Deploying Manual Approval Gate
TOC
Feature OverviewUse CasesPrerequisitesSteps1. Create theManualApprovalGate CR2. Verify controller health3. Reconfigure or force a rollout4. Uninstall Manual Approval GateOperation ResultsTroubleshootingLearn MoreFeature Overview
Manual Approval Gate provides the cluster-scoped controller and webhooks that back ApprovalTask custom tasks. Administrators must create and maintain the ManualApprovalGate custom resource (CR) so that platform users can insert manual approvals in their pipelines. This guide explains how to deploy the Manual Approval Gate component in tekton-pipelines, customize runtime options, and uninstall it safely.
Use Cases
- Enabling manual approvals for all teams in the cluster by provisioning a managed controller.
- Tweaking controller deployments (for example, replica counts, resource limits, or ConfigMaps) through the Operator's
optionscontract instead of editing manifests. - Cleaning up the feature when approval tasks are no longer required.
Prerequisites
Alauda DevOps Pipelinesv4.6.0 or later with cluster-admin access.kubectlconfigured against the target cluster.
Steps
1. Create the ManualApprovalGate CR
Save the manifest as manual-approval-gate.yaml and apply it:
spec.targetNamespacedetermines where controller deployments, webhooks, and ConfigMaps are created. We recommendtekton-pipelinesso that the component stays beside other Tekton services, but you can point it to any namespace as long as that namespace exists (or is created) before applying the CR.- Use
spec.optionsto override Deployments, ConfigMaps, or image fields without editing generated YAML. For detailed syntax, refer to Adjusting Optional Configuration Items of Subcomponents.
2. Verify controller health
The CR's READY condition must report True, and you should see controller and webhook Deployments running in tekton-pipelines.
3. Reconfigure or force a rollout
-
Patch the CR to adjust replicas or other options; the Operator rolls the workloads automatically:
4. Uninstall Manual Approval Gate
The CRD remains installed so you can recreate the CR later, but Deployments, Services, and Webhooks should disappear.
Operation Results
kubectl get manualapprovalgatesshows the instance withREADY=True,VERSION=<release>, andREASONempty orInstalled.kubectl get pods -n tekton-pipelines | grep manual-approval-gatelists controller and webhook pods inRunningstate.- After deletion, no pods or services with the same label remain, and the Operator stops reconciling
ApprovalTaskresources until the CR is recreated.
Troubleshooting
ManualApprovalGateCR stuck inNotReady: Runkubectl describe manualapprovalgate manual-approval-gateto check events, then review Operator logs (kubectl logs -n tekton-operator deploy/tekton-operator). Mis-typed fields inspec.optionsor insufficient privileges are the most common root causes.- Controller/webhook pods crash looping: Describe the failing pods in
tekton-pipelinesto confirm whether TLS secrets or configuration maps are missing. Reapplying the CR usually recreates these resources automatically. ApprovalTaskresources not created: Ensure theManualApprovalGateCR still exists withREADY=True. If it was deleted or is failing, reinstall it before users rerun pipelines.