reconcile_latency                 │ removed (use kn_workqueue_process_duration_seconds) │
    └─────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────┘

  3. The following operator-specific metrics are removed in this version because they were unused and did not serve their intended purpose. New metrics will be added as required in future work:

tekton_operator_pipeline_reconcile_count
tekton_operator_trigger_reconcile_count
tekton_operator_chains_reconciled
tekton_operator_results_reconciled
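
Alert rules and dashboards that still query the old names return no data after the upgrade, so they stop firing without any error. The following Python sketch is an added example, not code from the Tekton project. It rewrites metric names in PromQL expressions using the rename table above and flags expressions that depend on removed metrics. The sample expressions are constructed, and carrying suffixes such as _bucket over unchanged is an assumption.

```python
import re

OLD = "tekton_operator_lifecycle_"
# Rename table from the release notes; the last entry is the go_* prefix rule.
RENAMED = {OLD + old: new for old, new in {
    "workqueue_adds_total": "kn_workqueue_adds_total",
    "workqueue_depth": "kn_workqueue_depth",
    "workqueue_queue_latency_seconds": "kn_workqueue_queue_duration_seconds",
    "workqueue_work_duration_seconds": "kn_workqueue_process_duration_seconds",
    "workqueue_unfinished_work_seconds": "kn_workqueue_unfinished_work_seconds",
    "client_latency": "http_client_request_duration_seconds",
    "client_results": "kn_k8s_client_http_response_status_code_total",
    "go_": "go_",
}.items()}
# Metrics the release notes list as removed; these are flagged, not rewritten.
REMOVED = {
    OLD + "reconcile_count", OLD + "reconcile_latency",
    "tekton_operator_pipeline_reconcile_count",
    "tekton_operator_trigger_reconcile_count",
    "tekton_operator_chains_reconciled",
    "tekton_operator_results_reconciled",
}
METRIC = re.compile(r"\btekton_operator_\w+")

# Constructed sample alert expressions (not from any real rule file).
SAMPLE_RULES = [
    "rate(tekton_operator_lifecycle_workqueue_adds_total[5m]) > 10",
    "tekton_operator_lifecycle_go_goroutines > 500",
    "increase(tekton_operator_chains_reconciled[1h]) == 0",
]


def migrate(expr):
    """Return (rewritten PromQL expression, removed metrics it still uses)."""
    removed = set()

    def swap(match):
        name = match.group(0)
        # Longest old name first; a trailing suffix such as _bucket is kept
        # as-is (assumption: histogram series keep their usual suffixes).
        for old in sorted(RENAMED, key=len, reverse=True):
            if name.startswith(old):
                return RENAMED[old] + name[len(old):]
        removed.update(r for r in REMOVED if name.startswith(r))
        return name

    return METRIC.sub(swap, expr), sorted(removed)


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(migrate(rule))
```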

  • ✨ Centralized TLS config (#3225)

Add support for centralized TLS configuration on OpenShift. When
enableCentralTLSConfig is set to true in TektonConfig.spec.platforms.openshift,
Tekton components automatically inherit TLS settings (minimum version, cipher suites)
from the cluster's APIServer TLS security profile. Changes to the APIServer profile
are detected and propagated to components without manual intervention. TektonResult
is the first component to support this; other components will follow.

  • ✨ [feat]Add centrally managed TLS configuration for console-plugin nginx (#3218)

The console-plugin nginx server now inherits TLS settings from the centrally managed APIServer TLS Profile, improving Post-Quantum Cryptography (PQC) readiness compliance on OpenShift.
The nginx server reads TLS configuration from the APIServer profile (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES) and injects it into nginx.conf at runtime.
When no TLS parameters are set, the server falls back to secure defaults (TLSv1.2 and TLSv1.3).
Cipher suites are intentionally delegated to nginx's built-in secure defaults.

  • ✨ tekton: automate releases with Pipelines-as-Code (#3322)

Fixes

  • 🐛 fix(openshift): delete operator webhooks before namespace cleanup on uninstall (#3472)

Bug fix: OpenShift Pipelines operator now uninstalls cleanly via the Console UI.
Previously, operator admission webhooks (namespace.operator.tekton.dev,
proxy.operator.tekton.dev) could still be registered while their backend service
was already removed during uninstall, causing TektonConfig finalization to fail
and leaving the Subscription, CSV, and operator deployment behind in
openshift-operators. The webhooks are now explicitly removed at the start of
finalization before namespace label cleanup runs.

  • 🐛 fix(tekton-results): use passthrough TLS termination for route (#3425)

Tekton Results API route now uses passthrough TLS termination by default, enabling end-to-end encryption between clients and the Results API service.

  • 🐛 Use dedicated release ServiceAccount in PAC release pipelines (#3364)
  • 🐛 fix: use correct fully qualified image names in release pipeline (#3362)
  • 🐛 fix: remove YAML document separator from .tekton files (#3342)
  • 🐛 fix: remove release-right-meow SA from PAC release PipelineRuns (#3336)
  • 🐛 fix: include branch filter in CEL expression for release trigger (#3335)
  • 🐛 Fix TektonInstallerSet deadlock when resources have deletionTimestamp (#3217)

Misc

  • 🔨 fix: update-tektoncd-task-versions workflow to resolve CI failures (#3426)
  • 🔨 fix: harden patch-release workflow against script injection (#3424)
  • 🔨 fix: replace symlinks with mv/cp in prepare-draft-release (#3366)
  • 🔨 ci: fix GitHub Actions security issues found by zizmor (#3324)
  • 🔨 fix-cherry-pick-failures (#3323)
  • 🔨 chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#3463)
  • 🔨 chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 (#3462)
  • 🔨 chore(deps): bump github.com/tektoncd/triggers from 0.35.0 to 0.36.0 (#3461)
  • 🔨 chore(deps): bump github.com/openshift-pipelines/pipelines-as-code from 0.46.0 to 0.47.0 (#3460)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4 (#3459)
  • 🔨 chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#3449)
  • 🔨 chore(deps): bump k8s.io/apiextensions-apiserver from 0.35.4 to 0.35.5 (#3447)
  • 🔨 chore(deps): bump github.com/tektoncd/pruner from 0.3.5 to 0.4.0 (#3446)
  • 🔨 chore(deps): bump github.com/konflux-ci/tekton-kueue from 0.3.0 to 0.3.1 (#3445)
  • 🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#3444)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3 (#3443)
  • 🔨 chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#3434)
  • 🔨 chore(deps): bump golang.org/x/mod from 0.35.0 to 0.36.0 (#3433)
  • 🔨 chore(deps): bump github.com/openshift-pipelines/pipelines-as-code from 0.45.0 to 0.46.0 (#3432)
  • 🔨 chore(deps): bump k8s.io/apimachinery from 0.35.4 to 0.35.5 (#3431)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#3421)
  • 🔨 chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#3420)
  • 🔨 chore(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 (#3419)
  • 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.11.1 to 1.12.0 (#3418)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.19 (#3417)
  • 🔨 chore(deps): bump github.com/in-toto/in-toto-golang from 0.9.0 to 0.11.0 (#3414)
  • 🔨 chore(deps): bump github.com/openshift-pipelines/pipelines-as-code from 0.43.0 to 0.45.0 (#3393)
  • 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.11.0 to 1.11.1 (#3392)
  • 🔨 chore(deps): bump k8s.io/apiextensions-apiserver from 0.35.3 to 0.35.4 (#3391)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 (#3389)
  • 🔨 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 (#3379)
  • 🔨 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 (#3378)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.0 (#3374)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 (#3373)
  • 🔨 chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 (#3372)
  • 🔨 chore: bump pipeline from v1.11.0 to v1.11.1 (#3365)
  • 🔨 chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 (#3359)
  • 🔨 chore(deps): bump github.com/sigstore/cosign/v2 from 2.6.2 to 2.6.3 (#3358)
  • 🔨 chore(deps): bump github.com/cert-manager/cert-manager from 1.20.1 to 1.20.2 (#3357)
  • 🔨 chore(deps): bump golang.org/x/mod from 0.34.0 to 0.35.0 (#3356)
  • 🔨 chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#3355)
  • 🔨 chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#3354)
  • 🔨 chore(deps): bump actions/cache from 5.0.4 to 5.0.5 (#3353)
  • 🔨 chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#3346)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.11 to 1.6.13 (#3345)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 (#3344)
  • 🔨 chore(deps): bump github.com/cert-manager/cert-manager from 1.19.4 to 1.20.1 (#3343)
  • 🔨 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#3338)
  • 🔨 chore(deps): bump github.com/cert-manager/cert-manager from 1.20.0 to 1.20.1 (#3316)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.9 to 1.6.11 (#3315)
  • 🔨 chore(deps): bump github/codeql-action from 4.34.1 to 4.35.1 (#3314)
  • 🔨 chore(deps): bump azure/setup-helm from 4.3.1 to 5.0.0 (#3313)
  • 🔨 chore(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#3312)
  • 🔨 chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 (#3302)
  • 🔨 chore(deps): bump github.com/tektoncd/pipeline from 1.9.1 to 1.9.2 (#3299)
  • 🔨 chore(deps): bump actions/cache from 5.0.3 to 5.0.4 (#3297)
  • 🔨 chore(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#3296)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.8 to 1.6.9 (#3295)
  • 🔨 chore(deps): bump golang.org/x/mod from 0.33.0 to 0.34.0 (#3289)
  • 🔨 chore(deps): bump github.com/openshift-pipelines/pipelines-as-code from 0.42.0 to 0.43.0 (#3288)
  • 🔨 chore(deps): bump github.com/cert-manager/cert-manager from 1.19.4 to 1.20.0 (#3287)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.7 to 1.6.8 (#3286)
  • 🔨 chore(deps): bump fgrosse/go-coverage-report from 1.2.0 to 1.3.0 (#3285)
  • 🔨 chore(deps): bump github/codeql-action from 4.32.6 to 4.33.0 (#3284)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 (#3283)
  • 🔨 fix some minor issues (#3282)
  • 🔨 fix readme and bundle script update (#3277)
  • 🔨 chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#3274)
  • 🔨 chore(deps): bump github/codeql-action from 4.32.5 to 4.32.6 (#3273)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 (#3272)
  • 🔨 chore(deps): bump chainguard-dev/actions from 1.6.5 to 1.6.7 (#3271)
  • 🔨 Nominate pratap0007 as operator approver (#3268)
  • 🔨 Move inactive approvers to alumni (#3267)
  • 🔨 chore(deps): bump github.com/openshift-pipelines/pipelines-as-code (#3264)
  • 🔨 chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible (#3263)
  • 🔨 chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 (#3257)
  • 🔨 chore(deps): bump github.com/konflux-ci/tekton-kueue from 0.0.0-20251231110853-e7a97991aa34 to 0.3.0 (#3214)

Docs

Thanks

Thanks to these contributors who contributed to v0.80.0!

Extra shout-out for awesome release notes:
